wilsj

asked on

ASA vpn client configuration

I am setting up a new ASA 5520. I am having a little bit of trouble getting the VPN connection up and going. I tried both CLI and ASDM VPN wizard with no luck. So I removed everything and tried again from CLI, still no luck. Hopefully someone can point out what I am missing. Here is what I currently have for the VPN config. Right now I don't care about split-tunnel, so I have left it out.


access-list no-nat extended permit ip any 10.10.100.0 255.255.255.0
ip local pool tech 10.10.100.1-10.10.100.254 mask 255.255.255.0
group-policy vpngroup internal
group-policy vpngroup attributes
 ipsec-udp enable
crypto ipsec transform-set 3DES/MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES/MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set DES/MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES/SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES/256 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set 3DES/SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp nat-traversal  20
isakmp am-disable
tunnel-group tech type ipsec-ra
tunnel-group tech general-attributes
 address-pool tech
 default-group-policy vpngroup
tunnel-group tech ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
Les Moore

How are you testing, and what are your symptoms?
Are you testing from actually outside the firewall?
What version client are you using?
Do you get connected at all? If not, what error messages do you get?
wilsj

ASKER

I am trying to connect from outside the network with Cisco VPN client version 4.800.0.440. I don't get any error messages; the client just tries to connect and eventually stops trying and says not connected.
Can you ping the public IP of the ASA from the client PC?
Open the log window on the client when you try to connect and post the result.
wilsj

ASKER

I can ping the ASA's outside interface. Here is what the log says:


1      20:21:00.466  09/03/01  Sev=Info/4      CM/0x63100002
Begin connection process

2      20:21:00.486  09/03/01  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      20:21:00.486  09/03/01  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

4      20:21:00.486  09/03/01  Sev=Info/4      CM/0x63100024
Attempt connection with server "74.222.42.178"

5      20:21:01.527  09/03/01  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 74.222.42.178.

6      20:21:01.547  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 74.222.42.178

7      20:21:01.557  09/03/01  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      20:21:01.557  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

10     20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178

11     20:21:11.622  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

12     20:21:11.622  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178

13     20:21:16.629  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

14     20:21:16.629  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178

15     20:21:21.636  09/03/01  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16     20:21:22.147  09/03/01  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     20:21:22.147  09/03/01  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "74.222.42.178" because of "DEL_REASON_PEER_NOT_RESPONDING"

18     20:21:22.157  09/03/01  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

19     20:21:22.167  09/03/01  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

20     20:21:22.187  09/03/01  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

21     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

22     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

23     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

24     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

ASKER CERTIFIED SOLUTION
Les Moore
Do you have any ACLs on the router in front of this ASA? I'm assuming this is a follow-up to an earlier thread with the same configuration?
wilsj

ASKER

lol I just took out the isakmp am-disable and it worked. Thanks again for your help.
Woo hoo!
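
The failure signature in this thread, as an added example that is not part of the original posts: the client log shows aggressive-mode initiation (`ISAKMP OAK AG`) with an all-zero `R_Cookie`, while the posted config carries `isakmp am-disable`. The Python below checks a client log and an ASA config for that combination; the sample log and config are constructed and abridged, and the function names are hypothetical.

```python
import re

# Constructed, abridged sample in the shape of the client log above (192.0.2.10 is a documentation address).
CLIENT_LOG = """\
6      20:21:01.547  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.0.2.10

9      20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

15     20:21:21.636  09/03/01  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=1111222233334444 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
# Constructed config fragment using lines of the kind posted in the question.
ASA_CONFIG = """\
isakmp enable outside
isakmp policy 2 authentication pre-share
isakmp am-disable
tunnel-group tech type ipsec-ra
"""

def parse_client_log(text):
    """Summarise Phase 1 behaviour from Cisco VPN Client log text."""
    sends = re.findall(r"SENDING >>> ISAKMP OAK (\w+) \(", text)
    cookies = re.findall(r"R_Cookie=([0-9A-Fa-f]{16})", text)
    return {
        "mode": {"AG": "aggressive", "MM": "main"}.get(sends[0]) if sends else None,
        "retransmits": text.count("Retransmitting last packet!"),
        "responder_silent": bool(cookies) and all(int(c, 16) == 0 for c in cookies),
        "peer_not_responding": "DEL_REASON_PEER_NOT_RESPONDING" in text,
    }

def aggressive_mode_disabled(config):
    """True if the last '[crypto] isakmp am-disable' line is not the 'no' form."""
    disabled = False
    for line in config.splitlines():
        m = re.fullmatch(r"(no\s+)?(?:crypto\s+)?isakmp\s+am-disable", line.strip())
        if m:
            disabled = m.group(1) is None
    return disabled

def diagnose(log_text, config):
    s = parse_client_log(log_text)
    silent = s["responder_silent"] and s["peer_not_responding"]
    if s["mode"] == "aggressive" and silent and aggressive_mode_disabled(config):
        return "client initiates aggressive mode, ASA has am-disable: Phase 1 is never answered"
    if silent:
        return "no IKE reply: check UDP 500/4500 reachability and 'isakmp enable' on the outside interface"
    return "Phase 1 got a response; look past the first IKE message"
```

Aggressive mode with a pre-shared key exposes the responder's authentication hash to anyone who initiates, so the group key should be long and random once `isakmp am-disable` is removed.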