asa5510 and business class dsl problems

vgoradia
Level 1

Below is my setup.

A business class DSL modem with a static IP (100.0.0.1) connects to an ASA5510.

The ISP provided me another static routable IP for the ASA5510, and I configured the 5510 outside interface with this (100.0.0.2).

I also have a couple of machines behind the inside interface of the 5510 (172.16.1.0).

All I want to do is let some people VPN into the inside network to do some troubleshooting.

I don't need anyone from the inside to access the net, so no NAT is needed.

I went through the normal VPN config and the remote VPN wizard.

However, using the Cisco VPN client, I'm unable to log in.

I can ping the 100.0.0.1 interface but cannot VPN in.

I think there is no path from 100.0.0.1 to 100.0.0.2.

Any suggestions?

24 Replies

Good news and bad news.

The good news is that SSH works.

The bad news is that I'm unable to log on with my password.

I tried to log in as 'admin', 'pix' and blank, and I input my enable/console password, and it didn't take any!

Also, I tried the VPN client and it failed.

I tried to log in through IPsec/TCP port 10000; it established the TCP connection and then tried to send the ISAKMP OAK AG packet, but there was no response from the 5510.

Anything else I can try? And what can I use to log on through SSH?

Thanks for all the help.

Hello Vishal,

Let's divide and conquer instead of putting every problem in the same basket.

Let's fix the SSH issue first.

So, the ASA has two passwords: the normal Telnet password and the enable password.

When you SSH into the ASA, use the username "pix" and the Telnet password.

Then you will get the prompt for enable:

ASA>

After that, type enable and enter the enable password. You should be able to log in.

Please rate this topic, if it helps.

Thanks

Gilbert

Gilbert,

Good news is the SSH issue is resolved.

Bad news is that I'm an idiot.

I had not set a Telnet password and didn't realize this.

I used the default username and the default password and, sure enough, it let me in.

So I'm all set with SSH, which is a great relief because now I do not have to go on site to configure the 5510. I can sit in my office and play with it and then dial out to an ISP to test the VPN.

So what's next... guru?

Vishal,

Good to hear that you got it working.

Now, let's get the VPN client to work.

SSH into your ASA and enable the debugs:

"deb cry isa 128" & "deb cry ipsec 128"

Issue the command "term mon".

Connect with your VPN client and let's see where this is failing.

Run the logs on the client at the same time you are trying to connect.

Attach both - the debugs and the logs - and let me take a look at them.

Cheers

Gilbert

This is what term mon shows, which may explain the whole problem...

The x.x.105.96 IP is the machine that has the VPN client trying to connect to the 5510.

ciscoasa# Mar 14 14:22:50 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 14:22:55 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 14:23:00 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 14:23:05 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt

Are you connecting to the interface with the IP "x.x.80.98", as per your ASA configuration posted previously?

If so, can you please apply this command:

cry map outside_map interface outside

Run the commands again and see if it gets connected. :)

Cheers

Gilbert

No dice.

The x.x.80.98 is the outside int of the 5510. This is a routable IP.

The x.x.105.96 is the IP of the VPN client which is trying to establish a VPN connection with the 5510.

This is what I got from term mon:

ciscoasa# debug cry isa 128
ciscoasa# debug cry ipsec 128
ciscoasa# term mon
ciscoasa# Mar 14 15:01:40 [IKEv1]: IP = x.x.105.96, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 808
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing ke payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing ISA_KE payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing nonce payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing ID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, Received xauth V6 VID
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, Received DPD VID
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, Received Cisco Unity client VID
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, processing IKE SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing ISAKMP SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing ke payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing nonce payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, Generating keys for Responder...
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing ID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing hash payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, Computing hash for ISAKMP
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing Cisco Unity VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing xauth V6 VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing Fragmentation VID + extended capabilities payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 14 15:01:40 [IKEv1]: IP = x.x.105.96, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 352
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE AM Responder FSM error history (struct &0x3f6c458) , : AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE SA AM:b53d7823 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, sending delete/delete with reason message
Mar 14 15:01:40 [IKEv1]: Group = DefaultRAGroup, IP = x.x.105.96, Removing peer from peer table failed, no match!
Mar 14 15:01:40 [IKEv1]: Group = DefaultRAGroup, IP = x.x.105.96, Error: Unable to remove PeerTblEntry.

Also, on the VPN client, the reason given for the failure was "DEL_REASON_IKE_NEG_FAILED".

OK - let's go step by step.

I need the following...

a. Current config on the ASA.

b. If you go to the client, what is the group name you have entered?

groupname --> vgoradia

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.80.98 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.4.x 255.255.252.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 172.16.4.0 255.255.252.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.16.4.220-172.16.4.230 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 x.x.80.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy EAT internal
group-policy EAT attributes
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
username xxx password xxxx privilege 15
username vgoradia attributes
 vpn-group-policy EAT
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool vpnpool
 default-group-policy EAT
tunnel-group EAT ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 5
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxx
: end
ciscoasa#

The group name should be EAT, which is what is configured in the tunnel-group parameters on your ASA. It should not be "vgoradia" but what is configured on the ASA.

And the password should be the one that you have configured under the tunnel-group parameter for the pre-shared key:

tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool vpnpool
 default-group-policy EAT
tunnel-group EAT ipsec-attributes
 pre-shared-key *

Let me know how this pans out.

Rate this post, if it helps.

Thanks

Gilbert
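A small triage script, added here as an example and not part of the thread or of Cisco's tooling, that automates the two checks Gilbert works through above: whether the running config binds a crypto map and enables ISAKMP on the outside interface (the "No crypto map bound to interface" drops), and whether the ISAKMP debug shows the peer being handled under DefaultRAGroup, which is what the ASA falls back to when the group name in the client's aggressive-mode ID payload matches no configured ipsec-ra tunnel-group (the second debug, where the client was sending "vgoradia" instead of "EAT"). The sample config and debug lines are constructed from the posts above with the real addresses replaced by documentation-range placeholders; all function names are my own.

```python
"""Triage Cisco ASA IKEv1 remote-access failures from config plus debug output.

Example code added for this thread (not Cisco's and not the posters' own).
It reads a running config and 'debug crypto isakmp' lines and reports the
most likely cause, in the order the thread hit them: no crypto map bound,
then a client group name that matched no tunnel-group.
"""
import re

# Constructed sample: the VPN-relevant lines of the config posted in the
# thread; addresses and the key are placeholders.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.98 255.255.255.252
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool vpnpool
 default-group-policy EAT
tunnel-group EAT ipsec-attributes
 pre-shared-key *
"""

# Constructed samples: debug lines in the shape shown in the thread, with the
# peer address replaced by a documentation-range placeholder.
SAMPLE_DEBUG_NO_MAP = """\
ciscoasa# Mar 14 14:22:50 [IKEv1]: IP = 203.0.113.96, No crypto map bound to interface... dropping pkt
Mar 14 14:22:55 [IKEv1]: IP = 203.0.113.96, No crypto map bound to interface... dropping pkt
"""

SAMPLE_DEBUG_BAD_GROUP = """\
Mar 14 15:01:40 [IKEv1]: IP = 203.0.113.96, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 808
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 203.0.113.96, processing IKE SA payload
Mar 14 15:01:40 [IKEv1]: IP = 203.0.113.96, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 352
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 203.0.113.96, IKE AM Responder FSM error history (struct &0x0) , : AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 203.0.113.96, IKE SA AM:b53d7823 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
"""

DEBUG_LINE = re.compile(
    r"^(?:\w+#\s*)?"                                       # prompt glued to the first line
    r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \[IKEv1(?: DEBUG)?\]: "
    r"(?:Group = (?P<group>[^,]+), )?"
    r"IP = (?P<ip>[^,]+), "
    r"(?P<msg>.*)$"
)


def parse_config(text):
    """Return (interfaces with a crypto map bound, interfaces with ISAKMP enabled,
    names of ipsec-ra tunnel-groups): the facts that decide whether IKEv1
    remote access can work on an interface at all."""
    crypto_map_ifaces, isakmp_ifaces, ra_groups = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto map \S+ interface (\S+)", line):
            crypto_map_ifaces.add(m.group(1))
        elif m := re.fullmatch(r"crypto isakmp enable (\S+)", line):
            isakmp_ifaces.add(m.group(1))
        elif m := re.fullmatch(r"tunnel-group (\S+) type ipsec-ra", line):
            ra_groups.add(m.group(1))
    return crypto_map_ifaces, isakmp_ifaces, ra_groups


def parse_debug(text):
    """Return [(group or None, peer_ip, message)] for every IKEv1 debug line."""
    events = []
    for raw in text.splitlines():
        if m := DEBUG_LINE.match(raw.strip()):
            events.append((m.group("group"), m.group("ip"), m.group("msg")))
    return events


def triage(config_text, debug_text, iface="outside"):
    """Return findings as (code, detail) tuples; an empty list means nothing obvious."""
    crypto_map_ifaces, isakmp_ifaces, ra_groups = parse_config(config_text)
    events = parse_debug(debug_text)
    msgs = [msg for _, _, msg in events]
    findings = []

    # Stage 1: IKE packets dropped before any negotiation (the first debug in the thread).
    if any("No crypto map bound to interface" in m for m in msgs):
        findings.append(("NO_CRYPTO_MAP_IN_DEBUG",
                         "ASA dropped IKE packets; bind a crypto map to the interface and re-test"))
    if iface not in crypto_map_ifaces:
        findings.append(("CRYPTO_MAP_NOT_BOUND",
                         f"config has no 'crypto map <name> interface {iface}'"))
    if iface not in isakmp_ifaces:
        findings.append(("ISAKMP_DISABLED", f"config has no 'crypto isakmp enable {iface}'"))

    # Stage 2: negotiation started but the ASA handled the peer as DefaultRAGroup.
    # The ASA falls back to DefaultRAGroup when the group name in the client's
    # aggressive-mode ID payload matches no tunnel-group, so the client is using
    # the wrong group name (and therefore the wrong pre-shared key).
    fell_back = any(group == "DefaultRAGroup" for group, _, _ in events)
    failed = any("AM Responder FSM error" in m or "terminating" in m for m in msgs)
    if fell_back and failed:
        findings.append(("GROUP_FALLBACK",
                         "client group name matched no ipsec-ra tunnel-group; configured: "
                         + ", ".join(sorted(ra_groups))))
    return findings


if __name__ == "__main__":
    for label, debug in (("first debug", SAMPLE_DEBUG_NO_MAP),
                         ("second debug", SAMPLE_DEBUG_BAD_GROUP)):
        print(label)
        for code, detail in triage(SAMPLE_CONFIG, debug):
            print(f"  {code}: {detail}")
```

Run against the two debug captures in the thread, the first yields only NO_CRYPTO_MAP_IN_DEBUG (the config as later posted already binds outside_map to outside) and the second yields GROUP_FALLBACK naming EAT as the only configured ipsec-ra tunnel-group, which is the conclusion Gilbert reaches by eye. The "terminating" and FSM-error checks are deliberately loose string matches; on a busy ASA you would first filter parse_debug output by peer IP.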
