IPSEC VPN help !!!

Answered Question
Jul 1st, 2008

Hi All

I have an ASA 5520 and want to enable IPsec VPN and access it through the Cisco VPN client.

I have done NATting on the router which is connected to the outside interface of the ASA. I have done a static NAT of the private IP address of the outside interface of the ASA to the public IP, on the router. I am able to ping that public IP from the internet and also able to access the firewall through ASDM using that public IP.

I have done the configuration using the VPN wizard but somehow I am not able to connect through the VPN client. Please guide me if I have missed something.

Configuration of ASA is attached.

Regards

bsn

a.alekseev Tue, 07/01/2008 - 01:57

no access-list LAN extended permit ip 10.0.0.0 255.0.0.0 any
no access-group LAN in interface LAN
no access-list WAN extended permit ip any 10.0.0.0 255.0.0.0
no access-group WAN in interface WAN

ip local pool VPN-Pool 10.0.5.1-10.0.5.255 mask 255.255.255.0

access-list LAN_nat0_outbound extended permit ip any 10.0.5.0 255.255.255.0
nat (LAN) 0 access-list LAN_nat0_outbound

no access-list cisco_splitTunnelAcl standard permit any
access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

route WAN 10.0.5.0 255.255.255.0 10.0.0.25 1
route WAN 0.0.0.0 0.0.0.0 10.0.0.25 1
route LAN 10.0.0.0 255.0.0.0 10.0.0.1 1

sysopt connection permit-vpn

bsn1980in Tue, 07/01/2008 - 02:29

If I remove access-lists LAN and WAN, then I will lose my connectivity to the internet from the inside network.

Rest I have configured but no luck.

Regards

bsn

bsn1980in Tue, 07/01/2008 - 02:53

I have Cisco VPN client software ver. 4.0.01 installed on one of my machines in the remote office.

I tried to access the public IP (NATted to the ASA outside private IP) with the following settings:

group user: cisco

password: cisco

Transport: IPSEC over UDP ( I have tried IPSEC over TCP 10000 as well)

That's all.

Regards

BSN

a.alekseev Tue, 07/01/2008 - 03:01

OK... then add the following:

crypto isakmp ipsec-over-tcp port 10000
group-policy cisco attributes
ipsec-udp enable

bsn1980in Tue, 07/01/2008 - 03:34

I have added this:

crypto isakmp ipsec-over-tcp port 10000

and the rest was already there in the configuration.

Still not able to connect. Can you suggest some debugs?

Regards/bsn

bsn1980in Tue, 07/01/2008 - 04:05

The debug is attached. I have replaced the source public IP. In the debug output, I can see there are no hits on group policy cisco. It is hitting the default policy. Please suggest.

Regards/bsn

a.alekseev Tue, 07/01/2008 - 04:47

tunnel-group cisco general-attributes
authentication-server-group LOCAL

bsn1980in Tue, 07/01/2008 - 19:42

I tried, but the command is not executing.

========================================
ASA(config)# tunnel-group cisco general-attributes
ASA(config-tunnel-general)# authentication-server-group LOCAL
ASA(config-tunnel-general)# exi
ASA(config)# sh run | be tunnel-group cisco general-attributes
tunnel-group cisco general-attributes
address-pool VPN-Pool
default-group-policy cisco
tunnel-group cisco ipsec-attributes
pre-shared-key *
==========================================

regards/bsn

bsn1980in Wed, 07/02/2008 - 01:16

The show run is attached.

The recent change I have made is MD5. Earlier it was SHA:

=================
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5 >>>>>>>>>>>>> It was sha earlier.
group 2
lifetime 86400
===================

Correct Answer
a.alekseev Wed, 07/02/2008 - 01:54

Try to do this:

conf t
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
no crypto map WAN_map interface WAN
crypto map WAN_map interface WAN <- just to be sure that all the changes were applied

and show:

debug crypto isa 10
debug crypto ipsec 10

bsn1980in Wed, 07/02/2008 - 02:51

I have not made above changes.

The last change I made was from SHA to MD5 and it clicked.

Thanks a lot for all your help and support.

regards/bsn
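The thread was resolved by changing the ISAKMP policy to DES/MD5/group 2 so that the VPN client's proposal matched. Those settings are deprecated today, so a defender reviewing such a box wants to see every ISAKMP policy and its weak attributes at a glance. The following script is an added example (not from the thread or from Cisco): it parses the `crypto isakmp policy` blocks out of a `show run` text, using the policy bsn posted plus a constructed stronger policy 20 as sample input, and lists which attributes fall in a weak-settings table.

```python
import re
from typing import Dict, List

# Constructed sample input: policy 10 is the one posted in the thread (ASA
# indents block members by one space); policy 20 is added here for contrast.
SAMPLE_SHOW_RUN = """
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto isakmp enable WAN
"""

# Attribute values an auditor would flag on a remote-access IPsec gateway.
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2"},
}

def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy' block."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is not None and raw and not raw.startswith(" "):
            current = None  # a non-indented line ends the policy block
            continue
        if current is not None and line:
            key, _, value = line.partition(" ")
            policies[current][key] = value
    return policies

def weak_settings(policy: Dict[str, str]) -> List[str]:
    """List 'attribute value' pairs of one policy that appear in WEAK."""
    return [f"{k} {policy[k]}" for k, bad in WEAK.items() if policy.get(k) in bad]

def audit(config: str) -> Dict[int, List[str]]:
    """Map each ISAKMP policy priority to its weak settings (empty list if none)."""
    return {prio: weak_settings(p) for prio, p in parse_isakmp_policies(config).items()}

if __name__ == "__main__":
    for prio, findings in audit(SAMPLE_SHOW_RUN).items():
        print(f"policy {prio}: {'; '.join(findings) or 'no weak settings'}")
```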
