Cisco VPN Client Behind ASA 5505
- by fdf33
I'm trying to get connected to another ASA via Cisco VPN Client. I am behind an ASA 5505 myself and I am tryihng to VPN to a 5510.
I get the message:
Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.
I can connect to the other ASA if I use a normal cheap Linksys.
Here's the version of my ASA:
Result of the command: "sh ver"
Cisco Adaptive Security Appliance Software Version 8.4(1)
Any help would be great.
Thanks
running-config
: Saved
: Written by enable_15 at 23:12:32.378 UTC Fri Jul 1 2011
!
ASA Version 8.4(1)
!
hostname aaaasa
domain-name aaa.local
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.254.0
!
interface Vlan5
no nameif
security-level 50
ip address 172.16.0.254 255.255.255.0
!
interface Vlan500
no nameif
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name aaa.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network A_93.97.168.1
host 93.97.168.1
object network rdp
host 192.168.1.2
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list 101 extended permit tcp any host 192.168.1.2 eq 3389
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any unreachable
access-list 102 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool VPNPool 192.168.2.200-192.168.2.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network rdp
nat (inside,outside) static interface service tcp 3389 3389
!
nat (inside,outside) after-auto source dynamic any interface
access-group 101 in interface outside
access-group 102 out interface outside
!
router ospf 1
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 93.97.168.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 8877d64d
30820248 308201b1 a0030201 02020488 77d64d30 0d06092a 864886f7 0d010105
05003036 3111300f 06035504 03130863 6973636f 61736131 21301f06 092a8648
86f70d01 09021612 63697363 6f617361 2e6e6a64 2e6c6f63 616c301e 170d3131
30353231 30383533 34325a17 0d323130 35313830 38353334 325a3036 3111300f
06035504 03130863 6973636f 61736131 21301f06 092a8648 86f70d01 09021612
63697363 6f617361 2e6e6a64 2e6c6f63 616c3081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 818100ea 1aa95141 480e616c efee6816 a96d6511
313b6776 cd3dd57b cd84b4d2 5e108aee 7c980086 4d92e2eb b6c7bf66 4585af0a
ccbf153a db9270be c6f5c67b db9dd8d1 2f78d033 3348b056 df4be0da 70e08953
53adf294 9db6c020 597d250f bf448b43 b90179c8 ff0b15d8 744632d9 31c1945f
0b11e258 b4c1d224 692efff4 7b2f5102 03010001 a3633061 300f0603 551d1301
01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23
04183016 8014493c 19db183a ab1af9e9 b1e44ad4 2a408b3c 89d1301d 0603551d
0e041604 14493c19 db183aab 1af9e9b1 e44ad42a 408b3c89 d1300d06 092a8648
86f70d01 01050500 03818100 1dd1760a fdd15941 4803fb9a cd6f44a7 2e275854
a1c0fbe1 d19f2cc9 182d43ef a547f854 8df96d15 3ea79c62 cf3fcb1c 5820360b
c607dbfc 4de8bb16 19f727e9 b928a085 665816d8 138e4a35 ed610950 7910dd4a
0b1a9dd9 0e26f1c8 b78bc0cc cbf19eb2 4c4c3931 45199ea5 249e3266 661e44fd
7a00d376 dcfc6e4e d43f10b8
quit
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 82.219.4.31 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect profiles AnyConnectVPN_client_profile disk0:/AnyConnectVPN_client_profile.xml
anyconnect profiles SSLAnyConnectVPN_client_profile disk0:/SSLAnyConnectVPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
wins-server none
dns-server value 4.2.2.2
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value aaa.local
webvpn
url-list none
anyconnect profiles value AnyConnectVPN_client_profile type user
group-policy GroupPolicy_SSLAnyConnectVPN internal
group-policy GroupPolicy_SSLAnyConnectVPN attributes
wins-server none
dns-server value 4.2.2.2
vpn-tunnel-protocol ikev2 ssl-client
default-domain value aaa.local
webvpn
anyconnect profiles value SSLAnyConnectVPN_client_profile type user
username testuser password xxxxxxxxxxxxxxxxx encrypted privilege 0
username testuser attributes
vpn-group-policy GroupPolicy_AnyConnectVPN
tunnel-group SSLPOL type remote-access
tunnel-group SSLPOL general-attributes
default-group-policy GroupPolicy_AnyConnectVPN
tunnel-group SSLAnyConnectVPN type remote-access
tunnel-group SSLAnyConnectVPN general-attributes
address-pool VPNPool
default-group-policy GroupPolicy_SSLAnyConnectVPN
tunnel-group SSLAnyConnectVPN webvpn-attributes
group-alias SSLAnyConnectVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:94a65341aa27d3929d5e92a32ba22120
: end
