Guys, we have a situation and I don't know what is going wrong. I have set up an ASA as a VPN server. The connection is: we have a router, the router terminates in a Checkpoint, and the ASA is connected to one of the DMZ ports on the Checkpoint. The Checkpoint is in turn connected to a 4500 switch, which has some servers like Lotus Notes. We have recently given iPhones to executives so they can use 3G to VPN into the network and use their Lotus Notes. I have attached the config, so kindly have a look.

I have done a couple of tests on the iPhone. The VPN is established, but when I do sh crypto isakmp sa it shows me the AM_ACTIVE state. Can someone tell me what that is? Shouldn't it be in the QM_IDLE state? I am new to ASA.

Second thing: for the pool of IP addresses, should the subnet mask be all 255s (kindly see the config)? I have seen this config on the internet; is it right or wrong?

Another thing: when I try to set up the VPN from the iPhone, I enabled debugging and also did term monitor, but nothing comes up. Why is that? I have already pointed the static routes to the Checkpoint, as only one interface of the ASA has been used. I checked the routing on the Checkpoint as well as on the 4500 and nothing is wrong, but we are unable to connect to the Notes server. Guys, please help me out as I am going nuts. The config is as under:
iPHONE-VPN# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname iPHONE-VPN
enable password XXXX encrypted
passwd XXXXX encrypted
names
name 188.8.131.52 server1
name 184.108.40.206 DNS-Server
dns-guard
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 100
 ip address X.X.30.22 255.255.255.224
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit ip any any
pager lines 24
mtu OUTSIDE 1500
ip local pool iPhones_vpn_pool 220.127.116.11-18.104.22.168 mask 255.255.255.255
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE-IN in interface OUTSIDE
access-group INSIDE-OUT out interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 22.214.171.124 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address OUTSIDE-IN
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 10 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet X.X.X.X 255.255.255.0 OUTSIDE
telnet timeout 600
ssh X.X.X.X 255.255.128.0 OUTSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh X.X.X.X 255.255.255.0 OUTSIDE
ssh timeout 55
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server OUTSIDE 10.200.30.16 asa821-k8.bin
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 wins-server value X.X.X.X
 dns-server value X.X.X.X
 split-tunnel-policy tunnelspecified
 split-dns value msdomain
username testiphone password X.X.X.X encrypted
username test1234 password X.X.X.X encrypted
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool iPhones_vpn_pool
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:X.X.X.X
: end
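The poster asks for a look at the config. As an added example (not from the post and not Cisco tooling), the script below is the kind of lint pass a reviewer would run over an ASA 8.x running-config before exposing a remote-access head-end to the Internet. It parses the text into top-level commands and their indented sub-commands and flags the points visible in the config above: a permit-ip-any-any ACL applied inbound on OUTSIDE and reused as the dynamic crypto map's match ACL, SSH permitted from 0.0.0.0 0.0.0.0, cleartext telnet enabled, 3DES in the transform set and IKE policy, and split-tunnel-policy tunnelspecified with no split-tunnel-network-list to go with it. The embedded SAMPLE_CONFIG is a constructed, trimmed copy of those lines with documentation-range placeholder addresses; the finding codes are names chosen for this example. (On the IKE-state question: AM_ACTIVE in show crypto isakmp sa is the ASA's normal state for an IKEv1 aggressive-mode, pre-shared-key remote-access client; QM_IDLE is IOS wording. The checker does not look at IKE state.)

```python
"""Added example: lint a few hardening points in an ASA 8.x running-config."""
import re
from typing import Dict, List, Tuple

# Constructed sample: trimmed copy of the relevant commands from the posted
# config, with addresses replaced by RFC 5737 documentation placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 100
 ip address 192.0.2.22 255.255.255.224
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit ip any any
ip local pool iPhones_vpn_pool 192.0.2.100-192.0.2.110 mask 255.255.255.255
access-group OUTSIDE-IN in interface OUTSIDE
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map RA_VPN_MAP 1 match address OUTSIDE-IN
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
ssh 0.0.0.0 0.0.0.0 OUTSIDE
telnet 192.0.2.0 255.255.255.0 OUTSIDE
group-policy RA_VPN_Policy attributes
 split-tunnel-policy tunnelspecified
"""


def parse_config(text: str) -> List[Tuple[str, str]]:
    """Return (parent, command) pairs. Indented lines belong to the preceding
    top-level command, which gives us isakmp-policy and group-policy blocks."""
    entries: List[Tuple[str, str]] = []
    parent = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            entries.append((parent, raw.strip()))
        else:
            parent = raw.strip()
            entries.append(("", parent))
    return entries


def check_config(text: str) -> List[Tuple[str, str]]:
    """Return (finding-code, detail) pairs; codes are names chosen for this example."""
    entries = parse_config(text)
    top = [cmd for parent, cmd in entries if parent == ""]
    findings: List[Tuple[str, str]] = []

    # ACL names that contain a permit-everything entry
    permit_any = set()
    for cmd in top:
        m = re.match(r"access-list (\S+) extended permit ip any any$", cmd)
        if m:
            permit_any.add(m.group(1))

    # 1. permit-everything ACL applied inbound on an interface
    for cmd in top:
        m = re.match(r"access-group (\S+) in interface (\S+)", cmd)
        if m and m.group(1) in permit_any:
            findings.append(("inbound-permit-any", f"{m.group(1)} on {m.group(2)}"))

    # 2. dynamic crypto map whose match ACL is that same permit-everything ACL
    for cmd in top:
        m = re.match(r"crypto dynamic-map (\S+) \d+ match address (\S+)", cmd)
        if m and m.group(2) in permit_any:
            findings.append(("dynmap-match-permit-any", f"{m.group(1)} -> {m.group(2)}"))

    # 3. management plane reachable from any source, and cleartext telnet at all
    for cmd in top:
        m = re.match(r"(ssh|telnet) (\S+) (\S+) (\S+)$", cmd)
        if not m:
            continue
        proto, src, mask, ifname = m.groups()
        if src == "0.0.0.0" and mask == "0.0.0.0":
            findings.append((f"{proto}-from-any", ifname))
        if proto == "telnet":
            findings.append(("telnet-enabled", f"{src} {mask} on {ifname}"))

    # 4. legacy ciphers in IPsec transform sets or IKEv1 policies
    for parent, cmd in entries:
        if re.match(r"crypto ipsec transform-set \S+ .*esp-(3des|des)\b", cmd) or (
            parent.startswith("crypto isakmp policy")
            and re.match(r"encryption (3des|des)$", cmd)
        ):
            findings.append(("legacy-cipher", cmd))

    # 5. 'tunnelspecified' split tunnelling needs a network list; flag its absence
    policies: Dict[str, List[str]] = {}
    for parent, cmd in entries:
        m = re.match(r"group-policy (\S+) attributes", parent)
        if m:
            policies.setdefault(m.group(1), []).append(cmd)
    for name, cmds in policies.items():
        if "split-tunnel-policy tunnelspecified" in cmds and not any(
            c.startswith("split-tunnel-network-list") for c in cmds
        ):
            findings.append(("split-tunnel-no-list", name))
    return findings


if __name__ == "__main__":
    for code, detail in check_config(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

Run it against the sample and it reports seven findings (the legacy-cipher code fires twice, once for the transform set and once for the IKE policy). To use it on a real device, paste the output of show running-config into a file and pass its contents to check_config; the regexes only look at command syntax, so anonymised addresses do not affect the result.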