• Status: Solved

Cisco IPSec VPN not working on Windows 7 x86 (ASA5505)

Hello Experts,

I have a problem (obviously). I can't get the VPN client (v5.06 through 5.07) to pass traffic on Windows 7 x86.

I just did an upgrade to ASA v8.2(3) from 8.04 (DRAM upgrade also to 512)...After which point, my VPN no longer works on XP either...I downgraded back to 8.04, and still no dice.

On a side note, I've NEVER been able to get internet to work while connected to VPN, but I don't expect that to be solved in this question; I will assign a bonus 500 points if you can make that work, too.

What is going on, and can someone see the issue based on my running config? (I am so fried this week, it's hard for me to think anymore, so I'm reaching out for a fresh set of eyes). I don't know if something blew up or what, and the downgrade didn't work? I'm not comfortable going to 8.3(x) yet because it has some crazy changes that I'm not ready to deal with.


Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(3) 
!
hostname GateKeeper
domain-name ssvems
enable password BQ/SGet20ywDB3VY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.100.10.11 SSVEMSDC01 description Domain Controller
name 10.100.10.49 SSVEMS-PC-03 description Remote Access Virtual Machine
name 10.100.10.22 DATASERVER01 description Application Server (Hyper-V)
name 10.100.10.10 NEXUS01 description Primary Hyper-V NEXUS
name 10.100.10.19 Barracuda description SPAM Firewall
name 10.100.10.17 EXCHANGE01 description Exchange Server
name 10.100.10.18 BLACKBERRY description BESx Server
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.10.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.107.12.62 255.255.252.0 
 ospf cost 10
!
banner login *****NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***NOTICE*****
banner login **********************************************************************
banner login This system is for the use of authorized users only. Individuals using
banner login this computer system without authority, or in excess of their authority,
banner login are subject to having all of their activities on this system monitored
banner login and recorded by system personnel.
banner login In the course of monitoring individuals improperly using this system,
banner login or in the course of system maintenance, the activities of authorized
banner login users may also be monitored.
banner login Anyone using this system expressly consents to such monitoring and is
banner login advised that if such monitoring reveals possible evidence of criminal
banner login activity, system personnel may provide the evidence of such monitoring
banner login to law enforcement officials.
banner login **********************************************************************
banner motd *****NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***NOTICE*****
banner motd **********************************************************************
banner motd This system is for the use of authorized users only. Individuals using
banner motd this computer system without authority, or in excess of their authority,
banner motd are subject to having all of their activities on this system monitored
banner motd and recorded by system personnel.
banner motd In the course of monitoring individuals improperly using this system,
banner motd or in the course of system maintenance, the activities of authorized
banner motd users may also be monitored.
banner motd Anyone using this system expressly consents to such monitoring and is
banner motd advised that if such monitoring reveals possible evidence of criminal
banner motd activity, system personnel may provide the evidence of such monitoring
banner motd to law enforcement officials.
banner motd **********************************************************************
banner asdm *****NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***
banner asdm ****************************************************
banner asdm This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority,are subject to having all of their activities on this system monitored and recorded by system personnel.In the course of monitoring individuals improperly using this system,
banner asdm or in the course of system maintenance, the activities of authorized users may also be monitored.Anyone using this system expressly consents to such monitoring and is
banner asdm advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
banner asdm **********************************************************************
boot system disk0:/asa823-k8.bin
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.100.10.12
 domain-name ssvems
object-group service OutlookAnywhere tcp
 description RPC/HTTP
 port-object range 6000 6005
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in remark Inbound Mail
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in remark Outlook Anywhere via RPC over HTTPs
access-list outside_access_in extended permit tcp any host EXCHANGE01 object-group OutlookAnywhere 
access-list outside_access_in remark https access for OWA
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in remark http access for OWA
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in remark VPN HTTP/Local LAN
access-list outside_access_in extended permit tcp any 10.100.10.0 255.255.255.0 eq www 
access-list outside_access_in remark DCOM
access-list outside_access_in extended permit tcp any any eq 593 
access-list outside_access_in remark SSL for SMTP
access-list outside_access_in extended permit tcp any any eq 465 
access-list outside_access_in remark SSL for POP3
access-list outside_access_in extended permit tcp any any eq 995 
access-list outside_access_in remark SSL for POP3
access-list outside_access_in extended permit tcp any any eq 587 
access-list outside_access_in remark IMAP for Exchange
access-list outside_access_in extended permit tcp any any eq imap4 
access-list outside_access_in remark NTP
access-list outside_access_in extended permit udp any any eq ntp 
access-list outside_access_in remark Spiceworks Access
access-list outside_access_in extended permit tcp any any eq 9675 
access-list outside_access_in remark RDP Access for DC
access-list outside_access_in extended permit tcp any any eq 3389 
access-list outside_access_in remark RDP Access for Medical Director
access-list outside_access_in extended permit tcp any any eq 3489 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list inside_nat0_outbound extended permit ip any 10.100.10.192 255.255.255.224 
access-list RemoteAccess standard permit 10.100.10.0 255.255.255.0 
access-list RemoteAccess_splitTunnelAcl standard permit 10.100.10.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging from-address GATEKEEPER@SSVEMS.COM
logging recipient-address tac@ssvems.com level critical
mtu inside 1500
mtu outside 1500
ip local pool VPN 10.100.10.200-10.100.10.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,outside) tcp interface 587 EXCHANGE01 587 netmask 255.255.255.255 
static (inside,outside) tcp interface 3589 NEXUS01 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 3489 DATASERVER01 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 SSVEMS-PC-03 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 9675 SSVEMSDC01 9675 netmask 255.255.255.255 
static (inside,outside) udp interface ntp SSVEMSDC01 ntp netmask 255.255.255.255 
static (inside,outside) tcp interface https EXCHANGE01 https netmask 255.255.255.255 
static (inside,outside) tcp interface www EXCHANGE01 www netmask 255.255.255.255 
static (inside,outside) tcp interface 593 EXCHANGE01 593 netmask 255.255.255.255 
static (inside,outside) tcp interface smtp Barracuda smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 465 EXCHANGE01 465 netmask 255.255.255.255 
static (inside,outside) tcp interface 995 EXCHANGE01 995 netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 EXCHANGE01 imap4 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.107.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map CISCOMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN Users,CN=Bulitin,DC=ssvems,DC=local
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server SSVEMSDC01 protocol ldap
aaa-server SSVEMSDC01 (inside) host SSVEMSDC01
 ldap-base-dn DC=ssvems,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=administrator,CN=Users,DC=SSVEMS,DC=local
 server-type microsoft
 ldap-attribute-map CISCOMAP
aaa-server SYNAPSE protocol ldap
aaa-server SYNAPSE (inside) host SYNAPSE
 ldap-base-dn DC=ssvems,DC=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=administrator,CN=Users,DC=SSVEMS,DC=local
 server-type microsoft
 ldap-attribute-map CISCOMAP
nac-policy dfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication serial console LOCAL 
http server enable
http 10.100.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 5

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 dtls port 4433
 internal-password enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 nac-settings value dfltGrpPolicy-nac-framework-create
group-policy GroupPolicy1 external server-group SYNAPSE
group-policy vpnclients internal
group-policy vpnclients attributes
 dns-server value 10.100.10.20 10.100.10.11
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value ssvems.local
username tstrosnider password Y/MRBscZV9hk/dF7 encrypted privilege 15
username gigaboy password qcNY5KGM5rctDnJl encrypted privilege 15
tunnel-group vpnclients type remote-access
tunnel-group vpnclients general-attributes
 address-pool VPN
 authentication-server-group SYNAPSE LOCAL
 authorization-server-group SYNAPSE
 default-group-policy vpnclients
 dhcp-server 10.100.10.12
tunnel-group vpnclients ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
imap4s
 server EXCHANGE01
 default-group-policy DfltGrpPolicy
pop3s
 server EXCHANGE01
 default-group-policy DfltGrpPolicy
smtps
 server EXCHANGE01
 default-group-policy DfltGrpPolicy
smtp-server 10.100.10.16
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1b8c8d6ec1258b509cdb3da400c41a99
: end

Asked by: GigaBoyMBZ

3 Solutions

willbaclimon commented:
Did you "downgrade" and use the old config?
anoopkmr commented:

Are you getting any error while connecting via the VPN client?

can you change firewall config like below

tunnel-group vpnclients general-attributes
no address-pool VPN
no ip local pool VPN 10.100.10.200-10.100.10.210 mask 255.255.255.0
ip local pool New-VPN-Pool 192.168.200.0-192.168.200.10 mask 255.255.255.0

(You can use any unused IP range for the new pool; I just mentioned 192.168.200.x.)


tunnel-group vpnclients general-attributes
address-pool New-VPN-Pool

crypto isakmp nat-traversal 60
sysopt connection permit-vpn

your problem " I've NEVER been able to get internet to work while connected to VPN" will be solved by adding the below commands


access-list split permit ip 10.100.10.0 255.255.255.0 any
group-policy vpnclients attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split


let me know the status
lrmoore commented:
>I'm not comfortable going to 8.3(x) yet because it has some crazy changes that I'm not ready to deal with.
Agree!!

But, from 8.04 to 8.23 should not have changed functionality..

From Anoop's post
>access-list split permit ip 10.100.10.0 255.255.255.0 any

Should be
access-list split standard permit 10.100.10.0 255.255.255.0

Get RID of these:  !!
>crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
>crypto map inside_map interface inside
>crypto isakmp enable inside

What is breaking? The Authentication?

>I downgraded back to 8.04, and still no dice.
so, what version is running now? Can you post your 8.04 config if it is the current one?


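As an added example (not code from the question or from either answer), the Python script below audits an ASA 8.2-style running config for the points the two answers above raise: an address pool that lies inside the "inside" subnet, a group-policy without a split-tunnel list, and a crypto map or ISAKMP bound to the inside interface. It also checks one thing the answers do not mention but which matters when the pool is moved to a new subnet: the nat0 exemption ACL has to cover the new pool, or return traffic from the LAN gets translated. The two embedded configs are constructed excerpts, one modelled on the posted config and one on the answers' fixes; the nat0 line for 192.168.200.0/24 in the second is my assumption. The ACL parser also handles `host` and `any` sources, which goes beyond the single nat0 line on the page.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted running-config (only lines the checks read).
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.100.10.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.100.10.192 255.255.255.224
ip local pool VPN 10.100.10.200-10.100.10.210 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map inside_map interface inside
crypto isakmp enable inside
tunnel-group vpnclients general-attributes
 address-pool VPN
"""

# Constructed "after" state: anoopkmr's new pool and split-tunnel lines with lrmoore's
# corrections applied. The nat0 entry for 192.168.200.0/24 is an assumption added here.
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.100.10.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.200.0 255.255.255.0
ip local pool New-VPN-Pool 192.168.200.0- 192.168.200.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy vpnclients attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
tunnel-group vpnclients general-attributes
 address-pool New-VPN-Pool
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-\s*(\d+\.\d+\.\d+\.\d+)")

def blocks(cfg):
    """Group config lines into (command, [sub-commands]) pairs by indentation."""
    out = []
    for raw in cfg.splitlines():
        if raw.startswith(" ") and out:
            out[-1][1].append(raw.strip())
        elif raw.strip():
            out.append((raw.strip(), []))
    return out

def inside_subnet(cfg):
    """Connected subnet of the interface whose nameif is 'inside' (None if absent)."""
    for header, body in blocks(cfg):
        if header.startswith("interface ") and "nameif inside" in body:
            ip, mask = next(ln for ln in body if ln.startswith("ip address ")).split()[2:4]
            return ipaddress.ip_interface(f"{ip}/{mask}").network

def _addr_spec(tokens, i):
    """Consume one ACL address spec ('any', 'host X' or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def nat0_exempt_destinations(cfg, interface="inside"):
    """Destination networks exempted from NAT via 'nat (<if>) 0 access-list <acl>'."""
    headers = [h for h, _ in blocks(cfg)]
    acl = next((h.split()[-1] for h in headers
                if h.startswith(f"nat ({interface}) 0 access-list ")), None)
    dests = []
    for h in headers:
        if acl and h.startswith(f"access-list {acl} extended permit ip "):
            tokens = h.split()                 # ... permit ip <src> <dst>
            _, i = _addr_spec(tokens, 5)
            dests.append(_addr_spec(tokens, i)[0])
    return dests

def split_tunnel(cfg, group_policy):
    """(split-tunnel-policy, network-list name) set on a group-policy, None if unset."""
    body = dict(blocks(cfg)).get(f"group-policy {group_policy} attributes", [])
    settings = {ln.split()[0]: ln.split()[-1] for ln in body if ln.startswith("split-tunnel-")}
    return settings.get("split-tunnel-policy"), settings.get("split-tunnel-network-list")

def audit(cfg, group_policy="vpnclients"):
    """Findings for the remote-access pitfalls raised in the answers above."""
    findings, inside = [], inside_subnet(cfg)
    exempt = nat0_exempt_destinations(cfg)
    for m in filter(None, (POOL_RE.match(h) for h, _ in blocks(cfg))):
        name = m.group(1)
        first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        if inside and (first in inside or last in inside):
            findings.append(f"pool {name} overlaps inside subnet {inside}")
        if not any(first in net and last in net for net in exempt):
            findings.append(f"pool {name} is not covered by the nat0 exemption ACL")
    policy, acl = split_tunnel(cfg, group_policy)
    if policy != "tunnelspecified" or acl is None:
        findings.append(f"group-policy {group_policy} has no split-tunnel list")
    for h, _ in blocks(cfg):
        if h == "crypto isakmp enable inside" or re.match(r"^crypto map \S+ interface inside$", h):
            findings.append(f"IKE/IPsec bound to the inside interface: {h}")
    return findings
```

Running `audit(POSTED_CONFIG)` reports the pool overlap, the missing split-tunnel list and the two inside-interface crypto bindings; `audit(FIXED_CONFIG)` comes back empty. Pasting a real `show running-config` into `audit()` works the same way, since the parser only keys on indentation and the command prefixes shown.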
lrmoore commented:
In the GUI, try enabling TCP/10000 NAT transparency
(under Advanced| IPSEC | IKE Parameters)
Then on the client, check Transport tab and enable TCP 10000 instead of UDP
GigaBoyMBZ (Author) commented:
First, I want to thank you all for your comments/suggestions...I really appreciate it. I am going to see which of these suggestions works (probably a combination of all of them from the way it looks)
To willbaclimon: Yes, I downgraded and used the old config, but then upgraded to 8.2(3) because I saw no relevant configuration changes, etc. listed in the Release Notes.

To anoopkmr:
VPN ERROR? Not really, I don't get an error when connecting to VPN (it takes LDAP username/password); it just doesn't allow network resources to work (exchange, mapped drives, etc.)
IP Pool? You think I should use a totally different subnet or would it be ok to just assign a new "block" of IP's?
No Internet: I will run the command and see what happens when I test the VPN again...
 
To lrmoore:
8.3(x) -  The whole "migrate configuration settings" thing looks like it can be very complicated, and since so much changes, it would probably "break" things really easily, or maybe it would be better to upgrade but with a CLEAN/FRESH config...it's just looks very unfamiliar to me because of the way CISCO mapped things out...I will probably stay with 8.2(x) at the most...
From anoopkmr's post - I will drop the "any"...that looks more correct
Crypto Map - honestly, I don't remember doing these...what's the easiest way to blow them out? What would they affect both implemented or removed?
What's Breaking? Honestly, I don't know what's breaking because I don't get any errors or anything...It appears that the authentication is working because it takes the users LDAP credentials and connects almost instantly.
8.04 config - I downgraded to 8.04 with the backed-up/working config, and upgraded to 8.2(3)...the 8.04 config no longer worked after reloading it...dunno why. (I know, probably shouldn't have just done it either...that one's on me)
TCP/10000 - Should I do this before or after the multi-command suggestion from anoopkmr? or does it not matter? do I need to change the setting in the VPN profile on the clients?
GigaBoyMBZ (Author) commented:
UPDATE: Internet/Web access now works over the VPN! Nice anoopkmr! You will get the points for that one...
Now, I just need the rest to work. lol. thanks in advance for any additional assistance. I do appreciate it!
anoopkmr commented:

There is a typo in my command; it has to be like this:
access-list split  extended permit ip 10.100.10.0 255.255.255.0 any  (my old command will also work; it will automatically take the rule as extended.)

Or you can go ahead with lrmoore's.

Now the problem is you can't pass traffic over the VPN; it could be NAT transparency.

Did you create a new VPN pool? Did you try my commands
crypto isakmp nat-traversal 60
sysopt connection permit-vpn

Show me the output of

show crypto ipsec sa  <related to your VPN client>

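As an added example that is not part of the thread, here is a small Python reader for the `show crypto ipsec sa` output anoopkmr asks for. The sample output is constructed in the ASA's layout with made-up peer address, username and counters; nothing in it comes from the asker's firewall. The point it demonstrates is how to read `#pkts encaps` against `#pkts decaps`: the pair tells you which direction of the tunnel is dead, which is worth establishing before changing NAT-T, the pool or the split-tunnel list.

```python
import re

# Constructed sample in the layout of 'show crypto ipsec sa' on an ASA. Peer address,
# username and counters are made up for the example.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.62

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.100.10.200/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: jdoe
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 137, #pkts decrypt: 137, #pkts verify: 137
"""

REMOTE_RE = re.compile(r"remote ident .*?: \((\d+\.\d+\.\d+\.\d+)/")
PEER_RE = re.compile(r"current_peer: (\d+\.\d+\.\d+\.\d+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa(output):
    """One dict per IPsec SA: client (pool) address, peer address, encaps/decaps counters."""
    sas, cur = [], {}
    for line in output.splitlines():
        remote, peer, counter = REMOTE_RE.search(line), PEER_RE.search(line), COUNTER_RE.search(line)
        if remote:                       # a new SA starts at its 'remote ident' line
            cur = {"client": remote.group(1), "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif peer:
            cur["peer"] = peer.group(1)
        elif counter:
            cur[counter.group(1)] = int(counter.group(2))
    return sas

def diagnose(sa):
    """Interpret the two counters to localise a one-way or dead tunnel."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no traffic either way: the client is not sending into the tunnel (client routes / split list)"
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return "client packets arrive but nothing goes back: check the nat0 exemption and how inside hosts reach the pool"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "ASA sends but receives nothing: ESP is likely blocked in transit, try NAT-T / TCP 10000"
    return "bidirectional traffic flowing"
```

For the constructed sample the ASA has decrypted 137 client packets and encrypted none in return, so the problem is on the LAN side of the firewall rather than on the path between client and ASA.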
GigaBoyMBZ (Author) commented:
Thanks so much guys...I appreciate it.

I don't know why it won't let me assign any additional points (because I promised an additional 500 for solving the internet issue)...

Is there a way I can like "send" you both additional points or something?