Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Remote Access VPN Problem with ASA 5505

After about ~1 year of having the Cisco VPN Client connecting to a ASA 5505 without any problems, suddenly one day it stops working. The client is able to get a connection to the ASA and browse the local network for only about 30 seconds after connection. After that, no access is available to the network behind the ASA. I tried everything that I can think of to try and troubleshoot the problem, but at this point I am just banging my head against a wall. Does anyone know what could cause this?

Here is the running cfg of the ASA

----------------------------------------------------------------------------------------

: Saved

:

ASA Version 8.4(1)

!

hostname NCHCO

enable password xxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxx encrypted

names

name 192.168.2.0 NCHCO description City Offices

name 192.168.2.80 VPN_End

name 192.168.2.70 VPN_Start

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address **.**.***.*** 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa841-k8.bin

ftp mode passive

object network NCHCO

subnet 192.168.2.0 255.255.255.0

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network obj-192.168.2.64

subnet 192.168.2.64 255.255.255.224

object network obj-0.0.0.0

subnet 0.0.0.0 255.255.255.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Webserver

object network FINX

host 192.168.2.11

object service rdp

service tcp source range 1 65535 destination eq 3389

description rdp

access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224

access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224

access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0

access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0

access-list LAN_Access standard permit 192.168.2.0 255.255.255.0

access-list LAN_Access standard permit 0.0.0.0 255.255.255.0

access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

access-list outside_access_in extended permit tcp any object FINX eq 3389

access-list outside_access_in_1 extended permit object rdp any object FINX

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0

nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64

nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64

!

object network obj_any

nat (inside,outside) dynamic interface

object network FINX

nat (inside,outside) static interface service tcp 3389 3389

access-group outside_access_in_1 in interface outside

route outside 0.0.0.0 0.0.0.0 69.61.228.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

network-acl outside_nat0_outbound

webvpn

  svc ask enable default svc

http server enable

http 192.168.1.0 255.255.255.0 inside

http **.**.***.*** 255.255.255.255 outside

http **.**.***.*** 255.255.255.255 outside

http NCHCO 255.255.255.0 inside

http 96.11.251.186 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set l2tp-transform mode transport

crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map dyn-map 10 set pfs group1

crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform

crypto dynamic-map dyn-map 10 set reverse-route

crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 74.219.208.50

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto map vpn-map 1 match address outside_1_cryptomap_1

crypto map vpn-map 1 set pfs group1

crypto map vpn-map 1 set peer 74.219.208.50

crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map

crypto isakmp identity address

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 ipsec-over-tcp port 10000

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto ikev1 policy 15

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 35

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

client-update enable

telnet 192.168.1.0 255.255.255.0 inside

telnet NCHCO 255.255.255.0 inside

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh NCHCO 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.2.150-192.168.2.225 inside

dhcpd dns 216.68.4.10 216.68.5.10 interface inside

dhcpd lease 64000 interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.2.1

vpn-tunnel-protocol ikev1 l2tp-ipsec

default-domain value nchco.local

group-policy DfltGrpPolicy attributes

dns-server value 192.168.2.1

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

password-storage enable

ipsec-udp enable

intercept-dhcp 255.255.255.0 enable

address-pools value VPN_Pool

group-policy NCHCO internal

group-policy NCHCO attributes

dns-server value 192.168.2.1 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value NCHCO_splitTunnelAcl_1

default-domain value NCHCO.local

username admin password LbMiJuAJjDaFb2uw encrypted privilege 15

username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15

username NCHvpn99 password dhn.JzttvRmMbHsP encrypted

tunnel-group DefaultRAGroup general-attributes

address-pool (inside) VPN_Pool

address-pool VPN_Pool

authentication-server-group (inside) LOCAL

authentication-server-group (outside) LOCAL

authorization-server-group LOCAL

authorization-server-group (inside) LOCAL

authorization-server-group (outside) LOCAL

default-group-policy DefaultRAGroup

strip-realm

strip-group

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

peer-id-validate nocheck

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

no authentication ms-chap-v1

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup ppp-attributes

authentication pap

authentication ms-chap-v2

tunnel-group 74.219.208.50 type ipsec-l2l

tunnel-group 74.219.208.50 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group NCHCO type remote-access

tunnel-group NCHCO general-attributes

address-pool VPN_Pool

default-group-policy NCHCO

tunnel-group NCHCO ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:a2110206e1af06974c858fb40c6de2fc

: end

asdm image disk0:/asdm-649.bin

asdm location VPN_Start 255.255.255.255 inside

asdm location VPN_End 255.255.255.255 inside

no asdm history enable

---------------------------------------------------------------------------------------------------------------

And here is the logs from the Cisco VPN Client when it browses, then fails to browse the network behind the ASA:

---------------------------------------------------------------------------------------------------------------

Cisco Systems VPN Client Version 5.0.07.0440

Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.1.7601 Service Pack 1

Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1      09:44:55.677  10/01/13  Sev=Info/6    CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

2      09:44:55.677  10/01/13  Sev=Info/6    CERT/0x63600027

Found a Certificate using Serial Hash.

3      09:44:55.693  10/01/13  Sev=Info/6    GUI/0x63B00011

Reloaded the Certificates in all Certificate Stores successfully.

4      09:45:02.802  10/01/13  Sev=Info/4    CM/0x63100002

Begin connection process

5      09:45:02.802  10/01/13  Sev=Info/4    CM/0x63100004

Establish secure connection

6      09:45:02.802  10/01/13  Sev=Info/4    CM/0x63100024

Attempt connection with server "**.**.***.***"

7      09:45:02.802  10/01/13  Sev=Info/6    IKE/0x6300003B

Attempting to establish a connection with **.**.***.***.

8      09:45:02.818  10/01/13  Sev=Info/4    IKE/0x63000001

Starting IKE Phase 1 Negotiation

9      09:45:02.865  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***

10     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = **.**.***.***

11     09:45:02.896  10/01/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***

12     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001

Peer is a Cisco-Unity compliant peer

13     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001

Peer supports XAUTH

14     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001

Peer supports DPD

15     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001

Peer supports NAT-T

16     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001

Peer supports IKE fragmentation payloads

17     09:45:02.927  10/01/13  Sev=Info/6    IKE/0x63000001

IOS Vendor ID Contruction successful

18     09:45:02.927  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***

19     09:45:02.927  10/01/13  Sev=Info/4    IKE/0x63000083

IKE Port in use - Local Port =  0xDD3B, Remote Port = 0x01F4

20     09:45:02.927  10/01/13  Sev=Info/5    IKE/0x63000072

Automatic NAT Detection Status:

   Remote end is NOT behind a NAT device

   This   end is NOT behind a NAT device

21     09:45:02.927  10/01/13  Sev=Info/4    CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

22     09:45:02.943  10/01/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = **.**.***.***

23     09:45:02.943  10/01/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***

24     09:45:02.943  10/01/13  Sev=Info/4    CM/0x63100015

Launch xAuth application

25     09:45:03.037  10/01/13  Sev=Info/6    GUI/0x63B00012

Authentication request attributes is 6h.

26     09:45:03.037  10/01/13  Sev=Info/4    CM/0x63100017

xAuth application returned

27     09:45:03.037  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***

28     09:45:03.037  10/01/13  Sev=Info/4    IPSEC/0x63700008

IPSec driver successfully started

29     09:45:03.037  10/01/13  Sev=Info/4    IPSEC/0x63700014

Deleted all keys

30     09:45:03.083  10/01/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = **.**.***.***

31     09:45:03.083  10/01/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***

32     09:45:03.083  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***

33     09:45:03.083  10/01/13  Sev=Info/4    CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

34     09:45:03.083  10/01/13  Sev=Info/5    IKE/0x6300005E

Client sending a firewall request to concentrator

35     09:45:03.083  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***

36     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = **.**.***.***

37     09:45:03.146  10/01/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***

38     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70

39     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

40     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1

41     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8

42     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001

43     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

44     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000F

SPLIT_NET #1

    subnet = 192.168.2.0

    mask = 255.255.255.0

    protocol = 0

    src port = 0

    dest port=0

45     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local

46     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710

47     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

48     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11

49     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

50     09:45:03.146  10/01/13  Sev=Info/4    CM/0x63100019

Mode Config data received

51     09:45:03.146  10/01/13  Sev=Info/4    IKE/0x63000056

Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0

52     09:45:03.146  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***

53     09:45:03.177  10/01/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = **.**.***.***

54     09:45:03.177  10/01/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***

55     09:45:03.177  10/01/13  Sev=Info/5    IKE/0x63000045

RESPONDER-LIFETIME notify has value of 86400 seconds

56     09:45:03.177  10/01/13  Sev=Info/5    IKE/0x63000047

This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

57     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = **.**.***.***

58     09:45:03.193  10/01/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***

59     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x63000045

RESPONDER-LIFETIME notify has value of 28800 seconds

60     09:45:03.193  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH) to **.**.***.***

61     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x63000059

Loading IPsec SA (MsgID=967A3C93 OUTBOUND SPI = 0xAAAF4C1C INBOUND SPI = 0x3EBEBFC5)

62     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x63000025

Loaded OUTBOUND ESP SPI: 0xAAAF4C1C

63     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x63000026

Loaded INBOUND ESP SPI: 0x3EBEBFC5

64     09:45:03.193  10/01/13  Sev=Info/5    CVPND/0x63400013

    Destination           Netmask           Gateway         Interface   Metric

        0.0.0.0           0.0.0.0       96.11.251.1     96.11.251.149      261

    96.11.251.0     255.255.255.0     96.11.251.149     96.11.251.149      261

  96.11.251.149   255.255.255.255     96.11.251.149     96.11.251.149      261

  96.11.251.255   255.255.255.255     96.11.251.149     96.11.251.149      261

      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306

      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306

127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306

    192.168.1.0     255.255.255.0       192.168.1.3       192.168.1.3      261

    192.168.1.3   255.255.255.255       192.168.1.3       192.168.1.3      261

  192.168.1.255   255.255.255.255       192.168.1.3       192.168.1.3      261

      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306

      224.0.0.0         240.0.0.0     96.11.251.149     96.11.251.149      261

      224.0.0.0         240.0.0.0       192.168.1.3       192.168.1.3      261

255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306

255.255.255.255   255.255.255.255     96.11.251.149     96.11.251.149      261

255.255.255.255   255.255.255.255       192.168.1.3       192.168.1.3      261

65     09:45:03.521  10/01/13  Sev=Info/6    CVPND/0x63400001

Launch VAInst64 to control IPSec Virtual Adapter

66     09:45:03.896  10/01/13  Sev=Info/4    CM/0x63100034

The Virtual Adapter was enabled:

    IP=192.168.2.70/255.255.255.0

    DNS=192.168.2.1,8.8.8.8

    WINS=0.0.0.0,0.0.0.0

    Domain=NCHCO.local

    Split DNS Names=

67     09:45:03.912  10/01/13  Sev=Info/5    CVPND/0x63400013

    Destination           Netmask           Gateway         Interface   Metric

        0.0.0.0           0.0.0.0       96.11.251.1     96.11.251.149      261

    96.11.251.0     255.255.255.0     96.11.251.149     96.11.251.149      261

  96.11.251.149   255.255.255.255     96.11.251.149     96.11.251.149      261

  96.11.251.255   255.255.255.255     96.11.251.149     96.11.251.149      261

      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306

      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306

127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306

    192.168.1.0     255.255.255.0       192.168.1.3       192.168.1.3      261

    192.168.1.3   255.255.255.255       192.168.1.3       192.168.1.3      261

  192.168.1.255   255.255.255.255       192.168.1.3       192.168.1.3      261

      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306

      224.0.0.0         240.0.0.0     96.11.251.149     96.11.251.149      261

      224.0.0.0         240.0.0.0       192.168.1.3       192.168.1.3      261

      224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      261

255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306

255.255.255.255   255.255.255.255     96.11.251.149     96.11.251.149      261

255.255.255.255   255.255.255.255       192.168.1.3       192.168.1.3      261

255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      261

68     09:45:07.912  10/01/13  Sev=Info/4    CM/0x63100038

Successfully saved route changes to file.

69     09:45:07.912  10/01/13  Sev=Info/5    CVPND/0x63400013

    Destination           Netmask           Gateway         Interface   Metric

        0.0.0.0           0.0.0.0       96.11.251.1     96.11.251.149      261

  **.**.***.***   255.255.255.255       96.11.251.1     96.11.251.149      100

    96.11.251.0     255.255.255.0     96.11.251.149     96.11.251.149      261

  96.11.251.149   255.255.255.255     96.11.251.149     96.11.251.149      261

  96.11.251.255   255.255.255.255     96.11.251.149     96.11.251.149      261

      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306

      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306

127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306

    192.168.1.0     255.255.255.0       192.168.1.3       192.168.1.3      261

    192.168.1.3   255.255.255.255       192.168.1.3       192.168.1.3      261

  192.168.1.255   255.255.255.255       192.168.1.3       192.168.1.3      261

    192.168.2.0     255.255.255.0      192.168.2.70      192.168.2.70      261

    192.168.2.0     255.255.255.0       192.168.2.1      192.168.2.70      100

   192.168.2.70   255.255.255.255      192.168.2.70      192.168.2.70      261

  192.168.2.255   255.255.255.255      192.168.2.70      192.168.2.70      261

      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306

      224.0.0.0         240.0.0.0     96.11.251.149     96.11.251.149      261

      224.0.0.0         240.0.0.0       192.168.1.3       192.168.1.3      261

      224.0.0.0         240.0.0.0      192.168.2.70      192.168.2.70      261

255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306

255.255.255.255   255.255.255.255     96.11.251.149     96.11.251.149      261

255.255.255.255   255.255.255.255       192.168.1.3       192.168.1.3      261

255.255.255.255   255.255.255.255      192.168.2.70      192.168.2.70      261

70     09:45:07.912  10/01/13  Sev=Info/6    CM/0x63100036

The routing table was updated for the Virtual Adapter

71     09:45:07.912  10/01/13  Sev=Info/4    CM/0x6310001A

One secure connection established

72     09:45:07.943  10/01/13  Sev=Info/4    CM/0x6310003B

Address watch added for 96.11.251.149.  Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.

73     09:45:07.943  10/01/13  Sev=Info/4    CM/0x6310003B

Address watch added for 192.168.2.70.  Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.

74     09:45:07.943  10/01/13  Sev=Info/5    CM/0x63100001

Did not find the Smartcard to watch for removal

75     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x63700014

Deleted all keys

76     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x63700010

Created a new key structure

77     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x6370000F

Added key with SPI=0x1c4cafaa into key list

78     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x63700010

Created a new key structure

79     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x6370000F

Added key with SPI=0xc5bfbe3e into key list

80     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x6370002F

Assigned VA private interface addr 192.168.2.70

81     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x63700037

Configure public interface: 96.11.251.149. SG: **.**.***.***

82     09:45:07.943  10/01/13  Sev=Info/6    CM/0x63100046

Set tunnel established flag in registry to 1.

83     09:45:13.459  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***

84     09:45:13.459  10/01/13  Sev=Info/6    IKE/0x6300003D

Sending DPD request to **.**.***.***, our seq# = 107205276

85     09:45:13.474  10/01/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = **.**.***.***

86     09:45:13.474  10/01/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***

87     09:45:13.474  10/01/13  Sev=Info/5    IKE/0x63000040

Received DPD ACK from **.**.***.***, seq# received = 107205276, seq# expected = 107205276

88     09:45:15.959  10/01/13  Sev=Info/4    IPSEC/0x63700019

Activate outbound key with SPI=0x1c4cafaa for inbound key with SPI=0xc5bfbe3e

89     09:46:00.947  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***

90     09:46:00.947  10/01/13  Sev=Info/6    IKE/0x6300003D

Sending DPD request to **.**.***.***, our seq# = 107205277

91     09:46:01.529  10/01/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = **.**.***.***

92     09:46:01.529  10/01/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***

93     09:46:01.529  10/01/13  Sev=Info/5    IKE/0x63000040

Received DPD ACK from **.**.***.***, seq# received = 107205277, seq# expected = 107205277

94     09:46:11.952  10/01/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***

95     09:46:11.952  10/01/13  Sev=Info/6    IKE/0x6300003D

Sending DPD request to **.**.***.***, our seq# = 107205278

96     09:46:11.979  10/01/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = **.**.***.***

97     09:46:11.979  10/01/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***

98     09:46:11.979  10/01/13  Sev=Info/5    IKE/0x63000040

Received DPD ACK from **.**.***.***, seq# received = 107205278, seq# expected = 107205278

---------------------------------------------------------------------------------------------------------------

Any help would be appreciated, thanks!

  • VPN
Everyone's tags (3)
3 ACCEPTED SOLUTIONS

Accepted Solutions
New Member

Remote Access VPN Problem with ASA 5505

try putting you deny ACL (access-list AnyConnect_Client_Local_Print extended deny ip any any) at the end of the ACL list.

Cisco Employee

Remote Access VPN Problem with ASA 5505

Hi Matthew,

You use a VPN pool from the same subnet of the inside subnet (192.168.2.70 -192.168.2.80). This could lead to some unexpected behaviours. So i suggest that you use a unique pool and rely on routing to achieve communication between the inside subnet and the pool .

One question here, when the problem happens (after 30 seconds), is the tunnel kept up or you see the VPN client disconnected ?

The following troubleshooting will clarify the situation more :

  -  set the following captures:

       capture capin interface inside match ip host  < IP Assigned to the VPN client>   host 

      if you cannot know the IP assigned to the client, use 192.168.2.0 255.255.255.0

   - connect from your VPN client

   - initiate a continous ping to the internal IP (set in the capture) 

   - get the output of "show cap capin" from the ASA

   - get the outputs from the ASA :

      show crypto isakmp sa

      show crypto ipsec sa

  when the  problem starts:

   - "clear cap capin"

  - wait for seconds, and get the capture again: show cap capin

   - get the ASP drop captures

   cap asp type asp-drop all

   show cap asp

Hope this helps

------------
Mashal Shboul

------------------ Mashal Shboul
Cisco Employee

Re: Remote Access VPN Problem with ASA 5505

Ok, i got them.

i will communicate with you via email.

------------------
Mashal Shboul

------------------ Mashal Shboul
20 REPLIES
New Member

Remote Access VPN Problem with ASA 5505

try putting you deny ACL (access-list AnyConnect_Client_Local_Print extended deny ip any any) at the end of the ACL list.

Cisco Employee

Remote Access VPN Problem with ASA 5505

Hi Matthew,

You use a VPN pool from the same subnet of the inside subnet (192.168.2.70 -192.168.2.80). This could lead to some unexpected behaviours. So i suggest that you use a unique pool and rely on routing to achieve communication between the inside subnet and the pool .

One question here, when the problem happens (after 30 seconds), is the tunnel kept up or you see the VPN client disconnected ?

The following troubleshooting will clarify the situation more :

  -  set the following captures:

       capture capin interface inside match ip host  < IP Assigned to the VPN client>   host 

      if you cannot know the IP assigned to the client, use 192.168.2.0 255.255.255.0

   - connect from your VPN client

   - initiate a continous ping to the internal IP (set in the capture) 

   - get the output of "show cap capin" from the ASA

   - get the outputs from the ASA :

      show crypto isakmp sa

      show crypto ipsec sa

  when the  problem starts:

   - "clear cap capin"

  - wait for seconds, and get the capture again: show cap capin

   - get the ASP drop captures

   cap asp type asp-drop all

   show cap asp

Hope this helps

------------
Mashal Shboul

------------------ Mashal Shboul
New Member

Re: Remote Access VPN Problem with ASA 5505

After the problem happens, the tunnel is kept up (the VPN client does not disconnect). All that changes is that the local network can no longer be accessed.

Attached is the capture you requested. From the VPN client to the server they access. I ran a continuous ping until it stopped responding, then stopped the captured and saved it. Let me know if that is what you needed.

Thanks so much for the replies!

Matthew

Cisco Employee

Re: Remote Access VPN Problem with ASA 5505

Matthew,

The captures you attached show normal traffic exchange for some period of time. However, the captures alone cannot point to the problem.

let's do the following when the problem is happening:

   - connect from your VPN client

  - initiate a continous ping to the internal IP.

  Wait until the problem starts:

  -  run: "clear crypto ipsec sa counters"

  - wait for some seconds then get the following outputs from the ASA :

      show crypto isakmp sa

      show crypto ipsec sa

- set the captures:

       capture capin interface  inside match ip host  < IP Assigned to the VPN client>   host  

    - get the ASP drop captures as following:

   cap asp type asp-drop all

   show cap asp

Is it possible that you use a VPN pool different from the inside network range ?

Regards.
Mashal Shboul

------------------ Mashal Shboul
New Member

Re: Remote Access VPN Problem with ASA 5505

Thanks for your quick reply!

I did exactly as you requested, and the results are attached.

As far as using a different set of IP addresses for the VPN pool, I have no problems with that at all, but would not know what to do to set up the routing so that the pool can access the internal network (I am not that familiar with Cisco CLI).

Thanks,

Matthew

Cisco Employee

Re: Remote Access VPN Problem with ASA 5505

Hi Matthew,

The SAs output shows that when the problem is happening, decaps are incresaing but no encaps, which indicates that the problem is in returning traffic from the internal hosts to the VPN pool. I didn't see any packets in the inside captures (capin), so based on that i assume that the arp consistency fails at some time from the internal hosts to the ASA.

I suggest that you get rid of this troublesome setup by using a distinct VPN pool. This change should be straighforward:

For example:

asa(config)# ip local pool NEW_POOL  192.168.3.1-192.168.3.254  255.255.255.0

tunnel-group NCHCO general-attributes

address-pool NEW_POOL

You don't need to change routing in the internal subnet as long as it uses the ASA as a default gateway, otherwise you will need to add a specific route toward the new pool with the ASA as next-hop.

If you want to continue troublehsooting the current setup, you need to focus on captures at the inside host, ARP entries at the inside hosts, ARP debugs at the ASA, and captures at the ASA.

Hope this helps

------------------
Mashal Shboul

------------------ Mashal Shboul
New Member

Re: Remote Access VPN Problem with ASA 5505

I made the change that you requested by moving the VPN pool to the 192.168.3.0 network. Unfortunately, now traffic isn't flowing to the inside network at all. I was going to make a specific route as you suggested, but as far as I can see the routes are already being created correctly on the VPN client's end.

Here is the route print off of the computer behind the (test) client:

===========================================================================

Interface List

21...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows

10...00 15 5d 01 02 01 ......Microsoft Hyper-V Network Adapter

15...00 15 5d 01 02 02 ......Microsoft Hyper-V Network Adapter #2

  1...........................Software Loopback Interface 1

13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter

11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter

16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2

23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

===========================================================================

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      96.11.251.1    96.11.251.149    261

    69.61.228.178  255.255.255.255      96.11.251.1    96.11.251.149    100

      96.11.251.0    255.255.255.0         On-link     96.11.251.149    261

    96.11.251.149  255.255.255.255         On-link     96.11.251.149    261

    96.11.251.255  255.255.255.255         On-link     96.11.251.149    261

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

      192.168.1.0    255.255.255.0         On-link       192.168.1.3    261

      192.168.1.3  255.255.255.255         On-link       192.168.1.3    261

    192.168.1.255  255.255.255.255         On-link       192.168.1.3    261

      192.168.2.0    255.255.255.0      192.168.3.1     192.168.3.70    100

      192.168.3.0    255.255.255.0         On-link      192.168.3.70    261

     192.168.3.70  255.255.255.255         On-link      192.168.3.70    261

    192.168.3.255  255.255.255.255         On-link      192.168.3.70    261

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link       192.168.1.3    261

        224.0.0.0        240.0.0.0         On-link     96.11.251.149    261

        224.0.0.0        240.0.0.0         On-link      192.168.3.70    261

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link       192.168.1.3    261

  255.255.255.255  255.255.255.255         On-link     96.11.251.149    261

  255.255.255.255  255.255.255.255         On-link      192.168.3.70    261

===========================================================================

Persistent Routes:

  Network Address          Netmask  Gateway Address  Metric

          0.0.0.0          0.0.0.0      96.11.251.1  Default

===========================================================================

IPv6 Route Table

===========================================================================

Active Routes:

If Metric Network Destination      Gateway

14   1020 ::/0                     2002:c058:6301::c058:6301

14   1020 ::/0                     2002:c058:6301::1

  1    306 ::1/128                  On-link

14   1005 2002::/16                On-link

14    261 2002:600b:fb95::600b:fb95/128

                                    On-link

15    261 fe80::/64                On-link

10    261 fe80::/64                On-link

21    261 fe80::/64                On-link

10    261 fe80::64ae:bae7:3dc0:c8c4/128

                                    On-link

21    261 fe80::e9f7:e24:3147:bd/128

                                    On-link

15    261 fe80::f116:2dfd:1771:125a/128

                                    On-link

  1    306 ff00::/8                 On-link

15    261 ff00::/8                 On-link

10    261 ff00::/8                 On-link

21    261 ff00::/8                 On-link

===========================================================================

Persistent Routes:

  None

---------------------------------------------------------------------------------------------------------------------------------------------------------------

And here is the updated running config in case you need it:

: Saved
:
ASA Version 8.4(1) 
!
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.61.228.178 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO 
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0 
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64 
 subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0 
 subnet 0.0.0.0 255.255.255.0
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network Webserver 
object network FINX 
 host 192.168.2.11
object service rdp 
 service tcp source range 1 65535 destination eq 3389 
 description rdp  
object network obj-192.168.3.0 
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.2.0 
 subnet 192.168.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0 
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224 
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0 
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0 
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0 
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0 
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0 
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns 
access-list AnyConnect_Client_Local_Print extended deny ip any any 
access-list outside_access_in extended permit tcp any object FINX eq 3389 
access-list outside_access_in_1 extended permit object rdp any object FINX 
access-list outside_specific_blocks extended deny ip host 121.168.66.35 any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
ip local pool VPN_Split_Pool 192.168.3.70-192.168.3.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
!
object network obj_any
 nat (inside,outside) dynamic interface
object network FINX
 nat (inside,outside) static interface service tcp 3389 3389 
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl outside_nat0_outbound
 webvpn
  svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50 
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50 
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address 
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000 
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 35
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh 96.11.251.186 255.255.255.255 outside
ssh timeout 5
console timeout 0

dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 default-domain value nchco.local
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 password-storage enable
 ipsec-udp enable
 intercept-dhcp 255.255.255.0 enable
 address-pools value VPN_Split_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
 dns-server value 192.168.2.1 8.8.8.8
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NCHCO_splitTunnelAcl_1
 default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) VPN_Pool
 address-pool VPN_Split_Pool
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy DefaultRAGroup
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
 address-pool VPN_Split_Pool
 default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9e8466cd318c0bd35bc660fa65ba7a03
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable

Thanks again for your help,

Matthew

Cisco Employee

Re: Remote Access VPN Problem with ASA 5505

You need to add nat-exempt rule for the new VPN pool:

object network obj-192.168.3.0

   subnet 192.168.3.0 255.255.255.0

nat (inside,outside) source static NCHCO NCHCO destination static obj-192.168.3.0 obj-192.168.3.0

let me know how it goes with you.

--------
Mashal Shboul

------------------ Mashal Shboul
New Member

Re: Remote Access VPN Problem with ASA 5505

I did as you suggested above, but the traffic is still not getting to the 192.168.2.0 network. In trying to diagnose, I saw that the traffic was bypassing the tunnel in the VPN client (the packet count under Tunnel Details in VPN Client statistics show packets as bypassing). The VPN is set up as split tunneling, so I tried adding the 192.168.3.0 network to the ACL that specifies networks to tunnel but it did not make a difference. Any idea what would cause that?

Thanks once again,

Matt

2400
Views
0
Helpful
20
Replies