Cisco ASA 5510 Remote VPN Setup

Trying to set up a remote VPN connection and getting the following log file on the client.

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

1007   17:05:54.106  08/29/13  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.

1008   17:05:54.111  08/29/13  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

1009   17:05:54.114  08/29/13  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x

1010   17:05:54.141  08/29/13  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

1011   17:05:54.141  08/29/13  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x

1012   17:05:54.141  08/29/13  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

1013   17:05:54.141  08/29/13  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

1014   17:05:54.141  08/29/13  Sev=Info/5      IKE/0x63000001
Peer supports DPD

1015   17:05:54.141  08/29/13  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

1016   17:05:54.141  08/29/13  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

1017   17:05:54.145  08/29/13  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

1018   17:05:54.145  08/29/13  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x

1019   17:05:54.145  08/29/13  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

1020   17:05:54.145  08/29/13  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0xC700, Remote Port = 0x1194

1021   17:05:54.145  08/29/13  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

1022   17:05:54.178  08/29/13  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

1023   17:05:54.179  08/29/13  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x

1024   17:05:57.037  08/29/13  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x

1025   17:05:57.061  08/29/13  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

1026   17:05:57.061  08/29/13  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x

1027   17:05:57.061  08/29/13  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x

1028   17:05:57.067  08/29/13  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

1029   17:05:57.067  08/29/13  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x

1030   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

1031   17:05:57.116  08/29/13  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x

1032   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.30.1.10

1033   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

1034   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = x.x.x.x

1035   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = x.x.x.x

1036   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

1037   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

1038   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x6300000F
SPLIT_NET #1
      subnet = 172.30.1.0
      mask = 255.255.255.0
      protocol = 0
      src port = 0
      dest port=0

1039   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xxxx.com

1040   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

1041   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.0(3) built by builders on Tue 06-Nov-07 22:59

1042   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

1043   17:05:57.116  08/29/13  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

1044   17:05:57.129  08/29/13  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 172.30.1.10, GW IP = x.x.x.x, Remote IP = 0.0.0.0

1045   17:05:57.130  08/29/13  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to x.x.x.x

1046   17:05:57.164  08/29/13  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

1047   17:05:57.164  08/29/13  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x

1048   17:05:57.164  08/29/13  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

1049   17:05:57.164  08/29/13  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now

1050   17:05:57.165  08/29/13  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

1051   17:05:57.165  08/29/13  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x

1052   17:05:57.166  08/29/13  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x

1053   17:05:57.166  08/29/13  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=B81DC977

1054   17:05:57.166  08/29/13  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=6749980360DBE9B7 R_Cookie=8EFCCBDB220EC30F) reason = DEL_REASON_IKE_NEG_FAILED

1055   17:05:57.166  08/29/13  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

1056   17:05:57.166  08/29/13  Sev=Info/4      IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=6749980360DBE9B7 R_Cookie=8EFCCBDB220EC30F

1057   17:05:57.166  08/29/13  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from x.x.x.x

1058   17:06:00.379  08/29/13  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=6749980360DBE9B7 R_Cookie=8EFCCBDB220EC30F) reason = DEL_REASON_IKE_NEG_FAILED

1059   17:06:00.391  08/29/13  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

The ASA config is below, and I'm not sure what the next step is to get this working.

ASA Version 8.0(3)
!
hostname xxx-fw1
domain-name xxx.xxx
enable password hAR0aC67TBMYK/bG encrypted
names
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240 standby x.x.x.x
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.0.0 standby x.x.x.x
 ospf cost 10
!
interface Ethernet0/2
 nameif DMZ1
 security-level 50
 ip address x.x.x.x 255.255.255.0 standby x.x.x.x
 ospf cost 10
!
interface Ethernet0/3
 nameif DMZ2
 security-level 50
 ip address x.x.x.x 255.255.0.0
 ospf cost 10
!
interface Management0/0
 description LAN/STATE Failover Interface
!
passwd hAR0aC67TBMYK/bG encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object x.x.x.x 255.255.248.0
 network-object x.x.x.x 255.255.0.0
object-group network DM_INLINE_NETWORK_2
 network-object x.x.x.x 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_4 tcp
 port-object eq smtp
 port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq smtp
object-group service RDP tcp
 port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_7 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object tcp-udp eq www
 service-object tcp-udp eq domain
 service-object tcp eq https
 service-object tcp eq pop3
 service-object tcp eq smtp
 service-object tcp eq domain
object-group network DM_INLINE_NETWORK_3
access-list inside_nat0_outbound extended permit ip any 172.30.1.0 255.255.255.128
access-list VPN-TEST_splitTunnelAcl_2 standard permit 172.30.1.0 255.255.255.128
access-list VPN-TEST_splitTunnelAcl_4 standard permit 172.30.1.0 255.255.255.0
access-list VPN-TEST_splitTunnelAcl standard permit x.x.x.x  255.0.0.0
access-list VPN-TEST_splitTunnelAcl_1 standard permit x.x.x.x 255.255.0.0
access-list DMZ extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_3 any
access-list VPN-TEST_splitTunnelAcl_5 standard permit any
access-list VPN-TEST_splitTunnelAcl_3 standard permit x.x.x.x 255.255.0.0
access-list VPN-TEST_splitTunnelAcl_6 standard permit 172.30.1.0 255.255.255.0

access-list OUTSIDE-ISP extended permit ip 172.30.1.0 255.255.255.0 Internal_Network 255.255.0.0
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
ip local pool VPN-TEST 172.30.1.10-172.30.1.100 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover x.x.x.x 255.255.255.0 standby x.x.x.x
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 x.x.x.x 255.0.0.0
nat (DMZ1) 101 x.x.x.x 255.255.255.255
nat (DMZ2) 101 x.x.x.x 255.255.0.0
static (DMZ2,outside) x.x.x.x  x.x.x.x netmask 255.255.255.255
static (DMZ2,outside) x.x.x.x  x.x.x.x netmask 255.255.255.255
static (inside,outside) x.x.x.x  x.x.x.x netmask 255.255.255.255
static (DMZ2,outside) x.x.x.x  x.x.x.x netmask 255.255.255.255
static (DMZ1,outside) x.x.x.x  x.x.x.x netmask 255.255.255.255
static (DMZ1,outside) x.x.x.x  x.x.x.x netmask 255.255.255.255
access-group OUTSIDE-ISP in interface outside
access-group DMZ in interface DMZ1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside x.x.x.x 255.0.0.0 x.x.x.x 1
route outside x.x.x.x  255.255.0.0 x.x.x.x  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 2:00:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http x.x.x.x  255.255.0.0 inside
snmp-server host inside x.x.x.x community 0y$SNmp!6 version 2c
no snmp-server location
no snmp-server contact
snmp-server community 0y$SNmp!6
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer x.x.x.x
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 20
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy VPN-TEST internal
group-policy VPN-TEST attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-TEST_splitTunnelAcl_6
 default-domain value xxx.xxx.com
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
 vpn-group-policy VPN-TEST
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group VPN-TEST type remote-access
tunnel-group VPN-TEST general-attributes
 address-pool VPN-TEST
 default-group-policy VPN-TEST
tunnel-group VPN-TEST ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fe27c61712b68bba39f85383cd8f7599
: end

Anything that is not needed has been left out or replaced with x's. Any help is appreciated. Let me know if you need any additional information.
Barry McCann Asked:

anoopkmr Commented:
Try after adding the below commands:

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto isakmp nat-traversal 60
sysopt connection permit-vpn

Barry McCann Author Commented:
Perfect, worked a treat.
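
An added example, not part of the original thread and not Cisco tooling: a Python check that correlates the two symptoms visible in the client log (this end behind NAT, NO_PROPOSAL_CHOSEN after Quick Mode starts) with a `set nat-t-disable` entry on a dynamic map reachable from an interface-bound crypto map. The function names and the sample strings are constructed for illustration.

```python
import re

# Constructed sample input, shaped like the client log and ASA config in the question.
SAMPLE_LOG = """\
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to x.x.x.x
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x
"""
SAMPLE_CONFIG = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""

def client_log_facts(log):
    """Return (client_behind_nat, quick_mode_rejected) for a VPN Client log."""
    behind_nat = bool(re.search(r"This\s+end\s+IS\s+behind a NAT device", log))
    qm = log.find("ISAKMP OAK QM")
    # Count NO_PROPOSAL_CHOSEN only after Quick Mode started: Phase 1 passed,
    # and the IPsec (Phase 2) proposal was refused.
    rejected = qm != -1 and "NOTIFY:NO_PROPOSAL_CHOSEN" in log[qm:]
    return behind_nat, rejected

def nat_t_disabled_entries(config):
    """List (dynamic_map, seq, interface) entries that set nat-t-disable and are
    reachable through a crypto map bound to an interface."""
    disabled = re.findall(
        r"^crypto dynamic-map (\S+) (\d+) set nat-t-disable[ \t]*$", config, re.M)
    refs = re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", config, re.M)
    bound = re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M)
    hits = {(dyn, int(seq), iface)
            for dyn, seq in disabled
            for cmap, ref in refs if ref == dyn
            for bmap, iface in bound if bmap == cmap}
    return sorted(hits)

def diagnose(log, config):
    """Correlate both sides: NATed client + Phase 2 refusal + NAT-T disabled."""
    behind_nat, rejected = client_log_facts(log)
    entries = nat_t_disabled_entries(config)
    return {"nat_t_mismatch": behind_nat and rejected and bool(entries),
            "remove": [f"no crypto dynamic-map {d} {s} set nat-t-disable"
                       for d, s, _ in entries]}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONFIG))
```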