Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco VPN client not connecting from our LAN to another company's LAN

Both companies are behind ASA's.  Here's the Cisco VPN CLient log:

 

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1      14:06:45.882  07/07/14  Sev=Info/6      CERT/0x63600026
Attempting to find a Certificate using Serial Hash.

2      14:06:45.882  07/07/14  Sev=Info/6      CERT/0x63600027
Found a Certificate using Serial Hash.

3      14:06:45.888  07/07/14  Sev=Info/6      CERT/0x63600026
Attempting to find a Certificate using Serial Hash.

4      14:06:45.888  07/07/14  Sev=Info/6      CERT/0x63600027
Found a Certificate using Serial Hash.

5      14:06:45.895  07/07/14  Sev=Info/6      CERT/0x63600026
Attempting to find a Certificate using Serial Hash.

6      14:06:45.896  07/07/14  Sev=Info/6      CERT/0x63600027
Found a Certificate using Serial Hash.

7      14:06:45.898  07/07/14  Sev=Info/6      GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.

8      14:06:54.398  07/07/14  Sev=Info/4      CM/0x63100002
Begin connection process

9      14:06:54.420  07/07/14  Sev=Info/4      CM/0x63100004
Establish secure connection

10     14:06:54.420  07/07/14  Sev=Info/4      CM/0x63100024
Attempt connection with server "RochesterVPN.XXX.XXX"

11     14:06:54.525  07/07/14  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 161.242.XXX.XXX.

12     14:06:54.538  07/07/14  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

13     14:06:54.551  07/07/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 161.242.XXX.XXX

14     14:06:54.703  07/07/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 161.242.XXX.XXX

15     14:06:54.704  07/07/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 161.242.XXX.XXX

16     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

17     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

18     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports DPD

19     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

20     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

21     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

22     14:06:54.707  07/07/14  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

23     14:06:54.707  07/07/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 161.242.XXX.XXX

24     14:06:54.708  07/07/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

25     14:06:54.708  07/07/14  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0xE25A, Remote Port = 0x1194

26     14:06:54.708  07/07/14  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

27     14:06:54.708  07/07/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

28     14:06:55.708  07/07/14  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

29     14:06:55.708  07/07/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

30     14:06:55.708  07/07/14  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (172.30.235.172)

31     14:07:05.189  07/07/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

32     14:07:15.347  07/07/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

33     14:07:25.490  07/07/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

34     14:07:31.392  07/07/14  Sev=Info/4      CM/0x63100006
Abort connection attempt before Phase 1 SA up

35     14:07:31.393  07/07/14  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

36     14:07:31.393  07/07/14  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=39AB9617851A0C50 R_Cookie=CD564EAFBEFEBB5C) reason = DEL_REASON_RESET_SADB

37     14:07:31.393  07/07/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 161.242.XXX.XXX

38     14:07:31.394  07/07/14  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=39AB9617851A0C50 R_Cookie=CD564EAFBEFEBB5C) reason = DEL_REASON_RESET_SADB

39     14:07:31.409  07/07/14  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

40     14:07:32.451  07/07/14  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

41     14:07:32.502  07/07/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

42     14:07:32.502  07/07/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

43     14:07:32.502  07/07/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

44     14:07:32.502  07/07/14  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Everyone's tags (1)
3 REPLIES
New Member

  ASA Version 8.4(4)1 

 

 

ASA Version 8.4(4)1 
!
hostname remoteASA
domain-name 
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif SAN
 security-level 99
 ip address 192. 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172. 255.255.255.0 
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10. 255.255.255.0 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address  255.255.255.240 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface Management0/0
 shutdown
 nameif Management
 security-level 100
 ip address 10. 255.255.255.0 
 ospf cost 10
 ospf network point-to-point non-broadcast

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
o
object-group network DM_INLINE_NETWORK_2
 group-object DROP_DoNotRoute
 group-object VulnScannerIPs
object-group service DM_INLINE_SERVICE_1
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq domain 
 service-object udp destination eq domain 
object-group network DM_INLINE_NETWORK_5
 network-object object AD3
 network-object object AD4
object-group service DM_INLINE_SERVICE_2
 service-object object IPSEC-udp 
 service-object esp 
 service-object object View-AJP13 
 service-object object View-JMS 
object-group network DM_INLINE_NETWORK_6
 network-object object Xerox
 network-object object TestMonitor2


access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq www 
access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq https 
access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq 3389 inactive 
access-list inside_nat0_outbound extended permit ip 255.255.255.0 object-group _LAN 
access-list inside_nat0_outbound extended permit ip object-group _LAN 1920255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN object-group bbb_LAN 
access-list acl_nonat extended permit ip object-group _LAN object lePointLAN 
access-list acl_nonat extended permit ip object-group _LAN XX.XX10.0 255.255.255.0 
access-list acl_nonat extended permit ip XX.XX10.0 255.255.255.0 object-group bbb_LAN 
access-list acl_nonat extended permit ip object-group bbb_LAN XX.XX10.0 255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN XXX.XXX5.0 255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN XXX.XXX4.0 255.255.255.0 
access-list acl_nonat extended permit ip XXX.XXX0.0 255.255.0.0 XXX.XXX5.0 255.255.255.0 
access-list acl_nonat extended permit ip XXX.XXX200.0 255.255.255.0 XXX.XXX4.0 255.255.255.0 
access-list acl_nonat extended permit ip XXX.XXX0.0 255.255.0.0 XX.XX10.0 255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN object-group TestPool 
access-list acl_nonat extended permit ip object-group _LAN object-group ccc_LAN 
access-list acl_nonat extended permit ip object-group TestPool object-group _LAN 
access-list outside_cryptomap extended permit ip 172. 255.255.0.0 192.1 255.255.255.0 inactive 
access-list inside_access_out extended deny ip any object-group DM_INLINE_NETWORK_4 log notifications 
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_10 object-group _LAN host 161.242.XX.XXX 
access-list inside_access_out extended permit ip object-group _LAN XXX.XXX4.0 255.255.255.0 
access-list inside_access_out extended permit ip object-group _LAN XXX.XXX5.0 255.255.255.0 
access-list inside_access_out extended permit ip object-group _LAN object-group bbb_LAN 
access-list inside_access_out extended permit ip object-group _LAN object lePointLAN inactive 
access-list inside_access_out extended permit ip object _UTM any 
access-list inside_access_out extended permit ip object-group DM_INLINE_NETWORK_10 object-group ccc_LAN 
access-list inside_access_out extended permit object-group TCPUDP object-group DNSServers any eq domain 
access-list inside_access_out extended permit tcp host XXX.XXX210.56 host 54. object-group DM_INLINE_TCP_2 
access-list inside_access_out extended deny object-group TCPUDP any any eq domain 
access-list inside_access_out extended permit tcp any any object-group RDP 
access-list inside_access_out extended permit tcp object AntiSpam any eq smtp 
access-list inside_access_out extended permit tcp object AntiSpamVM any eq smtp 
access-list inside_access_out extended permit tcp host XXX.XXX210.58 any eq smtp 
access-list inside_access_out extended deny ip any host 216. 
access-list inside_access_out extended deny ip any host 204. 
access-list inside_access_out extended deny ip any host 216. 
access-list inside_access_out extended permit ip host XXX.XXX10.7 any 
access-list inside_access_out extended permit udp any any eq syslog 
access-list inside_access_out extended permit ip object-group _LAN host XXX.XXX10.17 
access-list inside_access_out extended permit tcp object EX2007 any eq smtp inactive 
access-list inside_access_out extended permit ip XXX.XXX5.0 255.255.255.0 any inactive 
access-list inside_access_out extended deny ip any host 67. 
access-list inside_access_out extended deny ip host XXX.XXX10.24 any 
access-list inside_access_out extended deny tcp any any range 135 netbios-ssn log notifications 
access-list inside_access_out extended deny udp any any range 135 139 
access-list inside_access_out extended deny tcp any any eq 445 
access-list inside_access_out extended deny udp any any eq tftp inactive 
access-list inside_access_out extended deny udp any any eq syslog inactive 
access-list inside_access_out extended permit udp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_1 range snmp snmptrap 
access-list inside_access_out extended deny udp any any range snmp snmptrap 
access-list inside_access_out extended deny tcp any any range 6660 6669 
access-list inside_access_out extended deny tcp any any eq pop3 
access-list inside_access_out extended deny object-group TCPUDP any any eq kerberos 
access-list inside_access_out extended permit object Web8080 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web8000 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web8765 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web8443 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web81 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit tcp XXX.XXX0.0 255.255.0.0 any object-group DM_INLINE_TCP_1 
access-list inside_access_out extended deny tcp any any eq smtp 
access-list inside_access_out extended permit ip XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit ip XXX.XXX4.0 255.255.255.0 any 
access-list inside_access_out extended permit ip object-group _LAN host XXX.XXX210.113 
access-list inside_access_out extended deny ip any any 

!
tcp-map mss-map
!

mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu Management 1500
ip local pool ClientPool XX.XX10.1-XX.XX10.254 mask 255.255.255.0
ip local pool InsidePool XXX.XXX10.200-XXX.XXX10.220 mask 255.255.255.0
ip audit signature 2004 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
icmp permit host 64. outside
asdm image disk1:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static _LAN _LAN destination static bbb_LAN bbb_LAN no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static lePointLAN lePointLAN no-proxy-arp
nat (inside,any) source static obj-XX.XX10.0 obj-XX.XX10.0 destination static bbb_LAN bbb_LAN no-proxy-arp
nat (inside,any) source static bbb_LAN bbb_LAN destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XXX.XXX5.0 obj-XXX.XXX5.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XXX.XXX4.0 obj-XXX.XXX4.0 no-proxy-arp
nat (inside,outside) source static _LAN _LAN destination static ccc_LAN ccc_LAN
nat (inside,outside) source static HOST_CUBE_LOOPBACK HOST_CUBE_LOOPBACK destination static ccc_LAN ccc_LAN
nat (inside,any) source static obj-XXX.XXX0.0 obj-XXX.XXX0.0 destination static obj-XXX.XXX5.0 obj-XXX.XXX5.0 no-proxy-arp
nat (inside,any) source static obj-XXX.XXX0.0 obj-XXX.XXX0.0 destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (SAN,any) source static SAN SAN destination static obj-XXX.XXX4.0 obj-XXX.XXX4.0 no-proxy-arp
!
object network AntiSpam
 nat (inside,any) static 64. service tcp smtp smtp 
object network obj-172.
 nat (inside,outside) static 64. service tcp 3389 3389 
object network obj-172.
 nat (inside,outside) static 64. service tcp https https 
object network obj-172.
 nat (inside,outside) static 64. service tcp 3389 3389 
object network obj-172.
 nat (inside,outside) static interface service tcp 5001 5001 
object network obj-172.
 nat (inside,outside) static interface service udp 5001 5001 
object network obj-172.
 nat (inside,outside) static securemail.law.com
object network Check_PC
 nat (inside,outside) static 64.
object network obj_any
 nat (inside,inside) dynamic 
object network obj_any-01
 nat (inside,outside) dynamic interface
object network obj_any-02
 nat (DMZ,outside) dynamic interface
object network obj-XX.XX1.9
 nat (DMZ,outside) static 64.
object network obj-XX.XX1.6
 nat (DMZ,outside) static 64.
!
nat (inside,outside) after-auto source static obj-172. service http http
access-group SAN_access_in in interface SAN
access-group inside_access_out in interface inside
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface outside
!
route-map vpn-routes permit 10
 match ip address filter-default-static-route
!
route-map vpn-routes permit 20
 match interface outside
 set metric-type type-2
!
!
router ospf 1
 network 172255.255.0.0 area 0
 area 0
 log-adj-changes
 redistribute static metric 10
!
route outside 0.0.0.0 0.0.0.0 64. 1
route inside XXX.XXX0.0 255.255.0.0 XXX.XXX10.5 1
route inside XXX.XXX99.0 255.255.255.252 XXX.XXX10.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 3:00:00 absolute uauth 0:30:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAPMAP
  map-name  sAMAccountName IETF-Radius-Class
  map-value sAMAccountName sAMAccountName Tunnel-Group-Lock
dynamic-access-policy-record DfltAccessPolicy
 description "WebAccess"
 webvpn
  url-list value Intranet
  url-entry enable
aaa-server BA_Auth protocol radius
aaa-server BA_Auth (inside) host 172.
 key *****
aaa-server BA_Auth (inside) host 172.
 key *****
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.
 server-port 636
 ldap-base-dn OU=Users,OU=,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator,cn=users,dc=,dc=net
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAPMAP
aaa-server LDAP (inside) host 172.
 server-port 636
 ldap-base-dn OU=Users,OU=,dc=,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator,cn=users,dc=,dc=net
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAPMAP
user-identity default-domain LOCAL
eou allow none
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication match Outside_authentication_BA_Auth outside BA_Auth
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
aaa authentication secure-http-client
aaa authentication listener http outside port 1080 redirect
aaa authentication listener https outside port 1443 redirect
http server enable

sysopt connection tcpmss 1460

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set ikev1 transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto dynamic-map lePoint 3 match address outside_cryptomap_2
crypto dynamic-map lePoint 3 set pfs 
crypto dynamic-map lePoint 3 set reverse-route
crypto map inside_map 1 match address outside_cryptomap
crypto map inside_map 1 set pfs 
crypto map inside_map 1 set connection-type answer-only
crypto map inside_map 1 set peer 216. 
crypto map inside_map 1 set ikev1 phase1-mode aggressive 
crypto map inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 1 set security-association lifetime seconds 28800
crypto map inside_map 1 set security-association lifetime kilobytes 4608000
crypto map inside_map 1 set reverse-route
crypto map inside_map 2 match address outside_cryptomap_1
crypto map inside_map 2 set pfs 
crypto map inside_map 2 set connection-type answer-only
crypto map inside_map 2 set peer 208. 
crypto map inside_map 2 set ikev1 phase1-mode aggressive 
crypto map inside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 2 set reverse-route
crypto map inside_map 3 ipsec-isakmp dynamic
crypto map inside_map 4 match address outside_cryptomap_3
crypto map inside_map 4 set pfs 
crypto map inside_map 4 set peer 63. 
crypto map inside_map 4 set ikev1 phase1-mode aggressive 
crypto map inside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 4 set reverse-route
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside


crypto isakmp identity address 
crypto isakmp disconnect-notify
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 31
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-delimiter @

!
class-map ipsecpassthru-traffic
 match access-list ipsecpassthru
class-map inspection_default
 match default-inspection-traffic
class-map mss-class
 match access-list mss-list
class-map http-map1
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect ipsec-pass-thru iptmap
 parameters
  esp 
  ah 
policy-map inspection_policy
 class ipsecpassthru-traffic
  inspect ipsec-pass-thru iptmap 
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class inspection_default
  inspect pptp 
  inspect ftp 
  inspect ip-options 
  inspect ipsec-pass-thru 
 class class-default
policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls action log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map mss-class
 class mss-class
  set connection advanced-options mss-map
  inspect ipsec-pass-thru iptmap 
policy-map type inspect ftp Test
 parameters
!
service-policy global_policy global
service-policy mss-class interface outside
smtp-server 

Hi, Configuration you have

Hi,

 

Configuration you have provided is other end LAN's VPN Firewall right? from your LAN you are trying access the other LAN using the RA VPN right?

 

Also i do not see the complete configurations which has the tunnel group configurations missing from it.... please clarify your scenario, i will help you out with this.

 

Regards

Karthik

New Member

Hi,Your vpn config is purely

Hi,

Your vpn config is purely a site2site vpn type not remote access. Why are you using vpn client in a site2site environment?!

 

AM

65
Views
0
Helpful
3
Replies