asa5510 and business class dsl problems

vgoradia
Level 1

below is my setup.

business class dsl modem with a static ip (100.0.0.1) connects to an asa5510.

the isp provided me another static routable ip for the asa5510 and I configured the 5510 outside interface with this (100.0.0.2).

I also have couple of machines behind the inside interface of the 5510. (172.16.1.0)

All I want to do is let some people vpn into the inside network to do some troubleshooting.

I don't need anyone from the inside to access the net, so no nat needed.

I went through the normal vpn config and the remote vpn wizard.

however, using the cisco vpn client, I'm unable to log in.

I can ping the 100.0.0.1 interface but cannot vpn in.

I think there is no path from 100.0.0.1 to 100.0.0.2

any suggestions?

Accepted Solution

The group name should be EAT which is configured on the tunnel-group parameters in your ASA. It should not be "vgoradia" but what is configured on the ASA.

And the password should be the one that you have configured under the tunnel-group parameter for pre-shared key.

tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool vpnpool
 default-group-policy EAT
tunnel-group EAT ipsec-attributes
 pre-shared-key *

Let me know how this pans out.

Rate this post, if it helps.

Thanks

Gilbert


24 Replies

Kamal Malhotra
Cisco Employee

Hi,

To begin with, do you have a default route on the ASA that points to the DSL? e.g.:

route outside 0.0.0.0 0.0.0.0 100.0.0.1

HTH,

Please rate if it helps,

Regards,

Kamal

nope, do not have a default route set. I need to do this.

when I set up the cisco easyvpn client s/w, the ip I would want to hit is 100.0.0.2, correct?

how would 100.0.0.1 allow traffic to flow to 100.0.0.2?

what command should I use to make 100.0.0.2 pingable temporarily just to verify that the vpn works.

thanks for all the help. i will rate

Hi,

To begin with, are you able to ping 100.0.0.1 from 100.0.0.2? If not then you need to talk to your ISP. You might also want to clear the ARP table on the asa using the CLI command 'clear arp'.

Yes, you are correct that the IP you would want to hit is 100.0.0.2. Since 100.0.0.2 is directly connected to 100.0.0.1, it will have the .2 IP in its ARP table and will be able to route correctly.

Route is important even to be able to ping.

HTH,

Regards,

Kamal

ok I cleared the arp table and put in the static route.

now, from the 5510, i can ping the inside machines using the inside interface and I can ping the outside dsl modem using the outside interface.

Also, from the net, I can now ping the ip for the dsl modem as well as the static routable ip for the asa5510 !!!!!!

this is good.

however, I am unable to vpn into the 5510.

the easyvpn client says 'connection terminated by local client' , reason 412.

I tried to play with the different transports, including checking off and on 'transparent tunneling'.

any other ideas?

I'm stumped.

I feel I'm very close to this.

any help would be really appreciated!

here's my sh run

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.80.98 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.4.231 255.255.252.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 172.16.4.192 255.255.255.192
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.16.4.220-172.16.4.230 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 x.x.80.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy EAT internal
group-policy EAT attributes
 vpn-tunnel-protocol IPSec
username vgoradia password xxx privilege 0
username vgoradia attributes
 vpn-group-policy EAT
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool pool
 default-group-policy EAT
tunnel-group EAT ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

Hi,

The config looks good so we need to get debugs from the ASA and the logs from the clients. You might want to remove the PFS from the dynamic cry map. The commands would be :

no crypto map outside_map interface outside
no crypto dynamic-map outside_dyn_map 20 set pfs
crypto map outside_map interface outside

HTH,

Please rate if it helps,

Regards,

Kamal

what commands do I enable for debugs from the asa and from the client?

thanks

On the ASA you would need to run

deb cry isa 128
deb cry ipsec 128

And on the clients, go to the "Log" section:

a. Enable Log

b. Go to log settings and change the severity of the logs to 1-3

c. Open the log window

Connect and send the logs & debugs.

Thanks

Gilbert

is there a cisco url where I can see a config for a basic remote access vpn on an asa device.

I don't even need to NAT and all the other stuff....

I would've thought that this would be the simplest config of all....

what's compounding the fact is that this device is in a different building from where I am and I have to go over every time to make a change.

and since they do not have a phone line, I have to come back to my office and dial out to an isp and then try to vpn in!!!

(since we do not allow vpn traffic out of our work LAN)

also, is there a way I can manage the asa5510 through its outside interface since I can ping it?

thanks once again for staying with me.

This example gives you an idea on how to configure it.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

(Even though it says PIX, it can be used for ASA as well).

Here is another example for VPN client to connect to an ASA and also allow access through the ASA to the internet.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

You can access your ASA through the outside interface. You can use ssh or ASDM.

ssh 0.0.0.0 0.0.0.0 outside

Use a "putty client" or some ssh client and you should be able to access the ASA.

Use the username pix, which is the default.

Thanks

Gilbert

Rate this post, if it helped.

ok, i modified the settings on the 5510 and still no go.

here's the log from the vpn client.

I could not ssh into the asa from my dial up...and neither could I use the asdm..it just timed out.....

i'm at my wits end!

please help

Cisco Systems VPN Client Version 4.8.02.0010
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 14:36:23.545 03/13/07 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.

Cisco Systems VPN Client Version 4.8.02.0010
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 14:36:44.915 03/13/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command
2 14:36:44.986 03/13/07 Sev=Info/4 PPP/0x6320000D
Retrieved 2 dial entries
3 14:36:56.532 03/13/07 Sev=Info/4 CM/0x63100002
Begin connection process
4 14:36:56.582 03/13/07 Sev=Info/4 CM/0x63100004
Establish secure connection
5 14:36:56.582 03/13/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.80.98"
6 14:36:56.592 03/13/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.80.98.
7 14:36:56.622 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to x.x.80.98
8 14:36:56.863 03/13/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 14:36:56.863 03/13/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 14:36:56.863 03/13/07 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (x.x.34.170)
11 14:36:56.863 03/13/07 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (x.x.55.131)
12 14:37:01.860 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
13 14:37:01.860 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.80.98
14 14:37:06.867 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
15 14:37:06.867 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.80.98
16 14:37:11.874 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
17 14:37:11.874 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.80.98
18 14:37:16.881 03/13/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0D933CECB69B085E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
19 14:37:17.402 03/13/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0D933CECB69B085E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
20 14:37:17.402 03/13/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.80.98" because of "DEL_REASON_PEER_NOT_RESPONDING"
21 14:37:17.442 03/13/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
22 14:37:17.472 03/13/07 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
23 14:37:17.472 03/13/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
24 14:37:18.514 03/13/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
25 14:37:18.514 03/13/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
26 14:37:18.514 03/13/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
27 14:37:18.514 03/13/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
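The client log above tells the whole story once you know what to look for: the client sends its aggressive-mode proposal, retransmits it three times, the responder cookie stays all zeros, and the attempt dies with `DEL_REASON_PEER_NOT_RESPONDING`. That pattern means no IKE packet ever came back, which points at the path to UDP/500 on the outside interface rather than at the group name or pre-shared key. The script below is an added example, not part of this thread or of the Cisco client; it parses a constructed excerpt in the two-line format the VPN Client writes (header line, then message line), counts retransmits, checks whether any `RECEIVED <<<` entry appeared, and classifies the failure accordingly. The peer address is a documentation-range placeholder, and the `RECEIVED <<<` prefix is assumed to be how the client logs inbound ISAKMP packets.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the VPN Client log posted in this thread; the
# peer address is a documentation-range placeholder, not the poster's real one.
SAMPLE_LOG = """\
5 14:36:56.582 03/13/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "192.0.2.98"
7 14:36:56.622 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to 192.0.2.98
12 14:37:01.860 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
13 14:37:01.860 03/13/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.0.2.98
14 14:37:06.867 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
16 14:37:11.874 03/13/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
18 14:37:16.881 03/13/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0D933CECB69B085E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
20 14:37:17.402 03/13/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "192.0.2.98" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

# Header line of each entry: seq, time, date, Sev=<label>/<level>, <module>/0x<code>
HEADER = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+Sev=(\w+)/(\d)\s+(\w+)/0x([0-9A-Fa-f]+)$"
)


def parse_entries(text: str) -> List[Dict[str, object]]:
    """Pair each header line with the message line that follows it;
    banner lines without a header are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries: List[Dict[str, object]] = []
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append({
                "seq": int(m.group(1)),
                "time": m.group(2),
                "level": int(m.group(5)),
                "module": m.group(6),
                "code": m.group(7),
                "msg": lines[i + 1],
            })
            i += 2
        else:
            i += 1
    return entries


def triage_phase1(text: str) -> Dict[str, object]:
    """Summarise one IKE phase 1 attempt and classify why it failed."""
    peer = None
    retransmits = 0
    sent_first = received_any = responder_silent = False
    failure = None
    for e in parse_entries(text):
        msg = str(e["msg"])
        if m := re.search(r'server "([^"]+)"', msg):
            peer = m.group(1)
        if msg.startswith("SENDING >>> ISAKMP") and "Retransmission" not in msg:
            sent_first = True
        if msg.startswith("RECEIVED <<< ISAKMP"):  # assumed prefix for inbound packets
            received_any = True
        if msg.startswith("Retransmitting"):
            retransmits += 1
        if "R_Cookie=0000000000000000" in msg:
            responder_silent = True  # responder cookie never filled in: no reply arrived
        if m := re.search(r'because of "([^"]+)"', msg):
            failure = m.group(1)

    if failure is None:
        diagnosis = "no phase 1 failure recorded"
    elif sent_first and not received_any and responder_silent:
        diagnosis = ("no IKE reply reached the client: check that UDP/500 (and UDP/4500 "
                     "for NAT-T) is delivered to the ASA outside interface, that "
                     "'crypto isakmp enable outside' is present, and watch 'debug crypto isakmp' on the ASA")
    else:
        diagnosis = (f"peer answered but phase 1 failed with {failure}: compare the group name, "
                     "pre-shared key and IKE policy on both sides")
    return {"peer": peer, "retransmits": retransmits, "received_reply": received_any,
            "failure": failure, "diagnosis": diagnosis}


if __name__ == "__main__":
    for key, value in triage_phase1(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The useful distinction is the second branch versus the third: a peer that answers and then rejects you is a configuration mismatch (group name, pre-shared key, IKE policy), which is where the accepted answer in this thread ends up, while a peer that never answers at all is a reachability or `isakmp enable` problem that no amount of client-side fiddling will fix.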

Send me the output of the following

sh run ssh
sh cry key mypubkey rsa

from the ASA.

Thanks

Gilbert

here you go...looks like the pubkey is blank.

ciscoasa# sh run ssh
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ciscoasa# sh cry key mypubkey rsa
ciscoasa#

Issue this command on the ASA

cry key gen rsa modu 1024

Try the ssh again from the client - see if you can access the ASA.

Thanks

Gilbert

Rate this, if it helps.
