Cisco 5505 VPN assistance - Resending P1 and Peer to Peer List No match

Similar Messages

• ASA 5505 VPN Group Policies (RADIUS) and tunnel group

  I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
  I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries). 
  Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
  I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
  Session Type: WebVPN
  Username     : kaisaron78             Index        : 1
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 518483                 Bytes Rx     : 37549
  Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 10:59:33 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:23s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000100053f1c075
  Security Grp : none
  Asa5505# sh vpn-sessiondb webvpn
  Session Type: WebVPN
  Username     : manintra               Index        : 2
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 238914                 Bytes Rx     : 10736
  Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 11:01:02 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:05s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000200053f1c0ce
  Security Grp : none
  As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
  ! ADDRESS POOLS AND NAT
  names
  ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_27
   subnet 192.168.10.0 255.255.255.224
  access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
  ! RADIUS SETUP
  aaa-server OpenOTP protocol radius
  aaa-server OpenOTP (inside) host 192.168.1.8
   key ******
   authentication-port 1812
   accounting-port 1814
   radius-common-pw ******
   acl-netmask-convert auto-detect
  webvpn
   port 10443
   enable outside
   dtls port 10443
   anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
   anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
   anyconnect enable
  ! LOCAL POLICIES
  group-policy SSLPolicy internal
  group-policy SSLPolicy attributes
   vpn-tunnel-protocol ssl-clientless
   vlan 3
   dns-server value 10.5.1.5
   default-domain value management.local
   webvpn
    url-list value Management_List
  group-policy RemoteAC internal
  group-policy RemoteAC attributes
   vpn-tunnel-protocol ikev2 ssl-client
   vlan 1
   address-pools value AnyConnect_Pool
   dns-server value 192.168.1.4
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value Split_Tunnel_Anyconnect
   default-domain value home.local
   webvpn
    anyconnect profiles value AnyConnect_Profile_client_profile type user
  group-policy SSLLockdown internal
  group-policy SSLLockdown attributes
    vpn-simultaneous-logins 0
  ! DEFAULT TUNNEL
  tunnel-group DefaultRAGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group DefaultWEBVPNGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group VPN_Tunnel type remote-access
  tunnel-group VPN_Tunnel general-attributes
   authentication-server-group OpenOTP
   default-group-policy SSLLockdown
  !END
  I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
  Any help will be more than appreciated.
  Cesare Giuliani

  Ok, it makes sense.
  Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
  Thank you again for your precious and kind help, and for your patience as well!
  Cesare Giuliani

• Vpn site to site and remote access , access lists

  Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

  If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

• Cisco ASA 5505 VPN Routing/Networking Question

  I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs.  I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses.  I would like to install a second Cisco ASA 5505 in a remote branch office as its peer. 
  Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center?  I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible.  It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices as the Data Center, allowing it to decide where the traffic should go.
  What am I missing?  Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?

  You can do it in several different ways.
  One way is to tell the server that if it has traffic to network x then it needs to go to the ASA all other traffic is to head for the default gateway.
  In windows this is done via the route command
  do not forget to make it "persistent" otherwise the route will disapear when your reboot the server.
  in unix/linux
  It is also the route command
  Or you can tell your "default gateway" to route that network to the ASA
  Good luck
  HTH

• Cisco ASA 5505 VPN Remote Acces Problem

  Hello Guys .. i have cisco 5505 Asa security Adaptive , and i have two local networks 192.168.1.0 /24   and 192.168.2.0/24 , and i have my ISP public connection,,,,,what i want to do is i want to connect Remote VPN connection and access my  Private Network of 192. my public ip is like 155.155.155.0 /24    ...
  i put my ISP connection in the EO/0 and my private networks into E0/1 and E0/2.
  so i created a remote vpn connection ,, and then i connected to the VPN ..
  My problem i can't reach and access my private networks .. this probem frustrated me a lot .. so cisco guys please help me
  and iam using ASDM cisco graphic interface

  Hi Timothy,
  Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying connection from a restricted machine.
  Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
  Let me know if this helps.
  Thanks,
  Vishnu Sharma

• Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

  This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

  Hi Tony,
  to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
  CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
  You may want to try and ask in the AAA forum if there is anything you can do on ACS...
  hth
  Herbert

• Cisco ASA 5505 VPN help for local lan access.

  Hi all,
  I am very new to Cisco systems. Recently I was tasked to enable local lan access for one of my server. The problem is this. I have this server with 2 interfaces. One interface to my FTP server(192.168.2.3) and the other to the Cisco ASA(192.168.1.1). Whenever I connect the server to Cisco Anyconnect VPN, I am unable to access the FTP server anymore.
  I googled and found out that the problem is because the metric level is 1 for Ciscoanyconnect network interface which causes all traffic to go through the Cisco VPN Interface. Another problem is I can't change the metric of the Cisco VPN Interface as whenever I reconnect to the VPN, the metric resets back to 1 again. I tried to follow some guides to configure split tunnel but my traffic is still going through the VPN connection.
  Anyone can tell me what I am missing here? Sorry I am very new to Cisco systems. Spent about 5 days troubleshooting and I feel I am getting it soon. Anyone can guide me what else I am supposed to do?
  What I did> Configuration>> Remote access VPN>> Network Client Access>> Group Policies>> Advanced>> Split Tunneling>> Uncheck Inherit and select "Exclude Network List below.>> Uncheck Network List and select Manage, Add 192.168.2.0/24 to permit.
  Really appreciate if anyone can tell me what else I can do to ensure my server has access the my FTP Server after connecting to the VPN.
  Thanks all!
  Wen Qi

  Hi,
  Try adding the following configuration
  policy-map global_policy
  class inspection_default
    inspect pptp
  And then try again.
  I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
  - Jouni

• Problem with Cisco IPMA - between the manager profile and assistant profile

  Greetings to all.
  The problem basically is that wen I do a call (internal o external) to the extension configured in the manager phone, the assistant phone dosen`t rings or take the call, even the call in progress dosen`t appears in the Cisco Unified Communications Manager Assistant Console of the Assistant
  Also the icons of the IPMA in the manager phone dosen`t appears.
  I have check the following:
  1.The configurations on both profile and its look ok
  2.I have restar the Cisco IPMA, CTI and Tomcat Service
  3.I have reconfigured the profiles
  What else I can do
  What is the most common cause in these cases
  Thanks

  I have the same problem, did you resolve it ?
  Our Customer have about 50 IPMA and there are work. The problem is only with 4 IPMA Assistance (always the same). Sometimes (few times in week) lost  Assistance  icon Managers, and Managers doesn’t see shared lines, Intercom, services IPMA on phone doesn’t work. But sometimes Assistant icon is showing but Manager don’t see active connection and can’t call via Intercom.
  Assistance have 7962 Phone with load cmterm-7942_7962-sccp.9-2-3.cop.sgn
  Managers have 7965 Phone with load cmterm-7945_7965-sccp.9-2-3.cop.sgn
  CUCM (PUB/SUB) is 8.6.2.20000-2
  I opened a TAC case already but the problem is not resolved.

• Cisco VPN 3.6.3b and BEFW11S4 v2 connection issue

  I'm hoping someone can help with this problem.  I am able to connect to my employers VPN server, but cannot access any of the shared areas.  I've found some documentation that may point to an MTU issue, but adjusting the value on the laptop from 1400 down to 1250 to 1200 doesn't work.  I've tried forcing the value to 1250 using the Router Filter settings with no luck.  IPSEC pass through is enabled on the router as is MAC filtering.
  I've tested the VPN while on-campus and I have no problems.  I also have no problems accessing the internet through the Linksys router with VPN turned off.
  Any ideas?
  Configuration:
  DELL Precision M70 running  XP
  Time Warner RoadRunner
  Motorola Surfboard Cable Modem
  Linksys BEFW11S4 v2 (using wireless connection) FW 1.45.10
  Cisco VPN 3.6.3b

  Ok thanks so much. I will try again. 
  My company's IT guys aren't  being very helpful, won't return my calls, emails, etc. and don't appear to be giving me clear instructions on what I believe to be a standard request.  Not sure why .
  We can't get in as administrators, they have to do it for us, and they are not timely in requests like these.  We are a large company (over 10K employees) and the last time I tried this was with our email client and and Cisco VPN, bundled together. It was a disaster and I don't recommend it.  So this way was supposed to be easier for the user, and for them to help us with questions.  Oh well. 
  I will at least try what you have suggested, and when I get back to work I will see if I can get their public ip address, and see if they will check on the port.  
  I will post back to see if the suggestions from the above post worked.
  Many thanks again for your help!

• Configurate cisco ipsec vpn client at asa 5505 version 8.4

  Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
  please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
  thank you.

  are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
  what version of vpn client ?

• Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

                     Dear All,
  i have the folloing case :
  i am using ASA as Certificate authority for cisco anyconnect VPN users,the authentication happens based on the local database of the ASA,
  i want to issue a new certificate every 72 hours for the users ,and i want to send the one time password via email to each user.
  so what the setting of the mail and smtp server should be ,
  was i understand i should put my smtp server ip address then i have to create the local users again under(Remte VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time passsword to them via their emails.
  i sent the email manually ,hwo can automate sending the OTP to our VPN users automatically vi their emails?
  Best regards,

  Thanks Jennifer.
  I did manage to configure LDAP attribute map to the specific group policy.
  Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
  Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
  Example: let say my username is LLH.
  Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
  Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
  Only me know the preshared key and only me can login with my Connection Profile.
  Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
  Example:
  AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
  Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
  Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
  I hope above description can paint the scenario clearer.
  Thanks in advance for all the help and comment given.

• VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

  Hi
  my scenario is as follows
  SERVER1 on lan (192.168.1.4)
  |
  |
  CISCO-887 (192.168.1.254)
  |
  |
  INTERNET
  |
  |
  VPN Cisco client on windows 7 machine
  My connection have public ip address assegned by ISP, after ppp login.
  I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
  All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
  But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
  I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
  What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
  Perhaps ACL problem?
  Building configuration...
  Current configuration : 4921 bytes
  ! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname TestLab
  boot-start-marker
  boot-end-marker
  enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  memory-size iomem 10
  crypto pki trustpoint TP-self-signed-3013130599
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3013130599
  revocation-check none
  rsakeypair TP-self-signed-3013130599
  crypto pki certificate chain TP-self-signed-3013130599
  certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
  33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
  9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
  8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
  C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
  AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
  03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
  2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
  AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
  B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
  B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
  CBB28E7A E91A090D 53DAD1A0 3F66A3
  quit
  no ip domain lookup
  ip cef
  no ipv6 cef
  license udi pid CISCO887VA-K9 sn ***********
  username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
  controller VDSL 0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group EXTERNALS
  key NetasTest
  dns 8.8.4.4
  pool VPN-Pool
  acl 120
  crypto isakmp profile ciscocp-ike-profile-1
  match identity group EXTERNALS
  client authentication list ciscocp_vpn_xauth_ml_2
  isakmp authorization list ciscocp_vpn_group_ml_2
  client configuration address respond
  virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ciscocp-ike-profile-1
  interface Ethernet0
  no ip address
  shutdown
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 8/35
  pppoe-client dial-pool-number 1
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface Virtual-Template1 type tunnel
  ip address 192.168.2.1 255.255.255.0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  ip address 192.168.1.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  interface Dialer0
  ip address negotiated
  ip mtu 1452
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname ****
  ppp chap password 0 *********
  ppp pap sent-username ****** password 0 *******
  no cdp enable
  ip local pool VPN-Pool 192.168.2.210 192.168.2.215
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 100 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 100 remark
  access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 100 remark
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 120 remark
  access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  line con 0
  exec-timeout 5 30
  password ******
  no modem enable
  line aux 0
  line vty 0 4
  password ******
  transport input all
  end
  Best Regards,

  I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin  and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
  router#sh crypto session detail 
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection     
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Dialer0
  Uptime: 00:40:37
  Session status: UP-ACTIVE     
  Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
        Phase1_id: 192.168.1.100
        Desc: (none)
    IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active 
            Capabilities:(none) connid:2001 lifetime:07:19:22
    IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0 
          Active SAs: 4, origin: dynamic crypto map
          Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
          Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162

• ASA 5505 VPN can't access inside hosts

  I have configured VPN on the 5505 using ASDM and I'm able to connect to the 5505 and the client is also getting an IP-address from the configured pool.
  The Cisco VPN client shows an error in the log: AddRoute failed to add a route: code 87
  Cisco

  No I can't ping anything.
  And here is the route -print after connection
  ===========================================================================
  Interface List
  0x1 ........................... MS TCP Loopback interface
  0x10003 ...00 0c 29 48 d4 50 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
  0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
  ===========================================================================
  ===========================================================================
  Active Routes:
  Network Destination Netmask Gateway Interface Metric
  0.0.0.0 0.0.0.0 192.168.222.101 192.168.222.100 1
  85.82.25.170 255.255.255.255 192.168.129.2 192.168.129.130 1
  127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
  192.168.129.0 255.255.255.0 192.168.129.130 192.168.129.130 10
  192.168.129.0 255.255.255.0 192.168.222.101 192.168.222.100 10
  192.168.129.130 255.255.255.255 127.0.0.1 127.0.0.1 10
  192.168.129.254 255.255.255.255 192.168.129.130 192.168.129.130 1
  192.168.129.255 255.255.255.255 192.168.129.130 192.168.129.130 10
  192.168.222.100 255.255.255.255 127.0.0.1 127.0.0.1 10
  192.168.222.255 255.255.255.255 192.168.222.100 192.168.222.100 10
  224.0.0.0 240.0.0.0 192.168.129.130 192.168.129.130 10
  224.0.0.0 240.0.0.0 192.168.222.100 192.168.222.100 10
  255.255.255.255 255.255.255.255 192.168.129.130 192.168.129.130 1
  255.255.255.255 255.255.255.255 192.168.222.100 192.168.222.100 1
  Default Gateway: 192.168.222.101
  ===========================================================================
  Persistent Routes:
  None

• Vpn configuration problems 2621xm and vpn client

  hello,
  I'm trying to configure my home cisco 2621xm to accept vpn connections. I've used many cisco pdf documents and they all same almost the same so I've done my configuration using these documents.
  now I just can't get past this error message I'm getting and I have no idea why this is happening.
  any ideas to help me get past this step, I'm really stuck here.
  also, I've tried vpn client version 5 and 4.8
  cisco ios version is:
  Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2007 by Cisco Systems, Inc.
  Compiled Wed 20-Jun-07 05:48 by prod_rel_team
  ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
  vision-router-01 uptime is 2 hours, 53 minutes
  System returned to ROM by power-on
  System image file is "flash:c2600-advipservicesk9-mz.124-16.bin"
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco 2621XM (MPC860P) processor (revision 1.0) with 127308K/3764K bytes of memory.
  Processor board ID JAD06350FM7
  M860 processor: part number 5, mask 2
  2 FastEthernet interfaces
  32K bytes of NVRAM.
  49152K bytes of processor board System flash (Read/Write)
  Configuration register is 0x2102
  here is my the config that's vpn related
  aaa authentication login MYTAC group tacacs+ local enable
  aaa authorization network GROUPAUTHOR local
  username someuser password 0 somepassword
  crypto isakmp policy 5
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp keepalive 10 periodic
  crypto isakmp client configuration group VTELVPN
  key cisco123
  dns 192.168.10.5
  domain xyz.com
  pool VTELVPNPOOL
  crypto ipsec transform-set VTELSET1 esp-aes esp-sha-hmac
  crypto dynamic-map VTELDYNAMAP 10
  set transform-set VTELSET1
  set identity thisrouter-01
  reverse-route
  crypto map VTELCLIENTMAP client authentication list MYTAC
  crypto map VTELCLIENTMAP isakmp authorization list GROUPAUTOHOR
  crypto map VTELCLIENTMAP client configuration address respond
  crypto map VTELCLIENTMAP 10 ipsec-isakmp dynamic VTELDYNAMAP
  interface Dialer1
  ip address negotiated
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  no cdp enable
  ppp chap hostname xxxxxx
  ppp chap password 7 hahahahohoho
  ppp pap sent-username xxxxxx password 7 hahahahohoho
  crypto map VTELCLIENTMAP
  ip local pool VTELVPNPOOL 192.168.6.3 192.168.6.254

  Hi
  Can you try assigning a static ip to the dialer interface and try checking out the vpn connectivity ?
  regds

• ASA 5505 VPN with backup route

  We are looking to set up a site-to-site VPN with a backup over a T1. We have a remote site with a  1841 router. This router has a PTP T1 back to a secondary location with a 2811. Due to location, the only option we had to get additional bandwidth was to have a cable modem installed. We want to set a site-to-site up to our primary location, with a backup route over the T1 in the event the cable modem goes down. We have an ASA 5505 at the remote location, and an ASA 5540 at the primary. In addition, we want to split the traffic across the two connections. Since the wireless controllers are anchored back to the secondary location, we want to send that traffic over the PTP T1 and the rest of the traffic over the VPN. We also need to have a backup route for the wireless traffic to send across the VPN in the event the T1 goes down.

  Go to this link and scroll down to  Site to Site VPN (L2L) with IOS  and Site to Site VPN (L2L) with ASA, you can use the links example depicting your scenario requirements, where one end is dynamic and other static for Ipsec L2L  IOS-to-ASA or ASA-to-IOS.
  The best solution obiosly is having  static IP addressing, make that clear with your client  , but  these exmaples are very good solution for your problem.
  Keep in mind that the DHCP dynamic side will  always be the initiator to  bring up the tunnel , not the static side.
  http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
  Regards