Users have problems accessing the internet after ASA/PIX install, and a config question

I just set up a new ASA/PIX 5505 firewall for a new client. I followed the Cisco document (link below) as a guide:
This is a very small company with 10-15 users. They have a dedicated business DSL connection of 9 MB and the ASA/PIX is behind the DSL modem.

Problem: I'm getting calls that some users can connect to the internet, and they say that it is blazing, but they end up getting kicked off or can't access the internet 10-15 minutes after they get on. I have heard that it appears to happen in cycles. I have even heard that from time to time if one person gets on another one gets booted off. They are not running any type of spam/internet filter. I did put an Exchange server in place but they are not using it yet. Any ideas or configs I should try?

Question: What is the easiest way to setup the VPN on this type of device? I can't setup the Easy VPN server because the system will tell me I have to undo all the changes I made to the outside interface.

Pugglewuggle Commented:
Hi haasjoh,
Try running these commands: they will overrule your current cryptomaps and insert working values.
Try it with this and let me know if it still takes your network down.

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

Can you please post the ASA config?
Regarding getting kicked off - do they all lose it at the same time and get it back at the same time?
Are the PCs using DHCP for addresses and what's the configured lease length if so? If they are using static addresses, can you verify that they all have unique IPs?
I'll address the VPN question as soon as we get this resolved since it's causing them downtime.
My initial thought is that it's either an address conflict between PCs or it's an ISP issue. Does it happen every 10-15 minutes? How long?
I look forward to helping! ;-)
What model ASA? Is it the little 5505? Does it have a limited 10-user license?
Good question - check the license by running a sh ver. If it is the base license (ASA5505-BUN-K9) and hasn't had a license upgrade then this is probably the case, but run the command anyway.
Look for the line Inside Hosts on the license printout.
It would make sense that this is a possibility - the only thing is that when an ASA does fill up the user limit it just blocks communication from all other hosts until one becomes disconnected (meaning the cable is actually unplugged or the machine is turned off, or if a VPN user until their session has expired). This "lockout" usually stays active a few hours. I've run into this a few times before.
Check your syslogs when this is happening - you should see a level 3 error saying you've exceeded the maximum number of licensed users and it will repeat every time a host that is not active on the ASA tries to communicate.
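An added example (not from any poster in this thread) that automates the two checks above: reading the Inside Hosts limit out of "show version" and counting the inside hosts that hit the level-3 licensed-host-limit denial in syslog. Both input samples are constructed; the "Inside Hosts" line mirrors the 5505 license printout, and the syslog message ID 450001 and its exact wording are my recollection of the ASA format, so treat them as an assumption.

```python
import re
from collections import Counter

# Constructed sample data (not from the thread). Message ID 450001 and the
# wording of the denial are assumed from memory of the ASA syslog format.
SHOW_VERSION = """\
Licensed features for this platform:
Inside Hosts                : 10
"""
SYSLOG = """\
Oct 01 2008 09:14:02 asa5505 %ASA-3-450001: Deny traffic for protocol 6 src inside:10.200.1.21/1355 dst outside:198.51.100.9/80, licensed host limit of 10 exceeded.
Oct 01 2008 09:14:05 asa5505 %ASA-6-302013: Built outbound TCP connection 1024 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.200.1.14/2234 (203.0.113.7/2234)
Oct 01 2008 09:14:07 asa5505 %ASA-3-450001: Deny traffic for protocol 17 src inside:10.200.1.22/53122 dst outside:198.51.100.53/53, licensed host limit of 10 exceeded.
Oct 01 2008 09:14:09 asa5505 %ASA-3-450001: Deny traffic for protocol 6 src inside:10.200.1.21/1356 dst outside:198.51.100.9/80, licensed host limit of 10 exceeded.
"""

INSIDE_HOSTS_RE = re.compile(r"^Inside Hosts\s*:\s*(\d+|Unlimited)", re.M)
LIMIT_RE = re.compile(
    r"%ASA-3-\d+: Deny traffic for protocol \d+ src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:[\d.]+/\d+, licensed host limit of (?P<limit>\d+) exceeded"
)

def licensed_inside_hosts(show_version):
    """Inside Hosts limit from 'show version' output, or None if Unlimited/absent."""
    m = INSIDE_HOSTS_RE.search(show_version)
    if not m or m.group(1) == "Unlimited":
        return None
    return int(m.group(1))

def denied_hosts(syslog):
    """Map each inside source IP that was refused for the host limit to its hit count."""
    denied = Counter()
    for line in syslog.splitlines():
        m = LIMIT_RE.search(line)
        if m:                       # only the level-3 license denial matches
            denied[m.group("src")] += 1
    return denied

def license_report(show_version, syslog):
    """Is the base license the cause, and how many hosts does the site need at least?"""
    limit = licensed_inside_hosts(show_version)
    denied = denied_hosts(syslog)
    return {
        "licensed": limit,
        "denied_hosts": dict(denied),
        "exhausted": limit is not None and bool(denied),
        # licensed hosts plus the distinct hosts that were locked out so far
        "min_hosts_needed": (limit or 0) + len(denied),
    }
```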
haasjohAuthor Commented:
Ahhhh good point. I will check this Wed Oct 1. I'll be going again in the morning. I do remember looking at the license.
Also - didn't mention this - are the users sharing computers or are there more than 10 computers?
One more piece of info for you: If it turns out this is the problem, the upgrade PN for 10 to unlimited users is ASA5505-SW-10-UL=
It usually runs a little under $400.
If it turns out this is the issue, consider other possible requirements the site might have when upgrading the license - will they need servers in the DMZ or more than 2 SSL VPN users? This all costs extra money so it's best to get it out of the way.
haasjohAuthor Commented:
Well, had I more experience with the ASA, I could have figured it out myself. Oh well, it happens. So, it looks like it was a license issue so far. I had to do a "sh ver", copy the output and email it to They reviewed the serial id and the output and sent a new license. Instructions on how to install it were also in the email. Pretty simple. So, how about the VPN setup?
With VPN - remote access or site-to-site?
Just use the VPN wizard for either one.
When you get to the part about setting up an ip address pool, choose IPs in a totally different IP subnet than the local network, and do not use 192.168.1.x either.
That's correct. The reason I was asking is that sometimes the VPN Wizard can mess you up if you don't know exactly what it means.
haasjohAuthor Commented:
All I am trying to do is set up basic VPN access for about 10 users. It is not site to site. Just an average user on the road. I tried to use the ASDM and click on "Easy VPN". However, it failed to take the settings and said I had to undo all the mods I did with the outside interface. As mentioned above, I used the Cisco doc as a reference to set up a single subnet FIRST. Then I tried to do the VPN second. I did create a VPN IP pool as a test, but for some reason I am still unable to get it to work. Basically I would like to create a connection by using Windows instead of installing Cisco's software.
Easy VPN is actually a site-to-site thing.
From the menu in the ASDM just select Remote Access VPN Wizard and follow the steps. Make sure you set the DH group to 2 when asked or the Cisco VPN client won't work. Use the same VPN IP pool as long as it doesn't conflict with any other networks on the ASA or inside your network.
Don't do EasyVPN, use the Wizard and select Remote Access VPN
I highly discourage you from using Windows PPTP for the VPN. The Cisco VPN client is free, simple to install and SECURE.
Check out this document
haasjohAuthor Commented:
The problem I have run into with the Cisco software is that it kills my network and wireless connections or makes them not want to connect to the network. This is w/o me trying to log on to the VPN. I did try Cisco software on an HP laptop, rebooted, then it would not let me log onto any wireless or wired connections. I guess I would use the Cisco software if I didn't have a problem with the network connections.
I've been using it for years and have deployed it with many many clients and have never had an issue like that.
Same here on the usage - although I'll tell you what the problem is. I took down a network of 500+ users with it for 10 minutes one time by accident.
You have the crypto map mistakenly applied to the inside interface without all necessary parts. Please post the config you had when experiencing this problem and I'll see what I can do. One other thing to note - the Remote Access VPN Wizard doesn't always work (I mentioned this above). You might give Cisco TAC a call and they'll help you get it straightened out if you're in a time pinch!
Lol why do I only get paid $10 an hour!? Seems I can roll with the pros on this stuff but I get paid $10 an hour! I guess it's because I'm 20... :(
>why do I only get paid $10 an hour!?
>I took down a network of 500+ users with it for 10 minutes one time by accident.
Just kidding.....
Lol well that was actually TAC that remotely entered the command. :-P Gotta love them when they help you out like that.
haasjohAuthor Commented:
Here it is. I changed some stuff for obvious reasons. Let me know.

ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name ain'
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host 67.77.18x.x eq www
access-list 100 extended permit tcp any host 67.77.18x.x eq pop3
access-list 100 extended permit tcp any host 67.77.18x.x eq 995
access-list 100 extended permit tcp any host 67.77.18x.x eq smtp
access-list 100 extended permit tcp any host 67.77.18x.x eq https
access-list 100 extended permit tcp any host 67.77.18x.x eq 1034
access-list 100 extended permit tcp any host 67.77.18x.x eq 587
access-list 100 extended permit tcp any host 67.77.18x.x eq 589
access-list 100 extended permit tcp any host 67.77.18x.x eq imap4
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip any
pager lines 24
logging enable
logging buffered errors
logging trap notifications
mtu inside 1500
mtu outside 1500
ip local pool IPPOOL mask
ip local pool TEST mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) 67.77.18X.X netmask
static (inside,outside) 67.77.18X.X netmask
access-group 100 in interface outside
route outside 67.77.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 67.77.18X.X
vpnclient mode client-mode
vpnclient vpngroup EXAMPLE password ********
vpnclient username EXAMPLE password ********
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value ain'
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value .
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 default-domain value ain'
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy AIAGP internal
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool IPPOOL
 address-pool TEST
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
prompt hostname context

lrmoore Commented:
Didn't I mention that you should use a totally different ip subnet for the vpn address pool?
inside = 10.200.1.x
vpn pool = 10.200.1.x
Not different
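An added example, not code from anyone in this thread, that catches the mistake lrmoore points out before the config is pushed: it parses the interface stanzas and `ip local pool` lines of an ASA config and flags any VPN pool that overlaps an interface subnet, or the 192.168.1.0/24 range he also says to avoid. The config fragment is constructed (the posted config elides the pool and interface addresses); it reuses the 10.200.1.x values quoted above.

```python
import ipaddress
import re

# Constructed ASA config fragment, not the poster's. Inside and VPN pool are
# both in 10.200.1.x as lrmoore describes; the second pool is a clean one.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.200.1.1 255.255.255.0
!
ip local pool IPPOOL 10.200.1.200-10.200.1.220 mask 255.255.255.0
ip local pool TEST 10.200.50.10-10.200.50.40 mask 255.255.255.0
"""

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # typical home LAN behind remote users
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+) mask ([\d.]+)", re.M)
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
ADDR_RE = re.compile(r"^\s+ip address ([\d.]+) ([\d.]+)")

def parse_interfaces(cfg):
    """Return {nameif: ip_network} for each interface stanza with a static address."""
    ifaces, name, net = {}, None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):       # a new stanza resets both fields
            name, net = None, None
        elif m := NAMEIF_RE.match(line):
            name = m.group(1)
        elif m := ADDR_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if name and net:
            ifaces[name] = net
    return ifaces

def parse_pools(cfg):
    """Return {pool name: (first address, last address)}."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in POOL_RE.finditer(cfg)}

def overlaps(first, last, net):
    """True when any address of the pool range first..last lies inside net."""
    return first <= net.broadcast_address and last >= net.network_address

def pool_conflicts(cfg):
    """List (pool, network) pairs where a VPN pool overlaps an interface subnet or 192.168.1.0/24."""
    ifaces = parse_interfaces(cfg)
    problems = []
    for pool, (first, last) in parse_pools(cfg).items():
        problems += [(pool, ifname) for ifname, net in ifaces.items() if overlaps(first, last, net)]
        if overlaps(first, last, HOME_NET):
            problems.append((pool, str(HOME_NET)))
    return problems
```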
haasjohAuthor Commented:
This was all setup before I read your post. I didn't make any changes yet :)
Where are you with testing? What works, what doesn't?
haasjohAuthor Commented:
I need to start testing again today. I didn't want to mess with the ASA while they were all working. However they don't work weekends (good for me) and I plan on getting in today to do just that.
Just remember that you can only test the VPN from actually outside the network.
I usually open up http to my home IP address so that I can use the ASDM GUI from home to setup the VPN and then to test it at the same time.
Just add:
   http <home ip> outside
Yes indeed :-) If you don't have another internet connection available try linking a laptop to your cellphone if your phone supports it (most smartphones and even little phones like the RAZR do). That's plenty fast to establish a VPN connection and test if it's functioning correctly/debug the error messages.
Oh woops - didn't read the line about using your home address.
You do have to have the ASDM on your home computer though, as well as a VPN connection to home.
lrmoore and I may, but you may not, so the phone will work if you don't. :)
Cheers lr! Didn't mean to overlap your post.
haasjohAuthor Commented:
Sorry for the delay. I haven't been out to the site yet. I was working on their Exchange stuff. I will work on your solutions soon.
No problem! Just let me know!
haasjohAuthor Commented:
Thanks Guys!