From: abdul muhammed (abdulmuri@gmail.com)
Date: Mon Jul 21 2008 - 14:33:45 ART
Hi,
I configured my ASA5520 for IPsec Remote Access VPN as follows:
client details:
vpn client 4.6.00.0045
connection entry :aun
Host: 209.165.202.129
group authentication
name: ciscovpn
password: cisco
Enable transparent Tunnelling
IPsec over TCP, tcp port 9000
The server's detailed configuration is as below:
ASA Version 7.0(1)
! ip address on the outside interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.202.129 255.255.255.0
! ip address on the inside interface
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.40.1 255.255.255.0
!
hostname aun
domain-name aun.com
same-security-traffic permit intra-interface
! To Allow IPSec hairpinning on the same interface
same-security-traffic permit intra-interface
! ACL to define Split-tunnel policy. This will allow the Client to
send encrypted traffic to 192.168.0.0/16
access-list ST_ACL standard permit 192.168.0.0 255.255.0.0
! ACL to define Inbound FW policy to restrict inbound clear-text traffic
access-list Inbound_FW_ACL extended permit tcp any eq www any
access-list Inbound_FW_ACL extended permit udp any eq domain any
! ACL to define Outbound FW policy to restrict outbound clear-text traffic
access-list Outbound_FW_ACL extended permit tcp any any eq www
access-list Outbound_FW_ACL extended permit udp any any eq domain
! Enable logging to send syslog messages to 192.168.60.150
logging enable
logging timestamp
logging host inside 192.168.60.150
logging trap notifications
! IP Pool used to assign IP address to the VPN client
ip local pool ippool 192.168.50.1-192.168.50.100 mask 255.255.255.0
! Default gateways.
route outside 0.0.0.0 0.0.0.0 209.165.202.130 1
route inside 192.168.60.0 255.255.255.0 192.168.40.2
route inside 0.0.0.0 0.0.0.0 192.168.40.2 tunneled
! Configuration of an internal user-group called SecureMeGrp
group-policy SecureMeGrp internal
! Configuration of user-group attributes
group-policy SecureMeGrp attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ST_ACL
default-domain value aun.com
client-firewall req cisco-integrated acl-in Inbound_FW_ACL acl-out Outbound_FW_ACL
! Configuration of LOCAL user database
username ciscouser password cisco
username adminuser password cisco
username poweruser password cisco
! Configuration of ASDM for Appliance management
http server enable
http 0.0.0.0 0.0.0.0 inside
! sysopt to bypass traffic filters
sysopt connection permit-ipsec
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic crypto-map for Remote-Access Clients
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
! Dynamic crypto-map is mapped to the static crypto-map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Static crypto-map is applied to the outside interface
crypto map outside_map interface outside
! isakmp configuration
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Tunnel Encapsulation to use IPSec over TCP over port 9000
isakmp ipsec-over-tcp port 9000
! tunnel-group configuration for VPN client. The groupname is ciscovpn
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
address-pool ippool
default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
pre-shared-key cisco
Question: I received "Secure VPN Connection terminated locally by the client. Reason 401: an unrecognized error occurred while establishing the VPN connection."
Thanks
--
Abdul Muhammed Murtala
Network Manager, American University of Nigeria
Lamido Zubairu Way, Yola, Adamawa
+2348052001153, +2348056201237
MCSE, MCDBA, MCSA, OCPDBA, CCNA, CCIE Written
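A consistency check for the configuration posted above, added here as an example (not Cisco's code and not part of the original post): it parses a constructed excerpt of the ASA config, verifies that every referenced ACL, address pool, group policy and transform set is actually defined, checks that the client's group name and IPsec-over-TCP port line up with the ASA side, and flags the weak IKE/ESP settings and placeholder credentials visible in the post. The excerpt, the lint rules and the function name are this example's own assumptions.

```python
import re
# Constructed excerpt of the posted ASA config (comments and interfaces
# omitted, wrapped entries re-joined); added example, not the poster's code.
ASA_CONFIG = """\
access-list ST_ACL standard permit 192.168.0.0 255.255.0.0
ip local pool ippool 192.168.50.1-192.168.50.100 mask 255.255.255.0
group-policy SecureMeGrp attributes
split-tunnel-network-list value ST_ACL
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
isakmp policy 10 hash md5
isakmp ipsec-over-tcp port 9000
tunnel-group ciscovpn type ipsec-ra
address-pool ippool
default-group-policy SecureMeGrp
pre-shared-key cisco
"""
# command prefix -> (object kind, index of the defined name in the split line)
DEFS = {"access-list": ("acl", 1), "ip local pool": ("pool", 3), "group-policy": ("gp", 1),
        "crypto ipsec transform-set": ("ts", 3), "tunnel-group": ("tg", 1)}
# regex capturing a referenced name -> kind it must already be defined as
REFS = [(r"split-tunnel-network-list value (\S+)", "acl"), (r"acl-(?:in|out) (\S+)", "acl"),
        (r"set transform-set (\S+)", "ts"), (r"^address-pool (\S+)", "pool"),
        (r"^default-group-policy (\S+)", "gp")]
WEAK = [(r"isakmp policy \d+ hash md5", "IKE policy hashes with MD5"),
        (r"esp-3des|encryption 3des", "3DES in use, prefer AES"),
        (r"(pre-shared-key|password) cisco$", "placeholder credential 'cisco'")]

def lint_asa_ra_vpn(config, client_group, client_tcp_port):
    """Return findings: dangling references, weak settings, client/ASA mismatches."""
    lines = [l for l in map(str.strip, config.splitlines()) if l and l[0] != "!"]
    defined = {kind: set() for kind, _ in DEFS.values()}
    for l in lines:  # pass 1: collect every named object the config defines
        for prefix, (kind, idx) in DEFS.items():
            if l.startswith(prefix + " "):
                defined[kind].add(l.split()[idx])
    findings = []
    for l in lines:  # pass 2: every reference must resolve; flag weak settings
        for pat, kind in REFS:
            m = re.search(pat, l)
            if m and m.group(1) not in defined[kind]:
                findings.append(f"dangling {kind} reference: {l}")
        findings += [f"weak setting: {msg} ({l})" for pat, msg in WEAK if re.search(pat, l)]
    if client_group not in defined["tg"]:  # client's group name must be a tunnel-group
        findings.append(f"client group '{client_group}' has no tunnel-group")
    m = re.search(r"^isakmp ipsec-over-tcp port (\d+)$", config, re.M)
    server_port = int(m.group(1)) if m else None  # None: TCP encapsulation not enabled
    if server_port != client_tcp_port:
        findings.append(f"IPsec-over-TCP port mismatch: client {client_tcp_port}, ASA {server_port}")
    return findings
```

Running it against the excerpt with the client values from the post (group ciscovpn, TCP port 9000) yields no dangling references or mismatches, only the three weak-setting findings.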
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART