Cisco ASA 5505 Remote access VPN

nobs
I have configured my IPSEC VPN for remote access VPN via the ASDM configuration wizard, but I can't seem to make a connection. I will attach my configuration. When I try to configure my VPN client, it asks me for a tunnel group password which I had not specified. On my ASDM syslog I get these messages.

Group = DefaultRAGroup, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from peer table failed, no match!
Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'Branchvpn'.

Author

Commented:
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name motor.gx.za
enable password DjGOaLXBWWiqnfoU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.100 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 196.x.x.x 255.255.255.x
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name motorx.gx.za
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq https
access-list outside_in extended permit udp any any eq www
access-list outside_in extended permit tcp any host 41.203.18.57 eq smtp
access-list outside_in extended permit tcp any host 41.203.18.57 eq pop3
access-list outside_in extended permit tcp any any eq 3389
access-list outside_in extended permit udp any any eq dnsix
access-list inside_in extended permit tcp any any
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool LocalIPvpnpoolforRemoteVpnClients 10.0.1.102-10.0.1.255 mask 255.255.255.0 ( will change this to a range outside our LAN Range)
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.0.1.3 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.25.145.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.1.104-10.0.1.254 inside
dhcpd dns 10.0.1.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy BranchVPN internal
group-policy BranchVPN attributes
 dns-server value 10.0.1.2
 vpn-tunnel-protocol IPSec
 default-domain value elundini.gov.za
username nobsv password M7YrvRDshm2JKbIX encrypted privilege 0
username nobsv attributes
 vpn-group-policy BranchVPN
username mount password Lb69G.OtcZB33mKq encrypted privilege 0
username mount attributes
 vpn-group-policy BranchVPN
username gugut password ZgeqFizl9IbSi087 encrypted privilege 0
username gugut attributes
 vpn-group-policy BranchVPN
username Ugie password gCVjSFahpJxnRXQ8 encrypted privilege 0
username Ugie attributes
 vpn-group-policy BranchVPN
username elundini password VlvHxx6rDymYa8li encrypted privilege 0
username elundini attributes
 vpn-group-policy BranchVPN
tunnel-group BranchVPN type remote-access
tunnel-group BranchVPN general-attributes
 address-pool LocalIPvpnpoolforRemoteVpnClients
 default-group-policy BranchVPN
tunnel-group BranchVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cb8ba867cd7a2e8dbea6065b4794d994
: end
By looking at your configuration, you are trying to establish a VPN connection using a tunnel group named branchvpn.

IPSec attributes use something called a pre-shared key for connection creation, which needs to be the same on both sides of the FW. Try to configure the same pre-shared key (case sensitive) on both FWs and check.

You can do it either through cmd or through ASDM.

Best,
Sankar.K

Author

Commented:
What do you mean by "on both sides of the firewall"?

Author

Commented:
Getting 2 logs now:

Group = DefaultRAGroup, IP = 41.247.233.13, Error: Unable to remove PeerTblEntry
Group = DefaultRAGroup, IP = 41.247.233.13, Removing peer from peer table failed, no match!

Also, I wanted to use the local database, not the tunnel group, to authenticate. How do I do that?
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
>tunnel-group BranchVPN ipsec-attributes
> pre-shared-key *

On your client setup, BranchVPN is the group name. It is case sensitive!
Whatever you set for the pre-shared-key is the group password...


Well, if you are using IPSec attributes, then you should mention the pre-shared key. It is a way to start the communication.

You should have these settings on both the initiator (branch) and receiver (headquarters) firewall.
After entering the tunnel group, it should ask for a username/password using the local user database you defined.

Here is the official Cisco how-to on Remote Access VPN via GUI:
http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/rem_acc.html

And here is the CLI:
http://cisco.biz/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html#wp1002608

Author

Commented:
I only had VPN-DES enabled, and I enabled VPN-3DES-AES and used 3DES, and changed my IP pool to point to a range not on my LAN, and that sorted my problem. Now all remote access clients are happy.
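The three things this thread turned on (the client's group name must match the tunnel-group name exactly, including case; the VPN address pool should not sit inside the inside interface's subnet; and DES-only IKE/IPsec proposals, which the asker replaced with 3DES) can be checked mechanically before a client ever connects. The Python script below is an added example written for this page, not code from the thread or from Cisco. The config excerpt and syslog line it parses are constructed to resemble the ones posted above (with changed addresses), and the function names, the pool name RAPOOL and the regular expressions are this example's own assumptions about the ASA 8.2 `show running-config` text format; adapt them if your config uses other keywords.

```python
"""Lint an ASA 8.2-style running config for three remote-access VPN problems:
a tunnel-group name that differs from the client's group name only by case,
an address pool that overlaps an interface subnet, and DES-only proposals.
Constructed example; not the thread's or Cisco's code."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config (addresses changed).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.100 255.255.255.0
ip local pool RAPOOL 10.0.1.102-10.0.1.255 mask 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
tunnel-group BranchVPN type remote-access
tunnel-group BranchVPN ipsec-attributes
 pre-shared-key *
"""

# Constructed syslog line in the shape the question shows.
SAMPLE_LOG = ("Received ISAKMP Aggressive Mode message 1 with unknown "
              "tunnel group name 'Branchvpn'.")

# The asker's fix, applied to the constructed excerpt: pool off the LAN, 3DES for IKE.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("10.0.1.102-10.0.1.255", "10.0.2.1-10.0.2.100")
                .replace("encryption des", "encryption 3des"))


def tunnel_groups(config):
    """Names of remote-access tunnel groups defined in the config."""
    return re.findall(r"^tunnel-group (\S+) type remote-access$", config, re.M)


def client_group_from_log(line):
    """Group name the client sent, as reported in the ASA syslog message."""
    m = re.search(r"unknown tunnel group name '([^']*)'", line)
    return m.group(1) if m else None


def check_group_name(config, log_line):
    """Return None if the client's group name matches a tunnel group exactly,
    otherwise a finding that distinguishes a case-only mismatch from a typo."""
    groups = tunnel_groups(config)
    sent = client_group_from_log(log_line)
    if sent is None or sent in groups:
        return None
    case_hits = [g for g in groups if g.lower() == sent.lower()]
    if case_hits:
        return (f"client sent '{sent}' but the tunnel group is '{case_hits[0]}': "
                "group names are case sensitive")
    return f"client sent '{sent}'; no such tunnel group (defined: {groups})"


def interface_subnets(config):
    """Map nameif -> ip_network for every interface that carries an address."""
    nets, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new interface block starts
        elif line.strip().startswith("nameif "):
            name = line.split()[1]
        elif name and line.strip().startswith("ip address "):
            parts = line.split()             # ip address <addr> <mask> [standby ...]
            nets[name] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    return nets


def check_pool_overlap(config):
    """List every 'ip local pool' whose range falls inside an interface subnet.
    The thread was resolved by moving the pool to a range outside the LAN."""
    findings = []
    nets = interface_subnets(config)
    for pool, lo, hi in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        for nameif, net in nets.items():
            if ipaddress.ip_address(lo) in net or ipaddress.ip_address(hi) in net:
                findings.append(f"pool {pool} ({lo}-{hi}) overlaps {nameif} {net}")
    return findings


def encryption_algorithms(config):
    """Encryption algorithms offered by IKE policies and IPsec transform sets."""
    algs = set(re.findall(r"^ encryption (\S+)", config, re.M))
    for rest in re.findall(r"^crypto ipsec transform-set \S+ (.+)$", config, re.M):
        for tok in rest.split():
            if tok.startswith("esp-") and not tok.endswith("-hmac"):
                algs.add(tok[len("esp-"):])  # esp-des -> des, esp-aes -> aes
    return algs


def check_des_only(config):
    """True when DES is the only encryption the box can propose (weak, and a
    client offering only 3DES/AES has nothing to agree on)."""
    algs = encryption_algorithms(config)
    return bool(algs) and algs <= {"des"}


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"== {label} ==")
        print("group name:", check_group_name(cfg, SAMPLE_LOG))
        print("pool overlap:", check_pool_overlap(cfg))
        print("DES only:", check_des_only(cfg))
```

Run it against the real `show running-config` output by reading the file into `SAMPLE_CONFIG`'s place; the group-name check still needs the `%ASA-...unknown tunnel group name` line from the syslog, since the name the client typed is not in the config.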

Author

Commented:
The documentation link provided made me read some more
Glad I could help!
