ASA 5505 Remote VPN Assistance

Cannot connect with the VPN Client Version 5.0.05.0290

Please Help!

Show Ver:
ciscoasa# show ver

Cisco Adaptive Security Appliance Software Version 8.2(4)
Device Manager Version 6.4(1)

Compiled on Tue 14-Dec-10 12:00 by builders
System image file is "disk0:/asa824-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 55 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Int: Internal-Data0/0    : address is 001d.70ff.e4ad, irq 11
 1: Ext: Ethernet0/0         : address is 001d.70ff.e4a5, irq 255
 2: Ext: Ethernet0/1         : address is 001d.70ff.e4a6, irq 255
 3: Ext: Ethernet0/2         : address is 001d.70ff.e4a7, irq 255
 4: Ext: Ethernet0/3         : address is 001d.70ff.e4a8, irq 255
 5: Ext: Ethernet0/4         : address is 001d.70ff.e4a9, irq 255
 6: Ext: Ethernet0/5         : address is 001d.70ff.e4aa, irq 255
 7: Ext: Ethernet0/6         : address is 001d.70ff.e4ab, irq 255
 8: Ext: Ethernet0/7         : address is 001d.70ff.e4ac, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Show Run:
ciscoasa# show run
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.10.10-10.10.10.15
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.X.X.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.X.X.0 255.255.255.192 outside
ssh 65.X.X.2 255.255.255.255 outside
ssh 173.X.X.77 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Lawrence password UqxtX.iTNtwfRyZn encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:02d476eefbb306162bd9003e4358fe8b
: end
Asked by agruber85

agruber85 (Author) Commented:
Harbor,

You are indeed the genius. The problem was my vtctunnelgroup password and NAT argument.

For testing I set the password to V0ic3L@b! and after I changed it to a more normal password I connected right up.

Thanks for your help!

John Meggers (Network Architect) Commented:
Nothing jumps out at me from your config. What is the symptom? Can you not connect at all? If so, can you do a debug on the ASA to try to identify where it's failing? Or does it connect but you can't get to anything?

harbor235 Commented:


Looks like NAT is your problem: you are NATing everything, including your remote VPN pool. Add a NAT exemption (nat 0) so you do not NAT the VPN pool.

nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0  (adjust networks and masks as necessary)

harbor235 ;}

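The NAT exemption advice above is easy to get wrong in two different ways: an ACE with invalid syntax (mixing "host" with a mask) is rejected by the ASA, so the nat 0 line ends up pointing at an empty ACL, while an ACE with valid syntax but the wrong networks is accepted and silently never matches the pool. The following checker is an added example, not code from the original thread or from Cisco. It parses the 8.2-style "ip local pool", "nat (ifc) 0 access-list" and "access-list ... permit ip" lines of a config and reports whether every address in each VPN pool is covered by a nat 0 destination. The four sample configs are constructed for the example; the ACL name NONAT and the inside subnet 192.168.1.0/24 in the "after" sample are assumptions, and object-groups and network names are not handled.

```python
"""Check that an ASA 8.2-style config exempts its remote-access VPN pool from NAT."""
import ipaddress
import re
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample: the NAT-relevant lines of the first config in the thread.
# There is no nat 0, so inside -> pool traffic is PATed to the outside interface.
CONFIG_BEFORE = """\
ip local pool vtcpool 10.10.10.10-10.10.10.15
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Constructed sample: 'host' combined with a mask is not valid ACE syntax, so the
# ASA rejects the line and the nat 0 statement references an ACL with no entries.
CONFIG_REJECTED = """\
ip local pool vtcpool 10.10.10.10-10.10.10.15
access-list NONAT permit ip host 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Constructed sample: syntactically valid (host + net/mask) but neither network
# contains the pool, so the exemption is accepted and never matches.
CONFIG_WRONG_NETS = """\
ip local pool vtcpool 10.10.10.10-10.10.10.15
access-list nonat extended permit ip host 10.10.10.0 255.255.255.0 255.255.255.192
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Constructed sample: the fix. ACL name and inside subnet are assumptions.
CONFIG_AFTER = """\
ip local pool vtcpool 10.10.10.10-10.10.10.15
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")


def _take_net(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Consume one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def analyze_nat_exemption(config: str) -> Dict[str, List[str]]:
    """Return pools not covered by a nat 0 ACL, plus ACL problems found on the way."""
    pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
    nat0_acls: List[str] = []
    acl_dsts: Dict[str, List[IPv4Net]] = {}
    malformed: List[str] = []

    for raw in config.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_acls.append(m.group(1))
            continue
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        i = 3 if tokens[2] == "extended" else 2
        if tokens[i:i + 2] != ["permit", "ip"]:
            continue  # deny ACEs, tcp/udp ACEs and remarks are not exemption candidates
        try:
            _src, i = _take_net(tokens, i + 2)  # source: the inside network
            dst, i = _take_net(tokens, i)       # destination: must contain the pool
        except (IndexError, ValueError):        # object-groups and names are not handled
            malformed.append(line)
            continue
        if i != len(tokens):                    # trailing tokens the ASA would reject
            malformed.append(line)
            continue
        acl_dsts.setdefault(tokens[1], []).append(dst)

    exempt = [net for acl in nat0_acls for net in acl_dsts.get(acl, [])]
    report: Dict[str, List[str]] = {
        "unexempted_pools": [],
        "malformed_acls": malformed,
        "missing_acls": [acl for acl in nat0_acls if acl not in acl_dsts],
    }
    for name, (first, last) in pools.items():
        # Exempt only if every address of the pool lies inside some nat 0 destination.
        blocks = ipaddress.summarize_address_range(first, last)
        if not all(any(b.subnet_of(n) for n in exempt) for b in blocks):
            report["unexempted_pools"].append(name)
    return report


if __name__ == "__main__":
    for label, cfg in [("before", CONFIG_BEFORE), ("rejected", CONFIG_REJECTED),
                       ("wrong-nets", CONFIG_WRONG_NETS), ("after", CONFIG_AFTER)]:
        print(label, analyze_nat_exemption(cfg))
```

Only the destination side of each ACE is checked, because with "nat (inside) 0" the ACL is evaluated with the inside host as source and the VPN client (pool address) as destination; an ACE that has the pool on the source side does not exempt that traffic.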
 
agruber85 (Author) Commented:
debug crypto isakmp
ciscoasa# Mar 10 06:43:10 [IKEv1]: IP = 65.X.X.2, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'Lawrence'.

harbor235 Commented:


Your tunnel-group name is vtctunnelgroup and your pre-shared key is whatever you set it to. In the client config you set the group name and pre-shared key; once that is accepted you will be prompted for user auth, which will be Lawrence and your password.

I still think you will have problems once connected because of the NAT statements.

harbor235 ;}

agruber85 (Author) Commented:
The ASA didn't accept the access-list nonat context. Does my client setup look correct, or does it look like it matches the vtctunnelgroup?

agruber85 (Author) Commented:
OK, I figured out the NAT context! Still no connection to the ASA.


ASA Version 8.2(4)
!
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.X.X.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list nonat extended permit ip host 10.10.10.0 255.255.255.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.10.10-10.10.10.15
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.X.X.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.X.X.0 255.255.255.192 outside
ssh 65.X.X.2 255.255.255.255 outside
ssh 173.X.X.77 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Lawrence password UqxtX.iTNtwfRyZn encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9b06c77db320fea8f453033db8d9ecab

harbor235 Commented:


You need to make sure your VPN client config reflects your vtctunnelgroup and pre-shared key; this is not your user password. Once the VPN client config is accepted it will bring up a window asking for user auth; do not confuse the two. Do you understand what I mean? You are inputting Lawrence in the group access name field; this should be vtctunnelgroup and the pre-shared key that is in the config under tunnel-group:

tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****

harbor235 ;}

agruber85 (Author) Commented:
Mar 10 07:19:49 [IKEv1]: Group = vtctunnelgroup, IP = 65.X.X.2, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
Mar 10 07:19:49 [IKEv1]: Group = vtctunnelgroup, IP = 65.X.X.2, Information Exchange processing failed

I changed the username and password as you stated but still get this message.

harbor235 Commented:

Not the username and password; you need to change the pre-shared key under the tunnel group.
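The two debug outputs in this thread (the "unknown tunnel group name" line from the first "debug crypto isakmp" run, and the "pre-shared key mismatch" lines above) are the two signatures that distinguish a wrong group name from a wrong group password in the Cisco VPN Client. The classifier below is an added example, not part of the original thread or of any Cisco tool: it parses the IKEv1 debug header, attaches a diagnosis and the corresponding client-side fix to each line, and returns the first actionable cause while ignoring the "Information Exchange processing failed" follow-on. The sample log is constructed from the lines quoted in the thread, with the peer address masked as in the original.

```python
"""Classify ASA IKEv1 debug lines from a Cisco VPN Client (remote-access) attempt."""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the debug lines quoted in this thread. The first
# line still carries the CLI prompt, exactly as it was pasted in the post.
SAMPLE_DEBUG = """\
ciscoasa# Mar 10 06:43:10 [IKEv1]: IP = 65.X.X.2, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'Lawrence'.
Mar 10 07:19:49 [IKEv1]: Group = vtctunnelgroup, IP = 65.X.X.2, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
Mar 10 07:19:49 [IKEv1]: Group = vtctunnelgroup, IP = 65.X.X.2, Information Exchange processing failed
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[IKEv1\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<peer>[^,]+), (?P<msg>.*)$"
)

# (pattern, diagnosis, client-side fix). First matching rule wins.
RULES = [
    (re.compile(r"unknown tunnel group name '(?P<name>[^']*)'"), "unknown_tunnel_group",
     "Group Authentication 'Name' in the client must be the ASA tunnel-group name, not a username."),
    (re.compile(r"pre-shared key mismatch"), "psk_mismatch",
     "Group Authentication 'Password' in the client must equal the tunnel-group ipsec-attributes pre-shared-key."),
    (re.compile(r"Information Exchange processing failed"), "follow_on",
     "Consequence of an earlier failure; look at the preceding line for the cause."),
]


def classify_ikev1(debug_output: str) -> List[Dict[str, Optional[str]]]:
    """One event per recognised debug line, with diagnosis and suggested fix."""
    events: List[Dict[str, Optional[str]]] = []
    for raw in debug_output.splitlines():
        line = re.sub(r"^\S+# ", "", raw.strip())  # drop a leading "hostname# " prompt
        m = HEADER_RE.match(line)
        if not m:
            continue
        event: Dict[str, Optional[str]] = {
            "ts": m["ts"], "group": m["group"], "peer": m["peer"],
            "diagnosis": "unclassified", "detail": None, "fix": None,
        }
        for pattern, diagnosis, fix in RULES:
            hit = pattern.search(m["msg"])
            if hit:
                event["diagnosis"] = diagnosis
                event["detail"] = hit.groupdict().get("name")  # offending group name, if any
                event["fix"] = fix
                break
        events.append(event)
    return events


def root_cause(events: List[Dict[str, Optional[str]]]) -> Optional[Dict[str, Optional[str]]]:
    """First actionable diagnosis, skipping follow-on noise and unknown lines."""
    for event in events:
        if event["diagnosis"] not in ("follow_on", "unclassified"):
            return event
    return None


if __name__ == "__main__":
    found = classify_ikev1(SAMPLE_DEBUG)
    for event in found:
        print(event["ts"], event["diagnosis"], event["detail"] or "")
    cause = root_cause(found)
    print("root cause:", cause["diagnosis"] if cause else "none", "->", cause["fix"] if cause else "")
```

The order of the two signatures matters when reading a real debug: the "unknown tunnel group" message is emitted before any key check, so a PSK mismatch can only be diagnosed once the group name is already correct.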

harbor235 ;}

harbor235 Commented:

asa# configure terminal
asa(config)# tunnel-group vtctunnelgroup ipsec-attributes
asa(config-tunnel-ipsec)# pre-shared-key <enter new key here>

harbor235 ;}

agruber85 (Author) Commented:
Harbor235 was an excellent help.