Advertisement

07.11.2007 at 07:20AM PDT, ID: 22688804 | Points: 500
[x]
Attachment Details

ASA 5505 VPN Client Issues

Asked by mtproviders in Networking Hardware Firewalls, Virtual Private Networking (VPN), Cisco PIX Firewall

Tags: , , ,

My ASA configuration is below. The VPN client connects and authenticates with my SBS but then just dies off. In the VPN Client log, I see a "Received an ISAKMP message for a non-active SA". Anyone have an idea of why this is?

: Saved
:
ASA Version 7.2(2)
!
hostname ********
domain-name ********
enable password 862W3vQn3V6g/Zdu encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.168 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ******** 255.255.255.248
!
interface Vlan3
 shutdown
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ********
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network smtp_hosts_allowed
 network-object ******** 255.255.255.240
 network-object ******** 255.255.255.240
 network-object ******** 255.255.240.0
 network-object ******** 255.255.240.0
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp object-group smtp_hosts_allowed interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat_outbound extended permit ip any any
access-list NYOFFICEVPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_inside_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.224
access-list NYAPTVPN extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool LSAVPNPool 192.168.20.1-192.168.20.20 mask 255.255.255.0
no failover  
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list inside_nat_outbound_1
static (inside,outside) tcp interface smtp 192.168.1.150 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.150 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.150 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ******** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
 port-forward PAT smtp 192.168.1.150 smtp SMTP Forwarding
 port-forward PAT https 192.168.1.150 https HTTPS Forwarding
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server WindowsIAS protocol radius
aaa-server WindowsIAS host 192.168.1.150
 key ********
 radius-common-pw ********
group-policy LSAVPNGroup internal
group-policy LSAVPNGroup attributes
 wins-server value 192.168.1.150
 dns-server value 192.168.1.150
 vpn-tunnel-protocol IPSec
 default-domain value LSA.local
username LEWIS01 password iIv/j6l3cgkB.VgW encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http ******** 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set myset2
crypto dynamic-map dynmap 40 set pfs
crypto dynamic-map dynmap 40 set transform-set ESP-3DES-SHA
crypto map mymap 7 match address NYOFFICEVPN
crypto map mymap 7 set peer ********
crypto map mymap 7 set transform-set myset2
crypto map mymap 8 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 18000
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  40
tunnel-group ******** type ipsec-l2l
tunnel-group ******** ipsec-attributes
 pre-shared-key *
tunnel-group ******** type ipsec-l2l
tunnel-group ******** ipsec-attributes
 pre-shared-key *
tunnel-group LSAVPNGroup type ipsec-ra
tunnel-group LSAVPNGroup general-attributes
 address-pool LSAVPNPool
 authentication-server-group WindowsIAS
 default-group-policy LSAVPNGroup
tunnel-group LSAVPNGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
telnet timeout 5
ssh ******** 255.255.255.0 inside
ssh ******** 255.255.255.255 outside
ssh ******** 255.255.255.255 outside
ssh ******** 255.255.255.252 outside
ssh ******** 255.255.255.255 outside
ssh ******** 255.255.255.255 outside
ssh ******** 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
class-map inspection-default
class-map inspection_default
class-map traffic
 match any
!
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
ntp server ******** source outside
prompt hostname context
Cryptochecksum:b7b8b83e20b50247c76357526c639eb3
: endStart Free Trial
[+][-]07.11.2007 at 09:17AM PDT, ID: 19464099

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]07.11.2007 at 11:16AM PDT, ID: 19465170

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]07.11.2007 at 11:19AM PDT, ID: 19465201

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
 
Loading Advertisement...
20080716-EE-VQP-32