New Member

Cisco software VPN through ASA5505

I have a Cisco software VPN on a laptop that connects to another company network, but when I run it on our network it will not connect. I am using a Cisco 5505 device on our network.

The strange part is that it works through another user's home network that has the same ASA5505 with a similar configuration.

I have confirmed that the software VPN does work when bypassing the firewall, so it's definitely a setting on the firewall.

Thanks

3 REPLIES
Super Bronze

Please share your config so we can double-check whether there are any missing configs.

New Member

Thank you so much.  Here is our config:

Result of the command: "show config"

: Saved
: Written by William.Cobb at 05:59:13.659 UTC Tue Jun 19 2012
!
ASA Version 8.4(3)
!
hostname ciscoasa
domain-name global-isi.com
enable password kLsF.QwMD05QKnnk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 WC
name 192.168.6.0 Seetharam
name 192.168.5.2 Exchange
name 192.168.5.162 OldSharepoint
name 192.168.5.3 ISIVPN
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.164.41.109 255.255.255.224
!
interface Vlan5
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server Exchange
name-server 4.2.2.1
domain-name global-isi.com
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network Seetharam
subnet 192.168.6.0 255.255.255.0
object network ISIVPN
host 192.168.5.3
object network Exchange
host 192.168.5.2
object network Exchange-01
host 192.168.5.2
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network WC
subnet 192.168.2.0 255.255.255.0
description Created during name migration
object network Buddy
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.2
host 192.168.5.2
object network IndusLaptop
host 192.168.5.147
description Indu
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq www
port-object eq 993
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq https
service-object tcp destination eq pptp
service-object tcp destination eq www
service-object tcp destination eq 993
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pptp
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp
service-object udp
service-object gre
service-object icmp6
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object tcp destination eq pptp
access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 object Seetharam
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 object Seetharam
access-list outside_cryptomap_1 extended permit ip 192.168.5.0 255.255.255.0 object Buddy
access-list outside_acl extended permit object-group DM_INLINE_SERVICE_3 any host 192.168.5.157
access-list outside_acl extended permit tcp any object Exchange eq smtp
access-list outside_acl extended permit tcp any object Exchange object-group DM_INLINE_TCP_1
access-list outside_acl extended permit object-group DM_INLINE_SERVICE_1 any object ISIVPN
access-list outside_acl extended permit tcp any host 70.164.41.112 object-group DM_INLINE_TCP_2
access-list outside_acl extended permit object-group DM_INLINE_SERVICE_2 any object IndusLaptop
pager lines 24
logging enable
logging buffer-size 50000
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 1800
nat (inside,outside) source static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 destination static Buddy Buddy no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 destination static Seetharam Seetharam no-proxy-arp route-lookup
!
object network ISIVPN
nat (inside,outside) static 70.164.41.111
object network Exchange
nat (inside,outside) static 70.164.41.115
object network Exchange-01
nat (inside,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 70.164.41.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.73.70.5
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 71.246.230.170
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_173.73.70.5 internal
group-policy GroupPolicy_173.73.70.5 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_71.246.230.170 internal
group-policy GroupPolicy_71.246.230.170 attributes
vpn-tunnel-protocol ikev1
group-policy VPNPolicy internal
group-policy VPNPolicy attributes
vpn-tunnel-protocol ssl-clientless
webvpn
  url-list value Bookmarks
username William.Cobb password yXGENBczn.RAvvmJ encrypted privilege 15
username William.Cobb attributes
vpn-group-policy VPNPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
default-group-policy VPNPolicy
tunnel-group 173.73.70.5 type ipsec-l2l
tunnel-group 173.73.70.5 general-attributes
default-group-policy GroupPolicy_173.73.70.5
tunnel-group 173.73.70.5 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 71.246.230.170 type ipsec-l2l
tunnel-group 71.246.230.170 general-attributes
default-group-policy GroupPolicy_71.246.230.170
tunnel-group 71.246.230.170 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global-policy
class global-class
  inspect dns
  inspect http
  inspect ip-options
  inspect ipsec-pass-thru
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4ed6f97598fce8debd5fa5ab2042e178

Super Bronze

Config looks OK to me.

Can you share the logs from the VPN Client when you try to connect? Thanks.
