Solved

Cisco 5505 remote access VPN issue

Posted on 2009-02-12
3
Medium Priority
861 Views
Last Modified: 2012-05-06
Hi guys, here is my problem: I set up this 5505 at home and want to be able to VPN to my home network from work, but I get "Secure VPN connection terminated locally by the client, reason 412, the remote peer is no longer responding".
However, when I try to use my iPhone, I can VPN in but cannot ping any of my internal PCs on the home network. Below is the config:


TEST-ASA# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname TEST-ASA
domain-name RCOM.COM
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server *.*.*.*
 domain-name Home.COM
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0
access-list RA_VPN_SplitTunnel_ACL standard permit 192.168.0.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 192.168.0.0 255.255.255.0 172.30.30.0 255.255.255.0
pager lines 24
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 69.115.96.1 1
route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN_MAP 1 set security-association lifetime kilobytes 4608000
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.100 255.255.255.255 inside
telnet timeout 30
ssh 192.168.0.100 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns x.x.x.x x.x.x.x.x
!
dhcpd address 192.168.0.100-192.168.0.131 inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
 split-dns value Home.COM
username iPhone password M7GRAtivQEqe87mS encrypted
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e9cd94fa51506762611857237b806f2b
: end

Question by:ssdd2009
3 Comments
 
LVL 8

Expert Comment

by:Nothing_Changed
ID: 23634048
Your problem from work is most likely that their firewall will not allow protocol 50 (ESP) through the firewall, making your VPN client connection break.

Check the log for entries related to the failed iPhone pings, and please paste them in.

0
 
LVL 79

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 23640662
>route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled
Remove this line.

>crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
You should also be able to remove this line.

I also don't see nat-traversal enabled. Add the following:

 crypto isakmp nat-traversal 25

If none of that works, enable TCP for the VPN. If you are using the ASDM GUI, it's a checkbox.
You could also remove the line to enable UDP 10000 and let it use the default 4500. I don't think the iPhone has a place to change that in the setup.
0
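The changes lrmoore lists above (drop the tunneled default route, drop the dynamic-map match address, add NAT-T, stop using IPsec-over-UDP on port 10000) and the ESP/protocol 50 point from the first comment are all things you can check for mechanically before touching the box. The script below is an added example, not code from the thread, from Cisco or from Experts Exchange: it audits a `show run` text for those items, emits findings with line numbers, and produces a remediated copy. It goes one step beyond the thread by also flagging management access (ssh/http/telnet) opened to `0.0.0.0 0.0.0.0 outside`, which the posted config does contain; that finding is reported but deliberately not auto-fixed. The config excerpt is a constructed, trimmed copy of the poster's output; the finding codes and function names are my own.

```python
"""Audit a Cisco ASA 8.0 running-config excerpt for the remote-access VPN
settings discussed in this thread and produce a remediated copy.
Added example; not code from the original post, from Cisco or from the site."""
import re

# Constructed excerpt of the 'sh run' output posted in the question (trimmed).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 69.115.96.1 1
route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto map RA_VPN interface outside
crypto isakmp enable outside
ssh 0.0.0.0 0.0.0.0 outside
group-policy RA_VPN_Policy attributes
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
"""

# Line shapes we care about (hypothetical helper patterns, not Cisco-supplied).
TUNNELED_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) tunneled$")
DYNMAP_MATCH_RE = re.compile(r"^crypto dynamic-map (\S+) \d+ match address (\S+)$")
MGMT_ANY_OUTSIDE_RE = re.compile(r"^(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside$")


def audit_asa_config(text):
    """Return a list of (code, line_number, message); line 0 means 'whole config'."""
    lines = text.splitlines()
    findings = []
    # NAT-T lets ESP be carried in UDP/4500 when a firewall on the client side
    # drops IP protocol 50, which is the failure the first comment describes.
    if not any(l.startswith("crypto isakmp nat-traversal") for l in lines):
        findings.append(("NAT_T_MISSING", 0,
                         "no 'crypto isakmp nat-traversal' line; add "
                         "'crypto isakmp nat-traversal 25'"))
    for n, line in enumerate(lines, 1):
        m = TUNNELED_RE.match(line)
        if m and m.group(1) == "inside":
            findings.append(("TUNNELED_DEFAULT_ROUTE", n,
                             "tunneled default route on inside via %s; remove it" % m.group(2)))
        m = DYNMAP_MATCH_RE.match(line)
        if m:
            findings.append(("DYNMAP_MATCH_ADDRESS", n,
                             "dynamic-map %s matches address %s; not needed for a "
                             "remote-access dynamic map" % (m.group(1), m.group(2))))
        if line.strip() == "ipsec-udp enable":
            findings.append(("IPSEC_UDP_ENABLED", n,
                             "IPsec-over-UDP (port 10000) enabled; rely on NAT-T "
                             "UDP/4500 instead"))
        if MGMT_ANY_OUTSIDE_RE.match(line):
            findings.append(("MGMT_OPEN_OUTSIDE", n,
                             "management access allowed from any address on outside; "
                             "restrict to known sources"))
    return findings


def remediate(text):
    """Apply the thread's suggested changes. Management exposure is left for a
    human to decide, so MGMT_OPEN_OUTSIDE still shows up after remediation."""
    out = []
    for line in text.splitlines():
        m = TUNNELED_RE.match(line)
        if m and m.group(1) == "inside":
            continue                      # drop the tunneled default route
        if DYNMAP_MATCH_RE.match(line):
            continue                      # drop 'match address' on the dynamic map
        stripped = line.strip()
        if stripped == "ipsec-udp enable" or stripped.startswith("ipsec-udp-port"):
            continue                      # drop IPsec-over-UDP/10000, use NAT-T
        out.append(line)
        if line == "crypto isakmp enable outside":
            out.append("crypto isakmp nat-traversal 25")   # enable NAT-T
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for code, n, msg in audit_asa_config(SAMPLE_CONFIG):
        print("line %3d  %-24s %s" % (n, code, msg))
    print("--- remediated ---")
    print(remediate(SAMPLE_CONFIG))
```

Run it against a full `show run` saved to a file by replacing `SAMPLE_CONFIG` with the file's contents; the remediated text is a diff aid, not something to paste back blindly, since the `route ... tunneled` removal and the NAT-T change both alter how VPN client traffic is routed and should be applied from the console, not over the VPN itself.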
 
LVL 8

Expert Comment

by:Nothing_Changed
ID: 23641473
Hey, thanks for jumping in, lrmoore; nothing I like better than more chefs. I'll remove this question; you take it from here.
0
