Does ASA Service Module on 6509-E support Remote Access VPN ?
I'm having a problem configuring Remote Access VPN (SSL, Anyconnect ect.) on ASA Service Module on 6509-E. Is this even supported or am i wasting my time trying to make something work which will not work in a first place :) ? Site-to-Site works without any problems.
Tech Info:
6509-E running SUP 2T 15.1(2)SY
ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
Licenses on ASA:
Encryption-DES - Enabled
Encryption-3DES-AES -Enabled
Thanks in Advance for support.
Are you running multiple context mode?
If you are, remote access VPN is not supported in that case:
"Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
Reference.
Similar Messages
-
ASA Service module shut down and on automatically
hello,
i have a asa service module which is inserted on 6509 chassis.
This morning when i came to the office i have noticed my asa service module was restarted at last night but 6509 was up.
one more thing we dont have failover.only have single asa service module.
ASA SM version is 8.5
below is the failover history and details
ciscoasa up 17 hours 11 mins
------------------ show crashinfo ------------------
No crash file found.
------------------ show failover history ------------------
==========================================================================
<--- More --->
From State To State Reason
==========================================================================
14:28:40 UTC Apr 7 2013
Not Detected Disabled No Error
can any one tell me why this happend.
thanks in advanced
KhemHi,
Would seem to me that it would be best to check this through Cisco TAC to determine the cause.
It would seem though that no Crashinfo file was generated so thats kinda strange.
You should be able to confirm if the ASASM is set to save a crashinfo file with the command "show crashinfo save"
- Jouni -
ASA Service Module on 6500 montoring console session
We have 6500 with ASA Service Module
On 6500 how can we configure so that if someone logs in to the ASA Service Module and reboots the firewall we can have logs of it in syslog of switch .
Thanks for helpI hate to answer my own posts, but here it is. TAC tells us that there are 2 choices to make this work. Apparently the way that worked on an ISR and ISRG2 does not work on the 4000 series routers. I guess that's progress.
Option 1. Use a physical cable to connect one of the router's interfaces to one of the etherswitches interfaces and treat it just like the etherswitch is a seperate physical switch. I'm sure there is a use case for that but I'll not cover that here.
Option 2. Use the "service instance" feature on the router's internal interface to bind it to a new "BDI" virtual interface on the router. This is what we'll do.
On our router ethernet-internal 1/0/0 maps to Gi0/18 on the etherswitch, all internal to the box. The router will be10.0.0.1 and the switch will be 10.0.0.2.
Router:
interface Ethernet-Internal 1/0/0
service instance 1 ethernet
encapsulation dot1q 50
rewrite ingress tag pop 1
interface BDI 1
mtu 9216
ip address 10.0.0.1 255.255.255.0
Switch:
interface Gi0/18
switchport trunk vlan allowed 50
switchport mode trunk
vlan 50
name Egress vlan
interface vlan 50
ip address 10.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Then there are a million ways to design and configure the switch as a normal 3560X switch but that's beyond the scope of my question. -
Migrating from FWSM to ASA Service Module (ASASM)
I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
Thanks in advance.So long as the chassis has enough power to power these modules you are good.
Upto 4 FWSMs can be installed in a chassis.
Upto 4 ASA-SM modules can be installed in a chassis.
FWSM:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
• Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
ASA-SM
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
-Kureli
Checkout my breakout session at Cisco Live 2013, Orlando, Florida.
BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA
Room 314A Tuesday, June 25 3:00 PM - 4:30 PM -
Problem with Remote Access VPN on ASA 5505
I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
The VPN client logs are as follows:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
2 15:09:21.240 12/11/12 Sev=Info/4 CM/0x63100002
Begin connection process
3 15:09:21.287 12/11/12 Sev=Info/4 CM/0x63100004
Establish secure connection
4 15:09:21.287 12/11/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "**.**.***.***"
5 15:09:21.287 12/11/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
6 15:09:21.287 12/11/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 15:09:21.303 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
8 15:09:21.365 12/11/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
9 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
10 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
11 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
12 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
13 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
14 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
15 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
16 15:09:21.334 12/11/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
17 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
18 15:09:21.334 12/11/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
19 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xFBCE, Remote Port = 0x1194
20 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
21 15:09:21.334 12/11/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 15:09:21.365 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23 15:09:21.365 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24 15:09:21.365 12/11/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 15:09:21.474 12/11/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
26 15:09:21.474 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
27 15:09:27.319 12/11/12 Sev=Info/4 CM/0x63100017
xAuth application returned
28 15:09:27.319 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
29 15:09:27.365 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
30 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
31 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
32 15:09:27.365 12/11/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
33 15:09:27.365 12/11/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
34 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
35 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
36 15:09:27.397 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
37 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
38 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
39 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
40 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
41 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
42 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
43 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
44 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
45 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
46 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
47 15:09:27.397 12/11/12 Sev=Info/4 CM/0x63100019
Mode Config data received
48 15:09:27.412 12/11/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
49 15:09:27.412 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
50 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
51 15:09:27.444 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
52 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
53 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
54 15:09:27.459 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
55 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
56 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
57 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CE99A8A8
58 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59 15:09:27.459 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
60 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
61 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
62 15:09:27.490 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
63 15:09:30.475 12/11/12 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64 15:09:30.475 12/11/12 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
65 15:09:30.475 12/11/12 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
66 15:09:30.475 12/11/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
67 15:09:30.475 12/11/12 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
68 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
69 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
70 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
71 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
: Saved
ASA Version 8.2(5)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
boot system disk0:/asa825-k8.bin
ftp mode passive
access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit NCHCO 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHVPN internal
group-policy NCHVPN attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value NCHCO
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
pre-shared-key *****
tunnel-group NCHVPN type remote-access
tunnel-group NCHVPN general-attributes
address-pool VPN_Pool
default-group-policy NCHVPN
tunnel-group NCHVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:15852745977ff159ba808c4a4feb61fa
: end
asdm image disk0:/asdm-645.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Anyone have any idea why this is happening?
Thanks!Thanks again for your reply, and sorry about the late response, havent gotten back to this issue until just now. I applied the above command as you specified, and unfortunately, it did not resolve the problem. Below are the logs from the VPN Client for the connection + attempted browsing of a network share that is behind the ASA, and the new running configuration.
VPN Client Log:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
331 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100002
Begin connection process
332 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100004
Establish secure connection
333 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "69.61.228.178"
334 13:11:41.362 12/17/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 69.61.228.178.
335 13:11:41.362 12/17/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
336 13:11:41.424 12/17/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
337 13:11:41.362 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
338 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
339 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
340 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
341 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
342 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
343 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
344 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
345 13:11:41.393 12/17/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
346 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
347 13:11:41.393 12/17/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
348 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xD271, Remote Port = 0x1194
349 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
350 13:11:41.393 12/17/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
351 13:11:41.424 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
352 13:11:41.424 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
353 13:11:41.424 12/17/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
354 13:11:41.424 12/17/12 Sev=Info/4 CM/0x63100017
xAuth application returned
355 13:11:41.424 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
356 13:11:41.456 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
357 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
358 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
359 13:11:41.456 12/17/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
360 13:11:41.456 12/17/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
361 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
362 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
363 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
364 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
365 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
366 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
367 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
368 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
369 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
370 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.2.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
371 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
372 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
373 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
374 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
375 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
376 13:11:41.502 12/17/12 Sev=Info/4 CM/0x63100019
Mode Config data received
377 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
378 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
379 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
380 13:11:41.534 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
381 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
382 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
383 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
384 13:11:41.549 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
385 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
386 13:11:41.549 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
387 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
388 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xD2DBADEA
389 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x14762837
390 13:11:41.549 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
391 13:11:41.877 12/17/12 Sev=Info/6 CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
392 13:11:43.455 12/17/12 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.70/255.255.255.0
DNS=192.168.2.1,8.8.8.8
WINS=0.0.0.0,0.0.0.0
Domain=NCHCO.local
Split DNS Names=
393 13:11:43.455 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 266
394 13:11:47.517 12/17/12 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
395 13:11:47.517 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
69.61.228.178 255.255.255.255 192.168.1.1 192.168.1.162 100
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.2 255.255.255.255 192.168.1.162 192.168.1.162 100
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 266
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 266
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 266
396 13:11:47.517 12/17/12 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
397 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310001A
One secure connection established
398 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.1.162. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
399 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
400 13:11:47.517 12/17/12 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
401 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
402 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
403 13:11:47.517 12/17/12 Sev=Info/6 IPSEC/0x6370002C
Sent 109 packets, 0 were fragmented.
404 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
405 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
406 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xeaaddbd2 into key list
407 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
408 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x37287614 into key list
409 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
410 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 192.168.1.162. SG: 69.61.228.178
411 13:11:47.517 12/17/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
412 13:11:52.688 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
413 13:11:52.688 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476009
414 13:11:52.704 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
415 13:11:52.704 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
416 13:11:52.704 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
417 13:12:03.187 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
418 13:12:03.187 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476010
419 13:12:03.202 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
420 13:12:03.202 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
421 13:12:03.202 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
422 13:12:14.185 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
423 13:12:14.185 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476011
424 13:12:14.201 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
425 13:12:14.201 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
426 13:12:14.201 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
427 13:12:24.762 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
428 13:12:24.762 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476012
429 13:12:24.778 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
430 13:12:24.778 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
431 13:12:24.778 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
New running configuration:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
I'm at a loss myself as to why this isn't working, and i'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
Thanks so much!
Matthew -
ASA Remote Access VPN Clients - Multiple DNS Suffixes?
Hi community!
I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5).
We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the grouip policy.
I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clietns may ignore this option anyway.
Other than umanually configuring the clients , does anybody have any other suggestions on how we may get this to work?
Full marks for helpful posts!
Kind regards, Ash.Hi
I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
I have a remote access requirement for users from separate AD's to authenticate through an ASA.
I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
Regards -
Hi Guys
I have a problem with a Remote Access VPN on a ASA 5510 8.6.2
I have created a IPSEC Remote Access VPN through the wizard this is pretty much a base install on the ASA without much configuration.
I can connect to the ASA via the Remote Access client and get TX just no RX therefore i cannot access any of the LAN resources
here is a copy of the config any help would be appreciated.
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
interface Management0/0
nameif management
security-level 100
ip address 10.2.1.252 255.255.240.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name perfectdomain.perfect-image.co.uk
same-security-traffic permit inter-interface
object network Inside-Network
subnet 10.2.0.0 255.255.240.0
description Inside Network
object network NETWORK_OBJ_192.168.1.0_27
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network LOCAL_NETWORKS_VPN
access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any
access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside-Network Inside-Network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 4430
http 10.2.0.0 255.255.240.0 management
http 10.2.0.0 255.255.240.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.2.0.0 255.255.240.0 inside
telnet timeout 5
ssh 10.2.0.0 255.255.240.0 management
ssh 10.2.0.0 255.255.240.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.2.1.253-10.2.2.252 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAIPSECTUNNEL internal
group-policy RAIPSECTUNNEL attributes
dns-server value 10.2.1.7 10.2.1.8
vpn-tunnel-protocol ikev1
default-domain value perfectdomain.perfect-image.co.uk
username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
tunnel-group RAIPSECTUNNEL type remote-access
tunnel-group RAIPSECTUNNEL general-attributes
address-pool RAIPSECPOOL
default-group-policy RAIPSECTUNNEL
tunnel-group RAIPSECTUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:43c49a676e839e7821ff1473ddeaf90d
: end
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
interface Management0/0
nameif management
security-level 100
ip address 10.2.1.252 255.255.240.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name perfectdomain.perfect-image.co.uk
same-security-traffic permit inter-interface
object network Inside-Network
subnet 10.2.0.0 255.255.240.0
description Inside Network
object network NETWORK_OBJ_192.168.1.0_27
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network LOCAL_NETWORKS_VPN
access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any
access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside-Network Inside-Network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 4430
http 10.2.0.0 255.255.240.0 management
http 10.2.0.0 255.255.240.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.2.0.0 255.255.240.0 inside
telnet timeout 5
ssh 10.2.0.0 255.255.240.0 management
ssh 10.2.0.0 255.255.240.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.2.1.253-10.2.2.252 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAIPSECTUNNEL internal
group-policy RAIPSECTUNNEL attributes
dns-server value 10.2.1.7 10.2.1.8
vpn-tunnel-protocol ikev1
default-domain value perfectdomain.perfect-image.co.uk
username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
tunnel-group RAIPSECTUNNEL type remote-access
tunnel-group RAIPSECTUNNEL general-attributes
address-pool RAIPSECPOOL
default-group-policy RAIPSECTUNNEL
tunnel-group RAIPSECTUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:43c49a676e839e7821ff1473ddeaf90d
: endHi Jouni
Still not working I am afraid, here is the current running config, I have noticed when I connect via VPN client the default gateway address on the VPN client is 192.168.1.2 ?? anymore help would be appreciated
thank you
hostname PIFW01
domain-name perfectdomain.perfect-image.co.uk
enable password pBWHd.sDdzPIDYW/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.2.1.251 255.255.255.0
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address 212.135.154.130 255.255.255.252
interface Management0/0
nameif management
security-level 100
ip address 10.2.1.252 255.255.240.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name perfectdomain.perfect-image.co.uk
same-security-traffic permit inter-interface
object network Inside-Network
subnet 10.2.0.0 255.255.240.0
description Inside Network
object network NETWORK_OBJ_192.168.1.0_27
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network VPNPool
subnet 192.168.1.0 255.255.255.0
description VPNPool
object network VPN-POOL
subnet 192.168.1.0 255.255.255.0
object network LAN
subnet 10.2.1.0 255.255.255.0
access-list inside_access_in extended permit ip object LAN any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 212.135.154.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 4430
http 10.2.0.0 255.255.240.0 management
http 10.2.0.0 255.255.240.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.2.0.0 255.255.240.0 inside
telnet timeout 5
ssh 10.2.0.0 255.255.240.0 management
ssh 10.2.0.0 255.255.240.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.2.1.253-10.2.2.252 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAIPSECTUNNEL internal
group-policy RAIPSECTUNNEL attributes
dns-server value 10.2.1.7 10.2.1.8
vpn-tunnel-protocol ikev1
default-domain value perfectdomain.perfect-image.co.uk
username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
tunnel-group RAIPSECTUNNEL type remote-access
tunnel-group RAIPSECTUNNEL general-attributes
address-pool RAIPSECPOOL
default-group-policy RAIPSECTUNNEL
tunnel-group RAIPSECTUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f50aaad7c3ecaf94382ff0cc887bb5ac
: end -
Remote Access VPN Support in Multiple Context Mode (9.1(2))?
Hi Guys,
I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However seeing that the new IOS now support mixed multiple context mode and dynamic routing. Is it safe to ask whether or not Remote Access VPN is now support in this IOS upgrade?
Multiple Context Mode New Features:
Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
Regards,
LeonHey Leon,
According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
Regards,
Dennis -
Remote Access VPN on Cisco ASA Problem
Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
Problem is that my internet has stopped working, and default route is just showing stars.
i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
what additional required to force my internet to go to regular internet instead of getting encrypted?
Also attaching output of route print at the point when VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
Problem is that my internet has stopped working, and default route is just showing stars.
i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
what additional required to force my internet to go to regular internet instead of getting encrypted?
Also attaching output of route print at the point when VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276 -
Remote access VPN with ASA 5510 using DHCP server
Hi,
Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
ASA Version 8.2(5)
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign aaa
vpn-addr-assign dhcp
group-policy testgroup internal
group-policy testgroup attributes
dhcp-network-scope 10.6.192.1
ipsec-udp enable
ipsec-udp-port 10000
username testlay password *********** encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
default-group-policy testgroup
dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
I got following output when I test connect to ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Regards,
LayFor RADIUS you need a aaa-server-definition:
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.10.18.12
key *****
authentication-port 1812
accounting-port 1813
and tell your tunnel-group to ask that server:
tunnel-group VPN general-attributes
authentication-server-group NPS-RADIUS LOCAL
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients
Hi community,
I configured IPSec remote Access VPN in ASA, and remote client use Cisco VPN client to connect to the HQ. The VPN is working now, VPN clients can connect to Servers inside and IT's subnet, but from my PC or Servers inside LAN cannot ping or initial a RDP to connected VPN clients. Below is my configuration:
object-group network RemoteVPN_LocalNet
network-object 172.29.168.0 255.255.255.0
network-object 172.29.169.0 255.255.255.0
network-object 172.29.173.0 255.255.255.128
network-object 172.29.172.0 255.255.255.0
access-list Split_Tunnel remark The Corporation network behind ASA
access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set myset
crypto map mymap 65000 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
tunnel-group remotevpngroup type remote-access
tunnel-group remotevpngroup general-attributes
address-pool remotevpnpool
authentication-server-group MS_LDAP LOCAL
default-group-policy Split_Tunnel_Policy
I don't know what I miss in order to have internal LANs initial connection to connected vpn clients. Please guide me.
Thanks in advanced.Hi tranminhc,
Step 1: Create an object.
object network vpn_clients
subnet 10.88.61.0 mask 255.255.255.0
Step 2: Create a standard ACL.
access-list my-split standard permit ip object RemoteVPN_LocalNet
Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
Step 4: Create new nat exemption.
nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
Step 5: Apply ACL on the tunnel.
group-policy Split_Tunnel_Policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value my-split
Step 6:
I assume you have a default route on your inside L3 switch point back to ASA's inside address. If you don't have one.
Please add a default or add static route as shown below.
route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
Hope this helps.
Thanks
Rizwan Rafeek -
Remote Access VPN Problem with ASA 5505
After about ~1 year of having the Cisco VPN Client connecting to a ASA 5505 without any problems, suddenly one day it stops working. The client is able to get a connection to the ASA and browse the local network for only about 30 seconds after connection. After that, no access is available to the network behind the ASA. I tried everything that I can think of to try and troubleshoot the problem, but at this point I am just banging my head against a wall. Does anyone know what could cause this?
Here is the running cfg of the ASA
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http **.**.***.*** 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
And here is the logs from the Cisco VPN Client when it browses, then fails to browse the network behind the ASA:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 09:44:55.677 10/01/13 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
2 09:44:55.677 10/01/13 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
3 09:44:55.693 10/01/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
4 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100002
Begin connection process
5 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100004
Establish secure connection
6 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "**.**.***.***"
7 09:45:02.802 10/01/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
8 09:45:02.818 10/01/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
9 09:45:02.865 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
10 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
11 09:45:02.896 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
12 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
13 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
14 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
17 09:45:02.927 10/01/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
18 09:45:02.927 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
19 09:45:02.927 10/01/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20 09:45:02.927 10/01/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
21 09:45:02.927 10/01/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 09:45:02.943 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23 09:45:02.943 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24 09:45:02.943 10/01/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 09:45:03.037 10/01/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
26 09:45:03.037 10/01/13 Sev=Info/4 CM/0x63100017
xAuth application returned
27 09:45:03.037 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
28 09:45:03.037 10/01/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
29 09:45:03.037 10/01/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
30 09:45:03.083 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
31 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
32 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
33 09:45:03.083 10/01/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
34 09:45:03.083 10/01/13 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
35 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
36 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
37 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
38 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
39 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
40 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
41 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
42 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
43 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.2.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
45 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
46 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710
47 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
48 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
49 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
50 09:45:03.146 10/01/13 Sev=Info/4 CM/0x63100019
Mode Config data received
51 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
52 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
53 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
54 09:45:03.177 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
55 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
56 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
57 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
58 09:45:03.193 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
59 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
60 09:45:03.193 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to **.**.***.***
61 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=967A3C93 OUTBOUND SPI = 0xAAAF4C1C INBOUND SPI = 0x3EBEBFC5)
62 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xAAAF4C1C
63 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x3EBEBFC5
64 09:45:03.193 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
65 09:45:03.521 10/01/13 Sev=Info/6 CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
66 09:45:03.896 10/01/13 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.70/255.255.255.0
DNS=192.168.2.1,8.8.8.8
WINS=0.0.0.0,0.0.0.0
Domain=NCHCO.local
Split DNS Names=
67 09:45:03.912 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261
68 09:45:07.912 10/01/13 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
69 09:45:07.912 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
**.**.***.*** 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261
70 09:45:07.912 10/01/13 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
71 09:45:07.912 10/01/13 Sev=Info/4 CM/0x6310001A
One secure connection established
72 09:45:07.943 10/01/13 Sev=Info/4 CM/0x6310003B
Address watch added for 96.11.251.149. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73 09:45:07.943 10/01/13 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74 09:45:07.943 10/01/13 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
75 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
76 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
77 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x1c4cafaa into key list
78 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
79 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xc5bfbe3e into key list
80 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
81 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 96.11.251.149. SG: **.**.***.***
82 09:45:07.943 10/01/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
83 09:45:13.459 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
84 09:45:13.459 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205276
85 09:45:13.474 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
86 09:45:13.474 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
87 09:45:13.474 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205276, seq# expected = 107205276
88 09:45:15.959 10/01/13 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0x1c4cafaa for inbound key with SPI=0xc5bfbe3e
89 09:46:00.947 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
90 09:46:00.947 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205277
91 09:46:01.529 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
92 09:46:01.529 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
93 09:46:01.529 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205277, seq# expected = 107205277
94 09:46:11.952 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
95 09:46:11.952 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205278
96 09:46:11.979 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
97 09:46:11.979 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
98 09:46:11.979 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205278, seq# expected = 107205278
Any help would be appreciated, thanks!I made the change that you requested by moving the VPN pool to the 192.168.3.0 network. Unfortunately, now traffic isn't flowing to the inside network at all. I was going to make a specific route as you suggested, but as far as I can see the routes are already being created correctly on the VPN client's end.
Here is the route print off of the computer behind the (test) client:
===========================================================================
Interface List
21...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
10...00 15 5d 01 02 01 ......Microsoft Hyper-V Network Adapter
15...00 15 5d 01 02 02 ......Microsoft Hyper-V Network Adapter #2
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
69.61.228.178 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 On-link 96.11.251.149 261
96.11.251.149 255.255.255.255 On-link 96.11.251.149 261
96.11.251.255 255.255.255.255 On-link 96.11.251.149 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.3 261
192.168.1.3 255.255.255.255 On-link 192.168.1.3 261
192.168.1.255 255.255.255.255 On-link 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.3.1 192.168.3.70 100
192.168.3.0 255.255.255.0 On-link 192.168.3.70 261
192.168.3.70 255.255.255.255 On-link 192.168.3.70 261
192.168.3.255 255.255.255.255 On-link 192.168.3.70 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.3 261
224.0.0.0 240.0.0.0 On-link 96.11.251.149 261
224.0.0.0 240.0.0.0 On-link 192.168.3.70 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.3 261
255.255.255.255 255.255.255.255 On-link 96.11.251.149 261
255.255.255.255 255.255.255.255 On-link 192.168.3.70 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 96.11.251.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 1020 ::/0 2002:c058:6301::c058:6301
14 1020 ::/0 2002:c058:6301::1
1 306 ::1/128 On-link
14 1005 2002::/16 On-link
14 261 2002:600b:fb95::600b:fb95/128
On-link
15 261 fe80::/64 On-link
10 261 fe80::/64 On-link
21 261 fe80::/64 On-link
10 261 fe80::64ae:bae7:3dc0:c8c4/128
On-link
21 261 fe80::e9f7:e24:3147:bd/128
On-link
15 261 fe80::f116:2dfd:1771:125a/128
On-link
1 306 ff00::/8 On-link
15 261 ff00::/8 On-link
10 261 ff00::/8 On-link
21 261 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
And here is the updated running config in case you need it:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
access-list outside_specific_blocks extended deny ip host 121.168.66.35 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
ip local pool VPN_Split_Pool 192.168.3.70-192.168.3.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh 96.11.251.186 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Split_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Split_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Split_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9e8466cd318c0bd35bc660fa65ba7a03
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Thanks again for your help,
Matthew -
Active directory domain services stopped after removing routing and remote access role
Hello everyone;;
I am in deep trouble.. I did install routing and remote access and then lost connection to the server remotely. Then I connected a monitor to the server and removed the role... then it asked me to restart the server . After logging back in I found
all my active directory service has gone... I can see red cross on active directory domain services.. Also I am able to ping other pcs but other pcs cannot ping my server..
However when I go into the active directory services, it shows all services are running except file replication service. I have tried to start that service but it give error 1053 error..
My server in between loses LAN connection... I dont know what is going on.. Please help!!!
My server is win 2008 R2 ser pack 1
Only one DC....
Has fixed ip,
no DNS server running..Hi,
The File Replication Service Start Error 1053 error can be caused by damaged Windows system files. Corrupted system files entries can threaten the well-being of your computer. Many events can result in creating system file errors.
Please refer to the articles below to troubleshoot the issue:
File Replication Service Start Error 1053
http://repairerrors.net/file-replication-service-start-error-1053.html
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Regards,
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Multicast via Remotes Access VPN (ASA)
Hi all,
I have an ASA 5505 that I would like to use as a head end device for several customers to RA into so they can access our TEST network. The trouble is that the TEST net provides multicast video streams that my clients need to see. I am currently doing this with a Windows Server and Clients via L2TP. How can I do this with the ASA instead? I know IPSEC doesn't support multicast.....can anything be done?Hi,
Currently IPSec / Any connect doesn't support multicast over vpn tunnel. As you have now it is possible through L2TP with L2TP client / ASA / Windows Server or if you have IOS router it can be possible through DMVPN/GETVPN....
Regards
Karthik -
What is/are the best Remote Access/VPN services for my Mac system?
2009 Macbook Pro
2009 Macbook
2010 iMac
2 iPad 2s
2 iPhone 4s
Computers on Snow Leopard
iOS 5
Everything is updated
I want :
1. to have everything working together, with remote access from anywhere on the internet, file sharing, streaming & transfer.
2. the security of a VPN connection.
I will soon update my existing router w/an Airport Extreme. What VPN/Remote Access client(s) should I get? Is there one solution for both jobs, or do I need to get more than one service? I have looked at LogMeIn, Witopia. Thanks for the help.I've been down this road and settled on a much simpler solution...
VPNs are ok... but the performance is bad, they send TCP packets inside TCP packets... which is a bad thing, some connections completely break down. security is o-k, but openVPN is much better yet more complicated to set up. Also you have to go through all the mess of setting up the server.
I tried using VPNs for a while, and then instead settled with tunneling specific connections over ssh... it is more secure and elegant, there is no server setup, however it is not seemless.. you have to set up the connections/ports individually each time, this can get messy if you want access to lots of things at once.
I eventually came accross sshuttle, and this is what i have stuck with because it's just bloody great... it's like a VPN but uses SSH. So you don't have to set up a VPN server... you just need access to an ssh server (i.e your home mac with "remote login" (ssh) enabled, and your router to foward ssh requests to that machine).
not only do you not have to mess around with server configs, but it also give far better performance, stability, and the security of ssh (i.e whichever cypher you want). This is because unlike VPN, sshuttle pulls the TCP packets apart before sending them over SSH (which is allready using TCP) and then re-assembles them the other side with python. the result is comparably better performance and stability than VPN protocols.
you can route individual IPs from the servers subnet, or tell it to automatically find and merge all host names / IPs it can find with your current subnet.
Theory of Operation
sshuttle is not exactly a VPN, and not exactly port forwarding. It's kind of both, and kind of neither.
It's like a VPN, since it can forward every port on an entire network, not just ports you specify. Conveniently, it lets you use the "real" IP addresses of each host rather than faking port numbers on localhost.
On the other hand, the way it works is more like ssh port forwarding than a VPN. Normally, a VPN forwards your data one packet at a time, and doesn't care about individual connections; ie. it's "stateless" with respect to the traffic. sshuttle is the opposite of stateless; it tracks every single connection.
You could compare sshuttle to something like the old Slirp program, which was a userspace TCP/IP implementation that did something similar. But it operated on a packet-by-packet basis on the client side, reassembling the packets on the server side. That worked okay back in the "real live serial port" days, because serial ports had predictable latency and buffering.
But you can't safely just forward TCP packets over a TCP session (like ssh), because TCP's performance depends fundamentally on packet loss; it must experience packet loss in order to know when to slow down! At the same time, the outer TCP session (ssh, in this case) is a reliable transport, which means that what you forward through the tunnel never experiences packet loss. The ssh session itself experiences packet loss, of course, but TCP fixes it up and ssh (and thus you) never know the difference. But neither does your inner TCP session, and extremely screwy performance ensues.
sshuttle assembles the TCP stream locally, multiplexes it statefully over an ssh session, and disassembles it back into packets at the other end. So it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is safe.
Anyway, you can find it on github here https://github.com/apenwarr/sshuttle
if you uncomfortable using the command line, someone has also bundled it into an app here: https://github.com/apenwarr/sshuttle/commits/dist/macos
IMPORTANT, the latest version invokes a bug in one of apple's drivers after a while which causes a kernel panic, (this isn't the same as the bug where you have to reset your network interface like it says in the readme, this WILL cause a kernel panic) stick with version 0.53 untill ether Apple fixes the bug, or sshuttle stops antagonising it. 0.53 works perfectly at the moment. you can ether install git and clone the specific version or download the 0.53 app here instead:
http://mac.softpedia.com/progDownload/sshuttle-Download-97917.html
alternatively, if your loging in from linux there aren't any problems with 0.60 because the system would have different dirvers of course.
One last note... you said you wanted everything to work together, one thing that will not work over VPNs, SSH, and sshuttle is bojour... this is significant because things like AFP shares wont pop up automatically, you will have to specify them ... i.e command+k in finder and type AFP://192.168.0.x or VNC://192.168.0.x etc this is because none of these options support multicasting which bonjour requires. This isn't such a big deal so long as you know what services are available on your machine and how to manually connect to them (like i said above)
Maybe you are looking for
-
View/changes events in ical on multibel computers???
Can I make calender, that is avalibel for other users, on other macs to add. events in as well. ? I mean, is it polible to make a calender, that other peopel, ex. my freinds, will be abel to edit, add events ect. in, the same way that i am on my mac.
-
How can I use my external hard drive with my new (firewire-less) MacBook?
I read in another post that the available firewire adapters don't work for external hard drives. So how can I get my music, etc. off my external hard drive and onto my new computer?
-
Time Limit exceeded error in R & R queue
Hi, We are getting Time limit exceeded error in the R & R queue when we try to extract the data for a site. The error is happening with the message SALESDOCGEN_O_W. It is observed that whenever, the timelimit error is encountered, the possible soluti
-
Not able to post journal voucher because of unbalanced system currency
Hi I am not able to post journal voucher because of unbalanced system currency (the local currency is matching). what should be done, i have posted close to 70 entries!!!!! I am using SAP 2005B patch level 44 please help Thanks
-
Can't play videos on ipod classic
I'm unable to play mp4 videos on my iPod Classic. I can play them fine in my iTunes library on my computer, and they are loaded onto my iPod. But when I click to play the videos nothing happens (I get a black screen for a moment, then nothing). I'v