Cisco Support Community
New Member

ASA 5525 9.1 Remote access VPN

Dears,

I tried to configure remote access VPN on ASA 9.1, but it didn't work. Anyway, can you please post any configuration steps?

Appreciate your support,

Regards,

23 REPLIES
New Member

ASA 5525 9.1 Remote access VPN

Please any help??

Below is the sh run, and I am still getting the error message (reason 412):

HQ-ASA(config)#

HQ-ASA(config)# sh ru

: Saved

:

ASA Version 9.1(1)

!

hostname HQ-ASA

enable password .h2T1va7bpb/xWzw encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool testpool 30.30.30.1-30.30.30.15

!

interface GigabitEthernet0/0

nameif outside

security-level 50

ip address 10.11.1.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.11.2.2 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 100

no ip address

!

boot system disk0:/asa911-smp-k8.bin

ftp mode passive

object network Local-Lan

subnet 10.10.0.0 255.255.0.0

object network VPN-Pool

subnet 30.30.30.0 255.255.255.0

object network Net_10.10.0.0

subnet 10.10.0.0 255.255.0.0

object network Net_10.11.0.0

subnet 10.11.0.0 255.255.0.0

object network Net_192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network Net_172.16.0.0

subnet 172.16.0.0 255.255.0.0

object-group network inside_network

network-object 10.10.0.0 255.255.0.0

network-object 10.11.0.0 255.255.0.0

network-object 172.16.0.0 255.255.0.0

network-object 192.168.0.0 255.255.0.0

object-group network outside

network-object host 10.11.1.2

access-list internal extended permit ip any any

access-list internal extended permit icmp any any

access-list external extended permit icmp any any

access-list external extended permit ip any any

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool

access-list split-acl standard permit 10.10.0.0 255.255.0.0

access-list split-acl standard permit 10.11.0.0 255.255.0.0

access-list split-acl standard permit 192.168.0.0 255.255.0.0

access-list split-acl standard permit 172.16.0.0 255.255.0.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic any interface

nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_10.10.0.0 Net_10.10.0.0

nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_10.11.0.0 Net_10.11.0.0

nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_192.168.0.0 Net_192.168.0.0

nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_172.16.0.0 Net_172.16.0.0

access-group internal in interface outside

access-group external in interface inside

route outside 0.0.0.0 0.0.0.0 10.11.1.1 1

route inside 10.10.0.0 255.255.0.0 10.11.2.1 1

route inside 172.16.0.0 255.255.0.0 10.11.2.1 1

route inside 192.168.0.0 255.255.0.0 10.11.2.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set FirstSet esp-3des esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet

crypto dynamic-map dyn1 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

group-policy testgroup internal

group-policy testgroup attributes

vpn-filter value nat0

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value nat0

username cisco password 3USUcOPFUiMCO4Jk encrypted

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

address-pool testpool

default-group-policy testgroup

tunnel-group testgroup ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:d9350a145595b903911cb6223630e7b6

: end

HQ-ASA(config)#

VIP Green

ASA 5525 9.1 Remote access VPN

Hi,

What isn't working?  Are you unable to establish a connection? Are you able to establish a connection but traffic is not passing?

--

Please rate all helpful posts

--

Please remember to rate and select a correct answer
VIP Green

ASA 5525 9.1 Remote access VPN

Your NAT exempt statements are a bit off.  You have configured them in the wrong direction.  Change them to the following:

nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool

--

Please remember to rate and select a correct answer
New Member

ASA 5525 9.1 Remote access VPN

Thanks for your reply,

With the VPN client I cannot establish a connection.

For the NAT, I will add it and update you.

Regards,

VIP Green

ASA 5525 9.1 Remote access VPN

Here is a working configuration.

ip local pool testpool 30.30.30.1-30.30.30.15

crypto ipsec ikev1 transform-set MYSET esp-aes esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ikev1 enable outside

crypto ikev1 policy 65535

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

group-policy testgroup internal

group-policy testgroup attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

username cisco password cisco

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

address-pool testpool

default-group-policy testgroup

tunnel-group testgroup ipsec-attributes

ikev1 pre-shared-key cisco

--

Please remember to rate and select a correct answer
New Member

ASA 5525 9.1 Remote access VPN

Dear,

Now, with the configuration that you sent, I have to add an ACL on it to permit the internal traffic to the VPN pool network.

Also, for the static NAT, should I keep it or move it?

Regards,

VIP Green

ASA 5525 9.1 Remote access VPN

Keep the NAT exempt statements.

I am not sure which ACL you are referring to.  If you are referring to the interface ACL, you are already permitting all traffic from the inside out.

By the way, if this ASA is in a live environment, you should most definitely remove the permit ip any any on the outside interface.

access-list internal extended permit ip any any

access-list internal extended permit icmp any any

access-list external extended permit icmp any any

access-list external extended permit ip any any

access-group internal in interface outside

access-group external in interface inside

--

Please rate all helpful posts

--

Please remember to rate and select a correct answer
New Member

ASA 5525 9.1 Remote access VPN

I'm referring to this ACL:

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool

access-list split-acl standard permit 10.10.0.0 255.255.0.0

access-list split-acl standard permit 10.11.0.0 255.255.0.0

access-list split-acl standard permit 192.168.0.0 255.255.0.0

access-list split-acl standard permit 172.16.0.0 255.255.0.0

VIP Green

ASA 5525 9.1 Remote access VPN

Yes, the ACLs you have configured for the NAT exempt and split tunneling need to be kept.

--

Please remember to rate and choose a correct answer

--

Please remember to rate and select a correct answer
New Member

ASA 5525 9.1 Remote access VPN

Still facing the same issue (error reason 412: remote peer no longer responding).

I'm using Cisco VPN Client version 5.0, so please advise whether I have to change it to a newer version.

Below is the updated sh run:


: Saved
:
ASA Version 9.1(1)
!
hostname HQ-ASA
enable password .h2T1va7bpb/xWzw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool testpool 30.30.30.1-30.30.30.15
!
interface GigabitEthernet0/0
nameif outside
security-level 50
ip address 10.11.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.11.2.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
no ip address
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
object network Local-Lan
subnet 10.10.0.0 255.255.0.0
object network VPN-Pool
subnet 30.30.30.0 255.255.255.0
object network Net_10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network Net_10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network Net_192.168.0.0
subnet 192.168.0.0 255.255.0.0
object network Net_172.16.0.0
subnet 172.16.0.0 255.255.0.0
object-group network inside_network
network-object 10.10.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
object-group network outside
network-object host 10.11.1.2
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list external extended permit icmp any any
access-list external extended permit ip any any
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool
access-list split-acl standard permit 10.10.0.0 255.255.0.0
access-list split-acl standard permit 10.11.0.0 255.255.0.0
access-list split-acl standard permit 192.168.0.0 255.255.0.0
access-list split-acl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool
access-group internal in interface outside
access-group external in interface inside
route outside 0.0.0.0 0.0.0.0 10.11.1.1 1
route inside 10.10.0.0 255.255.0.0 10.11.2.1 1
route inside 172.16.0.0 255.255.0.0 10.11.2.1 1
route inside 192.168.0.0 255.255.0.0 10.11.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set MYSET esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
group-policy testgroup internal
group-policy testgroup attributes
vpn-filter value nat0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nat0
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7eb95646e1b6a2e70d6481c561265d9
: end

HQ-ASA#

Hall of Fame Super Silver

ASA 5525 9.1 Remote access VPN

Is this in a lab or private network environment? I ask because your outside interface 10.11.1.2 is a private address that will only be reachable via internal clients. If there is an upstream NAT on another device (the 10.11.1.1 gateway perhaps?) you may be having issues there.
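Marvin's question (is the ASA's outside address reachable from the client at all, independent of the VPN?) is the right first check for reason 412, which the Cisco VPN Client reports when it stops getting any answer to its IKE packets. The Python below is an added example written for this page; it is not Cisco's code and not code from any poster. It sends a single IKEv1 main-mode SA proposal that mirrors the Phase-1 policy in the posted config (pre-shared key, 3DES, SHA-1, DH group 2, 86400 s lifetime) to UDP/500 and reports whether anything answers. The packet layout follows RFC 2408 and RFC 2409; the function names, constant names and the probe's timeout are this example's own assumptions.

```python
"""Send one IKEv1 main-mode SA proposal to UDP/500 and report whether the
peer answers.  Added example for this thread, not Cisco or poster code.

Wire format follows RFC 2408 (ISAKMP) and RFC 2409 (IKE).  The proposal
mirrors the Phase-1 policy in the posted config: pre-shared key, 3DES,
SHA-1, DH group 2, 86400 s lifetime.  Function and constant names are this
example's own.
"""
from __future__ import annotations

import os
import socket
import struct

ISAKMP_PORT = 500
ISAKMP_HDR = "!8s8sBBBBII"   # i-cookie, r-cookie, next, version, exch, flags, msgid, length
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_NOTIFY = 0, 1, 11
EXCH_MAIN_MODE = 2
DOI_IPSEC, SIT_IDENTITY_ONLY = 1, 1
PROTO_ISAKMP, KEY_IKE = 1, 1
# Phase-1 attribute classes and the values the thread's 'crypto ikev1 policy' uses
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12
ENC_3DES, HASH_SHA1, AUTH_PSK, GROUP_MODP1024, LIFE_SECONDS = 5, 2, 1, 2, 1


def _attr(atype: int, value: int) -> bytes:
    """Encode one SA attribute: TV form (high bit set) when the value fits in
    16 bits, otherwise TLV form with a 4-byte value (needed for 86400)."""
    if value <= 0xFFFF:
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HHI", atype, 4, value)


def build_main_mode_sa(initiator_cookie: bytes | None = None) -> bytes:
    """Message 1 of main mode: ISAKMP header + SA(proposal(transform(attrs)))."""
    cookie = initiator_cookie or os.urandom(8)
    attrs = b"".join([
        _attr(ATTR_ENC, ENC_3DES), _attr(ATTR_HASH, HASH_SHA1),
        _attr(ATTR_AUTH, AUTH_PSK), _attr(ATTR_GROUP, GROUP_MODP1024),
        _attr(ATTR_LIFE_TYPE, LIFE_SECONDS), _attr(ATTR_LIFE_DUR, 86400),
    ])
    # transform payload: next, reserved, length, transform#, transform-id, reserved2
    transform = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs), 1, KEY_IKE, 0) + attrs
    # proposal payload: next, reserved, length, proposal#, protocol-id, spi-size, #transforms
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(transform), 1, PROTO_ISAKMP, 0, 1) + transform
    # SA payload: next, reserved, length, DOI, situation
    sa = struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(proposal), DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal
    # responder cookie is all zeros in message 1; version byte 0x10 = IKEv1.0
    header = struct.pack(ISAKMP_HDR, cookie, bytes(8), PAYLOAD_SA, 0x10, EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return header + sa


def parse_isakmp_header(data: bytes, sent_cookie: bytes) -> dict:
    """Decode a reply header.  A responder that accepted the proposal echoes our
    cookie, sets its own and answers with an SA payload; a Notify payload means
    it is alive but rejected the proposal (still not a 412 situation)."""
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nextp, ver, exch, _flags, _msgid, length = struct.unpack(ISAKMP_HDR, data[:28])
    return {
        "cookie_match": icookie == sent_cookie,
        "responder_cookie_set": rcookie != bytes(8),
        "next_payload": nextp,   # 1 = SA accepted, 11 = Notify (e.g. NO-PROPOSAL-CHOSEN)
        "exchange": exch,
        "version": ver >> 4,
        "length": length,
    }


def probe(host: str, timeout: float = 3.0) -> dict | None:
    """Return the parsed reply header, or None if nothing answered within timeout."""
    cookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_main_mode_sa(cookie), (host, ISAKMP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_isakmp_header(data, cookie)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: ike_probe.py <asa-outside-or-public-ip>")
    print(probe(sys.argv[1]) or "no IKE reply: the packet never reached a responder")
```

Run it from a client-side host against the public address the router statically NATs to 10.11.1.2. A timeout means the IKE packet never reached an IKE responder (routing, the router's static NAT, or no crypto map on the outside interface); a reply with the responder cookie set means Phase 1 is reachable and the fault is further along in the exchange.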

VIP Green

ASA 5525 9.1 Remote access VPN

Are you connecting to the VPN from the inside network?  You have applied the crypto map to the inside interface, which will not work if you are trying to connect to it from a location off the outside interface.

crypto map inside_map interface inside

make the following changes to your configuration and then test again:

no crypto map inside_map interface inside

no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

--

Please remember to rate and select a correct answer

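The three mistakes called out across this thread (NAT exemption written as nat (any,inside) with the pool as the source, permit ip any any on the ACL applied inbound on the outside interface, and a crypto map bound to the inside interface) are mechanical enough to check before a config goes onto a live box. The Python below is an added example written for this page; it is not Cisco tooling and not code from any poster. It lints the ASA 9.x twice-NAT, access-group and crypto map lines for exactly those three patterns. The interface names, the VPN-Pool object name and the sample config fragments are taken from the thread's posted lines; the lint_ra_vpn function, its parameters, and the "correct direction" it enforces (LAN object as source on (inside,outside), pool as destination, as in the corrected lines earlier in the thread) are this example's own assumptions.

```python
"""Lint an ASA 9.x running-config for the three remote-access VPN mistakes
discussed in this thread.  Added example, not Cisco tooling.

Assumed conventions (taken from the corrected lines in the thread):
  * NAT exemption:  nat (lan_if,vpn_if) source static LAN LAN destination static POOL POOL
  * the crypto map is bound only to the interface remote clients arrive on
  * the ACL applied inbound on that interface carries no 'permit ip any any'
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Twice-NAT identity rule:  nat (real_if,mapped_if) source static A A destination static B B
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[\w-]+),(?P<dst_if>[\w-]+)\) source static "
    r"(?P<real>\S+) (?P<mapped>\S+) destination static (?P<dreal>\S+) (?P<dmapped>\S+)$"
)
ACL_ANY_RE = re.compile(r"^access-list (?P<name>\S+) extended permit ip any any$")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")
CRYPTO_MAP_IF_RE = re.compile(r"^crypto map (?P<name>\S+) interface (?P<iface>\S+)$")


@dataclass(frozen=True)
class Finding:
    check: str    # which rule fired
    line: str     # offending config line (verbatim, or a synthetic note)
    advice: str   # what to change


def lint_ra_vpn(config: str, *, lan_if: str, vpn_if: str, pool_obj: str) -> list[Finding]:
    """Return one Finding per problem.  An empty list means all three checks passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: list[Finding] = []

    # 1. NAT exemption direction.  Only identity rules that mention the pool matter;
    #    the dynamic PAT rule ('source dynamic any interface') is left alone.
    for ln in lines:
        m = NAT_RE.match(ln)
        if not m:
            continue
        g = m.groupdict()
        identity = g["real"] == g["mapped"] and g["dreal"] == g["dmapped"]
        if not identity or pool_obj not in (g["real"], g["dreal"]):
            continue
        if (g["src_if"], g["dst_if"], g["dreal"]) != (lan_if, vpn_if, pool_obj):
            lan = g["dreal"] if g["real"] == pool_obj else g["real"]
            findings.append(Finding(
                "nat-exempt-direction", ln,
                f"rewrite as: nat ({lan_if},{vpn_if}) source static {lan} {lan} "
                f"destination static {pool_obj} {pool_obj}"))

    # 2. Crypto map binding.  Remote clients terminate on vpn_if; a map on any other
    #    interface never sees their IKE traffic ('crypto map inside_map interface inside').
    bound = {m["iface"]: m["name"] for m in map(CRYPTO_MAP_IF_RE.match, lines) if m}
    for iface, name in bound.items():
        if iface != vpn_if:
            findings.append(Finding(
                "crypto-map-interface", f"crypto map {name} interface {iface}",
                f"remove; remote clients arrive on {vpn_if}"))
    if vpn_if not in bound:
        findings.append(Finding(
            "crypto-map-missing", f"(no crypto map bound to {vpn_if})",
            f"add: crypto map <name> interface {vpn_if}"))

    # 3. Permit-any on the ACL applied inbound on the VPN-facing interface.
    groups = {m["iface"]: m["name"] for m in map(ACCESS_GROUP_RE.match, lines) if m}
    outside_acl = groups.get(vpn_if)
    for ln in lines:
        m = ACL_ANY_RE.match(ln)
        if m and m["name"] == outside_acl:
            findings.append(Finding(
                "outside-permit-any", ln,
                f"{outside_acl} is applied 'in interface {vpn_if}'; replace with explicit permits"))
    return findings


# Constructed sample: the relevant lines from the posted configs, before the fixes ...
BROKEN_CONFIG = """
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list external extended permit ip any any
nat (inside,outside) source dynamic any interface
nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_10.10.0.0 Net_10.10.0.0
access-group internal in interface outside
access-group external in interface inside
crypto map outside_map interface outside
crypto map inside_map interface inside
"""
# ... and the same lines after applying the corrections from the thread.
FIXED_CONFIG = """
access-list internal extended permit icmp any any
access-list external extended permit ip any any
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool
access-group internal in interface outside
access-group external in interface inside
crypto map outside_map interface outside
"""

if __name__ == "__main__":
    for f in lint_ra_vpn(BROKEN_CONFIG, lan_if="inside", vpn_if="outside", pool_obj="VPN-Pool"):
        print(f"[{f.check}] {f.line}\n    -> {f.advice}")
```

Feed it the output of show running-config and it reports the offending line together with the replacement; on the posted config it flags the (any,inside) exemption, the inside_map binding and the permit ip any any on the internal ACL, and it is silent once the corrections from the thread are applied.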
New Member

ASA 5525 9.1 Remote access VPN

Dear Marius,

I did all the required changes but am still facing the same issue (error 412: remote peer no longer responding).

By the way, I did a static NAT on the router to redirect to the ASA outside IP (ip nat inside source static 10.11.1.2 X.X.X.X).

Below is the new ASA sh run:

HQ-ASA(config)# sh ru

: Saved

:

ASA Version 9.1(1)

!

hostname HQ-ASA

enable password .h2T1va7bpb/xWzw encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool testpool 30.30.30.1-30.30.30.15

!

interface GigabitEthernet0/0

nameif outside

security-level 50

ip address 10.11.1.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.11.2.2 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 100

no ip address

!

boot system disk0:/asa911-smp-k8.bin

ftp mode passive

object network Local-Lan

subnet 10.10.0.0 255.255.0.0

object network VPN-Pool

subnet 30.30.30.0 255.255.255.0

object network Net_10.10.0.0

subnet 10.10.0.0 255.255.0.0

object network Net_10.11.0.0

subnet 10.11.0.0 255.255.0.0

object network Net_192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network Net_172.16.0.0

subnet 172.16.0.0 255.255.0.0

object-group network inside_network

network-object 10.10.0.0 255.255.0.0

network-object 10.11.0.0 255.255.0.0

network-object 172.16.0.0 255.255.0.0

network-object 192.168.0.0 255.255.0.0

object-group network outside

network-object host 10.11.1.2

access-list internal extended permit ip any any

access-list internal extended permit icmp any any

access-list external extended permit icmp any any

access-list external extended permit ip any any

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool

access-list split-acl standard permit 10.10.0.0 255.255.0.0

access-list split-acl standard permit 10.11.0.0 255.255.0.0

access-list split-acl standard permit 192.168.0.0 255.255.0.0

access-list split-acl standard permit 172.16.0.0 255.255.0.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool

access-group internal in interface outside

access-group external in interface inside

route outside 0.0.0.0 0.0.0.0 10.11.1.1 1

route inside 10.10.0.0 255.255.0.0 10.11.2.1 1

route inside 172.16.0.0 255.255.0.0 10.11.2.1 1

route inside 192.168.0.0 255.255.0.0 10.11.2.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set MYSET esp-aes esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

group-policy testgroup internal

group-policy testgroup attributes

vpn-filter value nat0

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value nat0

username cisco password 3USUcOPFUiMCO4Jk encrypted

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

address-pool testpool

default-group-policy testgroup

tunnel-group testgroup ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:73f3eecf4b2dcbbde341d28ab989a946

: end

HQ-ASA(config)#


Appreciate your Support,

Hall of Fame Super Silver

ASA 5525 9.1 Remote access VPN

I still come back to my earlier question - is your outside address 10.11.1.2 accessible (independent of VPN access) to your remote access clients?

New Member

ASA 5525 9.1 Remote access VPN

Dear Marvin,

I have a Cisco router facing the internet and I did a static NAT to redirect the traffic to the ASA outside interface.

(ip nat inside source static 10.11.1.2 X.X.X.X)

Regards,

Hall of Fame Super Silver

ASA 5525 9.1 Remote access VPN

OK.

Does the router have any access-list potentially affecting the incoming remote access VPN clients? If you watch the ASA log while trying to connect do you see any incoming traffic or relevant log messages?

Sometimes it is useful to do a packet capture on the ASA to verify that the client requests are making it to the ASA. At a minimum that isolates the problem as on the ASA or somewhere upstream.

Packet capture is easy to do on ASDM or CLI. See the following link:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

New Member

ASA 5525 9.1 Remote access VPN

Dear Marvin,

Below is the configuration that I did on the router:

HQ_Router#
HQ_Router#sh run
Building configuration...

Current configuration : 5580 bytes
!
! Last configuration change at 13:56:36 BG Sun Dec 8 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ_Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 ZwZCjZpqSXIvRzD.nWp0Zo5muAaIQwD/IC9ucx3AbOM
!
no aaa new-model
clock timezone BG 3 0
!
!
crypto pki trustpoint TP-self-signed-311074010
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-311074010
revocation-check none
rsakeypair TP-self-signed-311074010
!
!
crypto pki certificate chain TP-self-signed-311074010
certificate self-signed 01
        quit
ip cef
!
!
!
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2951/K9 sn FCZ171970P4
!
!
username admin privilege 15 password 0 Pa$$w0rd
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Connected to Public
ip address X.X.X.X 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Connected to ASA port G0/0
ip address 10.11.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static 10.11.1.2 X.X.X.X
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.10.0.0 255.255.0.0 10.11.1.2
ip route 10.11.2.0 255.255.255.0 10.11.1.2
ip route 172.16.0.0 255.255.0.0 10.11.1.2
ip route 192.168.0.0 255.255.0.0 10.11.1.2
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 10 permit 10.11.0.0 0.0.255.255
!
!
!

Hall of Fame Super Silver

ASA 5525 9.1 Remote access VPN

I believe you need a line:

     ip nat outside source static x.x.x.x 10.11.1.2

...to account for the fact that outside users (your VPN client) need to initiate communications to the ASA interface.

New Member

ASA 5525 9.1 Remote access VPN

Marvin,

I tested it but I got the same error (error 412: remote peer no longer responding).

Hall of Fame Super Silver

ASA 5525 9.1 Remote access VPN

Did you try the capture like I suggested earlier to see if the traffic is coming in from your client to the ASA?

VIP Green

Re: ASA 5525 9.1 Remote access VPN

If you see that traffic is coming from the client to the ASA in the capture that Marvin has suggested, then I am wondering if the NAT configuration on your ASA is causing this issue.

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool

I am thinking your dynamic NAT is overriding your twice NAT since it is configured in "section 1" of the NAT table. This section matches on a top-to-bottom, first-match basis. You can correct this by doing one of two things: configure it in section 2 (auto NAT), or configure it as after-auto.

Section 2 config:

object network DYNAMIC
 subnet 0 0
 nat (inside,outside) dynamic interface

When you do a show run now, you should see that the NAT statement is placed under an object group. It will look something like the following:

object network DYNAMIC
 nat (inside,outside) dynamic interface

After-auto config:

nat (inside,outside) after-auto source dynamic any interface

With the after-auto option you need to be sure that the dynamic statement is at the bottom of the list if you have any other static NATs configured here.

--
Please remember to rate and select a correct answer

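The NAT-table ordering explained in the reply above, modelled as an added Python example (not Cisco code and not from anyone in this thread): the rule set is the one posted in this thread, the matcher walks the three NAT sections in order with first match winning, and it shows that with the dynamic PAT rule sitting first in section 1 a LAN host's reply towards a VPN-pool address gets translated, while moving that rule to section 2 or 3 leaves the identity rules in charge. The host and pool addresses used for the lookup are constructed.

```python
import ipaddress

# Constructed model of the ASA NAT lookup discussed above; not Cisco code.
VPN_POOL = ipaddress.ip_network("30.30.30.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE_NETS = ("10.10.0.0/16", "10.11.0.0/16", "192.168.0.0/16", "172.16.0.0/16")

# "source static Net_X Net_X destination static VPN-Pool VPN-Pool" is an identity
# (NAT-exempt) rule: it matches, but leaves the source address untouched.
IDENTITY_RULES = [
    {"name": f"identity {net} -> VPN-Pool", "src": ipaddress.ip_network(net),
     "dst": VPN_POOL, "translate": False}
    for net in INSIDE_NETS
]
# "source dynamic any interface": PAT everything to the outside interface address.
DYNAMIC_RULE = {"name": "dynamic any -> interface", "src": ANY, "dst": ANY, "translate": True}

def nat_table(dynamic_section):
    """Return {section: [rules]} for the posted config with the dynamic PAT rule
    placed in section 1 (as the poster has it, first in the list), 2 (object NAT)
    or 3 (after-auto). The identity twice-NAT rules always live in section 1."""
    table = {1: list(IDENTITY_RULES), 2: [], 3: []}
    if dynamic_section == 1:
        table[1].insert(0, DYNAMIC_RULE)      # order shown in the posted show run
    else:
        table[dynamic_section].append(DYNAMIC_RULE)
    return table

def lookup(table, src_ip, dst_ip):
    """First-match walk: section 1, then 2, then 3; top to bottom inside each.
    Returns (rule name, source translated?) or (None, False) if nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for section in (1, 2, 3):
        for rule in table[section]:
            if src in rule["src"] and dst in rule["dst"]:
                return rule["name"], rule["translate"]
    return None, False

def vpn_return_traffic_exempt(dynamic_section):
    """True when a LAN host answering a VPN client keeps its real address,
    which is what the tunnel needs; False means the dynamic PAT rule won."""
    _, translated = lookup(nat_table(dynamic_section), "10.10.5.20", "30.30.30.7")
    return not translated

if __name__ == "__main__":
    for section in (1, 2, 3):
        print(f"dynamic rule in section {section}: VPN return traffic exempt = "
              f"{vpn_return_traffic_exempt(section)}")
```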
New Member

Re: ASA 5525 9.1 Remote access VPN

Thank you for your reply and support,

Please advise: should I add the section 2 config on the ASA and keep the previous NAT config, or do I have to delete it?

Regards,

VIP Green

Re: ASA 5525 9.1 Remote access VPN

You need to remove the dynamic NAT statement you currently have configured and then add it into section 2 or 3.

--
Please remember to rate and select a correct answer
