Remote access VPN issues via ASA 9.1.1

Hi,

I'm new to the ASA. I would like to allow 5 clients to establish remote VPN sessions via IPSec RA (not AnyConnect). I initially upgraded to asa913-k8, which seemed to have issues, so I downgraded to asa911-k8.

When I attempt to connect via a Win7 desktop (firewall shut down, MTU set to 1300, no packet loss on in/egress interfaces) running Cisco VPN Client 5.0.07.0440 using (transport) IPSec over UDP or IPSec over TCP, I get the following errors:

IPSec over UDP - ISAKMP OAK AG (retransmission), Reason 412: The remote peer is no longer responding. (Does not present the authentication prompt from the AAA server.)

IPSec over TCP - (immediately presents the login prompt from the server) "REASON_IKE_NEG_FAILED"

I initially used the VPN wizard then decided to use the command line. Any ideas why this is not working would be greatly appreciated. THANKS!!!

xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
names
name 192.168.1.105 Customer-Printer
name 192.168.1.10 CustomerSVR1 description CustomerSVR1
name CustomerIP Outside-Interface-IP
name CustomerGW ISP-Next-Hop-Router
name 192.168.2.0 Customer_Guest_Inside
name 10.10.100.0 VPN_Inside
ip local pool Customer-VPN-Internal 10.10.100.100-10.10.100.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description Customer-LAN
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 description GuestWireless
 switchport access vlan 12
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Outside-Interface-IP 255.255.255.252
!
interface Vlan12
 no forward interface Vlan2
 nameif guestwireless
 security-level 100
 ip address 192.168.2.1 255.255.255.0
boot system disk0:/asa911-k8.bin
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server CustomerSVR1
 domain-name Customer
object network Outside-Interface-IP
 host CustomerIP
object network CustomerSVR1
 host 192.168.1.10
object network Customer_Guest_Inside
 subnet 192.168.2.0 255.255.255.0
object network VPN_Inside
 subnet 10.10.100.0 255.255.255.0
object network obj-192.168.1.19
 subnet 192.168.1.192 255.255.255.192
object network obj-192.168.1.22
 host 192.168.1.22
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group network DNS
 network-object object DNS2
 network-object object DNS1
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object Outside-Interface-IP
 network-object object CustomerSVR1
object-group network All_Inside_Nets
 network-object 192.168.1.0 255.255.255.0
 network-object object Customer_Guest_Inside
 network-object object VPN_Inside
object-group network DM_INLINE_NETWORK_2
 network-object object Outside-Interface-IP
 group-object All_Inside_Nets
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object esp
 protocol-object ah
object-group service DM_INLINE_UDP_1 udp
 port-object eq radius
 port-object eq radius-acct
object-group service DM_INLINE_UDP_2 udp
 port-object eq radius
 port-object eq radius-acct
object-group service udp4500 udp
 port-object eq 4500
 port-object eq isakmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object esp
 protocol-object ah
object-group service DM_INLINE_UDP_3 udp
 port-object eq isakmp
 group-object udp4500
object-group service vpn10000s tcp
 port-object range 10000 10010
object-group service udp10000s udp
 port-object range 10000 10009
access-list inside_access_in extended permit udp object CustomerSVR1 any4 object-group DM_INLINE_UDP_1
access-list inside_access_in extended permit ip any object Outside-Interface-IP
access-list inside_access_in extended deny object-group TCPUDP any4 any4 object-group DenyOut
access-list inside_access_in extended permit tcp object-group All_Inside_Nets any4 eq imap4
access-list inside_access_in extended permit tcp object-group All_Inside_Nets any4 eq pop2
access-list inside_access_in extended permit tcp object-group All_Inside_Nets any4 eq pop3
access-list inside_access_in extended permit tcp object-group All_Inside_Nets any4 eq smtp
access-list inside_access_in extended permit tcp object-group All_Inside_Nets any4 eq https
access-list inside_access_in extended permit object-group TCPUDP object-group All_Inside_Nets any4 eq www
access-list inside_access_in extended permit ip object-group All_Inside_Nets any4
access-list inside_nat0_outbound extended permit ip any4 object VPN_Inside
access-list outside_access_in extended permit udp object-group NIST-NTP any4 eq ntp
access-list outside_access_in remark Migration, ACE (line 2) expanded: permit tcp any4 object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit tcp any4 object CustomerSVR1 eq 3389
access-list outside_access_in extended permit tcp any4 object CustomerSVR1 eq 5050
access-list outside_access_in remark Migration: End of expansion
access-list outside_access_in extended permit tcp any4 object Customer-Cloud-Server object-group SSH-to-CustomerCloud
access-list outside_access_in remark Migration, ACE (line 5) expanded: permit tcp any4 host Outside-Interface-IP
access-list outside_access_in extended permit tcp any4 host 192.168.1.22 eq 9000
access-list outside_access_in extended permit udp any4 any4 object-group DM_INLINE_UDP_2
access-list outside_access_in extended permit tcp any4 object Outside-Interface-IP eq https
access-list outside_access_in extended permit udp any4 object Outside-Interface-IP object-group DM_INLINE_UDP_3
access-list outside_access_in extended permit tcp any4 object Outside-Interface-IP object-group vpn10000s
access-list outside_access_in extended permit udp any4 object Outside-Interface-IP object-group udp10000s
access-list outside_access_in extended permit udp object Outside-Interface-IP any object-group udp10000s
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any4
access-list outside_access_in extended permit tcp object Outside-Interface-IP any object-group vpn10000s
access-list outside_access_in extended deny udp any4 0.0.0.0 0.0.0.0 eq netbios-ns
access-list outside_access_in extended deny udp any4 0.0.0.0 0.0.0.0 eq netbios-dgm
access-list outside_access_in extended deny udp any4 0.0.0.0 0.0.0.0 eq 139
access-list outside_access_in extended deny udp any4 0.0.0.0 0.0.0.0 eq 389
access-list outside_access_in extended deny udp any4 0.0.0.0 0.0.0.0 eq 445
access-list outside_access_in extended deny udp any4 0.0.0.0 0.0.0.0 eq cifs
access-list outside_access_in extended deny udp any4 0.0.0.0 0.0.0.0 eq nfs
access-list outside_access_in extended deny tcp any4 0.0.0.0 0.0.0.0 eq 135
access-list outside_access_in extended deny tcp any4 0.0.0.0 0.0.0.0 eq 137
access-list outside_access_in extended deny tcp any4 0.0.0.0 0.0.0.0 eq 138
access-list outside_access_in extended deny tcp any4 0.0.0.0 0.0.0.0 eq netbios-ssn
access-list outside_access_in extended deny tcp any4 0.0.0.0 0.0.0.0 eq ldap
access-list outside_access_in extended deny tcp any4 0.0.0.0 0.0.0.0 eq 445
access-list outside_access_in extended deny tcp any4 0.0.0.0 0.0.0.0 eq cifs
access-list outside_access_in extended deny tcp any4 0.0.0.0 0.0.0.0 eq nfs
access-list outside_access_in remark Migration: End of expansion
access-list outside_access_in remark Migration: End of expansion
access-list Customer-VPN-LIST extended permit ip 10.10.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Customer-VPN-LIST extended permit ip 192.168.1.0 255.255.255.0 10.10.100.0 255.255.255.0
access-list outside_cryptomap_1.1 extended permit ip 10.10.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT extended permit ip 10.10.100.0 255.255.255.0 any
pager lines 24
logging enable
logging console debugging
logging asdm informational
logging debug-trace
mtu inside 1500
mtu outside 1500
mtu guestwireless 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ISP-Next-Hop-Router 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server CustomerSVR1 protocol nt
aaa-server CustomerSVR1 (inside) host CustomerSVR1
 timeout 40
 nt-auth-domain-controller 192.168.1.10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection preserve-vpn-flows
no service resetoutbound interface inside
no service resetoutbound interface outside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set Customer-VPN-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal Customer-VPN
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map Customer-VPN-DYN-MAP 1 match address outside_cryptomap_1.1
crypto dynamic-map Customer-VPN-DYN-MAP 1 set ikev1 transform-set Customer-VPN-TRANS
crypto dynamic-map Customer-VPN-DYN-MAP 1 set ikev2 ipsec-proposal Customer-VPN
crypto dynamic-map Customer-VPN-DYN-MAP 1 set reverse-route
crypto map Customer-VPN 1 ipsec-isakmp dynamic Customer-VPN-DYN-MAP
crypto map Customer-VPN interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=Customer-ASA
 crl configure
crypto ca trustpool policy
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint0
 (removed)
  quit
crypto isakmp nat-traversal 3600
crypto isakmp disconnect-notify
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity md5
 group 2
 prf md5
 lifetime seconds none
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10001
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime none
telnet timeout 5
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-addr-assign dhcp
vpn-sessiondb max-other-vpn-limit 10
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.10
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 ipsec-udp enable
 default-domain value Customer
 split-tunnel-all-dns enable
 user-authentication enable
 client-bypass-protocol enable
 address-pools value Customer-VPN-Internal
 client-access-rule 1 permit type any version any
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group CustomerSVR1
tunnel-group Customer-VPN type remote-access
tunnel-group Customer-VPN general-attributes
 address-pool (inside) Customer-VPN-Internal
 address-pool Customer-VPN-Internal
 authentication-server-group CustomerSVR1
 authentication-server-group (inside) CustomerSVR1
 authentication-server-group (outside) CustomerSVR1
 dhcp-server CustomerSVR1
tunnel-group Customer-VPN webvpn-attributes
 authentication aaa certificate
tunnel-group Customer-VPN ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 radius-sdi-xauth
tunnel-group Customer-Secure type remote-access
tunnel-group Customer-Secure general-attributes
 address-pool Customer-VPN-Internal
 authentication-server-group CustomerSVR1
 authentication-server-group (inside) CustomerSVR1
 authentication-server-group (outside) CustomerSVR1
 dhcp-server CustomerSVR1
tunnel-group Customer-Secure ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
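Added here as an example, not code from the post or from Cisco: a small Python lint over an ASA running-config that resolves the cross-references an IKEv1 remote-access tunnel depends on (address pool, AAA server group, crypto ACL, transform set, and the interface on which IKEv1 is enabled) and flags the legacy algorithms present in the config above (3DES, MD5, DH group 2). The embedded excerpt is constructed from the post's config, and the checks assume the ASA's one-space indentation of sub-commands.

```python
import re

# Constructed excerpt of the poster's ASA 9.1 running-config; ASA indents sub-commands with one space.
SAMPLE_CONFIG = """\
ip local pool Customer-VPN-Internal 10.10.100.100-10.10.100.200 mask 255.255.255.0
access-list outside_cryptomap_1.1 extended permit ip 10.10.100.0 255.255.255.0 192.168.1.0 255.255.255.0
aaa-server CustomerSVR1 protocol nt
crypto ipsec ikev1 transform-set Customer-VPN-TRANS esp-3des esp-md5-hmac
crypto dynamic-map Customer-VPN-DYN-MAP 1 match address outside_cryptomap_1.1
crypto dynamic-map Customer-VPN-DYN-MAP 1 set ikev1 transform-set Customer-VPN-TRANS
crypto map Customer-VPN 1 ipsec-isakmp dynamic Customer-VPN-DYN-MAP
crypto map Customer-VPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encryption 3des
 hash md5
 group 2
tunnel-group Customer-VPN general-attributes
 address-pool Customer-VPN-Internal
 authentication-server-group CustomerSVR1
tunnel-group Customer-VPN ipsec-attributes
 ikev1 pre-shared-key *****
"""

def _names(lines, pattern):
    """Set of the first capture group of every config line matching pattern."""
    return {m.group(1) for line in lines if (m := re.match(pattern, line))}

# (reference pattern, definition pattern, finding text): every reference must resolve to a definition.
CROSS_REFS = [
    (r" address-pool (?:\(\S+\) )?(\S+)", r"ip local pool (\S+)", "address-pool not defined"),
    (r" authentication-server-group (?:\(\S+\) )?(\S+)", r"aaa-server (\S+) protocol", "aaa-server group not defined"),
    (r"crypto dynamic-map \S+ \d+ match address (\S+)", r"access-list (\S+)", "crypto ACL not defined"),
    (r"crypto dynamic-map \S+ \d+ set ikev1 transform-set (\S+)", r"crypto ipsec ikev1 transform-set (\S+)", "transform-set not defined"),
    (r"crypto map \S+ interface (\S+)", r"crypto ikev1 enable (\S+)", "ikev1 not enabled on crypto map interface"),
]

def lint_ikev1_ra(cfg):
    """Return dangling cross-references and legacy-algorithm findings for an IKEv1 RA VPN config."""
    lines = cfg.splitlines()
    findings = []
    for line in lines:
        for ref, defn, msg in CROSS_REFS:
            if (m := re.match(ref, line)) and m.group(1) not in _names(lines, defn):
                findings.append(f"{msg}: {line.strip()}")
        if re.match(r" (?:encryption (?:des|3des)|hash md5|group [12])\b", line):
            findings.append(f"legacy IKEv1 algorithm: {line.strip()}")
        if re.match(r"crypto ipsec ikev1 transform-set .*(?:esp-des|esp-3des|esp-md5-hmac)", line):
            findings.append(f"legacy IPsec transform: {line.strip()}")
    return findings
```

On the embedded excerpt every reference resolves, so the only findings are the four legacy-algorithm lines; a crypto map bound to an interface without a matching `crypto ikev1 enable` is reported as a dangling reference.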
