Does ASA Service Module on 6509-E support Remote Access VPN ?

I'm having a problem configuring Remote Access VPN (SSL, Anyconnect ect.) on ASA Service Module on 6509-E. Is this even supported or am i wasting my time trying to make something work which will not work in a first place :) ? Site-to-Site works without any problems.
Tech Info:
6509-E running SUP 2T 15.1(2)SY
ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
Licenses on ASA:
Encryption-DES - Enabled
Encryption-3DES-AES -Enabled
Thanks in Advance for support.

Are you running multiple context mode?
If you are, remote access VPN is not supported in that case:
"Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
Reference.

Similar Messages

ASA Service module shut down and on automatically

hello,
i have a asa service module which is inserted on 6509 chassis.
This morning when i came to the office i have noticed my asa service module was restarted at last night but 6509 was up.
one more thing we dont have failover.only have single asa service module.
ASA SM version is 8.5
below is the failover history and details
ciscoasa up 17 hours 11 mins
------------------ show crashinfo ------------------
No crash file found.
------------------ show failover history ------------------
==========================================================================
<--- More --->
From State To State Reason
==========================================================================
14:28:40 UTC Apr 7 2013
Not Detected Disabled No Error
can any one tell me why this happend.
thanks in advanced
Khem

Hi,
Would seem to me that it would be best to check this through Cisco TAC to determine the cause.
It would seem though that no Crashinfo file was generated so thats kinda strange.
You should be able to confirm if the ASASM is set to save a crashinfo file with the command "show crashinfo save"
- Jouni

ASA Service Module on 6500 montoring console session

We have 6500 with ASA Service Module
On 6500 how can we configure so that if someone logs in to the ASA Service Module and reboots the firewall we can have logs of it in syslog of switch .
Thanks for help

I hate to answer my own posts, but here it is. TAC tells us that there are 2 choices to make this work. Apparently the way that worked on an ISR and ISRG2 does not work on the 4000 series routers. I guess that's progress.
Option 1. Use a physical cable to connect one of the router's interfaces to one of the etherswitches interfaces and treat it just like the etherswitch is a seperate physical switch. I'm sure there is a use case for that but I'll not cover that here.
Option 2. Use the "service instance" feature on the router's internal interface to bind it to a new "BDI" virtual interface on the router. This is what we'll do.
On our router ethernet-internal 1/0/0 maps to Gi0/18 on the etherswitch, all internal to the box. The router will be10.0.0.1 and the switch will be 10.0.0.2.
Router:
interface Ethernet-Internal 1/0/0
service instance 1 ethernet
encapsulation dot1q 50
rewrite ingress tag pop 1
interface BDI 1
mtu 9216
ip address 10.0.0.1 255.255.255.0
Switch:
interface Gi0/18
switchport trunk vlan allowed 50
switchport mode trunk
vlan 50
name Egress vlan
interface vlan 50
ip address 10.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Then there are a million ways to design and configure the switch as a normal 3560X switch but that's beyond the scope of my question.

Migrating from FWSM to ASA Service Module (ASASM)

I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
Thanks in advance.

So long as the chassis has enough power to power these modules you are good.
Upto 4 FWSMs can be installed in a chassis.
Upto 4 ASA-SM modules can be installed in a chassis.
FWSM:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
• Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
ASA-SM
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
-Kureli
Checkout my breakout session at Cisco Live 2013, Orlando, Florida.
BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA
Room 314A Tuesday, June 25 3:00 PM - 4:30 PM

Problem with Remote Access VPN on ASA 5505

I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
The VPN client logs are as follows:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
2      15:09:21.240 12/11/12 Sev=Info/4    CM/0x63100002
Begin connection process
3      15:09:21.287 12/11/12 Sev=Info/4    CM/0x63100004
Establish secure connection
4      15:09:21.287 12/11/12 Sev=Info/4    CM/0x63100024
Attempt connection with server "**.**.***.***"
5      15:09:21.287 12/11/12 Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
6      15:09:21.287 12/11/12 Sev=Info/4    IKE/0x63000001
Starting IKE Phase 1 Negotiation
7      15:09:21.303 12/11/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
8      15:09:21.365 12/11/12 Sev=Info/6    GUI/0x63B00012
Authentication request attributes is 6h.
9      15:09:21.334 12/11/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
10     15:09:21.334 12/11/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
11     15:09:21.334 12/11/12 Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer
12     15:09:21.334 12/11/12 Sev=Info/5    IKE/0x63000001
Peer supports XAUTH
13     15:09:21.334 12/11/12 Sev=Info/5    IKE/0x63000001
Peer supports DPD
14     15:09:21.334 12/11/12 Sev=Info/5    IKE/0x63000001
Peer supports NAT-T
15     15:09:21.334 12/11/12 Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads
16     15:09:21.334 12/11/12 Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful
17     15:09:21.334 12/11/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
18     15:09:21.334 12/11/12 Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA
19     15:09:21.334 12/11/12 Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port = 0xFBCE, Remote Port = 0x1194
20     15:09:21.334 12/11/12 Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device
21     15:09:21.334 12/11/12 Sev=Info/4    CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22     15:09:21.365 12/11/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23     15:09:21.365 12/11/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24     15:09:21.365 12/11/12 Sev=Info/4    CM/0x63100015
Launch xAuth application
25     15:09:21.474 12/11/12 Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started
26     15:09:21.474 12/11/12 Sev=Info/4    IPSEC/0x63700014
Deleted all keys
27     15:09:27.319 12/11/12 Sev=Info/4    CM/0x63100017
xAuth application returned
28     15:09:27.319 12/11/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
29     15:09:27.365 12/11/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
30     15:09:27.365 12/11/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
31     15:09:27.365 12/11/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
32     15:09:27.365 12/11/12 Sev=Info/4    CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
33     15:09:27.365 12/11/12 Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator
34     15:09:27.365 12/11/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
35     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
36     15:09:27.397 12/11/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
37     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
38     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
39     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
40     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
41     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
42     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
43     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
44     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
45     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
46     15:09:27.397 12/11/12 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
47     15:09:27.397 12/11/12 Sev=Info/4    CM/0x63100019
Mode Config data received
48     15:09:27.412 12/11/12 Sev=Info/4    IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
49     15:09:27.412 12/11/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
50     15:09:27.444 12/11/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
51     15:09:27.444 12/11/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
52     15:09:27.444 12/11/12 Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
53     15:09:27.444 12/11/12 Sev=Info/5    IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
54     15:09:27.459 12/11/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
55     15:09:27.459 12/11/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
56     15:09:27.459 12/11/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
57     15:09:27.459 12/11/12 Sev=Info/4    IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CE99A8A8
58     15:09:27.459 12/11/12 Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59     15:09:27.459 12/11/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
60     15:09:27.459 12/11/12 Sev=Info/4    IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
61     15:09:27.459 12/11/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
62     15:09:27.490 12/11/12 Sev=Info/4    IPSEC/0x63700014
Deleted all keys
63     15:09:30.475 12/11/12 Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64     15:09:30.475 12/11/12 Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
65     15:09:30.475 12/11/12 Sev=Info/5    CM/0x63100025
Initializing CVPNDrv
66     15:09:30.475 12/11/12 Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.
67     15:09:30.475 12/11/12 Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection
68     15:09:30.475 12/11/12 Sev=Info/4    IPSEC/0x63700014
Deleted all keys
69     15:09:30.475 12/11/12 Sev=Info/4    IPSEC/0x63700014
Deleted all keys
70     15:09:30.475 12/11/12 Sev=Info/4    IPSEC/0x63700014
Deleted all keys
71     15:09:30.475 12/11/12 Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped
The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
: Saved
ASA Version 8.2(5)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
boot system disk0:/asa825-k8.bin
ftp mode passive
access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit NCHCO 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHVPN internal
group-policy NCHVPN attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value NCHCO
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
pre-shared-key *****
tunnel-group NCHVPN type remote-access
tunnel-group NCHVPN general-attributes
address-pool VPN_Pool
default-group-policy NCHVPN
tunnel-group NCHVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:15852745977ff159ba808c4a4feb61fa
: end
asdm image disk0:/asdm-645.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Anyone have any idea why this is happening?
Thanks!

Thanks again for your reply, and sorry about the late response, havent gotten back to this issue until just now. I applied the above command as you specified, and unfortunately, it did not resolve the problem. Below are the logs from the VPN Client for the connection + attempted browsing of a network share that is behind the ASA, and the new running configuration.
VPN Client Log:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
331    13:11:41.362 12/17/12 Sev=Info/4    CM/0x63100002
Begin connection process
332    13:11:41.362 12/17/12 Sev=Info/4    CM/0x63100004
Establish secure connection
333    13:11:41.362 12/17/12 Sev=Info/4    CM/0x63100024
Attempt connection with server "69.61.228.178"
334    13:11:41.362 12/17/12 Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 69.61.228.178.
335    13:11:41.362 12/17/12 Sev=Info/4    IKE/0x63000001
Starting IKE Phase 1 Negotiation
336    13:11:41.424 12/17/12 Sev=Info/6    GUI/0x63B00012
Authentication request attributes is 6h.
337    13:11:41.362 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
338    13:11:41.393 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
339    13:11:41.393 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
340    13:11:41.393 12/17/12 Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer
341    13:11:41.393 12/17/12 Sev=Info/5    IKE/0x63000001
Peer supports XAUTH
342    13:11:41.393 12/17/12 Sev=Info/5    IKE/0x63000001
Peer supports DPD
343    13:11:41.393 12/17/12 Sev=Info/5    IKE/0x63000001
Peer supports NAT-T
344    13:11:41.393 12/17/12 Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads
345    13:11:41.393 12/17/12 Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful
346    13:11:41.393 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
347    13:11:41.393 12/17/12 Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA
348    13:11:41.393 12/17/12 Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port = 0xD271, Remote Port = 0x1194
349    13:11:41.393 12/17/12 Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device
350    13:11:41.393 12/17/12 Sev=Info/4    CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
351    13:11:41.424 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
352    13:11:41.424 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
353    13:11:41.424 12/17/12 Sev=Info/4    CM/0x63100015
Launch xAuth application
354    13:11:41.424 12/17/12 Sev=Info/4    CM/0x63100017
xAuth application returned
355    13:11:41.424 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
356    13:11:41.456 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
357    13:11:41.456 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
358    13:11:41.456 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
359    13:11:41.456 12/17/12 Sev=Info/4    CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
360    13:11:41.456 12/17/12 Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator
361    13:11:41.456 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
362    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
363    13:11:41.502 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
364    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
365    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
366    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
367    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
368    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
369    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
370    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x6300000F
SPLIT_NET #1
    subnet = 192.168.2.0
    mask = 255.255.255.0
    protocol = 0
    src port = 0
    dest port=0
371    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
372    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
373    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
374    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
375    13:11:41.502 12/17/12 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
376    13:11:41.502 12/17/12 Sev=Info/4    CM/0x63100019
Mode Config data received
377    13:11:41.502 12/17/12 Sev=Info/4    IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
378    13:11:41.502 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
379    13:11:41.534 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
380    13:11:41.534 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
381    13:11:41.534 12/17/12 Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
382    13:11:41.534 12/17/12 Sev=Info/5    IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
383    13:11:41.549 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
384    13:11:41.549 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
385    13:11:41.549 12/17/12 Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
386    13:11:41.549 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
387    13:11:41.549 12/17/12 Sev=Info/5    IKE/0x63000059
Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
388    13:11:41.549 12/17/12 Sev=Info/5    IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xD2DBADEA
389    13:11:41.549 12/17/12 Sev=Info/5    IKE/0x63000026
Loaded INBOUND ESP SPI: 0x14762837
390    13:11:41.549 12/17/12 Sev=Info/5    CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
391    13:11:41.877 12/17/12 Sev=Info/6    CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
392    13:11:43.455 12/17/12 Sev=Info/4    CM/0x63100034
The Virtual Adapter was enabled:
    IP=192.168.2.70/255.255.255.0
    DNS=192.168.2.1,8.8.8.8
    WINS=0.0.0.0,0.0.0.0
    Domain=NCHCO.local
    Split DNS Names=
393    13:11:43.455 12/17/12 Sev=Info/5    CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
      224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      266
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      266
394    13:11:47.517 12/17/12 Sev=Info/4    CM/0x63100038
Successfully saved route changes to file.
395    13:11:47.517 12/17/12 Sev=Info/5    CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
69.61.228.178   255.255.255.255       192.168.1.1     192.168.1.162      100
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
    192.168.1.2   255.255.255.255     192.168.1.162     192.168.1.162      100
192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    192.168.2.0     255.255.255.0      192.168.2.70      192.168.2.70      266
    192.168.2.0     255.255.255.0       192.168.2.1      192.168.2.70      100
   192.168.2.70   255.255.255.255      192.168.2.70      192.168.2.70      266
192.168.2.255   255.255.255.255      192.168.2.70      192.168.2.70      266
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
      224.0.0.0         240.0.0.0      192.168.2.70      192.168.2.70      266
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
255.255.255.255   255.255.255.255      192.168.2.70      192.168.2.70      266
396    13:11:47.517 12/17/12 Sev=Info/6    CM/0x63100036
The routing table was updated for the Virtual Adapter
397    13:11:47.517 12/17/12 Sev=Info/4    CM/0x6310001A
One secure connection established
398    13:11:47.517 12/17/12 Sev=Info/4    CM/0x6310003B
Address watch added for 192.168.1.162. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
399    13:11:47.517 12/17/12 Sev=Info/4    CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
400    13:11:47.517 12/17/12 Sev=Info/5    CM/0x63100001
Did not find the Smartcard to watch for removal
401    13:11:47.517 12/17/12 Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started
402    13:11:47.517 12/17/12 Sev=Info/4    IPSEC/0x63700014
Deleted all keys
403    13:11:47.517 12/17/12 Sev=Info/6    IPSEC/0x6370002C
Sent 109 packets, 0 were fragmented.
404    13:11:47.517 12/17/12 Sev=Info/4    IPSEC/0x63700014
Deleted all keys
405    13:11:47.517 12/17/12 Sev=Info/4    IPSEC/0x63700010
Created a new key structure
406    13:11:47.517 12/17/12 Sev=Info/4    IPSEC/0x6370000F
Added key with SPI=0xeaaddbd2 into key list
407    13:11:47.517 12/17/12 Sev=Info/4    IPSEC/0x63700010
Created a new key structure
408    13:11:47.517 12/17/12 Sev=Info/4    IPSEC/0x6370000F
Added key with SPI=0x37287614 into key list
409    13:11:47.517 12/17/12 Sev=Info/4    IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
410    13:11:47.517 12/17/12 Sev=Info/4    IPSEC/0x63700037
Configure public interface: 192.168.1.162. SG: 69.61.228.178
411    13:11:47.517 12/17/12 Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 1.
412    13:11:52.688 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
413    13:11:52.688 12/17/12 Sev=Info/6    IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476009
414    13:11:52.704 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
415    13:11:52.704 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
416    13:11:52.704 12/17/12 Sev=Info/5    IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
417    13:12:03.187 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
418    13:12:03.187 12/17/12 Sev=Info/6    IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476010
419    13:12:03.202 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
420    13:12:03.202 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
421    13:12:03.202 12/17/12 Sev=Info/5    IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
422    13:12:14.185 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
423    13:12:14.185 12/17/12 Sev=Info/6    IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476011
424    13:12:14.201 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
425    13:12:14.201 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
426    13:12:14.201 12/17/12 Sev=Info/5    IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
427    13:12:24.762 12/17/12 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
428    13:12:24.762 12/17/12 Sev=Info/6    IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476012
429    13:12:24.778 12/17/12 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
430    13:12:24.778 12/17/12 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
431    13:12:24.778 12/17/12 Sev=Info/5    IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
New running configuration:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
I'm at a loss myself as to why this isn't working, and i'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
Thanks so much!
Matthew

ASA Remote Access VPN Clients - Multiple DNS Suffixes?

Hi community!
I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5).
We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the grouip policy.
I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clietns may ignore this option anyway.
Other than umanually configuring the clients , does anybody have any other suggestions on how we may get this to work?
Full marks for helpful posts!
Kind regards, Ash.

Hi
I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
I have a remote access requirement for users from separate AD's to authenticate through an ASA.
I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
Regards

Remote Access VPN ASA

Hi Guys
I have a problem with a Remote Access VPN on a ASA 5510 8.6.2
I have created a IPSEC Remote Access VPN through the wizard this is pretty much a base install on the ASA without much configuration.
I can connect to the ASA via the Remote Access client and get TX just no RX therefore i cannot access any of the LAN resources
here is a copy of the config any help would be appreciated.
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
interface Management0/0
nameif management
security-level 100
ip address 10.2.1.252 255.255.240.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name perfectdomain.perfect-image.co.uk
same-security-traffic permit inter-interface
object network Inside-Network
subnet 10.2.0.0 255.255.240.0
description Inside Network
object network NETWORK_OBJ_192.168.1.0_27
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network LOCAL_NETWORKS_VPN
access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any
access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside-Network Inside-Network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 4430
http 10.2.0.0 255.255.240.0 management
http 10.2.0.0 255.255.240.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.2.0.0 255.255.240.0 inside
telnet timeout 5
ssh 10.2.0.0 255.255.240.0 management
ssh 10.2.0.0 255.255.240.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.2.1.253-10.2.2.252 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAIPSECTUNNEL internal
group-policy RAIPSECTUNNEL attributes
dns-server value 10.2.1.7 10.2.1.8
vpn-tunnel-protocol ikev1
default-domain value perfectdomain.perfect-image.co.uk
username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
tunnel-group RAIPSECTUNNEL type remote-access
tunnel-group RAIPSECTUNNEL general-attributes
address-pool RAIPSECPOOL
default-group-policy RAIPSECTUNNEL
tunnel-group RAIPSECTUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:43c49a676e839e7821ff1473ddeaf90d
: end
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
interface Management0/0
nameif management
security-level 100
ip address 10.2.1.252 255.255.240.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name perfectdomain.perfect-image.co.uk
same-security-traffic permit inter-interface
object network Inside-Network
subnet 10.2.0.0 255.255.240.0
description Inside Network
object network NETWORK_OBJ_192.168.1.0_27
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network LOCAL_NETWORKS_VPN
access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any
access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside-Network Inside-Network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 4430
http 10.2.0.0 255.255.240.0 management
http 10.2.0.0 255.255.240.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.2.0.0 255.255.240.0 inside
telnet timeout 5
ssh 10.2.0.0 255.255.240.0 management
ssh 10.2.0.0 255.255.240.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.2.1.253-10.2.2.252 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAIPSECTUNNEL internal
group-policy RAIPSECTUNNEL attributes
dns-server value 10.2.1.7 10.2.1.8
vpn-tunnel-protocol ikev1
default-domain value perfectdomain.perfect-image.co.uk
username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
tunnel-group RAIPSECTUNNEL type remote-access
tunnel-group RAIPSECTUNNEL general-attributes
address-pool RAIPSECPOOL
default-group-policy RAIPSECTUNNEL
tunnel-group RAIPSECTUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:43c49a676e839e7821ff1473ddeaf90d
: end

Hi Jouni
Still not working I am afraid, here is the current running config, I have noticed when I connect via VPN client the default gateway address on the VPN client is 192.168.1.2 ?? anymore help would be appreciated
thank you
hostname PIFW01
domain-name perfectdomain.perfect-image.co.uk
enable password pBWHd.sDdzPIDYW/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.2.1.251 255.255.255.0
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address 212.135.154.130 255.255.255.252
interface Management0/0
nameif management
security-level 100
ip address 10.2.1.252 255.255.240.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name perfectdomain.perfect-image.co.uk
same-security-traffic permit inter-interface
object network Inside-Network
subnet 10.2.0.0 255.255.240.0
description Inside Network
object network NETWORK_OBJ_192.168.1.0_27
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network VPNPool
subnet 192.168.1.0 255.255.255.0
description VPNPool
object network VPN-POOL
subnet 192.168.1.0 255.255.255.0
object network LAN
subnet 10.2.1.0 255.255.255.0
access-list inside_access_in extended permit ip object LAN any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 212.135.154.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 4430
http 10.2.0.0 255.255.240.0 management
http 10.2.0.0 255.255.240.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.2.0.0 255.255.240.0 inside
telnet timeout 5
ssh 10.2.0.0 255.255.240.0 management
ssh 10.2.0.0 255.255.240.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.2.1.253-10.2.2.252 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAIPSECTUNNEL internal
group-policy RAIPSECTUNNEL attributes
dns-server value 10.2.1.7 10.2.1.8
vpn-tunnel-protocol ikev1
default-domain value perfectdomain.perfect-image.co.uk
username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
tunnel-group RAIPSECTUNNEL type remote-access
tunnel-group RAIPSECTUNNEL general-attributes
address-pool RAIPSECPOOL
default-group-policy RAIPSECTUNNEL
tunnel-group RAIPSECTUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f50aaad7c3ecaf94382ff0cc887bb5ac
: end

Remote Access VPN Support in Multiple Context Mode (9.1(2))?

Hi Guys,
I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However seeing that the new IOS now support mixed multiple context mode and dynamic routing. Is it safe to ask whether or not Remote Access VPN is now support in this IOS upgrade?
Multiple Context Mode New Features:
Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
Regards,
Leon

Hey Leon,
According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
Regards,
Dennis

Remote Access VPN on Cisco ASA Problem

Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
Problem is that my internet has stopped working, and default route is just showing stars.
i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
what additional required to force my internet to go to regular internet instead of getting encrypted?
Also attaching output of route print at the point when VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface Metric
          0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
          0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
       10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
     10.1.200.100 255.255.255.255         On-link      10.1.200.100    276
     10.1.200.255 255.255.255.255         On-link      10.1.200.100    276
    10.110.10.150 255.255.255.255       10.1.200.1     10.1.200.100    100
      10.111.36.0    255.255.255.0         On-link       10.111.36.9    276

Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
Problem is that my internet has stopped working, and default route is just showing stars.
i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
what additional required to force my internet to go to regular internet instead of getting encrypted?
Also attaching output of route print at the point when VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface Metric
          0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
          0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
       10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
     10.1.200.100 255.255.255.255         On-link      10.1.200.100    276
     10.1.200.255 255.255.255.255         On-link      10.1.200.100    276
    10.110.10.150 255.255.255.255       10.1.200.1     10.1.200.100    100
      10.111.36.0    255.255.255.0         On-link       10.111.36.9    276

Remote access VPN with ASA 5510 using DHCP server

Hi,
Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
ASA Version 8.2(5)
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign aaa
vpn-addr-assign dhcp
group-policy testgroup internal
group-policy testgroup attributes
dhcp-network-scope 10.6.192.1
ipsec-udp enable
ipsec-udp-port 10000
username testlay password *********** encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
default-group-policy testgroup
dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
I got following output when I test connect to ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode:        True Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Regards,
Lay

For RADIUS you need a aaa-server-definition:
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.10.18.12
key *****
authentication-port 1812
accounting-port 1813
and tell your tunnel-group to ask that server:
tunnel-group VPN general-attributes
authentication-server-group NPS-RADIUS LOCAL
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients

Hi community,
I configured IPSec remote Access VPN in ASA, and remote client use Cisco VPN client to connect to the HQ. The VPN is working now, VPN clients can connect to Servers inside and IT's subnet, but from my PC or Servers inside LAN cannot ping or initial a RDP to connected VPN clients. Below is my configuration:
object-group network RemoteVPN_LocalNet
network-object 172.29.168.0 255.255.255.0
network-object 172.29.169.0 255.255.255.0
network-object 172.29.173.0 255.255.255.128
network-object 172.29.172.0 255.255.255.0
access-list Split_Tunnel remark The Corporation network behind ASA
access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set myset
crypto map mymap 65000 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
tunnel-group remotevpngroup type remote-access
tunnel-group remotevpngroup general-attributes
address-pool remotevpnpool
authentication-server-group MS_LDAP LOCAL
default-group-policy Split_Tunnel_Policy
I don't know what I miss in order to have internal LANs initial connection to connected vpn clients. Please guide me.
Thanks in advanced.

Hi tranminhc,
Step 1: Create an object.
object network vpn_clients
subnet 10.88.61.0 mask 255.255.255.0
Step 2: Create a standard ACL.
access-list my-split standard permit ip object RemoteVPN_LocalNet
Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
Step 4: Create new nat exemption.
nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
Step 5: Apply ACL on the tunnel.
group-policy Split_Tunnel_Policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value my-split
Step 6:
I assume you have a default route on your inside L3 switch point back to ASA's inside address. If you don't have one.
Please add a default or add static route as shown below.
route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
Hope this helps.
Thanks
Rizwan Rafeek

Remote Access VPN Problem with ASA 5505

After about ~1 year of having the Cisco VPN Client connecting to a ASA 5505 without any problems, suddenly one day it stops working. The client is able to get a connection to the ASA and browse the local network for only about 30 seconds after connection. After that, no access is available to the network behind the ASA. I tried everything that I can think of to try and troubleshoot the problem, but at this point I am just banging my head against a wall. Does anyone know what could cause this?
Here is the running cfg of the ASA
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http **.**.***.*** 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
And here is the logs from the Cisco VPN Client when it browses, then fails to browse the network behind the ASA:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1      09:44:55.677 10/01/13 Sev=Info/6    CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
2      09:44:55.677 10/01/13 Sev=Info/6    CERT/0x63600027
Found a Certificate using Serial Hash.
3      09:44:55.693 10/01/13 Sev=Info/6    GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
4      09:45:02.802 10/01/13 Sev=Info/4    CM/0x63100002
Begin connection process
5      09:45:02.802 10/01/13 Sev=Info/4    CM/0x63100004
Establish secure connection
6      09:45:02.802 10/01/13 Sev=Info/4    CM/0x63100024
Attempt connection with server "**.**.***.***"
7      09:45:02.802 10/01/13 Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
8      09:45:02.818 10/01/13 Sev=Info/4    IKE/0x63000001
Starting IKE Phase 1 Negotiation
9      09:45:02.865 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
10     09:45:02.896 10/01/13 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
11     09:45:02.896 10/01/13 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
12     09:45:02.896 10/01/13 Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer
13     09:45:02.896 10/01/13 Sev=Info/5    IKE/0x63000001
Peer supports XAUTH
14     09:45:02.896 10/01/13 Sev=Info/5    IKE/0x63000001
Peer supports DPD
15     09:45:02.896 10/01/13 Sev=Info/5    IKE/0x63000001
Peer supports NAT-T
16     09:45:02.896 10/01/13 Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads
17     09:45:02.927 10/01/13 Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful
18     09:45:02.927 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
19     09:45:02.927 10/01/13 Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20     09:45:02.927 10/01/13 Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device
21     09:45:02.927 10/01/13 Sev=Info/4    CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22     09:45:02.943 10/01/13 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23     09:45:02.943 10/01/13 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24     09:45:02.943 10/01/13 Sev=Info/4    CM/0x63100015
Launch xAuth application
25     09:45:03.037 10/01/13 Sev=Info/6    GUI/0x63B00012
Authentication request attributes is 6h.
26     09:45:03.037 10/01/13 Sev=Info/4    CM/0x63100017
xAuth application returned
27     09:45:03.037 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
28     09:45:03.037 10/01/13 Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started
29     09:45:03.037 10/01/13 Sev=Info/4    IPSEC/0x63700014
Deleted all keys
30     09:45:03.083 10/01/13 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
31     09:45:03.083 10/01/13 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
32     09:45:03.083 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
33     09:45:03.083 10/01/13 Sev=Info/4    CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
34     09:45:03.083 10/01/13 Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator
35     09:45:03.083 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
36     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
37     09:45:03.146 10/01/13 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
38     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
39     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
40     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
41     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
42     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
43     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x6300000F
SPLIT_NET #1
    subnet = 192.168.2.0
    mask = 255.255.255.0
    protocol = 0
    src port = 0
    dest port=0
45     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
46     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710
47     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
48     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
49     09:45:03.146 10/01/13 Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
50     09:45:03.146 10/01/13 Sev=Info/4    CM/0x63100019
Mode Config data received
51     09:45:03.146 10/01/13 Sev=Info/4    IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
52     09:45:03.146 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
53     09:45:03.177 10/01/13 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
54     09:45:03.177 10/01/13 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
55     09:45:03.177 10/01/13 Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
56     09:45:03.177 10/01/13 Sev=Info/5    IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
57     09:45:03.193 10/01/13 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
58     09:45:03.193 10/01/13 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
59     09:45:03.193 10/01/13 Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
60     09:45:03.193 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to **.**.***.***
61     09:45:03.193 10/01/13 Sev=Info/5    IKE/0x63000059
Loading IPsec SA (MsgID=967A3C93 OUTBOUND SPI = 0xAAAF4C1C INBOUND SPI = 0x3EBEBFC5)
62     09:45:03.193 10/01/13 Sev=Info/5    IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xAAAF4C1C
63     09:45:03.193 10/01/13 Sev=Info/5    IKE/0x63000026
Loaded INBOUND ESP SPI: 0x3EBEBFC5
64     09:45:03.193 10/01/13 Sev=Info/5    CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       96.11.251.1     96.11.251.149      261
    96.11.251.0     255.255.255.0     96.11.251.149     96.11.251.149      261
96.11.251.149   255.255.255.255     96.11.251.149     96.11.251.149      261
96.11.251.255   255.255.255.255     96.11.251.149     96.11.251.149      261
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    192.168.1.0     255.255.255.0       192.168.1.3       192.168.1.3      261
    192.168.1.3   255.255.255.255       192.168.1.3       192.168.1.3      261
192.168.1.255   255.255.255.255       192.168.1.3       192.168.1.3      261
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0     96.11.251.149     96.11.251.149      261
      224.0.0.0         240.0.0.0       192.168.1.3       192.168.1.3      261
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255     96.11.251.149     96.11.251.149      261
255.255.255.255   255.255.255.255       192.168.1.3       192.168.1.3      261
65     09:45:03.521 10/01/13 Sev=Info/6    CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
66     09:45:03.896 10/01/13 Sev=Info/4    CM/0x63100034
The Virtual Adapter was enabled:
    IP=192.168.2.70/255.255.255.0
    DNS=192.168.2.1,8.8.8.8
    WINS=0.0.0.0,0.0.0.0
    Domain=NCHCO.local
    Split DNS Names=
67     09:45:03.912 10/01/13 Sev=Info/5    CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       96.11.251.1     96.11.251.149      261
    96.11.251.0     255.255.255.0     96.11.251.149     96.11.251.149      261
96.11.251.149   255.255.255.255     96.11.251.149     96.11.251.149      261
96.11.251.255   255.255.255.255     96.11.251.149     96.11.251.149      261
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    192.168.1.0     255.255.255.0       192.168.1.3       192.168.1.3      261
    192.168.1.3   255.255.255.255       192.168.1.3       192.168.1.3      261
192.168.1.255   255.255.255.255       192.168.1.3       192.168.1.3      261
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0     96.11.251.149     96.11.251.149      261
      224.0.0.0         240.0.0.0       192.168.1.3       192.168.1.3      261
      224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      261
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255     96.11.251.149     96.11.251.149      261
255.255.255.255   255.255.255.255       192.168.1.3       192.168.1.3      261
255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      261
68     09:45:07.912 10/01/13 Sev=Info/4    CM/0x63100038
Successfully saved route changes to file.
69     09:45:07.912 10/01/13 Sev=Info/5    CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       96.11.251.1     96.11.251.149      261
**.**.***.***   255.255.255.255       96.11.251.1     96.11.251.149      100
    96.11.251.0     255.255.255.0     96.11.251.149     96.11.251.149      261
96.11.251.149   255.255.255.255     96.11.251.149     96.11.251.149      261
96.11.251.255   255.255.255.255     96.11.251.149     96.11.251.149      261
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    192.168.1.0     255.255.255.0       192.168.1.3       192.168.1.3      261
    192.168.1.3   255.255.255.255       192.168.1.3       192.168.1.3      261
192.168.1.255   255.255.255.255       192.168.1.3       192.168.1.3      261
    192.168.2.0     255.255.255.0      192.168.2.70      192.168.2.70      261
    192.168.2.0     255.255.255.0       192.168.2.1      192.168.2.70      100
   192.168.2.70   255.255.255.255      192.168.2.70      192.168.2.70      261
192.168.2.255   255.255.255.255      192.168.2.70      192.168.2.70      261
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0     96.11.251.149     96.11.251.149      261
      224.0.0.0         240.0.0.0       192.168.1.3       192.168.1.3      261
      224.0.0.0         240.0.0.0      192.168.2.70      192.168.2.70      261
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255     96.11.251.149     96.11.251.149      261
255.255.255.255   255.255.255.255       192.168.1.3       192.168.1.3      261
255.255.255.255   255.255.255.255      192.168.2.70      192.168.2.70      261
70     09:45:07.912 10/01/13 Sev=Info/6    CM/0x63100036
The routing table was updated for the Virtual Adapter
71     09:45:07.912 10/01/13 Sev=Info/4    CM/0x6310001A
One secure connection established
72     09:45:07.943 10/01/13 Sev=Info/4    CM/0x6310003B
Address watch added for 96.11.251.149. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73     09:45:07.943 10/01/13 Sev=Info/4    CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74     09:45:07.943 10/01/13 Sev=Info/5    CM/0x63100001
Did not find the Smartcard to watch for removal
75     09:45:07.943 10/01/13 Sev=Info/4    IPSEC/0x63700014
Deleted all keys
76     09:45:07.943 10/01/13 Sev=Info/4    IPSEC/0x63700010
Created a new key structure
77     09:45:07.943 10/01/13 Sev=Info/4    IPSEC/0x6370000F
Added key with SPI=0x1c4cafaa into key list
78     09:45:07.943 10/01/13 Sev=Info/4    IPSEC/0x63700010
Created a new key structure
79     09:45:07.943 10/01/13 Sev=Info/4    IPSEC/0x6370000F
Added key with SPI=0xc5bfbe3e into key list
80     09:45:07.943 10/01/13 Sev=Info/4    IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
81     09:45:07.943 10/01/13 Sev=Info/4    IPSEC/0x63700037
Configure public interface: 96.11.251.149. SG: **.**.***.***
82     09:45:07.943 10/01/13 Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 1.
83     09:45:13.459 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
84     09:45:13.459 10/01/13 Sev=Info/6    IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205276
85     09:45:13.474 10/01/13 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
86     09:45:13.474 10/01/13 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
87     09:45:13.474 10/01/13 Sev=Info/5    IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205276, seq# expected = 107205276
88     09:45:15.959 10/01/13 Sev=Info/4    IPSEC/0x63700019
Activate outbound key with SPI=0x1c4cafaa for inbound key with SPI=0xc5bfbe3e
89     09:46:00.947 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
90     09:46:00.947 10/01/13 Sev=Info/6    IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205277
91     09:46:01.529 10/01/13 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
92     09:46:01.529 10/01/13 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
93     09:46:01.529 10/01/13 Sev=Info/5    IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205277, seq# expected = 107205277
94     09:46:11.952 10/01/13 Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
95     09:46:11.952 10/01/13 Sev=Info/6    IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205278
96     09:46:11.979 10/01/13 Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
97     09:46:11.979 10/01/13 Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
98     09:46:11.979 10/01/13 Sev=Info/5    IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205278, seq# expected = 107205278
Any help would be appreciated, thanks!

I made the change that you requested by moving the VPN pool to the 192.168.3.0 network. Unfortunately, now traffic isn't flowing to the inside network at all. I was going to make a specific route as you suggested, but as far as I can see the routes are already being created correctly on the VPN client's end.
Here is the route print off of the computer behind the (test) client:
===========================================================================
Interface List
21...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
10...00 15 5d 01 02 01 ......Microsoft Hyper-V Network Adapter
15...00 15 5d 01 02 02 ......Microsoft Hyper-V Network Adapter #2
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface Metric
          0.0.0.0          0.0.0.0      96.11.251.1    96.11.251.149    261
    69.61.228.178 255.255.255.255      96.11.251.1    96.11.251.149    100
      96.11.251.0    255.255.255.0         On-link     96.11.251.149    261
    96.11.251.149 255.255.255.255         On-link     96.11.251.149    261
    96.11.251.255 255.255.255.255         On-link     96.11.251.149    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1 255.255.255.255         On-link         127.0.0.1    306
127.255.255.255 255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    261
      192.168.1.3 255.255.255.255         On-link       192.168.1.3    261
    192.168.1.255 255.255.255.255         On-link       192.168.1.3    261
      192.168.2.0    255.255.255.0      192.168.3.1     192.168.3.70    100
      192.168.3.0    255.255.255.0         On-link      192.168.3.70    261
     192.168.3.70 255.255.255.255         On-link      192.168.3.70    261
    192.168.3.255 255.255.255.255         On-link      192.168.3.70    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.3    261
        224.0.0.0        240.0.0.0         On-link     96.11.251.149    261
        224.0.0.0        240.0.0.0         On-link      192.168.3.70    261
255.255.255.255 255.255.255.255         On-link         127.0.0.1    306
255.255.255.255 255.255.255.255         On-link       192.168.1.3    261
255.255.255.255 255.255.255.255         On-link     96.11.251.149    261
255.255.255.255 255.255.255.255         On-link      192.168.3.70    261
===========================================================================
Persistent Routes:
Network Address          Netmask Gateway Address Metric
          0.0.0.0          0.0.0.0      96.11.251.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
14   1020 ::/0                     2002:c058:6301::c058:6301
14   1020 ::/0                     2002:c058:6301::1
1    306 ::1/128                  On-link
14   1005 2002::/16                On-link
14    261 2002:600b:fb95::600b:fb95/128
                                    On-link
15    261 fe80::/64                On-link
10    261 fe80::/64                On-link
21    261 fe80::/64                On-link
10    261 fe80::64ae:bae7:3dc0:c8c4/128
                                    On-link
21    261 fe80::e9f7:e24:3147:bd/128
                                    On-link
15    261 fe80::f116:2dfd:1771:125a/128
                                    On-link
1    306 ff00::/8                 On-link
15    261 ff00::/8                 On-link
10    261 ff00::/8                 On-link
21    261 ff00::/8                 On-link
===========================================================================
Persistent Routes:
None
And here is the updated running config in case you need it:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
access-list outside_specific_blocks extended deny ip host 121.168.66.35 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
ip local pool VPN_Split_Pool 192.168.3.70-192.168.3.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh 96.11.251.186 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Split_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Split_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Split_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9e8466cd318c0bd35bc660fa65ba7a03
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Thanks again for your help,
Matthew

Active directory domain services stopped after removing routing and remote access role

Hello everyone;;
I am in deep trouble.. I did install routing and remote access and then lost connection to the server remotely. Then I connected a monitor to the server and removed the role... then it asked me to restart the server . After logging back in I found
all my active directory service has gone... I can see red cross on active directory domain services.. Also I am able to ping other pcs but other pcs cannot ping my server..
However when I go into the active directory services, it shows all services are running except file replication service. I have tried to start that service but it give error 1053 error..
My server in between loses LAN connection... I dont know what is going on.. Please help!!!
My server is win 2008 R2 ser pack 1
Only one DC....
Has fixed ip,
no DNS server running..

Hi,
The File Replication Service Start Error 1053 error can be caused by damaged Windows system files. Corrupted system files entries can threaten the well-being of your computer. Many events can result in creating system file errors.
Please refer to the articles below to troubleshoot the issue:
File Replication Service Start Error 1053
http://repairerrors.net/file-replication-service-start-error-1053.html
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Regards,
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Multicast via Remotes Access VPN (ASA)

Hi all,
I have an ASA 5505 that I would like to use as a head end device for several customers to RA into so they can access our TEST network. The trouble is that the TEST net provides multicast video streams that my clients need to see. I am currently doing this with a Windows Server and Clients via L2TP. How can I do this with the ASA instead? I know IPSEC doesn't support multicast.....can anything be done?

Hi,
Currently IPSec / Any connect doesn't support multicast over vpn tunnel. As you have now it is possible through L2TP with L2TP client / ASA / Windows Server or if you have IOS router it can be possible through DMVPN/GETVPN....
Regards
Karthik

What is/are the best Remote Access/VPN services for my Mac system?

2009 Macbook Pro
2009 Macbook
2010 iMac
2 iPad 2s
2 iPhone 4s
Computers on Snow Leopard
iOS 5
Everything is updated
I want :
1. to have everything working together, with remote access from anywhere on the internet, file sharing, streaming & transfer.
2. the security of a VPN connection.
I will soon update my existing router w/an Airport Extreme. What VPN/Remote Access client(s) should I get? Is there one solution for both jobs, or do I need to get more than one service? I have looked at LogMeIn, Witopia. Thanks for the help.

I've been down this road and settled on a much simpler solution...
VPNs are ok... but the performance is bad, they send TCP packets inside TCP packets... which is a bad thing, some connections completely break down. security is o-k, but openVPN is much better yet more complicated to set up. Also you have to go through all the mess of setting up the server.
I tried using VPNs for a while, and then instead settled with tunneling specific connections over ssh... it is more secure and elegant, there is no server setup, however it is not seemless.. you have to set up the connections/ports individually each time, this can get messy if you want access to lots of things at once.
I eventually came accross sshuttle, and this is what i have stuck with because it's just bloody great... it's like a VPN but uses SSH. So you don't have to set up a VPN server... you just need access to an ssh server (i.e your home mac with "remote login" (ssh) enabled, and your router to foward ssh requests to that machine).
not only do you not have to mess around with server configs, but it also give far better performance, stability, and the security of ssh (i.e whichever cypher you want). This is because unlike VPN, sshuttle pulls the TCP packets apart before sending them over SSH (which is allready using TCP) and then re-assembles them the other side with python. the result is comparably better performance and stability than VPN protocols.
you can route individual IPs from the servers subnet, or tell it to automatically find and merge all host names / IPs it can find with your current subnet.
Theory of Operation
sshuttle is not exactly a VPN, and not exactly port forwarding. It's kind of both, and kind of neither.
It's like a VPN, since it can forward every port on an entire network, not just ports you specify. Conveniently, it lets you use the "real" IP addresses of each host rather than faking port numbers on localhost.
On the other hand, the way it works is more like ssh port forwarding than a VPN. Normally, a VPN forwards your data one packet at a time, and doesn't care about individual connections; ie. it's "stateless" with respect to the traffic. sshuttle is the opposite of stateless; it tracks every single connection.
You could compare sshuttle to something like the old Slirp program, which was a userspace TCP/IP implementation that did something similar. But it operated on a packet-by-packet basis on the client side, reassembling the packets on the server side. That worked okay back in the "real live serial port" days, because serial ports had predictable latency and buffering.
But you can't safely just forward TCP packets over a TCP session (like ssh), because TCP's performance depends fundamentally on packet loss; it must experience packet loss in order to know when to slow down! At the same time, the outer TCP session (ssh, in this case) is a reliable transport, which means that what you forward through the tunnel never experiences packet loss. The ssh session itself experiences packet loss, of course, but TCP fixes it up and ssh (and thus you) never know the difference. But neither does your inner TCP session, and extremely screwy performance ensues.
sshuttle assembles the TCP stream locally, multiplexes it statefully over an ssh session, and disassembles it back into packets at the other end. So it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is safe.
Anyway, you can find it on github here https://github.com/apenwarr/sshuttle
if you uncomfortable using the command line, someone has also bundled it into an app here: https://github.com/apenwarr/sshuttle/commits/dist/macos
IMPORTANT, the latest version invokes a bug in one of apple's drivers after a while which causes a kernel panic, (this isn't the same as the bug where you have to reset your network interface like it says in the readme, this WILL cause a kernel panic) stick with version 0.53 untill ether Apple fixes the bug, or sshuttle stops antagonising it. 0.53 works perfectly at the moment. you can ether install git and clone the specific version or download the 0.53 app here instead:
http://mac.softpedia.com/progDownload/sshuttle-Download-97917.html
alternatively, if your loging in from linux there aren't any problems with 0.60 because the system would have different dirvers of course.
One last note... you said you wanted everything to work together, one thing that will not work over VPNs, SSH, and sshuttle is bojour... this is significant because things like AFP shares wont pop up automatically, you will have to specify them ... i.e command+k in finder and type AFP://192.168.0.x or VNC://192.168.0.x etc this is because none of these options support multicasting which bonjour requires. This isn't such a big deal so long as you know what services are available on your machine and how to manually connect to them (like i said above)

Does ASA Service Module on 6509-E support Remote Access VPN ?

Similar Messages

Maybe you are looking for