Cisco Support Community

Cisco VPN Client gives Blank DNS address IPSEC remote VPN

Guys, can you help me with this? I configured two ASA 5505s with an IPsec remote VPN tunnel. Both use the same ASDM version and ASA version. One worked flawlessly; the other one gives me a problem: once it is connected using the Cisco VPN Client, I get an empty DNS address in my adapter. I have configured the device as below. Would you mind pointing out what I'm doing wrong?

 

[SPOILER]

ciscoasa# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
domain-name halliburton.com
enable password 0e53SZdxezxawxDG encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN_POOL 10.1.0.1-10.1.0.254 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan100
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.252
!
boot system disk0:/asa912-k8.bin
ftp mode passive
clock timezone MYT 8
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 202.188.1.5
 name-server 202.188.0.133
 domain-name halliburton.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 description Halliburton_LAN
object network inside_LAN
 subnet 192.168.0.0 255.255.255.0
object network VPN_Network
 subnet 10.1.0.0 255.255.255.0
object network FIN_SRV01
 host 192.168.0.100
object network VPN_Netwrok
 subnet 10.1.0.0 255.255.255.0
object network NETWORK_OBJ_10.1.0.0_24
 subnet 10.1.0.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit ip object inside_LAN any
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any object inside_LAN object-group DM_INLINE_ICMP_1
access-list HB_VPN extended permit object-group DM_INLINE_PROTOCOL_1 object VPN_Network object FIN_SRV01
access-list inside_access_in_1 extended permit ip any any
access-list VPN_Network extended permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list HB_MY_splitTunnelAcl_2 standard permit host 192.168.0.100
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static VPN_Network VPN_Network destination static FIN_SRV01 FIN_SRV01
!
object network inside_LAN
 nat (any,outside) dynamic interface
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Y.Y.Y.Y 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list value RDP
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=ciscoasa
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
 certificate 84253553
  quit
no crypto isakmp nat-traversal
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.0.101-192.168.0.130 inside
dhcpd dns 202.188.0.133 202.188.1.5 interface inside
dhcpd domain hallbayan01@unifibiz interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 202.71.100.89 source outside
webvpn
 enable outside
 smart-tunnel list CLIENT_A wininit.exe wininit.exe platform windows
 smart-tunnel list CLIENT_A TSWbPrxy.exe TSWbPrxy.exe platform windows
 smart-tunnel list CLIENT_A services.exe services.exe platform windows
 smart-tunnel list CLIENT_A mstsc.exe mstsc.exe platform windows
 smart-tunnel list CLIENT_A wksprt.exe wksprt.exe platform windows
group-policy DfltGrpPolicy attributes
 webvpn
  url-list value RDP
  smart-tunnel enable CLIENT_A
group-policy HB_MY internal
group-policy HB_MY attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HB_VPN
 default-domain value halliburton.com
username Yin_Mei password KJkscnepnb6B5uNC encrypted privilege 0
username Yin_Mei attributes
 service-type remote-access
username Basil_Law password gMeFr1t86MFZViA4 encrypted privilege 0
username Basil_Law attributes
 service-type remote-access
username Rashid_Yusoff password LxyZjt2yG8B5cu9r encrypted privilege 0
username Rashid_Yusoff attributes
 service-type remote-access
username administrator password woVD0EbRlBnBW1dA encrypted privilege 15
username administrator attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
  url-list value RDP
  smart-tunnel enable CLIENT_A
username Steve_Jacobs password 8BzMnNE1cXhPxk8f encrypted privilege 0
username Steve_Jacobs attributes
 service-type remote-access
username A_Fais password 0jkKVKJbXqjYPeWX encrypted privilege 0
username A_Fais attributes
 service-type remote-access
tunnel-group HB_MY type remote-access
tunnel-group HB_MY general-attributes
 address-pool VPN_POOL
 default-group-policy HB_MY
tunnel-group HB_MY ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e84d3a6dd96518192b7bffb3eb140944
: end

 

[/SPOILER]

 
