Cisco Support Community

VPN Client config for ASA 5505 8.2(1)

Every time I add a tunnel-group for the Cisco VPN client, my L2L VPNs stop working. Below is my currently working config. Would someone mind posting the commands I need to add to enable the Cisco VPN client to connect while allowing all current connections to work? I just can't figure it out, even following examples on the Cisco site. Thanks so much for any help.


pff-pix# sh conf
: Saved
: Written by enable_15 at 22:50:30.359 UTC Tue Jul 23 2013
!
ASA Version 8.2(1)
!
hostname pff-pix
domain-name xx.com
enable password xxxxx encrypted
passwd xxxxx encrypted
names
name xxx.xxx.xxx.248 o-pix-outside
name xxx.xxx.xxx.67 b-pix-outside
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.8.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.35 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name xx.com
access-list outside_access_in extended permit icmp any any echo-reply
access-list internet-traffic extended permit ip 192.168.8.0 255.255.255.0 any
access-list pff-to-allGvnPix-vpn extended permit ip 192.168.8.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list pff-to-allGvnPix-vpn extended permit ip 192.168.8.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list pff-to-allGvnPix-vpn extended permit ip 192.168.8.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list pff-to-allGvnPix-vpn extended permit ip 192.168.8.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list pff-to-o-vpn extended permit ip 192.168.8.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list pff-to-b-vpn extended permit ip 192.168.8.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Split-Tunnel-List extended permit ip 192.168.8.0 255.255.255.0 10.10.8.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool ippool 10.10.8.1-10.10.8.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pff-to-allGvnPix-vpn
nat (inside) 1 access-list internet-traffic
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GvnPix256-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set GvnPix256-set
crypto map toGvnPix 6 match address pff-to-b-vpn
crypto map toGvnPix 6 set peer b-pix-outside
crypto map toGvnPix 6 set transform-set GvnPix256-set
crypto map toGvnPix 10 ipsec-isakmp dynamic dynmap
crypto map toGvnPix 27 match address pff-to-o-vpn
crypto map toGvnPix 27 set peer o-pix-outside
crypto map toGvnPix 27 set transform-set GvnPix256-set
crypto map toGvnPix interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 18
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp am-disable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.8.2-192.168.8.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy PFFYCInternal internal
group-policy PFFYCInternal attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-List
default-domain value xx.com
username pix password xxxxx encrypted privilege 15
username ycclient password xxxxx encrypted
username ycclient attributes
vpn-group-policy PFFYCInternal
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive threshold 60 retry 2
tunnel-group DefaultRAGroup general-attributes
address-pool ippool
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 60 retry 2
tunnel-group xxx.xxx.xxx.248 type ipsec-l2l
tunnel-group xxx.xxx.xxx.248 ipsec-attributes
pre-shared-key *
tunnel-group xxx.xxx.xxx.67 type ipsec-l2l
tunnel-group xxx.xxx.xxx.67 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxx
pff-pix#

1 REPLY
Re: VPN Client config for ASA 5505 8.2(1)

The sequence with which you add your dynamic crypto map to the static crypto map needs to be higher than all other sequences. Just give it a 65000:

no crypto map toGvnPix 10 ipsec-isakmp dynamic dynmap

crypto map toGvnPix 65000 ipsec-isakmp dynamic dynmap

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
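The ordering rule from the reply above, turned into a check that can be run over a saved ASA configuration before the next tunnel-group is added. This is an added example, not code from the thread or from Cisco; the sample lines are constructed from the shape of the poster's crypto map, and 65000 is the sequence number the reply suggests.

```python
import re
# Constructed sample modelled on the poster's crypto map (not the original file).
SAMPLE_CONFIG = """\
crypto map toGvnPix 6 match address pff-to-b-vpn
crypto map toGvnPix 6 set peer b-pix-outside
crypto map toGvnPix 10 ipsec-isakmp dynamic dynmap
crypto map toGvnPix 27 match address pff-to-o-vpn
crypto map toGvnPix 27 set peer o-pix-outside
crypto map toGvnPix interface outside
"""
# 'crypto map <name> <seq> <rest>'; the 'interface outside' binding has no seq.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")

def parse_crypto_map(config):
    """Return {map_name: {seq: dynmap_name or None}} for every crypto map entry."""
    maps = {}
    for raw in config.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entries = maps.setdefault(name, {})
        entries.setdefault(seq, None)
        if rest.startswith("ipsec-isakmp dynamic "):
            entries[seq] = rest.split()[-1]  # dynamic map bound to this sequence
    return maps

def find_shadowed_static_entries(config):
    """Return [(map_name, static_seq, dynamic_seq)] for L2L entries numbered above a dynamic one.
    The ASA walks a crypto map in ascending sequence order and a dynamic entry has
    no 'match address', so the dynamic entry belongs at the highest sequence number."""
    findings = []
    for name, entries in parse_crypto_map(config).items():
        dyn_seqs = [s for s, d in entries.items() if d]
        if dyn_seqs:
            first_dyn = min(dyn_seqs)
            findings += [(name, s, first_dyn) for s in sorted(entries)
                         if entries[s] is None and s > first_dyn]
    return findings

def renumber_dynamic_entries(config, new_seq=65000):
    """CLI commands that move every dynamic entry to sequence new_seq (the fix in the reply)."""
    cmds = []
    for name, entries in parse_crypto_map(config).items():
        for seq, dynmap in sorted(entries.items()):
            if dynmap and seq != new_seq:
                cmds.append(f"no crypto map {name} {seq} ipsec-isakmp dynamic {dynmap}")
                cmds.append(f"crypto map {name} {new_seq} ipsec-isakmp dynamic {dynmap}")
    return cmds
```

Run against a `show running-config` capture, the check reports the L2L entry at sequence 27 as sitting behind the dynamic entry at 10 and emits the same two commands the reply gives.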
