Remote Access VPN with existing site-to-site tunnel

Hi there!
I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from debugging IPsec and ISAKMP:
murasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
*Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
*Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
*Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
*Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATE
murasaki#
If I specify my key like a site-to-site VPN key like this:
crypto isakmp key xxx address 0.0.0.0
Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
Configuration:
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
hostname murasaki
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login client_vpn_authentication local
aaa authorization network default local
aaa authorization network client_vpn_authorization local
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
crypto pki trustpoint TP-self-signed-591984024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-591984024
 revocation-check none
 rsakeypair TP-self-signed-591984024
crypto pki trustpoint TP-self-signed-4045734018
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4045734018
 revocation-check none
 rsakeypair TP-self-signed-4045734018
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
object-group network CLOUD_SUBNETS
 description Azure subnet
 172.16.0.0 255.252.0.0
object-group network INTERNAL_LAN
 description All Internal subnets which should be allowed out to the Internet
 192.168.1.0 255.255.255.0
 192.168.20.0 255.255.255.0
username timothy privilege 15 secret 5 xxx
controller VDSL 0
ip ssh version 2
no crypto isakmp default policy
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address xxxx no-xauth
crypto isakmp client configuration group VPN_CLIENTS
 key xxx
 dns 192.168.1.24 192.168.1.20
 domain xxx
 pool Client-VPN-Pool
 acl CLIENT_VPN
crypto isakmp profile Client-VPN
 description Remote Client IPSec VPN
 match identity group VPN_CLIENTS
 client authentication list client_vpn_authentication
 isakmp authorization list client_vpn_authorization
 client configuration address respond
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
crypto dynamic-map ClientVPNCryptoMap 1
 set transform-set TRANS_3DES_SHA
 set isakmp-profile Client-VPN
 reverse-route
 qos pre-classify
crypto map AzureCryptoMap 12 ipsec-isakmp
 set peer xxxx
 set security-association lifetime kilobytes 102400000
 set transform-set AzureIPSec
 match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
bridge irb
interface ATM0
 mtu 1492
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface Ethernet0
 no ip address
 shutdown
interface FastEthernet0
 switchport mode trunk
 no ip address
interface FastEthernet1
 no ip address
 spanning-tree portfast
interface FastEthernet2
 switchport mode trunk
 no ip address
 spanning-tree portfast
interface FastEthernet3
 no ip address
interface GigabitEthernet0
 switchport mode trunk
 no ip address
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
interface Vlan1
 description Main LAN
 ip address 192.168.1.97 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group PORTS_ALLOWED_IN in
 ip flow ingress
 ip inspect normal_traffic out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1350
 dialer pool 1
 dialer-group 1
 ipv6 address autoconfig
 ipv6 enable
 ppp chap hostname xxx
 ppp chap password 7 xxx
 ppp ipcp route default
 no cdp enable
 crypto map AzureCryptoMap
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
ip access-list extended AzureEastUS
 permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
 remark List of ports which are allowed IN
 permit gre any any
 permit esp any any
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit tcp any any eq 55663
 permit udp any any eq 55663
 permit tcp any any eq 22
 permit tcp any any eq 5723
 permit tcp any any eq 1723
 permit tcp any any eq 443
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded
 deny ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
 deny tcp object-group INTERNAL_LAN any eq smtp
 deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
 permit tcp object-group INTERNAL_LAN any
 permit udp object-group INTERNAL_LAN any
 permit icmp object-group INTERNAL_LAN any
 deny ip any any
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
route-map NoNAT permit 10
 match ip address AzureEastUS CLIENT_VPN
route-map NoNAT permit 15
banner motd Welcome to Murasaki
line con 0
 privilege level 15
 no modem enable
line aux 0
line vty 0
 privilege level 15
 no activation-character
 transport preferred none
 transport input ssh
line vty 1 4
 privilege level 15
 transport input ssh
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
end
Any ideas on what I'm doing wrong?
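
Added example (not part of the original post and not Cisco tooling): a Python sketch that parses ISAKMP debug output in the format pasted above, tallies the rejection reasons the router logged, and lists the offered transforms whose encryption, key length, hash and DH group already equal a configured policy, so the logged mismatch concerns the authentication method only. The sample log is a constructed excerpt of the capture above; the CONFIGURED table is transcribed from the posted configuration, and SHA for policies 1 and 10 is an assumption (no hash line appears there, so the IOS default is used).

```python
import re
from collections import Counter

# Constructed excerpt of the debug output posted above: four of the checked
# transforms, with the lifetime and "atts are not acceptable" lines left out.
SAMPLE_LOG = """\
*Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|auth|hash|default group) (\S+)")
REASON = re.compile(r"ISAKMP:\(\d+\):\s*(.*does not match policy)")
KEYS = {"keylength of": "keylength", "default group": "group"}

# ISAKMP policies transcribed from the posted configuration. Policies 1 and 10
# show no "hash" line; SHA is assumed for them as the IOS default.
CONFIGURED = {
    1: {"encryption": "3DES-CBC", "hash": "SHA", "group": "2"},
    2: {"encryption": "3DES-CBC", "hash": "MD5", "group": "2"},
    10: {"encryption": "AES-CBC", "keylength": "256", "hash": "SHA", "group": "2"},
}


def parse_proposals(log):
    """Return one dict per 'Checking ISAKMP transform' block, with its logged reason."""
    proposals, current = [], None
    for line in log.splitlines():
        m = CHECK.search(line)
        if m:
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "offered": {}, "reason": None}
            proposals.append(current)
            continue
        if current is None:
            continue  # lines before the first proposal (vendor IDs etc.)
        m = ATTR.search(line)
        if m:
            current["offered"][KEYS.get(m.group(1), m.group(1))] = m.group(2)
            continue
        m = REASON.search(line)
        if m:
            current["reason"] = m.group(1)
    return proposals


def crypto_matches(proposal):
    """True when the offered encryption, key length, hash and DH group equal the
    configured policy of that priority, leaving only the auth method to differ."""
    want = CONFIGURED.get(proposal["priority"])
    return bool(want) and all(proposal["offered"].get(k) == v for k, v in want.items())


def summarize(log):
    proposals = parse_proposals(log)
    return {
        "reasons": Counter(p["reason"] for p in proposals),
        "auth_only": [(p["priority"], p["transform"], p["offered"].get("auth"), p["reason"])
                      for p in proposals if crypto_matches(p)],
        "no_key_peers": re.findall(r"No pre-shared key with (\S+?)!", log),
        "no_offers": "no offers accepted!" in log,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for reason, count in result["reasons"].most_common():
        print(f"{count:3d}  {reason}")
    for prio, transform, auth, reason in result["auth_only"]:
        print(f"policy {prio} / transform {transform}: offered auth {auth} -> {reason}")
```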

Hi Marius,
I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
*Oct  9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
*Oct  9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
*Oct  9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
*Oct  9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
*Oct  9 20:43:16: ISAKMP: local port 500, remote port 49727
*Oct  9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
*Oct  9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
*Oct  9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
*Oct  9 20:43:16: ISAKMP (0): ID payload
    next-payload : 13
    type         : 11
    group id     : timothy
    protocol     : 17
    port         : 500
    length       : 15
*Oct  9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct  9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): vendor ID is DPD
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
*Oct  9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct  9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): vendor ID is Unity
*Oct  9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct  9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct  9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
*Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct  9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
*Oct  9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
*Oct  9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct  9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct  9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
*Oct  9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
*Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Oct  9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
*Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY
*Oct  9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
*Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct  9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
*Oct  9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
*Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
*Oct  9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
*Oct  9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
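
The debug output above checks every transform the client offers against each local ISAKMP policy and logs the first attribute that does not match. The following Python parser is an added example, not part of the original post: it reads that output and reports, per policy, which offer got furthest and which attribute blocked it. The sample log is constructed and abridged, and the comparison order (encryption, hash, key length, auth) is an assumption inferred from the messages in the log above.

```python
import re

# Constructed, abridged sample in the format of the debug output above: two
# offered transforms checked against local policies 1 and 10 (group and
# lifetime lines omitted for brevity; the parser ignores them anyway).
SAMPLE_LOG = """\
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group|keylength of)\s+(\S+)")
# Rejection messages as they appear in the log, mapped to the failed attribute.
REASONS = [
    ("Encryption algorithm offered does not match", "encryption"),
    ("Hash algorithm offered does not match", "hash"),
    ("Proposed key length does not match", "keylength"),
    ("Xauth authentication by pre-shared key offered", "auth"),
    ("Preshared authentication offered", "auth"),
]
# Assumed comparison order, inferred from the log (for example AES/MD5/128
# against priority 10 reports the hash, not the key length).
STAGE_ORDER = ["encryption", "hash", "keylength", "auth"]


def parse_checks(log):
    """Return one record per 'transform vs. policy' comparison in the log."""
    checks, cur = [], None
    for line in log.splitlines():
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                   "attrs": {}, "failed_on": None, "accepted": False}
            checks.append(cur)
            continue
        if cur is None:
            continue  # lines before the first comparison
        m = ATTR.search(line)
        if m:
            key = m.group(1).replace(" of", "").replace("default ", "")
            cur["attrs"][key] = m.group(2)
        elif "atts are acceptable" in line:
            cur["accepted"] = True
        else:
            for text, stage in REASONS:
                if text in line:
                    cur["failed_on"] = stage
    return checks


def summarize(log):
    """Map policy priority -> (blocking attribute, closest transform numbers)."""
    best = {}
    for c in parse_checks(log):
        if c["accepted"]:
            depth = len(STAGE_ORDER)
        elif c["failed_on"] in STAGE_ORDER:
            depth = STAGE_ORDER.index(c["failed_on"])
        else:
            continue  # no recognised verdict for this comparison
        top = best.setdefault(c["priority"], {"depth": -1, "nums": []})
        if depth > top["depth"]:
            top["depth"], top["nums"] = depth, []
        if depth == top["depth"]:
            top["nums"].append(c["transform"])
    stages = STAGE_ORDER + ["accepted"]
    return {p: (stages[t["depth"]], t["nums"]) for p, t in sorted(best.items())}


if __name__ == "__main__":
    for prio, (stage, nums) in summarize(SAMPLE_LOG).items():
        print(f"policy {prio}: closest offer(s) {nums}, blocked on {stage}")
```

A policy whose closest offers are blocked only on `auth` already agrees with the client on encryption, hash and key length, so the authentication method is the setting to compare on both sides.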

Similar Messages

  • Remote access VPN with ASA 5510 using DHCP server

    Hi,
    Can someone please share their knowledge to help me find out why I am not able to receive an IP address on a remote access VPN connection, while I can get an IP address from the local DHCP pool?
    I am trying to set up a remote access VPN with an ASA 5510. It works with a local DHCP pool but doesn't seem to work when I try using an existing DHCP server. It is being tested in an internal network as follows:
    ASA Version 8.2(5)
    interface Ethernet0/1
      nameif inside
      security-level 100
      ip address 10.6.0.12 255.255.254.0
    ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
    route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface inside
    crypto isakmp enable inside
    crypto isakmp policy 1
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 43200
    vpn-addr-assign aaa
    vpn-addr-assign dhcp
    group-policy testgroup internal
    group-policy testgroup attributes
      dhcp-network-scope 10.6.192.1
      ipsec-udp enable
      ipsec-udp-port 10000
    username testlay password *********** encrypted
    tunnel-group testgroup type remote-access
    tunnel-group testgroup general-attributes
      default-group-policy testgroup
      dhcp-server 10.6.20.3
    tunnel-group testgroup ipsec-attributes
      pre-shared-key *****
    I got the following output when I test-connected to the ASA with Cisco VPN client 5.0:
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
    4024 bytes copied in 3.410 secs (1341 bytes/sec)
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: Group = testgroup, IP = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    [OK]
    kens-mgmt-012#
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
    Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
    Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
    Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
    Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Regards,
    Lay

    For RADIUS you need an aaa-server definition:
    aaa-server NPS-RADIUS protocol radius
    aaa-server NPS-RADIUS (inside) host 10.10.18.12
      key *****   
      authentication-port 1812
      accounting-port 1813
    and tell your tunnel-group to ask that server:
    tunnel-group VPN general-attributes
      authentication-server-group NPS-RADIUS LOCAL

  • Remote Access VPN with IPSec on a stick

    Hello there,
    I'm trying to establish a connection into the internet over a Remote Access VPN Tunnel.
    The VPN-Client connects to Cisco PIX via IPSec-Tunnel and then connects to any web-server on the internet over the IPSec Tunnel.
    This Connection is never established.
    Normal IPSec-Traffic is no problem. I think I've got a problem with NAT. Where do I have to configure the NAT Rule for the VPN-Clients - on the "INSIDE" iface???
    Other configurations like ACLs or "same-security-traffic permit intra-interface" are already done.
    Please help
    See ya
    Jens

    same-security-traffic permit intra-interface
    global (outside) 1 interface
    nat (outside) 1
    Make sure not to split tunnel, tunnel all traffic.

  • Remote access VPN with Cisco Router - Can not get the Internal Lan .

    Dear Sir,
    I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job. Please see the attachment for Scenario, Configuration and Ping status.
    I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN, 192.168.1.0. Need your help to solve the issue.
    Below are the IP addresses of the devices.
    Local PC (connected to Router-2 through MS Loopback): IP address 10.10.10.2, mask 255.255.255.0
    Router-2, F0/1: IP address 10.10.10.1, mask 255.255.255.0
    Router-2, F0/0: IP address 20.20.20.2, mask 255.255.255.0
    Router-1, F0/0: IP address 20.20.20.1, mask 255.255.255.0
    Router-1, F0/1: IP address 192.168.1.1, mask 255.255.255.0
    PC-01, F0/1: IP address 192.168.1.3, mask 255.255.255.0
    I can ping from the local PC to the networks 10.10.10.0 and 20.20.20.0. Please find the attached file for ping status. So connectivity is OK from my local PC to remote Routers 1 and 2.
    Through the Cisco remote VPN client, I can get connected to the VPN router R1 (please see the VPN Client pic), but I cannot ping the network 192.168.1.0.
    Need your help to fix the problem.
    Router R2 Configuration:
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip tcp synwait-time 5
    interface FastEthernet0/0
      ip address 20.20.20.2 255.255.255.0
      duplex auto
      speed auto
    interface FastEthernet0/1
      ip address 10.10.10.1 255.255.255.0
      duplex auto
      speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
    line aux 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
    line vty 0 4
      login
    end
    Router R1 Configuration:
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login USERAUTH local
    aaa authorization network NETAUTHORIZE local
    aaa session-id common
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    username vpnuser password 0 strongpassword
    ip tcp synwait-time 5
    crypto keyring vpnclientskey
      pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp policy 10
      encr 3des
      hash md5
      authentication pre-share
      group 2
    crypto isakmp client configuration group remotevpn
      key cisco123
      dns 192.168.1.2
      wins 192.168.1.2
      domain mycompany.com
      pool vpnpool
      acl VPN-ACL
    crypto isakmp profile remoteclients
      description remote access vpn clients
      keyring vpnclientskey
      match identity group remotevpn
      client authentication list USERAUTH
      isakmp authorization list NETAUTHORIZE
      client configuration address respond
    crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
    crypto dynamic-map DYNMAP 10
      set transform-set TRSET
      set isakmp-profile remoteclients
    crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
    interface FastEthernet0/0
      ip address 20.20.20.1 255.255.255.0
      ip nat outside
      ip virtual-reassembly
      duplex auto
      speed auto
      crypto map VPNMAP
    interface FastEthernet0/1
      ip address 192.168.1.1 255.255.255.0
      ip nat inside
      ip virtual-reassembly
      duplex auto
      speed auto
    ip local pool vpnpool 192.168.50.1 192.168.50.10
    ip forward-protocol nd
    ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
    ip access-list extended NAT-ACL
      deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
      permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended VPN-ACL
      permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    control-plane
    line con 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
    line aux 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
    line vty 0 4
    end

    Dear All,
    I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job.
    Please see the attachment for Scenario, Configuration and Ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN, 192.168.1.0. Need your help to solve the issue.
    Waiting for your response.
    --Milon

  • Remote access VPN with Softphone

    Dear all,
    I have configured a Remote Access VPN on a 5520 ASA and the users from outside are able to connect to this VPN successfully using VPN client version 5.3.
    The clients have a softphone (IP Phone) installed on their laptops, and when they make a call over the RA-VPN, the call is successfully made to the LAN, but when I dial a number outside the LAN (over the PSTN using the voice gateway) the call is initiated successfully (ring), but when the other side answers my call, I cannot hear him and he cannot hear me either. This situation lasts for 2 to 3 minutes, then we can hear each other.
    I have tried to sniff from the laptop side and found that the IP Phone sends RTP packets to the VG but it doesn't receive any until the 2 to 3 minutes pass.
    I also read that the stateful firewall from the VPN client could be the reason, so I have tried to disable it from the laptop side, but a message appeared that the firewall service is disabled.
    Any idea about this?
    Many thanks in advance.
    Mamoun

    Another firewall in between our LAN and the WAN was the problem.

  • Remote Access VPN to Site-to-Site VPN

    We have a remote access VPN and a site-to-site VPN. Both work fine except that clients of the remote access VPN can not access hosts on the site-to-site VPN.
    We are 10.5.5.0
    Site-to-Site VPN goes to 10.2.2.0
    Remote access clients can access anything on 10.5.5.0 but nothing on 10.2.2.0.
    What needs to be done to allow this to happen?

    Is this ASA/PIX 7?
    You need to add the traffic between the lans to the nat exemption and crypto acls on the firewalls.
    Headend Firewall
    same-security-traffic permit intra-interface
    access-list extended permit ip 10.2.2.0 255.255.255.0
    Remote Firewall
    access-list extended permit ip 10.2.2.0 255.255.255.0
    access-list extended permit ip 10.2.2.0 255.255.255.0
    Also, if you are split tunnelling you need to add the remote subnet to be tunneled.
    Please rate helpful posts.

  • Remote access Vpn issue

    Dear All,
    I have configured remote access VPN without using split tunnel. Everything is working fine. I can access all the inside networks which are allowed in the ACL.
    I am facing a strange issue now. I have created a pool for remote access VPN with a range 192.168.5.8/29. I can access my internal subnets 10.10.0.0/16.
    I have the below access-list for acl-in.
    access-list acl-in extended permit ip object-group vpnclients 192.168.5.8 255.255.255.248
    object-group network vpnclients
    network-object host 10.110.100.26
    network-object host 10.106.100.15
    network-object host 10.10.10.6
    network-object host 10.10.20.82
    network-object host 10.110.100.48
    network-object host 10.10.20.53
    network-object host 10.10.20.54
    network-object host 10.60.100.1
    network-object host 10.10.10.75
    network-object host 10.10.20.100
    network-object host 10.10.130.136
    network-object host 10.106.100.16
    network-object host 10.106.100.9
    network-object host 10.170.100.1
    network-object host 10.170.100.2
    network-object host 10.170.100.21
    network-object host 10.101.100.20
    network-object host 10.170.100.25
    So whichever IPs I have listed in the vpnclient group are able to access via RA VPN. The issue is that when I try to access the internal network 192.168.198.0/24, I am able to access it without adding it to the vpnclient group. Even for 192.168.197.0/24,192.168.197.0/24 the same. But 10.10.0.0/16 we can access only after adding it to the vpnclient group. Has anyone faced this issue before? Is this because of the same network, I mean 192.168.0.0, something like that? There is no other statement in acl-in for 192.168.0.0.
    Regards
    -Danesh Ahammad

    Hi,
    If I read correctly, you made the RA VPN "without" split tunnel, correct? If that is the case, all of the traffic will traverse the VPN connection (tunnel all), and the access-list "acl-in" is of no use to it.
    Try converting it to use split tunnel; I am sure that way you cannot access resources that are not mentioned in the list.
    ~Harry

  • ACS 5.0 and remote access VPN

    I have a problem authenticating a remote access VPN with ACS 5.0; it does not work.
    When I try with ACS 4.1, the authentication works fine.
    I hope someone can help me.
    Regards.

    I have the same problem. I'm using ASA v8.21 and ACS v5.0.0.21, which I'm using as TACACS and RADIUS server. I have no problem with accessing devices via TACACS (except that changing the password at first login doesn't work). The problem is with VPN authentication. I tested RADIUS with Radlogin and PAP is working fine; CHAP times out, but as far as I know ACS 5.0 doesn't support CHAP.
    Here are some logs from ASA:
    the end of debug crypto isakmp:
    Sep 04 15:01:35 [IKEv1]: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
    Sep 04 15:01:35 [IKEv1 DEBUG]: Deleting active auth handle during SA deletion: handle = 1844
    debug radius:
    Sep 04 2010 15:08:53: %ASA-7-713906: IP = X.X.X.X, Connection landed on tunnel_group radiusACS
    Sep 04 2010 15:08:53: %ASA-6-713172: Group = radiusACS, IP = X.X.X.X, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing blank hash payload
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing qm hash payload
    Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
    Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
    Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, process_attr(): Enter!
    Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, Processing MODE_CFG Reply attributes.
    Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, Authentication Failure: Unsupported server type!
    Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE TM V6 FSM error history (struct &0xa7b636a8)  , :  TM_DONE, EV_ERROR-->TM_AUTH, EV_DO_AUTH-->TM_WAIT_REPLY, EV_CHK_MSCHAPV2-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG
    Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE AM Responder FSM error history (struct &0xac417310)  , :  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
    Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE SA AM:f7beee8e terminating:  flags 0x0105c001, refcnt 0, tuncnt 0
    Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, sending delete/delete with reason message
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing blank hash payload
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing IKE delete payload
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing qm hash payload
    Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=e0cd7809) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Sep 04 2010 15:08:53: %ASA-3-713902: Group = radiusACS, Username = user1, IP = X.X.X.X, Removing peer from peer table failed, no match!
    Sep 04 2010 15:08:53: %ASA-4-713903: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
    Sep 04 2010 15:08:53: %ASA-7-715040: Deleting active auth handle during SA deletion: handle = 1861
    Sep 04 2010 15:08:53: %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
    Regards
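
Added example (not part of any post above, and not Cisco tooling): a small Python triage script for ASA IKEv1 debug output in the two line formats seen in the threads above. It reports, per user, whether XAUTH succeeded, the first logged failure message, and any `EV_*_FAIL` events in the FSM error history. The sample lines are shortened copies of log lines from this page; the function names and diagnosis strings are this example's own.

```python
import re

# Line shapes handled (both appear in the logs on this page):
#   Jan 16 15:39:39 [IKEv1]: Group = g, Username = u, IP = a, <message>
#   Sep 04 2010 15:08:53: %ASA-7-713906: Group = g, Username = u, IP = a, <message>
PREFIX = re.compile(
    r"^\s*(?P<ts>\w{3} \d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}):?\s+"
    r"(?:\[IKEv1(?: DEBUG)?\]|%ASA-\d-\d{6}):\s*(?P<rest>.*)$"
)
FIELD = re.compile(r"(Group|Username|IP) = ([^,]*), ")
FAIL_EVENT = re.compile(r"\bEV_\w*FAIL\b")

# Message text -> short diagnosis. Only messages seen on this page are listed;
# the diagnosis wording is this example's own.
CAUSES = [
    (re.compile(r"Cannot obtain an IP address for remote peer"),
     lambda m: "no address could be assigned to the client"),
    (re.compile(r"Authentication Failure: (.+)"),
     lambda m: "xauth failed: " + m.group(1).strip()),
]


def parse_line(line):
    """Split one log line into timestamp, Group/Username/IP fields and message."""
    m = PREFIX.match(line)
    if m is None:
        return None
    rest, fields = m.group("rest"), {}
    while True:
        f = FIELD.match(rest)  # fields are always a prefix of the message
        if f is None:
            break
        fields[f.group(1)] = f.group(2).strip()
        rest = rest[f.end():]
    return {"ts": m.group("ts"), "group": fields.get("Group", ""),
            "user": fields.get("Username", ""), "ip": fields.get("IP", ""),
            "msg": rest.strip()}


def triage(lines):
    """Return one summary per (group, user, ip), in order of first appearance."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["user"]:
            continue  # unparseable, or a line not yet tied to a user
        key = (rec["group"], rec["user"], rec["ip"])
        s = sessions.setdefault(key, {
            "group": rec["group"], "user": rec["user"], "ip": rec["ip"],
            "authenticated": False, "cause": None, "fail_events": [],
            "torn_down_at": None})
        msg = rec["msg"]
        if re.search(r"User \(.*\) authenticated\.", msg):
            s["authenticated"] = True
        if s["cause"] is None:  # keep the first failure message only
            for pattern, describe in CAUSES:
                hit = pattern.search(msg)
                if hit:
                    s["cause"] = describe(hit)
                    break
        if "FSM error history" in msg:
            for ev in FAIL_EVENT.findall(msg):
                if ev not in s["fail_events"]:
                    s["fail_events"].append(ev)
        if "IKE SA" in msg and "terminating" in msg:
            s["torn_down_at"] = rec["ts"]
    return list(sessions.values())


# Sample input: log lines from this page, with the FSM histories shortened.
_P1 = "Group = testgroup, Username = testlay, IP = 10.15.200.108, "
_P2 = "Group = radiusACS, Username = user1, IP = X.X.X.X, "
SAMPLE = [
    "Jan 16 15:39:26 [IKEv1]: " + _P1 + "User (testlay) authenticated.",
    "Jan 16 15:39:27 [IKEv1 DEBUG]: " + _P1
    + "MODE_CFG: Received request for IPV4 address!",
    "Jan 16 15:39:39 [IKEv1]: " + _P1
    + "Cannot obtain an IP address for remote peer",
    "Jan 16 15:39:39 [IKEv1 DEBUG]: " + _P1
    + "IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  "
      "TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent",
    "Jan 16 15:39:39 [IKEv1 DEBUG]: " + _P1
    + "IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  "
      "AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H",
    "Jan 16 15:39:39 [IKEv1 DEBUG]: " + _P1
    + "IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0",
    "Sep 04 2010 15:08:53: %ASA-7-713906: IP = X.X.X.X, "
    "Connection landed on tunnel_group radiusACS",
    "Sep 04 2010 15:08:53: %ASA-7-713906: " + _P2
    + "Authentication Failure: Unsupported server type!",
    "Sep 04 2010 15:08:53: %ASA-7-715065: " + _P2
    + "IKE AM Responder FSM error history (struct &0xac417310)  , :  "
      "AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H",
    "Sep 04 2010 15:08:53: %ASA-7-713906: " + _P2
    + "IKE SA AM:f7beee8e terminating:  flags 0x0105c001, refcnt 0, tuncnt 0",
    "Sep 04 2010 15:08:53: %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, "
    "Session disconnected. Session Type: , Duration: 0h:00m:00s",
]

if __name__ == "__main__":
    for s in triage(SAMPLE):
        print(s["group"], s["user"], s["ip"], "| xauth ok:", s["authenticated"],
              "| cause:", s["cause"], "| fail events:", ",".join(s["fail_events"]))
```

The two sample sessions separate cleanly: the first user passes XAUTH and fails at address assignment, the second never passes XAUTH.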

  • Easy VPN and remote access VPN

    Hi all,
    I have a pix running version 7.2, with two VPN connection:
    1- normal remote access vpn with cisco vpn client.
    2- easy vpn with another pix running version 6.3
    Both are working fine and I can access everything in the HQ network.
    The question is: I need to enable communication between the Cisco VPN client and that remote side which has the PIX Easy VPN.
    Please advise what kind of configuration we need.
    regards,
    hasan

    Take a look at this link for easy VPN configuration.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

  • Site to Site and Remote Access VPN

    Hi All,
        Is it possible to configure Site to Site and Remote Access VPN on same interface of Cisco ASA 5505 ?
    Regards
    Abhishek
    This topic first appeared in the Spiceworks Community

    A document exists where PIX/ASA maintains a LAN-to-LAN IPsec tunnel at two end points and there are overlapping networks at the inside interface of both ASAs. Probably, the basic configuration for both ASA and IOS routers is NAT config. So, this particular document might be useful for your requirement.
    PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

  • Problem with Remote Access VPN on ASA 5505

    I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
    The VPN client logs are as follows:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.2.9200
    2      15:09:21.240  12/11/12  Sev=Info/4    CM/0x63100002
    Begin connection process
    3      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100004
    Establish secure connection
    4      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100024
    Attempt connection with server "**.**.***.***"
    5      15:09:21.287  12/11/12  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with **.**.***.***.
    6      15:09:21.287  12/11/12  Sev=Info/4    IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    7      15:09:21.303  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
    8      15:09:21.365  12/11/12  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    9      15:09:21.334  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    10     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
    11     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    12     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    13     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    14     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    15     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports IKE fragmentation payloads
    16     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    17     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
    18     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    19     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0xFBCE, Remote Port = 0x1194
    20     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    21     15:09:21.334  12/11/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    22     15:09:21.365  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    23     15:09:21.365  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    24     15:09:21.365  12/11/12  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    25     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    26     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    27     15:09:27.319  12/11/12  Sev=Info/4    CM/0x63100017
    xAuth application returned
    28     15:09:27.319  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    29     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    30     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    31     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    32     15:09:27.365  12/11/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    33     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    34     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    35     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    36     15:09:27.397  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    37     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
    38     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    39     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
    40     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
    41     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
    42     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
    43     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    44     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
    45     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
    46     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    47     15:09:27.397  12/11/12  Sev=Info/4    CM/0x63100019
    Mode Config data received
    48     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
    49     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
    50     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    51     15:09:27.444  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
    52     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    53     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
    54     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    55     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
    56     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
    57     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000049
    Discarding IPsec SA negotiation, MsgID=CE99A8A8
    58     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
    59     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    60     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000058
    Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
    61     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
    62     15:09:27.490  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    63     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
    64     15:09:30.475  12/11/12  Sev=Info/4    CM/0x63100012
    Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    65     15:09:30.475  12/11/12  Sev=Info/5    CM/0x63100025
    Initializing CVPNDrv
    66     15:09:30.475  12/11/12  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 0.
    67     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x63000001
    IKE received signal to terminate VPN connection
    68     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    69     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    70     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    71     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x6370000A
    IPSec driver successfully stopped
    The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
    : Saved
    ASA Version 8.2(5)
    hostname NCHCO
    enable password hTjwXz/V8EuTw9p9 encrypted
    passwd hTjwXz/V8EuTw9p9 encrypted
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address **.**.***.*** 255.255.255.248
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list LAN_Access standard permit NCHCO 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0_outbound
    route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http **.**.***.*** 255.255.255.255 outside
    http 74.218.158.238 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set l2tp-transform mode transport
    crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    client-update enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value nchco.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Pool
    group-policy NCHVPN internal
    group-policy NCHVPN attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value NCHCO
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    pre-shared-key *****
    tunnel-group NCHVPN type remote-access
    tunnel-group NCHVPN general-attributes
    address-pool VPN_Pool
    default-group-policy NCHVPN
    tunnel-group NCHVPN ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:15852745977ff159ba808c4a4feb61fa
    : end
    asdm image disk0:/asdm-645.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    Anyone have any idea why this is happening?
    Thanks!
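A check that can be run over a configuration like the one in the post above (an added example, not part of the thread and not Cisco tooling): it reports which crypto maps are bound to an interface, which dynamic maps are reachable from a bound map, and which transform sets a peer can therefore negotiate. The names `audit_crypto_maps` and `WEAK_TOKENS` are hypothetical; the sample is an excerpt of the crypto lines from the first running configuration, with the SYSTEM_DEFAULT_CRYPTO_MAP and inside_map entries left out to keep it short.

```python
import re
from collections import defaultdict

# Excerpt of the crypto lines from the first running configuration posted above
# (SYSTEM_DEFAULT_CRYPTO_MAP and inside_map entries omitted for brevity).
SAMPLE_CONFIG = """\
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
"""

# The optional "ikev1 " covers the 8.4 syntax used in the second configuration.
TS_DEF = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
DYN_TS = re.compile(r"^crypto dynamic-map (\S+) \d+ set (?:ikev1 )?transform-set (.+)$")
MAP_TS = re.compile(r"^crypto map (\S+) \d+ set (?:ikev1 )?transform-set (.+)$")
MAP_DYN = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")
MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)$")

# Assumption: the algorithms treated as weak here; adjust to local policy.
WEAK_TOKENS = {"esp-des", "esp-md5-hmac"}


def audit_crypto_maps(config_text):
    """Summarise crypto map binding and reachable transform sets."""
    transforms = defaultdict(list)  # transform-set name -> algorithm/mode tokens
    dyn_sets = defaultdict(set)     # dynamic-map name -> transform-set names
    map_sets = defaultdict(set)     # crypto map name -> transform sets of static entries
    map_dyn = defaultdict(set)      # crypto map name -> dynamic maps it references
    bound = {}                      # crypto map name -> interface it is applied to

    for raw in config_text.splitlines():
        line = raw.strip()
        if m := TS_DEF.match(line):
            transforms[m.group(1)].extend(m.group(2).split())
        elif m := DYN_TS.match(line):
            dyn_sets[m.group(1)].update(m.group(2).split())
        elif m := MAP_TS.match(line):
            map_sets[m.group(1)].update(m.group(2).split())
        elif m := MAP_DYN.match(line):
            map_dyn[m.group(1)].add(m.group(2))
        elif m := MAP_IF.match(line):
            bound[m.group(1)] = m.group(2)

    reachable_dyn, reachable, weak = set(), {}, []
    for name, iface in bound.items():
        dyn = map_dyn.get(name, set())
        reachable_dyn |= dyn
        sets = set(map_sets.get(name, set()))
        for d in dyn:
            sets |= dyn_sets.get(d, set())
        # Transform sets a peer can be offered on this interface, with their tokens.
        reachable[iface] = {s: transforms.get(s, []) for s in sorted(sets)}
        for s, tokens in reachable[iface].items():
            weak += [(iface, s, t) for t in tokens if t in WEAK_TOKENS]

    return {
        "bound": bound,
        # Maps with entries but no "crypto map <name> interface <if>" line.
        "unbound_maps": sorted((set(map_sets) | set(map_dyn)) - set(bound)),
        # Dynamic maps that no interface-bound crypto map references.
        "unreachable_dynamic_maps": sorted(set(dyn_sets) - reachable_dyn),
        "reachable": reachable,
        "weak_reachable": sorted(weak),
    }


if __name__ == "__main__":
    for key, value in audit_crypto_maps(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the full `show running-config` output rather than the excerpt so that the SYSTEM_DEFAULT_CRYPTO_MAP entries are included in the result.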

    Thanks again for your reply, and sorry about the late response; I haven't gotten back to this issue until just now. I applied the above command as you specified, and unfortunately, it did not resolve the problem. Below are the logs from the VPN Client for the connection + attempted browsing of a network share that is behind the ASA, and the new running configuration.
    VPN Client Log:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.2.9200
    331    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100002
    Begin connection process
    332    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100004
    Establish secure connection
    333    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100024
    Attempt connection with server "69.61.228.178"
    334    13:11:41.362  12/17/12  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with 69.61.228.178.
    335    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    336    13:11:41.424  12/17/12  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    337    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
    338    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    339    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
    340    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    341    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    342    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    343    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    344    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports IKE fragmentation payloads
    345    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    346    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
    347    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    348    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0xD271, Remote Port = 0x1194
    349    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    350    13:11:41.393  12/17/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    351    13:11:41.424  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    352    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    353    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    354    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100017
    xAuth application returned
    355    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    356    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    357    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    358    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    359    13:11:41.456  12/17/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    360    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    361    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    362    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    363    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    364    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
    365    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    366    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
    367    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
    368    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
    369    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
    370    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000F
    SPLIT_NET #1
        subnet = 192.168.2.0
        mask = 255.255.255.0
        protocol = 0
        src port = 0
        dest port=0
    371    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
    372    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    373    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
    374    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
    375    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    376    13:11:41.502  12/17/12  Sev=Info/4    CM/0x63100019
    Mode Config data received
    377    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
    378    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
    379    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    380    13:11:41.534  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
    381    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    382    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
    383    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    384    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
    385    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 28800 seconds
    386    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
    387    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000059
    Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
    388    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000025
    Loaded OUTBOUND ESP SPI: 0xD2DBADEA
    389    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000026
    Loaded INBOUND ESP SPI: 0x14762837
    390    13:11:41.549  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    391    13:11:41.877  12/17/12  Sev=Info/6    CVPND/0x63400001
    Launch VAInst64 to control IPSec Virtual Adapter
    392    13:11:43.455  12/17/12  Sev=Info/4    CM/0x63100034
    The Virtual Adapter was enabled:
        IP=192.168.2.70/255.255.255.0
        DNS=192.168.2.1,8.8.8.8
        WINS=0.0.0.0,0.0.0.0
        Domain=NCHCO.local
        Split DNS Names=
    393    13:11:43.455  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      266
    394    13:11:47.517  12/17/12  Sev=Info/4    CM/0x63100038
    Successfully saved route changes to file.
    395    13:11:47.517  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
      69.61.228.178   255.255.255.255       192.168.1.1     192.168.1.162      100
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
        192.168.1.2   255.255.255.255     192.168.1.162     192.168.1.162      100
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
        192.168.2.0     255.255.255.0      192.168.2.70      192.168.2.70      266
        192.168.2.0     255.255.255.0       192.168.2.1      192.168.2.70      100
       192.168.2.70   255.255.255.255      192.168.2.70      192.168.2.70      266
      192.168.2.255   255.255.255.255      192.168.2.70      192.168.2.70      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0      192.168.2.70      192.168.2.70      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255      192.168.2.70      192.168.2.70      266
    396    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100036
    The routing table was updated for the Virtual Adapter
    397    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310001A
    One secure connection established
    398    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 192.168.1.162.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
    399    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 192.168.2.70.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
    400    13:11:47.517  12/17/12  Sev=Info/5    CM/0x63100001
    Did not find the Smartcard to watch for removal
    401    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    402    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    403    13:11:47.517  12/17/12  Sev=Info/6    IPSEC/0x6370002C
    Sent 109 packets, 0 were fragmented.
    404    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    405    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    406    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0xeaaddbd2 into key list
    407    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    408    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0x37287614 into key list
    409    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370002F
    Assigned VA private interface addr 192.168.2.70
    410    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700037
    Configure public interface: 192.168.1.162. SG: 69.61.228.178
    411    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 1.
    412    13:11:52.688  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    413    13:11:52.688  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476009
    414    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    415    13:11:52.704  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    416    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
    417    13:12:03.187  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    418    13:12:03.187  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476010
    419    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    420    13:12:03.202  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    421    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
    422    13:12:14.185  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    423    13:12:14.185  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476011
    424    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    425    13:12:14.201  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    426    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
    427    13:12:24.762  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    428    13:12:24.762  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476012
    429    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    430    13:12:24.778  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    431    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
    New running configuration:
    : Saved
    ASA Version 8.4(1)
    hostname NCHCO
    enable password hTjwXz/V8EuTw9p9 encrypted
    passwd hTjwXz/V8EuTw9p9 encrypted
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 69.61.228.178 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    object network NCHCO
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.64
    subnet 192.168.2.64 255.255.255.224
    object network obj-0.0.0.0
    subnet 0.0.0.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
    access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
    nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
    nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 69.61.228.178 255.255.255.255 outside
    http 74.218.158.238 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set l2tp-transform mode transport
    crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    crypto isakmp identity address
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto ikev1 policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    default-domain value nchco.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Pool
    group-policy NCHCO internal
    group-policy NCHCO attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value NCHCO_splitTunnelAcl_1
    default-domain value NCHCO.local
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group NCHCO type remote-access
    tunnel-group NCHCO general-attributes
    address-pool VPN_Pool
    default-group-policy NCHCO
    tunnel-group NCHCO ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
    : end
    asdm image disk0:/asdm-649.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    I'm at a loss myself as to why this isn't working, and I'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
    Thanks so much!
    Matthew
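
An added example, not part of the original post: a small audit of the crypto map lines in the configuration above. It relies on the fact that an ASA crypto map only takes effect on the interface it is applied to, and reports unbound maps, dynamic entries sequenced ahead of static ones, and dynamic maps reachable only through an unbound map. The function name `audit_crypto_maps` is hypothetical; the sample lines are an excerpt of the posted config.

```python
import re
from collections import defaultdict

# Excerpt of the crypto-map lines from the configuration posted above.
CONFIG = """\
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
"""

def audit_crypto_maps(config):
    """Return (bindings, findings) for the crypto map lines in an ASA config."""
    static = defaultdict(set)    # map name -> sequence numbers of static entries
    dynamic = defaultdict(dict)  # map name -> {sequence number: dynamic-map name}
    bindings = {}                # map name -> interface it is applied to
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bindings[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$", line):
            dynamic[m.group(1)][int(m.group(2))] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) (?:match|set) ", line):
            static[m.group(1)].add(int(m.group(2)))
    findings = []
    for name in sorted(set(static) | set(dynamic)):
        if name not in bindings:
            findings.append(f"{name}: not applied to any interface")
        for seq, dyn in sorted(dynamic[name].items()):
            later = sorted(s for s in static[name] if s > seq)
            if later:
                findings.append(f"{name}: dynamic entry {seq} ({dyn}) precedes static {later}")
    live = {d for n in bindings for d in dynamic[n].values()}
    for name in sorted(set(dynamic) - set(bindings)):
        for dyn in sorted(set(dynamic[name].values()) - live):
            findings.append(f"{dyn}: only referenced by unbound map {name}")
    return bindings, findings

if __name__ == "__main__":
    for finding in audit_crypto_maps(CONFIG)[1]:
        print(finding)
```

On this excerpt the audit reports that `vpn-map` is not applied to any interface, so `dyn-map` (the entry carrying `l2tp-transform` and `vpn-transform`) is only referenced by a map that is never consulted, while `outside_map` on `outside` offers remote clients only `outside_dyn_map` and `SYSTEM_DEFAULT_CRYPTO_MAP`.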

  • Remote Access VPN Users with CX Active Authentication.

    I have ASA 5515 with CX for webfiltering, also have enabled remote access VPN. All my inside users are able to get active and passive authentication correctly. But for remote access VPN users, they are redirected to ASA external IP and CX authentication port 9000 but a blank page comes in and there is no prompt for authentication. I wasn't doing split tunneling, but now I have excluded ASA WAN IP from the tunnel and still have the same issue.
    The CX version we have is 9.3.1.1

    Have you excluded the VPN traffic from being NATed when traffic is going between clients?
    Please post a full sanitised configuration of the router so we can check it for configuration issues.
    Please remember to select a correct answer and rate helpful posts

  • Remote Access VPN posturing with Cisco ISE 1.1.1

    Hi all,
    we would like to start using our ISE for Remote VPN access.
    We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
    That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
    I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
    We do intend to buy Cisco ASRs as well, but I am sceptical of this as I do not know how many VPN licenses you get out of the box. The ASAs we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
    I know ISRs are supported NADs but what about ASRs? There is no mention.
    Any advice will be appreciated!
    Mario

    OK, I have come across the Cisco Validated Design for BYOD and in there it has a section about Authenticating VPNs.
    That's great... however it does not mention using the Inline Posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
    Essentially my requirements are:
    - 2-factor authentication VPN using a Certificate & RSA Token
    - Posturing of the VPN endpoint.
    Ideally I would like to use IPSec VPNs as I have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
    Can anyone help?
    Mario

  • Remote Access VPN Design Sizing Values with Radius or PKI Stress Test

    Hello,
    We would like to guess about the maximum number of Remote Access VPN Clients (IPSEC or SSL VPN). The endpoint may be ISRG2 or ASA FW series. In the attached documents, the maximum numbers are given as a general guideline, but we think this number may decrease if Radius Authentication is used instead of Local User Authentication, or PKI is used. We don't want to underestimate or overestimate, and want to design with a 20% margin. Has any testing been done for these effects, wrt CPU, memory or similar router or firewall resources, or is there a method by which we can test this? Is there a tool or method with which we may simulate a number of Remote Access VPN Clients simultaneously (i.e. 500) for different authentication scenarios? We have found that IXVPN from Ixia or Load Runner from HP may be helpful, but complex to configure and use.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html
    Devices include a license for two Premium VPN users for evaluation and remote management purposes. The total concurrent IPsec and SSL (clientless and tunnel-based) VPN sessions may not exceed the maximum concurrent IPsec session count shown in the chart. The SSL/IPsec IKEv2 VPN session number (clientless or AnyConnect client) may also not exceed the number of licensed sessions on the device. The ASA 5580 supports greater simultaneous users than the ASA 5550 at comparable overall SSL VPN throughput to the ASA 5550. VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
    Thanks in Advance,
    Best Regards,

  • VM with remote access VPN without split tunneling

    Hello experts,
    I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they lose their access to their VM guest machines. This problem was not happening when they used Cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. (NOTE: I am using IPSEC IKEV2. NO SSL at this time).
    My Question to Experts:
    1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling, a security flaw in the old Cisco VPN client?
    2. Is there a way to maintain connectivity to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
    Thanks for your help,
    Razi

    Did you figure this out?
