Site-to-Site IPSec VPN between Cisco ASA 5505 and Cisco 1710

Hi Guys,
    We're switching out old PIX 501s for ASA 5505 appliances and I need some help here as I'm new to the ASA product. Currently, we have a few locations terminated via PIX into a Cisco 1710 which is acting as the Hub for the Spokes.

The relevant information from the 1710 is as follows:
1710
------------------
crypto isakmp policy 1
   hash md5
   authentication pre-share
!
crypto isakmp policy 3
   encr 3des
   authentication pre-share
   group 2
!
crypto isakmp key <crypto key here> address <ip of remote host here> no-xauth
!
crypto isakmp client configuration group 3000client
   key <key here>
   dns 192.168.200.100 192.168.1.11
   domain domain.com
   pool ippool
   acl 108
!
!
crypto ipsec transform-set store esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 99
   set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 20 ipsec-isakmp
   set peer <ip of peer>
   set transform-set store
   match address 131
crypto map clientmap 99 ipsec-isakmp dynamic dynmap
!
!
access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255

The information from one of the OLD PIXs in question is as follows:
PIX 501
----------------------------
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 21 ipsec-isakmp
crypto map mymap 21 match address ipsec
crypto map mymap 21 set peer <ip of HUB 1710>
crypto map mymap 21 set transform-set myset
crypto map mymap interface outside
!
isakmp enable outside
isakmp key <key here> address <IP of HUB 1710> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 7200



The above configuration is up and working perfectly. We're migrating off of the PIX platform due to end-of-life and the myriad of issues they have. What I need to know is what would the ASA config look like to connect to the 1710 Router with the above configuration.

Also, I'm being asked if we can enable remote VPN connectivity into the ASA 5505 as well for VPN users to connect into it. If this is possible with this configuration, could you shed some insight on that as well?

Thanks in Advance Guys.
hypknightAsked:

wilsjCommented:
The ASA is the same as a PIX; the only real difference will be in the IOS that comes with the device. The below config is for ver 7.x

All your crypto maps will stay the same. The only thing that will be different is the Pre-shared key. It will look like this.

tunnel-group (IP of HUB 1710) type ipsec-l2l
tunnel-group (IP of HUB 1710) ipsec-attributes
pre-shared-key secret key

As for VPN it would look something like this

access-list remoteusers_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0(for local lan access)
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 (network that you want remote users to see)
ip local pool remoteusers 10.10.10.1-10.10.10.254 (range of IPs you want the remote users to have when connected)

crypto dynamic-map outside_dyn_map 20 set transform-set 3DES/MD5 (you can change this to whatever fits for you)
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map

group-policy remoteusers internal
group-policy remoteusers attributes
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteusers_splitTunnelAcl (if you want the users to keep local LAN access)

tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
 address-pool remoteusers
 default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
 pre-shared-key secret key




0
wilsjCommented:
also you will not need this in your crypto map.

crypto map mymap 21 ipsec-isakmp
0
hypknightAuthor Commented:
So do I still need all of the isakmp policy information?

isakmp enable outside
isakmp key <key here> address <IP of HUB 1710> netmask 255.255.255.255 no-xauth no-config-mode -- removed
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 7200

Sorry, not trying to be thick. I just want to make sure I understand properly.
0
wilsjCommented:
you do not need
isakmp key <key here> address <IP of HUB 1710> netmask 255.255.255.255 no-xauth no-config-mode -- removed

you still need the following
isakmp enable outside
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 7200
0
hypknightAuthor Commented:
Hub Network: 192.168.1.0
Spoke Network: 192.168.15.0


so here's what I have currently on the ASA:


access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
   authentication pre-share
   encryption des
   hash md5
   group 1
   lifetime 7200
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
   pre-shared-key <Key Here>
!

No VPN light is lit on the ASA... if the above is correct (I haven't made any changes to the 1710 side), is there a command I need to do to instigate the tunnel connection? Again, sorry for the simplistic questions.
0
wilsjCommented:
no worries.

Please post your nat and global statements for the ASA. Do the following and paste the info here:

sh run nat
sh run global
0
hypknightAuthor Commented:
sh run nat
-------------------------
nat (inside) 1 0.0.0.0 0.0.0.0

sh run global
-------------------------
global (outside) 1 interface


nice and easy, nothing complex.
0
wilsjCommented:
ok add this to your nat statements and add this acl also

access-list no-nat permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
0
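The two things just changed on the spoke are exactly what a site-to-site checker should verify: the crypto ACL on the ASA must be the mirror image of the hub's access-list 131 (the 1710 writes it with IOS wildcard masks, the ASA with subnet masks), and every flow the crypto ACL selects must also be covered by the nat (inside) 0 exemption, otherwise PAT rewrites the source to the outside address before the crypto map ever sees it. The following Python is an added example, not code from this thread; the ACL lines it parses are constructed from the hub (192.168.1.0/24) and spoke (192.168.15.0/24) networks above, and it only handles the `permit ip <net> <mask> <net> <mask>` form used here.

```python
"""Check that a spoke's ASA crypto ACL mirrors the hub's IOS crypto ACL and is NAT-exempt.

Added example. Sample ACL lines are constructed from the thread's networks; the
hub line uses IOS wildcard masks, the ASA lines use subnet masks.
"""
import ipaddress
import re
from typing import List, Tuple

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample input in the form the thread's devices use.
HUB_IOS_ACL = [
    "access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255",
]
SPOKE_CRYPTO_ACL = [
    "access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0",
]
SPOKE_NONAT_ACL = [
    "access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0",
]

# IOS: "access-list <n> permit ip <src> <wildcard> <dst> <wildcard>"
IOS_RE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# ASA: "access-list <name> [extended] permit ip <src> <mask> <dst> <mask>"
ASA_RE = re.compile(r"^access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS wildcard mask (0.0.0.255) to a network by inverting it."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_ios_acl(lines: List[str]) -> List[Flow]:
    flows = []
    for line in lines:
        m = IOS_RE.match(line.strip())
        if m:
            src, swc, dst, dwc = m.groups()
            flows.append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return flows


def parse_asa_acl(lines: List[str]) -> List[Flow]:
    flows = []
    for line in lines:
        m = ASA_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            flows.append((ipaddress.IPv4Network(f"{src}/{smask}", strict=False),
                          ipaddress.IPv4Network(f"{dst}/{dmask}", strict=False)))
    return flows


def mirror_problems(hub: List[Flow], spoke: List[Flow]) -> List[str]:
    """Each side's interesting traffic must be the exact reverse of the other's;
    otherwise phase 2 fails on a proxy-identity mismatch."""
    problems = []
    for s, d in spoke:
        if (d, s) not in hub:
            problems.append(f"spoke flow {s} -> {d} has no mirror entry on the hub")
    for s, d in hub:
        if (d, s) not in spoke:
            problems.append(f"hub flow {s} -> {d} has no mirror entry on the spoke")
    return problems


def nat_exempt_problems(crypto: List[Flow], nonat: List[Flow]) -> List[str]:
    """Traffic selected by the crypto ACL must bypass PAT via nat (inside) 0, or the
    source is rewritten to the outside address and never matches the tunnel."""
    problems = []
    for s, d in crypto:
        if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat):
            problems.append(f"crypto flow {s} -> {d} is not NAT-exempt")
    return problems


def check_spoke(hub_lines: List[str], crypto_lines: List[str], nonat_lines: List[str]) -> List[str]:
    hub, crypto, nonat = parse_ios_acl(hub_lines), parse_asa_acl(crypto_lines), parse_asa_acl(nonat_lines)
    return mirror_problems(hub, crypto) + nat_exempt_problems(crypto, nonat)


if __name__ == "__main__":
    print("before no-nat:", check_spoke(HUB_IOS_ACL, SPOKE_CRYPTO_ACL, []))
    print("after no-nat: ", check_spoke(HUB_IOS_ACL, SPOKE_CRYPTO_ACL, SPOKE_NONAT_ACL))
```

Run against the state of the ASA before the no-nat line was added it reports the missing exemption; after it, nothing. The same mirror check is what catches a hub whose access-list still names the old PIX's network rather than the spoke's.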
hypknightAuthor Commented:
Alrighty, done:

sh run nat
---------------------------
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0


Still no light after reload...
0
wilsjCommented:
no need to reload. Also did you save the config before reloading?

If the config is still intact issue a ping from a host on the 192.168.15.0 network to 192.168.1.0 network and see if you get a reply.

While you are pinging you can issue the command sh isakmp sa to see if you see the tunnel initializing.
0
hypknightAuthor Commented:
Yes I did save it. Just reloaded for good measure.


during the ping attempt I get this:

hostname# sh isakmp sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

1        IKE Peer: <IP of HUB 1710>
               Type: L2L               Role: initiator
             Rekey: no                State: MM_WAIT_MSG6

after the ping attempt finishes it immediately disappears.
0
hypknightAuthor Commented:
It actually takes about 15 seconds then disappears and says : There are no isakmp sas
0
wilsjCommented:
yeah it seems like the tunnel doesn't like something.

Can you post the ACLs, crypto, isakmp and tunnel-group statements?

In the meantime you can issue this command to see if you see any errors. You'll have to keep a continuous ping going to see anything.

deb crypto isakmp 10
0
hypknightAuthor Commented:
Here's the pertinent configuration of the ASA:

ASA Version 7.2(4)
!
hostname hostname
domain-name domain.com
enable password <password> encrypted
passwd <password> encrypted
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.100.1 255.255.255.0  
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
!
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 <IP of gateway> 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
             
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 7200
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet            
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context


Here's a snippet of the results of the debug:

Nov 10 11:45:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:00 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 10 11:45:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:05 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, IKE MM Initiator FSM error history (struct &0x175ccc8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, IKE SA MM:281efe24 terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, sending delete/delete with reason message
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing blank hash payload
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing IKE delete payload
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing qm hash payload
Nov 10 11:45:10 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE SENDING Message (msgid=d58497e8) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Nov 10 11:45:10 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Removing peer from peer table failed, no match!
Nov 10 11:45:10 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Error: Unable to remove PeerTblEntry
Nov 10 11:45:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <IP of HUB 1710>  local Proxy Address 192.168.15.0, remote Proxy Address 192.168.1.0,  Crypto map (primaryCryptoMap)
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing ISAKMP SA payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing Fragmentation VID + extended capabilities payload
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing SA payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Oakley proposal is acceptable
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing ke payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing nonce payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing Cisco Unity VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing xauth V6 VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Send IOS VID
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing ke payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing ISA_KE payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing nonce payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Received Cisco Unity client VID
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Received DPD VID
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000007f)
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Received xauth V6 VID
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, Connection landed on tunnel_group <IP of HUB 1710>
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Generating keys for Initiator...
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing ID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing hash payload
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Computing hash for ISAKMP
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing dpd vid payload
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Nov 10 11:45:12 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Rxed Encrypted Notify without a message Id!
Nov 10 11:45:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:16 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 10 11:45:19 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Rxed Encrypted Notify without a message Id!
Nov 10 11:45:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:22 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
0
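The debug above can be read mechanically. The FSM error history is printed most recent transition first, and it shows MM_SND_MSG5 followed by MM_WAIT_MSG6 with EV_PROB_AUTH_FAIL: the ASA sent main-mode message 5 (its ID and HASH payload, the authentication step) and the 1710 never returned a valid message 6, so phase 1 stalled at authentication even though the proposal had already been accepted. The following Python is an added example, not code from the thread; its sample lines are constructed from the debug and `sh isakmp sa` output posted above, with the hub address replaced by the documentation address 203.0.113.1.

```python
"""Triage an ASA 'debug crypto isakmp' capture for a tunnel stuck in MM_WAIT_MSG6.

Added example, not from the thread. The samples are constructed from the posted
output with 203.0.113.1 standing in for the hub address.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_DEBUG = """\
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = 203.0.113.1, IP = 203.0.113.1, IKE MM Initiator FSM error history (struct &0x175ccc8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
Nov 10 11:45:11 [IKEv1]: IP = 203.0.113.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.1  local Proxy Address 192.168.15.0, remote Proxy Address 192.168.1.0,  Crypto map (primaryCryptoMap)
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = 203.0.113.1, Oakley proposal is acceptable
Nov 10 11:45:11 [IKEv1]: IP = 203.0.113.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Nov 10 11:45:12 [IKEv1]: Group = 203.0.113.1, IP = 203.0.113.1, Rxed Encrypted Notify without a message Id!
"""

SAMPLE_SA = """\
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

1        IKE Peer: 203.0.113.1
               Type: L2L               Role: initiator
             Rekey: no                State: MM_WAIT_MSG6
"""

# Main mode: MSG1/2 carry the SA proposal, MSG3/4 the DH key exchange and nonces,
# MSG5/6 the identities and authentication hashes. Waiting on MSG6 means our MSG5
# went out and the peer never answered with a valid authenticated reply.
MM_STAGE = {
    "MM_WAIT_MSG2": "phase1-proposal",
    "MM_WAIT_MSG4": "phase1-key-exchange",
    "MM_WAIT_MSG6": "phase1-authentication",
    "MM_ACTIVE": "phase1-complete",
}


def parse_fsm_history(line: str) -> List[Tuple[str, str]]:
    """'... <state>, <event>:  S1, E1-->S2, E2-->...' -> [(S1, E1), (S2, E2), ...],
    most recent transition first."""
    _, _, body = line.partition("<event>:")
    pairs = []
    for chunk in body.split("-->"):
        state, _, event = chunk.strip().partition(", ")
        pairs.append((state, event))
    return pairs


def sa_state(show_isakmp_sa: str) -> str:
    """Pull the State: column out of 'show isakmp sa'; NONE when no SA is listed."""
    m = re.search(r"State:\s+(\S+)", show_isakmp_sa)
    return m.group(1) if m else "NONE"


def triage(debug_text: str, show_isakmp_sa: str) -> Dict[str, object]:
    state = sa_state(show_isakmp_sa)
    transitions: List[Tuple[str, str]] = []
    for line in debug_text.splitlines():
        if "FSM error history" in line:
            transitions.extend(parse_fsm_history(line))
    auth_fail_states = {s for s, e in transitions if e == "EV_PROB_AUTH_FAIL"}
    result: Dict[str, object] = {
        "phase1_state": state,
        "stage": MM_STAGE.get(state, "unknown"),
        "proposal_accepted": "Oakley proposal is acceptable" in debug_text,
        "auth_failed": "MM_WAIT_MSG6" in auth_fail_states,
        "encrypted_notify_without_msgid": debug_text.count("Rxed Encrypted Notify without a message Id!"),
    }
    if result["auth_failed"] and result["proposal_accepted"]:
        result["hint"] = ("proposal agreed but phase 1 authentication failed: re-check the "
                          "pre-shared key on both peers and that the hub's 'set peer' is the "
                          "ASA's outside address, not the old PIX")
    elif state == "MM_ACTIVE":
        result["hint"] = "phase 1 is up; if traffic still fails look at phase 2, NAT exemption and routing"
    else:
        result["hint"] = "no authentication failure recorded; check reachability and proposals"
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_DEBUG, SAMPLE_SA).items():
        print(f"{k}: {v}")
```

On the posted capture this reports stage phase1-authentication with auth_failed set, which is the pre-shared-key and peer-address question that actually resolved the tunnel further down the thread; a healthy SA in MM_ACTIVE comes back as phase1-complete so the same script can be kept in a runbook.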
wilsjCommented:
looks like it doesn't like something with phase 2.  Are you sure you entered the correct Pre-shared key?
0
hypknightAuthor Commented:
I'm relatively certain, I'll re-enter it though.
0
wilsjCommented:
One other thing does the cisco 1710 still point to the pix? Or did you change the peer IP on the router to point to the new ASA 5505?
0
hypknightAuthor Commented:
Alrighty, the tunnel itself appears to be up!

sh isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1     IKE Peer: <IP of HUB 1710>
            Type: L2L                Role: initiator
          Rekey: no                 State: MM_ACTIVE


and the VPN light is on and solid.

However, I can't ping across the tunnel and get a reply. I've tried 2 separate remote IP addresses. Any ideas?
0
wilsjCommented:
Try it in the other direction, so ping from the 192.168.1.0/24 network to a host on the 192.168.15.0/24 network. Keep the ping going on the host on the 15 network at the same time. Then issue the command deb icmp trace and see if you see the traffic.
0
hypknightAuthor Commented:
You're a genius. Had a missing route in an intermediate router... =) Now with the configuration you see above, is split-tunneling enabled?
0
wilsjCommented:
split-tunneling will be for the people using the VPN clients.

The configuration we just went over will allow remote and local access.
0
hypknightAuthor Commented:
Right, but I mean for the point-to-point from hub to spoke, is there a way to ensure the internet traffic is routed directly out the gateway and not across the tunnel? or does the no-nat ACL ensure that already?
0
wilsjCommented:
The crypto maps that you set up separate the tunnel traffic from the internet traffic. So yes, the inside hosts that are trying to access anything outside of 192.168.1.0/24 will go to the internet.
0
hypknightAuthor Commented:
alright, I thought that was the case, I just wanted to be sure.  So I'm going to attempt the remote vpn portion now... I should be able to put one of the switchports in the DMZ and use that port to test the software client correct?
0
wilsjCommented:
I've never tested it coming from the DMZ. I have an additional cable line coming in that I test it on. You can give it a shot, but I think for troubleshooting, testing on a line outside of your network, including DMZ, would be the easiest way.
0
hypknightAuthor Commented:
OK, so for the ACLs you mentioned above:

"As for VPN it would look something like this

access-list remoteusers_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0(for local lan access)
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 (network that you want remote users to see)
ip local pool remoteusers 10.10.10.1-10.10.10.254 (range of ip's you want he remote users to have when connected)"

The first one says that the VPN users (getting 10.10.10.x addresses) should be able to access my Hub network.
The second one says that it shouldn't be applied to NAT, right? Do I need to put one in from the 10.10.10.0/24 network to my 192.168.15.0/24 network?
0
wilsjCommented:
If you want the users to access the network behind the ASA it should look like this.

access-list remoteusers_splitTunnelAcl permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0 (for local LAN access)
access-list no-nat permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0 (network that you want remote users to see)

Sorry I was just giving an example in the first config.
0
hypknightAuthor Commented:
Would I need to do anything after that to let them access the HUB network then? (192.168.1.0/24)
0
wilsjCommented:
I believe these statements allow for that. Once connected try to ping one of the hosts on the 192.168.1.0 network.

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
0
wilsjCommented:
oops and also add this to the acl's

access-list no-nat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
0
wilsjCommented:
the last acl should be

access-list ipsec permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
0
hypknightAuthor Commented:
Alright.

Here's the config as it stands now...

ASA Version 7.2(4)
!
hostname hostname
domain-name domain.com
enable password <password> encrypted
passwd <password> encrypted
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
!
dns server-group DefaultDNS
 domain-name tollgas.com
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
!
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto dynamic-map outsideDynamicMap 20 set transform-set primaryTransformSet
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap 65535 ipsec-isakmp dynamic outsideDynamicMap
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 7200
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy remoteusers internal
group-policy remoteusers attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteusers_splitTunnelAcl
!
username testVPNuser password 2ydLgHrVzyJixLyT encrypted
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
 pre-shared-key *
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
 address-pool remoteUserIPpool
 default-group-policy remoteusers            
tunnel-group remoteusers ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context



Here's what I'm getting from a laptop in the (outside) network (192.168.0.x) connecting via software client to the (outside) interface....

1      14:29:50.671  11/10/08  Sev=Warning/2      IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

2      14:29:50.671  11/10/08  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

3      14:29:55.718  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

4      14:29:55.718  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

5      14:30:00.718  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

6      14:30:00.718  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

7      14:30:05.718  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

8      14:30:05.718  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
0
wilsjCommented:
Does it prompt you for the username and password?
0
hypknightAuthor Commented:
Nope
0
wilsjCommented:
what version of cisco vpn client are you using?
0
hypknightAuthor Commented:
5.0.02.0090
0
wilsjCommented:
You might have to change the encryption I don't think version 5 will use des/md5. Try using 3des/md5 and see if that works.
0
hypknightAuthor Commented:
New Config:
ASA Version 7.2(4)
!
hostname hostname
domain-name domain.com
enable password dNfKG7AX49Kx69an encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
!
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto ipsec transform-set remoteUserTransformSet esp-3des esp-md5-hmac
!
crypto dynamic-map outsideDynamicMap 20 set transform-set primaryTransformSet remoteUserTransformSet
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap 65535 ipsec-isakmp dynamic outsideDynamicMap
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 7200
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
group-policy remoteusers internal
group-policy remoteusers attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteusers_splitTunnelAcl
!
username testVPNuser password 2ydLgHrVzyJixLyT encrypted
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
 pre-shared-key *
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
 address-pool remoteUserIPpool
 default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context


New Debug Information:
25     15:23:52.562  11/10/08  Sev=Warning/2      IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

26     15:23:52.562  11/10/08  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

27     15:23:57.875  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

28     15:23:57.875  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

29     15:24:02.875  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

30     15:24:02.875  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

31     15:24:07.875  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

32     15:24:07.875  11/10/08  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
0
hypknightAuthor Commented:
Verified both Pre-Shared-Keys just for good measure... they match.
0
wilsjCommented:
also add another crypto isakmp policy statement for 3des/md5
crypto isakmp policy 31
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
0
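To see why the client's Aggressive Mode attempt produced "Invalid SPI size" and "Fragmented msg rcvd with no associated SA" before policy 31 existed, here is an added example (not code from the thread) that replays the phase-1 policy match the ASA performs as responder. It parses the `crypto isakmp policy` blocks posted above, before and after policy 31, and checks them against a constructed list of client proposals (3DES/AES with MD5 or SHA over DH group 2 and pre-shared-key authentication; the Cisco VPN Client is modelled as not offering DES over group 1) plus a proposal for the hub 1710 derived from its `crypto isakmp policy 1` in the question, filling in IOS defaults (DES, group 1, 86400 s) as an assumption. The match rule used is Cisco's documented one: encryption, hash, authentication and DH group must be equal; lifetime is negotiated down to the shorter value.

```python
"""Added example: replay the ISAKMP phase-1 policy match an ASA performs as
responder. Not code from the thread; the proposal lists are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int


# Config keyword -> dataclass field; every field must be set explicitly
# (as in the thread's config). Platform defaults are deliberately not filled in.
FIELD_FOR = {"encryption": "encryption", "hash": "hash_alg",
             "authentication": "authentication", "group": "group",
             "lifetime": "lifetime"}


def parse_isakmp_policies(config: str) -> list:
    """Collect `crypto isakmp policy N` blocks, sorted by priority number.
    A block ends at the next unindented line ('!' or another command)."""
    policies, current = [], None

    def finish(fields):
        missing = [f for f in FIELD_FOR.values() if f not in fields]
        if missing:
            raise ValueError(f"policy {fields['priority']} lacks {missing}")
        policies.append(IsakmpPolicy(**fields))

    for raw in config.splitlines():
        head = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if head:
            if current:
                finish(current)
            current = {"priority": int(head.group(1))}
        elif current and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            if key in FIELD_FOR:
                current[FIELD_FOR[key]] = int(value) if key in ("group", "lifetime") else value
        elif current:
            finish(current)
            current = None
    if current:
        finish(current)
    return sorted(policies, key=lambda p: p.priority)


def negotiate(policies, proposals) -> Optional[tuple]:
    """Responder view: walk local policies from the lowest priority number up and
    return (policy, agreed lifetime) for the first one equal to any proposed
    transform on encryption/hash/auth/group, or None if nothing matches."""
    for pol in policies:
        for prop in proposals:
            if (pol.encryption, pol.hash_alg, pol.authentication, pol.group) == (
                    prop["encryption"], prop["hash"], prop["authentication"], prop["group"]):
                return pol, min(pol.lifetime, prop["lifetime"])
    return None


# The policy blocks from the thread, before and after wilsj's policy 31.
ASA_BEFORE = """\
crypto isakmp policy 21
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 7200
!
"""
ASA_AFTER = ASA_BEFORE + """\
crypto isakmp policy 31
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
"""

# Constructed client proposals (XAUTH with a pre-shared key is matched by the
# ASA's `authentication pre-share` policies). No DES/group-1 transform is offered.
CLIENT_PROPOSALS = [
    {"encryption": "aes", "hash": "sha", "authentication": "pre-share", "group": 2, "lifetime": 86400},
    {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": 2, "lifetime": 86400},
    {"encryption": "3des", "hash": "md5", "authentication": "pre-share", "group": 2, "lifetime": 86400},
]
# Hub 1710 as initiator: `hash md5` + `authentication pre-share` from its
# policy 1, with assumed IOS defaults of DES, DH group 1 and 86400 s.
HUB_PROPOSALS = [
    {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 86400},
]

if __name__ == "__main__":
    for label, cfg in (("before policy 31", ASA_BEFORE), ("after policy 31", ASA_AFTER)):
        pols = parse_isakmp_policies(cfg)
        print(label, "client ->", negotiate(pols, CLIENT_PROPOSALS))
        print(label, "hub    ->", negotiate(pols, HUB_PROPOSALS))
```

With only policy 21 the client's proposals find no equal policy and phase 1 never completes; with policy 31 present the client lands on 31, and the hub still lands on 21 with the lifetime negotiated down to the ASA's 7200 s.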
hypknightAuthor Commented:
Again, you're a genius!

I can login and establish a tunnel... I can ping from a host in the 192.168.15.0/24 network to the host that is software-vpn-connected with a 10.10.10.0/24 address. I cannot however ping from the 10.10.10.0/24 client to the 192.168.15.0/24 client, or into the 192.168.1.0/24 client.

Any ideas?
0
wilsjCommented:
Where are you pinging from? The DMZ or an outside line?

try this command

icmp permit any any

Also I believe you would have to create another ACL on the router to allow the 10.10.10.0/24 network.

access-list 131 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
0
hypknightAuthor Commented:
Pinging from an outside source, connected via Cisco VPN Client to the ASA.

Ping from the Software client to 192.168.15.x  - no reply
Ping from the Software client to 192.168.1.x - no reply

Ping from computer attached via wire to the ASA

Ping to 192.168.1.x - reply
Ping to 10.10.10.x - reply

I'm not as concerned with the getting into the 192.168.1.x network as there will need to be routes inserted to do so, however, the not being able to ping into the 192.168.15.x network from the software client troubles me a bit.
0
wilsjCommented:
also Remove these ACL

no access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
no access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
0
hypknightAuthor Commented:
If I do an 'ipconfig' and look at the ip address information I receive via Cisco VPN Client, I don't get a gateway. Could this cause a problem?
0
wilsjCommented:
No, you don't need a gateway. The only problem you would have on the client side is if the network of the host is the same as the network that it is connecting to. For example, if the ASA is on the 192.168.15.0/24 network then the host trying to connect would have to have a different network, i.e. 192.168.100.0/24
0
hypknightAuthor Commented:
Alright, that's what I thought -- figured I would ask...

Here's the config as it stands:

ASA Version 7.2(4)
!
hostname Rose-ASA
domain-name domain.com
enable password dNfKG7AX49Kx69an encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
!
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto ipsec transform-set remoteUserTransformSet esp-3des esp-md5-hmac
!
crypto dynamic-map outsideDynamicMap 20 set transform-set primaryTransformSet remoteUserTransformSet
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap 65535 ipsec-isakmp dynamic outsideDynamicMap
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 7200
crypto isakmp policy 31
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy remoteusers internal
group-policy remoteusers attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteusers_splitTunnelAcl
!
username testVPNuser password 2ydLgHrVzyJixLyT encrypted
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
 pre-shared-key *
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
 address-pool remoteUserIPpool
 default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

Same symptoms... you'll notice that we 'inspect icmp' which ensures all ICMP traffic passes but is logged.
0
wilsjCommented:
try this

icmp permit any inside  (test the pings after this command and if it still doesn't work take out the inspection for ICMP).

policy-map global_policy
class inspection_default
no inspect icmp

0
hypknightAuthor Commented:
tried that as well (including removing the inspection), still no go... I also tried to reach a file share via:
\\<IP in the 192.168.15.x network>

that didn't work either, which rules out (I think) a problem with ICMP
0
wilsjCommented:
The host that you are trying access the network from does it have a router in front of it? If so what is the Lan IP range?
0
hypknightAuthor Commented:
Just checked, and I CANNOT ping from the device connected by wire to the ASA to the software-connected client.
0
wilsjCommented:
oh just noticed you didn't have this in the config try

isakmp nat-traversal 20
0
hypknightAuthor Commented:
the computer that i'm connecting from is connected to the switch that is also feeding the (outside) connection of the ASA....


so...

                                         (switch)
                                           /        \
                      ASA (outside)      (host I'm connecting via software from)
                              /                               (10.10.10.1)
         (host I'm connecting to)
             (192.168.15.144)
0
hypknightAuthor Commented:
Added "isakmp nat-traversal 20" but still no go pinging from 10.10.10.1 to 192.168.15.144 or vice versa
0
wilsjCommented:
Have you been connected this whole time? If so disconnect and reconnect because if you make changes while you are connected you will not see them until you reconnect.
0
hypknightAuthor Commented:
Still no go. Disconnected and reconnected the software client.
0
wilsjCommented:
Ok, can you post your config again please.
0
hypknightAuthor Commented:
Sure,


ASA Version 7.2(4)
!
hostname hostname
domain-name domain.com
enable password dNfKG7AX49Kx69an encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
!
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
!
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
!
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto ipsec transform-set remoteUserTransformSet esp-3des esp-md5-hmac
!
crypto dynamic-map outsideDynamicMap 20 set transform-set primaryTransformSet remoteUserTransformSet
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap 65535 ipsec-isakmp dynamic outsideDynamicMap
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 7200
crypto isakmp policy 31
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
group-policy remoteusers internal
group-policy remoteusers attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteusers_splitTunnelAcl
!              
username testVPNuser password 2ydLgHrVzyJixLyT encrypted
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
 pre-shared-key *
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
 address-pool remoteUserIPpool
 default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
0
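The config above is internally consistent for the site-to-site tunnel but not for the remote-access one, and that is the kind of thing a practitioner would check mechanically. On a 7.x ASA the pair `nat (inside) 1 0.0.0.0 0.0.0.0` / `global (outside) 1 interface` PATs every inside-sourced flow that the `nat (inside) 0 access-list` exemption does not match, including flows to the remote-access pool, and a PATed packet no longer matches the tunnel's proxy identities, so it is sent in the clear toward the default route instead of into the tunnel. The following added example (not code from the thread) reads the relevant lines of the posted config, derives the flows the box is supposed to encrypt (the crypto map's ACL plus each split-tunnel network toward the `ip local pool` block) and reports which of them the `no-nat` ACL does not cover, printing the exemption line that would close the gap. The interpretation of the split-tunnel ACL (its source field is the protected inside network; the pool prefix is taken from `ip local pool`, not from the ACL's destination) is this example's assumption.

```python
"""Added example, not from the thread: check that every flow the ASA should
encrypt is also exempt from NAT. Config text is trimmed from the posted config."""
import ipaddress
import re

IPv4Network = ipaddress.IPv4Network

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
EXEMPT_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^split-tunnel-network-list value (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def _net(addr: str, mask: str) -> IPv4Network:
    # ipaddress accepts dotted netmasks, so ACL entries convert directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _covering_prefix(first: str, last: str) -> IPv4Network:
    """Smallest CIDR block containing both ends of an address pool."""
    net = ipaddress.ip_network(f"{first}/32")
    last_ip = ipaddress.ip_address(last)
    while last_ip not in net:
        net = net.supernet()
    return net


def parse(config: str):
    acls, pools, exempt, split, crypto = {}, {}, [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := POOL_RE.match(line):
            pools[m[1]] = _covering_prefix(m[2], m[3])
        elif m := EXEMPT_RE.match(line):
            exempt.append(m[1])
        elif m := SPLIT_RE.match(line):
            split.append(m[1])
        elif m := CRYPTO_RE.match(line):
            crypto.append(m[1])
    return acls, pools, exempt, split, crypto


def required_flows(config: str) -> set:
    """Inside-sourced (src, dst) pairs the ASA is expected to encrypt."""
    acls, pools, _, split, crypto = parse(config)
    flows = set()
    for name in crypto:                       # site-to-site: the crypto ACL as written
        flows.update(acls.get(name, []))
    for name in split:                        # remote access: inside net -> address pool
        for inside_net, _ in acls.get(name, []):
            for pool_net in pools.values():
                flows.add((inside_net, pool_net))
    return flows


def missing_exemptions(config: str) -> list:
    """Required flows that no entry of the NAT-exemption ACL(s) covers."""
    acls, _, exempt, _, _ = parse(config)
    covered = [e for name in exempt for e in acls.get(name, [])]
    missing = [(s, d) for s, d in required_flows(config)
               if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in covered)]
    return sorted(missing, key=str)


def fix_lines(config: str, acl_name: str = "no-nat") -> list:
    """ACL lines that would close each gap, in the ASA's own syntax."""
    return [f"access-list {acl_name} extended permit ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
            for s, d in missing_exemptions(config)]


# Lines copied from the config posted above (everything this check reads).
ASA_CONFIG = """\
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map primaryCryptoMap 21 match address ipsec
group-policy remoteusers attributes
 split-tunnel-network-list value remoteusers_splitTunnelAcl
"""

if __name__ == "__main__":
    for src, dst in missing_exemptions(ASA_CONFIG):
        print(f"not exempt from NAT: {src} -> {dst}")
    for line in fix_lines(ASA_CONFIG):
        print("add:", line)
```

Run against the posted config, the only uncovered flow is 192.168.15.0/24 to the 10.10.10.0/24 pool, which matches the symptom in the thread (the site-to-site subnets work, the VPN client cannot reach inside hosts in either direction). Two related facts worth knowing while chasing this on 7.x: `sysopt connection permit-vpn` is on by default and is hidden from `show running-config`, so an empty `show run sysopt` is expected and `show running-config all sysopt` is the command that displays it; and the ASA applies NAT before the crypto-map check, which is why a missing exemption shows up as silently dropped traffic rather than as an IKE error.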
wilsjCommented:
also can you post the info for the VPN client.
0
hypknightAuthor Commented:
Did you mean the debug information for the VPN client? If so, I turned up the verbosity on a few of the parameters so I would actually get output... here's what came through:

16     17:14:33.453  11/10/08  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 192.168.0.248.

17     17:14:33.468  11/10/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.0.248

18     17:14:33.468  11/10/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248

19     17:14:33.468  11/10/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 192.168.0.248

20     17:14:33.468  11/10/08  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

21     17:14:33.468  11/10/08  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

22     17:14:33.468  11/10/08  Sev=Info/5      IKE/0x63000001
Peer supports DPD

23     17:14:33.468  11/10/08  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

24     17:14:33.468  11/10/08  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

25     17:14:33.484  11/10/08  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

26     17:14:33.484  11/10/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 192.168.0.248

27     17:14:33.484  11/10/08  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x0766, Remote Port = 0x01F4

28     17:14:33.484  11/10/08  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

29     17:14:33.484  11/10/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248

30     17:14:33.484  11/10/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.0.248

31     17:14:33.937  11/10/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

32     17:14:33.937  11/10/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

33     17:14:36.890  11/10/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.0.248

34     17:14:36.890  11/10/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248

35     17:14:36.890  11/10/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.0.248

36     17:14:36.890  11/10/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.0.248

37     17:14:36.921  11/10/08  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

38     17:14:36.921  11/10/08  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

39     17:14:36.921  11/10/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.0.248

40     17:14:36.953  11/10/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248

41     17:14:36.953  11/10/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.0.248

42     17:14:36.953  11/10/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.10.10.1

43     17:14:36.953  11/10/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

44     17:14:36.953  11/10/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

45     17:14:36.953  11/10/08  Sev=Info/5      IKE/0x6300000F
SPLIT_NET #1
      subnet = 192.168.15.0
      mask = 255.255.255.0
      protocol = 0
      src port = 0
      dest port=0

46     17:14:36.953  11/10/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

47     17:14:36.953  11/10/08  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 7.2(4) built by builders on Sun 06-Apr-08 13:39

48     17:14:36.953  11/10/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

49     17:14:36.953  11/10/08  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 10.10.10.1, GW IP = 192.168.0.248, Remote IP = 0.0.0.0

50     17:14:36.953  11/10/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.168.0.248

51     17:14:36.968  11/10/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248

52     17:14:36.968  11/10/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 192.168.0.248

53     17:14:36.968  11/10/08  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

54     17:14:36.968  11/10/08  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now

55     17:14:36.968  11/10/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248

56     17:14:36.968  11/10/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 192.168.0.248

57     17:14:36.968  11/10/08  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds

58     17:14:36.968  11/10/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 192.168.0.248

59     17:14:36.968  11/10/08  Sev=Info/5      IKE/0x63000059
Loading IPsec SA (MsgID=E878B160 OUTBOUND SPI = 0x68242E09 INBOUND SPI = 0xAFD274D3)

60     17:14:36.968  11/10/08  Sev=Info/5      IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x68242E09

61     17:14:36.968  11/10/08  Sev=Info/5      IKE/0x63000026
Loaded INBOUND ESP SPI: 0xAFD274D3

62     17:14:37.593  11/10/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

63     17:14:37.593  11/10/08  Sev=Info/4      IPSEC/0x63700010
Created a new key structure

64     17:14:37.593  11/10/08  Sev=Info/4      IPSEC/0x6370000F
Added key with SPI=0x092e2468 into key list

65     17:14:37.593  11/10/08  Sev=Info/4      IPSEC/0x63700010
Created a new key structure

66     17:14:37.593  11/10/08  Sev=Info/4      IPSEC/0x6370000F
Added key with SPI=0xd374d2af into key list

67     17:14:37.593  11/10/08  Sev=Info/4      IPSEC/0x6370002F
Assigned VA private interface addr 10.10.10.1

68     17:14:37.593  11/10/08  Sev=Info/4      IPSEC/0x63700037
Configure public interface: 192.168.0.191. SG: 192.168.0.248
0
wilsjCommented:
I actually meant the IP sec information on the transport tab. If you click on modify for your connection then go to the transport tab what settings are checked?
0
hypknightAuthor Commented:
"Enable Transport Tuning"
IPSec over UDP (NAT/PAT)
0
wilsjCommented:
do a sh run sysopt for me and paste output here.
0
hypknightAuthor Commented:
There is no output from that command for me.
0
wilsjCommented:
ok, enter this command in; it might be different for 7.2 so if the first one doesn't work try the 2nd

sysopt connection permit-ipsec
or
sysopt connection permit-vpn
0
hypknightAuthor Commented:
applied the first command... still no output when running sh run sysopt

still cant ping
0
wilsjCommented:
ok enter in the 2nd one. I believe that is the correct one for version 7.2
0
hypknightAuthor Commented:
sorry... meant to say I tried both... both provide the same outcome
0
wilsjCommented:
wow, We must be missing something because this is really not that hard lol. I found this entry below this is another new command with version 7.2

crypto dynamic-map outsideDynamicMap 20 set reverse-route
0
hypknightAuthor Commented:
Hey There,

   Tried that as well... still no joy. I think I'm going to worry about it when it goes into production. It could be my test environment or something. Thank you so much for all of your help, you've more than surpassed any expectation I had.

500 points, more than deserved!
0
hypknightAuthor Commented:
Thanks again!
0
wilsjCommented:
Good luck thanks for the points.
0