VPN PROBLEM CISCO ASA 5505

Answered Question
Jul 2nd, 2012

Hello, I have been trying to configure a VPN with a Cisco ASA 5505 and Cisco VPN Client 5.x for 3 weeks and have not been able to accomplish it, so I decided to reset to factory defaults and start over again.

I used the ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).

The tunnel seems to be established properly, since I do see an endpoint in 'sh crypto isakmp sa', but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so the VPN is not working as expected. I can't ping or RDP to the internal LAN:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

The running-config it created is:

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password XXXX encrypted
passwd XXXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.254 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ADSL_Telefonica
 ip address pppoe setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
 subnet 172.16.0.0 255.255.0.0
access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 55
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 55
console timeout 0
vpdn group ADSL_Telefonica request dialout pppoe
vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
vpdn group ADSL_Telefonica ppp authentication pap
vpdn username adslppp@telefonicanetpa password *****
dhcpd auto_config outside
!
dhcpd address 172.16.2.2-172.16.2.129 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
 dns-server value 172.16.1.1
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
username test password XXXXXX encrypted privilege 0
username test attributes
 vpn-group-policy test
username ignacio password XXXXXXX encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool test
 default-group-policy test
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
: end

Thank you very much for your help
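The two counter lines quoted in the post are the diagnostic that decides where to look next: 'encaps' counts packets the ASA encrypted towards the client, 'decaps' counts packets it received from the client and decrypted, and the pattern of which one moves during a test tells you which side is silent. As an added example (not code from the original post, from the answerer or from Cisco), the Python below parses two snapshots of 'show crypto ipsec sa' taken before and after the remote user runs a ping, diffs the counters per peer and maps the pattern to a likely cause. The snapshot text, the peer and pool addresses (RFC 5737 ranges) and the function names are constructed for the example; the counter lines use the format shown in the post.

```python
import re
from typing import Dict, Tuple

# Constructed sample: two snapshots of "show crypto ipsec sa" from the ASA,
# one before and one after the remote user ran a ping test. Peer 198.51.100.7
# is the situation in the post (nothing moves); peer 198.51.100.8 receives
# client packets but never sends any back.
SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: test
      dynamic allocated peer ip: 10.0.0.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
      current_peer: 198.51.100.8, username: ignacio
      dynamic allocated peer ip: 10.0.0.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

# Second snapshot: only the decaps counter of the second peer has advanced.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4",
    "#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16",
)

PEER_RE = re.compile(r"current_peer:\s*([0-9A-Fa-f.:]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_counters(output: str) -> Dict[str, Tuple[int, int]]:
    """Return {peer_address: (encaps, decaps)} for every SA block in the output."""
    counters: Dict[str, Tuple[int, int]] = {}
    peer = None
    encaps = None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer, encaps = m.group(1), None
            continue
        m = ENCAPS_RE.search(line)
        if m:
            encaps = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m and peer is not None and encaps is not None:
            counters[peer] = (encaps, int(m.group(1)))
            peer, encaps = None, None
    return counters


def diagnose(before: Dict[str, Tuple[int, int]],
             after: Dict[str, Tuple[int, int]],
             peer: str) -> Tuple[str, str]:
    """Compare one peer's counters across the two snapshots and name the pattern."""
    b_enc, b_dec = before.get(peer, (0, 0))
    a_enc, a_dec = after.get(peer, (0, 0))
    d_enc, d_dec = a_enc - b_enc, a_dec - b_dec
    if d_enc < 0 or d_dec < 0:
        # A new SA starts counting at zero, so a decrease means the SA was
        # rekeyed or rebuilt between the snapshots and the diff is meaningless.
        return "sa-rebuilt", "counters went backwards: SA was rebuilt, repeat the test"
    if d_enc == 0 and d_dec == 0:
        return ("no-traffic", "nothing entered the tunnel in either direction: the client "
                "is not sending into it (client/adapter problem, or the destination is "
                "outside the split-tunnel list)")
    if d_dec > 0 and d_enc == 0:
        return ("no-return-traffic", "client packets arrive and are decrypted but no reply "
                "goes back: check NAT exemption, the LAN host's route to the pool and "
                "its host firewall")
    if d_enc > 0 and d_dec == 0:
        return ("no-client-traffic", "ASA sends to the client but receives nothing: check "
                "the client-to-ASA path (UDP 500/4500, ESP) and the client's statistics")
    return "ok", "traffic flows both ways; the tunnel is fine, look at the application"


if __name__ == "__main__":
    before = parse_ipsec_counters(SNAPSHOT_BEFORE)
    after = parse_ipsec_counters(SNAPSHOT_AFTER)
    for peer in after:
        code, why = diagnose(before, after, peer)
        print(f"{peer}: {code}: {why}")
```

Take the two snapshots within one SA lifetime (the counters belong to the SA, not to the user, and restart at zero when it is rebuilt), and run the ping from the client while the VPN client's own statistics window is open: if the ASA reports "no-traffic" but the client shows bytes sent, the packets are leaving the client but not reaching the ASA; if the client shows nothing sent either, the problem is on the client side, which is what this thread ended up with.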

Karsten Iwen Mon, 07/02/2012 - 14:33

Your config is not complete. You have no IP-pool assigned to your VPN and you are also missing the NAT-exemption.

You can use the VPN-wizard to add a working VPN-setup. And don't forget to enable the ASDM-option to preview commands before sending to the ASA, so that you can look at what the ASDM has configured.

PedroGonzalezZ Tue, 07/03/2012 - 03:14

Firstly, I apologize for any inconvenience caused, because I remade the config just before leaving the office and I did it wrong. I have changed my original post, including the updated running config and some screenshots.

Karsten Iwen Tue, 07/03/2012 - 03:36

Your config looks good so far. Look at the statistics of the VPN client while connected and testing. Are the counters incrementing?

Correct Answer
Karsten Iwen Tue, 07/03/2012 - 12:39

That looks like a client-problem. Are you using an actual version of the VPN-Client? And have you tried a different PC as a client?

PedroGonzalezZ Wed, 07/04/2012 - 07:31

Yes, it was a VPN client problem. I was doing tests with a WWAN card and it seems it is not compatible with Windows 7.

• The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).

I should have read Release Notes before. Thank you very much for your help and effort.

Karsten Iwen Wed, 07/04/2012 - 10:05

Then you could migrate to the AnyConnect client. That's running with many data cards. For the ASA it's a different config: you need a certificate and probably a new license (AnyConnect Essentials for about 50 to 60 bucks).
