Cisco ASA and VPN Configuration - Can't establish Connection

OK, I'm having issues getting this VPN connectivity up... any of you pros out there want to give it a quick look over?

When I try and connect I get 'Cannot establish TCP Connection'.

It doesn't even look like the ASA is responding.

My client is a subnet away and can ping the device.  Below is part of the config:

interface GigabitEthernet0/0
 nameif External
 security-level 0
 ip address 68.14.18.241 255.255.255.248
!
interface GigabitEthernet0/3
 nameif Internal
 security-level 100
 ip address 68.14.18.156 255.255.255.192
!
interface Management0/0
 nameif management
 security-level 100
 ip address 68.14.18.121 255.255.255.128
 management-only
!
boot system disk0:/asa802-k8.bin
ftp mode passive
dns domain-lookup Internal
dns server-group DefaultDNS
 domain-name cshado.org
dns server-group NAP
 name-server 68.14.18.8
 name-server 68.14.18.9
 domain-name cshado.org
access-list Admins_splitTunnelAcl standard permit any
access-list Internal_nat0_outbound extended permit ip any 68.14.18.128 255.255.255.240
access-list Internal_nat0_outbound extended permit ip any 68.14.18.160 255.255.255.240
access-list Internal_access_in extended permit ip any any
pager lines 24
mtu management 1500
mtu Internal 1500
mtu External 1500
ip local pool Admins 68.14.18.129-68.14.18.142
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
asdm history enable
arp timeout 14400
global (External) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 101 0.0.0.0 0.0.0.0
access-group Internal_access_in in interface Internal control-plane
route External 0.0.0.0 0.0.0.0 68.14.18.246 1
route Internal 68.14.18.192 255.255.255.240 68.14.18.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Admin protocol radius
aaa-server Client protocol radius
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 68.14.18.128 255.255.255.128 Internal
http 68.14.18.0 255.255.255.128 management
no snmp-server location
no snmp-server contact
snmp-server community NAP
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_map interface External
crypto isakmp enable External
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 5
management-access management
dhcpd ping_timeout 750
!
threat-detection basic-threat
threat-detection statistics access-list
!
!
ntp server 68.14.18.249 source External prefer
group-policy Admins internal
group-policy Admins attributes
 dns-server value 68.14.18.8 68.14.18.9
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admins_splitTunnelAcl
 default-domain value cshado.org
tunnel-group Admins type remote-access
tunnel-group Admins general-attributes
 address-pool Admins
 default-group-policy Admins
tunnel-group Admins ipsec-attributes
 pre-shared-key *



Thanks!
wiltim Asked:

ksims1129 Commented:
Is your client coming in on the External or Internal interface?
0
wiltim (Author) Commented:
External
0
ksims1129 Commented:
Are you using the Cisco VPN Client or some other client?
0
ksims1129 Commented:
Can traffic traverse the firewall appliance? Is there an access-list between the subnet you are on and the ASA?
0
wiltim (Author) Commented:
Yes, the Cisco VPN Client.

There's a router between the client and the ASA... no access lists.

I can ping the ASA box fine, so I know layer 2 and layer 3 connectivity is working... in theory.
0
nasirsh Commented:
crypto map External_map interface External
crypto isakmp enable External
Try changing them to the interface name rather than External.
0
devangshroff Commented:
I think the VPN pool is missing.

Please check what IP you are getting when you connect the VPN client.
0
devangshroff Commented:
Is it site-to-site or remote VPN?
0
wiltim (Author) Commented:
I actually found the solution on another post. It was the lack of 3DES support... I guess the new VPN clients only support 3DES, and if it's DES they disconnect.

So I got that resolved, but now I have a new problem. We can connect now, but we can't get anywhere. Can't ping anything on the inside of the network, or anything beyond that.

I'll post the new config here... my thought right now is that it's because the VPN pool is a portion of the local subnet, so response traffic doesn't know how to get back...

Anyway, take a look:

hostname COMPANY-VPN1
domain-name sample.org
enable password xxxxxxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description External Interface to NAP Router (FE1/2)
 nameif External
 security-level 0
 ip address 67.18.21.241 255.255.255.248
!
interface GigabitEthernet0/1
 description DISABLED
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description DISABLED
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Internal Interface to COMPANY-EXTSWTCH (FE0/3)
 nameif Internal
 security-level 100
 ip address 67.18.21.156 255.255.255.192
!
interface Management0/0
 description Management Interface to COMPANY-INTSWTCH (FE0/23)
 nameif management
 security-level 100
 ip address 67.18.21.121 255.255.255.128
 management-only
!
passwd xxxxxxxxxxxxxxxxxxx
boot system disk0:/asa802-k8.bin
ftp mode passive
dns domain-lookup management
dns domain-lookup Internal
dns domain-lookup External
dns server-group DefaultDNS
 domain-name sample.org
dns server-group NCE-Miami
 name-server 67.18.21.8
 name-server 67.18.21.9
 domain-name sample.org
dns-group NCE-Miami
same-security-traffic permit inter-interface
access-list NCE-MIA-ADMIN_splitTunnelAcl standard permit any
access-list Internal_nat0_outbound extended permit ip any 67.18.21.128 255.255.255.240
access-list Internal_nat0_outbound extended permit ip any 67.18.21.160 255.255.255.240
access-list Internal_access_in extended permit ip any any
pager lines 24
mtu management 1500
mtu Internal 1500
mtu External 1500
ip local pool COMPANY-CLIENT 67.18.21.161-67.18.21.174
ip local pool COMPANY-ADMIN 67.18.21.129-67.18.21.135 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
asdm image disk0:/asdm-611.bin
asdm history enable
arp timeout 14400
global (External) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 101 0.0.0.0 0.0.0.0
access-group Internal_access_in in interface Internal control-plane
route External 0.0.0.0 0.0.0.0 67.18.21.246 1
route External 67.18.21.192 255.255.255.224 67.18.21.246 1
route Internal 67.18.21.192 255.255.255.240 67.18.21.158 1
route External 67.18.21.224 255.255.255.240 67.18.21.246 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Admin protocol radius
aaa-server Client protocol radius
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 0.0.0.0 0.0.0.0 Internal
http 0.0.0.0 0.0.0.0 External
http 67.18.21.0 255.255.255.128 management
no snmp-server location
no snmp-server contact
snmp-server community NCE-MIAMI
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_map interface External
crypto isakmp enable External
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 67.18.21.0 255.255.255.128 management
ssh 0.0.0.0 0.0.0.0 Internal
ssh 0.0.0.0 0.0.0.0 External
ssh timeout 5
ssh version 2
console timeout 5
management-access management
dhcpd ping_timeout 750
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 67.18.21.158 source Internal prefer
ntp server 67.18.21.249 source External prefer
ssl encryption rc4-sha1
webvpn
 enable External
group-policy COMPANY-GROUP internal
group-policy ADMIN-GROUP attributes
 banner value You have connected to NCE-MIAMI-VPN! Have a great day!
group-policy COMPANY-GROUP internal
username xadmin password xxxxxxxxxxxxx encrypted
username xadmin attributes
 service-type nas-prompt
tunnel-group ADMIN-GROUP type remote-access
tunnel-group ADMIN-GROUP general-attributes
 address-pool COMPANY-ADMIN
 default-group-policy NCE-ADMIN-GROUP
tunnel-group ADMIN-GROUP ipsec-attributes
 pre-shared-key *
Cryptochecksum:37a53a24e34c9907eab421325a4bf396
: end
COMPANY-VPN1#   sh ver

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.1(1)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"

COMPANY-VPN1 up 7 days 6 hours

Hardware:   ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: GigabitEthernet0/0  : address is 001f.ca09.07fe, irq 9
 1: Ext: GigabitEthernet0/1  : address is 001f.ca09.07ff, irq 9
 2: Ext: GigabitEthernet0/2  : address is 001f.ca09.0800, irq 9
 3: Ext: GigabitEthernet0/3  : address is 001f.ca09.0801, irq 9
 4: Ext: Management0/0       : address is 001f.ca09.07fd, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 200
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 5000
WebVPN Peers                 : 2
Advanced Endpoint Assessment : Disabled

This platform has an ASA 5540 VPN Premium license.

COMPANY-VPN1#


0
wiltim (Author) Commented:
I screwed up the config above trying to clean it... here's a correct one:

COMPANY-VPN1# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname COMPANY-VPN1
domain-name COMPANY.org
enable password 0e53SZdxezxawxDG encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description External Interface to NAP Router (FE1/2)
 nameif External
 security-level 0
 ip address 67.18.21.241 255.255.255.248
!
interface GigabitEthernet0/3
 description Internal Interface to COMPANY-EXTSWTCH (FE0/3)
 nameif Internal
 security-level 100
 ip address 67.18.21.156 255.255.255.192
!
interface Management0/0
 description Management Interface to COMPANY-INTSWTCH (FE0/23)
 nameif management
 security-level 100
 ip address 67.18.21.121 255.255.255.128
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns domain-lookup management
dns domain-lookup Internal
dns domain-lookup External
dns server-group DefaultDNS
 domain-name COMPANY.org
dns server-group COMP
 name-server 67.18.21.8
 name-server 67.18.21.9
 domain-name COMPANY.org
dns-group COMP
same-security-traffic permit inter-interface
access-list LNDNADMIN_splitTunnelAcl standard permit any
access-list Internal_nat0_outbound extended permit ip any 67.18.21.128 255.255.255.240
access-list Internal_nat0_outbound extended permit ip any 67.18.21.160 255.255.255.240
access-list Internal_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging from-address VPN1@COMPANY.org
logging recipient-address tim_williams@emainc.com level errors
logging flash-bufferwrap
mtu management 1500
mtu Internal 1500
mtu External 1500
ip local pool LNDN-COMP-CLIENT 67.18.21.161-67.18.21.174
ip local pool LNDNADMIN 67.18.21.129-67.18.21.135 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
asdm image disk0:/asdm-611.bin
asdm history enable
arp timeout 14400
global (External) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 101 0.0.0.0 0.0.0.0
access-group Internal_access_in in interface Internal control-plane
route External 0.0.0.0 0.0.0.0 67.18.21.246 1
route External 67.18.21.192 255.255.255.224 67.18.21.246 1
route Internal 67.18.21.192 255.255.255.240 67.18.21.158 1
route External 67.18.21.224 255.255.255.240 67.18.21.246 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Admin protocol radius
aaa-server Client protocol radius
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 0.0.0.0 0.0.0.0 Internal
http 0.0.0.0 0.0.0.0 External
http 67.18.21.0 255.255.255.128 management
no snmp-server location
no snmp-server contact
snmp-server community COMP
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_map interface External
crypto isakmp enable External
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 67.18.21.0 255.255.255.128 management
ssh 0.0.0.0 0.0.0.0 Internal
ssh 0.0.0.0 0.0.0.0 External
ssh timeout 5
ssh version 2
console timeout 5
management-access management
dhcpd ping_timeout 750
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 67.18.21.158 source Internal prefer
ntp server 67.18.21.249 source External prefer
ssl encryption rc4-sha1
webvpn
 enable External
group-policy COMP-ADMIN-GROUP internal
group-policy COMP-ADMIN-GROUP attributes
 banner value You have connected to COMP-VPN! Have a great day!
group-policy CLIENT-GROUP internal
username xadmin password zb6W1mcU3unBcPa3 encrypted
tunnel-group COMP-ADMIN-GROUP type remote-access
tunnel-group COMP-ADMIN-GROUP general-attributes
 address-pool LNDNADMIN
 default-group-policy COMP-ADMIN-GROUP
tunnel-group COMP-ADMIN-GROUP ipsec-attributes
 pre-shared-key *
tunnel-group CLIENT-GROUP type remote-access
tunnel-group CLIENT-GROUP general-attributes
 address-pool LNDN-COMP-CLIENT
 default-group-policy CLIENT-GROUP
tunnel-group CLIENT-GROUP ipsec-attributes
 pre-shared-key *

0
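As an added example (not code from the thread, from the poster, or from Cisco), the following Python lint reads an excerpt of the config posted above and surfaces the two things this thread turns on: which IKE and ESP ciphers the dynamic crypto map actually offers, and whether a VPN address pool sits inside a directly connected interface subnet. The excerpt is constructed here from the posted lines; the parser understands only the handful of ASA commands it needs, and the assumptions about the command grammar are mine, not a general ASA parser.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.0(2) config posted in this thread (not the full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif External
 security-level 0
 ip address 67.18.21.241 255.255.255.248
!
interface GigabitEthernet0/3
 nameif Internal
 security-level 100
 ip address 67.18.21.156 255.255.255.192
!
ip local pool LNDN-COMP-CLIENT 67.18.21.161-67.18.21.174
ip local pool LNDNADMIN 67.18.21.129-67.18.21.135 mask 255.255.255.192
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption des
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
"""


def parse_asa(text):
    """Minimal parser: interfaces, local pools, transform-sets, dynamic-map references, IKE ciphers."""
    cfg = {"interfaces": {}, "pools": {}, "transform_sets": {}, "dynmap_sets": [], "ike_enc": {}}
    block = None  # (kind, name) of the indented block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            block = None
            continue
        parts = line.split()
        if not line.startswith(" "):            # top-level command
            block = None
            if parts[0] == "interface":
                block = ("interface", parts[1])
                cfg["interfaces"][parts[1]] = {}
            elif line.startswith("ip local pool"):
                m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)  # optional 'mask ...' is ignored
                cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                            ipaddress.ip_address(m.group(3)))
            elif line.startswith("crypto ipsec transform-set"):
                cfg["transform_sets"][parts[3]] = parts[4:]
            elif line.startswith("crypto dynamic-map") and "set transform-set" in line:
                cfg["dynmap_sets"].extend(parts[parts.index("transform-set") + 1:])
            elif line.startswith("crypto isakmp policy"):
                block = ("ike", parts[3])
                cfg["ike_enc"][parts[3]] = None
            continue
        if block and block[0] == "interface":     # indented sub-commands of an interface
            if parts[0] == "nameif":
                cfg["interfaces"][block[1]]["nameif"] = parts[1]
            elif parts[:2] == ["ip", "address"]:
                cfg["interfaces"][block[1]]["net"] = ipaddress.ip_network(
                    f"{parts[2]}/{parts[3]}", strict=False)
        elif block and block[0] == "ike" and parts[0] == "encryption":
            cfg["ike_enc"][block[1]] = parts[1]
    return cfg


def ike_encryptions(cfg):
    """Phase 1 ciphers the ASA will negotiate (one per isakmp policy)."""
    return {enc for enc in cfg["ike_enc"].values() if enc}


def offered_esp_encryptions(cfg):
    """Phase 2 ESP ciphers actually reachable through the dynamic crypto map."""
    offered = set()
    for ts in cfg["dynmap_sets"]:
        for alg in cfg["transform_sets"].get(ts, []):
            if alg.startswith("esp-") and not alg.endswith("-hmac"):
                offered.add(alg)
    return offered


def unreferenced_transform_sets(cfg):
    """Transform-sets defined but never attached to the dynamic map."""
    return sorted(set(cfg["transform_sets"]) - set(cfg["dynmap_sets"]))


def pool_overlaps(cfg):
    """(pool, nameif) pairs where a pool lies inside a connected interface subnet;
    return traffic for such clients depends on the ASA answering ARP for them."""
    findings = []
    for pool, (start, end) in cfg["pools"].items():
        for intf in cfg["interfaces"].values():
            net = intf.get("net")
            if net and (start in net or end in net):
                findings.append((pool, intf["nameif"]))
    return findings


def lint(cfg):
    problems = []
    if offered_esp_encryptions(cfg) <= {"esp-des"}:
        problems.append("dynamic crypto map offers only DES transform sets")
    for ts in unreferenced_transform_sets(cfg):
        problems.append(f"transform-set {ts} is defined but not referenced by the crypto map")
    for pool, nameif in pool_overlaps(cfg):
        problems.append(f"pool {pool} lies inside the subnet of interface {nameif}")
    return problems


if __name__ == "__main__":
    for p in lint(parse_asa(SAMPLE_CONFIG)):
        print("WARN:", p)
```

Run against the posted lines it reports that the dynamic map still references only the ESP-DES-* transform sets (ESP-3DES-SHA is defined but unused, so Phase 2 can only negotiate single DES even though policy 30 offers 3DES for Phase 1), and that both pools fall inside the Internal /26, which is the overlap the author suspects. A pool carved out of a connected subnet only works if the ASA proxy-ARPs for those addresses; giving the pool its own subnet with a route on the inside pointing at the ASA avoids the question entirely.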
ksims1129 Commented:
Can you attach a "debug crypto isakmp 255" showing the output while you are attempting to establish a VPN connection to the firewall?
0
ksims1129 Commented:
What did you figure out the problem to be?
0