rcooper83
asked on
Can't connect with Cisco VPN Client to ASA 5505
I keep getting a timeout error on the client. It will not connect. Can you see what is going on with my config here?
ASA Version 7.2(3)
!
hostname Tech
domain-name technologies.net
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.150 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name technologies.net
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any interface outside eq 3389
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq https
access-list outsidein extended permit tcp any eq telnet host 192.168.101.1 eq telnet
access-list outsidein extended permit tcp any any eq 3389
access-list Tech_splitTunnelAcl standard permit 192.168.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.111.1-192.168.111.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) udp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.146 192.168.101.20 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.147 192.168.101.21 netmask 255.255.255.255
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.101.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http XX.XX.XX.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy Tech internal
group-policy Tech attributes
wins-server value 192.168.101.21
dns-server value 192.168.101.21 66.180.96.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tech_splitTunnelAcl
default-domain value Technologies.Net
username eb password 0000000000 encrypted privilege 0
username eb attributes
vpn-group-policy Tech
username mb password 000000000 encrypted privilege 0
username mb attributes
vpn-group-policy Tech
tunnel-group Tech type ipsec-ra
tunnel-group Tech general-attributes
address-pool VPN_Pool
default-group-policy Tech
tunnel-group Tech ipsec-attributes
pre-shared-key *
prompt hostname context
ASKER
Still not connecting. It just shows "Contacting the Security Gateway" the entire time then it times out.
Do you have the correct IP, groupname, and shared key (secret) in the VPN Client?
ASKER
Connecting to:
ip address XX.XX.XX.150
Group name: Tech
Key is for sure the same
ASKER
It doesn't even get to the point of verifying the key. It just says "Contacting the security gateway" before it throws the 412 error.
ASKER
DES as compared to 3DES shouldn't matter, should it?
Yes, they should be the same on both sides.
ASKER
I know that. But there is no configuration in the client to change to DES.
I see it now, there's no isakmp configuration! I'll put it together and post it in a few minutes.
Try this:
config t
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ASKER
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
Same thing as that, just numbered differently... Still no connection either way.
ASKER
Should there be something like this? I didn't see it before, but I see it in some of my PIX configs.
access-list outside_cryptomap_dyn_20 permit ip any 192.168.111.0 255.255.255.0
You should have something like this:
access-list outside_cryptomap_dyn_20 permit ip [inside ip] [inside subnetmask] 192.168.111.0 255.255.255.0
ASKER
Added that ACL and still nothing... ready to pull out the shotgun.
Can you repost the "show run" so I can see it after the changes and go over it? Thanks.
ASKER
hostname Tech
domain-name technologies.net
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.150 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name technologies.net
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any interface outside eq 3389
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq https
access-list outsidein extended permit tcp any eq telnet host 192.168.101.1 eq telnet
access-list outsidein extended permit tcp any any eq 3389
access-list Tech_splitTunnelAcl extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_dyn_map extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.111.1-192.168.111.
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) udp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.146 192.168.101.20 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.147 192.168.101.21 netmask 255.255.255.255
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 74.7.25.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy Tech internal
group-policy Tech attributes
wins-server value 192.168.101.21
dns-server value 192.168.101.21 66.180.96.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tech_splitTunnelAcl
default-domain value Technologies.Net
username eb password 00000000 encrypted privilege 0
username eb attributes
vpn-group-policy Tech
username mb password 00000000 encrypted privilege 0
username mb attributes
vpn-group-policy Tech
tunnel-group Tech type ipsec-ra
tunnel-group Tech general-attributes
address-pool VPN_Pool
default-group-policy Tech
tunnel-group Tech ipsec-attributes
pre-shared-key *
prompt hostname context
What version of OS are you running? (vista/xp) and what version of the VPN Client?
Try this:
no crypto dynamic-map outside_dyn_map 20 set pfs
It's trying to use two different IPsec transform sets; this will get rid of the "pfs" transform set, which I don't see in the config.
ASKER
Done. Still nothing. Using 4.6 on XP Pro machine.
ASKER
Here is the log on the client:
1 12:03:22.474 01/28/08 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
2 12:03:22.474 01/28/08 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
3 12:03:27.645 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
4 12:03:27.661 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
5 12:03:33.129 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
6 12:03:33.145 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
7 12:03:38.629 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
8 12:03:38.629 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
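As an added example (not from the thread or from Cisco), here is a small Python parser for the Cisco VPN Client log format shown in the post above. It pairs each header line (sequence, time, date, `Sev=<class>/<level>`, `<module>/<code>`) with the message line that follows, counts messages and module/code pairs, measures how long the attempt ran, and applies one triage heuristic: when every IKE entry is a warning that a reply arrived with no matching SA, phase 1 never completed, which is consistent with the ISAKMP proposal mismatch the thread is chasing. The sample log is the asker's lines embedded as constructed input; the `NO_SA_MESSAGES` set and the heuristic are assumptions of this example, not a documented Cisco rule.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the Cisco VPN Client log lines as posted earlier in this thread.
SAMPLE_LOG = """\
1 12:03:22.474 01/28/08 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
2 12:03:22.474 01/28/08 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
3 12:03:27.645 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
4 12:03:27.661 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
5 12:03:33.129 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
6 12:03:33.145 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
7 12:03:38.629 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
8 12:03:38.629 01/28/08 Sev=Warning/2 IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
"""

# Header line: sequence, time, date, Sev=<class>/<level>, <module>/<hex code>.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
# Trailing parenthesised locator such as "(PacketReceiver:133)" or "(message id: 0x00000000)".
LOCATOR_RE = re.compile(r"\s*\([^()]*\)\s*$")

# Assumption of this example: messages meaning the peer answered but the client holds
# no ISAKMP SA under which it could process the reply.
NO_SA_MESSAGES = {
    "Invalid SPI size",
    "Received malformed message or negotiation no longer active",
    "Fragmented msg rcvd with no associated SA",
}


def parse_client_log(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1  # stray text that is not a header: skip it
            continue
        message = ""
        if i + 1 < len(lines) and not HEADER_RE.match(lines[i + 1]):
            message = lines[i + 1]
        ev = m.groupdict()
        ev["seq"] = int(ev["seq"])
        ev["level"] = int(ev["level"])
        ev["timestamp"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%m/%d/%y %H:%M:%S.%f")
        ev["message"] = message
        ev["message_key"] = LOCATOR_RE.sub("", message)  # message without its locator
        events.append(ev)
        i += 2 if message else 1
    return events


def summarize(events):
    """Counts per message and per module/code, plus the time the attempt spanned."""
    span = (events[-1]["timestamp"] - events[0]["timestamp"]).total_seconds() if events else 0.0
    return {
        "count": len(events),
        "by_message": Counter(e["message_key"] for e in events),
        "by_code": Counter(f"{e['module']}/{e['code']}" for e in events),
        "span_seconds": span,
    }


def ike_sa_never_formed(events):
    """Triage heuristic: True when every IKE entry is a 'no matching SA' warning, i.e. the
    gateway replied but phase 1 never completed (typical of a proposal mismatch)."""
    ike = [e for e in events if e["module"] == "IKE"]
    return bool(ike) and all(e["message_key"] in NO_SA_MESSAGES for e in ike)


if __name__ == "__main__":
    evs = parse_client_log(SAMPLE_LOG)
    for key, n in summarize(evs)["by_message"].items():
        print(f"{n:3d}  {key}")
    print("IKE SA never formed:", ike_sa_never_formed(evs))
```

On the sample, six of the eight entries are "Fragmented msg rcvd with no associated SA" and the whole attempt spans about 16 seconds, which is the "Contacting the Security Gateway" phase timing out: the ASA is reachable and answering on UDP 500, but nothing it sends is accepted under an agreed SA.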
ASKER CERTIFIED SOLUTION
ASKER
OK...That helped me move forward.
Now we got the username and password prompt, enter that and it says "Securing Communications Channel" and then it just shows disconnected.
ASKER
I think with all of the changes something is missing.
Can you provide the VPN Client log? Logs always help!
ASKER
The client isn't giving me a log this time... Here is the config now, though...
domain-name captech
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.150 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 0000000000000 encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name captech.net
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any interface outside eq 3389
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq https
access-list outsidein extended permit tcp any eq telnet host 192.168.101.1 eq telnet
access-list outsidein extended permit tcp any any eq 3389
access-list Captech_splitTunnelAcl extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_dyn_map extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.111.1-192.168.111.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) udp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.146 192.168.101.20 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.147 192.168.101.21 netmask 255.255.255.255
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.101.0 255.255.255.0 inside
http XX.XX.XX.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.101.0 255.255.255.0 inside
telnet 74.7.25.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
group-policy Captech internal
group-policy Captech attributes
wins-server value 192.168.101.21
dns-server value 192.168.101.21 66.180.96.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Captech_splitTunnelAcl
default-domain value Captech.local
username ebosarge password 00000000 encrypted privilege 0
username ebosarge attributes
vpn-group-policy Captech
username mbosarge password 0000000 encrypted privilege 0
username mbosarge attributes
vpn-group-policy Captech
tunnel-group Captech type ipsec-ra
tunnel-group Captech general-attributes
address-pool VPN_Pool
default-group-policy Captech
tunnel-group Captech ipsec-attributes
pre-shared-key *
prompt hostname context
Your transform set's still showing DES instead of 3DES:
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
Can you change it to:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASKER
Ok! VPN is connected, but I can't see the other side of the network... When I ping the router 192.168.101.1 I resolve a public IP address, and when I ping the DC by address I get nothing; by name it doesn't resolve.
I dont see:
sysopt connection permit-ipsec
in your config; if you add this it will allow your VPN traffic to bypass your ACLs.
Also, can you ping your 192.168.101.21 DNS Server?
ASKER
The DC is running DNS. That is the same address I meant. I will add the line there though and see if that fixes it.
ASKER
When I add the line in it won't connect anymore. As soon as I removed it the connection came right back up.
ASKER
Still can't communicate with the network when connected though. Any more ideas?
Then I would add the following lines in the config:
no access-list Tech_splitTunnelAcl standard permit 192.168.101.0 255.255.255.0
access-list Tech_splitTunnelAcl extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
sysopt connection permit-ipsec
This way the VPN tunnel is using an extended ACL to allow traffic by defining source/destination, and the "sysopt connection permit-ipsec" allows your VPN traffic to come through without being filtered by your ACLs.
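Added example, not from the thread and not Cisco code: a Python linter that reads an ASA 7.x running-config excerpt and flags the things this thread turned on. It reports a transform set whose name says 3DES while its ESP transform is `esp-des` (the mismatch caught just before the "VPN is connected" reply), single-DES proposals in the ISAKMP policy (the DES-versus-3DES question raised early on), a VPN address pool with no `nat (inside) 0` exemption while a dynamic NAT rule exists (the first config posted carried `nat (inside) 0 access-list inside_nat0_outbound`; the last one does not, and without it the ASA applies `nat (inside) 1` to replies bound for 192.168.111.0/24, which is consistent with seeing a public address when pinging 192.168.101.1), and an explicit `no sysopt connection permit-vpn` or `permit-ipsec`. The checker only reports the explicit `no` form because `show run` lists non-default settings, so absence of the line is not evidence it is off. The sample config is a constructed excerpt of the last posted config with the pool line written in proper syntax; `FIXED_CONFIG`, the regexes, treating `permit-ipsec` and `permit-vpn` as the same setting, and the finding wording are all assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the last config posted in this thread, with the
# address-pool line written in proper ASA syntax (the posted copy is extraction-damaged).
SAMPLE_CONFIG = """\
access-list Captech_splitTunnelAcl extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
ip local pool VPN_Pool 192.168.111.1-192.168.111.200 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp nat-traversal 20
"""
# The same excerpt with both problems corrected: real 3DES in the transform set, and the
# nat 0 exemption for the pool that the first config in the thread still carried.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" esp-des ", " esp-3des ") + (
    "access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0\n"
    "nat (inside) 0 access-list inside_nat0_outbound\n")

TRANSFORM_RE = re.compile(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$")
POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")
POLICY_ATTR_RE = re.compile(r"(authentication|encryption|hash|group|lifetime) (\S+)$")
ACL_RE = re.compile(r"access-list (\S+) (?:standard|extended) permit (.+)$")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)$")
NAT_EXEMPT_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)$")
NAT_RULE_RE = re.compile(r"nat \(\S+\) [1-9]\d* \S+ \S+$")  # dynamic NAT/PAT rule
SYSOPT_RE = re.compile(r"(no )?sysopt connection permit-(?:ipsec|vpn)$")


def parse_config(text):
    """Collect the parts of an ASA 7.x remote-access config that the checks need."""
    cfg = {"transform_sets": {}, "isakmp_policies": {}, "acls": {}, "pools": {},
           "nat_exempt_acls": [], "dynamic_nat": False, "sysopt_vpn": None}
    policy = None  # isakmp policy whose sub-commands are being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if policy is not None and (m := POLICY_ATTR_RE.match(line)):
            policy[m[1]] = m[2]
            continue
        policy = None  # any other line ends the policy block
        if m := POLICY_RE.match(line):
            policy = cfg["isakmp_policies"].setdefault(int(m[1]), {})
        elif m := TRANSFORM_RE.match(line):
            cfg["transform_sets"][m[1]] = {"esp": m[2], "auth": m[3]}
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append(m[2].split())
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := NAT_EXEMPT_RE.match(line):
            cfg["nat_exempt_acls"].append(m[1])
        elif NAT_RULE_RE.match(line):
            cfg["dynamic_nat"] = True
        elif SYSOPT_RE.match(line):
            cfg["sysopt_vpn"] = not line.startswith("no ")
    return cfg


def _addr(tokens, i):
    """Parse one ASA address spec (any | host A | A MASK) at tokens[i]; return (network, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _pool_is_nat_exempt(cfg, pool_net):
    """True if some 'nat 0' ACL has a 'permit ip SRC DST' entry whose DST covers the pool."""
    for acl in cfg["nat_exempt_acls"]:
        for tokens in cfg["acls"].get(acl, []):
            if tokens[0] != "ip":
                continue
            _, i = _addr(tokens, 1)
            dst, _ = _addr(tokens, i)
            if pool_net.subnet_of(dst):
                return True
    return False


def check_config(cfg):
    """Return human-readable findings for the problems this thread ran into."""
    findings = []
    for name, ts in cfg["transform_sets"].items():
        if "3DES" in name.upper() and ts["esp"] != "esp-3des":
            findings.append(f"transform-set {name} is named 3DES but uses {ts['esp']}")
        if ts["esp"] == "esp-des":
            findings.append(f"transform-set {name} uses single DES (56-bit, deprecated)")
    for num, pol in sorted(cfg["isakmp_policies"].items()):
        if pol.get("encryption") == "des":
            findings.append(f"isakmp policy {num} offers single DES")
    for pname, pool_net in cfg["pools"].items():
        if cfg["dynamic_nat"] and not _pool_is_nat_exempt(cfg, pool_net):
            findings.append(f"pool {pname} ({pool_net}) has no nat 0 exemption: inside replies "
                            "to VPN clients will be translated by the dynamic NAT rule")
    if cfg["sysopt_vpn"] is False:
        findings.append("sysopt connection permit-vpn/permit-ipsec is explicitly disabled; "
                        "VPN traffic is filtered by the interface ACLs")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_config(parse_config(text)) or ["no findings"])
```

Run against a pasted `show run`, the parser does not depend on indentation (the configs in this thread arrived flattened), and the NAT check is the one worth keeping in a review checklist: a remote-access pool that is not exempted from the interface's dynamic NAT produces exactly the "tunnel is up but nothing inside answers" symptom reported above.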