We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

ASA5505 Client VPN

modathir
modathir asked
on
Medium Priority
552 Views
Last Modified: 2012-05-07
Hi Guys
I attached my config for Cisco ASA 5505 I did configure the Remote access vpn for users I am testing it at our office I need to ship it the client in 2 days. every time I try the vpn from another outside network I get error: secure vpn connection terminated by peer reason 433!
also on ASDAM realtime log:  Group=WestaimGroup ip x.x.x.x error: Unable to remove PeerTbIEntery
Group=WestaimGroup ip x.x.x.x Removing peer from peer table failed no match

Any help please
Run-Config.txt
Comment
Watch Question

Author

Commented:
also Group=WestaimGroup user xxx ip x.x.x.x  Cannot obtain IP address for remote peer
Technical Architect
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Hi PeteLong:
I followed your instructions and started over  what I did is reset to factory-default and reconfigured from scratch. the VPN is working I can connect but, I have one host connected to the local network with IP 172.17.66.30 I cannot ping it from the VPN client computer! my new config is here:

ASA Version 7.2(4)
!
hostname WESTAIM-ASA5505
domain-name default.domain.invalid
enable password iWVY0RB2EOEs8wDO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.17.66.3 WESTAIMSBS description Westaim SBS Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.66.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec #######################################################
banner exec #######################################################
banner exec ####                                               ####
banner exec ####        UNAUTHORIZED ACCESS IS PROHIBITED      ####
banner exec ####             All Activity is being Logged.     ####
banner exec #######################################################
banner exec #######################################################
banner login ##################################################################
banner login ##################################################################
banner login ###                          You have been Authenticated       ###
banner login ###  You are responsible for all activity during this session  ###
banner login ##################################################################
banner login ##################################################################
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in remark Allow Exchange server to send e-mail
access-list inside_access_in remark Allow DNS server to query DNS servers on the                                                                              Internet
access-list inside_access_in extended permit tcp host WESTAIMSBS any eq smtp
access-list inside_access_in extended permit tcp host WESTAIMSBS eq smtp any
access-list inside_access_in extended permit udp host WESTAIMSBS any eq domain
access-list remotevpn_splitTunnelAcl standard permit 172.17.66.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.66.0 255.255.255.0 17                                                                             2.17.56.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool reomtevpnpool 172.17.56.30-172.17.56.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 205.206.116.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.17.66.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 172.17.66.0 255.255.255.255 inside
ssh 172.17.66.30 255.255.255.255 inside
ssh WESTAIMSBS 255.255.255.255 inside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.17.66.30-172.17.66.50 inside
dhcpd enable inside
!
ntp server WESTAIMSBS
group-policy remotevpn internal
group-policy remotevpn attributes
 wins-server value 172.17.66.3
 dns-server value 172.17.66.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remotevpn_splitTunnelAcl
 default-domain value westaimc.local
username xxxxxxxxxx password xxxxxxxxx encrypted privilege 0
username westaim attributes
 vpn-group-policy remotevpn
username xxxxxx password xxxxxxxxxxx encrypted
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool reomtevpnpool
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 172.17.66.3
prompt hostname context
Cryptochecksum:16504a01e99b95dee4978a0d633bfe20
: end
WESTAIM-ASA5505#
Pete LongTechnical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The VPN connects? you say you cannot ping this client?  does other traffic work? if a VPN client can connect and no traffic passes usually the problem is NAT related.

Author

Commented:
Thanks PeteLong
Do you see any NAT  issue in this configration? I cannot ping anything on 172.17.66.0/24 from the VPN client or the otherway around  ping 172.17.56.0/24 from local network, so the connection is established but there is no trafic going through!
Thanks again.    

Author

Commented:
Also I notice that the VPN client doesn't have a gateway IP if that help!

Author

Commented:
Thanks PeteLong
Now it is working I just had to disable windows firewall on both machines, I can ping the remote and local computers. The full points are going toward you man you been very helpful! But I have more questions for you:
1-      I need to configure Radius server to authenticate VPN users, I need to keep the local as well. So, the command lines  for that  please, my RADIUS server would be 172.17.66.4
2-     I have  SBS server  2008 on 172.17.66.3  I need  to allow SMTP exchange server in and out, remote web workplace on SBS. Do I need to configure static NAT for that?
 
Thanks again
Pete LongTechnical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
1- See my website here - http://www.petenetlive.com/Tech/Firewalls/Cisco/c2svpnRADIUS.htm
2- No you just need to forward the RWW Ports to the SBS Server see my website here http://www.petenetlive.com/Tech/Firewalls/Cisco/portforward.htm
Note for RWW you need TCP 443 and TCP 4125 :)
Pete LongTechnical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
To swap from Local to RADIUS simply locate the group policy in the ADSM and change fromLOCAL to RADIUS (see my link above)

Author

Commented:
Thank you so much!
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.