ASA 5505 remote-vpn help

niko.hartung
Level 1

Out-of-the-box configuration. Changed the internal IP range, DHCP pool and ASDM config. Then I ran the VPN wizard to connect a VPN client. I can't establish a tunnel whatsoever. Find attached the config and the log.

Thank you in advance for your help

Niko


srue
Level 7

I pulled this off of a working config, 5505 7.2(3)

=====================================

ip local pool vpnpool 10.x.y.1-10.x.y.10 mask 255.255.255.0
crypto ipsec transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNAMICMAP 5 set transform-set AES256_SHA
crypto dynamic-map DYNAMICMAP 5 set security-association lifetime seconds 7200
crypto map CRYPTOMAP 5 ipsec-isakmp dynamic DYNAMICMAP
crypto map CRYPTOMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
group-policy GROUPPOLICYNAME internal
group-policy GROUPPOLICYNAME attributes
 dns-server value 10.x.y.z
 vpn-idle-timeout 120
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel_acl
 default-domain value domain.org
 split-dns value domain.org
tunnel-group VPNGROUPNAME type ipsec-ra
tunnel-group VPNGROUPNAME general-attributes
 address-pool vpnpool
 default-group-policy GROUPPOLICYNAME
tunnel-group VPNGROUPNAME ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none

============================================

the very last line disables xauth...

Thanks for your quick response. I've tried to disable xauth already but no luck.

based on your configuration, you have to set the group name (in the cisco vpn client) to 10.0.0.0

is that really what you want?

you also don't have nat-t enabled, which might be causing issues.

if you don't want xauth, just add that last line under the tunnel-group ipsec attributes.
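As an added example (not from any poster in this thread), a small Python linter for the points raised in the two replies above: it checks that every object the sample remote-access config refers to is actually defined, that NAT-T and ISAKMP are enabled, and it flags the disabled xauth line. The function name `lint_ra_vpn` and the `SAMPLE` config are constructed for illustration and assume the ASA 7.x command syntax shown in the sample.

```python
import re

# Constructed sample (placeholder values): NAT-T and the split-tunnel ACL are missing.
SAMPLE = """\
ip local pool vpnpool 10.9.9.1-10.9.9.10 mask 255.255.255.0
crypto ipsec transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNAMICMAP 5 set transform-set AES256_SHA
crypto map CRYPTOMAP 5 ipsec-isakmp dynamic DYNAMICMAP
crypto map CRYPTOMAP interface outside
crypto isakmp enable outside
group-policy GROUPPOLICYNAME internal
group-policy GROUPPOLICYNAME attributes
 split-tunnel-network-list value splittunnel_acl
tunnel-group VPNGROUPNAME type ipsec-ra
tunnel-group VPNGROUPNAME general-attributes
 address-pool vpnpool
 default-group-policy GROUPPOLICYNAME
tunnel-group VPNGROUPNAME ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
"""

def lint_ra_vpn(config):
    """Return findings for an ASA 7.x-style IPsec remote-access config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def names(pattern):
        return {m.group(1) for l in lines if (m := re.match(pattern, l))}
    findings = []
    # Each tuple: (object kind, names referenced, names defined).
    refs = [
        ("address pool", names(r"address-pool (\S+)"), names(r"ip local pool (\S+)")),
        ("group-policy", names(r"default-group-policy (\S+)"), names(r"group-policy (\S+) internal")),
        ("split-tunnel ACL", names(r"split-tunnel-network-list value (\S+)"), names(r"access-list (\S+)")),
        ("transform-set", names(r"crypto dynamic-map \S+ \d+ set transform-set (\S+)"), names(r"crypto ipsec transform-set (\S+)")),
        ("dynamic-map", names(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"), names(r"crypto dynamic-map (\S+)")),
    ]
    for kind, used, defined in refs:
        findings += [f"{kind} '{n}' referenced but not defined" for n in sorted(used - defined)]
    if not names(r"crypto isakmp (enable) \S+"):
        findings.append("ISAKMP not enabled on any interface")
    if not names(r"crypto map (\S+) interface \S+"):
        findings.append("no crypto map applied to an interface")
    if not names(r"crypto isakmp (nat-traversal)"):
        findings.append("NAT-T not enabled (clients behind NAT may fail)")
    if not names(r"tunnel-group (\S+) type ipsec-ra"):
        findings.append("no ipsec-ra tunnel-group (the client's group name)")
    if names(r"isakmp ikev1-user-authentication (none)"):
        findings.append("xauth disabled: the group pre-shared key is the only credential")
    return findings
```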

Hi Niko

Attached config is a mess, attach the config you made after analyzing srue's sample RA-VPN config

Regards

Thanks for your quick response. I've tried to disable xauth already but no luck.

Niko

Assuming that this is a start from scratch (you are newly configuring this device) and this config is messy (webvpn policy etc.), I suggest you load factory defaults, change your LAN IP and subnet, then follow this step-by-step guide to configure VPN

http://www.petenetlive.com/Tech/Firewalls/Cisco/c2svpn.htm

I'll give it a try.

thx
