I am very new to Cisco 5505 firewalls and have been trying to troubleshoot a VPN connectivity issue over the past few days. Recently the AT&T router was tested and nothing is being blocked by it. Since I do not know much about the firewall, I am unsure whether there is an issue with the config or the problem lies elsewhere. When I initially logged into the firewall, I noticed that the DMZ interface shows Line down, Link down. The other interfaces, inside and outside, both show up, up. I am not sure whether the DMZ should show down, down or not. I was not the tech that set this firewall up, so checking the config really does not tell me much, as I am unfamiliar with what I am looking at. The config has been posted below. Any help would be greatly appreciated!!
: Saved
:
ASA Version 8.2(5)
!
hostname xxxfw01
domain-name xxxxxx.lcl
enable password zgDyB1JJR5jIt22C encrypted
passwd 5nswNE6Ndj.ogXD4 encrypted
names
name 192.168.1.30 ideacom-adtran-router
name 188.8.131.52 outside-voip
name 10.0.4.0 inside-secondary
name 10.0.0.0 inside-primary
name 184.108.40.206 outside-secondary1
name 220.127.116.11 outside-secondary2
name 18.104.22.168 outside-secondary3
name 22.214.171.124 inside-old
name 126.96.36.199 outside-secondary4
name 188.8.131.52 outside-secondary5
name 184.108.40.206 outside-secondary6
name 220.127.116.11 outside-secondary7
name 18.104.22.168 outside-secondary8
name 22.214.171.124 outside-web-server
name 126.96.36.199 ouside-secondary9
name 188.8.131.52 outside-secondary10
name 184.108.40.206 outside-secondary11
name 220.127.116.11 outside-secondary12
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.11 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 18.104.22.168 255.255.255.192
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.10 255.255.255.0
 ospf cost 10
!
pim accept-register list PIM_ACCPTREG_ACL
banner motd ATTENTION:
banner motd You are about to log into a private network. Unauthorized access is strictly prohibited.
banner motd Any attempts to do so will result in prosecution to the fullest extent of the law.
banner asdm ATTENTION:
banner asdm You are about to log into a private network. Unauthorized access is strictly prohibited.
banner asdm Any attempts to do so will result in prosecution to the fullest extent of the law.
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.2.106
 name-server 10.0.2.57
 domain-name xxxxxxx.lcl
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network outside-ideacom-voip
 network-object host 22.214.171.124
 network-object host 126.96.36.199
 network-object host 188.8.131.52
 network-object host 184.108.40.206
object-group service ideacom-tcp-voip tcp
 port-object range h323 1728
 port-object range sip 5061
object-group service ideacom-udp-voip udp
 port-object range 1024 65535
object-group network outside-secondary-range
 network-object host outside-secondary1
 network-object host outside-secondary2
 network-object host outside-secondary3
 network-object host outside-secondary4
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
access-list PIM_ACCPTREG_ACL extended permit ip 220.127.116.11 255.255.255.192 10.0.1.0 255.255.255.0 inactive
access-list inside_nat_outbound extended permit ip inside-secondary 255.255.255.0 any
access-list outside_access_in extended permit tcp object-group outside-ideacom-voip host ideacom-adtran-router object-group ideacom-tcp-voip inactive
access-list outside_access_in extended permit udp object-group outside-ideacom-voip host ideacom-adtran-router object-group ideacom-udp-voip inactive
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list xxxxxxx-VPN_splitTunnelAcl standard permit inside-primary 255.255.0.0
access-list inside_nat0_outbound extended permit ip inside-primary 255.255.0.0 10.1.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit inside-primary 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN-Pool 10.1.1.1-10.1.1.253 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 2 outside-secondary1-outside-secondary12 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat_outbound norandomseq
nat (inside) 1 inside-primary 255.255.0.0
static (dmz,outside) outside-voip ideacom-adtran-router netmask 255.255.255.255 norandomseq
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
route inside inside-primary 255.255.0.0 10.0.1.10 1
timeout xlate 0:20:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.2.106
 key *****
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http inside-primary 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto ca server
 shutdown
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh inside-primary 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 10
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 22.214.171.124 source outside
ntp server 126.96.36.199 source outside
ntp server 188.8.131.52 source outside
ntp server 10.0.2.106 source inside prefer
ntp server 184.108.40.206 source outside
ntp server 220.127.116.11 source outside
ntp server 18.104.22.168 source outside
ntp server 22.214.171.124 source outside
ntp server 126.96.36.199 source outside
ntp server 188.8.131.52 source outside
ntp server 184.108.40.206 source outside
ntp server 220.127.116.11 source outside
ntp server 18.104.22.168 source outside
ntp server 22.214.171.124 source outside
ntp server 126.96.36.199 source outside
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.0.2.106 10.0.2.56
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value xxxxxxx.lcl
group-policy DfltGrpPolicy attributes
 group-lock value DefaultWEBVPNGroup
group-policy xxxxxxx-VPN internal
group-policy xxxxxxx-VPN attributes
 dns-server value 10.0.2.106 10.0.2.56
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxxxxx-VPN_splitTunnelAcl
 default-domain value hlgroup.lcl
username hlgvpn password GAfBJJMk5EnKUdM+KyBXfQ== nt-encrypted
username hlgvpn attributes
 vpn-group-policy DefaultRAGroup
username admin password tU0js1787OyO3ldQ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group xxxxxxx-VPN type remote-access
tunnel-group xxxxxxx-VPN general-attributes
 address-pool VPN-Pool
 authentication-server-group RADIUS
 default-group-policy xxxxxxx-VPN
 password-management
tunnel-group xxxxxxx-VPN ipsec-attributes
 pre-shared-key *****
tunnel-group xxxxxxx-VPN ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect ils
  inspect ipsec-pass-thru
  inspect mgcp
  inspect pptp
  inspect snmp
  inspect waas
  inspect sip
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email firstname.lastname@example.org
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ca21fc44d2f9d0485564fb474bceeb51
: end
asdm image disk0:/asdm-631.bin
asdm location ideacom-adtran-router 255.255.255.255 inside
asdm location outside-voip 255.255.255.255 inside
asdm location outside-secondary1 255.255.255.255 inside
asdm location inside-secondary 255.255.255.0 inside
asdm location inside-primary 255.255.0.0 inside
asdm location outside-secondary2 255.255.255.255 inside
asdm location outside-secondary3 255.255.255.255 inside
asdm location outside-secondary4 255.255.255.255 inside
asdm location outside-secondary5 255.255.255.255 inside
asdm location outside-secondary6 255.255.255.255 inside
asdm location outside-secondary7 255.255.255.255 inside
asdm location outside-secondary8 255.255.255.255 inside
asdm location outside-web-server 255.255.255.255 inside
asdm location ouside-secondary9 255.255.255.255 inside
asdm location outside-secondary10 255.255.255.255 inside
asdm location outside-secondary11 255.255.255.255 inside
asdm location outside-secondary12 255.255.255.255 inside
no asdm history enable
Has this VPN setup ever worked prior to you taking over? If so, do you know of any changes that have been made to the firewall configuration that could possibly have caused the issue?
Another thing to check out is why the DMZ interface is enabled for VPN.
I suggest making the following change and then testing to see if the VPN comes up:
no crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
If that solves the problem, next I would check your company's security policy to see if it requires a Diffie-Hellman group to be used during phase 2 of the VPN setup.
Please remember to select a correct answer and rate helpful posts
Thank you for your response, Marius. I made the change you suggested and still get the 413 error, User Authentication Failed. I believe the last time this worked was perhaps back in Feb; obviously it does not get used often. There were no changes to the firewall that I am aware of, as I am the only IT person on staff and made no changes. According to the Interface Status page, the DMZ interface shows down, down, so I did not think it was enabled at all.
Try creating a new username (like "vpntest" in the example below) with a known good password and assigning it to the DefaultRAGroup. Then use it to try your login.
username vpntest password <password>
username vpntest attributes
 vpn-group-policy DefaultRAGroup
Check the logs on your RADIUS server to see if there is any indication there to the authentication failure.
Also check the logs on the ASA when you try to connect.
Please remember to select a correct answer and rate helpful posts
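Both suggestions in this thread (swapping the dynamic map bound to outside_map, and testing with a LOCAL user tied to DefaultRAGroup) come down to reading the right lines out of a long running-config. The script below is an added example, not code from either poster or from Cisco. It parses an ASA 8.2-style running-config and prints, per crypto map, which dynamic-map entries and transform sets are bound to which interface, and, per tunnel-group, whether authentication is LOCAL or a AAA server group, which group-policy applies, and which local usernames are tied to that policy. The embedded SAMPLE_CONFIG is a constructed excerpt modelled on the one posted (CORP-VPN stands in for the redacted xxxxxxx-VPN name, password hashes are placeholders). Two assumptions are baked in and labelled in the code: a tunnel-group with no authentication-server-group uses LOCAL, and a bare `set pfs` takes the ASA's default group rather than one you chose.

```python
import re

# Constructed excerpt in the shape of the ASA 8.2(5) config posted above; names and hashes are
# placeholders and CORP-VPN stands in for the redacted xxxxxxx-VPN group.
SAMPLE_CONFIG = """\
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
 group-lock value DefaultWEBVPNGroup
group-policy CORP-VPN attributes
 vpn-tunnel-protocol IPSec
username hlgvpn password REDACTED nt-encrypted
username hlgvpn attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group RADIUS
 default-group-policy CORP-VPN
"""

# Sub-commands to keep: (parent block kind, command) -> (summary table, field)
TARGET = {
    ("gp", "vpn-tunnel-protocol"): ("group_policies", "protocols"),
    ("gp", "group-lock value"): ("group_policies", "group_lock"),
    ("user", "vpn-group-policy"): ("users", "policy"),
    ("tg", "authentication-server-group"): ("tunnel_groups", "auth"),
    ("tg", "default-group-policy"): ("tunnel_groups", "policy"),
}


def parse_asa(text):
    # ASA indents sub-commands with one space; that indent ties them to the parent block.
    s = {"dyn_maps": {}, "crypto_maps": {}, "group_policies": {}, "tunnel_groups": {}, "users": {}}
    block = None  # (kind, name) of the parent block whose sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):
            for (kind, cmd), (table, field) in TARGET.items():
                if block and block[0] == kind and line.startswith(cmd + " "):
                    val = line[len(cmd) + 1:].split()
                    s[table][block[1]][field] = val if field == "protocols" else val[0]
            continue
        block = None
        if m := re.match(r"crypto dynamic-map (\S+) (\d+) set (pfs|transform-set) ?(.*)", line):
            e = s["dyn_maps"].setdefault(m[1], {}).setdefault(m[2], {"pfs": None, "transform_sets": []})
            if m[3] == "pfs":
                e["pfs"] = m[4] or "default"  # assumption: bare 'set pfs' takes the ASA default group
            else:
                e["transform_sets"] = m[4].split()
        elif m := re.match(r"crypto map (\S+) (\d+ ipsec-isakmp dynamic|interface) (\S+)", line):
            cm = s["crypto_maps"].setdefault(m[1], {"interface": None, "dynamic": []})
            if m[2] == "interface":
                cm["interface"] = m[3]
            else:
                cm["dynamic"].append(m[3])
        elif m := re.match(r"group-policy (\S+) attributes", line):
            block = ("gp", m[1])
            s["group_policies"].setdefault(m[1], {})
        elif m := re.match(r"username (\S+) (password|attributes)", line):
            s["users"].setdefault(m[1], {"policy": None})  # None: inherits the tunnel-group policy
            if m[2] == "attributes":
                block = ("user", m[1])
        elif m := re.match(r"tunnel-group (\S+) (\S+)", line):
            s["tunnel_groups"].setdefault(m[1], {"auth": "LOCAL", "policy": None})  # assumption: LOCAL default
            if m[2] == "general-attributes":
                block = ("tg", m[1])
    return s


def report(s):
    # One line per dynamic-map entry and per tunnel-group; no verdicts, just the chain.
    out = []
    for name, cm in s["crypto_maps"].items():
        out.append(f"crypto map {name} on interface {cm['interface']}")
        for dm in cm["dynamic"]:
            for seq, e in s["dyn_maps"].get(dm, {}).items():
                ts = " ".join(e["transform_sets"]) or "NONE (incomplete entry)"
                out.append(f"  dynamic {dm} seq {seq}: pfs={e['pfs']} transform-sets={ts}")
    for name, tg in s["tunnel_groups"].items():
        proto = " ".join(s["group_policies"].get(tg["policy"], {}).get("protocols", ["(inherited)"]))
        out.append(f"tunnel-group {name}: auth={tg['auth']} group-policy={tg['policy']} protocol={proto}")
        if tg["auth"] == "LOCAL":  # only then do 'username' entries decide the login
            users = [u for u, a in s["users"].items() if a["policy"] == tg["policy"]]
            out.append(f"  local users bound to {tg['policy']}: {users or 'none'}")
    for name, gp in s["group_policies"].items():
        if "group_lock" in gp:
            out.append(f"group-policy {name} carries group-lock {gp['group_lock']}")
    return out
```

To use it on the real box, save `show running-config` to a file and call `report(parse_asa(open(path).read()))`; `print("\n".join(...))` gives one line per finding. Against the sample it shows that outside_map and dmz_map are bound to different dynamic maps, that DefaultRAGroup authenticates LOCAL with hlgvpn as its only bound user, and that CORP-VPN goes to RADIUS, which is exactly the split that decides whether a test account or the RADIUS server logs are the place to look next.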
Thank you for the response, Marvin. I have entered what you suggested and get an error response "Invalid input detected at marker" which points to the "v" in vpn-group-policy. Any thoughts? I assumed I should have entered this via CLI; if that is incorrect I can retry where you suggest.
You should be at the CLI in configuration mode and within the config-user submode (based on having entered the
username vpntest attributes
command just prior). The command should work - it's already present in your config above and the command reference confirms it (link).