Solved

Problems setting up Remote Access VPN on Cisco ASA 5505

Posted on 2008-10-17
23
1,571 Views
Last Modified: 2012-08-13
I am attempting to set up a Remote Access VPN on our Cisco ASA 5505. I have been working myself through several issues along the way, including too many different IPsec rules and getting PFS turned off. I have finally got this connection to give me a Phase 2 Completed; but I am hitting a snag I can't figure out. After getting the Phase 2 Completed, I get a "PPP virtual interface 2 missing aaa server group info" error and the tunnel dies. If there is any more information I should post to help (i.e. router config, etc.), please let me know. Thank you in advance.
0
Question by:CFCMattrix
23 Comments
 

Author Comment

by:CFCMattrix
ID: 22743443
Looking around via ASDM I see that there is a field for AAA server group under VPN Group Policy; but, I am unable to change that value from --N/A--.
0
 

Author Comment

by:CFCMattrix
ID: 22743456
Never mind... I can only change that if it is an external group.
0
 

Author Comment

by:CFCMattrix
ID: 22743770
Result of the command: "show running"

: Saved
:
ASA Version 7.2(3)
!
hostname CiscoASA5505
ADMIN EDIT TO DELETE SENSITIVE INFORMATION
VEE_MOD, EE MODERATOR
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22752255
Hello CFCMattrix,
      Pretty complex config for an RA VPN :) Here are some missing parts at first look

crypto isakmp nat-traversal 20
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.214 255.255.255.248
   According to the error you get, I think the firewall assumes LOCAL is an AAA server group when typed under tunnel-group as
 authorization-server-group LOCAL
 authorization-server-group (outside) LOCAL
 authorization-server-group (inside) LOCAL
    I put a ? after "authorization-server-group" in my firewall and saw that it asks me for the name of a group in 17 chars, which means "local", the firewall itself, is not an option. The other option was specifying an interface, which again elects local. That means the firewall itself (local) cannot handle authorization in VPN termination.
    Maybe you mean "authentication", which has the option for Local.

Regards
0
 

Author Comment

by:CFCMattrix
ID: 22754557
Thank you for your reply MrHusy,

If I am understanding you correctly, a Cisco ASA 5505 cannot do an RA VPN by itself? It needs an external AAA server? I may be a little lost here. Maybe I should start over on this. Is there any way to allow a user to log in remotely to our network via a VPN? I am used to simple PPTP servers in simple VPN routers.

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22754956
"a Cisco ASA 5505 cannot do an RA VPN by itself?"
   No, a Cisco ASA can do RA VPN itself for sure, but not the "authorization" for VPN. I think you mean "authentication", which means checking for a username and password in its local database and comparing the provided credentials against that database. For achieving this, you have to type authentication-server-group local
0
 

Author Comment

by:CFCMattrix
ID: 22758435
When I type that command I get:

"authorization-server-group LOCAL
    ^
ERROR: % Invalid input detected at '^' marker."
0
 

Author Comment

by:CFCMattrix
ID: 22758548
I mean:

"authentication-server-group LOCAL
    ^
ERROR: % Invalid input detected at '^' marker"
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22758762
You should enter this command under tunnel-group attributes

CiscoASA5505# conf t
CiscoASA5505(conf)# tunnel-group DefaultRAGroup general-attributes
CiscoASA5505(config-tunnel-general)# authentication-server-group LOCAL
CiscoASA5505(config-tunnel-general)#  no authorization-server-group LOCAL
CiscoASA5505(config-tunnel-general)# no authorization-server-group (outside) LOCAL
CiscoASA5505(config-tunnel-general)# no authorization-server-group (inside) LOCAL
0
 

Author Comment

by:CFCMattrix
ID: 22759896
Thank you MrHusy... The firewall accepted the commands with no errors as soon as they were typed into the correct config; but, I am still getting "PPP virtual interface 2 missing aaa server group info" in my syslog messages when I try to connect.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22760155
Please post the latest config after the modifications
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22760243
Also try removing the "authentication-server-group LOCAL" too and try again. It should authenticate through the local database by default when left empty. Also add the following

tunnel-group DefaultRAGroup type ipsec-ra

   And let only the following appear in the tunnel-group config


tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
   address-pool CIscoPool
   default-group-policy DefaultRAGroup
0
 

Author Comment

by:CFCMattrix
ID: 22761055
You may need to walk me through those steps command by command again. It is not liking something I am doing.
I am attaching the current configuration.
: Saved
:
ASA Version 7.2(3) 
!
 
ADMIN EDIT TO DELETE SENSITIVE INFORMATION
 
VEE_MOD, EE MODERATOR


0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22761345
CiscoASA5505# conf t
CiscoASA5505(conf)# no tunnel-group DefaultRAGroup ppp-attributes
CiscoASA5505(conf)# tunnel-group DefaultRAGroup type remote-access
CiscoASA5505(conf)# tunnel-group DefaultRAGroup general-attributes
CiscoASA5505(config-tunnel-general)# no address-pool CiscoPool     (this will remove one of the duplicate entries)
CiscoASA5505(config-tunnel-general)# exit
CiscoASA5505(conf)# tunnel-group DefaultRAGroup ipsec-attributes
CiscoASA5505(config-tunnel-ipsec)# no peer-id-validate nocheck
CiscoASA5505(config-tunnel-ipsec)# no isakmp ikev1-user-authentication none

Then paste the latest config again
0
 

Author Comment

by:CFCMattrix
ID: 22762720
OK, I'm getting the same error as before.

"tunnel-group DefaultRAGroup type remote-access
                            ^
ERROR: % Invalid input detected at '^' marker."

All the other commands went through though.

 Saved
:
ASA Version 7.2(3) 
!
hostname xxx
domain-name xxx
enable password xxx encrypted
names
name 206.130.xxx.xxx Public_Route
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PPPoE-Group
 ip address 66.172.xxx.xxx 255.255.255.255 pppoe setroute 
!
interface Vlan100
 nameif Public_Routed
 security-level 0
 ip address 206.130.xxx.xxx 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 100
!
passwd xxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit udp any Public_Route 255.255.255.248 
access-list outside_access_in extended permit tcp any Public_Route 255.255.255.248 
access-list inside_access_out extended permit tcp any eq www any eq www 
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.1.1.2 
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.1.1.13 
access-list inside_nat0_outbound extended permit ip host 10.1.1.2 10.20.30.96 255.255.255.240 
access-list inside_nat0_outbound extended permit ip host 10.1.1.13 10.20.30.96 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 10.1.1.236 255.255.255.252 
access-list inside_nat0_outbound extended permit ip any 10.1.1.224 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.69.0 255.255.255.0 192.168.195.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.145.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.195.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.195.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.1.1.216 255.255.255.252 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any 
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.195.0 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list Public_Routed_access_out extended permit udp any any 
access-list Public_Routed_access_out extended permit tcp any any 
access-list Public_Routed_access_in extended permit udp any any 
access-list Public_Routed_access_in extended permit tcp any any 
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl_2 standard permit any 
access-list Remote_Access_VPN_splitTunnelAcl standard permit any 
access-list outside_authentication extended permit tcp any any inactive 
access-list inside_authentication extended permit tcp any any inactive 
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging facility 23
logging host inside 10.1.1.199 format emblem
logging debug-trace
mtu inside 1500
mtu outside 1452
mtu Public_Routed 1452
ip local pool CIscoPool 10.1.1.216-10.1.1.219 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface Public_Routed
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 206.130.xxx.xxx netmask 255.255.255.255
global (Public_Routed) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Public_Routed) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.1.1.5 smtp netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group Public_Routed_access_in in interface Public_Routed
access-group Public_Routed_access_out out interface Public_Routed
route inside 10.1.2.0 255.255.255.0 10.1.1.1 1
route inside 10.1.3.0 255.255.255.0 10.1.1.1 1
route outside 0.0.0.0 0.0.0.0 66.172.96.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
aaa authentication match outside_authentication outside LOCAL
aaa authentication match inside_authentication inside LOCAL
aaa authentication enable console LOCAL 
aaa authorization command LOCAL 
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto ipsec transform-set Null_Transform esp-null esp-none 
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 66.172.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 64.146.xxx.xxx
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer 66.172.xxx.xxx
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.1.1.199 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 66.172.xxx.xxx 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group PPPoE-Group request dialout pppoe
vpdn group PPPoE-Group localname xxx
vpdn group PPPoE-Group ppp authentication chap
vpdn username xxx password ********* store-local
dhcpd auto_config outside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
webvpn
 enable outside
 url-list Email "Check Your Email" http://10.1.1.2/exchange 1
 url-list WebApps "Check Email" http://10.1.1.2/exchange 1
 url-list WebApps "Administer Web Filter" https://10.1.1.251 2
 url-list WebApps "Administer Email Filter" https://10.1.1.5 3
 port-forward RDP 3389 10.1.1.13 3389 TBCNTAPPSERVER
 port-forward Administrators 3389 10.1.1.13 3389 TBCNTAPPSERVER
 port-forward Administrators 3388 10.1.1.2 3389 CFCMAINSERVER
 port-forward Administrators telnet 10.1.1.12 telnet AS400 CONNECT
 port-forward Administrators 3386 10.1.1.246 3389 PAULS COMPUTER
 port-forward Administrators 3387 10.1.1.199 3389 MATTS COMPUTER
 port-forward Administrators imap4 10.1.1.2 imap4 IMAP4
 port-forward Administrators 995 10.1.1.2 995 POP3/SSL
 port-forward Administrators 993 10.1.1.2 993 IMAP4/SSL
 port-forward Administrators pop3 10.1.1.2 pop3 POP3
 port-forward Aweta 3085 10.1.1.217 3085 NetAdminService
 port-forward Compac telnet 10.1.1.12 telnet Telnet AS/400
 port-forward Compac 3388 10.1.1.19 3389 TS-Compac Test System
 port-forward Exchange_Server imap4 10.1.1.2 imap4 IMAP4
 port-forward Exchange_Server 995 10.1.1.2 995 POP3/SSL
 port-forward Exchange_Server 993 10.1.1.2 993 IMAP4/SSL
 port-forward Exchange_Server pop3 10.1.1.2 pop3 POP3
 port-forward WadeB 3390 10.1.1.227 3389 Wades Computer
 port-forward ConceptSystemsINC 3389 10.1.1.231 3389 TS/Remote Desktop
 port-forward ConceptSystemsINC telnet 10.1.1.12 telnet AS/400 Telnet
 port-forward ConceptSystemsINC 3388 10.1.1.231 3389 TS/RDP 2
 port-forward AppServer 3389 10.1.1.13 3389 TBCNTAPPSERVER
 port-forward ReggieC 3388 10.1.1.225 3389 RDP Reggies Computer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 banner value xxx
 wins-server value 10.1.1.2 10.1.1.13
 dns-server value 10.1.1.2 206.130.130.2
 group-lock value DefaultRAGroup
 default-domain value xxx
 address-pools value CIscoPool
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value CIscoPool
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username xxx
username xxx attributes
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download
  homepage none
  url-list value WebApps
  customization value DfltCustomization
  port-forward value Administrators
  port-forward-name value Application Access
username xxx
username xxx attributes
 webvpn
  functions none
  url-list value Email
username xxx
username xxx attributes
 webvpn
  functions port-forward
  html-content-filter java images scripts cookies
  port-forward value xxx
  port-forward-name value Application Access
username xxx
username xxx attributes
 webvpn
  url-list value Email
username xxx
username xxx
 webvpn
  functions port-forward http-proxy auto-download
  url-list value Email
  customization none
  port-forward value xxx
username xxx
privilege 0
username xxx attributes
 webvpn
  functions url-entry mapi port-forward auto-download
  url-list value Email
  port-forward value xxx
username xxx 
username xxx attributes
 webvpn
  functions port-forward filter
  url-list value Email
  port-forward value AppServer
username nwinternet password JbHFvASTD/qICYu3 encrypted privilege 15
username RichStiner password cikqhsO8SUhx9QiX encrypted
username RichStiner attributes
 webvpn
  functions url-entry mapi port-forward
  url-list value Email
  port-forward value Exchange_Server
username xxx
username xxx attributes
 vpn-group-policy DfltGrpPolicy
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 group-lock value DefaultRAGroup
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
  homepage none
  http-comp gzip
  filter none
  url-list value WebApps
  customization value DfltCustomization
  port-forward value Administrators
  port-forward-name value Application Access
  sso-server none
username xxx 
username xxx attributes
 webvpn
  functions port-forward
  port-forward value xxx
username xxx
username xxx attributes
 webvpn
  functions port-forward
  url-list none
  customization none
  port-forward value xxx
  port-forward-name value Application Access
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool CIscoPool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 66.172.xxx.xxx type ipsec-l2l
tunnel-group 66.172.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 64.146.xxx.xxx type ipsec-l2l
tunnel-group 64.146.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 66.172.xxx.xxx type ipsec-l2l
tunnel-group 66.172.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group-map enable rules
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
Cryptochecksum:e008640ede0ece4e8d6f0a1f055ba54d
: end


0
 

Author Comment

by:CFCMattrix
ID: 22762742
The ^ in the error that I am getting in the above post should be under "type".
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22771902
It's OK, it's already the default for RA, that's why it doesn't accept it.
Add this one

CiscoASA5505(conf)# ip local pool VPNPool 10.1.7.1-10.1.7.15 mask 255.255.255.240
CiscoASA5505(conf)# access-list inside_nat0_outbound permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.240
CiscoASA5505(conf)# tunnel-group DefaultRAGroup general-attributes
CiscoASA5505(config-tunnel-general)#  address-pool VPNPool
CiscoASA5505(config-tunnel-general)# no address-pool CIscoPool
CiscoASA5505(config-tunnel-general)# no address-pool CIscoPool
CiscoASA5505(config-tunnel-general)#  exit
CiscoASA5505(conf)# tunnel-group DefaultRAGroup ipsec-attributes
CiscoASA5505(config-tunnel-ipsec)# no peer-id-validate nocheck
CiscoASA5505(config-tunnel-ipsec)# no isakmp ikev1-user-authentication none
CiscoASA5505(conf)# group-policy DefaultRAGroup attributes
CiscoASA5505(config-group-policy)# no address-pools value CIscoPool



0
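The checks the expert walks through above (duplicate address-pool lines under the tunnel-group, a pool that sits inside the inside subnet, a leftover ppp-attributes block on an IPsec remote-access group, and a pool that needs its own NAT exemption) can be scripted as a lint over a saved running-config, which is handy before touching a production box. The following is an added example and not code from the thread, from Cisco, or from the asker's device: the two sample configs, their addresses and the "weak IKE" thresholds (DES, MD5, group 1, all visible in the posted config) are constructed assumptions, and the parser only understands the handful of line shapes it needs.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample (not the thread's config): a "before" with the issues the
# thread works through, and an "after" that reflects the expert's corrections.
BEFORE = """\
interface Vlan1
 nameif inside
 ip address 10.1.1.254 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.216 255.255.255.252
ip local pool CIscoPool 10.1.1.216-10.1.1.219 mask 255.255.255.0
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 1
group-policy DefaultRAGroup internal
tunnel-group DefaultRAGroup general-attributes
 address-pool CIscoPool
 address-pool CIscoPool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""

AFTER = """\
interface Vlan1
 nameif inside
 ip address 10.1.1.254 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.240
ip local pool VPNPool 10.1.7.1-10.1.7.15 mask 255.255.255.240
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
group-policy DefaultRAGroup internal
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
 default-group-policy DefaultRAGroup
 authentication-server-group LOCAL
"""

Section = Tuple[str, List[str]]
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_PREFIX = "access-list inside_nat0_outbound extended permit ip "
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}  # assumed thresholds


def parse_sections(config: str) -> List[Section]:
    """Split an ASA config into (top-level line, [indented sub-lines]) pairs."""
    sections: List[Section] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def _addr(tokens: List[str], i: int):
    """Consume one ACL address spec ('any', 'host A', or 'A MASK'); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def lint(config: str) -> List[str]:
    """Return findings for the remote-access VPN pieces of a running-config."""
    sections = parse_sections(config)
    findings: List[str] = []
    iface_nets: Dict[str, ipaddress.IPv4Network] = {}
    pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
    nat0: List[ipaddress.IPv4Network] = []
    policies = set()
    # Pass 1: collect interfaces, pools, NAT-exempt destinations, group policies; flag IKE/PPP.
    for header, body in sections:
        m = POOL_RE.match(header)
        if header.startswith("interface "):
            name = next((l.split()[1] for l in body if l.startswith("nameif ")), None)
            addr = next((l.split() for l in body if l.startswith("ip address ")), None)
            if name and addr:
                iface_nets[name] = ipaddress.ip_network(f"{addr[2]}/{addr[3]}", strict=False)
        elif m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif header.startswith(NAT0_PREFIX):
            tokens = header.split()[5:]          # everything after "permit ip"
            _, i = _addr(tokens, 0)              # skip the source spec
            nat0.append(_addr(tokens, i)[0])     # keep the destination (the VPN side)
        elif header.startswith("group-policy ") and header.split()[-1] in ("internal", "external"):
            policies.add(header.split()[1])
        elif header.startswith("crypto isakmp policy "):
            weak = [l for l in body if l.split()[0] in WEAK_IKE and l.split()[1] in WEAK_IKE[l.split()[0]]]
            if weak:
                findings.append(f"{header}: weak IKE settings: {', '.join(weak)}")
        elif header.endswith(" ppp-attributes"):
            findings.append(f"{header}: PPP attributes apply to L2TP/IPsec only; remove for a plain IPsec RA group")
    # Pass 2: check every remote-access tunnel-group against what pass 1 collected.
    for header, body in sections:
        if not header.endswith(" general-attributes"):
            continue
        group = header.split()[1]
        refs = [l.split()[1] for l in body if l.startswith("address-pool ")]
        if len(refs) != len(set(refs)):
            findings.append(f"{group}: duplicate address-pool lines {refs}")
        gp = next((l.split()[1] for l in body if l.startswith("default-group-policy ")), None)
        if gp and gp not in policies:
            findings.append(f"{group}: default-group-policy {gp} is not defined")
        for name in sorted(set(refs)):
            if name not in pools:
                findings.append(f"{group}: address-pool {name} is not defined")
                continue
            first, last = pools[name]
            for ifname, net in iface_nets.items():
                if first in net or last in net:
                    findings.append(f"{group}: pool {name} overlaps interface {ifname} subnet {net}")
            if not any(first in n and last in n for n in nat0):
                findings.append(f"{group}: pool {name} has no NAT exemption in inside_nat0_outbound")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, lint(cfg) or ["no findings"])
```

Run it against a `show running-config` saved to a file by replacing `BEFORE` with the file's contents; the "after" sample comes back clean, which is the state the expert's last batch of commands is driving toward. The IKE thresholds are deliberately minimal so the tool matches the thread's era; tighten `WEAK_IKE` to taste.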
 

Author Comment

by:CFCMattrix
ID: 22772873
Man... we are sooooo close! I am getting an "AAA user authentication Rejected : reason = Invalid password : local database : user = xxx" in my syslog and my VPN client gets to the "Verifying User Name and Password". I should also note that I have triple checked and tried several different user accounts to sign in and none seem to work.
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 22772946
Is authentication-server-group LOCAL issued under tunnel-group DefaultRAGroup general-attributes? I can't see it issued in the latest config you posted.
You have usernames for webvpn with different privs etc.; create a new user
username test password test
0
 

Author Comment

by:CFCMattrix
ID: 22773423
I have issued the commands:
tunnel-group DefaultRAGroup geral-attributes
authentication-server-group local

But I do not see it listed either. Not sure what is going on there. Also I can't seem to get the CIscoPool to go away via the commands:

group-pollicy DefaultRAGroup attributes
no address-pools value CIscoPool




: Saved
:
ASA Version 7.2(3) 
!
hostname CiscoASA5505
domain-name xxx
enable password xxx encrypted
names
name 206.130.xxx.xxx Public_Route
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PPPoE-Group
 ip address 66.172.xxx.xxx 255.255.255.255 pppoe setroute 
!
interface Vlan100
 nameif Public_Routed
 security-level 0
 ip address 206.130.xxx.xxx 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 100
!
passwd xxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ChelanFruitCo.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit udp any Public_Route 255.255.255.248 
access-list outside_access_in extended permit tcp any Public_Route 255.255.255.248 
access-list inside_access_out extended permit tcp any eq www any eq www 
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.1.1.2 
access-list DefaultRAGroup_splitTunnelAcl standard permit host 10.1.1.13 
access-list inside_nat0_outbound extended permit ip host 10.1.1.2 10.20.30.96 255.255.255.240 
access-list inside_nat0_outbound extended permit ip host 10.1.1.13 10.20.30.96 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 10.1.1.236 255.255.255.252 
access-list inside_nat0_outbound extended permit ip any 10.1.1.224 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 255.255.255.0 192.168.195.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.145.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.195.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.195.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.1.1.216 255.255.255.252 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.240 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any 
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.195.0 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list Public_Routed_access_out extended permit udp any any 
access-list Public_Routed_access_out extended permit tcp any any 
access-list Public_Routed_access_in extended permit udp any any 
access-list Public_Routed_access_in extended permit tcp any any 
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl_2 standard permit any 
access-list Remote_Access_VPN_splitTunnelAcl standard permit any 
access-list outside_authentication extended permit tcp any any inactive 
access-list inside_authentication extended permit tcp any any inactive 
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging facility 23
logging host inside 10.1.1.199 format emblem
logging debug-trace
mtu inside 1500
mtu outside 1452
mtu Public_Routed 1452
ip local pool VPNPool 10.1.7.1-10.1.7.15 mask 255.255.255.240
no failover
monitor-interface inside
monitor-interface outside
monitor-interface Public_Routed
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 206.130.133.163 netmask 255.255.255.255
global (Public_Routed) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Public_Routed) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.1.1.5 smtp netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group Public_Routed_access_in in interface Public_Routed
access-group Public_Routed_access_out out interface Public_Routed
route inside 10.1.2.0 255.255.255.0 10.1.1.1 1
route inside 10.1.3.0 255.255.255.0 10.1.1.1 1
route outside 0.0.0.0 0.0.0.0 66.172.96.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
aaa authentication match outside_authentication outside LOCAL
aaa authentication match inside_authentication inside LOCAL
aaa authentication enable console LOCAL 
aaa authorization command LOCAL 
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto ipsec transform-set Null_Transform esp-null esp-none 
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 66.172.102.90 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 64.146.141.24 
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer 66.172.97.209 
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.1.1.199 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 66.172.xxx.xxx 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group PPPoE-Group request dialout pppoe
vpdn group PPPoE-Group localname xxx
vpdn group PPPoE-Group ppp authentication chap
vpdn username xxx password ********* store-local
dhcpd auto_config outside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
webvpn
 enable outside
 url-list Email "Check Your Email" http://10.1.1.2/exchange 1
 url-list WebApps "Check Email" http://10.1.1.2/exchange 1
 url-list WebApps "Administer Web Filter" https://10.1.1.251 2
 url-list WebApps "Administer Email Filter" https://10.1.1.5 3
 port-forward Administrators 3389 10.1.1.13 3389 TBCNTAPPSERVER
 port-forward Administrators 3388 10.1.1.2 3389 CFCMAINSERVER
 port-forward Administrators telnet 10.1.1.12 telnet AS400 CONNECT
 port-forward Administrators 3386 10.1.1.246 3389 PAULS COMPUTER
 port-forward Administrators 3387 10.1.1.199 3389 MATTS COMPUTER
 port-forward Administrators imap4 10.1.1.2 imap4 IMAP4
 port-forward Administrators 995 10.1.1.2 995 POP3/SSL
 port-forward Administrators 993 10.1.1.2 993 IMAP4/SSL
 port-forward Administrators pop3 10.1.1.2 pop3 POP3
 port-forward Administrators 3385 10.1.1.225 3389 Reggies connection
 port-forward WadeB 3390 10.1.1.227 3389 Wades Computer
 port-forward AppServer 3389 10.1.1.13 3389 TBCNTAPPSERVER
 port-forward ReggieC 3387 10.1.1.225 3389 RDP Reggies Computer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.1.1.2 10.1.1.13
 dns-server value 10.1.1.2 206.130.130.2
 group-lock value DefaultRAGroup
 address-pools value VPNPool
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value CIscoPool
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username xxx password xxx encrypted
username xxx attributes
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download
  homepage none
  url-list value WebApps
  customization value DfltCustomization
  port-forward value Administrators
  port-forward-name value Application Access
username xxx password xxx encrypted
username xxx attributes
 webvpn
  functions port-forward http-proxy auto-download
  url-list value Email
  customization none
  port-forward value 
username VPNUser password xxx encrypted
username VPNUser attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 group-lock value DefaultRAGroup
username xxx password xxx encrypted privilege 0
username xxx attributes
 webvpn
  functions url-entry mapi port-forward auto-download
  url-list value Email
  port-forward value xxx
username xxx password xxx encrypted
username xxx attributes
 webvpn
  functions port-forward filter
  url-list value Email
  port-forward value AppServer
username xxx password xxx encrypted privilege 15
username xxx password xxx encrypted privilege 15
username xxx attributes
 vpn-group-policy DfltGrpPolicy
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 group-lock value DefaultRAGroup
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
  homepage none
  http-comp gzip
  filter none
  url-list value WebApps
  customization value DfltCustomization
  port-forward value Administrators
  port-forward-name value Application Access
  sso-server none
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group 66.172.xxx.xxx type ipsec-l2l
tunnel-group 66.172.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 64.146.xxx.xxx type ipsec-l2l
tunnel-group 64.146.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 66.172.xxx.xxx type ipsec-l2l
tunnel-group 66.172.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group-map enable rules
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
Cryptochecksum:6e9a02938d894d6b92eca013964dde4e
: end

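Added example, not from the question or from any comment in the thread: the tunnel-group pieces the posted running-config is missing for L2TP/IPsec against the LOCAL database, plus the weak items a practitioner would clean up in the same change. The ASA message "PPP virtual interface ... missing aaa server group info" names the gap: in the posted config, tunnel-group DefaultRAGroup general-attributes carries only address-pool and default-group-policy and no authentication-server-group, so the ASA has nowhere to send the PPP authentication when the L2TP session comes up after Phase 2. Interface, pool, group and user names are the ones in the posted config; the plaintext password placeholder is an assumption to be filled in. The thread itself was closed without this being tested on the box, so treat it as the first thing to try, not as a confirmed fix.

```text
! Added example (not the poster's config): what DefaultRAGroup needs for
! L2TP/IPsec clients authenticated against the LOCAL user database.
!
! 1. Give the tunnel-group an AAA server group. The posted general-attributes
!    block has none, which is exactly what the "missing aaa server group info"
!    message complains about. Use LOCAL, or a RADIUS group name if one is defined.
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
 address-pool VPNPool
 default-group-policy DefaultRAGroup
!
! 2. eap-proxy proxies PPP authentication to an external RADIUS server, so it
!    cannot be served by LOCAL; keep only the methods the local database can answer.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication eap-proxy
 authentication ms-chap-v2
 no authentication pap
!
! 3. MS-CHAP against the LOCAL database needs the password stored in MS-CHAP
!    form. Assumption: VPNUser's plaintext password is re-entered here.
username VPNUser password <plaintext> mschap
!
! 4. Unrelated to the error, but worth removing while in the config:
!    - esp-null/esp-none is an unencrypted, unauthenticated transform set and is
!      not referenced by any crypto map in the posted config.
!    - ISAKMP policy 70 (DES, MD5, DH group 1) is the weakest Phase 1 policy
!      offered; check that no L2L peer depends on it before removing.
!    - Telnet management is cleartext; SSH is already enabled for the inside subnet.
no crypto ipsec transform-set Null_Transform
no crypto isakmp policy 70
no telnet 10.1.1.199 255.255.255.255 inside
```

After applying, a Windows L2TP/IPsec client should get past the PPP stage; if it still fails, "debug ppp" and "debug l2tp" on the ASA will show whether the authentication method negotiated is one the LOCAL database can serve.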
 

Author Comment

by:CFCMattrix
ID: 22964373
Time to sell the Cisco ASA 5505... we are dropping it for a Fortigate 60b. I am closing this question and awarding MrHusky the points because he is the only one who even tried to help me.
 

Author Closing Comment

by:CFCMattrix
ID: 31507201
Thank you for taking so much time to help me.
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22966656
Thanks :)
