Cisco Support Community

New Member

IPSEC VPN help !!!

Hi All

I have ASA 5520 and want to enable IPSEC VPN and want to access it through cisco VPN client.

I have done NAT on the router which is connected to the outside interface of the ASA. I have done a static NAT of the private IP address of the outside interface of the ASA to the public IP, on the router. I am able to ping that public IP from the internet and am also able to access the firewall through ASDM using that public IP.

I have done the configuration using the VPN wizard but somehow I am not able to connect through the VPN client. Please guide me if I have missed something.

Configuration of ASA is attached.

Regards

bsn

15 REPLIES

Re: IPSEC VPN help !!!

no access-list LAN extended permit ip 10.0.0.0 255.0.0.0 any

no access-group LAN in interface LAN

no access-list WAN extended permit ip any 10.0.0.0 255.0.0.0

no access-group WAN in interface WAN

ip local pool VPN-Pool 10.0.5.1-10.0.5.255 mask 255.255.255.0

access-list LAN_nat0_outbound extended permit ip any 10.0.5.0 255.255.255.0

nat (LAN) 0 access-list LAN_nat0_outbound

no access-list cisco_splitTunnelAcl standard permit any

access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

route WAN 10.0.5.0 255.255.255.0 10.0.0.25 1

route WAN 0.0.0.0 0.0.0.0 10.0.0.25 1

route LAN 10.0.0.0 255.0.0.0 10.0.0.1 1

sysopt connection permit-vpn
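An added example, not the OP's attached configuration and not part of the reply above: a complete ASA remote-access IPsec configuration in the pre-8.3 syntax this thread uses, assembled from the pieces the reply lists plus the Phase 1, Phase 2 and tunnel-group settings the VPN wizard generates. The interface names LAN/WAN, the 10.0.5.0/24 pool, the 10.0.0.0/8 inside network and the tunnel-group name cisco are taken from the thread; the transform-set and dynamic-map names, the username and the placeholder secrets are assumptions. It keeps the existing LAN and WAN interface access-lists and relies on sysopt connection permit-vpn so that decrypted VPN traffic bypasses the WAN interface ACL, and it enables NAT-T because the ASA's WAN address is itself behind the router's static NAT.

```cisco
! Added example (ASA 7.2 - 8.2 syntax), not the OP's configuration.
! ASA accepts "!" comment lines in pasted config but not trailing comments,
! so every comment here sits on its own line.
!
! 1. Phase 1 (ISAKMP) on the WAN interface. NAT-T (UDP/4500) is enabled
!    explicitly because the client sees a different peer address than the
!    ASA's own WAN address (the router's static NAT), and the client will
!    choose NAT-T only if the ASA offers it.
crypto isakmp enable WAN
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! 2. Phase 2 transform set and a dynamic crypto map (remote clients have no
!    fixed address), bound to the WAN interface.
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set transform-set RA-TS
crypto map WAN_map 65535 ipsec-isakmp dynamic RA-DYN
crypto map WAN_map interface WAN
!
! 3. Client address pool and NAT exemption, so inside hosts reach the pool
!    without translation. .254 as the last address keeps the broadcast
!    address out of the pool.
ip local pool VPN-Pool 10.0.5.1-10.0.5.254 mask 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.5.0 255.255.255.0
nat (LAN) 0 access-list LAN_nat0_outbound
!
! 4. Group policy: split tunnel only the inside network, allow IPsec over UDP.
access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
group-policy cisco internal
group-policy cisco attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 ipsec-udp enable
!
! 5. Tunnel group. Its name must equal the "Group Name" typed into the
!    client and the pre-shared key is the client's "Group Password";
!    with any other name the session lands in DefaultRAGroup.
!    "type ipsec-ra" is the equivalent keyword on releases before 7.2.
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool VPN-Pool
 default-group-policy cisco
 authentication-server-group LOCAL
tunnel-group cisco ipsec-attributes
 pre-shared-key <long-random-group-psk>
!
! 6. Per-user XAUTH credentials (placeholder user) and the bypass of the
!    WAN interface ACL for decrypted traffic, so the interface access-lists
!    can stay as they are.
username alice password <per-user-password> privilege 0
username alice attributes
 vpn-group-policy cisco
sysopt connection permit-vpn
```

authentication-server-group LOCAL is the default, so it does not appear in show running-config; show running-config all tunnel-group cisco general-attributes prints it. With the router's one-to-one static NAT every port reaches the ASA; if that NAT is ever replaced by port forwarding, UDP/500 and UDP/4500 (and TCP/10000 if crypto isakmp ipsec-over-tcp is used) have to be forwarded to the ASA's WAN address.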

New Member

Re: IPSEC VPN help !!!

If I remove access-lists LAN and WAN, then I will lose my connectivity to the internet from the inside network.

Rest I have configured but no luck.

Regards

bsn

Re: IPSEC VPN help !!!

Could you explain how you checked the VPN?

New Member

Re: IPSEC VPN help !!!

I have Cisco VPN client software version 4.0.01 installed on one of my machines in the remote office.

I tried to access the public IP (NATed to the ASA outside private IP) with the following settings:

group user: cisco

password: cisco

Transport: IPsec over UDP (I have tried IPsec over TCP 10000 as well)

That's all.

Regards

BSN

Re: IPSEC VPN help !!!

OK... then add the following:

crypto isakmp ipsec-over-tcp port 10000

group-policy cisco attributes

ipsec-udp enable

New Member

Re: IPSEC VPN help !!!

I have added this:

crypto isakmp ipsec-over-tcp port 10000

and the rest was already there in the configuration.

Still not able to connect. Can you suggest some debugs?

Regards/bsn

Re: IPSEC VPN help !!!

debug crypto isakmp 10

debug crypto ipsec 10

conf t

logg mon 7

New Member

Re: IPSEC VPN help !!!

The debug is attached. I have replaced the source public IP. In the debug output, I can see there are no hits on group policy cisco; it is hitting the default policy. Please suggest.

Regards/bsn

Re: IPSEC VPN help !!!

tunnel-group cisco general-attributes

authentication-server-group LOCAL

New Member

Re: IPSEC VPN help !!!

I tried, but the command is not executing.

========================================

ASA(config)# tunnel-group cisco general-attributes

ASA(config-tunnel-general)# authentication-server-group LOCAL

ASA(config-tunnel-general)# exi

ASA(config)# sh run | be tunnel-group cisco general-attributes

tunnel-group cisco general-attributes

address-pool VPN-Pool

default-group-policy cisco

tunnel-group cisco ipsec-attributes

pre-shared-key *

==========================================

regards/bsn

Re: IPSEC VPN help !!!

Could you show the running configuration?

New Member

Re: IPSEC VPN help !!!

The show run is attached.

The recent change I made is MD5. Earlier it was SHA:

=================

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5 >>>>>>>>>>>>> It was SHA earlier.

group 2

lifetime 86400

===================
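As an added example (not the OP's configuration and not a reply in this thread), the Phase 1 policy the OP posted beside a hardened policy that can coexist with it. Single DES, MD5 and a group password identical to the group name are the weakest settings the ASA accepts for a pre-shared-key group. The ASA evaluates its policies from the lowest priority number upward and uses the first one the client also proposes, so the strong policy gets the lower number and the weak one is removed once every client has been seen selecting the strong one. The hardened policy assumes the client build in use negotiates AES and DH group 5, which later releases of the legacy Cisco VPN Client do; confirm that against the release notes of the build in use before deleting the old policy. The policy numbers, the username and the placeholder secrets are assumptions.

```cisco
! Added example, not from the thread.
!
! -- As posted: 56-bit DES, MD5 and DH group 2.
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
! -- Hardened policy, evaluated before policy 10 because its number is lower.
!    "sha" on the ASA is SHA-1; group 5 assumes the client supports it.
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
!
! Once "show crypto isakmp sa detail" shows clients using AES-256/SHA/group 5,
! retire the weak policy:
! no crypto isakmp policy 10
!
! The group pre-shared key only identifies the group; each user still
! authenticates with XAUTH credentials that must not equal the group
! password. Replace the cisco/cisco pair with a long random PSK and
! per-user passwords.
tunnel-group cisco ipsec-attributes
 pre-shared-key <long-random-group-psk>
tunnel-group cisco general-attributes
 authentication-server-group LOCAL
username alice password <per-user-password> privilege 0
!
! Verification after a client connects: which Phase 1 policy was agreed,
! and which tunnel group and group policy the session landed in.
show crypto isakmp sa detail
show vpn-sessiondb remote
```

If a client only ever matches policy 10, the debug crypto isakmp output from the earlier reply shows the proposals it sent, which tells you whether the client or the ASA is the side that needs changing.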

New Member

Re: IPSEC VPN help !!!

In the debug I am getting the error messages below:

Jul 02 14:26:12 [IKEv1]: Group = cisco, IP = , Duplicate Phase 1 packet detected. Retransmitting last packet.

Jul 02 14:26:12 [IKEv1]: Group = cisco, IP = , P1 Retransmit msg dispatched to AM FSM

Complete debug output is attached.

rgds/bsn

Re: IPSEC VPN help !!! (Accepted Solution)

try to do this

conf t

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

no crypto map WAN_map interface WAN

crypto map WAN_map interface WAN <- just to be sure that all the changes were applied

and show

debug crypto isa 10

debug crypto ipsec 10

New Member

Re: IPSEC VPN help !!!

I have not made the above changes.

The last change I made was from SHA to MD5 and it clicked.

Thanks a lot for all your help and support.

regards/bsn
