# Solved: VPN -> continued



## ademzuberi (Mar 10, 2007)

Hello, as I said I'm a newbie in ASA (ASA 5510, Version 8.0(3)6, ASDM 6.0(3)) products. Since I managed to configure the DMZ with your help (special thanks to *zx10guy*), I'm now on to configuring a VPN connection between my company and another company.
The personnel from the other company (to be more specific, 3 persons, 3 machines) will need to access a machine in my local network (it has a web application installed that will be used).
I will go for the IPsec Remote-Access VPN with the Cisco VPN Client on the client side. What are the prerequisites?
Do I have to connect the machine with the application to a specific interface on the ASA, or just add a NAT rule from outside to the local machine?
Local network IP: 192.168.0.0
Local computer (that will be accessed through the VPN) IP: 192.168.0.35
Outside interface IP: 212.xxx.xxx.xxx
Thanks


----------



## ademzuberi (Mar 10, 2007)

I would appreciate any suggestion
Thanks


----------



## zx10guy (Mar 30, 2008)

I suggest you go through the ASDM VPN wizard. It makes it really easy to set things up. I'm going to assume you're going to use the highest level of encryption possible, which would be settings like AES 256, SHA-1, etc. One word of warning. I don't think Cisco has fixed this issue yet. But when you select the Diffie-Hellman group number, you'll have a choice of 1 up to 7. Do not select anything higher than 2. The wizard is going to bark at you about not using a stronger group number. But this is incorrect. The Cisco VPN client only supports DH Group 2 as the highest. If you select anything higher in the wizard, you'll never get the tunnel to come up and the error messages you'll get won't point you to this. I figured it out through lots of pain, trial and error, and cursing.

Other things you'll need to set up are the remote client IP pools and the user accounts for authentication. The IP pools get assigned when the connection is made. The IP pool addresses are what the remote client will be assigned on your local network. I would suggest using a set of private addresses which are NOT in your current subnet range. This will help in troubleshooting and provides some segregation. You need to make sure either the ASA is your default gateway, as it will be the only device which knows how to route traffic back to the remote client, or you can set up a static route rule on your current default gateway to point to the ASA to reach the remote clients.

You can set up the ASA to have a list of users which can then be assigned to specific VPN policy groups for authentication. With the number of users you're talking about, I think this is the best and easiest way. For my corporate network, I was able to tie in the PIX 515 to use our Active Directory server for user authentication. Took some doing, but I got it to work.

Other than that, you should create a PCF file, which is the connection profile file used by the Cisco VPN client. You need to enter the public hostname or IP address registered to the ASA, or to the device which will forward the traffic to it. The group policy name you created in the wizard gets entered here. Also the preshared key you used to set up the group policy for initial Phase 1 negotiation would be entered here. Once you create the PCF file in the VPN client, you can then copy the PCF file and distribute it to other users. The preshared key is hashed in the file, so you won't be able to read it in plain text.

I know there are probably some details I've left out, but this should get you started.
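The configuration the post above walks through in the ASDM wizard, written out as ASA 8.0 CLI. This is an added example, not part of the original post or of any poster's configuration. The pool 192.168.100.0/24, the names VPN_POOL, NO_NAT, SPLIT_TUNNEL, VPN_TO_APP, ESP-AES256-SHA, DYN_MAP, OUTSIDE_MAP, APP_VPN and partner1 are placeholders chosen here; the LAN 192.168.0.0/24 and the application host 192.168.0.35 are the ones given in the thread. Beyond what the post covers it adds a NAT exemption (which answers the "NAT rule" question in the first post), split tunnelling limited to the application host, and a `vpn-filter` so the three partner accounts can reach only that host, which is the least-privilege check a practitioner would want for a third-party access tunnel.

```cisco
! --- Added example (ASA 8.0 syntax), not from the original thread. ---
! Placeholders: VPN_POOL, NO_NAT, SPLIT_TUNNEL, VPN_TO_APP, ESP-AES256-SHA,
! DYN_MAP, OUTSIDE_MAP, APP_VPN, partner1 and the pool 192.168.100.0/24.

! Client address pool deliberately OUTSIDE the 192.168.0.0/24 LAN, as advised above.
ip local pool VPN_POOL 192.168.100.10-192.168.100.19 mask 255.255.255.0

! NAT exemption: LAN <-> pool traffic must not be translated, or replies never return.
access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Split tunnel: push the client a route for the application host only.
access-list SPLIT_TUNNEL standard permit host 192.168.0.35

! Least privilege: decrypted VPN traffic may reach only the web application.
! For a remote-access vpn-filter the ACL source is the client pool, destination the LAN.
access-list VPN_TO_APP extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.0.35 eq 443
access-list VPN_TO_APP extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.0.35 eq 80

! IKE Phase 1: AES-256 / SHA-1 / DH group 2 (the highest the legacy Cisco VPN Client negotiates).
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! Partner machines are almost certainly behind NAT, so allow NAT-T (UDP 4500).
crypto isakmp nat-traversal 20

! IKE Phase 2 transform set and the dynamic crypto map that accepts roaming clients.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! Group policy: IPsec only, the pool above, split tunnel and the traffic filter.
group-policy APP_VPN internal
group-policy APP_VPN attributes
 vpn-tunnel-protocol IPSec
 address-pools value VPN_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_TO_APP

! Tunnel group: its name and pre-shared key are what go into the client's PCF.
tunnel-group APP_VPN type remote-access
tunnel-group APP_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy APP_VPN
tunnel-group APP_VPN ipsec-attributes
 pre-shared-key <long-random-group-key>

! One local account per person (three here), each bound to the group policy.
username partner1 password <per-user-password> privilege 0
username partner1 attributes
 vpn-group-policy APP_VPN
```

Two things the fragment cannot do for you: the internal hosts' default gateway (if it is not the ASA) still needs a static route for 192.168.100.0/24 pointing at the ASA's inside address, exactly as the post says, and the PCF's group name and group password must match the `tunnel-group` name and `pre-shared-key` above. DH group 2 (1024-bit MODP) and SHA-1 are what this client generation supports; by current standards that is a weak key exchange, so treat the example as reflecting the platform under discussion rather than a recommendation for new deployments.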


----------



## ademzuberi (Mar 10, 2007)

Thanks for your reply.
I did all this, but I think that I used DH group 5.
When I try connecting with the VPN I get:
Secure VPN Connection terminated locally by the client
Reason 412: The remote peer is no longer responding


----------



## zx10guy (Mar 30, 2008)

That's what I said previously. You can only use DH group 2 with Cisco's VPN client. Change it to DH group 2 and I bet that error goes away.


----------



## ademzuberi (Mar 10, 2007)

Thanks,
I changed the DH group from 5 to 2 and still get the same error?


----------



## ademzuberi (Mar 10, 2007)

In the syslog I get:
713903 Group = GroupName, IP = 77.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
713902 Group = Dksk_Ujp, IP = 77.xxx.xxx.xxx, Removing peer from peer table failed, no match!

And one more thing: when I try to enable WebVPN I get the error shown in the attached picture error1.jpg,
and when I make changes and save them I get some memory problems; even though it saves the changes, I get the error shown in the attachment error2.jpg.


----------



## ademzuberi (Mar 10, 2007)

I found a resource on the Cisco web site that contains the following:

> **Requirements**
>
> Before the secure tunnel establishment, IP connectivity needs to exist between the peers.
>
> Make sure that UDP port 1701 is not blocked anywhere along the path of the connection.
>
> **Use only the default tunnel group and default group policy on the Cisco PIX/ASA. User-defined policies and groups do not work.**

And I didn't use the default tunnel group and default group policy.
The first thing I'll do tomorrow is check whether this is the issue.


----------



## zx10guy (Mar 30, 2008)

First, how is your network set up? Is the ASA your edge firewall/router?

Second what IPSEC encryption are you using? The UDP port 1701 you're referring to is used by L2TP. You don't need this if you are doing Cisco's standard VPN setup. If the ASA is sitting behind another firewall, you need to allow these ports through: IP port 50, IP port 51 if you're using AH, and UDP port 500. You may need to open port 10000 but I'm not 100% sure about that.

If you're doing the standard Cisco VPN, you can define any tunnel group or group policy you want. I have a few defined for both my home use and at my company.

Why are you messing with WebVPN?

You should also not get those memory errors. The ASAs come with a ton of standard memory. And for your stated use, there's no way you're even putting a significant dent in the memory. Do a show memory at the CLI or look in the ASDM to see what it reports back as the amount of physical memory and how much of it is being used.


----------



## ademzuberi (Mar 10, 2007)

Thanks for your reply.
Yes, the ASA is my edge firewall/router.
And configured using the IPsec VPN wizard (as in the guide http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/remvpn.html ) I still get:
713903 Group = GroupName, IP = 77.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
713902 Group = Dksk_Ujp, IP = 77.xxx.xxx.xxx, Removing peer from peer table failed, no match!

I just tried to enable the SSL VPN on the outside interface (just as a test) and I got the WebVPN error (not that I need it).

Tomorrow I'll look at the memory problem and report the output (the amount of physical memory and how much of it is being used).
Thanks


----------



## zx10guy (Mar 30, 2008)

Are you using the Tunnel Group name you created in the wizard in the Name field under the Group Authentication option? These two have to match along with the pre-shared key if you used this method for initial authentication.


----------



## ademzuberi (Mar 10, 2007)

Yes i do use them like that.


----------



## zx10guy (Mar 30, 2008)

Something is definitely not right here. If your ASA is your edge firewall, then the next hop will be your ISP. And I haven't run across any ISP which blocks VPN/IPSEC ports. Those errors still lead me to believe there's an IKE Phase 1 negotiation issue. And the problem I've seen the most which mimics what you've put up there is a mismatch in something like the DH group.

I can't help you any further without more details about your configuration. As it is now I'm just guessing. But I can say with confidence there shouldn't be more to setting up a Cisco VPN than this, as I've done tons of them, both remote client and site-to-site tunnels.
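The "more details" the reply above asks for can be collected from the ASA itself. The sequence below is an added troubleshooting example, not from any post in this thread; it assumes the tunnel group is called APP_VPN and uses the documentation address 203.0.113.10 as a stand-in for the ASA's public address, which the thread only shows as 212.xxx.xxx.xxx. Step 5 also covers the earlier question about which ports an upstream firewall must pass: ESP is IP protocol 50 and AH is protocol 51 (neither is a port), IKE is UDP 500, NAT-T is UDP 4500, and the ASA's IPsec-over-TCP fallback defaults to TCP 10000.

```cisco
! --- Added troubleshooting sequence (ASA 8.0), not from the original thread. ---
! Assumed: tunnel group APP_VPN; 203.0.113.10 stands in for the ASA's outside address.

! 1. Confirm what Phase 1 actually offers and compare it with the client profile:
!    encryption, hash, DH group, lifetime, and the tunnel-group name/key the PCF carries.
ciscoasa# show running-config crypto isakmp
ciscoasa# show running-config tunnel-group APP_VPN

! 2. Watch the negotiation while the client connects.  A proposal mismatch
!    (for example a DH group the ASA policy does not offer) is visible here
!    in a way the 713903/713902 syslogs never are.  Turn it off afterwards.
ciscoasa# debug crypto isakmp 127
ciscoasa# show crypto isakmp sa
ciscoasa# undebug all

! 3. Pull only the 713xxx IKE messages out of the buffered log (requires
!    "logging buffered" to be enabled) instead of scrolling through ASDM.
ciscoasa# show logging | include 713

! 4. Prove that the client's IKE packets even reach the outside interface.
ciscoasa# capture IKE interface outside match udp any host 203.0.113.10 eq 500
ciscoasa# show capture IKE
ciscoasa# no capture IKE

! 5. If another firewall sits in front of the ASA, it must pass the equivalent
!    of these rules (shown in ASA syntax; translate to that device's own).
!    ESP is IP protocol 50, AH is 51; they are not TCP/UDP ports.
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 10000
```

Step 4 in particular separates "the ISP or an upstream device is dropping the traffic" from "the ASA rejected the proposal": if the capture is empty, no amount of policy tuning on the ASA will help; if packets arrive but the debug shows the peer's proposal being refused, the mismatch is in the Phase 1 parameters.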


----------



## ademzuberi (Mar 10, 2007)

Thanks.
About the memory:

```
ciscoasa# show memory
Free memory:        3538072 bytes (  1%)
Used memory:      260014824 bytes ( 99%)
-------------     ----------------
Total memory:     263552896 bytes (100%)
```

After reboot (now I don't get the memory problems):

```
ciscoasa# show memory
Free memory:       86129768 bytes ( 33%)
Used memory:      177423128 bytes ( 67%)
-------------     ----------------
Total memory:     263552896 bytes (100%)
```

This is the config of the IPSEC VPN:


----------



## ademzuberi (Mar 10, 2007)

Thanks for all your replies.
I managed to establish the connection, finally.
What I did was reset the ASA and configure it again, and everything is working excellently.
Thanks again


----------



## zx10guy (Mar 30, 2008)

Not a problem. The setup for remote client VPNs is pretty straightforward when you use the VPN Wizard.

One thing you will want to keep track of is the memory usage. There shouldn't be any reason, other than a large corporate environment, where you'll use up all the available memory of the ASA. You might want to examine your network traffic and see what is going on. I had this issue with my corporate PIX 515E. Tracked it down to one of the users' laptops. For some reason he had something running on it which was doing a ton of UDP connections to various places on the internet. Because of the sheer number of UDP connections being generated by the laptop, the UDP connections weren't being torn down fast enough before other UDP connections were being created. As a result, memory usage shot through the roof and it caused the PIX to refuse any VPN connections.
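A way to find the host described above and to stop one machine from filling the connection table again. This is an added example, not from the original post; the ACL and class-map names INSIDE_HOSTS and PER_HOST_LIMIT and the limit of 500 are placeholders chosen here, and the per-client connection limit and UDP idle timeout are standard ASA Modular Policy Framework and global timeout commands. The 99% figure in the thread was measured on a 256 MB ASA 5510, which is the scale the limit is sized for.

```cisco
! --- Added example (ASA 8.0), not from the original thread. ---
! Placeholders: INSIDE_HOSTS, PER_HOST_LIMIT, the limit of 500 connections.

! Where is the memory going?  Start with totals, then per-host counts, then
! the UDP entries themselves; a runaway host shows thousands of UDP conns.
ciscoasa# show memory
ciscoasa# show conn count
ciscoasa# show local-host
ciscoasa# show conn | include UDP

! UDP is connectionless, so the ASA only ages entries out by idle time.
! The default is 2 minutes; a storm of short-lived flows accumulates faster
! than that.  Shortening the idle timeout lets the table drain sooner.
timeout udp 0:01:00

! Cap what any single inside host may hold open, so one misbehaving laptop
! cannot exhaust the connection table (and with it the ASA's memory) and
! take the VPN down with it.  Applied inside the default global policy.
access-list INSIDE_HOSTS extended permit ip 192.168.0.0 255.255.255.0 any
class-map PER_HOST_LIMIT
 match access-list INSIDE_HOSTS
policy-map global_policy
 class PER_HOST_LIMIT
  set connection per-client-max 500

! Afterwards, confirm the policy is attached and watch the counts recover.
ciscoasa# show service-policy
ciscoasa# show conn count
```

The limit is a guard rail, not a cure: once `show local-host` points at the offending machine, the fix is on that host. Choose the cap well above what a legitimate workstation (or the web application host 192.168.0.35) needs, since a too-low value turns this protection into a self-inflicted denial of service.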


----------

