Cisco ASA / Remote VPN access

Discussion in 'Cisco' started by mich, Dec 26, 2008.

  1. mich

    mich Guest

    Hello,

    I am having problems connecting to my Cisco ASA 5510 via remote VPN.

    When connecting, I see the following in the log:

    397 18:20:58.646 12/26/2008 Sev=Warning/3 IKE/0xC3000057
    The received HASH payload cannot be verified

    398 18:20:58.647 12/26/2008 Sev=Warning/2 IKE/0xC300007E
    Hash verification failed... may be configured with invalid group
    password.

    399 18:20:58.647 12/26/2008 Sev=Warning/2 IKE/0xC300009B
    Failed to authenticate peer (Navigator:904)

    400 18:20:58.647 12/26/2008 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to [my external
    ip]

    401 18:20:58.647 12/26/2008 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to [my external ip]

    402 18:20:58.647 12/26/2008 Sev=Warning/2 IKE/0xC30000A7
    Unexpected SW error occurred while


    My config:

    ! Review notes are on "!" lines (ignored by the ASA parser); the configuration lines are reproduced as posted.
    hostname myhostname
    domain-name my-fqdn
    enable password xxxxxxxx encrypted
    passwd xxxxxxxxxx encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif uplink
    security-level 0
    ip address [my external ip] 255.255.255.0
    !
    interface Ethernet0/1
    nameif lan
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    ! lan_nat0_outbound is defined here, but no "nat (lan) 0 access-list lan_nat0_outbound" line
    ! appears in this listing, so nothing exempts lan<->VPN-client traffic from the "nat (lan) 1"
    ! PAT further down (unless that line was dropped from the paste). Also, "interface lan" as the
    ! ACL source appears to match only the lan interface address (192.168.10.1), not the
    ! 192.168.10.0/24 network -- confirm that is what was intended.
    access-list lan_nat0_outbound extended permit ip interface lan
    192.168.10.96 255.255.255.224
    ! outside-entry admits "any" source to every forwarded service (www, ftp, 3389, ssh, 8885-8891,
    ! 9000). Narrowing the source to known client networks where possible limits exposure of the
    ! inside hosts published by the statics below (192.168.10.2, .4, .6, .10).
    access-list outside-entry extended permit tcp any host [my external
    ip] eq www
    access-list outside-entry extended permit tcp any host [my external
    ip] eq ftp
    access-list outside-entry extended permit tcp any host [my external
    ip] eq 8888
    access-list outside-entry extended permit tcp any host [my external
    ip] eq 3389
    access-list outside-entry extended permit udp any host [my external
    ip] eq 3389
    access-list outside-entry extended permit tcp any host [my external
    ip] eq 8889
    access-list outside-entry extended permit tcp any host [my external
    ip] eq 9000
    access-list outside-entry extended permit udp any host [my external
    ip] eq 9000
    access-list outside-entry extended permit tcp any host [my external
    ip] eq 8885
    access-list outside-entry extended permit tcp any host [my external
    ip] eq ssh
    access-list outside-entry extended permit tcp any host [my external
    ip] eq 8890
    access-list outside-entry extended permit tcp any host [my external
    ip] eq 8891
    pager lines 24
    ! Only ASDM logging is configured; no "logging enable" or "logging host" line appears, so the
    ! ASA side of this IKE exchange is not recorded anywhere durable. Syslog to a collector would
    ! give the server-side view of the failed authentication shown in the client log above.
    logging asdm informational
    mtu uplink 1500
    mtu lan 1500
    mtu management 1500
    ! VPNpool lies inside the lan subnet (192.168.10.0/24 on Ethernet0/1). That can work, but a pool
    ! on a separate subnet avoids overlap/ARP surprises on the lan side. Secondary point; it is not
    ! the cause of the authentication failure.
    ip local pool VPNpool 192.168.10.100-192.168.10.120 mask 255.255.255.0
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    global (uplink) 1 interface
    nat (lan) 1 192.168.10.0 255.255.255.0
    nat (management) 10 0.0.0.0 0.0.0.0
    static (lan,uplink) tcp interface www 192.168.10.2 www netmask
    255.255.255.255
    static (lan,uplink) tcp interface ftp 192.168.10.6 ftp netmask
    255.255.255.255
    static (lan,uplink) tcp interface 3389 192.168.10.4 3389 netmask
    255.255.255.255
    static (lan,uplink) udp interface 3389 192.168.10.4 3389 netmask
    255.255.255.255
    static (lan,uplink) tcp interface 8888 192.168.10.6 8888 netmask
    255.255.255.255
    static (lan,uplink) tcp interface 8889 192.168.10.6 8889 netmask
    255.255.255.255
    static (lan,uplink) tcp interface 9000 192.168.10.6 9000 netmask
    255.255.255.255
    static (lan,uplink) udp interface 9000 192.168.10.6 9000 netmask
    255.255.255.255
    static (lan,uplink) tcp interface 8885 192.168.10.2 8885 netmask
    255.255.255.255
    ! outside-entry has no "udp ... eq 8885" entry, so this static is unreachable through the
    ! access-group below; drop it, or add the matching ACL line if the service is actually needed.
    static (lan,uplink) udp interface 8885 192.168.10.2 8885 netmask
    255.255.255.255
    static (lan,uplink) tcp interface ssh 192.168.10.10 ssh netmask
    255.255.255.255
    static (lan,uplink) tcp interface 8890 192.168.10.10 8890 netmask
    255.255.255.255
    static (lan,uplink) tcp interface 8891 192.168.10.10 8891 netmask
    255.255.255.255
    access-group outside-entry in interface uplink
    route uplink 0.0.0.0 0.0.0.0 195.80.159.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy RemoteAccess internal
    username mich password xxxxxxxxxx encrypted privilege 0
    username mich attributes
    vpn-group-policy RemoteAccess
    webvpn
    http server enable
    http 192.168.10.250 255.255.255.255 lan
    http 192.168.10.55 255.255.255.255 lan
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! 3DES/SHA-1 (this transform set and isakmp policy 10) were common in 2008; AES, and SHA-2 where
    ! the platform and client support it, are preferable today. A proposal mismatch would produce a
    ! different client error than the hash-verification failure logged above.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map uplink_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map uplink_dyn_map 20 set security-association lifetime
    seconds 28800
    crypto dynamic-map uplink_dyn_map 20 set security-association lifetime
    kilobytes 4608000
    crypto map uplink_map 65535 ipsec-isakmp dynamic uplink_dyn_map
    crypto map uplink_map interface uplink
    isakmp enable uplink
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    ! The client log ("Hash verification failed... may be configured with invalid group password")
    ! points here: the client's group-authentication name must be exactly "RemoteAccess" and its
    ! group password must equal the pre-shared-key below. The running-config masks the key as "*",
    ! so this listing cannot confirm it -- re-enter it on both ends. No "isakmp nat-traversal" line
    ! is present; that only matters for clients behind NAT and is not what this log shows.
    tunnel-group RemoteAccess type ipsec-ra
    tunnel-group RemoteAccess general-attributes
    address-pool VPNpool
    default-group-policy RemoteAccess
    tunnel-group RemoteAccess ipsec-attributes
    pre-shared-key *
    ! Telnet is cleartext and is permitted here from the whole lan and management subnets, while no
    ! "ssh <net> <mask> <ifc>" line permits SSH to the ASA itself (only "ssh timeout" is set).
    ! Preferring SSH/ASDM and removing telnet reduces credential exposure on the LAN.
    telnet 192.168.10.0 255.255.255.0 lan
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd lease 3600
    dhcpd ping_timeout 50
    dhcpd enable management
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global



    Any help will be greatly appreciated.

    Thanks,

    Mike
     
    mich, Dec 26, 2008
    #1
