Solved

Cisco IPSec VPN not working on Windows 7 x86 (ASA5505)

Posted on 2010-08-12
Last Modified: 2012-05-10
Hello Experts,

I have a problem (obviously). I can't get the VPN client (v5.06 through 5.07) to pass traffic on Windows 7 x86.

I just did an upgrade to ASA v8.2(3) from 8.04 (DRAM upgrade also to 512)...After which point, my VPN no longer works on XP either...I downgraded back to 8.04, and still no dice.

on a side note, I've NEVER been able to get internet to work while connected to VPN, but I don't expect that to be solved in this question; I will assign a bonus 500 points if you can make that work, too.

What is going on, and can someone see the issue based on my running config? (I am so fried this week, it's hard for me to think anymore, so I'm reaching out for a fresh set of eyes). I don't know if something blew up or what, and the downgrade didn't work? I'm not comfortable going to 8.3(x) yet because it has some crazy changes that I'm not ready to deal with.


Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(3)
!
hostname GateKeeper
domain-name ssvems
enable password BQ/SGet20ywDB3VY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.100.10.11 SSVEMSDC01 description Domain Controller
name 10.100.10.49 SSVEMS-PC-03 description Remote Access Virtual Machine
name 10.100.10.22 DATASERVER01 description Application Server (Hyper-V)
name 10.100.10.10 NEXUS01 description Primary Hyper-V NEXUS
name 10.100.10.19 Barracuda description SPAM Firewall
name 10.100.10.17 EXCHANGE01 description Exchange Server
name 10.100.10.18 BLACKBERRY description BESx Server
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.10.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.107.12.62 255.255.252.0
 ospf cost 10
!
banner login *****NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***NOTICE*****
banner login **********************************************************************
banner login This system is for the use of authorized users only. Individuals using
banner login this computer system without authority, or in excess of their authority,
banner login are subject to having all of their activities on this system monitored
banner login and recorded by system personnel.
banner login In the course of monitoring individuals improperly using this system,
banner login or in the course of system maintenance, the activities of authorized
banner login users may also be monitored.
banner login Anyone using this system expressly consents to such monitoring and is
banner login advised that if such monitoring reveals possible evidence of criminal
banner login activity, system personnel may provide the evidence of such monitoring
banner login to law enforcement officials.
banner login **********************************************************************
banner motd *****NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***NOTICE*****
banner motd **********************************************************************
banner motd This system is for the use of authorized users only. Individuals using
banner motd this computer system without authority, or in excess of their authority,
banner motd are subject to having all of their activities on this system monitored
banner motd and recorded by system personnel.
banner motd In the course of monitoring individuals improperly using this system,
banner motd or in the course of system maintenance, the activities of authorized
banner motd users may also be monitored.
banner motd Anyone using this system expressly consents to such monitoring and is
banner motd advised that if such monitoring reveals possible evidence of criminal
banner motd activity, system personnel may provide the evidence of such monitoring
banner motd to law enforcement officials.
banner motd **********************************************************************
banner asdm *****NOTICE***NOTICE***NOTICE***NOTICE***NOTICE***
banner asdm ****************************************************
banner asdm This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority,are subject to having all of their activities on this system monitored and recorded by system personnel.In the course of monitoring individuals improperly using this system,
banner asdm or in the course of system maintenance, the activities of authorized users may also be monitored.Anyone using this system expressly consents to such monitoring and is
banner asdm advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
banner asdm **********************************************************************
boot system disk0:/asa823-k8.bin
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.100.10.12
 domain-name ssvems
object-group service OutlookAnywhere tcp
 description RPC/HTTP
 port-object range 6000 6005
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in remark Inbound Mail
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in remark Outlook Anywhere via RPC over HTTPs
access-list outside_access_in extended permit tcp any host EXCHANGE01 object-group OutlookAnywhere
access-list outside_access_in remark https access for OWA
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in remark http access for OWA
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in remark VPN HTTP/Local LAN
access-list outside_access_in extended permit tcp any 10.100.10.0 255.255.255.0 eq www
access-list outside_access_in remark DCOM
access-list outside_access_in extended permit tcp any any eq 593
access-list outside_access_in remark SSL for SMTP
access-list outside_access_in extended permit tcp any any eq 465
access-list outside_access_in remark SSL for POP3
access-list outside_access_in extended permit tcp any any eq 995
access-list outside_access_in remark SSL for POP3
access-list outside_access_in extended permit tcp any any eq 587
access-list outside_access_in remark IMAP for Exchange
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in remark NTP
access-list outside_access_in extended permit udp any any eq ntp
access-list outside_access_in remark Spiceworks Access
access-list outside_access_in extended permit tcp any any eq 9675
access-list outside_access_in remark RDP Access for DC
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in remark RDP Access for Medical Director
access-list outside_access_in extended permit tcp any any eq 3489
access-list outside_access_in extended permit tcp any any eq ssh
access-list inside_nat0_outbound extended permit ip any 10.100.10.192 255.255.255.224
access-list RemoteAccess standard permit 10.100.10.0 255.255.255.0
access-list RemoteAccess_splitTunnelAcl standard permit 10.100.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address GATEKEEPER@SSVEMS.COM
logging recipient-address tac@ssvems.com level critical
mtu inside 1500
mtu outside 1500
ip local pool VPN 10.100.10.200-10.100.10.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,outside) tcp interface 587 EXCHANGE01 587 netmask 255.255.255.255
static (inside,outside) tcp interface 3589 NEXUS01 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3489 DATASERVER01 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 SSVEMS-PC-03 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9675 SSVEMSDC01 9675 netmask 255.255.255.255
static (inside,outside) udp interface ntp SSVEMSDC01 ntp netmask 255.255.255.255
static (inside,outside) tcp interface https EXCHANGE01 https netmask 255.255.255.255
static (inside,outside) tcp interface www EXCHANGE01 www netmask 255.255.255.255
static (inside,outside) tcp interface 593 EXCHANGE01 593 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface 465 EXCHANGE01 465 netmask 255.255.255.255
static (inside,outside) tcp interface 995 EXCHANGE01 995 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 EXCHANGE01 imap4 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.107.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map CISCOMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN Users,CN=Bulitin,DC=ssvems,DC=local
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server SSVEMSDC01 protocol ldap
aaa-server SSVEMSDC01 (inside) host SSVEMSDC01
 ldap-base-dn DC=ssvems,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=administrator,CN=Users,DC=SSVEMS,DC=local
 server-type microsoft
 ldap-attribute-map CISCOMAP
aaa-server SYNAPSE protocol ldap
aaa-server SYNAPSE (inside) host SYNAPSE
 ldap-base-dn DC=ssvems,DC=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=administrator,CN=Users,DC=SSVEMS,DC=local
 server-type microsoft
 ldap-attribute-map CISCOMAP
nac-policy dfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 10.100.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 5
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 dtls port 4433
 internal-password enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 nac-settings value dfltGrpPolicy-nac-framework-create
group-policy GroupPolicy1 external server-group SYNAPSE
group-policy vpnclients internal
group-policy vpnclients attributes
 dns-server value 10.100.10.20 10.100.10.11
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value ssvems.local
username tstrosnider password Y/MRBscZV9hk/dF7 encrypted privilege 15
username gigaboy password qcNY5KGM5rctDnJl encrypted privilege 15
tunnel-group vpnclients type remote-access
tunnel-group vpnclients general-attributes
 address-pool VPN
 authentication-server-group SYNAPSE LOCAL
 authorization-server-group SYNAPSE
 default-group-policy vpnclients
 dhcp-server 10.100.10.12
tunnel-group vpnclients ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
imap4s
 server EXCHANGE01
 default-group-policy DfltGrpPolicy
pop3s
 server EXCHANGE01
 default-group-policy DfltGrpPolicy
smtps
 server EXCHANGE01
 default-group-policy DfltGrpPolicy
smtp-server 10.100.10.16
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1b8c8d6ec1258b509cdb3da400c41a99
: end


Question by:GigaBoyMBZ

8 Comments
 
LVL 7

Expert Comment

by:willbaclimon
ID: 33432824
Did you "downgrade" and use the old config?
 
LVL 14

Accepted Solution

by:
anoopkmr earned 350 total points
ID: 33433693

Are you getting any error while connecting via the VPN client?

Can you change the firewall config like below?

tunnel-group vpnclients general-attributes
no address-pool VPN
no ip local pool VPN 10.100.10.200-10.100.10.210 mask 255.255.255.0
ip local pool New-VPN-Pool 192.168.200.0-192.168.200.10 mask 255.255.255.0

(You can use any unused IP range for the new pool; I just mentioned 192.168.200.x.)


tunnel-group vpnclients general-attributes
address-pool New-VPN-Pool

crypto isakmp nat-traversal 60
sysopt connection permit-vpn

Your problem "I've NEVER been able to get internet to work while connected to VPN" will be solved by adding the commands below:


access-list split permit ip 10.100.10.0 255.255.255.0 any
group-policy vpnclients attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split


Let me know the status.
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 150 total points
ID: 33434102
>I'm not comfortable going to 8.3(x) yet because it has some crazy changes that I'm not ready to deal with.
Agree!!

But, from 8.04 to 8.23 should not have changed functionality..

From Anoop's post
>access-list split permit ip 10.100.10.0 255.255.255.0 any

Should be
access-list split standard permit 10.100.10.0 255.255.255.0

Get RID of these:  !!
>crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
>crypto map inside_map interface inside
>crypto isakmp enable inside

What is breaking? The Authentication?

>I downgraded back to 8.04, and still no dice.
so, what version is running now? Can you post your 8.04 config if it is the current one?


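Added here as a small config-lint example, not code from the thread, from Cisco, or from either expert: it scans an ASA 8.2-style running config for the pitfalls the two answers above raise (VPN pool lying inside the LAN subnet and whether the nat 0 exemption covers it, crypto map and ISAKMP bound to the inside interface, no explicit nat-traversal, split-tunnel ACL written as extended). The config excerpt is constructed to mirror this thread, the function names are mine, and the ACL parser only handles the ACL forms that appear on this page.

```python
"""Lint an ASA 8.2-style running config for the remote-access VPN pitfalls
discussed in this thread. Constructed example; not ASA or thread code."""
import ipaddress
import re

# Constructed excerpt reproducing the thread's setup (not the full config).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.100.10.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 67.107.12.62 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 10.100.10.192 255.255.255.224
access-list split extended permit ip 10.100.10.0 255.255.255.0 any
ip local pool VPN 10.100.10.200-10.100.10.210 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map interface outside
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
group-policy vpnclients attributes
 split-tunnel-network-list value split
"""


def interface_subnets(cfg):
    """Map each nameif to the network configured on that interface."""
    nets, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            ip, mask = line.split()[2:4]
            nets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets


def pool_range(cfg):
    """Return (name, first, last) for the first 'ip local pool' line."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)
    return m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))


def acl_dst_nets(cfg, acl):
    """Destination networks an ACL permits; handles 'any' and 'NET MASK' only."""
    nets = []
    for m in re.finditer(rf"^access-list {re.escape(acl)} .*permit .*$", cfg, re.M):
        toks = m.group(0).split()
        if toks[-1] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            nets.append(ipaddress.ip_network(f"{toks[-2]}/{toks[-1]}", strict=False))
    return nets


def lint(cfg):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    pool, first, last = pool_range(cfg)
    for nameif, net in interface_subnets(cfg).items():
        if first in net or last in net:
            findings.append(f"pool {pool} overlaps {nameif} subnet {net}")
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    exempt = acl_dst_nets(cfg, m.group(1)) if m else []
    if not all(any(a in n for n in exempt) for a in (first, last)):
        findings.append(f"pool {pool} is not covered by the nat 0 exemption ACL")
    for pat, msg in ((r"^crypto map \S+ interface inside", "crypto map bound to inside"),
                     (r"^crypto isakmp enable inside", "isakmp enabled on inside")):
        if re.search(pat, cfg, re.M):
            findings.append(msg + " (remove unless tunnels terminate there)")
    if not re.search(r"^crypto isakmp nat-traversal", cfg, re.M):
        findings.append("nat-traversal not set explicitly; clients behind NAT may not pass traffic")
    s = re.search(r"^ split-tunnel-network-list value (\S+)", cfg, re.M)
    if not s:
        findings.append("no split-tunnel ACL: all client traffic is tunnelled, Internet will fail")
    elif re.search(rf"^access-list {re.escape(s.group(1))} extended ", cfg, re.M):
        findings.append(f"split-tunnel ACL {s.group(1)} is extended; use a standard ACL")
    return findings
```

Moving the pool to a new block, as the accepted answer does, also means the nat 0 exemption ACL must be extended to the new range, or the lint (and the firewall) will still reject the return traffic.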
 
LVL 79

Expert Comment

by:lrmoore
ID: 33434111
In the GUI, try enabling TCP/10000 NAT transparency
(under Advanced| IPSEC | IKE Parameters)
Then on the client, check Transport tab and enable TCP 10000 instead of UDP
 

Author Comment

by:GigaBoyMBZ
ID: 33434375
First, I want to thank you all for your comments/suggestions...I really appreciate it. I am going to see which of these suggestions works (probably a combination of all of them from the way it looks).
To willbaclimon: Yes, I downgraded and used the old config, but then upgraded to 8.2(3) because I saw no relevant configuration changes, etc. listed in the Release Notes.

To anoopkmr:
VPN ERROR? Not really, I don't get an error when connecting to VPN (it takes LDAP username/password); it just doesn't allow network resources to work (exchange, mapped drives, etc.)
IP Pool? You think I should use a totally different subnet or would it be ok to just assign a new "block" of IP's?
No Internet: I will run the command and see what happens when I test the VPN again...
 
To lrmoore:
8.3(x) -  The whole "migrate configuration settings" thing looks like it can be very complicated, and since so much changes, it would probably "break" things really easily, or maybe it would be better to upgrade but with a CLEAN/FRESH config...it's just looks very unfamiliar to me because of the way CISCO mapped things out...I will probably stay with 8.2(x) at the most...
From anoopkmr's post - I will drop the "any"...that looks more correct
Crypto Map - honestly, I don't remember doing these...what's the easiest way to blow them out? What would they affect both implemented or removed?
What's Breaking? Honestly, I don't know what's breaking because I don't get any errors or anything...It appears that the authentication is working because it takes the users LDAP credentials and connects almost instantly.
8.04 config - I downgraded to 8.04 with the backed-up/working config, and upgraded to 8.2(3)...the 8.04 config no longer worked after reloading it...dunno why. (I know, probably shouldn't have just done it either...that one's on me)
TCP/10000 - Should I do this before or after the multi-command suggestion from anoopkmr? or does it not matter? do I need to change the setting in the VPN profile on the clients?
 

Author Comment

by:GigaBoyMBZ
ID: 33434667
UPDATE: Internet/Web access now works over the VPN! Nice anoopkmr! You will get the points for that one...
Now, I just need the rest to work. lol. thanks in advance for any additional assistance. I do appreciate it!
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 350 total points
ID: 33435432

There is a typo in my command; it has to be like this:
access-list split extended permit ip 10.100.10.0 255.255.255.0 any  (my old command will also work; it will automatically take the rule as extended.)

Or you can go ahead with lrmoore's version.

Now the problem is you can't pass traffic over the VPN; it could be the NAT transparency.

Did you create a new VPN pool? Did you try my commands?
crypto isakmp nat-traversal 60
sysopt connection permit-vpn

Show me the output of

show crypto ipsec sa  (related to your VPN client)
 

Author Closing Comment

by:GigaBoyMBZ
ID: 33470089
Thanks so much guys...I appreciate it.

I don't know why it won't let me assign any additional points (because I promised an additional 500 for solving the internet issue)...

Is there a way I can like "send" you both additional points or something?