Hello,
I'm attempting to reconfigure an in-place ASA5505 to support both site-to-site VPNS (in place and working for some time) and remote access VPNs (where I'm stuck). The issue I'm running into is this - the VPN client connection will pass phase 1 and authenticate the user. Immediately after successful authentication, the connection will drop and I will find the following error in the ASA log:
rejecting IPSEC tunnel, no matching crypto map entry for remote proxy 192.168.251.XXX(IP address assigned by the ASA's DHCP pool for remote access) on interface outside.
My configuration looks like this. Any assistance would be greatly appreciated.
hostname REMOTEASA
enable password XXXXXXXX encrypted
passwd XXXXXXX encrypted
names
name 192.0.0.0 MainOffice
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.255.0
access-list 101 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit ip any any
access-list 102 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit udp any any
access-list 102 extended permit tcp any any
access-list 103 extended permit ip 192.168.251.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list NO_NAT_RA extended permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list NO_NAT_RA extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.255.0
access-list Split standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAPool 192.168.251.100-192.168.251.120
icmp unreachable rate-limit 10 burst-size 5
no asdm history
enable arp
timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 0 192.168.251.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable http 192.168.1.0 255.255.255.0 inside
http CityOffice 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps
snmp authentication
crypto ipsec transform-set CryptoSet esp-aes-256 esp-sha-hmac
crypto ipsec transform-set RA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 match address RemoteIPs
crypto dynamic-map dyn1 1 set transform-set RA
crypto map outside_map0 1 match address 101
crypto map outside_map0 1 set peer 20.20.20.1
crypto map outside_map0 1 set transform-set CryptoSet
crypto map outside_map0 interface outside
crypto map mymap 100 ipsec-isakmp dynamic dyn1
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign local reuse-delay 5
telnet 192.168.1.0 255.255.255.0 inside
telnet MainOffice 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics
tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value 101
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
group-policy R_A internal
group-policy R_A attributes
vpn-tunnel-protocol IPSec
group-lock value RAGroup
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
username testuser password XXXXXXXX encrypted privilege 15
username testuser attributes
vpn-group-policy R_A
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
pre-shared-key *
tunnel-group RAGroup type remote-access
tunnel-group RAGroup general-attributes
address-pool RAPool
tunnel-group RAGroup ipsec-attributes
pre-shared-key *
!
!
!
policy-map global_policy
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
I'm attempting to reconfigure an in-place ASA5505 to support both site-to-site VPNS (in place and working for some time) and remote access VPNs (where I'm stuck). The issue I'm running into is this - the VPN client connection will pass phase 1 and authenticate the user. Immediately after successful authentication, the connection will drop and I will find the following error in the ASA log:
rejecting IPSEC tunnel, no matching crypto map entry for remote proxy 192.168.251.XXX(IP address assigned by the ASA's DHCP pool for remote access) on interface outside.
My configuration looks like this. Any assistance would be greatly appreciated.
hostname REMOTEASA
enable password XXXXXXXX encrypted
passwd XXXXXXX encrypted
names
name 192.0.0.0 MainOffice
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.255.0
access-list 101 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit ip any any
access-list 102 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit udp any any
access-list 102 extended permit tcp any any
access-list 103 extended permit ip 192.168.251.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list NO_NAT_RA extended permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list NO_NAT_RA extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.255.0
access-list Split standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAPool 192.168.251.100-192.168.251.120
icmp unreachable rate-limit 10 burst-size 5
no asdm history
enable arp
timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 0 192.168.251.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable http 192.168.1.0 255.255.255.0 inside
http CityOffice 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps
snmp authentication
crypto ipsec transform-set CryptoSet esp-aes-256 esp-sha-hmac
crypto ipsec transform-set RA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 match address RemoteIPs
crypto dynamic-map dyn1 1 set transform-set RA
crypto map outside_map0 1 match address 101
crypto map outside_map0 1 set peer 20.20.20.1
crypto map outside_map0 1 set transform-set CryptoSet
crypto map outside_map0 interface outside
crypto map mymap 100 ipsec-isakmp dynamic dyn1
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign local reuse-delay 5
telnet 192.168.1.0 255.255.255.0 inside
telnet MainOffice 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics
tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value 101
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
group-policy R_A internal
group-policy R_A attributes
vpn-tunnel-protocol IPSec
group-lock value RAGroup
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
username testuser password XXXXXXXX encrypted privilege 15
username testuser attributes
vpn-group-policy R_A
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
pre-shared-key *
tunnel-group RAGroup type remote-access
tunnel-group RAGroup general-attributes
address-pool RAPool
tunnel-group RAGroup ipsec-attributes
pre-shared-key *
!
!
!
policy-map global_policy
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context