VPN to ASA from Cisco VPN Client Getting Error

Discussion in 'Cisco' started by K.J. 44, Oct 19, 2006.

  1. K.J. 44

    K.J. 44 Guest

    Hi,

    I am trying to set up remote access VPNs and am having trouble. I
    used:

    http://www.cisco.com/en/US/products...s_configuration_example09186a00806de37e.shtml

    as a guide as was recommended by someone in a previous post.

    When I connect from the Cisco VPN client I am getting an error:
    "Secure VPN Connection terminated locally by client. Reason 412: The
    remote peer is no longer responding."

    My network looks like this.

    Router-----ASA----LAN

    I can see the traffic getting through my router when I attempt to
    connect. The IP I am connecting to is my outside interface's IP on the ASA
    and is a public IP. It is also the IP that is NAT'ed to my mail
    server. Does this cause a problem? (I hope not because I am out of
    IPs and I don't want to have to buy more).

    Please find the relevant part of my ASA config below. Thanks for your
    help.

    Result of the command: "sh running"

    : Saved
    :
    ASA Version 7.0(5)
    !
    hostname
    domain-name
    enable password
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address PUBLIC IP
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    ip address
    management-only
    !
    passwd SisLvDjB/rijelPS encrypted
    banner exec # You are logging into a corporate device. Unauthorized
    access is prohibited.
    banner motd # "We are what we repeatedly do. Excellence, then, is not
    an act, but a habit." - Aristotle #
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns name-server
    object-group service NecessaryServices tcp
    port-object eq echo
    port-object eq www
    port-object eq domain
    port-object eq smtp
    port-object eq ftp-data
    port-object eq pop3
    port-object eq aol
    port-object eq ftp
    port-object eq https
    object-group service UDPServices udp
    port-object eq nameserver
    port-object eq www
    port-object eq isakmp
    port-object eq domain
    object-group service TCP-UDPServices tcp-udp
    port-object eq echo
    port-object eq www
    port-object eq domain

    pager lines 24
    logging enable
    logging timestamp
    logging list ASALog level notifications
    logging monitor notifications
    logging trap notifications
    logging asdm informational
    logging device-id hostname
    logging host inside
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnclient 192.168.10.1-192.168.10.254
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    asdm image disk0:/asdm505.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 2 PUBLIC IP PAT netmask 255.255.255.255
    nat (inside) 0 access-list 110
    nat (inside) 2 PRIVATE IPS
    static (inside,outside) PUBLIC IP (outside interface) mailserver
    netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 ROUTER INSIDE IP
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server vpn protocol radius
    aaa-server vpn PRIVATE IP OF IAS SERVER
    key ****
    group-policy vpnUsers internal
    group-policy vpnUsers attributes
    banner value You are remotely accessing a corporate network. Any
    unauthorized use is strictly prohibited.
    dns-server value PRIVATE IP OF DNS SERVER
    webvpn
    username LOCAL USER ACCOUNT IN CASE IAS IS DOWN
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set RemoteVPNSet esp-aes-256 esp-sha-hmac
    crypto dynamic-map RemoteVPNDynmap 10 set transform-set RemoteVPNSet
    crypto dynamic-map RemoteVPNDynmap 10 set reverse-route
    crypto map RemoteVPNMap 10 ipsec-isakmp dynamic RemoteVPNDynmap
    crypto map RemoteVPNMap interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 2000
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group (outside) vpn
    tunnel-group RemoteVPN type ipsec-ra
    tunnel-group RemoteVPN general-attributes
    address-pool vpnclient
    authentication-server-group vpn
    tunnel-group RemoteVPN ipsec-attributes
    pre-shared-key *
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 50
    !
    class-map global-policy
    match default-inspection-traffic
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect http
    policy-map global-policy
    class global-policy
    inspect http
    inspect icmp
    inspect ftp
    inspect dns
    inspect esmtp
    !
    service-policy global_policy global
    smtp-server PRIVATE IP MAIL SERVER
    Cryptochecksum:e4042ef4dbb31b13906ab838782ba7db
    : end


    Thanks again for any light you can shed on this.
     
    K.J. 44, Oct 19, 2006
    #1

  2. K.J. 44

    K.J. 44 Guest

    Here is the debug output from the Cisco VPN Client when attempting to
    connect:

    Cisco Systems VPN Client Version 4.6.00.0049
    Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2

    1 13:05:16.656 10/19/06 Sev=Info/4 CM/0x63100002
    Begin connection process

    2 13:05:16.671 10/19/06 Sev=Info/4 CVPND/0xE3400001
    Microsoft IPSec Policy Agent service stopped successfully

    3 13:05:16.671 10/19/06 Sev=Info/4 CM/0x63100004
    Establish secure connection using Ethernet

    4 13:05:16.671 10/19/06 Sev=Info/4 CM/0x63100024
    Attempt connection with server "OUTSIDE PUBLIC IP OF ASA"

    5 13:05:17.671 10/19/06 Sev=Info/6 IKE/0x6300003B
    Attempting to establish a connection with OUTSIDE PUBLIC IP OF ASA

    6 13:05:17.687 10/19/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
    VID(Nat-T), VID(Frag), VID(Unity)) to OUTSIDE PUBLIC IP OF ASA

    7 13:05:17.687 10/19/06 Sev=Info/4 IPSEC/0x63700008
    IPSec driver successfully started

    8 13:05:17.687 10/19/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    9 13:05:23.031 10/19/06 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    10 13:05:23.031 10/19/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

    11 13:05:28.031 10/19/06 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    12 13:05:28.031 10/19/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

    13 13:05:33.031 10/19/06 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    14 13:05:33.031 10/19/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

    15 13:05:38.031 10/19/06 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=896EE55DE5545183
    R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    16 13:05:38.531 10/19/06 Sev=Info/4 IKE/0x6300004A
    Discarding IKE SA negotiation (I_Cookie=896EE55DE5545183
    R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    17 13:05:38.531 10/19/06 Sev=Info/4 CM/0x63100014
    Unable to establish Phase 1 SA with server "66.184.64.14" because of
    "DEL_REASON_PEER_NOT_RESPONDING"

    18 13:05:38.531 10/19/06 Sev=Info/5 CM/0x63100025
    Initializing CVPNDrv

    19 13:05:38.546 10/19/06 Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection

    20 13:05:38.562 10/19/06 Sev=Info/4 IKE/0x63000085
    Microsoft IPSec Policy Agent service started successfully

    21 13:05:38.562 10/19/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    22 13:05:38.562 10/19/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    23 13:05:38.562 10/19/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    24 13:05:38.562 10/19/06 Sev=Info/4 IPSEC/0x6370000A
    IPSec driver successfully stopped


    The ASA is not responding. I can see the traffic getting through the
    router and I do not see any return traffic getting stopped. Will the
    return traffic be from the same port that the initiation was sent
    to?

    Please help. Thanks.

     
    K.J. 44, Oct 19, 2006
    #2
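
The client log in the post above contains only `SENDING >>>` lines, retransmissions and an all-zero `R_Cookie`, which means the client never processed a reply to its first Aggressive Mode packet. As an added example (not part of the original thread and not Cisco code), this Python parser reads that log format and classifies the Phase 1 outcome; the function names, verdict labels and the second sample are assumptions made for illustration.

```python
import re

# Entry header used by the Cisco VPN Client log quoted in the post:
#   <seq> <time> <date> Sev=<level>/<n> <module>/<event code>
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=\w+/\d+"
    r"\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$"
)
R_COOKIE_RE = re.compile(r"R_Cookie=([0-9A-Fa-f]{16})")
ZERO_COOKIE = "0" * 16  # responder cookie stays zero until the peer answers

# Entries 6, 9, 10 and 15 from the post above.
POSTED_EXCERPT = """\
6 13:05:17.687 10/19/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to OUTSIDE PUBLIC IP OF ASA

9 13:05:23.031 10/19/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

10 13:05:23.031 10/19/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

15 13:05:38.031 10/19/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=896EE55DE5545183
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Constructed contrast sample (not from the thread): the peer answers.
# 192.0.2.1 is a documentation address.
CONSTRUCTED_REPLY = """\
1 09:00:00.000 01/01/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID) to 192.0.2.1

2 09:00:00.150 01/01/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH) from 192.0.2.1
"""


def parse_entries(text):
    """Split a log into entries, joining each entry's wrapped message lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "time": m.group(2),
                            "module": m.group(4), "code": m.group(5), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


def diagnose_phase1(text):
    """Classify an IKE Phase 1 attempt from the client's point of view."""
    ike = [e for e in parse_entries(text) if e["module"] == "IKE"]
    sent = [e for e in ike if e["msg"].startswith("SENDING >>>")]
    received = [e for e in ike if e["msg"].startswith("RECEIVING <<<")]
    cookies = sorted({c.upper() for e in ike
                      for c in R_COOKIE_RE.findall(e["msg"])})
    gave_up = any("DEL_REASON_PEER_NOT_RESPONDING" in e["msg"] for e in ike)

    if sent and not received and (gave_up or cookies == [ZERO_COOKIE]):
        verdict = "no-reply"            # first packet was never answered
    elif received and gave_up:
        verdict = "reply-then-silence"  # peer answered, then stopped
    elif received:
        verdict = "negotiating"
    else:
        verdict = "inconclusive"
    return {
        "verdict": verdict,
        "sent": len(sent),
        "retransmissions": sum("(Retransmission)" in e["msg"] for e in sent),
        "received": len(received),
        "r_cookies": cookies,
    }


if __name__ == "__main__":
    print(diagnose_phase1(POSTED_EXCERPT))
    print(diagnose_phase1(CONSTRUCTED_REPLY))
```

A `no-reply` verdict only establishes that nothing came back to the client; it does not say where on the path or on the headend the ISAKMP (UDP/500) packet was dropped or left unanswered.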

  3. K.J. 44

    K.J. 44 Guest

    Is anyone out there that has an opinion?

    Please help and thank you.
     
    K.J. 44, Oct 20, 2006
    #3