davidgeeee
Setup Cisco VPN Client access on an ASA 5512-x not working

I have tried repeatedly to set up Cisco VPN Client access on a Cisco ASA 5512-x with no success.  Have even tried getting Cisco techs to help, again without success.  Is there anyone out there that has experience with this?
Patrick Bogers

Please upload your config but first strip your passwords out.
davidgeeee (ASKER)
SETFW# sh run
: Saved
:
ASA Version 8.6(1)2
!
hostname SETFW
domain-name sfcu.local
enable password ngK4FpmdDvb1KBKL encrypted
passwd ngK4FpmdDvb1KBKL encrypted
names
!
interface GigabitEthernet0/0
 description Outside
 nameif Outside
 security-level 0
 ip address 24.213.xx.46 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside
 nameif Inside
 security-level 100
 ip address 192.168.41.253 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.3 255.255.255.0
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name sfcu.local
same-security-traffic permit intra-interface
object network vpnsourcesubnets
 subnet 192.168.41.0 255.255.255.0
object network vpndestinations
 subnet 192.168.42.0 255.255.255.0
object network obj-192.168.41.5
 host 192.168.41.5
object network NETWORK_OBJ_192.168.40.0_23
 subnet 192.168.40.0 255.255.254.0
object network NETWORK_OBJ_192.168.41.224_28
 subnet 192.168.41.224 255.255.255.240
object service SMTP
 service tcp source eq smtp
object network obj-192.168.41.10
 host 192.168.41.10
object service IMAPS
 service tcp source eq 993
object service POP3
 service tcp source eq pop3
object service IMAP4
 service tcp source eq imap4
object service POP3S
 service tcp source eq 995
object service obj-https
 service tcp source eq https
object network NETWORK_OBJ_10.10.10.0_28
 subnet 10.10.10.0 255.255.255.240
access-list encryptACL extended permit ip 192.168.41.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host 192.168.41.10 eq https
access-list Outside_access_in extended permit ip any host 192.168.41.10
access-list Outside_access_in extended permit tcp any host 192.168.41.5 eq smtp
access-list split standard permit 192.168.41.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool vpn 192.168.40.6-192.168.41.10 mask 255.255.255.0
ip local pool BradScott 192.168.41.230-192.168.41.235 mask 255.255.255.0
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static obj-192.168.41.10 interface service obj-https obj-https
nat (Inside,Outside) source static obj-192.168.41.10 interface service POP3S POP3S
nat (Inside,Outside) source static obj-192.168.41.10 interface service POP3 POP3
nat (Inside,Outside) source static obj-192.168.41.10 interface service IMAP4 IMAP4
nat (Inside,Outside) source static obj-192.168.41.10 interface service IMAPS IMAPS
nat (Inside,Outside) source static obj-192.168.41.5 interface service SMTP SMTP
nat (Inside,Outside) source static vpnsourcesubnets vpnsourcesubnets destination static vpndestinations vpndestinations no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.41.224_28 NETWORK_OBJ_192.168.41.224_28 no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.40.0_23 NETWORK_OBJ_192.168.40.0_23 no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic NETWORK_OBJ_192.168.40.0_23 interface
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
!
nat (Inside,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 24.213.xx.45 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPNset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set L2TP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map emap 20 match address encryptACL
crypto map emap 20 set peer 71.13.110.26
crypto map emap 20 set ikev1 transform-set VPNset
crypto map emap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map emap interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn settlers.com
 subject-name CN=SETFW.sfcu.local,O=Settlers Federal Credit Union,C=US
 crl configure
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1800
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
group-policy BradScott internal
group-policy BradScott attributes
 wins-server value 192.168.41.10
 dns-server value 192.168.41.10
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value sfcu.local
group-policy Bradford internal
group-policy Bradford attributes
 dns-server value 24.213.60.93 8.8.8.8
 vpn-tunnel-protocol ikev1
 default-domain value sfcu.local
group-policy BradScottVPN internal
group-policy BradScottVPN attributes
 dns-server value 24.213.60.93 8.8.8.8
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value sfcu.local
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.41.10
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value sfcu.local
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username Bradford2 password OwXhtJaJ5GjHsr2z encrypted privilege 15
username bradscott password hu7kXAHXA8wbGi1Bt5DBIw== nt-encrypted privilege 0
username bradscott attributes
 vpn-group-policy DefaultRAGroup
username bsset password tOqCpC5z7Y58/NZ9 encrypted privilege 15
username 906admin password JzgQej1vXGNhZy5G encrypted
username 906tech password FFdr21Do.ETFHxn3 encrypted privilege 15
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group 71.13.110.26 type ipsec-l2l
tunnel-group 71.13.110.26 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group BradScott type remote-access
tunnel-group BradScott general-attributes
 address-pool BradScott
 default-group-policy BradScott
tunnel-group BradScott webvpn-attributes
 group-alias BradScott enable
tunnel-group BradScott ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group BradScottVPN type remote-access
tunnel-group BradScottVPN general-attributes
 address-pool VPNPool
 default-group-policy BradScottVPN
tunnel-group BradScottVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Bradford type remote-access
tunnel-group Bradford general-attributes
 address-pool VPNPool
 default-group-policy Bradford
tunnel-group Bradford ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:512622cb03ad0bb4711c1beda1abf375
Think NATting is missing for the VPN access.
The BradScottVPN looks closest to correct.

Note the address pool should not be part of the inside network,
and the no-NAT for the VPN is needed.

This looks reversed.

Looks like:

object network inside-network
 subnet 192.168.41.0 255.255.255.0
object network vpn-pool-network
 subnet 10.10.10.0 255.255.255.240

ip local pool vpn-pool 10.10.10.1-10.10.10.14 mask 255.255.255.240

nat (Inside,Outside) source static inside-network inside-network destination static vpn-pool-network vpn-pool-network

access-list split standard permit 192.168.41.0 255.255.255.0


tunnel-group BradScottVPN type remote-access
tunnel-group BradScottVPN general-attributes
 address-pool VPNPool ------------------------>>>> change to vpn-pool
 default-group-policy BradScottVPN
tunnel-group BradScottVPN ipsec-attributes
 ikev1 pre-shared-key *****

group-policy BradScottVPN internal
group-policy BradScottVPN attributes
 dns-server value 24.213.60.93 8.8.8.8

 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value sfcu.local
Just add
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split

And this should be close to correct
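The two checks the reply above calls out, a pool that sits inside the LAN and a pool with no identity (no-NAT) rule toward Inside, as an added Python linter over the posted config; this is an example written for this page, not anything from the thread. The excerpt is constructed from the asker's lines plus one hypothetical pool, stale-pool, that has no exemption.

```python
import ipaddress
import re

# Constructed excerpt of the posted config plus a hypothetical stale-pool with no NAT exemption.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif Inside
 ip address 192.168.41.253 255.255.255.0
object network NETWORK_OBJ_192.168.40.0_23
 subnet 192.168.40.0 255.255.254.0
object network NETWORK_OBJ_192.168.41.224_28
 subnet 192.168.41.224 255.255.255.240
object network NETWORK_OBJ_10.10.10.0_28
 subnet 10.10.10.0 255.255.255.240
ip local pool vpn 192.168.40.6-192.168.41.10 mask 255.255.255.0
ip local pool BradScott 192.168.41.230-192.168.41.235 mask 255.255.255.0
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
ip local pool stale-pool 10.10.20.1-10.10.20.14 mask 255.255.255.240
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.41.224_28 NETWORK_OBJ_192.168.41.224_28 no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.40.0_23 NETWORK_OBJ_192.168.40.0_23 no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask")
NAT_RE = re.compile(r"^nat \(Inside,Outside\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse(config):
    """Pull out the Inside subnet, network objects, address pools and identity NAT rules."""
    inside, objects, pools, exempt = None, {}, {}, []
    cur_if = cur_obj = None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur_if = cur_obj = None
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif line.startswith(" nameif "):
            cur_if = line.split()[1]
        elif line.startswith(" ip address ") and cur_if == "Inside":
            addr, mask = line.split()[2:4]
            inside = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith(" subnet ") and cur_obj:
            addr, mask = line.split()[1:3]
            objects[cur_obj] = ipaddress.ip_network(f"{addr}/{mask}")
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT_RE.match(line):
            src, src_mapped, dst, dst_mapped = m.groups()
            if src == src_mapped and dst == dst_mapped:  # real == mapped: identity (no-NAT) rule
                exempt.append((src, objects.get(dst)))
    return inside, objects, pools, exempt

def lint(config):
    """Return {pool: {"overlaps_inside": bool, "nat_exempt": bool}} for every address pool."""
    inside, objects, pools, exempt = parse(config)
    report = {}
    for name, (first, last) in pools.items():
        # Any address of the pool falling in the Inside LAN is a collision.
        overlaps = first <= inside.broadcast_address and last >= inside.network_address
        # Exempt only if some identity rule from "any" (or an object covering Inside) spans the whole pool.
        covered = any((src == "any" or (src in objects and inside.subnet_of(objects[src])))
                      and net is not None and first in net and last in net
                      for src, net in exempt)
        report[name] = {"overlaps_inside": overlaps, "nat_exempt": covered}
    return report
```

On the excerpt, `vpn` and `BradScott` are flagged for overlapping 192.168.41.0/24, `VPNPool` passes both checks, and `stale-pool` is flagged for having no identity NAT.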
Thanks, I'll try this in the morning!
Cisco VPN Client gives this error:

Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.

I think I entered things the way you suggested.  See config below:

SETFW# sh run
: Saved
:
ASA Version 8.6(1)2
!
hostname SETFW
domain-name sfcu.local
enable password ngK4FpmdDvb1KBKL encrypted
passwd ngK4FpmdDvb1KBKL encrypted
names
!
interface GigabitEthernet0/0
 description Outside
 nameif Outside
 security-level 0
 ip address 24.213.24.46 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside
 nameif Inside
 security-level 100
 ip address 192.168.41.253 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.3 255.255.255.0
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name sfcu.local
same-security-traffic permit intra-interface
object network vpnsourcesubnets
 subnet 192.168.41.0 255.255.255.0
object network vpndestinations
 subnet 192.168.42.0 255.255.255.0
object network obj-192.168.41.5
 host 192.168.41.5
object network NETWORK_OBJ_192.168.40.0_23
 subnet 192.168.40.0 255.255.254.0
object network NETWORK_OBJ_192.168.41.224_28
 subnet 192.168.41.224 255.255.255.240
object service SMTP
 service tcp source eq smtp
object network obj-192.168.41.10
 host 192.168.41.10
object service IMAPS
 service tcp source eq 993
object service POP3
 service tcp source eq pop3
object service IMAP4
 service tcp source eq imap4
object service POP3S
 service tcp source eq 995
object service obj-https
 service tcp source eq https
object network NETWORK_OBJ_10.10.10.0_28
 subnet 10.10.10.0 255.255.255.240
object network inside-network
 subnet 192.168.41.0 255.255.255.0
object network vpn-pool-network
 subnet 10.10.10.0 255.255.255.240
access-list encryptACL extended permit ip 192.168.41.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host 192.168.41.10 eq https
access-list Outside_access_in extended permit ip any host 192.168.41.10
access-list Outside_access_in extended permit tcp any host 192.168.41.5 eq smtp
access-list split standard permit 192.168.41.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool vpn 192.168.40.6-192.168.41.10 mask 255.255.255.0
ip local pool BradScott 192.168.41.230-192.168.41.235 mask 255.255.255.0
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
ip local pool vpn-pool 10.10.10.11-10.10.10.14 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static obj-192.168.41.10 interface service obj-https obj-https
nat (Inside,Outside) source static obj-192.168.41.10 interface service POP3S POP3S
nat (Inside,Outside) source static obj-192.168.41.10 interface service POP3 POP3
nat (Inside,Outside) source static obj-192.168.41.10 interface service IMAP4 IMAP4
nat (Inside,Outside) source static obj-192.168.41.10 interface service IMAPS IMAPS
nat (Inside,Outside) source static obj-192.168.41.5 interface service SMTP SMTP
nat (Inside,Outside) source static vpnsourcesubnets vpnsourcesubnets destination static vpndestinations vpndestinations no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.41.224_28 NETWORK_OBJ_192.168.41.224_28 no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.40.0_23 NETWORK_OBJ_192.168.40.0_23 no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic NETWORK_OBJ_192.168.40.0_23 interface
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
nat (Inside,Outside) source static inside-network inside-network destination static vpn-pool-network vpn-pool-network
!
nat (Inside,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 24.213.24.45 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
crypto map emap 20 match address encryptACL
crypto map emap 20 set peer 71.13.110.26
crypto map emap 20 set ikev1 transform-set VPNset
crypto map emap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map emap interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn settlers.com
 subject-name CN=SETFW.sfcu.local,O=Settlers Federal Credit Union,C=US
 crl configure
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1800
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
group-policy BradScott internal
group-policy BradScott attributes
 wins-server value 192.168.41.10
 dns-server value 192.168.41.10
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value sfcu.local
group-policy Bradford internal
group-policy Bradford attributes
 dns-server value 24.213.60.93 8.8.8.8
 vpn-tunnel-protocol ikev1
 default-domain value sfcu.local
group-policy BradScottVPN internal
group-policy BradScottVPN attributes
 dns-server value 24.213.60.93 8.8.8.8
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value sfcu.local
 address-pools value vpn-pool
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.41.10
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value sfcu.local
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy Bluewater internal
group-policy Bluewater attributes
 dns-server value 208.67.222.222 8.8.8.8
 vpn-tunnel-protocol ikev1
 default-domain value sfcu.local
username Bradford2 password OwXhtJaJ5GjHsr2z encrypted privilege 15
username Bradford2 attributes
 vpn-group-policy BradScottVPN
username bradscott password hu7kXAHXA8wbGi1Bt5DBIw== nt-encrypted privilege 0
username bradscott attributes
 vpn-group-policy DefaultRAGroup
username bsset password tOqCpC5z7Y58/NZ9 encrypted privilege 15
username 906admin password JzgQej1vXGNhZy5G encrypted
username 906tech password FFdr21Do.ETFHxn3 encrypted privilege 15
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group 71.13.110.26 type ipsec-l2l
tunnel-group 71.13.110.26 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group BradScott type remote-access
tunnel-group BradScott general-attributes
 address-pool BradScott
 default-group-policy BradScott
tunnel-group BradScott webvpn-attributes
 group-alias BradScott enable
tunnel-group BradScott ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group BradScottVPN type remote-access
tunnel-group BradScottVPN general-attributes
 address-pool vpn-pool
 default-group-policy BradScottVPN
tunnel-group BradScottVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Bradford type remote-access
tunnel-group Bradford general-attributes
 address-pool VPNPool
 default-group-policy Bradford
tunnel-group Bradford ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Bluewater type remote-access
tunnel-group Bluewater general-attributes
 address-pool VPNPool
 default-group-policy Bluewater
tunnel-group Bluewater ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:47e67548945c74debd18b973fb9a0d77
: end
Also, I don't get prompted for a username and password.
ASKER CERTIFIED SOLUTION
HalldorG
User accounts are set up.  If I change the transport method in the VPN Client to TCP, I then get a username and password pop-up.  After entering username and password, I see "Securing Communication Channels..."  Then it says Not Connected.  Must be close!