Cisco NewB with a console cable, ASA-5505 & alot of grief! please please help!

[sulucohmun]

Hello!

So I'm not daft here, but I'm not a "cisco guy". I've been hired on by a small business to help them out a bit.

They have a pretty particular network setup that involves a Cisco ASA-5505 acting as a router that establishes an IPSec/L2L VPN tunnel to a data center. From what I can see using "show running-config" the VPN tunnel is using a pre-shared key and "DefaultRAGroup". I have the pre-shared key from running "show running-config as admin" it looks something like: "prey-shared-key &*gh34836j7372j73" & I know the hostname of the ASA-5505...

My issue is this, my boss has asked me to get his home desktop windows 8 computer connected to the same VPN that the cisco ASA-5505 router connects to at work(this allows them to access an internal terminal services server and connect to their RDP resources) so that he can access the same internal resources from his home. I have a cisco console cable I soldered up & the console password for full admin access. I've logged in and run every "show ___" command that exists in IOS to try and figure out how this VPN link is setup, and still can't figure out how to get windows 8 to connect to the VPN.

If I add a VPN connection in windows 8, set it to IPSec L2TP, click advanced & put in the pre-shared key, and click "allow these protocols & select all three options one at a time or all 3 at the same time: PAP, CHAP, CHAPv2 -- each time I am asked for a username and password and I can't for the life of me understand what I am supposed to enter for the username and password?

I did not see anything about a username or password anywhere in the cisco ASA-5505 issuing every "show ?" command that exists.

Please, Please help! You will be saving so much trouble I can't even begin to express just how much!

Thank You so very much ahead of time for ANY help no matter how small, I have been trying to figure this out for over 3 weeks now.

--S.O
Edit/Delete Message

 

[VinceWhirlwind]

Check the rest of the VPN, IKE & IPSEC config.

If it's a route-based VPN, it won't work, because the other end is looking for its particular peer. In fact, even policy-based you'll have the same problem, from memory.

Give us a sanitised version of the ASA's VPN config to see.

 

[sulucohmun]

SANITIZED VERSION OF "show running-config":


------------------ show running-config ------------------

: Saved
:
ASA Version 7.2(4)
!
hostname CISCO-ASA
enable password <removed>
passwd <removed>
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.30.3.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 77.33.313.216 255.255.255.248
<--- More --->

!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp 10.1.150.0 255.255.255.0 172.30.3.0 255.255.255.0 eq 9100
access-list outside_access_in extended permit tcp 10.1.150.0 255.255.255.0 172.30.3.0 255.255.255.0 eq lpd
access-list nonatvpn extended permit ip 172.30.3.0 255.255.255.0 10.1.150.0 255.255.255.0
<--- More --->

access-list DATACENTER-VPN extended permit ip 172.30.3.0 255.255.255.0 10.1.150.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 77.33.313.213 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
<--- More --->

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
no sysopt connection permit-vpn
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map oasismap 1 match address DATACENTER-VPN
crypto map oasismap 1 set pfs
crypto map oasismap 1 set peer 316.282.67.5
crypto map oasismap 1 set transform-set ESP_3DES_SHA
crypto map oasismap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 316.282.2.0 255.255.255.0 outside
ssh 316.282.73.0 255.255.255.0 outside
ssh timeout 60
<--- More --->

console timeout 0
management-access inside
dhcpd dns 5.3.3.3 5.3.3.2
dhcpd auto_config outside
!
dhcpd address 272.30.3.60-272.40.3.85 inside
dhcpd enable inside
!

tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 316.282.67.5 type ipsec-l2l
tunnel-group 316.282.67.5 ipsec-attributes
prey-shared-key &*gs28643y7285g42
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
!
prompt hostname context
Cryptochecksum:43h8s6j1n53agaf5hrr87j7566jhg657
: end
<--- More --->


------------------ show startup-config errors ------------------

INFO: No configuration errors

------------------ console logs ------------------

Message #1 : Message #2 : Message #3 : Message #4 : Message #5 : Message #6 : Message #7 : Message #8 : Message #9 : Message #10 : Message #11 : Message #12 : Message #13 : Message #14 :
Total SSMs found: 0
Message #15 :
Total NICs found: 10
Message #16 : 88E6095 rev 2 Gigabit Ethernet @ index 09Message #17 : MAC: 0000.0003.0002
Message #18 : 88E6095 rev 2 Ethernet @ index 08Message #19 : MAC: 0027.0dc4.f1ae
Message #20 : 88E6095 rev 2 Ethernet @ index 07Message #21 : MAC: 0027.0dc4.f1ad
Message #22 : 88E6095 rev 2 Ethernet @ index 06Message #23 : MAC: 0027.0dc4.f1ac
Message #24 : 88E6095 rev 2 Ethernet @ index 05Message #25 : MAC: 0027.0dc4.f1ab
Message #26 : 88E6095 rev 2 Ethernet @ index 04Message #27 : MAC: 0027.0dc4.f1aa
Message #28 : 88E6095 rev 2 Ethernet @ index 03Message #29 : MAC: 0027.0dc4.f1a9
Message #30 : 88E6095 rev 2 Ethernet @ index 02Message #31 : MAC: 0027.0dc4.f1a8
Message #32 : 88E6095 rev 2 Ethernet @ index 01Message #33 : MAC: 0027.0dc4.f1a7
Message #34 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0027.0dc4.f1af
Message #35 :
Licensed features for this platform:
Message #36 : Maximum Physical Interfaces : 8
<--- More --->

Message #37 : VLANs : 3, DMZ Restricted
Message #38 : Inside Hosts : 50
Message #39 : Failover : Disabled
Message #40 : VPN-DES : Enabled
Message #41 : VPN-3DES-AES : Enabled
Message #42 : VPN Peers : 10
Message #43 : WebVPN Peers : 2
Message #44 : Dual ISPs : Disabled
Message #45 : VLAN Trunk Ports : 0
Message #46 :
This platform has a Base license.
Message #47 :
Message #48 : Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Message #49 : Boot microcode : CNlite-MC-Boot-Cisco-1.2
Message #50 : SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
Message #51 : IPSec microcode :
CNlite-MC-IPSECm-MAIN-2.05
Message #52 :
Cisco Adaptive Security Appliance Software Version 7.2(4)
Message #53 :
Message #54 : ****************************** Warning *******************************
Message #55 : This product contains cryptographic features and is
Message #56 : subject to United States and

 

[sulucohmun]

I understand what you mean, that if it's route based it's looking for a particular peer -- as in, it's only going to accept a connection from the public ip address at the office even if I have the pre-shared key.

If this is the case -- the cisco asa-5505 has a VPN "client" configured to connect to this "datacenter" where our terminal server/rdp resources reside, is it possible to run a "vpn server" on the cisco asa-5505 as well & connect to that VPN server and access the resources that way? Kind of like a "VPN tunneling through the already existing VPN tunnel"?

Thank you so very much.
--S.O

 

[sulucohmun]

We have no ability to serve anything to the public world/wan/internet or reach any of our machines that live behind this ASA from outside of the office because of the way that this is all set-up, and we need to do so, we plan on serving a few public resources from this location in the very near future. This VPN is only used exclusively for RDP connections in our usage scenario -- I imagine that the original tech could have done something along the lines of use routes to send only traffic destined for the RDP port through the VPN tunnel so we would be left with a relatively usable public static IP on our end? (this is totally unrelated to my original question, and I am interested in a fix for the original question more than anything).

However..any other outside the box ideas are totally welcome too.



Thank You so very much,
--S.O

 

[sulucohmun]

Even IF this is a "route based" VPN connection that can only be reached from the office's public static IP address -- the ability to move the VPN configuration from the ASA-5505 to the individual machines & configure reach individual desktop to connect to the VPN and remove the VPN/Cisco router entirely would be more ideal than our current set-up.

I just don't know what I would put into the vpn client, and what vpn client to use to test this from the office. (unplug wan uplink from the asa-5505, plug it straight into a desktop, let the desktop get out public static ip that the cisco asa-5505 used to have, and then install a VPN client on the desktop -- I imagine I could use shrewsoft VPN client to test it, but I still would need a little help/hint on what to put into the client to check if it works through shrewsoft VPN client coming from the same static IP the asa used to have -- from what I can tell based on the line "crypto isakmp identity address" the IP address and not the hostname of the asa-5505 is what is being used for authentication along with the pre-shared key... )

I'll stop replying to my own post now.

Thanks ahead of time, very much.

--S.O

 

[VinceWhirlwind]

So, leave the existing VPN alone for the moment.

Look into configuring a dial-up VPN on the ASA for your remote clients.

The first thing to check is your ASA licence and what it allows - from memory, even the most basic licence allows some small number of VPN connections.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/svc.html

 

[sulucohmun]

Thank You soo much,
That sounds like a very reasonable route to take!

I'm going to buy a replacement asa-5505 to play with as I don't like the idea of playing on production hardware, at least that way I can always swap out the original ASA without worrying about messing anything up.

I will put out existing config on it & try and configure a dail-up VPN.

I'm sure I'll be back on this thread if I need any help with that.

Thank You so very much,

--S.O

 

[imbadatthis]

Sulucohmun:

- you may not need to purchase a new asa... ask the company aboot the contact information for your CISCo sales buy he can get you a test asa for a period of time.

-i believe the 5505 comes with 2 SSL VPN licenses which means you can publish a site for your boss to connect and from there he can RDP into whatever he wants.

setting up an SSL VPN is not too hard and its less painful than attempting to allow your boss's windows 8 machine to create a VPN connection .
create a - using ASDM if you like:
group policy
tunnel group
local username/password (assuming your company does not have tacacs,ldap, or radius) ...
create book marks that allow RDP to whatever resource he wants or allow end user to 'brows' RDP.

----

alternatively you are not creating a site to site VPN , you are creating a remote client vpn connection and your issue is most likely in the IKE part of things.
you need to create a dynamic crytpo map ..etc...

if you have ASDM this makes life a lot easier, if not, get ASDM it doesn't suck like it used to...


sorry aboot bad spelling, im half sleep and just off work,.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.