Can't connect with Cisco VPN Client to ASA 5505

I keep getting a time out error on the client.  It will not connect.  Can you see what is going on with my config here?




ASA Version 7.2(3)
!
hostname Tech
domain-name technologies.net
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.150 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name technologies.net
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any interface outside eq 3389
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq https
access-list outsidein extended permit tcp any eq telnet host 192.168.101.1 eq telnet
access-list outsidein extended permit tcp any any eq 3389
access-list Tech_splitTunnelAcl standard permit 192.168.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.111.1-192.168.111.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) udp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.146 192.168.101.20 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.147 192.168.101.21 netmask 255.255.255.255
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.101.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http XX.XX.XX.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy Tech internal
group-policy Tech attributes
 wins-server value 192.168.101.21
 dns-server value 192.168.101.21 66.180.96.12
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tech_splitTunnelAcl
 default-domain value Technologies.Net
username eb password 0000000000 encrypted privilege 0
username eb attributes
 vpn-group-policy Tech
username mb password 000000000 encrypted privilege 0
username mb attributes
 vpn-group-policy Tech
tunnel-group Tech type ipsec-ra
tunnel-group Tech general-attributes
 address-pool VPN_Pool
 default-group-policy Tech
tunnel-group Tech ipsec-attributes
 pre-shared-key *
prompt hostname context
LVL 1
rcooper83Asked:
Who is Participating?
 
stuknhawaiiConnect With a Mentor Commented:
I think I found it...Cisco dropped straight DES support in VPN CLient 4.0. So let change you DES to 3DES. But first make sure you have a 3DES license. If you do a show version, toward the bottom of the output is should list your licenses, just make sure a 3DES license is there. If not, go here:
https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgDisplay.jsp
to get your free PIX 3DES upgrade licenses. If you do have a 3DES license then use the following commands to change your DES to 3DES !

no crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-3des esp-sha-hmac

isakmp policy 10 encryption 3des
0
 
stuknhawaiiCommented:
First off are you logging in with the gourpname "Tech" and username "eb" ? It is case sensitive.
Then I would add the following lines in the config:
no access-list Tech_splitTunnelAcl standard permit 192.168.101.0 255.255.255.0

access-list Tech_splitTunnelAcl extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0

sysopt connection permit-ipsec
This way the VPN tunnel is using extended ACL to allow traffic by defining source/destination and the "sysopt connectoin permit-ipsec" allows your vpn traffic to come through without being filtered by your ACL's.
0
 
rcooper83Author Commented:
Still not connecting.  It just shows "Contacting the Security Gateway" the entire time then it times out.
0
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

 
stuknhawaiiCommented:
Do you have the correct IP, groupname, and shared key (secret) in the VPN Client?
0
 
rcooper83Author Commented:
Connecting to:

 ip address XX.XX.XX.150
Group name: Tech
Key is for sure the same
0
 
rcooper83Author Commented:
It doesnt even get to the point to verify the key.  It just says "Contacting the security gateway" before it throws the 412 error.
0
 
rcooper83Author Commented:
DES as compared to 3DES shouldn't matter should it?

0
 
stuknhawaiiCommented:
Yes, they should be the same on both sides.
0
 
rcooper83Author Commented:
I know that.  But there is no configuration in the client to change to DES.  
0
 
stuknhawaiiCommented:
I see it now, there's no isakmp configuration!  I'll put it together and post it in a few minutes.
0
 
stuknhawaiiCommented:
Try this:
config t
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside

0
 
rcooper83Author Commented:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10


Same thing as that, just numbered differently.....Still no connection either way.
0
 
rcooper83Author Commented:
Should there be something like this?  I don't see it before but see it in some of my PIX configs.

access-list outside_cryptomap_dyn_20 permit ip any 192.168.111.0 255.255.255.0
0
 
stuknhawaiiCommented:
You should have something like this:
access-list outside_cryptomap_dyn_20 permit ip [inside ip] [inside subnetmask] 192.168.111.0 255.255.255.0
0
 
rcooper83Author Commented:
Added that ACL and still nothing....ready to pull out the shotgun.
0
 
stuknhawaiiCommented:
can you repost the "show run" so I can see it after the changes to go over it? Thanks.
0
 
rcooper83Author Commented:


hostname Tech

domain-name technologies.net
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.150 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2            
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name technologies.net
access-list outsidein extended permit icmp any any            
access-list outsidein extended permit tcp any interface outside eq 3389
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq https
access-list outsidein extended permit tcp any eq telnet host 192.168.101.1 eq telnet
access-list outsidein extended permit tcp any any eq 3389
access-list Tech_splitTunnelAcl extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_dyn_map extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.111.1-192.168.111.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) udp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255              
static (inside,outside) XX.XX.XX.146 192.168.101.20 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.147 192.168.101.21 netmask 255.255.255.255
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 74.7.25.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share            
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh            
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy Tech internal
group-policy Tech attributes
 wins-server value 192.168.101.21
 dns-server value 192.168.101.21 66.180.96.12
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tech_splitTunnelAcl
 default-domain value Technologies.Net
username eb password 00000000 encrypted privilege 0
username eb attributes
 vpn-group-policy Tech
username mb password 00000000 encrypted privilege 0
username mb attributes
 vpn-group-policy Tech
tunnel-group Tech type ipsec-ra
tunnel-group Tech general-attributes
 address-pool VPN_Pool
 default-group-policy Tech
tunnel-group Tech ipsec-attributes
 pre-shared-key *
prompt hostname context
0
 
stuknhawaiiCommented:
What version of OS are you running? (vista/xp) and what version of the VPN Client?
0
 
stuknhawaiiCommented:
Try this:
no crypto dynamic-map outside_dyn_map 20 set pfs
It's trying to use two different ipsec transform-sets, this will get rid of the "pfs" transform set, that I dont see in the config.
0
 
rcooper83Author Commented:
Done.  Still nothing.  Using 4.6 on XP Pro machine.
0
 
rcooper83Author Commented:
Here is the log on the client:

1      12:03:22.474  01/28/08  Sev=Warning/2      IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

2      12:03:22.474  01/28/08  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

3      12:03:27.645  01/28/08  Sev=Warning/2      IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

4      12:03:27.661  01/28/08  Sev=Warning/2      IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

5      12:03:33.129  01/28/08  Sev=Warning/2      IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

6      12:03:33.145  01/28/08  Sev=Warning/2      IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

7      12:03:38.629  01/28/08  Sev=Warning/2      IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

8      12:03:38.629  01/28/08  Sev=Warning/2      IKE/0xE3000099
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
0
 
rcooper83Author Commented:
OK...That helped me move forward.

Now we got the username and password prompt, enter that and it says "Securing Communications Channel" and then it just shows disconnected.
0
 
rcooper83Author Commented:
I think with all of the changes something is missing
0
 
stuknhawaiiCommented:
can you provide the VPN CLient log? Logs always help !!!
0
 
rcooper83Author Commented:
The client isn't giving me a log this time...Here is the config now though...

-------------------------------------------------------------



domain-name captech
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.150 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2          
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 0000000000000 encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name captech.net
access-list outsidein extended permit icmp any any              
access-list outsidein extended permit tcp any interface outside eq 3389
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq https
access-list outsidein extended permit tcp any eq telnet host 192.168.101.1 eq telnet
access-list outsidein extended permit tcp any any eq 3389
access-list Captech_splitTunnelAcl extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_dyn_map extended permit ip 192.168.101.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.111.1-192.168.111.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) udp interface 3389 XX.XX.XX.150 3389 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.146 192.168.101.20 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.147 192.168.101.21 netmask 255.255.255.255
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.101.0 255.255.255.0 inside
http XX.XX.XX.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.101.0 255.255.255.0 inside
telnet 74.7.25.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp              
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
group-policy Captech internal
group-policy Captech attributes
 wins-server value 192.168.101.21
 dns-server value 192.168.101.21 66.180.96.12
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Captech_splitTunnelAcl
 default-domain value Captech.local
username ebosarge password 00000000 encrypted privilege 0
username ebosarge attributes
 vpn-group-policy Captech
username mbosarge password 0000000 encrypted privilege 0
username mbosarge attributes            
 vpn-group-policy Captech
tunnel-group Captech type ipsec-ra
tunnel-group Captech general-attributes
 address-pool VPN_Pool
 default-group-policy Captech
tunnel-group Captech ipsec-attributes
 pre-shared-key *
prompt hostname context
0
 
stuknhawaiiCommented:
Your transform set's still showing DES instead of 3DES:
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
Can you change it to:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

0
 
rcooper83Author Commented:
Ok!  VPN is connected, but can't see the other side of the network....When I ping the router 192.168.101.1 I resolve a public IP Address and when I ping the DC by address I get nothing and by name it doesn't resolve.
0
 
stuknhawaiiCommented:
I dont see:
sysopt connection permit-ipsec
in your config, if you add this it will allow your VPN traffic to bypass your ACL's.
Also, can you ping your 192.168.101.21 DNS Server?
0
 
rcooper83Author Commented:
The DC is running DNS.  That is the same address I meant.  I will add the line there though and see if that fixes it.
0
 
rcooper83Author Commented:
When I add the line in it won't connect anymore.  As soon as I removed it the connection came right back up.
0
 
rcooper83Author Commented:
Still can't communicate with the network when connected though.  Any more ideas?
0
All Courses

From novice to tech pro — start learning today.