Member_2_4777786
asked:

ASA Remote Access VPN (ipsec)

Hi all,

I'm trying to configure a remote IPsec VPN on an ASA 5520 (8.3.2); on the client side I'm using the Cisco VPN Client 5.0.07.0290 (one of the latest versions).

As shown in the Cisco knowledge base, I followed the guidelines listed at this link:
Configuring Remote Access VPNs

But it doesn't work: when I run "sh crypto isakmp sa" it tells me there are no ISAKMP SAs!
The error message coming from my VPN client is:

Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.

This is a copy-paste of my configuration:

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ip local pool testpool 10.10.10.1-10.10.10.100
username testuser password 12345678
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key 123456789
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside

Ernie Beek

What do you see in the logging of the ASA (if any)?
Member_2_4777786

ASKER
Hi erniebeek,

yes, I see only this:


6      Aug 11 2011      03:47:52            87.231.10.242      55449      10.230.0.0      500      Built inbound UDP connection 407 for outside:87.231.10.242/55449 (87.231.10.242/55449) to inside:10.230.0.0/500 (213.182.41.233/500)
Ernie Beek

Hm, any statics in place forwarding port 500?
Member_2_4777786

ASKER
No, there are no forwards to port 500. It's a new appliance; I just configured 2 interfaces with security level: outside 0 / inside 50.
Ernie Beek

Could you post a complete (sanitized) config over here?
Member_2_4777786

ASKER

Yes, that's my config:



ASA Version 8.3(2)
!

!
interface GigabitEthernet0/0
 description wan interface
 nameif outside
 security-level 0
 ip address 2xx.1xx.4x.2xx 255.255.255.224
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.231.0.15 255.255.255.0
 management-only
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif inside
 security-level 50
 ip address 10.230.0.15 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 195.xxxxxxxxxx
object network xxxxxxxxxxxxx
 subnet 10.230.0.0 255.255.255.0
object network xxxxxxxxxx
 host 10.230.0.16
 description 10.230.0.16
object network xxxxxxxxx
 host 10.230.0.50
object network xxxxxxxxxxxx
 host 10.230.0.53
object network xxxxxxxxxxxxx
 host 10.230.0.55
object service RDP
 service tcp source eq 3389 destination eq 3389
object network xxxxxxxx
 host 10.230.0.52
object network G
 host 10.230.0.52
object-group network DM_INLINE_NETWORK_1
 network-object object xxxxxxxxxxxx
 network-object object xxxxxxxxxxxxx
object-group network DM_INLINE_NETWORK_2
 network-object object xxxxxxxx
 network-object object xxxxxxx
 network-object object xxxxxxxx
 network-object object xxxxxx
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_3
 network-object object DNS-PRIMAIRE-ECRITEL
 network-object object DNS-SECONDAIRE-ECRITEL
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object esp
 service-object ah
 service-object udp destination eq isakmp
access-list inside_access_in extended permit ip 10.45.0.0 255.255.255.248 interface outside
access-list inside_access_in_1 extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp
access-list inside_access_in_1 extended permit tcp object xxxxxxxxxx-KERIO any eq pop3
access-list inside_access_in_1 extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3 eq domain
access-list inside_access_in_1 remark Accés provisoire en sortie pour la configuration du serveur
access-list inside_access_in_1 extended permit ip object xxxxxxxxxx-BACKUP any
access-list inside_access_in_1 extended permit object-group TCPUDP object xxxxxxxxxx-VOIP any eq sip
access-list inside_access_in_1 extended permit ip object xxxxxxxxxx-AV any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit ip any object xxxxxxxxxx-AV
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
ip local pool testpool 10.10.10.1-10.10.10.100
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network xxxxxxxxxx-VLAN2
 nat (inside,outside) static interface
object network xxxxxxxxxx-AV
 nat (inside,outside) static xxxxxxxxxx-ip-213.182.41.234 service tcp 3389 3389
object network G
 nat (inside,outside) static xxxxxxxxxx-ip-213.182.41.234 service tcp 445 445
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 213.182.41.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption des-sha1
webvpn
group-policy DfltGrpPolicy attributes
username testuser password IqY6lTColo8VIF24 encrypted
username test password litqLhZaMn7GFIih encrypted privilege 15
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect im msn
 parameters
 match protocol msn-im yahoo-im
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map dynamic-filter-snoop
  inspect im msn
!
service-policy global_policy global
prompt hostname context
hpm topN enable
Ernie Beek

One more question, are you able to ping/tracert to the outside ip of the ASA?
Member_2_4777786

ASKER
From the outside interface I can ping without any problem.
Ernie Beek

Just to make sure we're talking about the same, I meant ping/tracert from the VPN client to the outside ip of the ASA.

What happens if you connect a machine directly to the outside interface of the ASA and try to setup a VPN from there?
Member_2_4777786

ASKER
Hello,

the ping doesn't work.

- It was because the NAT rule was static:

object network xxxxxxxxxx-VLAN2
 nat (inside,outside) static interface

- I deleted all the NAT rules and replaced them with this PAT rule:

object network tt
 nat (any,outside) dynamic interface

- And the result is that I have something new, both in my ASA logging and in the VPN client messages.

ASA message:

4      Aug 12 2011      01:06:21                                    Group = testgroup, IP = 8x.xxx.1x.xxx, Information Exchange processing failed
5      Aug 12 2011      01:06:21                                    Group = testgroup, IP = 8x.xxx.1x.xxx, Received an un-encrypted AUTH_FAILED notify message, dropping
4      Aug 12 2011      01:11:35                                    Group = testgroup, IP = 8x.xxx.1x.xxx, Information Exchange processing failed
4      Aug 12 2011      01:11:35                                    Group = testgroup, IP = 8x.xxx.1x.xxx, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
5      Aug 12 2011      01:11:35                                    Group = testgroup, IP = 8x.xxx.1x.xxx, Received an un-encrypted INVALID_HASH_INFO notify message, dropping


Client message:

Initializing the connection...
Contacting the security gateway at xxx.xxx.xxx.xxx...
Secure VPN Connection terminated locally by the Client.
Reason 401: An unrecognized error occurred while establishing the VPN connection.

Connection terminated on: août 12, 2011 12:35:50        Duration: 0 day(s), 00:00.00
Not connected.


It seems that the authentication is not well configured on the ASA.
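As an added triage helper for the ASA messages quoted in this post (my example, not the asker's configuration or a Cisco tool), the script below classifies the IKE phase 1 failure messages and the forwarded UDP/500 connection seen above. The sample lines are constructed with documentation addresses, and the pseudo-interface name "identity" for connections that terminate on the ASA itself is assumed from ASA connection logging.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the lines posted in this thread; peer and
# gateway addresses are documentation ranges, the group is the thread's one.
SAMPLE_LOG = """\
6 Aug 11 2011 03:47:52 Built inbound UDP connection 407 for outside:198.51.100.10/55449 (198.51.100.10/55449) to inside:10.230.0.0/500 (203.0.113.5/500)
4 Aug 12 2011 01:06:21 Group = testgroup, IP = 198.51.100.10, Information Exchange processing failed
5 Aug 12 2011 01:06:21 Group = testgroup, IP = 198.51.100.10, Received an un-encrypted AUTH_FAILED notify message, dropping
4 Aug 12 2011 01:11:35 Group = testgroup, IP = 198.51.100.10, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
5 Aug 12 2011 01:11:35 Group = testgroup, IP = 198.51.100.10, Received an un-encrypted INVALID_HASH_INFO notify message, dropping
6 Aug 12 2011 12:40:01 Built inbound ICMP connection for faddr 10.10.10.1/1 gaddr 10.230.0.15/0 laddr 10.230.0.15/0 (vpn_user)
"""
@dataclass
class Finding:
    severity: int
    peer: Optional[str]
    group: Optional[str]
    category: str
    hint: str
# "<severity> <Mon> <day> <year> <hh:mm:ss> <body>", the layout of the posted lines
HEADER = re.compile(r"^(?P<sev>\d)\s+\w{3} \d{1,2} \d{4}\s+\d\d:\d\d:\d\d\s+(?P<body>.*)$")
GROUP_IP = re.compile(r"Group = (?P<group>\S+), IP = (?P<ip>\S+),")
# Through-the-box UDP/500 connection. ISAKMP terminating on the ASA is logged
# against the pseudo-interface "identity" (assumed); another destination interface
# means the packet is translated to a host behind the ASA (the static NAT in this thread).
ISAKMP = re.compile(r"Built inbound UDP connection \d+ for (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
                    r".* to (?P<dst_if>\w+):(?P<dst>[\d.]+)/500\b")
# (category, pattern, hint): first match wins, so the most specific come first
RULES = [
    ("ike1-psk-mismatch", r"pre-shared key mismatch",
     "phase 1 authentication failed: compare tunnel-group pre-shared-key on both ends"),
    ("ike1-auth-failed", r"un-encrypted AUTH_FAILED notify",
     "peer rejected authentication: PSK or group name disagreement"),
    ("ike1-invalid-hash", r"un-encrypted INVALID_HASH_INFO notify",
     "hash verification failed: PSK mismatch or ISAKMP policy disagreement"),
    ("ike1-info-exchange-failed", r"Information Exchange processing failed",
     "phase 1 aborted: the following message usually carries the cause"),
    ("vpn-client-traffic", r"connection for faddr [\d.]+/\d+ .*\(vpn_user\)",
     "tunnel is up and passing traffic: remaining problems are ACL/NAT, not IKE"),
]
COMPILED = [(c, re.compile(p), h) for c, p, h in RULES]

def classify(line: str) -> Optional[Finding]:
    """Map one syslog line to a Finding, or None if it is not an ASA line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    sev, body = int(m.group("sev")), m.group("body")
    gi = GROUP_IP.search(body)
    group, peer = (gi.group("group"), gi.group("ip")) if gi else (None, None)
    fwd = ISAKMP.search(body)
    if fwd and fwd.group("dst_if") not in ("identity", fwd.group("src_if")):
        return Finding(sev, fwd.group("src"), None, "isakmp-forwarded-not-terminated",
                       f"UDP/500 translated to {fwd.group('dst_if')}:{fwd.group('dst')}; "
                       "check static NAT rules that claim the outside interface address")
    for cat, pat, hint in COMPILED:
        if pat.search(body):
            return Finding(sev, peer, group, cat, hint)
    return Finding(sev, peer, group, "other", body[:60])

def triage(log: str) -> List[Finding]:
    # Classify every parseable line of a log excerpt, in order
    return [f for f in (classify(ln) for ln in log.splitlines()) if f]
```

Running `triage(SAMPLE_LOG)` yields one finding per line; the first is the forwarded UDP/500 connection and the fourth is the pre-shared key mismatch that turned out to be the cause here.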
Ernie Beek

Did you see this in the messages: This could indicate a pre-shared key mismatch?
Member_2_4777786

ASKER
I fixed it: the pre-shared key was too weak, the appliance does not accept this kind of pre-shared key. I replaced it with a highly secure pre-shared key and I connect.
Now I can't join the network; should I add an access list or a NAT exempt rule?


Ernie Beek

Try adding:
sysopt connection permit-vpn
object network NETWORK_OBJ_10.10.10.0_25
    subnet 10.10.10.0 255.255.255.128
nat (inside,outside) source static xxxxxxxxxxxxx xxxxxxxxxxxxx destination static NETWORK_OBJ_10.10.10.0_25 NETWORK_OBJ_10.10.10.0_25


I used:
object network xxxxxxxxxxxxx
 subnet 10.230.0.0 255.255.255.0

As the inside network.
Member_2_4777786

ASKER
No, it doesn't work.
Ernie Beek

Let's have another look at the logs then.
Member_2_4777786

ASKER
Attention: I'm on ASA 8.3.2, many commands were changed.

This is an example for ping packets.

These are the logs:


Built inbound ICMP connection for faddr 10.10.10.1/1 gaddr 10.230.0.15/0 laddr 10.230.0.15/0 (vpn_user)
Teardown ICMP connection for faddr 10.10.10.1/1 gaddr 10.230.0.15/0 laddr 10.230.0.15/0 (vpn_user)
Built inbound ICMP connection for faddr 10.10.10.1/1 gaddr 10.230.0.15/0 laddr 10.230.0.15/0 (vpn_user)
Teardown ICMP connection for faddr 10.10.10.1/1 gaddr 10.230.0.15/0 laddr 10.230.0.15/0 (vpn_user)
Built inbound ICMP connection for faddr 10.10.10.1/1 gaddr 10.230.0.15/0 laddr 10.230.0.15/0 (vpn_user)
Teardown ICMP connection for faddr 10.10.10.1/1 gaddr 10.230.0.15/0 laddr 10.230.0.15/0 (vpn_user)
Built inbound ICMP connection for faddr 10.10.10.1/1 gaddr 10.230.0.15/0 laddr 10.230.0.15/0 (vpn_user)
Ernie Beek

Could you post your config again, to see what it looks like now?
Member_2_4777786

ASKER
Hello, that's my config:



ASA Version 8.3(2)
!
hostname ciscoasa
enable password 6Tmu9/.9WmTO95p8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description wan interface
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!            
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.231.0.15 255.255.255.0
 management-only
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif inside
 security-level 50
 ip address 10.230.0.15 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 195.200.97.54
object network ECRITEL-GW1
 host xxx.xxx.xxx.xxx
 description 255.255.255.224    
object network XXX-ip-xxx.xxx.xxx.xxx
 host xxx.xxx.xxx.xxx
object network XXX-VLAN2
 subnet 10.230.0.0 255.255.255.0
object network JAMIL
 host 10.230.0.16
 description 10.230.0.16    
object network XXX-AD
 host 10.230.0.50
object network XXX-KERIO
 host 10.230.0.53
object network XXX-WWW
 host 10.230.0.55
object network XXX-ip-xxx.xxx.xxx.xxx
 host xxx.xxx.xxx.xxx
object network XXX-BACKUP
 host 10.230.0.32
object network XXX-NAS
 host 10.230.0.30
object network XXX-POSTFIX
 host 10.230.0.54
object network DNS-PRIMAIRE-ECxxxx
 host 195.200.97.54
object network DNS-SECONDAIRE-ECxxxx
 host 195.200.116.151
object network XXX-VOIP
 host 10.230.0.31
object network XXX-ip-xxx.xxx.xxx.xxx
 host xxx.xxx.xxx.xxx
object network XXX-ip-xxx.xxx.xxx.xxx
 host xxx.xxx.xxx.xxx
object network XXX-ip-xxx.xxx.xxx.xxx
 host xxx.xxx.xxx.xxx
object service RDP
 service tcp source eq 3389 destination eq 3389
object network XXX-AV
 host 10.230.0.52
object network G
 host 10.230.0.52
object network tt
 subnet 10.230.0.0 255.255.255.0
object network VPN-REMOTE-ACESS
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_26
 subnet 10.10.10.0 255.255.255.192
object-group network DM_INLINE_NETWORK_1
 network-object object XXX-KERIO
 network-object object XXX-POSTFIX
object-group network DM_INLINE_NETWORK_2
 network-object object XXX-AD
 network-object object XXX-KE
 network-object object XXX-POSTFIX
 network-object object XXX-WWW
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_3
 network-object object DNS-PRIMAIRE-ECRITEL
 network-object object DNS-SECONDAIRE-ECRITEL
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
access-list inside_access_in extended permit ip 10.45.0.0 255.255.255.248 interface outside inactive
access-list inside_access_in_1 extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp
access-list inside_access_in_1 extended permit tcp object XXX-KERIO any eq pop3
access-list inside_access_in_1 extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3 eq domain
access-list inside_access_in_1 remark Accés provisoire en sortie pour la configuration du serveur
access-list inside_access_in_1 extended permit ip object XXX-BACKUP any
access-list inside_access_in_1 extended permit object-group TCPUDP object XXX-VOIP any eq sip
access-list inside_access_in_1 extended permit ip object XXX-AV any
access-list inside_access_in_1 extended permit icmp 10.230.0.0 255.255.255.0 object VPN-REMOTE-ACESS object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit icmp any any echo-reply inactive
access-list outside_access_in extended permit ip any object XXX-AV inactive
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
access-list no_nat extended permit ip object XXX-VLAN2 object VPN-REMOTE-ACESS inactive
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
ip local pool REMOTE-VPN 10.10.10.1-10.10.10.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_26 NETWORK_OBJ_10.10.10.0_26
!
object network tt
 nat (any,outside) dynamic interface
access-group OUTSIDE_IN_ACL in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption des-sha1
webvpn
group-policy XXX internal
group-policy XXX attributes
 wins-server value 10.230.0.50
 dns-server value 10.230.0.50
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value no_nat
username test password test encrypted privilege 15
tunnel-group XXX type remote-access
tunnel-group XXX general-attributes
 address-pool REMOTE-VPN
 default-group-policy XXX
tunnel-group XXX ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect im msn
 parameters
 match protocol msn-im yahoo-im
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map dynamic-filter-snoop
  inspect im msn
!
service-policy global_policy global
prompt hostname context
hpm topN enable
Cryptochecksum:5fea4cc11cda4679fbb64c081ce6b6ad
: end
ciscoasa#  
ASKER CERTIFIED SOLUTION
Member_2_4777786
Member_2_4777786

ASKER
I found the solution by myself.