Help with a Cisco client connecting to an ASA remote vpn server

Asked by robclarke41 in Networking Hardware Firewalls, Virtual Private Networking (VPN), Network Routers

Tags: CISCO, ASA, 5510, ASDM 7.2

Hi there,

Any help would be greatly appreciated with this one; I have been working at it for hours with no luck. Basically I have been through the Cisco ASA remote VPN wizard and set up an IPSEC VPN tunnel. I have installed the Cisco VPN client version 5.0.01.0600 on a desktop on an ADSL line. I cannot get the client to connect to the VPN server whatever I try. The client gets as far as 'Authenticating user', at which point I put in the credentials and it disconnects. I have attached my ASA's config as a code snippet below, and if anyone can help with anything I've done wrong that would be great! The log on the ASA is saying:

4      Jun 03 2008      15:12:59      113019                   Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

3      Jun 03 2008      15:12:59      713902                   Group = 81.x.x.x, Username = rob_admin, IP = 81.x.x.154, Removing peer from correlator table failed, no match!

3      Jun 03 2008      15:12:59      713902                   Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, QM FSM error (P2 struct &0x4346ff8, mess id 0x928330f3)!

5      Jun 03 2008      15:12:59      713904                   Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, All IPSec SA proposals found unacceptable!

3      Jun 03 2008      15:12:59      713119                   Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, PHASE 1 COMPLETED

6      Jun 03 2008      15:12:59      713228                   Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, Assigned private IP address 194.129.15.140 to remote user

6      Jun 03 2008      15:12:59      713184                   Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, Client Type: WinNT  Client Application Version: 5.0.01.0600

5      Jun 03 2008      15:12:59      713131                   Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, Received unknown transaction mode attribute: 28684

5      Jun 03 2008      15:12:59      713130                   Group = 81.137.240.154, Username = rob_admin, IP = 81.x.x.154, Received unsupported transaction mode attribute: 5

The log on the client is saying:

252    15:30:39.569  06/03/08  Sev=Info/4      CM/0x63100002
Begin connection process

253    15:30:39.589  06/03/08  Sev=Info/4      CM/0x63100004
Establish secure connection

254    15:30:39.589  06/03/08  Sev=Info/4      CM/0x63100024
Attempt connection with server "194.36.23.62"

255    15:30:39.599  06/03/08  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 194.36.23.62.

256    15:30:39.619  06/03/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to 194.36.23.62

257    15:30:39.699  06/03/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.36.23.62

258    15:30:39.699  06/03/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 194.36.23.62

259    15:30:39.699  06/03/08  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

260    15:30:39.699  06/03/08  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

261    15:30:39.699  06/03/08  Sev=Info/5      IKE/0x63000001
Peer supports DPD

262    15:30:39.720  06/03/08  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

263    15:30:39.720  06/03/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 194.36.23.62

264    15:30:39.720  06/03/08  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x0457, Remote Port = 0x01F4

265    15:30:39.720  06/03/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

266    15:30:39.760  06/03/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

267    15:30:39.760  06/03/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

268    15:30:39.780  06/03/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.36.23.62

269    15:30:39.780  06/03/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 194.36.23.62

270    15:30:39.780  06/03/08  Sev=Info/4      CM/0x63100015
Launch xAuth application

271    15:30:42.504  06/03/08  Sev=Info/4      CM/0x63100017
xAuth application returned

272    15:30:42.504  06/03/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 194.36.23.62

273    15:30:42.554  06/03/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.36.23.62

274    15:30:42.554  06/03/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 194.36.23.62

275    15:30:42.554  06/03/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 194.36.23.62

276    15:30:42.554  06/03/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

277    15:30:42.594  06/03/08  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

278    15:30:42.594  06/03/08  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

279    15:30:42.594  06/03/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 194.36.23.62

280    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.36.23.62

281    15:30:42.644  06/03/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 194.36.23.62

282    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 194.129.15.140

283    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

284    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 194.129.15.203

285    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 194.129.15.198

286    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 194.129.15.198

287    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

288    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = ADROOT.PMA.CO.UK

289    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

290    15:30:42.644  06/03/08  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 7.2(2) built by builders on Wed 22-Nov-06 14:16

291    15:30:42.644  06/03/08  Sev=Info/4      CM/0x63100019
Mode Config data received

292    15:30:42.664  06/03/08  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 194.129.15.140, GW IP = 194.36.23.62, Remote IP = 0.0.0.0

293    15:30:42.664  06/03/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 194.36.23.62

294    15:30:42.734  06/03/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.36.23.62

295    15:30:42.734  06/03/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 194.36.23.62

296    15:30:42.734  06/03/08  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

297    15:30:42.734  06/03/08  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now

298    15:30:42.734  06/03/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.36.23.62

299    15:30:42.734  06/03/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 194.36.23.62

300    15:30:42.734  06/03/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 194.36.23.62

301    15:30:42.734  06/03/08  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=EABF34F0

302    15:30:42.734  06/03/08  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=84BAF82075BFC0F5 R_Cookie=BD979D9DDAA929D7) reason = DEL_REASON_IKE_NEG_FAILED

303    15:30:42.734  06/03/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.36.23.62

304    15:30:42.734  06/03/08  Sev=Info/4      IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=84BAF82075BFC0F5 R_Cookie=BD979D9DDAA929D7

305    15:30:42.734  06/03/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 194.36.23.62

306    15:30:42.754  06/03/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

307    15:30:45.758  06/03/08  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=84BAF82075BFC0F5 R_Cookie=BD979D9DDAA929D7) reason = DEL_REASON_IKE_NEG_FAILED

308    15:30:45.758  06/03/08  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

309    15:30:45.758  06/03/08  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

310    15:30:45.778  06/03/08  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

311    15:30:45.778  06/03/08  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

312    15:30:45.788  06/03/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

313    15:30:45.788  06/03/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

314    15:30:45.788  06/03/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

315    15:30:45.788  06/03/08  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Does anyone have any ideas on why this won't connect? Any help will be greatly appreciated!

ASA Version 7.2(2) 
!
hostname XXXciscoasa
domain-name adroot.XXX.co.uk
enable password xxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 194.x.x.62 255.255.255.0 standby 194.x.x.63 
!
interface Ethernet0/1
 nameif LAN
 security-level 50
 ip address 194.129.15.252 255.255.255.0 standby 194.129.15.251 
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7 
 management-only
!
passwd xxxxxxxxx encrypted
boot system disk0:/asa722k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name adroot.XXX.co.uk
object-group service FilemakerPro tcp-udp
 port-object range 5003 5003
access-list WAN_access_out extended permit ip any any inactive 
access-list WAN_access_out extended permit udp any any eq ntp 
access-list WAN_access_out extended permit tcp any any eq 123 inactive 
access-list WAN_access_out remark Allow port 445 SMB MS File Sharing access to remote NAS device at James' Home
access-list WAN_access_out extended permit tcp interface WAN host 91.84.29.97 eq 445 
access-list WAN_access_out extended permit tcp any any eq ssh inactive 
access-list WAN_access_out remark Planning - Charnwood related documents link
access-list WAN_access_out extended permit tcp interface WAN host 193.129.245.154 eq 34965 
access-list WAN_access_out remark Planning - Barnet
access-list WAN_access_out extended permit tcp interface WAN host 195.171.200.80 eq 7778 
access-list WAN_access_out remark Planning - Breckland
access-list WAN_access_out extended permit tcp interface WAN host 212.240.79.100 eq 7778 
access-list WAN_access_out remark Planning website - havering.gov.uk
access-list WAN_access_out extended permit tcp any host 62.172.223.20 eq 7783 
access-list WAN_access_out remark Planning website - access to barking and dagenham
access-list WAN_access_out extended permit tcp interface WAN host 212.85.19.44 eq 8081 
access-list WAN_access_out remark Planning website - access to northamptonboroughcouncil.com
access-list WAN_access_out extended permit tcp interface WAN host 83.100.223.135 eq 8099 
access-list WAN_access_out remark Allow port 5003 file maker pro access to bulwein server - Bulwein allow access from our gateway IP
access-list WAN_access_out extended permit tcp any host 195.30.62.92 eq 5003 
access-list WAN_access_out remark Planning Website - Castle Morpeth Borough Council
access-list WAN_access_out extended permit tcp interface WAN host 195.224.122.231 eq 5757 
access-list WAN_access_out remark Planning website - St Helens Council
access-list WAN_access_out extended permit tcp any host 212.248.225.150 eq 7777 
access-list WAN_access_out remark planning
access-list WAN_access_out remark Planning Website - Uttlesford District Council
access-list WAN_access_out extended permit tcp any host 213.121.206.247 eq 7778 
access-list WAN_access_out remark planning
access-list WAN_access_out remark Planning Website - Ellesmere Port & Neston Borough Council
access-list WAN_access_out extended permit tcp any host 193.133.69.117 eq 7778 
access-list WAN_access_out remark Planning - Hartlepool
access-list WAN_access_out extended permit tcp interface WAN host 195.172.81.205 eq 7777 
access-list WAN_access_out remark planning
access-list WAN_access_out remark Planning Website - Arun District Council
access-list WAN_access_out extended permit tcp any host 195.224.159.100 eq 7778 
access-list WAN_access_out remark Planning Website - Maidstone Council
access-list WAN_access_out extended permit tcp any host 195.188.250.22 eq 8070 
access-list WAN_access_out remark Allow port 25 SMTP access from XXX to the Internet - in reality XXXs Exchange server only sends
access-list WAN_access_out remark outbound email to Messagelabs European cluster (set under SMTP connector on Exchange server)
access-list WAN_access_out extended permit tcp host 194.x.x.62 any eq smtp 
access-list WAN_access_out remark Allow UDP Port 53 DNS access from XXX to Internet
access-list WAN_access_out extended permit udp any any eq domain 
access-list WAN_access_out remark Allow TCP Port 53 DNS access from XXX to Internet
access-list WAN_access_out extended permit tcp any any eq domain 
access-list WAN_access_out remark Allow port 21 FTP access from XXX to Internet
access-list WAN_access_out extended permit tcp any any eq ftp 
access-list WAN_access_out extended permit tcp interface WAN any eq ftp-data inactive 
access-list WAN_access_out remark Allow XXX to Ping Internet
access-list WAN_access_out extended permit icmp any any echo 
access-list WAN_access_out remark Allow XXX to Ping Internet
access-list WAN_access_out extended permit icmp any any echo-reply 
access-list WAN_access_out remark Allow UDP Port 500 IKE key exchange for secure connections from XXX to Internet
access-list WAN_access_out extended permit udp any any eq isakmp 
access-list WAN_access_out remark Allow port 443 HTTPS secure access from XXX to Internet
access-list WAN_access_out extended permit tcp any any eq https 
access-list WAN_access_out remark Allow port 8080 HTTP access from XXX to Internet
access-list WAN_access_out remark Used for access to remote XXX routers and other websites (planning sites)
access-list WAN_access_out extended permit tcp any any eq 8080 
access-list WAN_access_out remark Allow port 1755 windows media player access from XXX to internet for website video streaming
access-list WAN_access_out extended permit tcp any any eq 1755 
access-list WAN_access_out remark Allow GRE from XXX VPN server to remote VPN users
access-list WAN_access_out extended permit gre host 194.x.x.62 any 
access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires TCP on same port.
access-list WAN_access_out extended permit udp any any eq 554 
access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires UDP on same port.
access-list WAN_access_out extended permit tcp any any eq rtsp 
access-list WAN_access_out remark XXX LAN Access to remote users machines via Tight VNC
access-list WAN_access_out extended permit tcp any any eq 5900 
access-list WAN_access_out remark Allow port 80 HTTP access from XXX to internet - required for access to remote websites
access-list WAN_access_out extended permit tcp any any eq www 
access-list WAN_access_out remark Test Desk RDP connection
access-list WAN_access_out extended permit tcp any host 78.32.137.8 eq 3541 inactive 
access-list WAN_access_out extended permit tcp any any inactive 
access-list WAN_access_out extended permit udp any any inactive 
access-list WAN_access_out remark Default rule to block all traffic - subsequent rules allows traffic through
access-list WAN_access_out extended deny ip any any 
access-list WAN_access_in remark External access to XXX Backup WEB server.
access-list WAN_access_in remark 194.129.15.194 translated from 194.74.191.44 using one-to-one NAT (see NAT rules).
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq www 
access-list WAN_access_in remark Allow Port 1723 PPTP VPN Access from Internet to XXX VPN Server 194.129.15.207
access-list WAN_access_in remark translated on one-to-one NAT from 194.x.x.62
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq pptp 
access-list WAN_access_in remark Allow GRE protocol for PPTP VPN Access from Internet to XXX VPN Server 194.129.15.207
access-list WAN_access_in remark translated on one-to-one NAT from 194.x.x.62
access-list WAN_access_in extended permit gre any host 194.x.x.62 
access-list WAN_access_in remark Allow Internet to Ping XXX
access-list WAN_access_in extended permit icmp any any echo 
access-list WAN_access_in remark Allow Internet to Ping XXX - Public addresses only
access-list WAN_access_in extended permit icmp any any echo-reply 
access-list WAN_access_in remark Allow port 25 SMTP access to XXX Email server 194.129.15.206
access-list WAN_access_in remark translated from one-to-one NAT address 194.x.x.62
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq smtp 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 216.82.240.0 255.255.240.0 host 194.x.x.62 eq smtp 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 85.158.136.0 255.255.248.0 host 194.x.x.62 eq smtp 
access-list WAN_access_in remark messagelabd email in
access-list WAN_access_in extended permit tcp 193.109.254.0 255.255.254.0 host 194.x.x.62 eq smtp 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 194.106.220.0 255.255.254.0 host 194.x.x.62 eq smtp 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 195.245.230.0 255.255.254.0 host 194.x.x.62 eq smtp 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp host 212.125.74.44 host 194.x.x.62 eq smtp 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp host 195.216.16.211 host 194.x.x.62 eq smtp 
access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at 194.129.15.211
access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.62
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq www 
access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at 194.129.15.199
access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.62
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq www 
access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Email Web server at 194.129.15.206
access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.62
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq https 
access-list WAN_access_in remark Allow port 80 HTTP access to XXX Email Web server at 194.129.15.206
access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.62
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq www 
access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at 194.129.15.211
access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.62
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq https 
access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at 194.129.15.199
access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.62
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq https 
access-list WAN_access_in extended permit udp any any eq ntp inactive 
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq 15401 
access-list WAN_access_in extended permit tcp any host 194.x.x.62 eq 3541 inactive 
access-list management_nat0_outbound extended permit ip any 194.129.15.128 255.255.255.224 
access-list Inside_nat0_outbound extended permit ip any 194.129.15.128 255.255.255.224 
access-list outside_cryptomap_dyn_20 extended permit ip any 194.129.15.0 255.255.255.0 
no pager
logging enable
logging timestamp
logging list Email_Alerts level warnings
logging asdm informational
logging mail Email_Alerts
logging from-address FirewallLogs@XXX.co.uk
logging recipient-address FirewallLogs@XXX.co.uk level errors
logging class auth mail warnings 
logging class np mail warnings 
logging class sys mail warnings 
logging class vpdn mail warnings 
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool VPN_IPS 194.129.15.140-194.129.15.150 mask 255.255.255.0
ip verify reverse-path interface WAN
failover
failover lan unit primary
failover lan interface LANFailover Ethernet0/2
failover key *****
failover replication http
failover link StateFailover Ethernet0/3
failover interface ip LANFailover 192.168.250.1 255.255.255.0 standby 192.168.250.2
failover interface ip StateFailover 192.168.251.1 255.255.255.0 standby 192.168.251.2
monitor-interface WAN
monitor-interface LAN
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN) 10 interface
nat (LAN) 0 access-list Inside_nat0_outbound
nat (LAN) 10 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound
nat (management) 10 0.0.0.0 0.0.0.0
static (LAN,WAN) 194.x.x.62 194.129.15.25 netmask 255.255.255.255 
static (LAN,WAN) 194.x.x.62 194.129.15.206 netmask 255.255.255.255 
static (LAN,WAN) 194.x.x.62 194.129.15.207 netmask 255.255.255.255 
static (LAN,WAN) 194.x.x.62 194.129.15.211 netmask 255.255.255.255 
static (LAN,WAN) 194.x.x.62 194.129.15.199 netmask 255.255.255.255 
static (LAN,WAN) 194.129.15.252 194.129.15.252 netmask 255.255.255.255 
static (LAN,WAN) 194.x.x.62 194.129.15.194 netmask 255.255.255.255 
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
route WAN 0.0.0.0 0.0.0.0 194.x.x.62 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server XXX_Tiger protocol radius
aaa-server XXX_Tiger (LAN) host 194.129.15.214
 timeout 5
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec 
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy 81.x.x.154 internal
group-policy 81.x.x.154 attributes
 wins-server value 194.129.15.198
 dns-server value 194.129.15.203 194.129.15.198
 vpn-tunnel-protocol IPSec 
 default-domain value ADROOT.XXX.CO.UK
username rob_admin password oPv83W5h./yuqWL. encrypted privilege 15
username rob_admin attributes
 vpn-group-policy 81.137.240.154
 vpn-tunnel-protocol IPSec 
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map WAN_dyn_map 20 set pfs 
crypto dynamic-map WAN_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map WAN_dyn_map 40 set pfs 
crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 60 set pfs 
crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 80 set pfs 
crypto dynamic-map WAN_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 100 set pfs 
crypto dynamic-map WAN_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 120 set pfs 
crypto dynamic-map WAN_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 140 set pfs 
crypto dynamic-map WAN_dyn_map 140 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map management_dyn_map 20 set pfs 
crypto dynamic-map management_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map management_dyn_map 40 set pfs 
crypto dynamic-map management_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 60 set pfs 
crypto dynamic-map management_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map management_dyn_map 80 set pfs 
crypto dynamic-map management_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 100 set pfs 
crypto dynamic-map management_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
crypto isakmp enable WAN
crypto isakmp enable management
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000 
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IPS
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group 81.x.x.154 type ipsec-ra
tunnel-group 81.x.x.154 general-attributes
 address-pool VPN_IPS
 default-group-policy 81.x.x.154
tunnel-group 81.x.x.154 ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 250
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
!
service-policy global_policy global
ntp server 130.88.202.49 source WAN prefer
prompt hostname context 
Cryptochecksum:66c9d6d26b71da2fd561b87573c18e00
: end
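Both logs above tell the same story: the ASA reports PHASE 1 COMPLETED (713119), XAUTH and mode-config finish (the client receives its 194.129.15.140 address and MODECFG_UNITY_PFS = 0), and then the IPsec SA proposal is rejected (713904 "All IPSec SA proposals found unacceptable", 113019 "Reason: Phase 2 Mismatch"; NO_PROPOSAL_CHOSEN on the client side). The Python script below is an added example for this thread, not code from the question, from any of its answers, or from Cisco. It parses ASA syslog lines in the ASDM layout pasted above, reports the IKE stage at which a session died, and summarises what each dynamic crypto-map entry in the pasted config will accept in Phase 2 (transform-set, tunnel/transport mode, whether PFS is required), which is the list a Phase 2 mismatch has to be checked against. The message IDs are the ones visible in the question's log; the regular expressions, helper names and the four-line sample log are the example's own construction.

```python
"""Triage helpers for a Cisco ASA IPsec remote-access session that fails in Phase 2.
Added example, not code from the question, its answers, or Cisco; message IDs are the
ones visible in the question's ASA log, regexes and helper names are my own."""
import re
from collections import defaultdict

# ASA syslog line as pasted from ASDM: <sev> <Mon dd yyyy> <hh:mm:ss> <msgid> <text>
ASA_LINE = re.compile(r"^\s*(?P<sev>\d)\s+(?P<mon>\w{3}) (?P<day>\d{2}) (?P<year>\d{4})\s+"
                      r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msgid>\d{6})\s+(?P<text>.*)$")
KV = re.compile(r"(Group|Username|IP) = ([^,]+)")
PHASE1_OK, MODECFG_DONE, P2_REJECTED, DISCONNECT = 713119, 713228, 713904, 113019

def parse_asa_syslog(lines):
    """One dict per parsable line: sev, msgid (int), text, plus group/username/ip."""
    events = []
    for line in lines:
        m = ASA_LINE.match(line)
        if not m:
            continue  # blank or non-syslog line
        ev = m.groupdict()
        ev["msgid"] = int(ev["msgid"])
        ev.update({k.lower(): v.strip() for k, v in KV.findall(ev["text"])})
        events.append(ev)
    return events

def diagnose(events):
    """(failing_stage, disconnect_reason), decided from message IDs only, so order does not matter."""
    ids = {e["msgid"] for e in events}
    reason = None
    for e in events:
        if e["msgid"] == DISCONNECT:                     # 113019 carries 'Reason: ...'
            m = re.search(r"Reason: (.+)$", e["text"])
            reason = m.group(1).strip() if m else None
    if PHASE1_OK not in ids:                             # 713119 never logged
        return "phase1", reason
    if P2_REJECTED in ids or (reason and "Phase 2" in reason):   # 713904 / Phase 2 Mismatch
        return "phase2", reason
    if MODECFG_DONE in ids and DISCONNECT not in ids:    # 713228 and no teardown
        return "connected", reason
    return "unknown", reason

# Config lines that decide what the ASA will accept in Phase 2.
TS_MODE = re.compile(r"^crypto ipsec transform-set (\S+) mode (\S+)$")
TS = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DYN = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (pfs|transform-set)\s*(.*)$")

def parse_crypto_config(text):
    """({transform-set: {algs, mode}}, {(map, seq): {pfs, transform_sets}})."""
    tsets, dyn = {}, defaultdict(lambda: {"pfs": False, "transform_sets": []})
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_MODE.match(line)                 # try before TS: a mode line matches TS as well
        if m:
            tsets.setdefault(m.group(1), {"algs": [], "mode": "tunnel"})["mode"] = m.group(2)
            continue
        m = TS.match(line)
        if m:
            tsets.setdefault(m.group(1), {"algs": [], "mode": "tunnel"})["algs"] = m.group(2).split()
            continue
        m = DYN.match(line)
        if m:
            entry = dyn[(m.group(1), int(m.group(2)))]
            if m.group(3) == "pfs":
                entry["pfs"] = True             # 'set pfs' makes the ASA require PFS from the peer
            else:
                entry["transform_sets"] = m.group(4).split()
    return tsets, dict(dyn)

def phase2_offer(tsets, dyn, map_name):
    """Rows (seq, pfs_required, transform_set, algorithms, mode) for one dynamic map, by seq."""
    rows = []
    for (name, seq), entry in sorted(dyn.items()):
        for ts in entry["transform_sets"] if name == map_name else []:
            t = tsets.get(ts, {"algs": [], "mode": "tunnel"})
            rows.append((seq, entry["pfs"], ts, " ".join(t["algs"]), t["mode"]))
    return rows

# Sample input: four ASA log lines and the crypto lines from the question (IPs as redacted there).
SAMPLE_ASA_LOG = """
4  Jun 03 2008  15:12:59  113019  Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5  Jun 03 2008  15:12:59  713904  Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, All IPSec SA proposals found unacceptable!
3  Jun 03 2008  15:12:59  713119  Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, PHASE 1 COMPLETED
6  Jun 03 2008  15:12:59  713228  Group = 81.x.x.154, Username = rob_admin, IP = 81.x.x.154, Assigned private IP address 194.129.15.140 to remote user
""".strip().splitlines()
SAMPLE_CONFIG = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map WAN_dyn_map 20 set pfs
crypto dynamic-map WAN_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map WAN_dyn_map 40 set pfs
crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA
"""

if __name__ == "__main__":
    events = parse_asa_syslog(SAMPLE_ASA_LOG)
    print(events[0]["username"], events[0]["ip"], *diagnose(events))
    for row in phase2_offer(*parse_crypto_config(SAMPLE_CONFIG), "WAN_dyn_map"):
        print("WAN_dyn_map %d: pfs_required=%s %s (%s) mode=%s" % row)
```

Run on the sample it reports `rob_admin 81.x.x.154 phase2 Phase 2 Mismatch`, then one row per WAN_dyn_map entry: sequence 20 offers TRANS_ESP_3DES_SHA in transport mode with PFS required, sequence 40 offers ESP-3DES-SHA in tunnel mode with PFS required. Those rows, together with the mode-config reply the client logged (MODECFG_UNITY_PFS = 0, i.e. the client was not told to use PFS), are the values to line up against the client's Quick Mode proposal when reading a 713904/113019 pair; the script deliberately stops at reporting them rather than guessing which one the client disagreed with.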
06/04/08 09:03 AM, ID: 21711436, Accepted Solution
Solution Provided By: robclarke41
Participating Experts: 1
Solution Grade: A

06/03/08 09:44 AM, ID: 21702169, Expert Comment
06/03/08 09:47 AM, ID: 21702197, Author Comment
06/03/08 10:09 AM, ID: 21702400, Expert Comment
06/04/08 03:10 AM, ID: 21708432, Author Comment
06/04/08 08:09 AM, ID: 21710878, Expert Comment
06/04/08 08:34 AM, ID: 21711133, Author Comment
06/04/08 08:51 AM, ID: 21711322, Assisted Solution

The text of the accepted solution, the assisted solution and the comments is available to subscribers only.