Solved

Problems setting up Remote Access VPN on Cisco ASA 5505

Posted on 2008-10-17
Last Modified: 2012-08-13
I am attempting to set up a Remote Access VPN on our Cisco ASA 5505. I have been working myself through several issues along the way, including too many different IPsec rules and getting PFS turned off. I have finally got this connection to give me a Phase 2 Completed, but I am hitting a snag I can't figure out. After getting the Phase 2 Completed, I get a "PPP virtual interface 2 missing aaa server group info" error and the tunnel dies. If there is any more information I should post to help (i.e. router config, etc.), please let me know. Thank you in advance.
Question by:CFCMattrix
23 Comments
Author Comment

by:CFCMattrix
ID: 22743443
Looking around via ASDM I see that there is a field for AAA server group under VPN Group Policy, but I am unable to change that value from --N/A--.

Author Comment

by:CFCMattrix
ID: 22743456
Never mind... I can only change that if it is an external group.

Author Comment

by:CFCMattrix
ID: 22743770
Result of the command: "show running"

: Saved
:
ASA Version 7.2(3)
!
hostname CiscoASA5505
ADMIN EDIT TO DELETE SENSITIVE INFORMATION
VEE_MOD, EE MODERATOR

Expert Comment

by:Alan Huseyin Kayahan
ID: 22752255
Hello CFCMattrix,
      Pretty complex config for a RA VPN :) Here are some missing parts at a first look

crypto isakmp nat-traversal 20
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.214 255.255.255.248
   According to the error you get, I think the firewall assumes LOCAL is an aaa server group when typed under tunnel-group as
 authorization-server-group LOCAL
 authorization-server-group (outside) LOCAL
 authorization-server-group (inside) LOCAL
    I put a ? after "authorization-server-group" in my firewall and saw that it asks me for the name of a group in 17 chars, which means "local", the firewall itself, is not an option. The other option was specifying an interface, which again elects local. That means the firewall itself (local) can not handle authorization in VPN termination.
    Maybe you mean "authentication", which has the option for Local.

Regards

Author Comment

by:CFCMattrix
ID: 22754557
Thank you for your reply MrHusy,

If I am understanding you correctly, a Cisco ASA 5505 can not do a RA VPN by itself? It needs an external AAA server? I may be a little lost here. Maybe I should start over on this. Is there any way to allow a user to log in remotely to our network via a VPN? I am used to simple PPTP servers in simple VPN routers.


Expert Comment

by:Alan Huseyin Kayahan
ID: 22754956
"a Cisco ASA 5505 can not do a RA VPN by itself?"
   No, Cisco ASA can do RA VPN itself for sure, but not the "authorization" for VPN. I think you mean "authentication", which means checking for a username and password in its local database and comparing the provided credentials against that database. For achieving this, you have to type authentication-server-group local

Author Comment

by:CFCMattrix
ID: 22758435
When I type that command I get:

"authorization-server-group LOCAL
    ^
ERROR: % Invalid input detected at '^' marker."

Author Comment

by:CFCMattrix
ID: 22758548
I mean:

"authentication-server-group LOCAL
    ^
ERROR: % Invalid input detected at '^' marker"

Expert Comment

by:Alan Huseyin Kayahan
ID: 22758762
You should enter this command under tunnel-group attributes

CiscoASA5505# conf t
CiscoASA5505(conf)# tunnel-group DefaultRAGroup general-attributes
CiscoASA5505(config-tunnel-general)# authentication-server-group LOCAL
CiscoASA5505(config-tunnel-general)#  no authorization-server-group LOCAL
CiscoASA5505(config-tunnel-general)# no authorization-server-group (outside) LOCAL
CiscoASA5505(config-tunnel-general)# no authorization-server-group (inside) LOCAL

Author Comment

by:CFCMattrix
ID: 22759896
Thank you MrHusy... The firewall accepted the commands with no errors as soon as they were typed into the correct config, but I am still getting "PPP virtual interface 2 missing aaa server group info" in my syslog messages when I try to connect.

Expert Comment

by:Alan Huseyin Kayahan
ID: 22760155
Please post the latest config after the modifications.

Expert Comment

by:Alan Huseyin Kayahan
ID: 22760243
Also try removing the "authentication-server-group LOCAL" too and try again. It should authenticate through the local database by default when left empty. Also add the following

tunnel-group DefaultRAGroup type ipsec-ra

   And let only the following appear in the tunnel-group config

tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
   address-pool CIscoPool
   default-group-policy DefaultRAGroup

Author Comment

by:CFCMattrix
ID: 22761055
You may need to walk me through those steps command by command again. It is not liking something I am doing.
I am attaching the current configuration.
: Saved
:
ASA Version 7.2(3)
!

ADMIN EDIT TO DELETE SENSITIVE INFORMATION

VEE_MOD, EE MODERATOR

Expert Comment

by:Alan Huseyin Kayahan
ID: 22761345
CiscoASA5505# conf t
CiscoASA5505(conf)# no tunnel-group DefaultRAGroup ppp-attributes
CiscoASA5505(conf)# tunnel-group DefaultRAGroup type remote-access
CiscoASA5505(conf)# tunnel-group DefaultRAGroup general-attributes
CiscoASA5505(config-tunnel-general)# no address-pool CiscoPool     (this will remove one of the duplicate entries)
CiscoASA5505(config-tunnel-general)# exit
CiscoASA5505(conf)# tunnel-group DefaultRAGroup ipsec-attributes
CiscoASA5505(config-tunnel-ipsec)# no peer-id-validate nocheck
CiscoASA5505(config-tunnel-ipsec)# no isakmp ikev1-user-authentication none

Then paste the latest config again
Author Comment

by:CFCMattrix
ID: 22762720
OK, I'm getting the same error as before.

"tunnel-group DefaultRAGroup type remote-access
                            ^
ERROR: % Invalid input detected at '^' marker."

All the other commands went through though.

: Saved
:
ASA Version 7.2(3)
!
hostname xxx
domain-name xxx
enable password xxx encrypted
names
name 206.130.xxx.xxx Public_Route
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PPPoE-Group
 ip address 66.172.xxx.xxx 255.255.255.255 pppoe setroute
!
interface Vlan100
 nameif Public_Routed
 security-level 0
 ip address 206.130.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 100
!
passwd xxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit udp any Public_Route 255.255.255.248
access-list outside_access_in extended permit tcp any Public_Route 255.255.255.248
access-list inside_access_out extended permit tcp any eq www any eq www
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.1.1.2
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.1.1.13
access-list inside_nat0_outbound extended permit ip host 10.1.1.2 10.20.30.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 10.1.1.13 10.20.30.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.1.1.236 255.255.255.252
access-list inside_nat0_outbound extended permit ip any 10.1.1.224 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.69.0 255.255.255.0 192.168.195.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.145.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.195.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.195.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.216 255.255.255.252
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.195.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list Public_Routed_access_out extended permit udp any any
access-list Public_Routed_access_out extended permit tcp any any
access-list Public_Routed_access_in extended permit udp any any
access-list Public_Routed_access_in extended permit tcp any any
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_2 standard permit any
access-list Remote_Access_VPN_splitTunnelAcl standard permit any
access-list outside_authentication extended permit tcp any any inactive
access-list inside_authentication extended permit tcp any any inactive
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging facility 23
logging host inside 10.1.1.199 format emblem
logging debug-trace
mtu inside 1500
mtu outside 1452
mtu Public_Routed 1452
ip local pool CIscoPool 10.1.1.216-10.1.1.219 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface Public_Routed
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 206.130.xxx.xxx netmask 255.255.255.255
global (Public_Routed) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Public_Routed) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.1.1.5 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group Public_Routed_access_in in interface Public_Routed
access-group Public_Routed_access_out out interface Public_Routed
route inside 10.1.2.0 255.255.255.0 10.1.1.1 1
route inside 10.1.3.0 255.255.255.0 10.1.1.1 1
route outside 0.0.0.0 0.0.0.0 66.172.96.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication match outside_authentication outside LOCAL
aaa authentication match inside_authentication inside LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto ipsec transform-set Null_Transform esp-null esp-none
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 66.172.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 64.146.xxx.xxx
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 66.172.xxx.xxx
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.1.1.199 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 66.172.xxx.xxx 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group PPPoE-Group request dialout pppoe
vpdn group PPPoE-Group localname xxx
vpdn group PPPoE-Group ppp authentication chap
vpdn username xxx password ********* store-local
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
webvpn
 enable outside
 url-list Email "Check Your Email" http://10.1.1.2/exchange 1
 url-list WebApps "Check Email" http://10.1.1.2/exchange 1
 url-list WebApps "Administer Web Filter" https://10.1.1.251 2
 url-list WebApps "Administer Email Filter" https://10.1.1.5 3
 port-forward RDP 3389 10.1.1.13 3389 TBCNTAPPSERVER
 port-forward Administrators 3389 10.1.1.13 3389 TBCNTAPPSERVER
 port-forward Administrators 3388 10.1.1.2 3389 CFCMAINSERVER
 port-forward Administrators telnet 10.1.1.12 telnet AS400 CONNECT
 port-forward Administrators 3386 10.1.1.246 3389 PAULS COMPUTER
 port-forward Administrators 3387 10.1.1.199 3389 MATTS COMPUTER
 port-forward Administrators imap4 10.1.1.2 imap4 IMAP4
 port-forward Administrators 995 10.1.1.2 995 POP3/SSL
 port-forward Administrators 993 10.1.1.2 993 IMAP4/SSL
 port-forward Administrators pop3 10.1.1.2 pop3 POP3
 port-forward Aweta 3085 10.1.1.217 3085 NetAdminService
 port-forward Compac telnet 10.1.1.12 telnet Telnet AS/400
 port-forward Compac 3388 10.1.1.19 3389 TS-Compac Test System
 port-forward Exchange_Server imap4 10.1.1.2 imap4 IMAP4
 port-forward Exchange_Server 995 10.1.1.2 995 POP3/SSL
 port-forward Exchange_Server 993 10.1.1.2 993 IMAP4/SSL
 port-forward Exchange_Server pop3 10.1.1.2 pop3 POP3
 port-forward WadeB 3390 10.1.1.227 3389 Wades Computer
 port-forward ConceptSystemsINC 3389 10.1.1.231 3389 TS/Remote Desktop
 port-forward ConceptSystemsINC telnet 10.1.1.12 telnet AS/400 Telnet
 port-forward ConceptSystemsINC 3388 10.1.1.231 3389 TS/RDP 2
 port-forward AppServer 3389 10.1.1.13 3389 TBCNTAPPSERVER
 port-forward ReggieC 3388 10.1.1.225 3389 RDP Reggies Computer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 banner value xxx
 wins-server value 10.1.1.2 10.1.1.13
 dns-server value 10.1.1.2 206.130.130.2
 group-lock value DefaultRAGroup
 default-domain value xxx
 address-pools value CIscoPool
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value CIscoPool
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username xxx
username xxx attributes
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download
  homepage none
  url-list value WebApps
  customization value DfltCustomization
  port-forward value Administrators
  port-forward-name value Application Access
username xxx
username xxx attributes
 webvpn
  functions none
  url-list value Email
username xxx
username xxx attributes
 webvpn
  functions port-forward
  html-content-filter java images scripts cookies
  port-forward value xxx
  port-forward-name value Application Access
username xxx
username xxx attributes
 webvpn
  url-list value Email
username xxx
username xxx
 webvpn
  functions port-forward http-proxy auto-download
  url-list value Email
  customization none
  port-forward value xxx
username xxx
privilege 0
username xxx attributes
 webvpn
  functions url-entry mapi port-forward auto-download
  url-list value Email
  port-forward value xxx
username xxx
username xxx attributes
 webvpn
  functions port-forward filter
  url-list value Email
  port-forward value AppServer
username nwinternet password JbHFvASTD/qICYu3 encrypted privilege 15
username RichStiner password cikqhsO8SUhx9QiX encrypted
username RichStiner attributes
 webvpn
  functions url-entry mapi port-forward
  url-list value Email
  port-forward value Exchange_Server
username xxx
username xxx attributes
 vpn-group-policy DfltGrpPolicy
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 group-lock value DefaultRAGroup
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
  homepage none
  http-comp gzip
  filter none
  url-list value WebApps
  customization value DfltCustomization
  port-forward value Administrators
  port-forward-name value Application Access
  sso-server none
username xxx
username xxx attributes
 webvpn
  functions port-forward
  port-forward value xxx
username xxx
username xxx attributes
 webvpn
  functions port-forward
  url-list none
  customization none
  port-forward value xxx
  port-forward-name value Application Access
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool CIscoPool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 66.172.xxx.xxx type ipsec-l2l
tunnel-group 66.172.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 64.146.xxx.xxx type ipsec-l2l
tunnel-group 64.146.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 66.172.xxx.xxx type ipsec-l2l
tunnel-group 66.172.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group-map enable rules
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:e008640ede0ece4e8d6f0a1f055ba54d
: end

Author Comment

by:CFCMattrix
ID: 22762742
The ^ in the error that I am getting in the above post should be under "type".

Expert Comment

by:Alan Huseyin Kayahan
ID: 22771902
It's OK, it's already the default for RA, that's why it doesn't accept it.
Add this one

CiscoASA5505(conf)# ip local pool VPNPool 10.1.7.1-10.1.7.15 mask 255.255.255.240
CiscoASA5505(conf)# access-list inside_nat0_outbound permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.240
CiscoASA5505(conf)# tunnel-group DefaultRAGroup general-attributes
CiscoASA5505(config-tunnel-general)#  address-pool VPNPool
CiscoASA5505(config-tunnel-general)# no address-pool CIscoPool
CiscoASA5505(config-tunnel-general)# no address-pool CIscoPool
CiscoASA5505(config-tunnel-general)#  exit
CiscoASA5505(conf)# tunnel-group DefaultRAGroup ipsec-attributes
CiscoASA5505(config-tunnel-ipsec)# no peer-id-validate nocheck
CiscoASA5505(config-tunnel-ipsec)# no isakmp ikev1-user-authentication none
CiscoASA5505(conf)# group-policy DefaultRAGroup attributes
CiscoASA5505(config-group-policy)# no address-pools value CIscoPool

Author Comment

by:CFCMattrix
ID: 22772873
Man... we are sooooo close! I am getting a "AAA user authentication Rejected : reason = Invalid password : local database : user = xxx" in my syslog and my VPN client gets to the "Verifying User Name and Password". I should also note that I have triple checked and tried several different user accounts to sign in and none seem to work.

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 22772946
Is the authentication-server-group LOCAL command issued under tunnel-group DefaultRAGroup general-attributes? I can't see it issued in the latest config you posted.
You have usernames for webvpn with different privs etc.; create a new user
username test password test
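The points the thread converged on (a client pool kept out of the inside subnet, a nat0 exemption for that pool, and LOCAL authentication under the tunnel-group's general-attributes) as one small config check, added here as example code; it is not from the thread or from Cisco, and its sample config is constructed from the thread's own fragments.

```python
"""Sanity-check the remote-access VPN pieces of an ASA 7.2-style config.

Added example, not code from the thread or from Cisco. It encodes what the
thread converged on: keep the client pool out of the 'inside' subnet, exempt
the pool from NAT via inside_nat0_outbound, and point the tunnel-group's
general-attributes at a defined pool and at LOCAL authentication (with no
authorization-server-group, which the ASA cannot serve locally here).
"""
import ipaddress

# Constructed from the thread's own fragments: the original CIscoPool sits
# inside 10.1.1.0/24, the replacement VPNPool does not.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip any 10.1.1.216 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.240
ip local pool CIscoPool 10.1.1.216-10.1.1.219 mask 255.255.255.0
ip local pool VPNPool 10.1.7.1-10.1.7.15 mask 255.255.255.240
tunnel-group DefaultRAGroup general-attributes
 address-pool CIscoPool
 default-group-policy DefaultRAGroup
 authentication-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
"""


def _acl_addr(tokens, i):
    """Consume one ACL address spec ('any', 'host X' or 'NET MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract the inside subnet, local pools, nat0 exemptions and RA tunnel-groups."""
    cfg = {"inside": None, "pools": {}, "nat0": [], "tunnel_groups": {}}
    ctx = None  # (kind, dict) of the indented block currently being read
    for raw in text.splitlines():
        t = raw.split()
        if not t or raw.startswith("!"):
            continue
        if raw.startswith(" ") and ctx is not None:
            kind, target = ctx
            if kind == "interface":
                if t[0] == "nameif":
                    target["nameif"] = t[1]
                elif t[:2] == ["ip", "address"]:
                    target["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
                if target.get("nameif") == "inside" and "net" in target:
                    cfg["inside"] = target["net"]
            else:  # tunnel-group general-attributes: keyword -> rest of line
                target[t[0]] = " ".join(t[1:])
            continue
        ctx = None
        if t[0] == "interface":
            ctx = ("interface", {})
        elif t[:3] == ["ip", "local", "pool"]:
            start, end = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif t[:5] == ["access-list", "inside_nat0_outbound", "extended", "permit", "ip"]:
            src, i = _acl_addr(t, 5)
            dst, _ = _acl_addr(t, i)
            cfg["nat0"].append((src, dst))
        elif len(t) >= 3 and t[0] == "tunnel-group" and t[2] == "general-attributes":
            ctx = ("tunnel-group", cfg["tunnel_groups"].setdefault(t[1], {}))
    return cfg


def lint_ra_vpn(cfg, group="DefaultRAGroup"):
    """Return a list of findings; an empty list means the RA VPN pieces line up."""
    attrs = cfg["tunnel_groups"].get(group)
    if attrs is None:
        return [f"{group}: no 'general-attributes' block"]
    pool = attrs.get("address-pool")
    if pool not in cfg["pools"]:
        return [f"{group}: address-pool '{pool}' is not a defined 'ip local pool'"]
    findings = []
    start, end = cfg["pools"][pool]
    inside = cfg["inside"]
    if inside is not None and (start in inside or end in inside):
        findings.append(f"{pool} {start}-{end} overlaps inside subnet {inside}; use a separate subnet")
    if not any(start in dst and end in dst for _, dst in cfg["nat0"]):
        findings.append(f"no inside_nat0_outbound entry covers {pool}; client traffic will be NATed")
    auth = attrs.get("authentication-server-group", "LOCAL")  # absent means the local database
    if auth.split()[-1] != "LOCAL":
        findings.append(f"{group}: authentication-server-group '{auth}' is not LOCAL")
    if "authorization-server-group" in attrs:
        findings.append(f"{group}: remove authorization-server-group; it cannot be served by LOCAL")
    return findings


if __name__ == "__main__":
    for line in lint_ra_vpn(parse_config(SAMPLE_CONFIG)) or ["OK: no findings"]:
        print(line)
```

Run against the sample it reports only the pool overlap; switching address-pool to VPNPool clears every finding.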
 

Author Comment

by:CFCMattrix
ID: 22773423
I have issued the commands:
tunnel-group DefaultRAGroup general-attributes
authentication-server-group local

But I do not see it listed either. Not sure what is going on there. Also I can't seem to get the CIscoPool to go away via commands:

group-policy DefaultRAGroup attributes
no address-pools value CIscoPool

: Saved
:
ASA Version 7.2(3)
!
hostname CiscoASA5505
domain-name xxx
enable password xxx encrypted
names
name 206.130.xxx.xxx Public_Route
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PPPoE-Group
 ip address 66.172.xxx.xxx 255.255.255.255 pppoe setroute
!
interface Vlan100
 nameif Public_Routed
 security-level 0
 ip address 206.130.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 100
!
passwd xxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ChelanFruitCo.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit udp any Public_Route 255.255.255.248
access-list outside_access_in extended permit tcp any Public_Route 255.255.255.248
access-list inside_access_out extended permit tcp any eq www any eq www
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.1.1.2
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.1.1.13
access-list inside_nat0_outbound extended permit ip host 10.1.1.2 10.20.30.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 10.1.1.13 10.20.30.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.1.1.236 255.255.255.252
access-list inside_nat0_outbound extended permit ip any 10.1.1.224 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.69.0 255.255.255.0 192.168.195.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.145.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.195.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.195.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.216 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.240
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.195.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list Public_Routed_access_out extended permit udp any any
access-list Public_Routed_access_out extended permit tcp any any
access-list Public_Routed_access_in extended permit udp any any
access-list Public_Routed_access_in extended permit tcp any any
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_2 standard permit any
access-list Remote_Access_VPN_splitTunnelAcl standard permit any
access-list outside_authentication extended permit tcp any any inactive
access-list inside_authentication extended permit tcp any any inactive
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging facility 23
logging host inside 10.1.1.199 format emblem
logging debug-trace
mtu inside 1500
mtu outside 1452
mtu Public_Routed 1452
ip local pool VPNPool 10.1.7.1-10.1.7.15 mask 255.255.255.240
no failover
monitor-interface inside
monitor-interface outside
monitor-interface Public_Routed
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 206.130.133.163 netmask 255.255.255.255
global (Public_Routed) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Public_Routed) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.1.1.5 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group Public_Routed_access_in in interface Public_Routed
access-group Public_Routed_access_out out interface Public_Routed
route inside 10.1.2.0 255.255.255.0 10.1.1.1 1
route inside 10.1.3.0 255.255.255.0 10.1.1.1 1
route outside 0.0.0.0 0.0.0.0 66.172.96.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication match outside_authentication outside LOCAL
aaa authentication match inside_authentication inside LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto ipsec transform-set Null_Transform esp-null esp-none
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 66.172.102.90
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 64.146.141.24

crypto map outside_map 2 set transform-set ESP-AES-128-SHA

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set pfs 

crypto map outside_map 3 set peer 66.172.97.209 

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto isakmp policy 30

 authentication pre-share

 encryption des

 hash md5

 group 2

 lifetime 86400

crypto isakmp policy 50

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp policy 70

 authentication pre-share

 encryption des

 hash md5

 group 1

 lifetime 86400

crypto isakmp policy 90

 authentication pre-share

 encryption aes

 hash sha

 group 5

 lifetime 86400

crypto isakmp policy 110

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto isakmp nat-traversal  20

telnet 10.1.1.199 255.255.255.255 inside

telnet timeout 5

ssh 10.1.1.0 255.255.255.0 inside

ssh 66.172.xxx.xxx 255.255.255.255 outside

ssh timeout 5

console timeout 0

vpdn group PPPoE-Group request dialout pppoe

vpdn group PPPoE-Group localname xxx

vpdn group PPPoE-Group ppp authentication chap

vpdn username xxx password ********* store-local

dhcpd auto_config outside

!
 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

  inspect pptp 

!

service-policy global_policy global

webvpn

 enable outside

 url-list Email "Check Your Email" http://10.1.1.2/exchange 1

 url-list WebApps "Check Email" http://10.1.1.2/exchange 1

 url-list WebApps "Administer Web Filter" https://10.1.1.251 2

 url-list WebApps "Administer Email Filter" https://10.1.1.5 3

 port-forward Administrators 3389 10.1.1.13 3389 TBCNTAPPSERVER

 port-forward Administrators 3388 10.1.1.2 3389 CFCMAINSERVER

 port-forward Administrators telnet 10.1.1.12 telnet AS400 CONNECT

 port-forward Administrators 3386 10.1.1.246 3389 PAULS COMPUTER

 port-forward Administrators 3387 10.1.1.199 3389 MATTS COMPUTER

 port-forward Administrators imap4 10.1.1.2 imap4 IMAP4

 port-forward Administrators 995 10.1.1.2 995 POP3/SSL

 port-forward Administrators 993 10.1.1.2 993 IMAP4/SSL

 port-forward Administrators pop3 10.1.1.2 pop3 POP3

 port-forward Administrators 3385 10.1.1.225 3389 Reggies connection

 port-forward WadeB 3390 10.1.1.227 3389 Wades Computer

 port-forward AppServer 3389 10.1.1.13 3389 TBCNTAPPSERVER

 port-forward ReggieC 3387 10.1.1.225 3389 RDP Reggies Computer

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

 wins-server value 10.1.1.2 10.1.1.13

 dns-server value 10.1.1.2 206.130.130.2

 group-lock value DefaultRAGroup

 address-pools value VPNPool

group-policy DfltGrpPolicy attributes

 banner none

 wins-server none

 dns-server none

 dhcp-network-scope none

 vpn-access-hours none

 vpn-simultaneous-logins 3

 vpn-idle-timeout 30

 vpn-session-timeout none

 vpn-filter none

 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

 password-storage disable

 ip-comp disable

 re-xauth disable

 group-lock none

 pfs enable

 ipsec-udp disable

 ipsec-udp-port 10000

 split-tunnel-policy tunnelall

 split-tunnel-network-list none

 default-domain none

 split-dns none

 intercept-dhcp 255.255.255.255 disable

 secure-unit-authentication disable

 user-authentication disable

 user-authentication-idle-timeout 30

 ip-phone-bypass disable

 leap-bypass disable

 nem disable

 backup-servers keep-client-config

 msie-proxy server none

 msie-proxy method no-modify

 msie-proxy except-list none

 msie-proxy local-bypass disable

 nac disable

 nac-sq-period 300

 nac-reval-period 36000

 nac-default-acl none

 address-pools value CIscoPool

 smartcard-removal-disconnect enable

 client-firewall none

 client-access-rule none

 webvpn

  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

username xxx password xxx encrypted

username xxx attributes

 webvpn

  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download

  homepage none

  url-list value WebApps

  customization value DfltCustomization

  port-forward value Administrators

  port-forward-name value Application Access

username xxx password xxx encrypted

username xxx attributes

 webvpn

  functions port-forward http-proxy auto-download

  url-list value Email

  customization none

  port-forward value 

username VPNUser password xxx encrypted

username VPNUser attributes

 vpn-group-policy DefaultRAGroup

 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

 group-lock value DefaultRAGroup

username xxx password xxx encrypted privilege 0

username xxx attributes

 webvpn

  functions url-entry mapi port-forward auto-download

  url-list value Email

  port-forward value xxx

username xxx password xxx encrypted

username xxx attributes

 webvpn

  functions port-forward filter

  url-list value Email

  port-forward value AppServer

username xxx password xxx encrypted privilege 15

username xxx password xxx encrypted privilege 15

username xxx attributes

 vpn-group-policy DfltGrpPolicy

 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

 group-lock value DefaultRAGroup

 webvpn

  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix

  homepage none

  http-comp gzip

  filter none

  url-list value WebApps

  customization value DfltCustomization

  port-forward value Administrators

  port-forward-name value Application Access

  sso-server none

tunnel-group DefaultL2LGroup ipsec-attributes

 pre-shared-key *

tunnel-group DefaultRAGroup general-attributes

 address-pool VPNPool

 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

 pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

 authentication pap

 authentication ms-chap-v2

 authentication eap-proxy

tunnel-group 66.172.xxx.xxx type ipsec-l2l

tunnel-group 66.172.xxx.xxx ipsec-attributes

 pre-shared-key *

tunnel-group 64.146.xxx.xxx type ipsec-l2l

tunnel-group 64.146.xxx.xxx ipsec-attributes

 pre-shared-key *

tunnel-group 66.172.xxx.xxx type ipsec-l2l

tunnel-group 66.172.xxx.xxx ipsec-attributes

 pre-shared-key *

tunnel-group-map enable rules

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command uauth

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context 

Cryptochecksum:6e9a02938d894d6b92eca013964dde4e

: end


0
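An added example, not code from the thread or from Cisco: a small reviewer script that parses a running-config laid out like the one posted above into command blocks and lists the items worth checking first, namely transform-sets and ISAKMP policies still using DES, MD5, null ESP or DH group 1, and remote-access tunnel-groups with no explicit authentication-server-group line, the setting the "missing aaa server group info" message in the question refers to. SAMPLE_CONFIG is a constructed excerpt, and the parser assumes ASA's layout of one leading space per sub-command.

```python
# Constructed excerpt in the layout of the running-config posted above (not the full dump).
SAMPLE_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Null_Transform esp-null esp-none
crypto isakmp policy 10
 encryption des
 hash sha
 group 2
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
 default-group-policy DefaultRAGroup
tunnel-group Branch general-attributes
 authentication-server-group LOCAL
"""

# Algorithms that should not appear in a current VPN configuration.
WEAK_ESP = {"esp-des", "esp-md5-hmac", "esp-null", "esp-none"}
WEAK_ISAKMP = {("encryption", "des"), ("hash", "md5"), ("group", "1")}

def parse_blocks(text):
    """Split config text into (header, [sub-commands]); ASA indents sub-commands by one space."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line[0] in "!:":  # skip '!', ': Saved', ': end'
            continue
        if line[0] == " " and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(text):
    """Return sorted review findings for the given running-config text."""
    findings = []
    for header, body in parse_blocks(text):
        words = header.split()
        if header.startswith("crypto ipsec transform-set") and len(words) > 4:
            weak = sorted(set(words[4:]) & WEAK_ESP)
            if weak:
                findings.append(f"transform-set {words[3]} uses weak {', '.join(weak)}")
        elif header.startswith("crypto isakmp policy"):
            settings = dict(line.partition(" ")[::2] for line in body)
            weak = [f"{k} {v}" for k, v in settings.items() if (k, v) in WEAK_ISAKMP]
            if weak:
                findings.append(f"isakmp policy {words[3]} uses weak {', '.join(weak)}")
        elif words[0] == "tunnel-group" and words[-1] == "general-attributes":
            # ASA defaults to LOCAL when absent; listed to match against the "missing aaa server group info" error
            if not any(l.startswith("authentication-server-group") for l in body):
                findings.append(f"tunnel-group {words[1]} has no explicit authentication-server-group")
    return sorted(findings)
```

Run `audit()` over the output of `show running-config` to get the same list for a live box; an empty list means none of the three checks fired.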
 

Author Comment

by:CFCMattrix
ID: 22964373
Time to sell the Cisco ASA 5505... we are dropping it for a Fortigate 60b. I am closing this question and awarding MrHusky the points because he is the only one who even tried to help me.
0
 

Author Closing Comment

by:CFCMattrix
ID: 31507201
Thank you for taking so much time to help me.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22966656
Thanks :)
0
