CityofKerrville asked:
VPN tunnel through ASA 5510

Hello EE,

I am trying to set up a VPN connection with our local school district and am running into a brick wall.  They provided us with the VPN client they use to connect to their Cisco device and credentials.  At this time I do not know what that device is.  The workstation I am using to connect is behind our Cisco ASA 5510.  I cannot connect.  Is there something in our firewall that needs to be done to allow this connection (i.e. NAT rules, access rules)?  Can someone offer some assistance or advice?  See my attachments.

Thanks,

COK
KISD-VPN.jpg
kisdvpn.JPG
Pete Long:
VPN Ports through Firewalls
*****For IPSec VPNs*****
UDP 500 ISAKMP
UDP 4500 Nat-Traversal*
TCP 10000 (Cisco VPN clients can use this port if it's been set on the client)
Protocol 50 (ESP)


Note 2: To allow the Cisco client through a PIX/ASA version 7 or above, add the following:

policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
Are you allowing the GRE protocol across the ASA 5510?

Using the Microsoft VPN client through Cisco ASA/PIX
http://www.petenetlive.com/TecBin/KB/0000009.htm
Avatar of CityofKerrville

ASKER

"Using the Microsoft VPN client through Cisco ASA/PIX"
I am using a Cisco Client not a Microsoft Client
Which Cisco VPN client version are you currently using?

Cisco VPN Client: Reason 412 - The remote peer is no longer responding
http://www.lamnk.com/blog/vpn/cisco-vpn-client-reason-412-the-remote-peer-is-no-longer-responding/
ProductName=Cisco Systems VPN Client 3.6.3 (B)

Suggested fixes from the link you provided
added exception rules for port 500, port 4500 and the ESP
Turned on NAT-T/TCP in your profile
Edited your profile and changed ForceKeepAlive=0 to 1

Still cannot connect.

firewall-rules.JPG
client.JPG
profile.JPG
The Cisco Systems VPN Client 3.6.3 dates back to 2003. The latest Cisco VPN Client is up to version 5.x now, or you might consider the Cisco AnyConnect VPN Client v2.x as an alternative.

Cisco VPN Client
http://www.cisco.com/en/US/products/sw/secursw/ps2308/

Being that it is not my equipment that we are attempting to access through VPN, I am at the mercy of whatever they give me on the client side.  We use AnyConnect for our VPN connection here, but I am pretty sure the security device has to be configured for AnyConnect.  Would a newer client other than AnyConnect make that much of a difference?  Does it look like the issue is on their end and not mine?  Thanks.
Some older Cisco VPN devices don't support the TCP encapsulation. You could test this by trying to telnet to it on port 10000.  Do you get a connection?
If not, then skip trying that.  (Of course they could have set it to a nondefault port, but I'd expect they'd have told you or preconfigured the client then.)

Next thing, enable logging in the client.  And change log setting - initially you're interested in IKE (ISAKMP), set that to high (lvl 3), and all others to 0.
Open log window, clear it, and then try your connection.  Might give you an idea of what goes wrong.. (or maybe us if you post it :)
> Cisco Systems VPN Client 3.6.3
> Would a newer client other than AnyConnect make that much of a difference
Absolutely. The VPN client release is for the client, not the server end. If you have Vista, then you cannot use this old 3.6.3 client. You can easily upgrade your client to 4.9 or even higher on your end, regardless of the vpn server device at the other end.
You are correct that AnyConnect is a totally different animal and requires configuration (and licenses) on their end.
Tried a newer client, version 5.something, and had the same results.  I cannot get my contact at the remote site on the phone.  Given what I have shown already, what is the probability that the problem is on his end?
Hard to say..  Try to enable logging in the client, change log settings so IKE & IPSEC are high, and then open log window.
Clear it, and try to connect.  What do you get?

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
1      13:47:33.715  04/06/09  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 98.x.x.x.
2      13:47:33.725  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 98.x.x.x
3      13:47:33.795  04/06/09  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
4      13:47:33.795  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
5      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
6      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
7      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
8      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
9      13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10     13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
11     13:47:53.865  04/06/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
12     13:47:54.367  04/06/09  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
13     13:47:54.417  04/06/09  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
14     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
15     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
16     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
17     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Well, the client is trying hard to contact but gets no replies.

It's of course guesswork, but I'd say chances are biggest that it doesn't reach the destination or is denied at the destination.
If your machine otherwise has basic Internet access, and you don't have some device behind the ASA that could block IKE, then I'd say chances are pretty good the problem is on the other end.
There is a Cisco ISR 2821 between the Workstation and the ASA but I have not set up any blocking on it.  Would something like that be enabled by default?
No, that is not likely.  And according to the dump above, you got hitcount on the ASA so the traffic did reach the ASA.
I was concerned about a device between the ASA and the Internet.
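The question being argued in the last few posts (did the IKE packet actually leave the ASA, and did anything ever come back from the peer) can be settled on the ASA itself rather than by guesswork or a phone call. The following is an added example, not commands from the original thread or from Cisco's reply; the addresses are assumptions (192.168.1.50 for the inside workstation, 203.0.113.10 for its mapped public address, 198.51.100.1 standing in for the 98.x.x.x peer in the client log) and the capture names are arbitrary.

```cisco
! Added example, not from the original thread. Assumed addresses:
!   192.168.1.50  = inside workstation running the Cisco VPN Client
!   203.0.113.10  = public address the workstation is translated to
!   198.51.100.1  = remote VPN peer (98.x.x.x in the client log)

! 1. Simulate the client's first IKE packet through the ASA's ACLs, NAT
!    and inspection policy. The output ends with "Action: allow" or
!    "Action: drop" plus the phase (ACL, NAT, ...) that dropped it.
packet-tracer input inside udp 192.168.1.50 500 198.51.100.1 500

! 2. Capture the real attempt on both sides of the box, then have the
!    client connect. The outside capture sees post-NAT addresses.
capture ike-in  interface inside  match udp host 192.168.1.50 host 198.51.100.1
capture ike-out interface outside match udp host 203.0.113.10 host 198.51.100.1
show capture ike-in
show capture ike-out

! 3. Which translation the workstation is actually using right now.
show xlate | include 192.168.1.50

! 4. Remove the captures when done.
no capture ike-in
no capture ike-out
```

Reading the result: if ike-in shows the UDP/500 packet arriving and ike-out shows it leaving toward 198.51.100.1 but no packet from 198.51.100.1 ever appears in ike-out, the ASA has forwarded the traffic and the loss is upstream or at the peer. If ike-out is empty while ike-in is not, packet-tracer's drop phase names the rule responsible. With PAT instead of a one-to-one static, replace 203.0.113.10 in the outside capture with the ASA's outside interface address and expect the source port to differ from 500.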
Called Cisco for verification and got the answer I expected.  It is NOT my firewall blocking the traffic.
Update

I took my laptop over to the remote site and used their test connection to access the VPN and it worked, but it still will not work behind my firewall.  After talking with Cisco, I feel confident that my firewall is not blocking the traffic, and I read somewhere that the remote site needs to have NAT-T enabled?  Anyone know anything about this?
NAT-T allows IPSEC to work through NAT/PAT - but you never even get a reply to your first IKE packet..  Yes, it'll need NAT-T, but it might already have that.  Your problems begin before that.
ASKER CERTIFIED SOLUTION by CityofKerrville (solution text not available on this page)

I wonder.. what is it that you found in that document, which PeteLong didn't have in his first post?
The rules added per his post were partially the solution but did not fix the problem.  The ultimate fix was a static NAT from the client machine inside my ASA to a public IP address.  Two unbearable hours on the phone with Cisco fixed the problem.
Even though the question was closed, I still recommend in the future that you also assign points to those that offered partial solutions for questions.
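Putting the thread's pieces together as one ASA configuration: the IKE, NAT-T and ESP permits from Pete Long's port list, the ipsec-pass-thru inspection from his note, and the one-to-one static NAT that the asker reports was the final fix. This is an added example, not configuration from the original posts or from Cisco support; the addresses (inside workstation 192.168.1.50, spare public address 203.0.113.10, remote peer 198.51.100.1) and the ACL name inside_access_in are assumptions, and the NAT syntax is the pre-8.3 form that matches the 2009-era ASA software in the thread. Why the static worked where PAT did not is not established anywhere in the thread; the page records only that it did.

```cisco
! Added example, not from the original thread. Assumed addresses:
!   192.168.1.50  = workstation running the Cisco VPN Client (inside)
!   203.0.113.10  = spare public address on the outside subnet
!   198.51.100.1  = school district's VPN peer (98.x.x.x in the log)

! 1. Outbound permits (UDP/500 ISAKMP, UDP/4500 NAT-T, IP protocol 50 ESP).
!    Only needed if an ACL is applied inbound on the inside interface;
!    by default the ASA allows inside -> outside without one.
access-list inside_access_in extended permit udp host 192.168.1.50 host 198.51.100.1 eq isakmp
access-list inside_access_in extended permit udp host 192.168.1.50 host 198.51.100.1 eq 4500
access-list inside_access_in extended permit esp host 192.168.1.50 host 198.51.100.1
access-group inside_access_in in interface inside

! 2. Let ESP return to the client that opened the UDP/500 IKE session.
!    ESP has no ports, so without this inspection the peer's ESP replies
!    have no connection entry to match and are dropped on the outside.
!    (NAT-T traffic on UDP/4500 is ordinary UDP and needs no inspection.)
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
service-policy global_policy global

! 3. One-to-one static NAT for the client (ASA 8.2 and earlier syntax),
!    so it no longer shares the outside interface address via PAT.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255

! The same static NAT on ASA 8.3 and later:
! object network vpn-client-pc
!  host 192.168.1.50
!  nat (inside,outside) static 203.0.113.10
```

The service-policy line is present in the default configuration and is harmless to re-enter; step 2 only adds the ipsec-pass-thru inspection to the existing inspection_default class. After the static is in place, show xlate | include 192.168.1.50 should list the 203.0.113.10 mapping rather than a PAT entry on the outside interface address.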