  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1681

Cisco 5510 VPN client setup

I used the wizard to try and quickly configure our ASA5510 to accept VPN connections from the Cisco VPN client.

Here is the current config.

ASA Version 8.2(1)
!
hostname ASA
domain-name default.domain.invalid
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 5.5.5.5 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Outside-In extended permit icmp any any
access-list 101 extended permit ip any 192.168.8.0 255.255.255.0
access-list 101 extended permit ip 192.168.8.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 101 extended permit ip 192.168.8.0 255.255.255.0 192.168.160.0 255.255.255.0
access-list 102 extended permit ip 192.168.8.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list 103 extended permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
ip local pool VPNPool 192.168.160.1-192.168.160.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list 101
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 5.5.5.6 192.168.8.220 netmask 255.255.255.255
access-group Outside-In in interface Outside
route Outside 0.0.0.0 0.0.0.0 5.5.5.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GGS esp-des esp-md5-hmac
crypto ipsec transform-set Vestal esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set GGS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNMAP 125 match address 102
crypto map VPNMAP 125 set peer 10.10.10.10
crypto map VPNMAP 125 set transform-set GGS
crypto map VPNMAP 126 match address 103
crypto map VPNMAP 126 set peer 12.12.12.12
crypto map VPNMAP 126 set transform-set Vestal
crypto map VPNMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNMAP interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 11000
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn3000 internal
group-policy vpn3000 attributes
 dns-server value 192.168.8.240 4.2.2.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value ggs.corp
username user1 password XXXXXXXXXXXXXXX encrypted privilege 15
username user2 password XXXXXXXXXXXXXXX encrypted privilege 0
username user2 attributes
 vpn-group-policy vpn3000
username user3 password XXXXXXXXXXXXXX encrypted privilege 0
username user3 attributes
 vpn-group-policy vpn3000
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
 pre-shared-key *
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 ipsec-attributes
 pre-shared-key *
tunnel-group vpn3000 type remote-access
tunnel-group vpn3000 general-attributes
 address-pool VPNPool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fd64811b293102765008d10e07e7eac5
: end
[OK]


When I run the client and try to connect, the log file returns:

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

48     21:18:40.106  11/17/10  Sev=Info/4      CM/0x63100002
Begin connection process

49     21:18:40.123  11/17/10  Sev=Info/4      CM/0x63100004
Establish secure connection

50     21:18:40.123  11/17/10  Sev=Info/4      CM/0x63100024
Attempt connection with server "5.5.5.5"

51     21:18:40.127  11/17/10  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 5.5.5.5.

52     21:18:40.133  11/17/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

53     21:18:40.137  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 5.5.5.5

54     21:18:40.280  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

55     21:18:40.280  11/17/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 5.5.5.5

56     21:18:40.280  11/17/10  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

57     21:18:40.281  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

58     21:18:40.281  11/17/10  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (172.19.13.98)

59     21:18:40.281  11/17/10  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (75.206.217.64)

60     21:18:40.281  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

61     21:18:40.281  11/17/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 5.5.5.5

62     21:18:40.282  11/17/10  Sev=Info/5      IKE/0x63000073
All fragments received.

63     21:18:40.282  11/17/10  Sev=Warning/2      IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

64     21:18:40.282  11/17/10  Sev=Info/4      IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

65     21:18:40.282  11/17/10  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

66     21:18:45.224  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

67     21:18:45.224  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 5.5.5.5

68     21:18:45.348  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

69     21:18:45.348  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

70     21:18:45.351  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

71     21:18:45.351  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

72     21:18:50.294  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

73     21:18:50.294  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 5.5.5.5

74     21:18:50.417  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

75     21:18:50.417  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

76     21:18:50.418  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

77     21:18:50.418  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

78     21:18:55.369  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

79     21:18:55.369  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 5.5.5.5

80     21:18:55.537  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

81     21:18:55.537  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

82     21:18:55.537  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 5.5.5.5

83     21:18:55.537  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

84     21:19:00.433  11/17/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A7B6807CE57AB138 R_Cookie=5F49D32CA22C3F93) reason = DEL_REASON_PEER_NOT_RESPONDING

85     21:19:00.947  11/17/10  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A7B6807CE57AB138 R_Cookie=5F49D32CA22C3F93) reason = DEL_REASON_PEER_NOT_RESPONDING

86     21:19:00.947  11/17/10  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "5.5.5.5" because of "DEL_REASON_PEER_NOT_RESPONDING"

87     21:19:00.947  11/17/10  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

88     21:19:00.963  11/17/10  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

89     21:19:00.963  11/17/10  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

90     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

91     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

92     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

93     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped


The VPN client never asks for a password.

Need some help to make this work.
stuart100
1 Solution
 
Pete LongConsultantCommented:
Here's the problem: https://supportforums.cisco.com/docs/DOC-3023

I notice all your phase 1 policies have DH group 1. You might want to try group 2.
 
stuart100Author Commented:
Group 2 setting did it.
 
Pete LongConsultantCommented:
:) thanq