Solved

ASA 5505 Remote VPN Assistance

Posted on 2011-03-09
Last Modified: 2012-05-11
Cannot connect with the VPN Client Version 5.0.05.0290

Please Help!

Show Ver:
ciscoasa# show ver

Cisco Adaptive Security Appliance Software Version 8.2(4)
Device Manager Version 6.4(1)

Compiled on Tue 14-Dec-10 12:00 by builders
System image file is "disk0:/asa824-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 55 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Int: Internal-Data0/0    : address is 001d.70ff.e4ad, irq 11
 1: Ext: Ethernet0/0         : address is 001d.70ff.e4a5, irq 255
 2: Ext: Ethernet0/1         : address is 001d.70ff.e4a6, irq 255
 3: Ext: Ethernet0/2         : address is 001d.70ff.e4a7, irq 255
 4: Ext: Ethernet0/3         : address is 001d.70ff.e4a8, irq 255
 5: Ext: Ethernet0/4         : address is 001d.70ff.e4a9, irq 255
 6: Ext: Ethernet0/5         : address is 001d.70ff.e4aa, irq 255
 7: Ext: Ethernet0/6         : address is 001d.70ff.e4ab, irq 255
 8: Ext: Ethernet0/7         : address is 001d.70ff.e4ac, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Show Run:
ciscoasa# show run
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.10.10-10.10.10.15
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.X.X.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.X.X.0 255.255.255.192 outside
ssh 65.X.X.2 255.255.255.255 outside
ssh 173.X.X.77 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Lawrence password UqxtX.iTNtwfRyZn encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:02d476eefbb306162bd9003e4358fe8b
: end
Question by:agruber85
12 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 35094765
Nothing jumps out at me from your config.  What is the symptom?  Can you not connect at all?  If so, can you do a debug on the ASA to try to identify where it's failing?  Or does it connect but you can't get to anything?
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 250 total points
ID: 35096991


Looks like NAT is your problem: you are NATing everything, including your remote VPN pool. Add a NAT exemption (nat 0) so you do not NAT traffic to the VPN pool.

nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0  (adjust mask as necessary)

harbor235 ;}

0
 

Author Comment

by:agruber85
ID: 35097015
debug crypto isakmp
ciscoasa# Mar 10 06:43:10 [IKEv1]: IP = 65.X.X.2, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'Lawrence'.
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 250 total points
ID: 35097070


Your tunnel group name is vtctunnelgroup and your pre-shared key is whatever you set it to. In the config of the client you set the group name and pre-shared key; once that is accepted you will be prompted for user auth, which will be Lawrence and your password.

I still think you will have problems once connected because of the NAT statements.

harbor235 ;}
0
 

Author Comment

by:agruber85
ID: 35097126
The ASA didn't accept the access-list nonat context. Does my client setup look correct, or look like it matches the vtctunnelgroup?
0
 

Author Comment

by:agruber85
ID: 35097196
Ok, I figured out the NAT context! Still no connection to the ASA.


ASA Version 8.2(4)
!
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list nonat extended permit ip host 10.10.10.0 255.255.255.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.10.10-10.10.10.15
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.X.X.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.X.X.0 255.255.255.192 outside
ssh 65.X.X.2 255.255.255.255 outside
ssh 173.X.X.77 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Lawrence password UqxtX.iTNtwfRyZn encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9b06c77db320fea8f453033db8d9ecab
0
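A check for the NAT-exemption problem harbor235 raises above and the poster's first attempt at a nonat ACL, written as an added example (not the thread's own code and not ASA CLI): it parses `ip local pool`, `nat (ifc) 0 access-list` and the referenced `access-list ... permit ip` entries from an ASA 8.2-style config and reports pool addresses that no exemption's destination covers. The three config excerpts are constructed for this example and modelled on the thread.

```python
import ipaddress
# Constructed ASA 8.2 excerpts modelled on the thread (not the poster's full config): POSTED has no
# exemption, ATTEMPT is the poster's first ACL (does not describe the pool), FIXED exempts inside->pool.
POSTED = """ip local pool vtcpool 10.10.10.10-10.10.10.15
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0"""
ATTEMPT = POSTED + """
access-list nonat extended permit ip host 10.10.10.0 255.255.255.0 255.255.255.192
nat (inside) 0 access-list nonat"""
FIXED = POSTED + """
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240
nat (inside) 0 access-list nonat"""
def _net(t, i):
    """Parse one ASA address spec at t[i] ('any', 'host A' or 'A MASK'); return (network, next i)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1]), i + 2
    return ipaddress.IPv4Network((t[i], t[i + 1]), strict=False), i + 2

def nat0_destinations(config):
    """Destination networks of every ACL referenced by a 'nat (ifc) 0 access-list NAME' line."""
    lines = [l.split() for l in config.splitlines()]
    exempt = {t[4] for t in lines if t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]}
    dests = []
    for t in lines:
        if len(t) < 2 or t[0] != "access-list" or t[1] not in exempt or "permit" not in t:
            continue
        i = t.index("permit") + 1
        if t[i:i + 1] != ["ip"]:
            continue                   # nat 0 exemption only concerns 'permit ip' entries
        try:
            _, i = _net(t, i + 1)      # source: the inside network
            dst, _ = _net(t, i)        # destination: should cover the VPN pool
        except (ValueError, IndexError):
            continue                   # malformed entry exempts nothing
        dests.append(dst)
    return dests

def unexempted_pool_addresses(config):
    """Per pool, the addresses no nat 0 destination covers; replies to those clients would be PAT'd."""
    dests = nat0_destinations(config)
    missing = {}
    for t in (l.split() for l in config.splitlines()):
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in t[4].split("-"))
            left = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)
                    if not any(ipaddress.IPv4Address(n) in d for d in dests)]
            missing[t[3]] = left
    return missing
```

Only the destination side of the exemption is checked here; the source should still be the inside network (192.168.1.0/24 in this thread), which the ATTEMPT line also gets wrong.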
 
LVL 32

Expert Comment

by:harbor235
ID: 35097362


You need to make sure your VPN client config reflects your vtctunnelgroup and pre-shared key; this is not your user password. Once the VPN client config is accepted it will then bring up a window asking for user auth. Do not confuse the two. Do you understand what I mean? You are inputting Lawrence in the group access name field; this should be vtctunnelgroup and the pre-shared key that is in the config under tunnel-group:

tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****

harbor235 ;}
0
 

Author Comment

by:agruber85
ID: 35097514
Mar 10 07:19:49 [IKEv1]: Group = vtctunnelgroup, IP = 65.X.X.2, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
Mar 10 07:19:49 [IKEv1]: Group = vtctunnelgroup, IP = 65.X.X.2, Information           Exchange processing failed

I changed the username and password as you stated but still get this message.
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 250 total points
ID: 35097727

Not the username and password; you need to change the pre-shared key under the tunnel group.

harbor235 ;}
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 250 total points
ID: 35097751


asa# config t
asa(config)# tunnel-group vtctunnelgroup ipsec-attributes
asa(config-tunnel-ipsec)# pre-shared-key <enter new pre-shared key here>

harbor235 ;}
0
 

Accepted Solution

by:
agruber85 earned 0 total points
ID: 35098840
Harbor,

You are indeed the genius. The problem was my vtctunnelgroup password and NAT argument.

For testing I set the password to V0ic3L@b! and after I changed it to a more normal password I connected right up.

Thanks for your help!
0
 

Author Closing Comment

by:agruber85
ID: 35135878
Harbor235 was an excellent help.
0