wilsj
ASA vpn client configuration
I am setting up a new ASA 5520. I am having a little bit of trouble getting the VPN connection up and going; I tried both the CLI and the ASDM VPN wizard with no luck. So I removed everything and tried again from the CLI, still no luck. Hopefully someone can point out what I am missing. Here is what I currently have for the VPN config. Right now I don't care about split-tunnel, so I have left it out.
access-list no-nat extended permit ip any 10.10.100.0 255.255.255.0
ip local pool tech 10.10.100.1-10.10.100.254 mask 255.255.255.0
group-policy vpngroup internal
group-policy vpngroup attributes
 ipsec-udp enable
crypto ipsec transform-set 3DES/MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES/MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set DES/MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES/SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES/256 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set 3DES/SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp nat-traversal 20
isakmp am-disable
tunnel-group tech type ipsec-ra
tunnel-group tech general-attributes
 address-pool tech
 default-group-policy vpngroup
tunnel-group tech ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
ASKER
I am trying to connect from outside the network with Cisco VPN Client version 4.800.0.440. I don't get any error messages; the client just tries to connect and eventually stops trying and says not connected.
Can you ping the public IP of the ASA from the client PC?
Open the log window on the client when you try to connect and post the result.
ASKER
I can ping the ASA's outside interface. Here is what the log says:
1 20:21:00.466 09/03/01 Sev=Info/4 CM/0x63100002
Begin connection process
2 20:21:00.486 09/03/01 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
3 20:21:00.486 09/03/01 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
4 20:21:00.486 09/03/01 Sev=Info/4 CM/0x63100024
Attempt connection with server "74.222.42.178"
5 20:21:01.527 09/03/01 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 74.222.42.178.
6 20:21:01.547 09/03/01 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 74.222.42.178
7 20:21:01.557 09/03/01 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 20:21:01.557 09/03/01 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 20:21:06.615 09/03/01 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 20:21:06.615 09/03/01 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178
11 20:21:11.622 09/03/01 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
12 20:21:11.622 09/03/01 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178
13 20:21:16.629 09/03/01 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
14 20:21:16.629 09/03/01 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178
15 20:21:21.636 09/03/01 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
16 20:21:22.147 09/03/01 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 20:21:22.147 09/03/01 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "74.222.42.178" because of "DEL_REASON_PEER_NOT_RESPONDING"
18 20:21:22.157 09/03/01 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
19 20:21:22.167 09/03/01 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
20 20:21:22.187 09/03/01 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
21 20:21:22.668 09/03/01 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
22 20:21:22.668 09/03/01 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
23 20:21:22.668 09/03/01 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
24 20:21:22.668 09/03/01 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
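The log above shows the client sending an aggressive-mode (OAK AG) proposal that is never answered (the responder cookie stays all zeros), while the config above contains isakmp am-disable. As an added example that is not code from the thread, this Python parses the client's two-line log entries, classifies the Phase 1 failure, and lints an ASA config for that setting; the peer address and log excerpt are constructed.

```python
import re

# Added example, not from the thread: pair Cisco VPN Client header/message lines,
# classify why IKE Phase 1 failed, and lint an ASA config for the usual cause.
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+"
                    r"Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)$")

SAMPLE_LOG = """\
6 20:21:01.547 09/03/01 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(Nat-T)) to 203.0.113.10
9 20:21:06.615 09/03/01 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 20:21:06.615 09/03/01 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 203.0.113.10
15 20:21:21.636 09/03/01 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

def parse_client_log(text):
    """Return (module, message) pairs; the header line carries the module name."""
    entries, module = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            module = m.group(6)          # e.g. IKE, IPSEC, CM
        elif module and line:
            entries.append((module, line))
            module = None
    return entries

def classify_phase1(entries):
    """Explain the Phase 1 outcome from the client's side of the exchange."""
    ike = [msg for mod, msg in entries if mod == "IKE"]
    if any(msg.startswith("RECEIVED <<<") for msg in ike):
        return "peer answered"           # failure is in the proposal or auth exchange
    sent_ag = any(msg.startswith("SENDING >>> ISAKMP OAK AG") for msg in ike)
    peer_silent = any("R_Cookie=" + "0" * 16 in msg for msg in ike)
    if sent_ag and peer_silent:
        # Zero responder cookie: not one reply to the aggressive-mode proposal.
        return "aggressive mode unanswered"
    return "no phase 1 activity"

def lint_asa_config(config):
    """Flag the headend setting that silently drops the client's aggressive-mode proposal."""
    lines = {l.strip() for l in config.splitlines()}
    uses_psk = any(l.startswith("pre-shared-key") for l in lines)
    if "isakmp am-disable" in lines and uses_psk:
        return ["isakmp am-disable: IPsec remote-access with a pre-shared key needs aggressive mode"]
    return []
```

If the peer is silent without am-disable in the config, the same verdict points at the UDP/500 path (upstream ACLs or NAT) rather than the ASA itself.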
ASKER CERTIFIED SOLUTION
Do you have any ACLs on the router in front of this ASA? I'm assuming this is a follow-up to an earlier thread with the same configuration?
ASKER
lol, I just took out the isakmp am-disable and it worked. Thanks again for your help.
Woo hoo!
Are you testing from actually outside the firewall?
What version client are you using?
Do you get connected at all? If not, what error messages do you get?