VPN help needed

Unanswered Question
Oct 25th, 2007


I have an ASA5510 that I am trying to setup VPN on. I need to allow home users access inside our network. I have tried going thru the VPN wizard several times and just cannot seem to get it working. I am using the Cisco VPN client, latest verision.

I am enclosing the latest configuration which also has a show version at the end of it.

Any help would be greatly appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
acomiskey Thu, 10/25/2007 - 06:59

Firstly, you always want your vpn pool to be different than your inside network.

access-list inside_nat0_outbound extended permit ip any

ip local pool VPN mask

Also add..

crypto isakmp nat-traversal

Also, are you trying to vpn to the inside interface?

crypto map inside_map interface inside

crypto isakmp enable inside

srosenthal Thu, 10/25/2007 - 07:16

Thank you for your help.

I am at home and want to have VPN access to the inside networks.


acomiskey Thu, 10/25/2007 - 07:21

These lines should say "outside" as you are vpn'ing to the outside inteface of the asa.

crypto map inside_map interface outside

crypto isakmp enable outside

srosenthal Thu, 10/25/2007 - 07:32

I did correct the config with the commands you gave me.

I tried to connect with the VPN client and still cannot. I was curious about the pre-shared key. Am I supposed to enter that in the client somewhere?


acomiskey Thu, 10/25/2007 - 07:36

Yes. You need to enter the group name "VPN" and the pre-shared key or "password" under the group authentication section of the cisco vpn client.

attrgautam Thu, 10/25/2007 - 07:37

Yes you need to have the Pre-shared key in the VPN Client. When you enter the group in thE vpn cLIENT, the psk will be the password for the group..when the connection is successful you will get the username and password dialog where you key in your personal information.

Let us know if it works

srosenthal Thu, 10/25/2007 - 08:23

Ok, I did that and it still will not connect. The VPN client tells me

Secure VPN Connection terminated by the Client.

Reason 412: The remote peer is no longer responding.

I am also attaching the latest config.


acomiskey Thu, 10/25/2007 - 08:34

This works for me...

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto isakmp identity address

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

srosenthal Thu, 10/25/2007 - 09:04

Thank you, that worked wonderfully.

Now my next question is how do I setup for certain clients to access only certain networks?

Again, thank you very much.


acomiskey Thu, 10/25/2007 - 09:12

Will these users be part of the same tunnel group or will you create differnet tunnel groups for different classes of users?

srosenthal Thu, 10/25/2007 - 09:28

I guess they can be part of the same group, just different user names and networks accessed.


acomiskey Thu, 10/25/2007 - 09:41

This should help you some...


This will show you how to create a vpn-filter acl which can be applied to a tunnel group policy or individual user account.

The other option is to remove "sysopt connection permit-vpn". This will stop ipsec traffic from bypassing your interface acl's. Then you can simply write the access you desire in your outside access list.

srosenthal Thu, 10/25/2007 - 11:48

Thank you again for the help. I did figure out that all I needed to do was add and ACL and then add a user and apply that ACL to the user.

Again, thank you very much.



This Discussion