Guys, I am trying to connect my iPhone 3GS to a Cisco ASA 5500 (which I am using as a VPN server) over a 3G connection, but the problem is that I am unable to establish the VPN. I have gone through the configs many times, which I guess seem to be alright, but I still can't establish a VPN. I am adding my current VPN configs to this thread as I need urgent help. Guys, I am going nuts, kindly help me out. Can someone please look into it? Keep in mind that the ASA is connected to a Check Point firewall, so currently the ASA is just being used as a VPN server.
Thanks in advance, guys.
VPN# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname VPN
names
name XXX abcd
name XXX DNS-Ser
dns-guard
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 100
 ip address XXXX 255.255.255.224
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 ip address XXXX 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit ip any any
pager lines 24
mtu OUTSIDE 1500
ip local pool vpn_pool XXXX mask 255.255.255.255
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE-IN in interface OUTSIDE
access-group INSIDE-OUT out interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 XXXX
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address OUTSIDE-IN
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 10 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server OUTSIDE XXXX asa821-k8.bin
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 wins-server value XXXX
 dns-server value XXXX
 split-tunnel-policy tunnelspecified
 split-dns value msdomain
username test password XXXX encrypted
username test12 password XXXX encrypted
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool iPhones_vpn_pool
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns ABCD
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns ABCD
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
Thanks for your kind reply. Actually, I have edited the config for confidentiality, so it's the same; I forgot to edit all of them, so there is a pool with the name of iphone XXX. Can you please check something else? I really don't know what the problem is.
But can you explain why I should remove, as per your recommendation,
no crypto dynamic-map RA_VPN_MAP 1 match address OUTSIDE-IN
as it's tied to the following access-list:
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit ip any any
access-group OUTSIDE-IN in interface OUTSIDE
Secondly, we are just testing, so the first step is to establish the VPN?
Sorry, I am not too confident on this; can you please explain a bit?
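A consistency check over the configuration as posted, added here as an example and not part of the original thread: it flags a tunnel-group address-pool that has no matching `ip local pool`, and an ACL that is both bound to an interface with `access-group` and used as the dynamic-map `match address`, the two points raised in the discussion. The function name `lint_asa_config` and the check labels are hypothetical, and the sample is constructed from the relevant lines of the post.

```python
import re

# Constructed sample: the relevant lines of the configuration posted above.
SAMPLE_CONFIG = """\
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit ip any any
ip local pool vpn_pool XXXX mask 255.255.255.255
access-group OUTSIDE-IN in interface OUTSIDE
crypto dynamic-map RA_VPN_MAP 1 match address OUTSIDE-IN
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto map RA_VPN 10 ipsec-isakmp dynamic RA_VPN_MAP
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool iPhones_vpn_pool
 default-group-policy RA_VPN_Policy
"""

def lint_asa_config(text):
    """Return (check, detail) findings for an ASA running-config (hypothetical helper)."""
    defined_pools, iface_acls, crypto_acls = set(), set(), {}
    pool_refs = []            # (tunnel-group name, referenced pool name)
    current_group = None      # tunnel-group whose general-attributes we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" "):                      # indented sub-mode command
            m = re.match(r"address-pool (\S+)", line)
            if m and current_group:
                pool_refs.append((current_group, m.group(1)))
            continue
        current_group = None                         # top-level command ends the sub-mode
        if m := re.match(r"ip local pool (\S+)", line):
            defined_pools.add(m.group(1))
        elif m := re.match(r"access-group (\S+) (?:in|out) interface", line):
            iface_acls.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ match address (\S+)", line):
            crypto_acls[m.group(2)] = m.group(1)
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            current_group = m.group(1)
    findings = []
    for group, pool in pool_refs:
        if pool not in defined_pools:
            findings.append(("undefined-pool", f"tunnel-group {group} uses address-pool "
                             f"{pool}; defined pools: {sorted(defined_pools)}"))
    for acl, dmap in crypto_acls.items():
        if acl in iface_acls:
            findings.append(("acl-reused", f"ACL {acl} is an interface access-group "
                             f"and the match address of dynamic-map {dmap}"))
    return findings

if __name__ == "__main__":
    for check, detail in lint_asa_config(SAMPLE_CONFIG):
        print(f"[{check}] {detail}")
```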