Thank you Raj,

for this information is ok.

But i want to know more about while i devloped VPN remote connection from client(through internet ) to asa 5540.

what ip i should given to VPN Lan card.

hello Raj,

i describe my n/w then u tell me what i do configure on ASA.

My inside n/w:192.168.10.1

My dmz n/w : 192.168.1.0

now i want to access my inside server system to internet through and access via VPN.

so what ip i give to ip pool while i configure VPN for remote access?

what i configure in client VPN and also tell me client side any requriment?

so what ip i give to ip pool while i configure VPN for remote access?

Mitang,

Your VPN pool network can be any private RFC1918 network, preferably a network that is not the same as your inside or DMZ subnets to easy troubleshooting in invent of issues. Create your VPN pool network, for sake of example assume you will use 10.20.20.0/24 for RA VPN.

So you will have

1- inside n/w:192.168.10.1

2- dmz n/w : 192.168.1.0

and

3- VPN RA network 10.20.20.0/24

If not done so create VPN tunnel and assign the VPN Pool network to that tunnel Here is a link with examples in creating and assigning pool network to tunnel names.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

now i want to access my inside server system to internet through and access via VPN.

after you have created the RA tunnel with respective IP local pool for RA to that tunnel work on access list

to allow the traffic to DMZ network 10.20.20.0/24 from VPN pool network.

Create nonat exempt rules - ACLs and nat exempt statements .

you can either allow whole VPN pool access to DMZ network by:

access-list NONAT_traffic extended permit ip 192.168.1.0 255.255.255.0 10.20.20.0 255.255.255.0

or you can allow VPN pool Network access to one DMZ host,assume DMZ server is 192.168.1.X:

access-list NONAT_traffic extended permit ip host 192.168.1.X 10.20.20.0 255.255.255.0

apply nonat exempt rull in your DMZ interface as:

nat (dmz) 0 access-list NONAT_traffic

////////////////////////////

Same principle applies if you required down the road access hosts in your inside interface for RA VPN pool network.

access-list NONAT_traffic extended permit ip host 192.168.10.0 10.20.20.0 255.255.255.0

nat (inside) 0 access-list NONAT_traffic

what i configure in client VPN and also tell me client side any requriment?

Your RA vpn users will obiously need Cisco VPN Client Software loaded on their machines,you will need to provide them with tunnel group name and password to authenticate the tunnel, you did not mention users authentication but the link provided above gives examples of creating local users account localy on the ASA or if you will be using IAS RADIUS windows AD for user authen there are other configuration requirements needed for that on the tunnel shown here.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

Hope this helps

Regards

hi.

thank you.

i had created but i could not connect with my n/w to that server.

below i give log of client VPN.

and i give u what i made in ASA 5540 configuration.

This is my ASA 5540 configuration.

access-list INSIDE_nat0_outbound line 1 extended permit ip host 192.168.10.108 10.20.20.0 255.255.255.240

nat (INSIDE) 0 access-list INSIDE_nat0_outbound

username user password XEaJpJFaYvDqZKxJ encrypted privilege 0

username user attributes

vpn-group-policy testgroup

ip local pool test 10.20.20.0-10.20.20.15 mask 255.255.255.240

group-policy testgroup internal

group-policy testgroup attributes

dns-server value 203.124.20.100

tunnel-group testgroup type ipsec-ra

tunnel-group testgroup general-attributes

default-group-policy testgroup

address-pool test

tunnel-group testgroup ipsec-attributes

pre-shared-key #123*

isakmp policy 10 authen pre-share

isakmp policy 10 encrypt 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

no crypto dynamic-map outside_dyn_map 20 set nat-t-disable

no crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

This is my client configuration.

Cisco Systems VPN Client Version 5.0.03.0560

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

89 09:18:57.468 05/11/09 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 10.20.20.0.

90 09:18:57.468 05/11/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 10.20.20.0

91 09:18:57.890 05/11/09 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

92 09:18:57.890 05/11/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

93 09:19:02.890 05/11/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

94 09:19:02.890 05/11/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 10.20.20.0

95 09:19:07.890 05/11/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

96 09:19:07.890 05/11/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 10.20.20.0

97 09:19:12.890 05/11/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

98 09:19:12.890 05/11/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 10.20.20.0

99 09:19:17.890 05/11/09 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=E37BCC570A0B52E6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

100 09:19:18.390 05/11/09 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=E37BCC570A0B52E6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

101 09:19:18.390 05/11/09 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

102 09:19:18.390 05/11/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

103 09:19:18.390 05/11/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

104 09:19:18.390 05/11/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

105 09:19:18.390 05/11/09 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Plz suggest me whr ido change so i get to connection.

89 09:18:57.468 05/11/09 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 10.20.20.0.

Mitang,

Just to make sure before we go fruther, are you VPNing in from outside your network? as this above log output from vpn client got me confused as it seems is attempting connection to 10.20.20.0 , connection should be towards vpn gateway which is your ASA5540 oustide interface IP address.. could you confirm PLS.

In your VPN client software when you configure NEW connections entry under HOST field you should place your ASA5540 outside IP address which is your Ipsec termination point, again as it seems to me based on the VPN log you are placing 10.20.20.0.

Regards

yes i want to VPNing outside n/w like broadband internet connection.

10.20.20.0 is my ip local pool.

ok now what i configure in asa so i got logs from asa.

When i give VPN clint to my Outside interface IP then its give me below logs.

5|May 11 2009 11:56:46|713904: IP = (VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt

5|May 11 2009 11:56:41|713904: IP = 192.168.100.2(VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt

5|May 11 2009 11:56:36|713904: IP = 192.168.100.2(VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt

5|May 11 2009 11:56:31|713904: IP = 192.168.100.2(VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt

6|May 11 2009 11:56:31|302015: Built inbound UDP connection 763351 for outside:192.168.100.2/4969 (192.168.100.2/4969) to NP Identity Ifc:outside interface/500 (Outside interface/500)

5|May 11 2009 11:56:15|713904: IP = 192.168.100.2(VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt

Do you have this command configured on your ASA? "crypto isakmp am-disable"

If so, you need to "no" it out.

Info -> http://www.cisco.com/en/US/customer/docs/security/asa/asa72/command/reference/c5_72.html#wp2067847

Thank you.

i got to connect my VPN client.

Thankyou for support