Cisco Support Community

New Member

VPN help needed

Hello,

I have an ASA5510 that I am trying to set up VPN on. I need to allow home users access inside our network. I have tried going through the VPN wizard several times and just cannot seem to get it working. I am using the Cisco VPN client, latest version.

I am enclosing the latest configuration which also has a show version at the end of it.

Any help would be greatly appreciated.

13 REPLIES
Green

Re: VPN help needed

Firstly, you always want your vpn pool to be different than your inside network.

access-list inside_nat0_outbound extended permit ip any 10.19.1.0 255.255.255.0

ip local pool VPN 10.19.1.100-10.19.1.254 mask 255.255.255.0

Also add..

crypto isakmp nat-traversal

Also, are you trying to vpn to the inside interface?

crypto map inside_map interface inside

crypto isakmp enable inside
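
Added example, not part of the thread: a Python check for the overlap the reply above points out, an `ip local pool` range that falls inside a directly connected interface subnet. The sample config is constructed; only the first pool line is taken from the reply, and the interface names and addresses and the second pool are assumptions.

```python
import ipaddress
import re

# Constructed sample: the first pool line is the one quoted in the reply;
# interface names/addresses and the VPN2 pool are assumed for illustration.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 ip address 10.19.1.1 255.255.255.0
ip local pool VPN 10.19.1.100-10.19.1.254 mask 255.255.255.0
ip local pool VPN2 10.19.250.1-10.19.250.100 mask 255.255.255.0
"""

IFACE_IP = re.compile(r"^\s+ip address (\S+) (\S+)")
NAMEIF = re.compile(r"^\s+nameif (\S+)")
POOL = re.compile(r"^ip local pool (\S+) (\S+?)(?:-(\S+))?(?: mask \S+)?\s*$")

def interface_networks(config):
    """Map nameif -> connected subnet for every addressed interface."""
    nets, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None  # new interface stanza, nameif not seen yet
        elif (m := NAMEIF.match(line)):
            name = m.group(1)
        elif (m := IFACE_IP.match(line)) and name:
            nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets

def overlapping_pools(config):
    """Return sorted (pool, nameif) pairs where the pool range intersects an interface subnet."""
    nets = interface_networks(config)
    hits = []
    for line in config.splitlines():
        if not (m := POOL.match(line)):
            continue
        first = ipaddress.ip_address(m.group(2))
        last = ipaddress.ip_address(m.group(3) or m.group(2))  # single-address pool
        for nameif, net in nets.items():
            # Two closed ranges intersect when each starts before the other ends.
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((m.group(1), nameif))
    return sorted(hits)

if __name__ == "__main__":
    for pool, nameif in overlapping_pools(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps the {nameif} interface subnet")
```
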

New Member

Re: VPN help needed

Thank you for your help.

I am at home and want to have VPN access to the inside networks.

Seth

Green

Re: VPN help needed

These lines should say "outside" as you are vpn'ing to the outside interface of the ASA.

crypto map inside_map interface outside

crypto isakmp enable outside

New Member

Re: VPN help needed

I did correct the config with the commands you gave me.

I tried to connect with the VPN client and still cannot. I was curious about the pre-shared key. Am I supposed to enter that in the client somewhere?

Seth

Green

Re: VPN help needed

Yes. You need to enter the group name "VPN" and the pre-shared key or "password" under the group authentication section of the cisco vpn client.

Silver

Re: VPN help needed

Yes, you need to have the pre-shared key in the VPN client. When you enter the group in the VPN client, the PSK will be the password for the group. When the connection is successful you will get the username and password dialog where you key in your personal information.

Let us know if it works

New Member

Re: VPN help needed

Ok, I did that and it still will not connect. The VPN client tells me

Secure VPN Connection terminated by the Client.

Reason 412: The remote peer is no longer responding.

I am also attaching the latest config.

Seth

Green

Re: VPN help needed

This works for me...

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto isakmp identity address
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

New Member

Re: VPN help needed

Thank you, that worked wonderfully.

Now my next question is how do I set up certain clients to access only certain networks?

Again, thank you very much.

Seth

Green

Re: VPN help needed

Will these users be part of the same tunnel group or will you create different tunnel groups for different classes of users?

New Member

Re: VPN help needed

I guess they can be part of the same group, just different user names and networks accessed.

Seth

Green

Re: VPN help needed

This should help you some...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

This will show you how to create a vpn-filter acl which can be applied to a tunnel group policy or individual user account.

The other option is to remove "sysopt connection permit-vpn". This will stop IPsec traffic from bypassing your interface ACLs. Then you can simply write the access you desire in your outside access list.

New Member

Re: VPN help needed

Thank you again for the help. I did figure out that all I needed to do was add an ACL and then add a user and apply that ACL to the user.

Again, thank you very much.

Seth
