VPN connection to ASA 5510

siclines123
Level 1

Hi, I am hoping to get some help regarding a VPN connection. I am trying to establish a connection between a remote client to a site and a site to site connection. However, I receive several errors, they are listed below:


Error 1: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Error 2: Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy x.x.x.x/0.0.0.0/17/0 local proxy x.x.x.x/255.255.255.255/17/1701 on interface outside

I have been working on this way too long and I feel like I'm spinning my wheels at this point. Any help would be greatly appreciated.

Here is the running config from the ASA

ASA Version 8.2(1)
!
hostname router
domain-name domain.local
enable password ***** encrypted
passwd ***** encrypted
names
name 192.168.10.15 Server1 description Web Server
name 192.168.10.12 Server2 description Terminal Server
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
nameif Phone
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 70.x.x.x 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup Phone
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.10.10
name-server 192.168.20.197
domain-name ADAMS.local
object-group service DM_INLINE_TCP_0 tcp
port-object eq https
port-object eq smtp
port-object eq www
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group service RDP-EXT tcp
port-object eq 3489
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
object-group service zTime tcp
port-object eq 4434
object-group service DM_INLINE_TCP_2 tcp
port-object eq https
group-object zTime
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_TCP_3 tcp
group-object RDP-EXT
port-object eq ftp
port-object eq ftp-data
group-object RDP
object-group service Spark tcp
port-object eq 5222
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
object-group service HUD tcp
port-object eq 5222
port-object eq 6600
object-group service IAX2 udp
port-object eq 4569
object-group service RTP udp
port-object range 10000 20000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_4 tcp
group-object RDP
port-object eq https
object-group service DM_INLINE_TCP_5 tcp
port-object eq https
port-object eq smtp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
access-list outside_access_in extended permit tcp any host 70.x.x.x eq https
access-list outside_access_in extended permit tcp any host 70.x.x.x object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit tcp any host 70.x.x.x object-group DM_INLINE_TCP_0
access-list outside_access_in extended permit tcp any host 70.x.x.x object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host 70.x.x.x object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host 70.x.x.x object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host 70.x.x.x object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any host 70.x.x.x eq pptp
access-list outside_access_in extended permit gre any host 70.x.x.x
access-list outside_access_in extended permit object-group TCPUDP any host 70.33.178.174 eq sip
access-list outside_access_in extended permit tcp any host 70.x.x.x object-group HUD
access-list outside_access_in extended permit udp any host 70.x.x.x object-group IAX2
access-list outside_access_in extended permit udp any host 70.x.x.x object-group RTP
access-list outside_access_in extended permit udp any host 70.x.x.x eq tftp
access-list outside_access_in extended permit tcp any host 70.x.x.x eq https
access-list outside_access_in extended permit tcp any host 70.x.x.x object-group RDP
access-list outside_access_in extended permit tcp any host 70.x.x.x object-group RDP
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit gre host 192.168.10.23 any
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 192.168.20.0 255.255.255.0
access-list Phone_access_in extended permit ip any any
access-list Phone_access_in extended permit icmp any any
access-list Phone_access_in extended permit tcp any any eq https
access-list Phone_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Phone_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Phone_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Phone_nat0_outbound extended permit ip any 192.168.10.128 255.255.255.128
access-list Phone_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0
access-list Phone_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_5 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_4 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_1_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu inside 1500
mtu Phone 1500
mtu outside 1500
mtu management 1500
ip local pool Client 192.168.10.150-192.168.10.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 101 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
nat (Phone) 0 access-list Phone_nat0_outbound
static (inside,outside) tcp 70.x.x.165 www 192.168.10.100 www netmask 255.255.255.255
static (inside,outside) 70.x.x.166 192.168.10.80 netmask 255.255.255.255
static (inside,outside) 70.x.x.171 192.168.10.51 netmask 255.255.255.255
static (inside,outside) 70.x.x.170 192.168.10.11 netmask 255.255.255.255
static (inside,outside) 70.x.x.168 192.168.10.23 netmask 255.255.255.255
static (inside,outside) 70.x.x.174 192.168.10.54 netmask 255.255.255.255
static (inside,outside) 70.x.x.172 Peridot netmask 255.255.255.255
static (inside,outside) 70.x.x.169 Sapphire netmask 255.255.255.255
static (inside,outside) 70.x.x.179 192.168.10.29 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group Phone_access_in in interface Phone
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.x.x.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DC2 protocol radius
aaa-server DC2 (inside) host 192.168.10.10
timeout 5
key H2HAs9cr
acl-netmask-convert auto-detect
aaa-server RUBY protocol ldap
aaa-server RUBY (inside) host 192.168.10.10
ldap-base-dn ou=company,dc=domain,dc=local
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=domain,dc=local
server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap_2
crypto map outside_map0 1 set peer 66.x.x.129
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 71.x.x.x
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 3 match address outside_3_cryptomap
crypto map outside_map0 3 set peer 96.x.x.x
crypto map outside_map0 3 set transform-set ESP-3DES-SHA
crypto map outside_map0 4 match address outside_4_cryptomap
crypto map outside_map0 4 set pfs
crypto map outside_map0 4 set peer 66.x.x.130
crypto map outside_map0 4 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto ca trustpoint ASDM_TrustPoint0
fqdn router
subject-name CN=router
keypair ASDM_TrustPoint0
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 5fbc9aeb
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy GrpPolicy internal
group-policy GrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
webvpn
  url-list none
  svc ask enable
tunnel-group DefaultRAGroup general-attributes
address-pool Client
authentication-server-group DomainControler
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group 71.x.x.160 type ipsec-l2l
tunnel-group 71.x.x.160 ipsec-attributes
pre-shared-key *
tunnel-group 71.x.x.50 type ipsec-l2l
tunnel-group 71.x.x.50 ipsec-attributes
pre-shared-key *
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
address-pool Client
authentication-server-group DomainCOntroler02
accounting-server-group DomainCOntroler
default-group-policy GrpPolicy
dhcp-server 192.168.10.10
tunnel-group ClientVPN webvpn-attributes
group-alias ClientVPN enable
tunnel-group 96.x.x.x type ipsec-l2l
tunnel-group 96.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 66.x.x.x type ipsec-l2l
tunnel-group 66.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 66.x.x.x type ipsec-l2l
tunnel-group 66.x.x.x ipsec-attributes
pre-shared-key *
no tunnel-group-map enable ou
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.x.x
prompt hostname context
Cryptochecksum:1d2d2ef73cf4f69df14fd3bb2eca3109
: end
asdm location 192.168.30.0 255.255.255.0 inside
asdm location 192.168.20.0 255.255.255.0 inside
asdm location 192.168.21.0 255.255.255.0 inside
asdm location Server1 255.255.255.255 inside
asdm location Server2 255.255.255.255 inside
asdm location 192.168.31.0 255.255.255.0 inside
no asdm history enable

4 Replies

Hi Sean,

Since you're getting an error in phase 2, I think the error that you're seeing in phase 1 is just part of the negotiation process (phase 1 finally got established at some point).

So, we need to focus on this error:

Error 2: Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy x.x.x.x/0.0.0.0/17/0 local proxy x.x.x.x/255.255.255.255/17/1701 on interface outside

Check that the interesting traffic on the other side matches your interesting traffic on this side exactly.


Federico.
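One way to run that "does the peer's interesting traffic match one of my crypto map entries" check mechanically, as an added example that is not part of any reply in this thread: it parses the crypto-map ACL lines from the posted config (a constructed subset, private ranges kept as posted), decodes the remote/local proxy fields of the error message (peer addresses are RFC 5737 documentation placeholders) and reports which entries cover them. The containment test is a simplification for spotting mismatches, not the ASA's exact proxy-ID comparison.

```python
import ipaddress
import re

# Constructed sample: crypto-map ACLs and map entries copied from the posted config (subset).
CONFIG = """
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.21.0 255.255.255.0
crypto map outside_map0 1 match address outside_cryptomap_2
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 3 match address outside_3_cryptomap
"""
# Constructed message in the shape of "Error 2" from the post, with placeholder peer addresses.
ERROR = ("Group = 203.0.113.7, IP = 203.0.113.7, Rejecting IPSec tunnel: no matching crypto map "
         "entry for remote proxy 203.0.113.7/0.0.0.0/17/0 local proxy "
         "198.51.100.174/255.255.255.255/17/1701 on interface outside")

ACE_RE = re.compile(r"^access-list (\S+) extended permit (ip|udp|tcp|icmp) (\S+) (\S+) (\S+) (\S+)$", re.M)
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$", re.M)
PROXY_RE = re.compile(r"remote proxy (\S+)/(\S+)/(\d+)/(\d+) local proxy (\S+)/(\S+)/(\d+)/(\d+)")
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}  # None = any protocol

def net(ip, mask):
    """Network from an address plus dotted netmask; mask 0.0.0.0 means 'any host'."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def parse_proxies(msg):
    """Return ((remote_net, proto, port), (local_net, proto, port)) from the ASA message."""
    g = PROXY_RE.search(msg).groups()
    return (net(g[0], g[1]), int(g[2]), int(g[3])), (net(g[4], g[5]), int(g[6]), int(g[7]))

def matching_entries(config, msg):
    """(map, seq, acl) entries whose ACE covers the proxy IDs: local proxy inside the ACE
    source, remote proxy inside the ACE destination, protocol 'ip' or equal. ACE ports are
    not parsed; this is a simplified check, not the ASA's exact comparison."""
    remote, local = parse_proxies(msg)
    aces = {}
    for acl, proto, src, smask, dst, dmask in ACE_RE.findall(config):
        aces.setdefault(acl, []).append((PROTO_NUM[proto], net(src, smask), net(dst, dmask)))
    hits = []
    for cmap, seq, acl in MAP_RE.findall(config):
        for proto, src, dst in aces.get(acl, []):
            if proto in (None, local[1]) and local[0].subnet_of(src) and remote[0].subnet_of(dst):
                hits.append((cmap, int(seq), acl))
    return hits

def describe(msg):
    """Human-readable reading of the proxy IDs; UDP 1701 to one local host is L2TP/IPsec."""
    remote, local = parse_proxies(msg)
    kind = "L2TP/IPsec client, not a site-to-site subnet pair" if local[1:] == (17, 1701) else "site-to-site"
    return f"remote {remote[0]} proto {remote[1]} port {remote[2]} -> local {local[0]} proto {local[1]} port {local[2]}: {kind}"
```

For the posted error the result is an empty list: the proxy IDs describe a single-host UDP 1701 exchange, which none of the subnet-to-subnet entries in outside_map0 can cover, so comparing the L2L ACLs alone will not explain this rejection.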

Hi Federico,

I checked both sides and they have crypto maps that show the correct addresses.

But I get this error with a VPN client as well. Using a Windows VPN connection method.

Silly question, but should I clear the ASDM cache?

Thanks,
Sean

Sean,

Please post the output of the following commands when attempting the VPN connection.

debug cry isa 127

debug cry ips 127

The above will show us exactly what is failing with the VPN.

Federico.

Silly question? How do I do that on the ASA?