
Cisco 5510 VPN client setup

Posted on 2010-11-17
Last Modified: 2012-05-10
I used the wizard to try and quickly configure our ASA5510 to accept VPN connections from the Cisco VPN client.

Here is the current config.

ASA Version 8.2(1)
!
hostname ASA
domain-name default.domain.invalid
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 5.5.5.5 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Outside-In extended permit icmp any any
access-list 101 extended permit ip any 192.168.8.0 255.255.255.0
access-list 101 extended permit ip 192.168.8.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 101 extended permit ip 192.168.8.0 255.255.255.0 192.168.160.0 255.255.255.0
access-list 102 extended permit ip 192.168.8.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list 103 extended permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
ip local pool VPNPool 192.168.160.1-192.168.160.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list 101
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 5.5.5.6 192.168.8.220 netmask 255.255.255.255
access-group Outside-In in interface Outside
route Outside 0.0.0.0 0.0.0.0 5.5.5.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GGS esp-des esp-md5-hmac
crypto ipsec transform-set Vestal esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set GGS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNMAP 125 match address 102
crypto map VPNMAP 125 set peer 10.10.10.10
crypto map VPNMAP 125 set transform-set GGS
crypto map VPNMAP 126 match address 103
crypto map VPNMAP 126 set peer 12.12.12.12
crypto map VPNMAP 126 set transform-set Vestal
crypto map VPNMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNMAP interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 11000
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn3000 internal
group-policy vpn3000 attributes
 dns-server value 192.168.8.240 4.2.2.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value ggs.corp
username user1 password XXXXXXXXXXXXXXX encrypted privilege 15
username user2 password XXXXXXXXXXXXXXX encrypted privilege 0
username user2 attributes
 vpn-group-policy vpn3000
username user3 password XXXXXXXXXXXXXX encrypted privilege 0
username user3 attributes
 vpn-group-policy vpn3000
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
 pre-shared-key *
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 ipsec-attributes
 pre-shared-key *
tunnel-group vpn3000 type remote-access
tunnel-group vpn3000 general-attributes
 address-pool VPNPool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fd64811b293102765008d10e07e7eac5
: end
[OK]


When I run the client and try to connect, the log file returns:

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

48     21:18:40.106  11/17/10  Sev=Info/4      CM/0x63100002
Begin connection process

49     21:18:40.123  11/17/10  Sev=Info/4      CM/0x63100004
Establish secure connection

50     21:18:40.123  11/17/10  Sev=Info/4      CM/0x63100024
Attempt connection with server "5.5.5.5"

51     21:18:40.127  11/17/10  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 5.5.5.5.

52     21:18:40.133  11/17/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

53     21:18:40.137  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 5.5.5.5

54     21:18:40.280  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

55     21:18:40.280  11/17/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 5.5.5.5

56     21:18:40.280  11/17/10  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

57     21:18:40.281  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

58     21:18:40.281  11/17/10  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (172.19.13.98)

59     21:18:40.281  11/17/10  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (75.206.217.64)

60     21:18:40.281  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

61     21:18:40.281  11/17/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 5.5.5.5

62     21:18:40.282  11/17/10  Sev=Info/5      IKE/0x63000073
All fragments received.

63     21:18:40.282  11/17/10  Sev=Warning/2      IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

64     21:18:40.282  11/17/10  Sev=Info/4      IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

65     21:18:40.282  11/17/10  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

66     21:18:45.224  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

67     21:18:45.224  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 5.5.5.5

68     21:18:45.348  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

69     21:18:45.348  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

70     21:18:45.351  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

71     21:18:45.351  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

72     21:18:50.294  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

73     21:18:50.294  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 5.5.5.5

74     21:18:50.417  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

75     21:18:50.417  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

76     21:18:50.418  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

77     21:18:50.418  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

78     21:18:55.369  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

79     21:18:55.369  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 5.5.5.5

80     21:18:55.537  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

81     21:18:55.537  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

82     21:18:55.537  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

83     21:18:55.537  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

84     21:19:00.433  11/17/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A7B6807CE57AB138 R_Cookie=5F49D32CA22C3F93) reason = DEL_REASON_PEER_NOT_RESPONDING

85     21:19:00.947  11/17/10  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A7B6807CE57AB138 R_Cookie=5F49D32CA22C3F93) reason = DEL_REASON_PEER_NOT_RESPONDING

86     21:19:00.947  11/17/10  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "5.5.5.5" because of "DEL_REASON_PEER_NOT_RESPONDING"

87     21:19:00.947  11/17/10  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

88     21:19:00.963  11/17/10  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

89     21:19:00.963  11/17/10  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

90     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

91     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

92     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

93     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped


The VPN client never asks for a password.

Need some help to make this work.
Question by:stuart100
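The client log above already says a lot once you know what to look for. The password prompt is XAUTH, which only happens after IKE phase 1 has completed, so "never asks for a password" is exactly what a phase-1 failure looks like. The ASA is reachable (every aggressive-mode send gets an ISAKMP packet back), but what comes back is a fragmented INFO message the client cannot parse ("Invalid SPI size", "malformed message"), never a usable aggressive-mode reply, and after three retransmits the client gives up with DEL_REASON_PEER_NOT_RESPONDING. That pattern points at the head end rejecting the proposal, not at a routing or filtering problem. The following is an added example, not code from the post or from Cisco: a small Python parser for this two-line log record format plus a triage routine that separates "peer silent on UDP/500" from "peer answered but phase 1 never agreed". SAMPLE_LOG is constructed from a subset of the records quoted in the question; the verdict strings and the Event fields are this example's own names.

```python
"""IKE phase-1 triage for a Cisco IPsec VPN Client (5.x) log.

Added example, not code from the original post. The client writes each record
as a header line (sequence, time, date, Sev=Level/N, Component/0xCode) followed
by the message on the next line; this parses that and classifies the failure.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed from the client log in the question (a subset of its records).
SAMPLE_LOG = """\
52     21:18:40.133  11/17/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

53     21:18:40.137  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 5.5.5.5

54     21:18:40.280  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

55     21:18:40.280  11/17/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 5.5.5.5

63     21:18:40.282  11/17/10  Sev=Warning/2      IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

65     21:18:40.282  11/17/10  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

66     21:18:45.224  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

67     21:18:45.224  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 5.5.5.5

68     21:18:45.348  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

69     21:18:45.348  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

78     21:18:55.369  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

79     21:18:55.369  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 5.5.5.5

86     21:19:00.947  11/17/10  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "5.5.5.5" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>\S+)\s+"
    r"Sev=(?P<level>\w+)/(?P<num>\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
FAILURE = re.compile(
    r'Unable to establish Phase 1 SA with server "(?P<peer>[^"]+)" because of "(?P<reason>[^"]+)"'
)


@dataclass
class Event:
    seq: int
    level: str       # Info or Warning
    component: str   # CM, IKE, IPSEC
    code: str
    message: str


def parse_log(text: str) -> list[Event]:
    """Pair each header line with the first non-empty line that follows it."""
    lines = text.splitlines()
    events: list[Event] = []
    for i, line in enumerate(lines):
        m = HEADER.match(line.strip())
        if not m:
            continue
        message = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
        events.append(Event(int(m["seq"]), m["level"], m["comp"], m["code"], message))
    return events


def triage(events: list[Event]) -> dict:
    """Classify a phase-1 failure from what the client sent and what it got back."""
    sent = sum(e.message.startswith("SENDING >>> ISAKMP OAK AG") for e in events)
    retransmits = sum(e.message.startswith("Retransmitting last packet") for e in events)
    received = sum(e.message.startswith("Received ISAKMP packet") for e in events)
    warnings = [e.message for e in events if e.level == "Warning"]
    peer = reason = None
    for e in events:
        m = FAILURE.search(e.message)
        if m:
            peer, reason = m["peer"], m["reason"]
    if reason is None:
        verdict = "no_phase1_failure"
    elif received == 0:
        # Nothing at all came back on UDP/500: routing, an upstream filter or a wrong peer address.
        verdict = "peer_unreachable"
    elif reason == "DEL_REASON_PEER_NOT_RESPONDING":
        # The peer answered, just never with a usable aggressive-mode reply: check the head end's
        # phase-1 policies (DH group, cipher, hash, auth) and the tunnel-group name / pre-shared key.
        verdict = "reachable_no_phase1_agreement"
    else:
        verdict = "other:" + reason
    return {"peer": peer, "reason": reason, "sent": sent, "retransmits": retransmits,
            "received": received, "warnings": warnings, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as-is and the verdict for the sample is reachable_no_phase1_agreement with three aggressive-mode sends and two replies that only produced warnings; feed it a log where nothing was ever received and it reports peer_unreachable instead, which sends you to routing and ACLs rather than to the crypto policies.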
4 Comments
 

Accepted Solution

by:Pete Long
ID: 34163818
Here's the problem: https://supportforums.cisco.com/docs/DOC-3023

I notice all your phase 1 policies have DH group 1 - you might want to try group 2
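The fix in the accepted answer comes down to one phase-1 attribute: the Cisco IPsec VPN Client proposes DH group 2 in its aggressive-mode SA payload and does not offer group 1, so a head end whose only `crypto isakmp policy` entries are group 1 has nothing it can accept, and the exchange collapses the way the client log shows. What follows is an added example, not code from the thread, the ASA, or Cisco: a Python audit that pulls the `crypto isakmp policy` blocks out of running-config text, checks whether any of them offers a group the client proposes, and separately flags DES, MD5 and group 1 as weak and `no crypto isakmp nat-traversal` as a problem for any client sitting behind NAT (that line is in the question's config and will bite once phase 1 works, even though it is not what broke it here). ORIGINAL is the policy section copied from the config in the question, minus policy 70, which is identical to policy 60 except for its lifetime. FIXED is constructed: it adds a group-2 policy using AES-256 and SHA-1, which the client supports, moves policy 90 to group 2 and SHA-1, leaves policy 60 untouched on the assumption that it matches what one of the site-to-site peers sends and must be changed in step with that peer, and turns NAT traversal back on. The function names, the CLIENT_DH_GROUPS constant and the finding texts are this example's own.

```python
"""Audit ASA 8.2 IKEv1 phase-1 policies for Cisco IPsec VPN Client compatibility.

Added example, not the ASA's own tooling or code from the thread. Parses the
"crypto isakmp policy" blocks out of running-config text and reports which
policy set the client can actually negotiate with, plus weak settings.
"""
from __future__ import annotations
import re

# The Cisco IPsec VPN Client proposes DH group 2 for phase 1 and does not offer
# group 1 (the thread's fix). Assumption to verify against your client version:
# later clients may also offer group 5; add "5" here if yours does.
CLIENT_DH_GROUPS = {"2"}
# Flagged regardless of compatibility: these are weak by any current standard.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
POLICY_HDR = re.compile(r"^crypto isakmp policy (\d+)$")


def parse_isakmp_policies(config: str) -> dict[int, dict[str, str]]:
    """Collect the indented attribute lines under each 'crypto isakmp policy N'."""
    policies: dict[int, dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()                 # pasted configs often carry trailing spaces
        m = POLICY_HDR.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None                  # any other top-level line ends the block
    return policies


def nat_traversal_disabled(config: str) -> bool:
    """True when the config carries the explicit 'no crypto isakmp nat-traversal' line."""
    return any(l.strip() == "no crypto isakmp nat-traversal" for l in config.splitlines())


def audit(config: str) -> dict:
    policies = parse_isakmp_policies(config)
    findings: list[str] = []
    client_ok = False
    for prio, p in sorted(policies.items()):
        if p.get("group") in CLIENT_DH_GROUPS:
            client_ok = True
        for attr, bad in WEAK.items():
            if p.get(attr) in bad:
                findings.append(f"policy {prio}: {attr} {p[attr]} is weak")
    if not client_ok:
        findings.append("no phase-1 policy offers a DH group the Cisco VPN Client proposes; "
                        "the client's aggressive-mode proposal can never match")
    if nat_traversal_disabled(config):
        findings.append("NAT traversal is disabled; clients behind NAT cannot complete IPsec")
    return {"policies": policies, "client_compatible": client_ok, "findings": findings}


# Copied from the question's config (policy 70, same as 60 but for lifetime, omitted).
ORIGINAL = """\
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
no crypto isakmp nat-traversal
"""

# Constructed: group-2 policy added, policy 90 moved to group 2 / SHA-1, NAT-T re-enabled.
FIXED = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
"""

if __name__ == "__main__":
    for name, cfg in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED)):
        print(name, audit(cfg))
```

Against ORIGINAL the audit reports no client-compatible policy and NAT traversal off, plus the weak-setting findings; against FIXED only the policy 60 findings remain, which is the reminder that the site-to-site peer on DES/MD5/group 1 still needs its own upgrade, negotiated with the other side.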

Author Closing Comment

by:stuart100
ID: 34164417
Group 2 setting did it.

Expert Comment

by:Pete Long
ID: 34165003
:) thank you