VPN to ASA from Cisco VPN Client Getting Error

Hi,

I am trying to set up remote access VPNs and am having trouble.  I
used:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_example09186a00806de37e.shtml

as a guide as was recommended by someone in a previous post.

When I connect from the Cisco VPN client I am getting an error:
"Secure VPN Connection terminated locally by client.  Reason 412: The
remote peer is no longer responding."

My network looks like this.

Router-----ASA----LAN

I can see the traffic getting through my router when I attempt to
connect.  The IP I am connecting to is my outside interface's IP on the ASA
and is a public IP.  It is also the IP that is NATed to my mail
server.  Does this cause a problem? (I hope not, because I am out of
IPs and I don't want to have to buy more).

Please find the relevant part of my ASA config below.  Thanks for your
help.

Result of the command: "sh running"

: Saved
:
ASA Version 7.0(5)
!
hostname
domain-name
enable password
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address PUBLIC IP
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address
 management-only
!
passwd SisLvDjB/rijelPS encrypted
banner exec # You are logging into a corporate device.  Unauthorized
access is prohibited.
banner motd # "We are what we repeatedly do.  Excellence, then, is not
an act, but a habit."  - Aristotle #
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns name-server
object-group service NecessaryServices tcp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq smtp
 port-object eq ftp-data
 port-object eq pop3
 port-object eq aol
 port-object eq ftp
 port-object eq https
object-group service UDPServices udp
 port-object eq nameserver
 port-object eq www
 port-object eq isakmp
 port-object eq domain
object-group service TCP-UDPServices tcp-udp
 port-object eq echo
 port-object eq www
 port-object eq domain

pager lines 24
logging enable
logging timestamp
logging list ASALog level notifications
logging monitor notifications
logging trap notifications
logging asdm informational
logging device-id hostname
logging host inside
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool vpnclient 192.168.10.1-192.168.10.254
ip verify reverse-path interface inside
ip verify reverse-path interface outside
asdm image disk0:/asdm505.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 PUBLIC IP PAT netmask 255.255.255.255
nat (inside) 0 access-list 110
nat (inside) 2 PRIVATE IPS
static (inside,outside) PUBLIC IP (outside interface) mailserver
netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ROUTER INSIDE IP
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn PRIVATE IP OF IAS SERVER
 key ****
group-policy vpnUsers internal
group-policy vpnUsers attributes
 banner value You are remotely accessing a corporate network.  Any
unauthorized use is strictly prohibited.
 dns-server value PRIVATE IP OF DNS SERVER
 webvpn
username LOCAL USER ACCOUNT IN CASE IAS IS DOWN
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RemoteVPNSet esp-aes-256 esp-sha-hmac
crypto dynamic-map RemoteVPNDynmap 10 set transform-set RemoteVPNSet
crypto dynamic-map RemoteVPNDynmap 10 set reverse-route
crypto map RemoteVPNMap 10 ipsec-isakmp dynamic RemoteVPNDynmap
crypto map RemoteVPNMap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 2000
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) vpn
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool vpnclient
 authentication-server-group vpn
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map global-policy
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
policy-map global-policy
 class global-policy
  inspect http
  inspect icmp
  inspect ftp
  inspect dns
  inspect esmtp
!
service-policy global_policy global
smtp-server PRIVATE IP MAIL SERVER
Cryptochecksum:e4042ef4dbb31b13906ab838782ba7db
: end


Thanks again for any light you can shed on this.

Posted 10/19/2006 2:11:32 AM in comp.dcom.sys.cisco

Here is the debug output from the Cisco VPN Client when attempting to
connect:

Cisco Systems VPN Client Version 4.6.00.0049
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      13:05:16.656  10/19/06  Sev=Info/4	CM/0x63100002
Begin connection process

2      13:05:16.671  10/19/06  Sev=Info/4	CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      13:05:16.671  10/19/06  Sev=Info/4	CM/0x63100004
Establish secure connection using Ethernet

4      13:05:16.671  10/19/06  Sev=Info/4	CM/0x63100024
Attempt connection with server "OUTSIDE PUBLIC IP OF ASA"

5      13:05:17.671  10/19/06  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with OUTSIDE PUBLIC IP OF ASA

6      13:05:17.687  10/19/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to OUTSIDE PUBLIC IP OF ASA

7      13:05:17.687  10/19/06  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

8      13:05:17.687  10/19/06  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

9      13:05:23.031  10/19/06  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

10     13:05:23.031  10/19/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

11     13:05:28.031  10/19/06  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

12     13:05:28.031  10/19/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

13     13:05:33.031  10/19/06  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

14     13:05:33.031  10/19/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

15     13:05:38.031  10/19/06  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=896EE55DE5545183
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16     13:05:38.531  10/19/06  Sev=Info/4	IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=896EE55DE5545183
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     13:05:38.531  10/19/06  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "66.184.64.14" because of
"DEL_REASON_PEER_NOT_RESPONDING"

18     13:05:38.531  10/19/06  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv

19     13:05:38.546  10/19/06  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

20     13:05:38.562  10/19/06  Sev=Info/4	IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

21     13:05:38.562  10/19/06  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

22     13:05:38.562  10/19/06  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

23     13:05:38.562  10/19/06  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

24     13:05:38.562  10/19/06  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped


The ASA is not responding.  I can see the traffic getting through the
router and I do not see any return traffic getting stopped.  Will the
return traffic be from the same port that the initiation was sent
to?

Please help.  Thanks.


Posted 10/19/2006 5:08:53 PM
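As an added example (not code from this thread), a small Python parser for the VPN Client log above that checks whether the ASA ever answered the Phase 1 Aggressive Mode packet: an all-zero R_Cookie together with the retransmission sequence means no ISAKMP reply reached the client at all, which is a different failure from a proposal or pre-shared-key mismatch (the peer still replies in that case). The first sample is a subset of the posted log with the poster's own placeholder for the peer address; the second is a constructed contrast using a documentation address.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List

# A log record is a header line (seq, time, date, Sev=..., MODULE/0xCODE)
# followed by the message text on the next line(s).
HEADER = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+"
    r"(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$"
)
# R_Cookie stays all zeros until the peer's first ISAKMP reply is processed.
COOKIES = re.compile(r"I_Cookie=(?P<i>[0-9A-Fa-f]+)\s+R_Cookie=(?P<r>[0-9A-Fa-f]+)")
Event = namedtuple("Event", "seq time module code message")

def parse_log(text: str) -> List[Event]:
    # Split raw VPN Client log text into Event records.
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        j, body = i + 1, []
        # The message runs until a blank line or the next header line.
        while j < len(lines) and lines[j].strip() and not HEADER.match(lines[j]):
            body.append(lines[j].strip())
            j += 1
        events.append(Event(int(m["seq"]), m["time"], m["module"],
                            m["code"].upper(), " ".join(body)))
        i = j
    return events

@dataclass
class Phase1Verdict:
    initial_sends: int = 0        # first ISAKMP packet of each attempt
    retransmissions: int = 0      # "(Retransmission)" resends of that packet
    peer_responded: bool = False  # a RECEIVED <<< record or a non-zero R_Cookie
    reason: str = ""              # last "reason = ..." the IKE module logged

def diagnose_phase1(events: List[Event]) -> Phase1Verdict:
    # Decide whether the peer ever answered IKE Phase 1.
    v = Phase1Verdict()
    for e in events:
        if e.module != "IKE":
            continue
        if e.message.startswith("SENDING >>> ISAKMP OAK"):
            if "(Retransmission)" in e.message:
                v.retransmissions += 1
            else:
                v.initial_sends += 1
        elif e.message.startswith("RECEIVED <<<"):
            v.peer_responded = True
        c = COOKIES.search(e.message)
        if c and int(c["r"], 16) != 0:
            v.peer_responded = True
        if "reason = " in e.message:
            v.reason = e.message.split("reason = ")[-1].strip()
    return v

def classify(v: Phase1Verdict) -> str:
    if v.initial_sends == 0:
        return "no-ike-attempt"
    if not v.peer_responded:
        # Nothing came back on UDP/500 at all; a proposal or PSK mismatch still
        # draws a reply, so this points at reachability or at where IKE terminates.
        return "no-phase1-reply"
    return "phase1-reply-then-failed" if v.reason else "phase1-reply-received"

# Constructed sample 1: a subset of the records from the post above, keeping
# the poster's own placeholder for the peer address.
SAMPLE_NO_REPLY = """\
6      13:05:17.687  10/19/06  Sev=Info/4\tIKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to OUTSIDE PUBLIC IP OF ASA

10     13:05:23.031  10/19/06  Sev=Info/4\tIKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

12     13:05:28.031  10/19/06  Sev=Info/4\tIKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

15     13:05:38.031  10/19/06  Sev=Info/4\tIKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=896EE55DE5545183
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Constructed sample 2 (not from the thread): the same exchange when the peer
# does answer. 203.0.113.1 is a documentation address; the event code is illustrative.
SAMPLE_REPLY = """\
6      13:10:02.100  10/19/06  Sev=Info/4\tIKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 203.0.113.1

7      13:10:02.350  10/19/06  Sev=Info/4\tIKE/0x63000014
RECEIVED <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth),
VID(dpd), VID(Nat-T), NAT-D, NAT-D) from 203.0.113.1
"""
```

IKE Phase 1 runs over UDP 500 in both directions (the responder answers from source port 500, and the move to UDP 4500 happens only after NAT-T is negotiated), so a capture on the ASA's outside interface filtered on UDP port 500 shows both whether the request arrived and whether any reply left.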
Is anyone out there who has an opinion?

Please help and thank you.

Posted 10/20/2006 8:22:46 PM

Similar Artilces:

asa 5505 + l2l vpn + cisco client vpn
Hi, I'm trying to replace PIX 506[working ok] with asa 5505. But just after swaping them some of the vpn links doesn't work. I can't ping sites. Cisco vpn client access doesn't work too. I was following few cisco manuals but I can't figure out what is missing in my config. Could you pls have a look at my config maybe sth obvious - I hope so. Many thanks. : Saved : Written by enable_15 at 01:48:02.989 UTC Tue Jan 13 2009 ! ASA Version 8.0(4) ! hostname pb domain-name zzzzzzz enable password zzzzzzzzzzzzzz encrypted passwd zzzzzzzzzzzz encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.254 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address zzzzzzzzzzzzz 255.255.255.240 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name zzzzzz access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0 access-list inside_nat0_outbound ...

cisco asa 8.4 + cisco vpn client
explain that I did not do so. need to arrange a remote connection, for those who do not know, much has changed in 8.4. this configuration of the docks from the site cisco.com hostname(config)# interface ethernet0 hostname(config-if)# ip address 10.10.4.200 255.255.0.0 hostname(config-if)# nameif outside hostname(config-if)# no shutdown hostname(config)# crypto ikev1 policy 1 hostname(config-ikev1-policy)# authentication pre-share hostname(config-ikev1-policy)# encryption 3des hostname(config-ikev1-policy)# hash sha hostname(config-ikev1-policy)# group 2 hostname(config-ikev1-policy)# lifetime 43200 hostname(config)# crypto ikev1 outside hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15 hostname(config)# username testuser password 12345678 hostname(config)# crypto ipsec ikev1 transform set FirstSet esp-3des esp-md5-hmac hostname(config)# tunnel-group testgroup type remote-access hostname(config)# tunnel-group testgroup general-attributes hostname(config-general)# address-pool testpool hostname(config)# tunnel-group testgroup ipsec-attributes hostname(config-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet hostname(config)# crypto dynamic-map dyn1 1 set reverse-route hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1 hostname(config)# crypto map mymap interface outside nat (inside,outside) source static any any destination static 192.168.0.0 192.168.0.0 route-lookup hostname(...

Trying to access the PDM of a Cisco pix over a Remote Access VPN with Cisco VPN Client
I am trying to configure the cisco pix (501) to allow access to the PDM over a Cisco VPN Client IPSEC tunnel. I found a situation for accessing the PDM ove a site-site tunnel but am not able to configure it for remote access VPN http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml I setup VPN by the wizard and enable split tunnel and excempt complete LAN from nat, so not the outside interface ip. Tried with management-access none, inside and outside I am running Cisco PIX Firewall Version 6.3(5) Cisco PIX Device Manager Version 3.0(4)...

Trouble Installing Linux/Cisco VPN Client Has anyone had trouble compiling the linux cisco vpn client? Here is the output of the install script: # uname -rviosm Linux 2.4.22-1.2188.nptl #1
Has anyone had trouble compiling the linux cisco vpn client? Here is the output of the install script: # uname -rviosm Linux 2.4.22-1.2188.nptl #1 Wed Apr 21 20:19:18 EDT 2004 x86_64 x86_64 GNU/Linux ../vpn_install Cisco Systems VPN Client Version 4.0.3 (B) Linux Installer Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved. By installing this product you agree that you have read the license.txt file (The VPN Client license) and will comply with its terms. Directory where binaries will be installed [/usr/local/bin] Automatically start the VPN service at boot time [yes] In order to build the VPN kernel module, you must have the kernel headers for the version of the kernel you are running. For RedHat 6.x users these files are installed in /usr/src/linux by default For RedHat 7.x users these files are installed in /usr/src/linux-2.4 by default For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE by de fault Directory containing linux kernel source code [/lib/modules/2.4.22-1.2188.nptl/b uild] * Binaries will be installed in "/usr/local/bin". * Modules will be installed in "/lib/modules/2.4.22-1.2188.nptl/CiscoVPN". * The VPN service will be started AUTOMATICALLY at boot time. * Kernel source from "/lib/modules/2.4.22-1.2188.nptl/build" will be used to bui ld the module. Is the above correct [y] y Making module In file included from Cniapi.h:15, from linuxcniapi.c:24: GenDefs.h...

Cisco VPN Client vs MS VPN Client
I have to install vpn clients on 6 laptops. They will connect to PIX 515. What is the difference, whether I use Cisco or MS vpn clients ? regards Jarek Carnowski ...

Cisco VPN client OK
Hi, I have my PIX set up allowing VPN clients in. A Cisco VPN client (v4.0.3D) can get in OK but a Checkpoint client (R56 Build 311) can't. The Checkpoint client never appears to hit the outside interface of the PIX as no debug info appears when he tries to connect. I hardly need to deinstall my Cisco client sw beofre firing up the Checkpoint - do I? TIA, Ned ...

Cisco PIX vpn and vpn client
I have cisco pix 501 with IOS 6.3(4). and running Cisco VPN client 4.6.04.config is IPSEC over UDP I have a linksys router behind which the pix sits, I have forwarded UDP port 4500, 500, 10000, 50 to the pix. for some reason the vpn client connects from some internet connections and from some it does not and I do not get any error messages. I have attached the log file from the vpn client, when it was not connecting. Thanks for the help. MC -------------------------------------------------------------------------------------------------------------------------- 1 23:42:27.997 12/14/06 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 71.78.123.220. 2 23:42:28.017 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 71.78.123.220 3 23:42:28.037 12/14/06 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started 4 23:42:28.037 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys 5 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet! 6 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220 7 23:42:38.041 12/14/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet! 8 23:42:38.041 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220 9 23:42:43.048 12/14/06 ...

VPN from Cisco to VPN
Does anyone know how to create a VPN (ANy type) from a Cisco 1601 to a Netscreen 100? Or where to get the information. I have emailed you a stepthrough Dave Sinclair NCSA NetScreen Certified Security Associate NCSI NetScreen Certified Security Instructor Equip Technology.com NetScreen Authrorised Training Centre in the UK ...

Cisco vpn client to Cisco 837 problem
hi, I have trouble to solve this issue and would like to get your help. I try to set up remote access vpn with cisco client software to a cisco 837 vpn server but I can only get the tunnel up but d'ont be able to ping router ethernet interface nor all computer in the LAN site. cisco client 4.0.2b--------Internet--------ADSL_Cisco 837_vpn_server-------LAN_Windows2003_terminal_server Building configuration... Current configuration : 3499 bytes version 12.3 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ho...

Errore in Cisco VPN Client
Buonasera a tutti. Mi trovo con un problema in Cisco VPN Client che si collega ad un PIX 515 e pi=F9 precisamente mi dice: 28 21:05:55.745 07/31/06 Sev=3DWarning/2 CVPND/0xE3400013 AddRoute failed to add a route: code 87 Destination 192.168.0.255 Netmask 255.255.255.255 Gateway 192.168.11.1 Interface 192.168.11.1 29 21:05:55.745 07/31/06 Sev=3DWarning/2 CM/0xA3100024 Unable to add route. Network: c0a800ff, Netmask: ffffffff, Interface: c0a80b01, Gateway: c0a80b01. e logicamente non mi permette di raggiungere nessun host della rete interna. A qualcuno =E8 gi=E0 capitata una ...

Where to get Cisco VPN Client?
It's not available for download at Cisco's site. If you know where it can be downloaded that would be a big help. Thanks. In article <1164352169.439618.256890@m7g2000cwm.googlegroups.com>, gimme_this_gimme_that@yahoo.com wrote: > It's not available for download at Cisco's site. If you know where it > can be downloaded that would be a big help. Thanks. In my experience, you'll have to get your VPN administrator (the purchaser of the server-side Cisco software) to get it for you. ...

Cisco VPN client through a Hotbrick VPN 600/2
Hi, if I set up a VPN using the Cisco client on a PC behind the Hotbrick it's not possible to start a remote desktop session. If I set up a VPN using the Cisco client on a PC NOT behind the Hotbrick it is possible to start a remote desktop session. If I set up a VPN using the Microsoft Windows XP network connection on a PC behind the Hotbrick it is possible to start a remote desktop session. What could be the problem? Why isn't it possible to run a remote desktop session over a Cisco VPN behind the Hotbrick firewall? Thanks, Perry ...

ASA5510 with Cisco VPN client. No traffic over VPN tunnel
Hi all, in the hope that someone sees the error in my config (I'm almost sure it's a config error on my part, but I can't find it). I'm trying to get the Cisco VPN client to work with an ASA 5510. I tried the manual config way and the ASDM way through the wizard. The problem is not that I can't get an IPsec connection; that works. But when the VPN connection is established I can't get any traffic from my VPN client IP segment (172.16.101.0/24) to the internal network (172.16.100.0/24). The logs in the ASDM keep giving me the same error (this is another error, but the error for opening an RDP connection from src to dst is the same):
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group foun...
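Added example (not code from the original post): a small Python triage script for ASDM log lines in the format quoted above. It parses syslog 305005 ("No translation group found") and separates flows from the VPN client pool (172.16.101.0/24) to the inside LAN (172.16.100.0/24), which are the flows a NAT exemption for the pool would have to cover, from any other 305005 hits; the sample lines are constructed from the post, and the interface name Company-lan is taken from its log.

```python
import ipaddress
import re
from collections import Counter

# Address plan quoted in the post; interface names come from its log lines.
VPN_POOL = ipaddress.ip_network("172.16.101.0/24")
INSIDE_LAN = ipaddress.ip_network("172.16.100.0/24")

# Message text of ASA syslog 305005 as shown in the ASDM log viewer.
FLOW_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample: two lines copied from the post plus an RDP flow and an unrelated 302013 line.
SAMPLE_LOG = """\
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:40|305005|172.16.100.10|3389|||No translation group found for tcp src outside:172.16.101.100/50001 dst Company-lan:172.16.100.10/3389
6|May 13 2008|21:09:40|302013|172.16.100.20|80|||Built outbound TCP connection 100 for outside:203.0.113.5/80 to Company-lan:172.16.100.20/51000
"""

def parse_305005(line):
    """Return (proto, src, dst, dport) for a 305005 line, else None."""
    fields = line.split("|")          # sev|date|time|msg-id|src|dport|||text
    if len(fields) < 9 or fields[3] != "305005":
        return None
    m = FLOW_RE.search(fields[8])
    if not m:
        return None
    return (m["proto"], ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))

def missing_vpn_exemptions(log_text):
    """Count 305005 hits keyed by (proto, dst, dport): VPN-pool->inside flows separately from the rest."""
    vpn_hits, other_hits = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_305005(line)
        if parsed is None:
            continue
        proto, src, dst, dport = parsed
        bucket = vpn_hits if src in VPN_POOL and dst in INSIDE_LAN else other_hits
        bucket[(proto, str(dst), dport)] += 1
    return vpn_hits, other_hits

if __name__ == "__main__":
    vpn, other = missing_vpn_exemptions(SAMPLE_LOG)
    for (proto, dst, dport), n in sorted(vpn.items()):
        print(f"{n}x {proto} to {dst}:{dport} from {VPN_POOL}: no NAT exemption")
```

Flows that land in the second counter are real NAT gaps unrelated to the VPN pool and deserve a separate look rather than a blanket exemption.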

Cisco 837 and Cisco VPN client weirdness.. any ideas?
With my current configuration I can VPN connect from anywhere on the web and authenticate as a local user with an 837 router. Once auth'd the VPN client is allocated an IP from the VPN pool. From a VPN-connected laptop I can ping any address on the LAN, and any other machine on the LAN can ping the IP the VPN client has been allocated. However I can't access all resources via all protocols on all machines. This part is inconsistent and has me baffled. E.g. from a VPN client I can mount SMB shares on 192.168.16.250 but I can't see the webserver (:80) on the same IP. From a LAN-connected laptop I can see the webserver running on the VPN client (192.168.17.x:80). However the VPN client can't see a webserver on the same LAN-connected laptop (192.168.16.10:80). This is my first ever contact with Cisco gear, and while I'm quite chuffed with getting as far as I have on setting this box up, I'm now way out of my depth on working out what the problem is. Any suggestions would be greatly appreciated! Client s/w is v4.6 (0045) on Mac OS 10.3.9. sh version reports: IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH4 Router config (security edited) is cut/pasted below: ! version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname xxxx ! logging queue-limit 100 no logging buffered enable secret 5 xxxx ! username xxxx password 7 xxxx username xxxx password 7 xxx...

Cisco VPN Client <-> XP VPN
Hello, I'm a little bit confused about the differences between Microsoft's built-in VPN client (for XP) and Cisco's VPN client. I want to set up a connection to a network using Cisco's client (which I'm using for other networks as well). For the new network, detailed instructions for the XP client are given, but nothing for the Cisco client. I thought - please correct me if I'm wrong - that XP and Cisco both use the L2TP technique, so I should be able to use either client for those connections. But Cisco's client needs much more information than the IP of the...

W2K vpn client to Cisco 3005 VPN concentrator
I've got a project to configure a Cisco 3005 VPN concentrator to allow connections from the W2K built-in VPN client. The concentrator currently has users connecting via the Cisco client using IPsec, and authenticating against an Active Directory server. The way I understand things is, PPTP is supported, but only without encryption when authenticating against Active Directory. And the only other option is L2TP/IPsec, which is mutually exclusive with the IPsec-only that's currently in use. (Have I got this all correct?) So, the only option open here is PPTP without encryption, correct?...

VPN - Cisco IOS <-> VPN Client
Hello everybody, I have tried to set up a VPN connection from Cisco VPN Client to a Cisco Router 2621 (64MB RAM/16MB Flash) with enterprise IOS 12.2. When I map a crypto map to the interface (crypto map CRYPTOMAP to serial 0/0.1), the NAT stops working and I haven't got a remote connection to my router and other services behind the router. When I am on the LAN I am able to connect to the router via ssh. I don't know what is wrong. I have studied Cisco materials and some other configs without any ideas. Would you be so kind and help me with this configuration? Than...

Cisco VPN Client stopping RDP, Citrix working on other VPN
Hi, hope someone can help with this problem. I work for a support company and we have several VPN connections into different customers. These connections are configured on each of the support users' PCs. All worked fine. We have a combination of Citrix, RDP, PCAnywhere and Netmeeting as our remote access clients. We use the standard Microsoft VPN where possible but have also got SonicWall and Netscreen Remote installed. One of our customers has switched from Netscreen Remote to Cisco VPN client (4.8.00.0440) and this works fine after uninstalling the Netscreen Remote. Howev...

Cisco VPN clients unable to connect to 3725 VPN server
I have a 3725 router that is acting as a VPN server as well as performing NAT for the internal network. The VPN is set up to connect to another remote network and to allow clients to connect securely to the router and access the local network. The problem is the client is prompted for the user name and password but it won't establish the connection, so I'm not sure what's missing. Any help would be greatly appreciated. The only error I get is: Jan 18 18:21:06.319: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.16.2.4 Here's the config: ! ! Last configuration change at 13:30:31 PCTime Fri Jan 18 2008 by rsreese ! NVRAM config last updated at 13:30:34 PCTime Fri Jan 18 2008 by rsreese ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname 3725router ! boot-start-marker boot-end-marker ! no logging buffered enable secret 5 $1$BUZ8$sNjxnHHht1NP3co5Vkj2o0 ! aaa new-model ! ! aaa authentication login default local aaa authentication ppp default local aaa authorization exec default local aaa authorization network default local ! aaa session-id common clock timezone PCTime -5 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 no network-clock-participate slot 1 no network-clock-participate slot 2 ip cef ! ! no ip dhcp use vrf connected ip dhcp excluded-address 172.16.2.1 ip dhcp excluded-address 172.16.3.1 ! ip dhcp pool VLAN2clients network 172.1...

ASA 5505 and Cisco Client VPN pass-through
With the old PIX v6 multiple Cisco VPN clients on the inside could not reach a remote host. For example, visitors come to your location where you are using a PIX firewall with VPN and they cannot use Cisco Client to VPN to their home office. Is the ASA 5505 v7.2.3 any better at this? Thanks! -Bob "just bob" <kilbyfan@aoldotcom> wrote in message news:E5mdnfN95J-fGoLVnZ2dnUVZ_vGdnZ2d@supernews.com... > With the old PIX v6 multiple Cisco VPN clients on the inside could not > reach a remote host. For example, visitors come to your location where you > are usin...

Cisco ASA 5520 VPN Client Question
Hello all, I have an ASA 5200 box that I've configured for client VPN connections. I have it set up to hand out DHCP addresses for the network that the box is connected to on the inside. When I connect to the box with the Cisco client software, everything works fine and the box assigns me an IP address from the DHCP pool. Below is what my routes look like after connecting to the ASA 5520: Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.101.253 0.0.0.0 255.255.255.255 UH 0 0 0 eth0...

CISCO VPN client blocks DCOM communication
Hi, I installed the Cisco VPN client on my Windows 2000 Professional edition. After that, the application using DCOM communications is not working any more. I uninstalled the VPN client but afterwards the DCOM application is still not working. Just wondering if you can provide any advice on how to fix that problem. Thanks a lot ...

Vpn site to site + vpn cisco client access list problem.
Hi, I have a problem getting the VPN site-to-site tunnel and the VPN client tunnel to work at the same time. How can I join access lists 80 and 100 so I can add them to "nat (inside) 0 access-list 80"? I have a PIX 501 and a 2620, and the PIX 501 is accessible through Cisco VPN client. The config on the PIX 501: : Written by admin at 15:32:22.817 CEDT Mon Aug 7 2006 PIX Version 6.3(5) interface ethernet0 100full interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password g4JAhKwvQDnczMDZ encrypted passwd g4JAhKwvQDnczMDZ encrypted ...

Can't establish a VPN tunnel between PIX 501 and Cisco VPN Client
As mentioned in the subject, the tunnel won't work: the user authentication via RADIUS grants the user access, but then the client stops with the message: "Secure VPN connection terminated locally by the client. Reason 403: Unable to connect to the security gateway". I added the config of my setup, and the result of "debug crypto isakmp". Software versions: PIX: 6.3.3 VPN Client: 4.0.3 (A) Maybe someone can help. -- Martin PIX - Config: ------------------------- : Saved : PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside securi...

Resources last updated: 3/28/2016 6:58:51 PM