Cisco ASA 5505 ipsec client connection problem

Hello,

My client has an ASA 5505.

We have configured a site-to-site tunnel with a Cisco RV042G that works fine.

We need to configure IPsec VPN to work with the Cisco VPN client, but I am missing something because it is not working. See my config; I would really like some help.


When I try with the Cisco client, I get an error 412.

Also, with the same Cisco client, if I connect to another ASA of another client, it works fine.


Result of the command: "show config"

: Saved
: Written by enable_15 at 07:50:55.083 UTC Thu May 28 2015
!
ASA Version 8.2(5)
!
hostname ciscoasa
enable password jsc7kAZMCN1pVdry encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.10.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.111.111.111 255.255.255.252
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 24.200.241.37
 name-server 24.201.245.77
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service alarm1 tcp
 port-object eq 5001
object-group service alarm2 tcp
 port-object eq 10501
object-group service alarm3 udp
 port-object eq 5001
object-group service alarm4 udp
 port-object eq 10501
access-list outside_1_cryptomap extended permit ip 172.17.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.10.0 255.255.255.0 172.17.10.128 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.17.10.0 255.255.255.0 192.168.250.8 255.255.255.248
access-list outside_access_in extended permit tcp any any eq 5001
access-list outside_access_in extended permit tcp any any eq 10501
access-list outside_access_in extended permit udp any any eq 5001
access-list outside_access_in extended permit udp any any eq 10501
access-list VPN-VAL_splitTunnelAcl standard permit 172.17.10.0 255.255.255.0
access-list VPN123_splitTunnelAcl standard permit 172.17.10.0 255.255.255.0
access-list VALVPN_splitTunnelAcl standard permit 172.17.10.0 255.255.255.0
access-list VPNVAL_splitTunnelAcl standard permit 172.17.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.250.10-192.168.250.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5001 172.17.10.50 5001 netmask 255.255.255.255
static (inside,outside) tcp interface 10501 172.17.10.50 10501 netmask 255.255.255.255
static (inside,inside) udp interface 5001 172.17.10.50 5001 netmask 255.255.255.255
static (inside,inside) udp interface 10501 172.17.10.50 10501 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.37.52.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.17.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 222.222.222.222
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 24.200.241.37 24.201.245.77
dhcpd auto_config outside
!
dhcpd address 172.17.10.100-172.17.10.135 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy GroupPolicy1 internal
group-policy VPNVAL internal
group-policy VPNVAL attributes
 dns-server value 24.200.241.37 24.201.245.77
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNVAL_splitTunnelAcl
 default-domain value WORKGROUP
username fanny password LyjAphJrIjjzdNkE encrypted privilege 0
username fanny attributes
 vpn-group-policy VPNVAL
username anne password gYihZDvUj/Nmivtd encrypted privilege 0
username anne attributes
 vpn-group-policy VPNVAL
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 ipsec-attributes
 pre-shared-key *
tunnel-group VPNVAL type remote-access
tunnel-group VPNVAL general-attributes
 address-pool VPNpool
 default-group-policy VPNVAL
tunnel-group VPNVAL ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:938f498472aac75996088c67911275e0

Here is what it shows for the licenses:

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 50        
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 10        
Dual ISPs                      : Disabled  
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled  
AnyConnect for Cisco VPN Phone : Disabled  
AnyConnect Essentials          : Disabled  
Advanced Endpoint Assessment   : Disabled  
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled  

This platform has a Base license.
Pete Long (Technical Consultant) commented:
OK


This appears to be doing nothing

group-policy GroupPolicy1 internal


Pertinent Config

ip local pool VPNpool 192.168.250.10-192.168.250.15 mask 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 172.17.10.0 255.255.255.0 192.168.250.8 255.255.255.248
!
nat (inside) 0 access-list inside_nat0_outbound
!
group-policy VPNVAL internal
group-policy VPNVAL attributes
 dns-server value 24.200.241.37 24.201.245.77
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNVAL_splitTunnelAcl
 default-domain value WORKGROUP
!
tunnel-group VPNVAL type remote-access
tunnel-group VPNVAL general-attributes
 address-pool VPNpool
 default-group-policy VPNVAL
tunnel-group VPNVAL ipsec-attributes
 pre-shared-key *
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
!
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

---------

To be honest, nothing is screaming out at me. When you say the problem client can successfully connect to another ASA, is that ASA running pre-8.3 code?

Have you enabled NAT traversal?

crypto isakmp nat-traversal 20
ncfre (Author) commented:
Sorry, I am not very good at this. I have used the wizard on that Cisco, and yes, the other one is pre-8.3.
Pete Long (Technical Consultant) commented:
Hang about!

That 8 should be a zero!

access-list inside_nat0_outbound extended permit ip 172.17.10.0 255.255.255.0 192.168.250.8 255.255.255.248
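A check for the point Pete raises here, whether the nat-0 exemption ACE actually covers the pool the VPN clients draw from, as an added Python example that is not from the thread or from Cisco: it parses the pool and nat-0 ACL lines and reports any pool address with no exemption. The config excerpt is copied from the posted config; the function names and the 172.17.10.0/24 inside-network default are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the poster's ASA 8.2(5) config: the lines that decide
# whether remote-access clients are exempt from NAT (the "nat 0" ACL).
ASA_CONFIG = """\
ip local pool VPNpool 192.168.250.10-192.168.250.15 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.10.0 255.255.255.0 172.17.10.128 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.17.10.0 255.255.255.0 192.168.250.8 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def _network(tokens):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pools(config):
    """Map each 'ip local pool' name to its inclusive (first, last) addresses."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def nat0_exempt_pairs(config):
    """(source, destination) networks of every 'permit ip' ACE in an ACL that is
    bound with 'nat (...) 0 access-list', i.e. the flows exempted from NAT."""
    lines = [ln.strip() for ln in config.splitlines()]
    nat0_acls = {m.group(2) for ln in lines if (m := NAT0_RE.match(ln))}
    pairs = []
    for ln in lines:
        m = ACE_RE.match(ln)
        if m and m.group(1) in nat0_acls:
            src, rest = _network(m.group(2).split())
            dst, _ = _network(rest)
            pairs.append((src, dst))
    return pairs


def pool_exemption_gaps(config, inside_net="172.17.10.0/24"):
    """For each VPN pool, list pool addresses that no nat-0 ACE exempts for traffic
    from inside_net; such a client would be PATed on the return path and get no traffic."""
    inside = ipaddress.ip_network(inside_net)
    pairs = nat0_exempt_pairs(config)
    gaps = {}
    for name, (first, last) in parse_pools(config).items():
        missing, addr = [], first
        while addr <= last:
            if not any(inside.subnet_of(src) and addr in dst for src, dst in pairs):
                missing.append(str(addr))
            addr += 1
        gaps[name] = missing
    return gaps
```

Run it over the full show running-config output: an empty list means every pool address is matched by a nat-0 ACE, and a non-empty list names the addresses that still need one.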
ncfre (Author) commented:
OK, thank you, I will look into it.

But why do I get the error "Secure VPN connection terminated locally by the Client. Reason 412. The remote peer is no longer responding"?
ncfre (Author) commented:
Forgot to tell you the version of the VPN client:

The version is 5.0.07.0440.
ncfre (Author) commented:
Problem is resolved. I have changed the unit, made the same config, and it works.

I told the client to take the SmartNet on this new one so next time it will be replaced for free.

ncfre (Author) commented:
Because I have changed the unit.