CISCO 5505 remote access VPN issue

ssdd2009 asked
Medium Priority
Last Modified: 2012-05-06
Hi guys, here is my problem: I set up this 5505 at home and want to be able to VPN to my home network from work, but I get "Secure VPN connection terminated locally by the client, reason 412, the remote peer is no longer responding".
However, when I try to use my iPhone, I can VPN in but cannot ping any of my internal PCs on my home network. Below is the config:

TEST-ASA# sh run
: Saved
ASA Version 8.0(4)
hostname TEST-ASA
domain-name RCOM.COM
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server *.*.*.*
 domain-name Home.COM
access-list RA_VPN_ACL extended permit ip any
access-list RA_VPN_SplitTunnel_ACL standard permit
access-list NoNAT_ACL extended permit ip
pager lines 24
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1
route outside 1
route inside tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http outside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN_MAP 1 set security-association lifetime kilobytes 4608000
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 30
ssh inside
ssh inside
ssh outside
ssh timeout 5
console timeout 0
dhcpd dns x.x.x.x x.x.x.x.x
dhcpd address inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
 split-dns value Home.COM
username iPhone password M7GRAtivQEqe87mS encrypted
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end


Your problem from work is most likely that their firewall will not allow protocol 50 (ESP) through the firewall, making your VPN client connection break.

Check the log for entries related to the failed iPhone pings, and please paste them in.

Sr. Systems Engineer
Top Expert 2008
>route inside tunneled
Remove this line

>crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
You should also be able to remove this line

I also don't see nat-traversal enabled. Add the following:

 crypto isakmp nat-traversal 25

If none of that works, enable TCP for the VPN. If you are using the ASDM GUI, it's a checkbox.
You could also remove the line to enable UDP 10000 and let it use the default 4500. I don't think the iPhone has a place to change that in the setup.
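
The checks suggested in the answer above, written as a small config audit. This is an added example, not part of the original post and not a Cisco tool; the check names, the function name audit_ra_vpn and the sample addresses are assumptions made for illustration.

```python
import re

# Constructed sample: VPN-relevant lines shaped like the config in the
# question. Addresses are placeholders, not values from the page.
SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 0.0.0.0 0.0.0.0 10.0.0.254 tunneled
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
group-policy RA_VPN_Policy attributes
 ipsec-udp enable
 ipsec-udp-port 10000
"""

# One pattern per suggestion in the answer; the check names are made up here.
LINE_CHECKS = [
    ("tunneled-route", re.compile(r"^route \S+ .*\btunneled$")),
    ("dynamic-map-match-address",
     re.compile(r"^crypto dynamic-map \S+ \d+ match address \S+$")),
    ("ipsec-udp-port", re.compile(r"^ipsec-udp-port \d+$")),  # optional change
]
NAT_T = re.compile(r"^crypto isakmp nat-traversal( \d+)?$")


def audit_ra_vpn(config):
    """Return (check, line_number, text); line 0 carries the command to add."""
    findings, nat_t_seen = [], False
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("no "):
            continue  # a negated command is not an active setting
        nat_t_seen = nat_t_seen or bool(NAT_T.match(line))
        for check, pattern in LINE_CHECKS:
            if pattern.match(line):
                findings.append((check, number, line))
    if not nat_t_seen:
        # The answer's observation: no nat-traversal line in the running config.
        findings.append(("nat-traversal-missing", 0, "crypto isakmp nat-traversal 25"))
    return findings


if __name__ == "__main__":
    for check, number, text in audit_ra_vpn(SAMPLE_CONFIG):
        print(f"{check:28} line {number:>2}: {text}")
```

The patterns also match the sanitized form posted in the question, where the addresses were stripped and the line reads only "route inside tunneled".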

Hey, thanks for jumping in, lrmoore; nothing I like better than more chefs. I'll remove this question; you take it from here.