Need to allow VPN thru a Cisco ASA 5510

I have a Cisco ASA 5510 setting between 2 CIsco 2800's. I need to open up a vpn connection from some of our Technicians to VPN into client sites.

{Internet}-------[CISCO 2800]---------<CISCO ASA 5510> -----[Cisco 2800]-------(switch)---Users

Please be detailed in your explanation as I inherited this position from the network admin who left... I am more of a break fix guy
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

HB-ITAuthor Commented:
All that just to allow a user inside our network to vpn to a client outside our network.

AARGH - Was hoping it was just a port or setting I needed to change...

Will give it a shot tomorrow
in that case u need to allow some port on asa
Webinar: What were the top threats in Q2 2018?

Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that describes and analyzes the top threat trends impacting companies around the world. Are you ready to learn more about the top threats of Q2 2018? Register for our Sept. 26th webinar to learn more!

HB-ITAuthor Commented:
I had guessed as much... Anyone know what port or setting?


allow any request comming from the user to outside internet on port udp port 500
allow any request comming from the user to outside internet on port udp port 4500
allow any request comming from the user to outside internet on port udp port 10000 UDP
for example

access-list acl-in permit udp host <user ip> any eq 500
 access-list acl-in permit udp host <user ip> any eq 4500
access-list acl-in permit udp host <user ip>  eq 4500 any
access-list acl-in permit udp host <user ip> any eq 10000
access-list acl-in permit udp host <user ip>  eq 10000 any
HB-ITAuthor Commented:
and I would find this where exactly...
Told you I was more of a break fix kinda guy
sorry man , i didn't get u ?
HB-ITAuthor Commented:
where do i look on the ASA5510 to make these changes
just login to ASA  


once prompted type the password


show access-list
show access-group

please provide me the output, so that I can tell u
HB-ITAuthor Commented:
here you go
when I do Access-Group it errors
can u paste the out put in notepad and upload

if u can type  

show run

it will give all the informatons
HB-ITAuthor Commented:
Here you go:

User Access Verification

Type help or '?' for a list of available commands.
ciscoasa> enable
Password: *************
ciscoasa# show run
: Saved
ASA Version 7.1(2)
hostname ciscoasa
domain-name hbmcclure.local
enable password BQhulxZLvuLN.tza encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd /iZ5xDvy1Zd6jqaE encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name hbmcclure.local
dns server-group HBDNS
 domain-name hbmcclure.local
object-group service MOM tcp-udp
 description Microsoft Operations Manager
 port-object range 1270 1270
object-group service NAT-T udp
 description NAT-T
 port-object range 4500 4500
object-group service IPSec_UDP udp
 description IPSec over UDP for Remote Access VPN
 port-object range 10000 10000
access-list in0 extended permit tcp any host eq smtp
access-list in0 extended permit tcp any host eq https
access-list cscin extended permit ip any
access-list cscin extended permit ip any
access-list hbmcclurevpn_splitTunnelAcl standard permit
access-list natvpn extended permit ip 255.255.2
access-list OUT extended deny tcp any any eq rtsp inactive
access-list OUT extended deny tcp any any eq pop3 inactive
access-list OUT extended permit ip any any
access-list TEST standard permit host
pager lines 24
logging enable
logging buffer-size 8192
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool hbmcclurevpn mask
ip verify reverse-path interface outside
icmp permit any outside
icmp deny any outside
icmp permit any inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list natvpn
nat (inside) 1
nat (inside) 1
static (inside,outside) tcp https https netmask 255.255
static (inside,outside) tcp smtp smtp netmask 255.255.2
access-group in0 in interface outside
access-group OUT in interface inside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server hbmcclure protocol radius
aaa-server hbmcclure host
 key cisco123
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 70
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
  functions url-entry file-access
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not
 been met or due to some specific group policy, you do not have permission to us
e any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy hbmcclurevpn internal
group-policy hbmcclurevpn attributes
 wins-server value
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value hbmcclurevpn_splitTunnelAcl
 default-domain value hbdomain.local
username gdcllcmin password P2K..irgPV0wbZX0 encrypted
http server enable
http outside
http outside
http inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group hbmcclurevpn type ipsec-ra
tunnel-group hbmcclurevpn general-attributes
 address-pool hbmcclurevpn
 authentication-server-group hbmcclure
 default-group-policy hbmcclurevpn
tunnel-group hbmcclurevpn ipsec-attributes
 pre-shared-key *
telnet outside
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh outside
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd lease 3600
dhcpd ping_timeout 50
class-map cscmapin
 match access-list cscin
policy-map cscpolin
 class cscmapin
  csc fail-open
policy-map global-policy
 description CSC SSM Filter
 class class-default
  csc fail-open
service-policy global-policy global
service-policy cscpolin interface inside
 svc enable
: end
can u tell me the user IP:

i can see FW is already allowed for all the IP traffic .

still the user can't connect ?  
HB-ITAuthor Commented:
I cannot even VPN out to the site
The site we need to connect to is:
u r trying from which ip ? or ?

how u are accessing the VPN server at 208.x.x. , I mean any vpn client ?

did u diable the firewall client on the PC
HB-ITAuthor Commented:
From Windows 7 VPN
kindly show me the error that u r getting at PC side ? try to enable the log on the client and give me the output .
HB-ITAuthor Commented:
the txt is attached its a long file
i will check the config of asa, meanwhile please give me the answer to below question

kindly show me the error that u r getting at PC side ? try to enable the log on the client and give me the output .
ur asa config is fine
HB-ITAuthor Commented:
Here is what I do...

ur firewall is passing the traffic corectly , thats what u r getting authentication propmpt .

need to check whether ur VPN client config is matching with other end ( vpn server)

cross check ur client config with vpn server > it should match.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.