Solved

ASA VPN client setup in Asa Config

Posted on 2009-04-27
1,290 Views
Last Modified: 2012-05-06
I cannot connect remotely with the Cisco VPN client, using local user DB. Please help with the config.
ASA Version 7.2(3)
!
hostname Acme-ASA
domain-name AcmeArms.com
enable password eQWIsP.AIf4tBrGw encrypted
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 21.35.199.110 255.255.255.224
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.80.100.1 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
 shutdown
!
passwd eQWIsP.AIf4tBrGw encrypted
banner exec This is a private system operated for Acme Arms Inc. company business.
banner exec Authorization from Acme Arms management is required to use this system.
banner exec Use by unauthorized persons is prohibited. All transactions and IP addresses are logged.
banner login Welcome to Acme-asa.AcmeArms.com the Acme Arms Inc. Adaptive Security Appliance
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.80.100.85
 name-server 10.80.100.87
 domain-name AcmeArms.com
object-group service REFLECTION_WEB tcp
 description Reflection_Web_Access
 port-object range 3001 3001
 port-object range 8080 8080
 port-object range 8443 8443
 port-object eq www
 port-object eq https
access-list inside_nat0_outbound extended permit ip 10.80.100.0 255.255.255.0 172.16.0.0 255.255.255.224
access-list incoming extended permit icmp any any echo-reply
access-list incoming extended permit icmp any any time-exceeded
access-list incoming extended permit icmp any any unreachable
access-list incoming extended permit icmp any any source-quench
access-list incoming extended permit tcp any host 21.35.199.99 eq 8080
access-list incoming extended permit tcp any host 21.35.199.99 eq https
access-list incoming extended permit tcp any host 21.35.199.99 eq 8443
access-list incoming extended permit tcp any host 21.35.199.99 eq 3389
access-list incoming extended permit tcp any host 21.35.199.99 eq 3001
access-list incoming extended permit tcp any host 21.35.199.99 eq 3000
access-list incoming extended permit tcp any host 21.35.199.99 eq www
access-list incoming extended permit tcp any host 21.35.199.100 eq 3389
access-list incoming extended permit tcp any host 21.35.199.100 eq smtp
access-list incoming extended permit tcp any host 21.35.199.100 eq ldap
access-list incoming extended permit tcp any host 21.35.199.100 eq 587
access-list incoming extended permit tcp any host 21.35.199.100 eq 465
access-list incoming extended permit tcp any host 21.35.199.100 eq https
access-list incoming extended permit tcp any host 21.35.199.100 eq www
access-list incoming extended permit udp any host 21.35.199.100 eq 4069
access-list incoming extended permit tcp any host 21.35.199.100 eq 366
access-list incoming extended permit tcp any host 21.35.199.100 eq 993
access-list incoming extended permit tcp any host 21.35.199.100 eq pop3
access-list incoming extended permit tcp any host 21.35.199.100 eq 1000
access-list incoming extended permit tcp any host 21.35.199.100 eq imap4
access-list incoming extended permit tcp any host 21.35.199.100 eq 995
access-list incoming extended permit tcp any host 21.35.199.101 eq ftp-data
access-list incoming extended permit tcp any host 21.35.199.101 eq ftp
access-list incoming extended permit tcp any host 21.35.199.101 eq www
access-list incoming extended permit tcp any host 21.35.199.101 eq 3389
access-list incoming extended permit tcp any host 21.35.199.101 eq https
access-list incoming extended permit tcp any host 21.35.199.102 eq 2564
access-list incoming extended permit tcp any host 21.35.199.102 eq 1570
access-list incoming extended permit tcp any host 21.35.199.104 eq ssh
access-list incoming extended permit tcp any host 21.35.199.104 eq 5222
access-list incoming extended permit udp any host 21.35.199.104 eq sip
access-list incoming extended permit tcp any host 21.35.199.104 eq 4569
access-list incoming extended permit icmp any host 21.35.199.104
access-list incoming extended permit udp any host 21.35.199.104 eq ntp
access-list incoming extended permit tcp any host 21.35.199.104 eq 6600
access-list incoming extended permit udp any host 21.35.199.104 range 9710 20000
access-list incoming extended permit tcp any host 21.35.199.108
access-list incoming extended permit tcp any host 21.35.199.109
access-list Remote_splitTunnelAcl standard permit 10.80.100.0 255.255.255.0
access-list TEST_splitTunnelAcl standard permit 10.80.100.0 255.255.255.0
access-list bfvpn_splitTunnelAcl standard permit 10.80.100.0 255.255.255.0
access-list incomming extended permit tcp any host 21.35.199.113 eq ssh
pager lines 24
logging enable
logging list All-Alerts level errors
logging asdm informational
logging from-address Acme-asa@AcmeArms.com
logging recipient-address danderson@AcmeArms.com level errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool VPN 172.16.0.1-172.16.0.31 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 21.35.199.101 10.80.100.85 netmask 255.255.255.255
static (inside,outside) 21.35.199.102 10.80.100.10 netmask 255.255.255.255
static (inside,outside) 21.35.199.104 10.80.100.15 netmask 255.255.255.255
static (inside,outside) 21.35.199.108 10.80.100.98 netmask 255.255.255.255
static (inside,outside) 21.35.199.109 10.80.100.97 netmask 255.255.255.255
static (inside,outside) 21.35.199.100 10.80.100.87 netmask 255.255.255.255
static (inside,outside) 21.35.199.99 10.80.100.88 netmask 255.255.255.255
static (inside,outside) 21.35.199.113 10.80.100.7 netmask 255.255.255.255
access-group incoming in interface outside
route outside 0.0.0.0 0.0.0.0 21.35.199.97 1
route inside 10.242.5.0 255.255.255.0 10.80.100.2 1
route inside 10.242.35.0 255.255.255.0 10.80.100.2 1
route inside 192.168.1.0 255.255.255.0 10.80.100.2 1
route inside 192.168.170.0 255.255.255.0 10.80.100.2 1
route inside 10.80.111.0 255.255.255.0 10.80.100.2 1
route inside 192.168.0.0 255.255.255.0 10.80.100.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 77.197.60.0 255.255.255.0 outside
http 66.60.143.96 255.255.255.224 outside
http 10.80.100.0 255.255.255.0 inside
http 76.178.204.0 255.255.248.0 outside
http 76.74.77.0 255.255.255.0 outside
snmp-server host outside 76.177.75.131 community Acme_public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Prompt
auth-prompt accept Welcome!
auth-prompt reject User Rejected...
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 80 set pfs
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 66.6x.x3.96 255.255.255.224 outside
ssh 76.1x7.6.0 255.255.248.0 outside
ssh 76.1x5.x0.0 255.255.255.0 outside
ssh 10.80.100.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
ntp server 204.152.184.72 source outside prefer
group-policy bfvpn internal
group-policy bfvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value bfvpn_splitTunnelAcl
username ray password Ph4u9D6DWcbZsJiS encrypted
username danderson password K8TCH248BnwPW3FI encrypted
username gAcme3 password uaQ0g1MOixaRyTwN encrypted
tunnel-group bfvpn type ipsec-ra
tunnel-group bfvpn general-attributes
 address-pool VPN
 default-group-policy bfvpn
tunnel-group bfvpn ipsec-attributes
 pre-shared-key *
smtp-server 10.100.80.88 21.35.199.100
prompt hostname context
Cryptochecksum:163ab8855f92f951c7541a4b83171a0a
: end

Question by:gbosko
1 Comment

Accepted Solution

by:
bignewf earned 2000 total points
ID: 24247564
If you cannot connect with the VPN client at all, first check that the shared secret for the tunnel group in the VPN client matches the one in the ASA. Also check the tunnel-group name for typos.

I am sure you did the above.
Next, add this:
Acme-ASA(config)# crypto isakmp nat-traversal 20
On the client, enable Transparent Tunneling and select the IPSec over UDP (NAT/PAT) radio button.

Also add:

Acme-ASA(config)# crypto isakmp ipsec-over-tcp port 10000

On the client, do the same under Transparent Tunneling.
Add:

asa(config)# group-policy DfltGrpPolicy attributes
asa(config-group-policy)# ipsec-udp enable
asa(config-group-policy)# ipsec-udp-port 10000

Also add this:

asa(config)# sysopt connection permit-vpn

If you still can't connect, enable debugging and capture the output when the client tries to connect; post the output in your next comment and we will go from there.
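To make the prerequisites concrete, here is an added example (not code from the question, the answer, or Cisco) that audits a `show running-config` paste for what an IPsec remote-access tunnel on ASA 7.x needs and prints the config-mode lines to add. It checks the four pieces a Cisco VPN Client connection needs on the appliance side (ISAKMP enabled on the outside interface, a transform set bound to the dynamic map, the crypto map applied to the interface, and a `nat 0` exemption so pool traffic is not PATed), adds the NAT-T, IPsec-over-TCP and sysopt lines from the answer above, and flags any access-list that is defined but never applied, which is how a typo in an ACL name shows up. The embedded config is a trimmed excerpt of the one posted in the question; the object names come from that paste, and the transform-set name ESP-3DES-SHA is an assumed name. Run against the excerpt, it reports the ISAKMP-enable, crypto-map-to-interface, transform-set and `nat 0` lines as absent and lists inside_nat0_outbound and incomming as unapplied ACLs; whether those lines were trimmed before posting or are genuinely missing is worth confirming on the appliance with `show running-config all` before chasing NAT traversal.

```python
"""Audit an ASA 7.x 'show running-config' paste for what a Cisco VPN Client
(IPsec remote-access) tunnel needs, and emit the config-mode lines to add.

Added example, not code from the original post or from Cisco. POSTED_CONFIG is
a trimmed excerpt of the config in the question; the object names in CHECKS
(outside, outside_map, outside_dyn_map, inside_nat0_outbound, bfvpn) come from
that paste, while the transform-set name ESP-3DES-SHA is an assumed name.
"""
import re

# Constructed excerpt of the posted running-config (most ACL/static lines dropped).
POSTED_CONFIG = """\
ASA Version 7.2(3)
access-list inside_nat0_outbound extended permit ip 10.80.100.0 255.255.255.0 172.16.0.0 255.255.255.224
access-list incoming extended permit tcp any host 21.35.199.99 eq https
access-list bfvpn_splitTunnelAcl standard permit 10.80.100.0 255.255.255.0
access-list incomming extended permit tcp any host 21.35.199.113 eq ssh
ip local pool VPN 172.16.0.1-172.16.0.31 mask 255.255.255.224
access-group incoming in interface outside
crypto dynamic-map outside_dyn_map 20 set pfs
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
group-policy bfvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-network-list value bfvpn_splitTunnelAcl
tunnel-group bfvpn type ipsec-ra
tunnel-group bfvpn general-attributes
 address-pool VPN
tunnel-group bfvpn ipsec-attributes
 pre-shared-key *
"""

# (description, regex one config line must match, lines to add when it does not;
#  a fix starting with '!' is a verification note rather than a command)
CHECKS = [
    ("ISAKMP enabled on the outside interface", r"^crypto isakmp enable outside$",
     ["crypto isakmp enable outside"]),
    ("transform set bound to the dynamic map",
     r"^crypto dynamic-map outside_dyn_map \d+ set transform-set \S+$",
     ["crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac",
      "crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA"]),
    ("crypto map applied to the outside interface",
     r"^crypto map outside_map interface outside$",
     ["crypto map outside_map interface outside"]),
    ("NAT exemption for the VPN pool (nat 0 with inside_nat0_outbound)",
     r"^nat \(inside\) 0 access-list inside_nat0_outbound$",
     ["nat (inside) 0 access-list inside_nat0_outbound"]),
    ("NAT-T for clients behind NAT (accepted answer)",
     r"^crypto isakmp nat-traversal( \d+)?$", ["crypto isakmp nat-traversal 20"]),
    ("IPsec over TCP fallback (accepted answer)",
     r"^crypto isakmp ipsec-over-tcp port \d+$",
     ["crypto isakmp ipsec-over-tcp port 10000"]),
    ("decrypted VPN traffic bypasses the outside ACL",
     r"^sysopt connection permit-vpn$",
     ["! sysopt connection permit-vpn is on by default and hidden from show run;"
      " confirm with 'show running-config all sysopt'"]),
]


def config_lines(config_text):
    """Lines of the paste with sub-mode indentation kept, blanks and '!' dropped."""
    return [ln.rstrip() for ln in config_text.splitlines()
            if ln.strip() and not ln.startswith("!")]


def audit(config_text):
    """Map each check description to True (a line matches) or False (absent)."""
    lines = config_lines(config_text)
    return {desc: any(re.match(pat, ln) for ln in lines) for desc, pat, _ in CHECKS}


def unreferenced_acls(config_text):
    """ACL names defined but never referenced by a non-access-list line
    (access-group, nat 0, split-tunnel list ...). A typo in an ACL name shows
    up here as a second ACL that is never applied."""
    lines = config_lines(config_text)
    defined = {m.group(1) for m in (re.match(r"^access-list (\S+) ", ln) for ln in lines) if m}
    others = [ln for ln in lines if not ln.startswith("access-list ")]
    return sorted(n for n in defined
                  if not any(re.search(rf"\b{re.escape(n)}\b", ln) for ln in others))


def remediation(config_text):
    """Config-mode lines (and '!' notes) for every unmet check and stray ACL."""
    present = audit(config_text)
    out = [line for desc, _, fix in CHECKS if not present[desc] for line in fix]
    out += [f"! access-list {n} is defined but never applied" for n in unreferenced_acls(config_text)]
    return out


if __name__ == "__main__":
    for desc, ok in audit(POSTED_CONFIG).items():
        print(("OK      " if ok else "MISSING ") + desc)
    print("\n".join(remediation(POSTED_CONFIG)))
```

Because `sysopt connection permit-vpn` is on by default on ASA 7.x and therefore does not show in `show running-config`, the checker emits a verification note for it rather than a command; everything else it prints can be pasted into config mode, after changing ESP-3DES-SHA to whatever transform-set name the appliance already uses.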