Community Member

Cisco Easy VPN Configuration for ASA 5515-X version 9.1

Hi, 

I want to configure Easy VPN on an ASA 5515-X firewall, IOS version 9.1, and I don't want to use ASDM.

Please let me know the configuration. Thanks. 

1 ACCEPTED SOLUTION

VIP Purple

> How is it possible to access the firewall using the VPN?

"management-access inside"
33 REPLIES
VIP Purple

The Cisco VPN Client which is used by EasyVPN is EOL and a new deployment shouldn't be based on it. Better go for AnyConnect. If you still want to configure EasyVPN, here is an example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/68795-asa-remotevpn-asdm.html

The syntax changed slightly but the concepts are the same.

More info and the actual syntax are shown in the config guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_remote_access.html

Community Member

Please also send me the AnyConnect VPN configuration.

VIP Purple

It's all found in the config-guide:

If you want to go the easy way, take the VPN wizard and look at what gets configured there. That can then be extended to your needs.

Community Member

I have configured EZ VPN and my client is connected, but the internet stops working and I am unable to access my local LAN.

VIP Purple

My crystal ball tells me that you forgot to configure split-tunneling and/or your NAT/NAT-exemption is wrong.

But sometimes even these crystal balls are wrong, so it could help to see what your actual config is. ;-)

Community Member

I configured split tunneling and after that the internet is working fine.

When I use the same subnet for VPN users and LAN users and exempt NAT, the LAN is also accessible, but when I use a different subnet for my VPN users the LAN is not accessible. I think NAT exempt is not required in the second case. How do I configure it without NAT exempt?

VIP Purple

> I think NAT exempt is not required in the second case. How do I configure it without NAT exempt?

It's very unlikely that you don't need NAT exemption. Just check whether traffic from the inside LAN to the VPN pool matches any of the NAT rules. Typically there is a NAT rule at the end of your NAT config for (inside,outside) where all traffic gets NAT/PAT for internet access. If that rule is matched, it can't work.

Community Member

I am getting the following error message in the ASDM logs after manual configuration, and the VPN is not connecting:

Group = RAS-MEDIA, Username = rizwan, IP = 182.180.114.243, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.50.100/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

VIP Purple

Probably your crypto map and/or crypto access-lists are wrong.

Community Member

My VPN is connected but I am unable to access the local LAN. Following is my configuration:

ASA Version 9.1(1) 
!
hostname Medialogic-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN_POL 192.168.50.100-192.168.50.150 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 202.x.x.x 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.20.57.1 255.255.0.0 
!
interface GigabitEthernet0/2
 shutdown
 nameif DMZ
 security-level 50
 no ip address
!             
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
!
ftp mode passive
object network INSIDE_HOSTS
 subnet 172.20.0.0 255.255.0.0
object network NETWORK_OBJ_172.20.0.0_16
 subnet 172.20.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
access-list RAS-MEDIA_splitTunnelAcl standard permit 172.20.0.0 255.255.0.0 
pager lines 24
logging enable
logging console warnings
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu backup 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic INSIDE_HOSTS interface
nat (inside,outside) source static NETWORK_OBJ_172.20.0.0_16 NETWORK_OBJ_172.20.0.0_16 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 202.x.x.x 1

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.100.0 255.255.255.0 management
http 172.20.58.59 255.255.255.255 inside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
 
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.20.58.59 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection rate icmp-drop rate-interval 600 average-rate 5555 burst-rate 50
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RAS-MEDIA internal
group-policy RAS-MEDIA attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAS-MEDIA_splitTunnelAcl
username vpn password ipT92iBMo5fLIuiz encrypted
username umer password mTnGSw0kCnDHr780 encrypted
username rizwan password /BCII2dYm.UXESdU encrypted
tunnel-group RAS-MEDIA type remote-access
tunnel-group RAS-MEDIA general-attributes
 address-pool VPN_POL
 default-group-policy RAS-MEDIA
tunnel-group RAS-MEDIA ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:a7744507f7cb4255faaba0a829f64155
: end

VIP Purple

The NAT rules are in the wrong order. They are processed top-down and the exemption has to be at the top of the list.

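The two replies above about NAT ordering (traffic from the inside LAN to the VPN pool must hit the exemption before the catch-all PAT rule) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the two manual NAT lines exactly as posted, applies the ASA's top-down first-match evaluation for that NAT section, and shows which rule a LAN-to-VPN-pool flow and a LAN-to-internet flow hit in the posted order versus with the exemption moved to the top. It models only the two posted `nat (inside,outside) source ...` shapes and only manual (section 1) NAT; the host addresses used for the flows are taken from the thread, the 8.8.8.8 destination is a constructed stand-in for "the internet".

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Network objects exactly as defined in the posted config
OBJECTS = {
    "INSIDE_HOSTS": ipaddress.ip_network("172.20.0.0/16"),
    "NETWORK_OBJ_172.20.0.0_16": ipaddress.ip_network("172.20.0.0/16"),
    "NETWORK_OBJ_192.168.50.0_24": ipaddress.ip_network("192.168.50.0/24"),
}

# The two manual (twice) NAT rules from the posted config, in the posted order
POSTED_NAT = [
    "nat (inside,outside) source dynamic INSIDE_HOSTS interface",
    "nat (inside,outside) source static NETWORK_OBJ_172.20.0.0_16 NETWORK_OBJ_172.20.0.0_16 "
    "destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 "
    "no-proxy-arp route-lookup",
]


@dataclass
class NatRule:
    text: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # ANY when the rule has no destination clause
    action: str                  # "pat-to-interface", "identity" (exemption) or "static"


def parse_manual_nat(line):
    """Parse the two 'nat (inside,outside) source ...' forms used in the posted config.
    Only those shapes are handled; anything else raises ValueError."""
    t = line.split()
    if t[:1] != ["nat"] or t[2:3] != ["source"]:
        raise ValueError("not a manual NAT rule: " + line)
    if t[3] == "dynamic" and t[5] == "interface":
        # source dynamic <obj> interface: PAT everything from <obj> to the egress interface
        return NatRule(line, OBJECTS[t[4]], ANY, "pat-to-interface")
    if t[3] == "static":
        real, mapped = OBJECTS[t[4]], OBJECTS[t[5]]
        dst = ANY
        identity = real == mapped            # real == mapped means "translate to itself"
        if "destination" in t:
            i = t.index("destination")
            dst, dst_mapped = OBJECTS[t[i + 2]], OBJECTS[t[i + 3]]
            identity = identity and dst == dst_mapped
        return NatRule(line, real, dst, "identity" if identity else "static")
    raise ValueError("unsupported NAT syntax: " + line)


def first_match(rules, src_ip, dst_ip):
    """Manual NAT is evaluated top-down: the first rule whose source and destination
    both contain the packet wins.  Returns that rule, or None if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r
    return None


def nat_action(nat_lines, src_ip, dst_ip):
    """Action the ASA would apply to a new inside->outside flow under these rules."""
    rule = first_match([parse_manual_nat(ln) for ln in nat_lines], src_ip, dst_ip)
    return rule.action if rule else "no-nat"


def exemption_first(nat_lines):
    """Reorder so identity (exemption) rules precede everything else.  On the ASA the
    same effect comes from inserting the rule at line 1:
    'nat (inside,outside) 1 source static ...'."""
    rules = [parse_manual_nat(ln) for ln in nat_lines]
    return ([r.text for r in rules if r.action == "identity"]
            + [r.text for r in rules if r.action != "identity"])


if __name__ == "__main__":
    lan_host, vpn_client, internet = "172.20.58.250", "192.168.50.100", "8.8.8.8"
    for label, rules in (("posted order", POSTED_NAT),
                         ("exemption first", exemption_first(POSTED_NAT))):
        print(f"{label:16} LAN->VPN pool: {nat_action(rules, lan_host, vpn_client):17}"
              f" LAN->internet: {nat_action(rules, lan_host, internet)}")
```

In the posted order the dynamic rule has no destination clause, so it matches LAN-to-pool traffic first and the exemption below it is never reached; once the exemption sits above it, pool-bound traffic is left untranslated and only internet-bound traffic is PATed.
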
Community Member

I have changed the order but it is still not working; the LAN is not accessible.

Community Member

Is any route required for the VPN pool 192.168.50.0/24?

VIP Purple

Is the ASA the central internet gateway? Then no extra routing is needed.

Is your client behind NAT/PAT? Then you have to re-enable NAT traversal:

crypto isakmp nat-traversal

Community Member

I have applied the nat-traversal command but it is still not working.

Is any access-list required to permit VPN traffic from the outside interface to the inside interface?

Is it necessary that my LAN users' default gateway is the inside interface of the firewall?

VIP Purple

> Is any access-list required to permit VPN traffic from the outside interface to the inside interface?

No, that's not needed.
What's the output of "sh vpn-sessiondb detail ra-ikev1-ipsec" while connected?
And show the statistics window of the VPN client while connected.

Community Member

Please check the output below; a screenshot of the VPN client window is attached. I also observe that packets are only being encrypted but not decrypted. There is some issue in the return path.

 sh vpn-sessiondb detail ra-ikev1-ipsec

Session Type: IKEv1 IPsec Detailed

Username     : vpn                    Index        : 37
Assigned IP  : 192.168.50.100         Public IP    : 202.59.94.141
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : IKEv1: (1)AES256  IPsecOverNatT: (1)AES128
Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Pkts Tx      : 0                      Pkts Rx      : 0
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : RAS-MEDIA              Tunnel Group : RAS-MEDIA
Login Time   : 13:09:50 UTC Fri Aug 22 2014
Duration     : 0h:03m:03s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKEv1 Tunnels: 1
IPsecOverNatT Tunnels: 1

IKEv1:
  Tunnel ID    : 37.1
  UDP Src Port : 49885                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86274 Seconds
  D/H Group    : 2
  Filter Name  : 
  Client OS    : WinNT                  Client OS Ver: 5.0.07.0410            

IPsecOverNatT:
  Tunnel ID    : 37.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 192.168.50.100/255.255.255.255/0/0
  Encryption   : AES128                 Hashing      : SHA1                   
  Encapsulation: Tunnel                 
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28670 Seconds          
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes             
  Bytes Tx     : 0                      Bytes Rx     : 0                      
  Pkts Tx      : 0                      Pkts Rx      : 0                      
  
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 130 Seconds

Community Member

Hello 

Any update on it?

VIP Purple

The traffic doesn't get to your ASA, so I would look for problems on the local PC.

  1. Try it with a completely different PC.
  2. Remove the VPN client and do a fresh install.
  3. Are there other VPN clients on your PC? Remove them for a test and then reinstall the Cisco client.
  4. Is there other software installed that can intercept the sent traffic? It could also be an antivirus scanner going wild. I've seen that with Kaspersky just days ago.
  5. Which Windows version are you using?

Community Member

It works only when I assign VPN remote users the same IP address pool as the LAN.

I have reinstalled the VPN client and checked on another PC too, but same problem.

I am using Cisco VPN Client version vpnclient-win-msi-5.0.07.0410-k9 and Windows 7 Ultimate Service Pack 1.

The VPN client shows the LAN IP pool as secured routes. Please check the attached screenshots.

VIP Purple

In the previous screenshot the received/decrypted packets were 0; in this screenshot there are received packets, which looks good. In exactly the same situation, how do the counters on the ASA look? (sh vpn-sessiondb detail ra-ikev1-ipsec)

Do you have an internal system where you can capture packets? Or a Cisco Catalyst? On that device you could do a "debug ip icmp" and then ping that switch from the VPN client. It should show the ping packets.

Community Member

I have identified the issue; it is with the following command:

 split-tunnel-policy tunnelspecified

When I use this command the internet works while connected to the VPN but the local LAN does not, and when I use "split-tunnel-policy excludespecified" the local LAN works and the internet does not.

How do I make both the local LAN and the internet work at the same time?

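The post above hinges on what the three `split-tunnel-policy` values do with the posted ACL. The following is an added example, not code from the thread or from Cisco: it encodes the documented meaning of `tunnelall`, `tunnelspecified` and `excludespecified`, applies it to the posted `RAS-MEDIA_splitTunnelAcl` (172.20.0.0/16), and classifies a few destinations as "into the tunnel" or "sent locally". It models the client-side policy decision only, not NAT or routing on either end. The sample destinations are constructed: 172.20.58.250 is the inside host seen later in the thread, 8.8.8.8 stands in for an internet host, and 192.168.1.20 is an assumed device on the remote user's home network.

```python
import ipaddress

# Split-tunnel ACL from the posted config:
#   access-list RAS-MEDIA_splitTunnelAcl standard permit 172.20.0.0 255.255.0.0
SPLIT_TUNNEL_ACL = [ipaddress.ip_network("172.20.0.0/16")]

# Constructed sample destinations (assumptions, not from the thread except the first)
SAMPLE_DESTINATIONS = {
    "corporate server": "172.20.58.250",
    "internet host": "8.8.8.8",
    "home printer": "192.168.1.20",
}

POLICIES = ("tunnelall", "tunnelspecified", "excludespecified")


def listed(dst, acl):
    """True when dst falls inside any network permitted by the split-tunnel ACL."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in acl)


def tunneled(policy, dst, acl=SPLIT_TUNNEL_ACL):
    """Does the client send a packet for dst into the IPsec tunnel?

    tunnelall        - everything goes into the tunnel; the ACL is ignored
    tunnelspecified  - only destinations matched by the ACL (the ACL is an include list)
    excludespecified - everything except destinations matched by the ACL (an exclude list)
    """
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return listed(dst, acl)
    if policy == "excludespecified":
        return not listed(dst, acl)
    raise ValueError("unknown split-tunnel-policy: " + policy)


def classify(policy, destinations, acl=SPLIT_TUNNEL_ACL):
    """Map each destination to 'tunnel' or 'local' under the given policy."""
    return {dst: ("tunnel" if tunneled(policy, dst, acl) else "local")
            for dst in destinations}


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy)
        for label, dst in SAMPLE_DESTINATIONS.items():
            print(f"  {label:16} {dst:15} -> {classify(policy, [dst])[dst]}")
```

With the ACL naming the corporate LAN, `tunnelspecified` is the policy that sends 172.20.0.0/16 into the tunnel and everything else (internet, home LAN) out the local interface; `excludespecified` with the same ACL does the opposite, keeping the corporate prefix local and pushing everything else into the tunnel.
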
Community Member

No, it's not working actually. That is for local LAN access on the remote user's side.

Community Member

It's working for the Cisco switch but I am not able to ping any machine. You can see the logs from debug ip icmp below:

00:23:27: ICMP: echo reply sent, src 172.20.58.250, dst 192.168.50.101
00:23:28: ICMP: echo reply sent, src 172.20.58.250, dst 192.168.50.101
00:23:29: ICMP: echo reply sent, src 172.20.58.250, dst 192.168.50.101
00:23:30: ICMP: echo reply sent, src 172.20.58.250, dst 192.168.50.101

VIP Purple

That shows that the VPN is working. Troubleshoot the machines that are not accessible. Windows Firewall or something like that?

Community Member

Yup, after making the machine's gateway the inside interface IP of the firewall it's working on one machine. I am also unable to access or ping the inside interface of the firewall using the VPN. How is it possible to access the firewall using the VPN?

VIP Purple

> How is it possible to access the firewall using the VPN?

"management-access inside"

Community Member

One last question. If my internal LAN users have some other gateway, not the inside interface of the ASA firewall, how will they be reachable from the VPN?

I can access Cisco switches without a gateway, but desktop machines work only when the inside interface of the firewall is used as the gateway.

VIP Purple

In general, each system should have a valid gateway that knows how to reach all your networks. If a different gateway is used for a particular system, that router needs a route for your VPN pool pointing to the ASA.

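The last two posts describe the return-path problem behind the earlier "encrypting but not decrypting" observation: a LAN host whose default gateway is not the ASA sends its replies for 192.168.50.x to a router that has no route for the pool. The following is an added example, not code from the thread or from Cisco: it traces a reply from a LAN host toward a VPN client through a small model of the topology, using the inside network, the VPN pool and the ASA inside address from the posted config. The second gateway ("lan-router") is a constructed assumption, as is the IOS `ip route` command quoted in a comment for fixing it; the ASA is modelled as knowing the pool because it terminates the tunnel.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("172.20.0.0/16")          # inside network, posted config
VPN_POOL = ipaddress.ip_network("192.168.50.0/24")   # ip local pool VPN_POL, posted config
ASA_INSIDE = "172.20.57.1"                           # inside interface, posted config
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Router:
    name: str
    routes: dict   # IPv4Network -> next hop: "tunnel", "isp" or another router's name

    def next_hop(self, dst):
        """Longest-prefix match over this router's table; None if nothing matches."""
        ip = ipaddress.ip_address(dst)
        best = max((p for p in self.routes if ip in p),
                   key=lambda p: p.prefixlen, default=None)
        return self.routes[best] if best is not None else None


def trace_reply(gateway, routers, dst, max_hops=8):
    """Follow a LAN host's reply packet toward dst, starting at the host's default
    gateway.  The returned hop list ends in 'tunnel' when the ASA encrypts it back to
    the VPN client, 'isp' when it leaves the LAN untranslated and unencrypted (and is
    never seen by the client), or 'dropped' when some router has no route at all."""
    if ipaddress.ip_address(dst) in LAN:
        return ["direct"]                 # same subnet as the host, no gateway involved
    path, hop = [], gateway
    while hop in routers and len(path) < max_hops:
        path.append(hop)
        hop = routers[hop].next_hop(dst)
    path.append(hop or "dropped")
    return path


def build_topology(other_router_knows_pool):
    """Two candidate gateways for LAN hosts: the ASA, and a constructed second router
    that only has a default route to the ISP unless told about the VPN pool."""
    asa = Router("asa", {VPN_POOL: "tunnel", DEFAULT: "isp"})
    other = Router("lan-router", {DEFAULT: "isp"})
    if other_router_knows_pool:
        # Assumed fix on an IOS router (constructed, not from the thread):
        #   ip route 192.168.50.0 255.255.255.0 172.20.57.1
        other.routes[VPN_POOL] = "asa"
    return {"asa": asa, "lan-router": other}


if __name__ == "__main__":
    client = "192.168.50.100"             # assigned IP from the posted session output
    for fixed in (False, True):
        topo = build_topology(fixed)
        for gw in ("asa", "lan-router"):
            print(f"route added={fixed!s:5} gateway={gw:10} "
                  f"reply path -> {' > '.join(trace_reply(gw, topo, client))}")
```

A host that uses the ASA as its gateway hands the reply straight to the tunnel; a host behind the other router sends it to the ISP until that router learns a route for the pool via the ASA inside address, which is exactly the case the thread ended on.
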