Can't logon to CVPN-3000 after using PIX-to-ASA Migration Tool on ASA-5520

Sep 29th, 2009

After using the Cisco PIX-to-ASA Migration Tool to configure a Cisco ASA-5520 to replace a PIX 515E, users can no longer connect to a CVPN 3005 concentrator. "Secure VPN Connected terminated by peer. Reason 427: Unknown Error Occurred at Peer."


I suspect the problem has to do with nat transparency, but I am not sure how to modify the global policy-map. Can anyone refer me to a document that might provide the answer? Thank you.


My configuration of my ASA-5520 is as follows:


hostname ASA-5520-DIA
domain-name ciscopix.com
enable password --------------------- encrypted
passwd ------------------------ encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address <public ip>
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address <private ip>
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address <dmz ip>
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CDT -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name
access-list 102 extended permit tcp any host <public ip> eq www
access-list 102 extended permit tcp any host <public ip> eq smtp
access-list 102 extended permit esp any host <cvpn 3000 public ip>
access-list 102 extended permit udp any host <cvpn 3000 public ip> eq isakmp
access-list 102 extended permit udp any host <cvpn 3000 public ip> eq 4500
access-list 102 extended permit udp any host <cvpn 3000 public ip> eq 10000
access-list 105 extended deny ip any any log
pager lines 65
logging enable
logging timestamp
logging trap alerts
logging host inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 <public ip> netmask <mask>
nat (inside) 1 <inside ip> <inside mask>
nat (DMZ) 1 <dmz ip> <dmz mask>
static (DMZ,outside) <cvpn 3000 public ip> <cvpn 3000 dmz ip> netmask <mask>
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 __________
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http ------------------ inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet ---------------------- inside
telnet timeout 60
ssh ------------------- inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server --------------- source outside prefer
webvpn
policy-map global_policy
service-policy global_policy global
prompt hostname context
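An added audit script, not from the thread and not a Cisco tool, that checks a config in the shape posted above for the two things worth verifying before chasing NAT transparency: that the ACL bound to the outside interface permits ESP, UDP/500, UDP/4500 and UDP/10000 to every static-mapped public IP, and whether `policy-map global_policy` carries any class or inspect lines (the posted one is empty). The sample config is constructed; documentation-range addresses stand in for the redacted `<...>` values, and the UDP/4500 permit is deliberately omitted so the check has something to report.

```python
import re

# Constructed sample shaped like the posted ASA config. 203.0.113.10 stands in
# for <cvpn 3000 public ip>, 192.0.2.10 for <cvpn 3000 dmz ip>; the UDP/4500
# (NAT-T) permit present in the real post is left out on purpose.
SAMPLE_CONFIG = """\
access-list 102 extended permit tcp any host 203.0.113.5 eq www
access-list 102 extended permit esp any host 203.0.113.10
access-list 102 extended permit udp any host 203.0.113.10 eq isakmp
access-list 102 extended permit udp any host 203.0.113.10 eq 10000
static (DMZ,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-group 102 in interface outside
policy-map global_policy
service-policy global_policy global
"""

# What a remote IPsec client must be able to reach on a NAT'd concentrator:
# raw ESP, IKE on UDP/500, NAT-T on UDP/4500, Cisco IPsec-over-UDP on UDP/10000.
REQUIRED = [("esp", None), ("udp", "500"), ("udp", "4500"), ("udp", "10000")]
PORT_ALIASES = {"isakmp": "500"}  # ASA prints well-known ports by name

ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \(\S+,outside\) (\S+) \S+ netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def audit(config):
    """Return missing permits per static-mapped public IP and whether
    global_policy has any class/inspect entries."""
    permits, statics, outside_acl, inspects, in_global = set(), [], None, False, False
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            port = PORT_ALIASES.get(m.group(4), m.group(4))
            permits.add((m.group(1), m.group(2), m.group(3), port))
        elif m := STATIC_RE.match(line):
            statics.append(m.group(1))
        elif m := GROUP_RE.match(line):
            outside_acl = m.group(1)
        # Track whether the global policy-map body actually inspects anything.
        if line.startswith("policy-map "):
            in_global = line == "policy-map global_policy"
        elif in_global and line.startswith(("class ", "inspect ")):
            inspects = True
    missing = {}
    for ip in statics:
        gaps = [f"{proto}/{port or '-'}" for proto, port in REQUIRED
                if (outside_acl, proto, ip, port) not in permits]
        if gaps:
            missing[ip] = gaps
    return {"missing": missing, "global_policy_inspects": inspects}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```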


Richard Burts Wed, 09/30/2009 - 08:57

Jerry


I am confused. You describe a conversion to ASA and you provide a configuration of an ASA. So where does the CVPN 3005 fit into this?


Is the ASA a replacement for the CVPN 3005? Does the ASA use the same addressing as the CVPN 3005? If so, it sounds like the duplicated address used in both devices would be the problem.


If that is not the issue then please provide more information so we can understand better what is going on.


HTH


Rick
