asa5510 and business class dsl problems

Answered Question
Mar 12th, 2007

Below is my setup.


A business-class DSL modem with a static IP (100.0.0.1) connects to an ASA 5510.

The ISP provided me another static routable IP for the ASA 5510, and I configured the 5510's outside interface with it (100.0.0.2).

I also have a couple of machines behind the inside interface of the 5510 (172.16.1.0).

All I want to do is let some people VPN into the inside network to do some troubleshooting.

I don't need anyone from the inside to access the net, so no NAT is needed.


I went through the normal VPN config and the remote VPN wizard.

However, using the Cisco VPN client, I'm unable to log in.

I can ping the 100.0.0.1 interface but cannot VPN in.

I think there is no path from 100.0.0.1 to 100.0.0.2.

Any suggestions?


Correct Answer by ggilbert (Cisco Employee), Wed, 03/14/2007 - 08:50

The group name should be EAT which is configured on the tunnel-group parameters in your ASA. It should not be "vgoradia" but what is configured on the ASA.


And the password should be the one that you have configured under the tunnel-group parameter for pre-shared key.




tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool vpnpool
 default-group-policy EAT
tunnel-group EAT ipsec-attributes
 pre-shared-key *




Let me know how this pans out.


Rate this post, if it helps.


Thanks

Gilbert

Kamal Malhotra (Cisco Employee) Mon, 03/12/2007 - 17:03

Hi,


To begin with, do you have a default route on the ASA that points to the DSL? E.g.:


route outside 0.0.0.0 0.0.0.0 100.0.0.1


HTH,


Please rate if it helps,


Regards,


Kamal

vgoradia Mon, 03/12/2007 - 17:09

Nope, I do not have a default route set. I need to do this.

When I set up the Cisco EasyVPN client software, the IP I would want to hit is 100.0.0.2, correct?


How would 100.0.0.1 allow traffic to flow to 100.0.0.2?

What command should I use to make 100.0.0.2 pingable temporarily, just to verify that the VPN works?

Thanks for all the help. I will rate.

Kamal Malhotra (Cisco Employee) Tue, 03/13/2007 - 02:36

Hi,


To begin with, are you able to ping 100.0.0.1 from 100.0.0.2? If not, then you need to talk to your ISP. You might also want to clear the ARP table on the ASA using the CLI command 'clear arp'.


Yes, you are correct that the IP you would want to hit is 100.0.0.2. Since 100.0.0.2 is directly connected to 100.0.0.1, it will have the .2 IP in its ARP table and will be able to route correctly.


Route is important even to be able to ping.


HTH,


Regards,


Kamal

vgoradia Tue, 03/13/2007 - 07:19

OK, I cleared the ARP table and put in the static route.

Now, from the 5510, I can ping the inside machines using the inside interface, and I can ping the outside DSL modem using the outside interface.


Also, from the net, I can now ping the IP for the DSL modem as well as the static routable IP for the ASA 5510!

This is good.


However, I am unable to VPN into the 5510.

The EasyVPN client says 'connection terminated by local client', reason 412.

I tried playing with the different transports, including checking 'transparent tunneling' off and on.

Any other ideas?

I'm stumped.

I feel I'm very close to this.


Any help would be really appreciated!


vgoradia Tue, 03/13/2007 - 08:30

Here's my sh run:

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.80.98 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.4.231 255.255.252.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 172.16.4.192 255.255.255.192
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.16.4.220-172.16.4.230 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 x.x.80.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy EAT internal
group-policy EAT attributes
 vpn-tunnel-protocol IPSec
username vgoradia password xxx privilege 0
username vgoradia attributes
 vpn-group-policy EAT
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool pool
 default-group-policy EAT
tunnel-group EAT ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
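A running-config like the one above is also a good input for an automated sanity screen before anyone starts debugging IKE. The Python below is an added example written for this thread (not Cisco code and not the poster's). It checks the prerequisites this thread ends up hinging on, a default route on outside, ISAKMP enabled on outside, a crypto map that is actually bound to the outside interface, and an ipsec-ra tunnel-group whose address-pool, group-policy and pre-shared key exist, against a constructed excerpt of the config posted here. The excerpt keeps a real defect of the posted config: the pool is defined as "vpnpool" but the tunnel-group says "address-pool pool", and the checker reports exactly that.

```python
"""Sanity-check an ASA 7.x running-config for the pieces an IPsec remote-access
(Cisco VPN Client) tunnel depends on.  Added example written for this thread;
not Cisco code and not the poster's.  The checks are a screen for the mistakes
seen in this thread, not a full ASA config parser."""
import re

# Constructed sample: the VPN-relevant lines of the first config posted in the
# thread.  It carries the defect the posted config has: the pool is defined
# as "vpnpool" but the tunnel-group references "pool".
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.80.98 255.255.255.252
ip local pool vpnpool 172.16.4.220-172.16.4.230 mask 255.255.252.0
route outside 0.0.0.0 0.0.0.0 x.x.80.97 1
group-policy EAT internal
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool pool
 default-group-policy EAT
tunnel-group EAT ipsec-attributes
 pre-shared-key *
"""

# Same excerpt with the pool reference corrected, as in the second config posted.
FIXED_CONFIG = SAMPLE_CONFIG.replace("address-pool pool", "address-pool vpnpool")


def check_ra_vpn(config):
    """Return a list of findings; an empty list means every prerequisite is present."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    def present(pattern):
        return any(re.match(pattern, ln) for ln in lines)

    if not present(r"route outside 0\.0\.0\.0 0\.0\.0\.0 \S+"):
        findings.append("no default route on outside")
    if not present(r"crypto isakmp enable outside$"):
        findings.append("isakmp not enabled on outside")
    if not present(r"crypto isakmp policy \d+$"):
        findings.append("no isakmp policy defined")

    crypto_maps, bound, dyn_with_ts = set(), set(), set()
    dyn_used = {}                # dynamic-map name -> crypto map that uses it
    pools, group_policies, ra_groups, psk_groups = set(), set(), set(), set()
    pool_ref, gp_ref = {}, {}    # tunnel-group -> referenced pool / group-policy
    current_tg = None            # tunnel-group whose attribute block we are in

    for ln in lines:
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", ln):
            crypto_maps.add(m[1])
            dyn_used[m[2]] = m[1]
        elif m := re.match(r"crypto map (\S+) interface outside$", ln):
            bound.add(m[1])
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set \S+", ln):
            dyn_with_ts.add(m[1])
        elif m := re.match(r"ip local pool (\S+) ", ln):
            pools.add(m[1])
        elif m := re.match(r"group-policy (\S+) internal$", ln):
            group_policies.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-ra$", ln):
            ra_groups.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) (?:general|ipsec)-attributes$", ln):
            current_tg = m[1]
        elif m := re.match(r"address-pool (\S+)$", ln):
            pool_ref[current_tg] = m[1]
        elif m := re.match(r"default-group-policy (\S+)$", ln):
            gp_ref[current_tg] = m[1]
        elif ln.startswith("pre-shared-key "):
            psk_groups.add(current_tg)

    if not crypto_maps:
        findings.append("no crypto map defined")
    for name in sorted(crypto_maps - bound):
        findings.append(f"crypto map {name} is not bound to the outside interface")
    for dyn, cmap in sorted(dyn_used.items()):
        if dyn not in dyn_with_ts:
            findings.append(f"dynamic map {dyn} (used by {cmap}) sets no transform-set")
    if not ra_groups:
        findings.append("no ipsec-ra tunnel-group defined")
    for tg in sorted(ra_groups):
        if tg not in psk_groups:
            findings.append(f"tunnel-group {tg} has no pre-shared-key")
        pool = pool_ref.get(tg)
        if pool is None:
            findings.append(f"tunnel-group {tg} has no address-pool")
        elif pool not in pools:
            findings.append(f"tunnel-group {tg} references undefined address-pool '{pool}'")
        gp = gp_ref.get(tg)
        if gp is not None and gp not in group_policies:
            findings.append(f"tunnel-group {tg} references undefined group-policy '{gp}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("pool reference fixed", FIXED_CONFIG)):
        print(label, "->", check_ra_vpn(cfg) or "ok")
```

Feed it the output of "sh run" (captured over SSH, for instance) and act on the findings before turning on debugs; the checker deliberately ignores everything outside the remote-access VPN path, so an empty result means only that the pieces named above are present and consistent.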


Kamal Malhotra (Cisco Employee) Tue, 03/13/2007 - 09:05

Hi,


The config looks good, so we need to get debugs from the ASA and the logs from the clients. You might want to remove the PFS from the dynamic crypto map. The commands would be:


no crypto map outside_map interface outside
no crypto dynamic-map outside_dyn_map 20 set pfs
crypto map outside_map interface outside


HTH,


Please rate if it helps,


Regards,


Kamal

vgoradia Tue, 03/13/2007 - 09:08

What commands do I enable for debugs from the ASA and from the client?

Thanks

ggilbert (Cisco Employee) Tue, 03/13/2007 - 09:15

On the ASA you would need to run:


deb cry isa 128
deb cry ipsec 128


And on the clients, go to the "Log" section

a. Enable Log

b. Go to log settings and change the severity of the logs to 1-3


Open the log window -


Connect and send the logs & debugs.


Thanks

Gilbert

vgoradia Tue, 03/13/2007 - 09:29

Is there a Cisco URL where I can see a config for a basic remote access VPN on an ASA device?


I don't even need to NAT and all the other stuff....

I would've thought that this would be the simplest config of all....

What's compounding the fact is that this device is in a different building from where I am, and I have to go over every time to make a change.

And since they do not have a phone line, I have to come back to my office, dial out to an ISP and then try to VPN in!

(Since we do not allow VPN traffic out of our work LAN.)


Also, is there a way I can manage the ASA 5510 through its outside interface, since I can ping it?

Thanks once again for staying with me.

ggilbert (Cisco Employee) Tue, 03/13/2007 - 10:03

This example gives you an idea on how to configure it.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml


(Even though it says PIX, it can be used for ASA as well).



Here is another example for VPN client to connect to an ASA and also allow access through the ASA to the internet.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml


You can access your ASA through the outside interface. You can use ssh or ASDM.


ssh 0.0.0.0 0.0.0.0 outside


Use a "putty client" or some other SSH client and you should be able to access the ASA.

Use the username pix, which is the default.


Thanks

Gilbert


Rate this post, if it helped.



vgoradia Tue, 03/13/2007 - 11:49

OK, I modified the settings on the 5510 and still no go.

Here's the log from the VPN client.


I could not SSH into the ASA from my dial-up... and neither could I use the ASDM... it just timed out.

I'm at my wits' end!

Please help.


Cisco Systems VPN Client Version 4.8.02.0010
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 14:36:23.545 03/13/07 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.

Cisco Systems VPN Client Version 4.8.02.0010
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 14:36:44.915 03/13/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command

2 14:36:44.986 03/13/07 Sev=Info/4 PPP/0x6320000D
Retrieved 2 dial entries

3 14:36:56.532 03/13/07 Sev=Info/4 CM/0x63100002
Begin connection process

4 14:36:56.582 03/13/07 Sev=Info/4 CM/0x63100004
Establish secure connection

5 14:36:56.582 03/13/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.80.98"

6 14:36:56.592 03/13/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.80.98.

7 14:36:56.622 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to x.x.80.98

8 14:36:56.863 03/13/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

9 14:36:56.863 03/13/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

10 14:36:56.863 03/13/07 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (x.x.34.170)

11 14:36:56.863 03/13/07 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (x.x.55.131)

12 14:37:01.860 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

13 14:37:01.860 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.80.98

14 14:37:06.867 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

15 14:37:06.867 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.80.98

16 14:37:11.874 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

17 14:37:11.874 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.80.98

18 14:37:16.881 03/13/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0D933CECB69B085E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

19 14:37:17.402 03/13/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0D933CECB69B085E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

20 14:37:17.402 03/13/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.80.98" because of "DEL_REASON_PEER_NOT_RESPONDING"

21 14:37:17.442 03/13/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

22 14:37:17.472 03/13/07 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

23 14:37:17.472 03/13/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

24 14:37:18.514 03/13/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

25 14:37:18.514 03/13/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

26 14:37:18.514 03/13/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

27 14:37:18.514 03/13/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped



ggilbert (Cisco Employee) Tue, 03/13/2007 - 12:06

Send me the output of the following


sh run ssh


sh cry key mypubkey rsa


from the ASA.


Thanks

Gilbert

vgoradia Tue, 03/13/2007 - 12:25

Here you go... looks like the pubkey is blank.


ciscoasa# sh run ssh
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5

ciscoasa# sh cry key mypubkey rsa
ciscoasa#





ggilbert (Cisco Employee) Tue, 03/13/2007 - 12:29

Issue this command on the ASA


cry key gen rsa modu 1024


Try the ssh again from the client - see if you can access the ASA.


Thanks

Gilbert


Rate this, if it helps.




vgoradia Tue, 03/13/2007 - 12:50

Good news and bad news.

The good news is that SSH works.

The bad news is that I'm unable to log on with my password.


I tried to log in as 'admin', 'pix' and blank, and I input my enable/console password, and it didn't take any!


Also, I tried the VPN client and it failed.

I tried to log in through IPsec/TCP port 10000; it established the TCP connection and then tried to send the ISAKMP OAK AG packet, but there was no response from the 5510.


Anything else I can try? And what can I use to log on through SSH?

Thanks for all the help.

ggilbert (Cisco Employee) Tue, 03/13/2007 - 16:07

Hello Vishal,


Let's divide and conquer instead of putting every problem in the same basket.


Let's fix the SSH issue first.

So, the ASA has two passwords: the normal telnet password and the enable password.


When you SSH into the ASA, use the username "pix" and the telnet password.


Then you will get the prompt for enable:


ASA>


After that, type enable and insert the enable password. You should be able to log in.


Please rate this topic, if it helps.


Thanks

Gilbert

vgoradia Tue, 03/13/2007 - 19:16

Gilbert,

Good news is the SSH issue is resolved.

Bad news is that I'm an idiot.


I had not set a telnet password and didn't realize this.

I used the default username and the default password and, sure enough, it let me in.

So I'm all set with SSH, which is a great relief because now I do not have to go on site to configure the 5510. I can sit in my office and play with it and then dial out to an ISP to test the VPN.

So what's next... guru?


ggilbert (Cisco Employee) Wed, 03/14/2007 - 05:49

Vishal,


Good to hear that you got it working.

Now, let's get the VPN client to work.


SSH into your ASA and enable the debugs:


"deb cry isa 128" & "deb cry ipsec 128"


Issue the command "term mon".


Connect with your VPN client and let's see where this is failing.


Run the logs on the client at the same time you are trying to connect.


Attach both - the debugs and the logs - and let me take a look at them.


Cheers

Gilbert

vgoradia Wed, 03/14/2007 - 07:29

This is what the term mon shows, which may explain the whole problem...

The x.x.105.96 IP is the machine that has the VPN client trying to connect to the 5510.



ciscoasa# Mar 14 14:22:50 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 14:22:55 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 14:23:00 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 14:23:05 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt

ggilbert (Cisco Employee) Wed, 03/14/2007 - 07:53

Are you connecting to the interface with the IP "x.x.80.98", as per your ASA configuration posted previously?


If so, can you please apply this command:


cry map outside_map interface outside



Run the commands again - see if it gets connected. :)


Cheers

Gilbert

vgoradia Wed, 03/14/2007 - 08:09

No dice.

The x.x.80.98 is the outside interface of the 5510. This is a routable IP.

The x.x.105.96 is the IP of the VPN client, which is trying to establish a VPN connection with the 5510.


This is what I got from term mon:


ciscoasa# debug cry isa 128
ciscoasa# debug cry ipsec 128
ciscoasa# term mon
ciscoasa# Mar 14 15:01:40 [IKEv1]: IP = x.x.105.96, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 808
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing ke payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing ISA_KE payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing nonce payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing ID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, Received xauth V6 VID
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, Received DPD VID
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, Received Cisco Unity client VID
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, processing IKE SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing ISAKMP SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing ke payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing nonce payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, Generating keys for Responder...
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing ID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing hash payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, Computing hash for ISAKMP
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing Cisco Unity VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing xauth V6 VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing Fragmentation VID + extended capabilities payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 14 15:01:40 [IKEv1]: IP = x.x.105.96, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 352
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE AM Responder FSM error history (struct &0x3f6c458) , : AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE SA AM:b53d7823 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, sending delete/delete with reason message
Mar 14 15:01:40 [IKEv1]: Group = DefaultRAGroup, IP = x.x.105.96, Removing peer from peer table failed, no match!
Mar 14 15:01:40 [IKEv1]: Group = DefaultRAGroup, IP = x.x.105.96, Error: Unable to remove PeerTblEntry.


Also, on the vpn client, the reason for failure was because of "DEL_REASON_IKE_NEG_FAILED"
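Reading these debugs by eye is the slow part of this thread, and the two ASA-side patterns it produced are worth recognising automatically: "No crypto map bound to interface... dropping pkt" (the earlier term mon output, before the crypto map was re-applied) and a peer that is logged under "Group = DefaultRAGroup" and then dies in the aggressive-mode responder FSM right after message 2 (this output), which is what the ASA does when the group name the client sends matches no configured tunnel-group. The client side reports the same two situations as DEL_REASON_PEER_NOT_RESPONDING (no IKE reply at all, as in the VPN Client log posted earlier) and DEL_REASON_IKE_NEG_FAILED (the headend answered but phase 1 failed). The Python below is an added example written for this thread, not Cisco tooling and not code from anyone in the discussion: it parses ASA IKEv1 debug lines and the VPN Client's phase 1 failure line, and maps them to those causes. The rule table is a heuristic chosen for this example, and the sample lines are constructed from the masked output quoted in the thread.

```python
"""Classify IKEv1 remote-access failures from ASA 'debug crypto isakmp' output
and Cisco VPN Client log lines.  Added example written for this thread; not
Cisco tooling and not code from anyone in the discussion.  The rule tables
encode the diagnoses this thread reached and are heuristics, not an official
mapping."""
import re

# Constructed sample: lines modelled on the two 'term mon' captures quoted in
# the thread, with addresses masked the same way.
ASA_DEBUG = """\
Mar 14 14:22:50 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, processing IKE SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE AM Responder FSM error history (struct &0x3f6c458) , : AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2
Mar 14 15:01:40 [IKEv1]: Group = DefaultRAGroup, IP = x.x.105.96, Removing peer from peer table failed, no match!
"""

# Constructed sample modelled on the VPN Client log quoted in the thread.
CLIENT_LOG = """\
7 14:36:56.622 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to x.x.80.98
12 14:37:01.860 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
20 14:37:17.402 03/13/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.80.98" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

# ASA IKEv1 debug line: timestamp, [IKEv1] or [IKEv1 DEBUG], optional group, peer IP, message.
ASA_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<src>IKEv1[^\]]*)\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[^,]+), (?P<msg>.*)$")


def parse_asa_line(line):
    """Split one ASA IKEv1 debug line into its fields, or return None if it is not one."""
    m = ASA_LINE.match(line)
    return m.groupdict() if m else None


# (predicate over a parsed record, diagnosis); the first matching rule wins per line.
ASA_RULES = [
    (lambda r: r["msg"].startswith("No crypto map bound to interface"),
     "no crypto map on the receiving interface: 'crypto map <map> interface outside' is missing"),
    (lambda r: r["group"] == "DefaultRAGroup" and "FSM error history" in r["msg"],
     "peer landed in DefaultRAGroup: the client's group name matches no tunnel-group, "
     "or the pre-shared key for that group is wrong"),
]

# Client-side phase 1 reason code -> what it tells you about the headend.
CLIENT_RULES = {
    "DEL_REASON_PEER_NOT_RESPONDING":
        "no IKE reply at all: reachability, UDP/500 filtering, isakmp not enabled "
        "or crypto map not bound on the headend",
    "DEL_REASON_IKE_NEG_FAILED":
        "headend replied but phase 1 failed: isakmp policy, group name or pre-shared key mismatch",
}


def diagnose_asa(debug_text):
    """Return {peer_ip: [diagnosis, ...]}, duplicates removed, in the order first seen."""
    out = {}
    for line in debug_text.splitlines():
        rec = parse_asa_line(line)
        if rec is None:
            continue
        for pred, diag in ASA_RULES:
            if pred(rec):
                found = out.setdefault(rec["ip"], [])
                if diag not in found:
                    found.append(diag)
                break
    return out


def diagnose_client(log_text):
    """Return (server, reason_code, explanation) from a VPN Client log, or None."""
    m = re.search(r'Unable to establish Phase 1 SA with server "([^"]+)" because of "(\w+)"',
                  log_text)
    if not m:
        return None
    server, reason = m.groups()
    return server, reason, CLIENT_RULES.get(reason, "unrecognised reason code")


if __name__ == "__main__":
    for ip, diags in diagnose_asa(ASA_DEBUG).items():
        for d in diags:
            print(f"{ip}: {d}")
    print(diagnose_client(CLIENT_LOG))
```

Pasting a term mon capture into diagnose_asa gives one list of causes per peer address, so a headend serving several clients is still readable; the client-side function only needs the single "Unable to establish Phase 1 SA" line, which is the one worth asking a remote user to send.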

ggilbert (Cisco Employee) Wed, 03/14/2007 - 08:23

OK - let's go step by step.


I need the following...


a. The current config on the ASA.

b. If you go to the client, what is the group name you have entered?



vgoradia Wed, 03/14/2007 - 08:33

groupname --> vgoradia



ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.80.98 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.4.x 255.255.252.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 172.16.4.0 255.255.252.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.16.4.220-172.16.4.230 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 x.x.80.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy EAT internal
group-policy EAT attributes
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
username xxx password xxxx privilege 15
username vgoradia attributes
 vpn-group-policy EAT
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool vpnpool
 default-group-policy EAT
tunnel-group EAT ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 5
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxx
: end
ciscoasa#
