

Cisco ASA5505 Client VPN

Posted on 2010-11-25
Medium Priority
Last Modified: 2012-05-10
Hi guys,

I am having some difficulty with a Cisco ASA VPN Client connection.

I configured the client VPN inbound to the ASA 5505 via the VPN wizard successfully and can connect to the ASA with the Cisco VPN client.

My problem is that we cannot reach the server inside. I've been scratching my head on this for a while and just can't see where it's falling down. Traffic just cannot traverse the ASA via the VPN.

The live logging says this (may be helpful):

3|Nov 25 2010|14:30:22|713042|||IKE Initiator unable to find policy: Intf outside, Src:, Dst:

And the full config:

ASA Version 7.2(4)
hostname XXX
name XX description XX RDP
name party1 description 3rd Party Access
name party2 description 3rd Party Access
name party3 description 3rd party access
name nmh description nmh vpn
name nmhnetwork
name MfNetwork
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group dsl
 ip address pppoe setroute
 ospf cost 10
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address
 ospf cost 10
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name MF.local
same-security-traffic permit intra-interface
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group service SMTPINBOUND tcp
 description SMTP Inbound
 port-object eq smtp
object-group service TRILOGY tcp-udp
 description XX
 port-object eq 5721
object-group network RDP2Server
 network-object host party2
 network-object host XX
 network-object host party1
 network-object host party3
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service HTTP tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_2
 network-object MfNetwork
 network-object host
access-list indide_access_out extended permit ip any any
access-list inside_access_in remark Allow Kaseya out
access-list inside_access_in extended permit object-group TCPUDP MfNetwork any object-group XX
access-list inside_access_in remark Mail Outbound
access-list inside_access_in extended permit tcp host any eq smtp
access-list inside_access_in remark Web Traffic Out
access-list inside_access_in extended permit tcp MfNetwork any eq www
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list inside_access_in extended permit tcp any host (IP) eq smtp
access-list inside_access_in extended permit tcp MfNetwork any eq https
access-list inside_access_in extended permit ip MfNetwork nmhnetwork
access-list inside_access_in extended permit ip nmhnetwork MfNetwork
access-list outside_access_in extended permit tcp object-group RDP2Server host object-group RDP
access-list outside_access_in extended permit tcp any any eq smtp
access-list inbound extended permit tcp any any eq ssh
access-list inbound extended permit tcp any any eq https
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host (IP) eq smtp
access-list outside_1_cryptomap extended permit ip MfNetwork
access-list outside_1_cryptomap extended permit ip MfNetwork
access-list inside_nat0_outbound extended permit ip any host (IP)
access-list inside_nat0_outbound extended deny ip any nmhnetwork
access-list inside_nat0_outbound extended permit ip host MfNetwork nmhnetwork
access-list inside_nat0_outbound extended permit ip interface outside host nmh
access-list inside_nat0_outbound extended permit ip MfNetwork host
access-list outside_nat0_outbound extended permit ip host nmh any
access-list RAVPNMF_splitTunnelAcl standard permit MfNetwork
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN-Pool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_1_cryptomap
nat (inside) 1
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface 3389 3389 netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http MfNetwork inside
http authentication-certificate inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set rtpset esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df inside
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer nmh
crypto map outside_map 1 set transform-set rtpset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
telnet inside
telnet timeout 20
ssh MfNetwork inside
ssh timeout 5
console timeout 0
vpdn group dsl request dialout pppoe
vpdn group dsl localname dmerrionfc@netsource.ie
vpdn group dsl ppp authentication chap
vpdn username dmerrionfc@XX password ********* store-local
dhcpd auto_config outside

group-policy RAVPNMF internal
group-policy RAVPNMF attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPNMF_splitTunnelAcl
 default-domain value MF.local
username trilogy password /XX encrypted privilege 0
username trilogy attributes
 vpn-group-policy RAVPNMF
username user_one password XX encrypted privilege 0
username user_one attributes
 vpn-group-policy RAVPNMF
username user_two password XX encrypted privilege 0
username user_two attributes
 vpn-group-policy RAVPNMF
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group RAVPNMF type ipsec-ra
tunnel-group RAVPNMF general-attributes
 address-pool VPN-Pool
 default-group-policy RAVPNMF
tunnel-group RAVPNMF ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Any help is greatly received!!!!

Question by:itfocus
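The symptom described in the question (the client authenticates and connects, but no traffic reaches the inside server) is, on an ASA running 7.x, very often a NAT-exemption gap: the `nat (inside) 0 access-list` line has to reference an ACL that exempts inside-network-to-VPN-pool traffic from translation, otherwise replies from the inside host are PATed out toward the client. In the posted config that line points at `outside_1_cryptomap`, the site-to-site crypto ACL, and nothing in the config mentions the pool. The script below is an added example, not part of the thread and not the accepted answer; it performs that static check against a constructed configuration fragment modelled on the posted one (documentation addresses and an assumed pool range, not the asker's real values), and shows the corrected form beside it.

```python
import ipaddress
import re

# Constructed sample mirroring the shape of the posted config. Addresses are
# documentation ranges, not the asker's. The nat 0 line points at the
# site-to-site crypto ACL, which never mentions the remote-access pool.
BROKEN_CONFIG = """\
ip local pool VPN-Pool 192.0.2.10-192.0.2.20 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list RAVPNMF_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
nat (inside) 0 access-list outside_1_cryptomap
nat (inside) 1 10.0.0.0 255.255.255.0
"""

# Corrected form (assumed fix, not quoted from the thread): nat 0 references a
# dedicated exemption ACL that also covers the pool's subnet as destination.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "nat (inside) 0 access-list outside_1_cryptomap",
    "nat (inside) 0 access-list inside_nat0_outbound",
) + "access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.0.2.0 255.255.255.0\n"

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def _endpoint(tokens):
    """Consume one ACE endpoint ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pools(cfg):
    """Map pool name -> (first address, last address) from 'ip local pool' lines."""
    pools = {}
    for line in cfg.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def parse_nat0(cfg):
    """Map interface name -> ACL name for every 'nat (ifc) 0 access-list X' line."""
    return {m.group(1): m.group(2) for m in map(NAT0_RE.match, cfg.splitlines()) if m}


def parse_ip_aces(cfg, acl_name):
    """Return (src_net, dst_net) for each 'permit ip' entry of acl_name written with plain addresses.
    Entries using names or object-groups are skipped, so the check stays conservative."""
    aces = []
    for line in cfg.splitlines():
        m = ACE_RE.match(line)
        if not m or m.group(1) != acl_name:
            continue
        try:
            src, rest = _endpoint(m.group(2).split())
            dst, _ = _endpoint(rest)
        except (ValueError, IndexError):
            continue  # name or object-group based entry; not resolvable here
        aces.append((src, dst))
    return aces


def check_nat_exemption(cfg, interface="inside"):
    """Report every address pool whose whole range is not a destination in the nat 0 ACL of interface."""
    acl = parse_nat0(cfg).get(interface)
    if acl is None:
        return [f"no 'nat ({interface}) 0 access-list' line: inside hosts will be translated toward VPN clients"]
    aces = parse_ip_aces(cfg, acl)
    findings = []
    for name, (first, last) in parse_pools(cfg).items():
        if not any(first in dst and last in dst for _, dst in aces):
            findings.append(f"pool {name} ({first}-{last}) is not exempted from NAT by ACL {acl}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_nat_exemption(cfg) or ["ok: pool is NAT-exempt"])
```

The check deliberately ignores entries written with `name` aliases or object-groups (the posted config uses both), so on a real config it reports a gap only when no plain-address entry covers the pool; resolve the names first or extend `_endpoint` before trusting a clean result. Split tunnelling is a separate condition: even with NAT exemption correct, `RAVPNMF_splitTunnelAcl` must include the inside network or the client never routes the server's subnet into the tunnel.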
LVL 58

Expert Comment

by:Pete Long
ID: 34214789

Author Comment

ID: 34216377
Hi Pete,

No joy I'm afraid... the problem remains!
LVL 58

Accepted Solution

Pete Long earned 1500 total points
ID: 34216870
Does the client connect? What error do you see?

Did you tick all these boxes? http://www.petenetlive.com/KB/Article/0000070.htm

Author Closing Comment

ID: 34248561
The offered solution was good and definitely got us to a point where we could get things flowing.

Appreciate the help Pete.
