Cisco 5505 VPN Remote Access Problems

Unanswered Question
Feb 10th, 2010

Hi Yall,

      I have setup remote access via ASDM and it seems like I am missing some NAT rules and or something because I cannot connect for the life of me. I am using Cisco VPN client Version 5.0.01 0600 and I am recieving error message Reason 412:The remote peer is no longer responding. I am testing the connection internally from the site, is this causing a loop and preventing me from connecting? Do I need to test it remotely?

Here is my config;

ASA Version 8.2(2)
hostname ciscoasa
enable password TGFUt.AsMHJOyury encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list inside_nat0_outbound extended permit ip any 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN_Pool mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface ftp ftp netmask 255.2
static (inside,outside) tcp interface ftp-data ftp-data net
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_M
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN_Tunnel internal
group-policy VPN_Tunnel attributes
dns-server value
vpn-tunnel-protocol IPSec
username test123 password 274Y4GRAbNElaCoV encrypted privilege 0
username test123 attributes
vpn-group-policy VPN_Tunnel
tunnel-group VPN_Tunnel type remote-access
tunnel-group VPN_Tunnel general-attributes
address-pool VPN_Pool
default-group-policy VPN_Tunnel
tunnel-group VPN_Tunnel ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Wed, 02/10/2010 - 18:57


First  observation I do not see clear is the  incomplete nonat exempt rule access-list inside_nat0_outbound extended permit ip any 255 and comparing it against your VPN Pool address  VPN_Pool mask , also your VLAN1 which is your inside interface LAN that  also routes for network is  also used for VPN Pool which  by the way is ok, but also opens doors for problems and sometimes could be painfull to troubleshoot.

Personally  if there is not a real good reason to use VPN network ID and inside Network ID  I recomend to keep networks separated usinng their own network ID . If your  inside LAN is , make your VPN pool something different , is one example.

Going  back to your possible problems I would re-design your logical network for VPN pool, should be fairly  easy to do:

remove a recreate Pool

no ip local pool VPN_Pool mask

create new one

ip local pool VPN_Pool mask

remove this acl  --> access-list inside_nat0_outbound extended permit ip any 255......

add new  exempt acl bellow

access-list inside_nat0_outbound extended permit ip

one statement you also need is to enable  NAT traversal

asa(config)#crypto isakmp nat-traversal 20

that's it prety much,  you should test RA  VPN  from the outside internet.


importking Wed, 02/10/2010 - 19:36

Great, Thanks. I will test it once I dig my way out tomorrow...

importking Fri, 02/12/2010 - 20:56

Sorry, I did not have a chance to test it yet. I will test it ASAP. Thanks


This Discussion