Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco 5505 VPN Remote Access Problems

Hi Yall,

      I have setup remote access via ASDM and it seems like I am missing some NAT rules and or something because I cannot connect for the life of me. I am using Cisco VPN client Version 5.0.01 0600 and I am recieving error message Reason 412:The remote peer is no longer responding. I am testing the connection internally from the site, is this causing a loop and preventing me from connecting? Do I need to test it remotely?

Here is my config;

ASA Version 8.2(2)
!
hostname ciscoasa
enable password TGFUt.AsMHJOyury encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255
5.192
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN_Pool 192.168.1.150-192.168.1.160 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.110 ftp netmask 255.2
255
static (inside,outside) tcp interface ftp-data 192.168.1.110 ftp-data net
5.255.255.255
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-
ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_M
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_Tunnel internal
group-policy VPN_Tunnel attributes
dns-server value 192.168.1.110
vpn-tunnel-protocol IPSec
username test123 password 274Y4GRAbNElaCoV encrypted privilege 0
username test123 attributes
vpn-group-policy VPN_Tunnel
tunnel-group VPN_Tunnel type remote-access
tunnel-group VPN_Tunnel general-attributes
address-pool VPN_Pool
default-group-policy VPN_Tunnel
tunnel-group VPN_Tunnel ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d819388a2b426205b0254e33e9df9c69

4 REPLIES

Re: Cisco 5505 VPN Remote Access Problems

Hi,

First  observation I do not see clear is the  incomplete nonat exempt rule access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255 and comparing it against your VPN Pool address  VPN_Pool 192.168.1.150-192.168.1.160 mask 255.255.255.0 , also your VLAN1 which is your inside interface LAN that  also routes for 192.168.1.0/24 network is  also used for VPN Pool which  by the way is ok, but also opens doors for problems and sometimes could be painfull to troubleshoot.

Personally  if there is not a real good reason to use VPN network ID and inside Network ID  I recomend to keep networks separated usinng their own network ID . If your  inside LAN is  192.168.1.0/24 , make your VPN pool something different , 172.16.1.0/24 is one example.

Going  back to your possible problems I would re-design your logical network for VPN pool, should be fairly  easy to do:

remove a recreate Pool

no ip local pool VPN_Pool 192.168.1.150-192.168.1.160 mask 255.255.255.0

create new one

ip local pool VPN_Pool 172.16.1.150-172.16.1.160 mask 255.255.255.0

remove this acl  --> access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255......

add new  exempt acl bellow

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

one statement you also need is to enable  NAT traversal

asa(config)#crypto isakmp nat-traversal 20

that's it prety much,  you should test RA  VPN  from the outside internet.

Regards

Community Member

Re: Cisco 5505 VPN Remote Access Problems

Great, Thanks. I will test it once I dig my way out tomorrow...

Re: Cisco 5505 VPN Remote Access Problems

How did it work out,  still have issues?

Regards

Community Member

Re: Cisco 5505 VPN Remote Access Problems

Sorry, I did not have a chance to test it yet. I will test it ASAP. Thanks

769
Views
0
Helpful
4
Replies
CreatePlease to create content