
Cisco VPN client not connecting from our LAN to another company's LAN

Humongous
Level 1

Both companies are behind ASAs. Here's the Cisco VPN Client log:


Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1      14:06:45.882  07/07/14  Sev=Info/6      CERT/0x63600026
Attempting to find a Certificate using Serial Hash.

2      14:06:45.882  07/07/14  Sev=Info/6      CERT/0x63600027
Found a Certificate using Serial Hash.

3      14:06:45.888  07/07/14  Sev=Info/6      CERT/0x63600026
Attempting to find a Certificate using Serial Hash.

4      14:06:45.888  07/07/14  Sev=Info/6      CERT/0x63600027
Found a Certificate using Serial Hash.

5      14:06:45.895  07/07/14  Sev=Info/6      CERT/0x63600026
Attempting to find a Certificate using Serial Hash.

6      14:06:45.896  07/07/14  Sev=Info/6      CERT/0x63600027
Found a Certificate using Serial Hash.

7      14:06:45.898  07/07/14  Sev=Info/6      GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.

8      14:06:54.398  07/07/14  Sev=Info/4      CM/0x63100002
Begin connection process

9      14:06:54.420  07/07/14  Sev=Info/4      CM/0x63100004
Establish secure connection

10     14:06:54.420  07/07/14  Sev=Info/4      CM/0x63100024
Attempt connection with server "RochesterVPN.XXX.XXX"

11     14:06:54.525  07/07/14  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 161.242.XXX.XXX.

12     14:06:54.538  07/07/14  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

13     14:06:54.551  07/07/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 161.242.XXX.XXX

14     14:06:54.703  07/07/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 161.242.XXX.XXX

15     14:06:54.704  07/07/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 161.242.XXX.XXX

16     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

17     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

18     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports DPD

19     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

20     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

21     14:06:54.704  07/07/14  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

22     14:06:54.707  07/07/14  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

23     14:06:54.707  07/07/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 161.242.XXX.XXX

24     14:06:54.708  07/07/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

25     14:06:54.708  07/07/14  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0xE25A, Remote Port = 0x1194

26     14:06:54.708  07/07/14  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

27     14:06:54.708  07/07/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

28     14:06:55.708  07/07/14  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

29     14:06:55.708  07/07/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

30     14:06:55.708  07/07/14  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (172.30.235.172)

31     14:07:05.189  07/07/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

32     14:07:15.347  07/07/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

33     14:07:25.490  07/07/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

34     14:07:31.392  07/07/14  Sev=Info/4      CM/0x63100006
Abort connection attempt before Phase 1 SA up

35     14:07:31.393  07/07/14  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

36     14:07:31.393  07/07/14  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=39AB9617851A0C50 R_Cookie=CD564EAFBEFEBB5C) reason = DEL_REASON_RESET_SADB

37     14:07:31.393  07/07/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 161.242.XXX.XXX

38     14:07:31.394  07/07/14  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=39AB9617851A0C50 R_Cookie=CD564EAFBEFEBB5C) reason = DEL_REASON_RESET_SADB

39     14:07:31.409  07/07/14  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

40     14:07:32.451  07/07/14  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

41     14:07:32.502  07/07/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

42     14:07:32.502  07/07/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

43     14:07:32.502  07/07/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

44     14:07:32.502  07/07/14  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
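The log above has a fixed shape: a numbered header line (sequence, time, date, severity, module/code), then the message, which can span several lines (the NAT detection status). The script below is an added example, not code from the post or from Cisco: it parses that shape and pulls out the facts that matter for this failure, namely that Phase 1 reports "Established" with 0 user-authenticated SAs, the ports moved to 0x1194 (UDP 4500, NAT-T) with this end behind NAT, and no ISAKMP transaction exchange (XAUTH/mode-config) arrived before the abort. SAMPLE_LOG is a constructed subset of the posted log, and the text returned by `diagnose()` is the editor's reading of those facts, not a Cisco message.

```python
"""Summarise a Cisco VPN Client (IKEv1/IPsec) log and say where the attempt died.
Added example, not code from the post; SAMPLE_LOG is a constructed subset of the
log posted above (same message text, fewer entries)."""
import re
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Header line: "<seq>  <hh:mm:ss.mmm>  <mm/dd/yy>  Sev=<Level>/<n>  <MODULE>/<0xcode>"
ENTRY_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>\w+)/(?P<lvl>\d)\s+(?P<mod>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$")
PORT_RE = re.compile(r"Local Port =\s*(0x[0-9A-Fa-f]+),\s*Remote Port =\s*(0x[0-9A-Fa-f]+)")
AUTH_RE = re.compile(r"(\d+) User Authenticated IKE SA")


@dataclass
class Summary:
    phase1_established: bool = False   # "Established Phase 1 SA" (crypto SA only)
    user_authenticated: int = 0        # XAUTH-completed SAs the client reports
    transaction_seen: bool = False     # any ISAKMP OAK TRANS = XAUTH / mode-config
    aborted: bool = False
    keepalives: int = 0
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    local_behind_nat: Optional[bool] = None
    remote_behind_nat: Optional[bool] = None


def parse_entries(text: str) -> Iterator[Tuple[dict, str]]:
    """Yield (header fields, message); a message runs to the next blank line or
    header, so multi-line messages such as the NAT status stay in one piece."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i].strip())
        i += 1
        if not m:
            continue
        body = []
        while i < len(lines) and lines[i].strip() and not ENTRY_RE.match(lines[i].strip()):
            body.append(lines[i].rstrip())
            i += 1
        yield m.groupdict(), "\n".join(body)


def summarise(text: str) -> Summary:
    s = Summary()
    for _hdr, msg in parse_entries(text):
        if "ISAKMP OAK TRANS" in msg:
            s.transaction_seen = True
        if msg.startswith("Established Phase 1 SA"):
            s.phase1_established = True
            s.user_authenticated = int(AUTH_RE.search(msg).group(1))
        elif msg.startswith("Sent a keepalive"):
            s.keepalives += 1
        elif msg.startswith("Abort connection attempt"):
            s.aborted = True
        elif msg.startswith("Automatic NAT Detection Status"):
            for line in msg.splitlines()[1:]:       # "... IS behind" / "... is NOT behind"
                behind = "NOT behind" not in line
                if line.strip().startswith("Remote end"):
                    s.remote_behind_nat = behind
                elif line.strip().startswith("This"):
                    s.local_behind_nat = behind
        else:
            pm = PORT_RE.search(msg)
            if pm:                                  # ports are logged in hex
                s.local_port, s.remote_port = int(pm.group(1), 16), int(pm.group(2), 16)
    return s


def diagnose(s: Summary) -> str:
    """Editor's reading of the summary, not a Cisco message."""
    if s.aborted and s.phase1_established and not s.transaction_seen:
        port = f"UDP {s.remote_port}" + (" (NAT-T)" if s.remote_port == 4500 else "")
        return (f"Phase 1 crypto SA came up with {s.user_authenticated} user-authenticated SA, "
                f"but no XAUTH/mode-config exchange followed; negotiation moved to {port} and "
                f"{s.keepalives} keepalive(s) went unanswered. Check that the peer has a "
                f"remote-access tunnel-group for this profile and that {port} is allowed back "
                "through the NAT on this end.")
    if s.aborted:
        return "No Phase 1 SA: proposal mismatch or no reply from the peer on UDP 500."
    return "Connection progressed past Phase 1."


SAMPLE_LOG = """\
15     14:06:54.704  07/07/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 161.242.XXX.XXX

25     14:06:54.708  07/07/14  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0xE25A, Remote Port = 0x1194

26     14:06:54.708  07/07/14  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

27     14:06:54.708  07/07/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

31     14:07:05.189  07/07/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

34     14:07:31.392  07/07/14  Sev=Info/4      CM/0x63100006
Abort connection attempt before Phase 1 SA up
"""

if __name__ == "__main__":
    print(diagnose(summarise(SAMPLE_LOG)))
```

Run it against the full log from the post (or any other client log) by reading the file into `summarise()`; the point to watch is the combination of `phase1_established` being true while `transaction_seen` stays false, which is a gateway that finished the IKE handshake and then never started XAUTH.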

3 Replies

Humongous
Level 1

ASA Version 8.4(4)1 
!
hostname remoteASA
domain-name 
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif SAN
 security-level 99
 ip address 192. 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172. 255.255.255.0 
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10. 255.255.255.0 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address  255.255.255.240 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface Management0/0
 shutdown
 nameif Management
 security-level 100
 ip address 10. 255.255.255.0 
 ospf cost 10
 ospf network point-to-point non-broadcast

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
o
object-group network DM_INLINE_NETWORK_2
 group-object DROP_DoNotRoute
 group-object VulnScannerIPs
object-group service DM_INLINE_SERVICE_1
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq domain 
 service-object udp destination eq domain 
object-group network DM_INLINE_NETWORK_5
 network-object object AD3
 network-object object AD4
object-group service DM_INLINE_SERVICE_2
 service-object object IPSEC-udp 
 service-object esp 
 service-object object View-AJP13 
 service-object object View-JMS 
object-group network DM_INLINE_NETWORK_6
 network-object object Xerox
 network-object object TestMonitor2


access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq www 
access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq https 
access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq 3389 inactive 
access-list inside_nat0_outbound extended permit ip 255.255.255.0 object-group _LAN 
access-list inside_nat0_outbound extended permit ip object-group _LAN 1920255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN object-group bbb_LAN 
access-list acl_nonat extended permit ip object-group _LAN object lePointLAN 
access-list acl_nonat extended permit ip object-group _LAN XX.XX10.0 255.255.255.0 
access-list acl_nonat extended permit ip XX.XX10.0 255.255.255.0 object-group bbb_LAN 
access-list acl_nonat extended permit ip object-group bbb_LAN XX.XX10.0 255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN XXX.XXX5.0 255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN XXX.XXX4.0 255.255.255.0 
access-list acl_nonat extended permit ip XXX.XXX0.0 255.255.0.0 XXX.XXX5.0 255.255.255.0 
access-list acl_nonat extended permit ip XXX.XXX200.0 255.255.255.0 XXX.XXX4.0 255.255.255.0 
access-list acl_nonat extended permit ip XXX.XXX0.0 255.255.0.0 XX.XX10.0 255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN object-group TestPool 
access-list acl_nonat extended permit ip object-group _LAN object-group ccc_LAN 
access-list acl_nonat extended permit ip object-group TestPool object-group _LAN 
access-list outside_cryptomap extended permit ip 172. 255.255.0.0 192.1 255.255.255.0 inactive 
access-list inside_access_out extended deny ip any object-group DM_INLINE_NETWORK_4 log notifications 
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_10 object-group _LAN host 161.242.XX.XXX 
access-list inside_access_out extended permit ip object-group _LAN XXX.XXX4.0 255.255.255.0 
access-list inside_access_out extended permit ip object-group _LAN XXX.XXX5.0 255.255.255.0 
access-list inside_access_out extended permit ip object-group _LAN object-group bbb_LAN 
access-list inside_access_out extended permit ip object-group _LAN object lePointLAN inactive 
access-list inside_access_out extended permit ip object _UTM any 
access-list inside_access_out extended permit ip object-group DM_INLINE_NETWORK_10 object-group ccc_LAN 
access-list inside_access_out extended permit object-group TCPUDP object-group DNSServers any eq domain 
access-list inside_access_out extended permit tcp host XXX.XXX210.56 host 54. object-group DM_INLINE_TCP_2 
access-list inside_access_out extended deny object-group TCPUDP any any eq domain 
access-list inside_access_out extended permit tcp any any object-group RDP 
access-list inside_access_out extended permit tcp object AntiSpam any eq smtp 
access-list inside_access_out extended permit tcp object AntiSpamVM any eq smtp 
access-list inside_access_out extended permit tcp host XXX.XXX210.58 any eq smtp 
access-list inside_access_out extended deny ip any host 216. 
access-list inside_access_out extended deny ip any host 204. 
access-list inside_access_out extended deny ip any host 216. 
access-list inside_access_out extended permit ip host XXX.XXX10.7 any 
access-list inside_access_out extended permit udp any any eq syslog 
access-list inside_access_out extended permit ip object-group _LAN host XXX.XXX10.17 
access-list inside_access_out extended permit tcp object EX2007 any eq smtp inactive 
access-list inside_access_out extended permit ip XXX.XXX5.0 255.255.255.0 any inactive 
access-list inside_access_out extended deny ip any host 67. 
access-list inside_access_out extended deny ip host XXX.XXX10.24 any 
access-list inside_access_out extended deny tcp any any range 135 netbios-ssn log notifications 
access-list inside_access_out extended deny udp any any range 135 139 
access-list inside_access_out extended deny tcp any any eq 445 
access-list inside_access_out extended deny udp any any eq tftp inactive 
access-list inside_access_out extended deny udp any any eq syslog inactive 
access-list inside_access_out extended permit udp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_1 range snmp snmptrap 
access-list inside_access_out extended deny udp any any range snmp snmptrap 
access-list inside_access_out extended deny tcp any any range 6660 6669 
access-list inside_access_out extended deny tcp any any eq pop3 
access-list inside_access_out extended deny object-group TCPUDP any any eq kerberos 
access-list inside_access_out extended permit object Web8080 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web8000 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web8765 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web8443 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web81 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit tcp XXX.XXX0.0 255.255.0.0 any object-group DM_INLINE_TCP_1 
access-list inside_access_out extended deny tcp any any eq smtp 
access-list inside_access_out extended permit ip XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit ip XXX.XXX4.0 255.255.255.0 any 
access-list inside_access_out extended permit ip object-group _LAN host XXX.XXX210.113 
access-list inside_access_out extended deny ip any any 

!
tcp-map mss-map
!

mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu Management 1500
ip local pool ClientPool XX.XX10.1-XX.XX10.254 mask 255.255.255.0
ip local pool InsidePool XXX.XXX10.200-XXX.XXX10.220 mask 255.255.255.0
ip audit signature 2004 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
icmp permit host 64. outside
asdm image disk1:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static _LAN _LAN destination static bbb_LAN bbb_LAN no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static lePointLAN lePointLAN no-proxy-arp
nat (inside,any) source static obj-XX.XX10.0 obj-XX.XX10.0 destination static bbb_LAN bbb_LAN no-proxy-arp
nat (inside,any) source static bbb_LAN bbb_LAN destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XXX.XXX5.0 obj-XXX.XXX5.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XXX.XXX4.0 obj-XXX.XXX4.0 no-proxy-arp
nat (inside,outside) source static _LAN _LAN destination static ccc_LAN ccc_LAN
nat (inside,outside) source static HOST_CUBE_LOOPBACK HOST_CUBE_LOOPBACK destination static ccc_LAN ccc_LAN
nat (inside,any) source static obj-XXX.XXX0.0 obj-XXX.XXX0.0 destination static obj-XXX.XXX5.0 obj-XXX.XXX5.0 no-proxy-arp
nat (inside,any) source static obj-XXX.XXX0.0 obj-XXX.XXX0.0 destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (SAN,any) source static SAN SAN destination static obj-XXX.XXX4.0 obj-XXX.XXX4.0 no-proxy-arp
!
object network AntiSpam
 nat (inside,any) static 64. service tcp smtp smtp 
object network obj-172.
 nat (inside,outside) static 64. service tcp 3389 3389 
object network obj-172.
 nat (inside,outside) static 64. service tcp https https 
object network obj-172.
 nat (inside,outside) static 64. service tcp 3389 3389 
object network obj-172.
 nat (inside,outside) static interface service tcp 5001 5001 
object network obj-172.
 nat (inside,outside) static interface service udp 5001 5001 
object network obj-172.
 nat (inside,outside) static securemail.law.com
object network Check_PC
 nat (inside,outside) static 64.
object network obj_any
 nat (inside,inside) dynamic 
object network obj_any-01
 nat (inside,outside) dynamic interface
object network obj_any-02
 nat (DMZ,outside) dynamic interface
object network obj-XX.XX1.9
 nat (DMZ,outside) static 64.
object network obj-XX.XX1.6
 nat (DMZ,outside) static 64.
!
nat (inside,outside) after-auto source static obj-172. service http http
access-group SAN_access_in in interface SAN
access-group inside_access_out in interface inside
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface outside
!
route-map vpn-routes permit 10
 match ip address filter-default-static-route
!
route-map vpn-routes permit 20
 match interface outside
 set metric-type type-2
!
!
router ospf 1
 network 172255.255.0.0 area 0
 area 0
 log-adj-changes
 redistribute static metric 10
!
route outside 0.0.0.0 0.0.0.0 64. 1
route inside XXX.XXX0.0 255.255.0.0 XXX.XXX10.5 1
route inside XXX.XXX99.0 255.255.255.252 XXX.XXX10.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 3:00:00 absolute uauth 0:30:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAPMAP
  map-name  sAMAccountName IETF-Radius-Class
  map-value sAMAccountName sAMAccountName Tunnel-Group-Lock
dynamic-access-policy-record DfltAccessPolicy
 description "WebAccess"
 webvpn
  url-list value Intranet
  url-entry enable
aaa-server BA_Auth protocol radius
aaa-server BA_Auth (inside) host 172.
 key *****
aaa-server BA_Auth (inside) host 172.
 key *****
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.
 server-port 636
 ldap-base-dn OU=Users,OU=,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator,cn=users,dc=,dc=net
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAPMAP
aaa-server LDAP (inside) host 172.
 server-port 636
 ldap-base-dn OU=Users,OU=,dc=,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator,cn=users,dc=,dc=net
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAPMAP
user-identity default-domain LOCAL
eou allow none
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication match Outside_authentication_BA_Auth outside BA_Auth
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
aaa authentication secure-http-client
aaa authentication listener http outside port 1080 redirect
aaa authentication listener https outside port 1443 redirect
http server enable

sysopt connection tcpmss 1460

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set ikev1 transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto dynamic-map lePoint 3 match address outside_cryptomap_2
crypto dynamic-map lePoint 3 set pfs 
crypto dynamic-map lePoint 3 set reverse-route
crypto map inside_map 1 match address outside_cryptomap
crypto map inside_map 1 set pfs 
crypto map inside_map 1 set connection-type answer-only
crypto map inside_map 1 set peer 216. 
crypto map inside_map 1 set ikev1 phase1-mode aggressive 
crypto map inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 1 set security-association lifetime seconds 28800
crypto map inside_map 1 set security-association lifetime kilobytes 4608000
crypto map inside_map 1 set reverse-route
crypto map inside_map 2 match address outside_cryptomap_1
crypto map inside_map 2 set pfs 
crypto map inside_map 2 set connection-type answer-only
crypto map inside_map 2 set peer 208. 
crypto map inside_map 2 set ikev1 phase1-mode aggressive 
crypto map inside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 2 set reverse-route
crypto map inside_map 3 ipsec-isakmp dynamic
crypto map inside_map 4 match address outside_cryptomap_3
crypto map inside_map 4 set pfs 
crypto map inside_map 4 set peer 63. 
crypto map inside_map 4 set ikev1 phase1-mode aggressive 
crypto map inside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 4 set reverse-route
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside


crypto isakmp identity address 
crypto isakmp disconnect-notify
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 31
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-delimiter @

!
class-map ipsecpassthru-traffic
 match access-list ipsecpassthru
class-map inspection_default
 match default-inspection-traffic
class-map mss-class
 match access-list mss-list
class-map http-map1
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect ipsec-pass-thru iptmap
 parameters
  esp 
  ah 
policy-map inspection_policy
 class ipsecpassthru-traffic
  inspect ipsec-pass-thru iptmap 
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class inspection_default
  inspect pptp 
  inspect ftp 
  inspect ip-options 
  inspect ipsec-pass-thru 
 class class-default
policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls action log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map mss-class
 class mss-class
  set connection advanced-options mss-map
  inspect ipsec-pass-thru iptmap 
policy-map type inspect ftp Test
 parameters
!
service-policy global_policy global
service-policy mss-class interface outside
smtp-server 

Hi,

The configuration you have provided is the other end's VPN firewall, right? And from your LAN you are trying to access the other LAN using the RA VPN, right?

Also, I do not see the complete configuration; the tunnel-group configuration is missing from it. Please clarify your scenario and I will help you out with this.

Regards

Karthik

Hi,

Your VPN config is purely a site-to-site VPN type, not remote access. Why are you using the VPN client in a site-to-site environment?!

AM
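Both replies point at the same gap: the posted config has the IKEv1 dynamic crypto map bound to the outside interface and an address pool, which are the pieces a VPN client would use, but no tunnel-group of type remote-access appears anywhere in the paste (whether it is missing on the box or only from the paste is what Karthik is asking). The script below is an added example, not part of the thread: it checks an ASA 8.4-style config dump for the prerequisites a Cisco VPN Client (IKEv1 + XAUTH) connection needs, and also lists the weak algorithms the posted config still carries (DES/3DES/MD5 transform sets and IKE policies, aggressive mode on the static maps). AS_POSTED is a constructed trim of the config in the thread; FIXED is a constructed minimal counterpart, and RA_GROUP, RA_POLICY, the pool range and the pre-shared key in it are placeholders.

```python
"""Audit an ASA 8.4-style config dump for IKEv1 remote-access readiness and
weak algorithms.  Added example, not code from the thread.  AS_POSTED is a
constructed trim of the posted config; FIXED is a constructed minimal
counterpart (RA_GROUP, RA_POLICY, pool range and pre-shared key are placeholders)."""
import re
from typing import Dict, List

# What a Cisco VPN Client (IKEv1 + XAUTH) connection needs to find on the ASA.
RA_PREREQS = {
    "crypto ikev1 enable <if>": r"^crypto ikev1 enable \S+",
    "crypto map ... ipsec-isakmp dynamic <dyn-map>": r"^crypto map \S+ \d+ ipsec-isakmp dynamic \S+",
    "crypto map ... interface <if>": r"^crypto map \S+ interface \S+",
    "ip local pool <pool>": r"^ip local pool \S+",
    "tunnel-group <name> type remote-access": r"^tunnel-group \S+ type remote-access",
    "ikev1 pre-shared-key (tunnel-group ipsec-attributes)": r"^\s+ikev1 pre-shared-key \S+",
}
WEAK_ESP = re.compile(r"esp-(des|3des)\b|esp-md5-hmac")
WEAK_IKE = re.compile(r"^\s+(encryption (des|3des)|hash md5)\b")


def audit(cfg: str) -> Dict[str, List[str]]:
    lines = [l.rstrip() for l in cfg.splitlines()]
    out: Dict[str, List[str]] = {"missing": [], "weak": [], "unused_transform_sets": []}

    for label, pat in RA_PREREQS.items():
        if not any(re.match(pat, l) for l in lines):
            out["missing"].append(label)

    # Transform sets: defined vs actually referenced by a (dynamic) crypto map.
    defined, referenced = {}, set()
    for l in lines:
        m = re.match(r"^crypto ipsec ikev1 transform-set (\S+) (esp-\S+ esp-\S+)$", l)
        if m:
            defined[m.group(1)] = m.group(2)
        m = re.match(r"^crypto (?:dynamic-map|map) \S+ \d+ set ikev1 transform-set (.+)$", l)
        if m:
            referenced.update(m.group(1).split())
    for name, alg in defined.items():
        if name not in referenced:
            out["unused_transform_sets"].append(name)
        elif WEAK_ESP.search(alg):
            out["weak"].append(f"transform-set {name} ({alg}) referenced by a crypto map")

    # ISAKMP policies are always offered, so a weak one is always in use.
    policy = None
    for l in lines:
        m = re.match(r"^crypto ikev1 policy (\d+)", l)
        if m:
            policy = m.group(1)
        elif l and not l.startswith(" "):
            policy = None
        elif policy and WEAK_IKE.match(l):
            out["weak"].append(f"ikev1 policy {policy}: {l.strip()}")

    for l in lines:
        if "set ikev1 phase1-mode aggressive" in l:
            out["weak"].append(l.strip() + "  (aggressive mode + PSK: PSK can be guessed offline)")
    return out


AS_POSTED = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto map inside_map 1 set ikev1 phase1-mode aggressive
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
crypto ikev1 policy 31
 authentication pre-share
 encryption 3des
 hash sha
ip local pool ClientPool 10.99.10.1-10.99.10.254 mask 255.255.255.0
"""

FIXED = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
ip local pool ClientPool 10.99.10.1-10.99.10.254 mask 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol ikev1
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool ClientPool
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-GROUP-SECRET
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(name, audit(cfg))
```

The tunnel-group name in FIXED is what the VPN client sends as its group name in the aggressive-mode ID payload, and the `ikev1 pre-shared-key` under `ipsec-attributes` is the group password; without that block the ASA has nothing to match the client's ID against, which is consistent with a Phase 1 that completes the crypto exchange and then never proceeds to XAUTH.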