RE: ASA VPN problem

From: Ryan West <rwest_at_zyedge.com>
Date: Fri, 15 Jan 2010 22:53:39 +0000

Ivan,

I would take a step back and see if you can get it working with the most basic settings and then maybe you can narrow down what's blocking you.

I replicated basic settings on a 5510 running 7.2(4)33, so I'm missing the service-type setting under the username attributes. I have this configured in other environments on 8.2(1)11 with fallback local authorization. Here are my results:

s ver | i 7.2
Cisco Adaptive Security Appliance Software Version 7.2(4)33

show run | i group-policy|tunnel-group|ip local pool|access-list test[12]
access-list test1 extended deny ip any host 192.168.98.3
access-list test1 extended permit ip any any
access-list test2 extended permit ip any any
ip local pool vpnpool 192.168.100.1-192.168.100.20
group-policy test2 internal
group-policy test2 attributes
group-policy test1 internal
group-policy test1 attributes
tunnel-group testing type ipsec-ra
tunnel-group testing general-attributes
 default-group-policy test1
tunnel-group testing ipsec-attributes

You'll want to watch for the AAA output when you connect:

Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2

show vpn-sessiondb remote | i Username|Group
Username : test2
Group Policy : test2
Tunnel Group : testing

HTH,

-ryan

> -----Original Message-----
> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> Sent: Friday, January 15, 2010 1:51 PM
> To: Ryan West
> Cc: Cisco certification
> Subject: Re: ASA VPN problem
>
> Nothing. Same thing.
>
> On Fri, Jan 15, 2010 at 5:13 PM, Ryan West <rwest_at_zyedge.com> wrote:
> > Ivan,
> >
> >> -----Original Message-----
> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> >> Sent: Thursday, January 14, 2010 5:37 PM
> >> To: Ryan West
> >>
> >> ASA# sh run tunnel-group
> >> tunnel-group GROUP1 type remote-access
> >> tunnel-group GROUP1 general-attributes
> >> default-group-policy POLICY3
> >> tunnel-group GROUP1 ipsec-attributes
> >> pre-shared-key *
> >
> > Try adding this to your tunnel-group GROUP1 general-attributes:
> > authorization-server-group LOCAL
> >
> > -ryan
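As an added example (not from Ryan's post or from Cisco), a small Python parser for the %ASA-6-1130xx AAA lines shown above: it reconstructs, per user, which group policy the ASA actually applied and whether it came from the username attributes or the tunnel-group default, and flags accepted sessions that landed in a policy you did not expect. The sample log is constructed; the "alice" lines are invented to show a user with no user-specific policy.

```python
import re

# Constructed sample modelled on the thread's AAA messages; "alice" lines are invented.
SAMPLE_LOG = """\
Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2
Jan 15 2010 17:51:10 : %ASA-6-113012: AAA user authentication Successful : local database : user = alice
Jan 15 2010 17:51:10 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = alice
Jan 15 2010 17:51:10 : %ASA-6-113003: AAA group policy for user alice is being set to test1
Jan 15 2010 17:51:10 : %ASA-6-113008: AAA transaction status ACCEPT : user = alice
"""

# One pattern per message ID; each captures the user and the single field it carries.
PATTERNS = {
    "auth_source":      re.compile(r"%ASA-6-113012: AAA user authentication Successful : (?P<val>.+?) : user = (?P<user>\S+)"),
    "effective_policy": re.compile(r"%ASA-6-113003: AAA group policy for user (?P<user>\S+) is being set to (?P<val>\S+)"),
    "user_policy":      re.compile(r"%ASA-6-113011: AAA retrieved user specific group policy \((?P<val>[^)]+)\) for user = (?P<user>\S+)"),
    "default_policy":   re.compile(r"%ASA-6-113009: AAA retrieved default group policy \((?P<val>[^)]+)\) for user = (?P<user>\S+)"),
    "status":           re.compile(r"%ASA-6-113008: AAA transaction status (?P<val>\S+) : user = (?P<user>\S+)"),
}

def parse_aaa_log(log):
    """Collapse the AAA syslog lines into one record per user."""
    sessions = {}
    for line in log.splitlines():
        for field, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                sessions.setdefault(m["user"], {})[field] = m["val"]
                break
    return sessions

def policy_source(session):
    """Where the applied policy came from: username attributes win over the tunnel-group default."""
    eff = session.get("effective_policy")
    if eff and eff == session.get("user_policy"):
        return "user-specific"
    if eff and eff == session.get("default_policy"):
        return "default"
    return "unknown"

def find_policy_mismatches(sessions, expected):
    """(user, expected, applied) for ACCEPTed sessions whose applied policy is not the expected one."""
    return [(u, expected[u], s.get("effective_policy")) for u, s in sessions.items()
            if s.get("status") == "ACCEPT" and u in expected and s.get("effective_policy") != expected[u]]
```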

Received on Fri Jan 15 2010 - 22:53:39 ART