VPN issues on Cisco ASA - need to clean up crypto maps?

mark
Level 1

I have an ASA that works just fine with Windows 7/8/8.1 and the Cisco IPSEC client. Have a Windows 10 machine and the Cisco client does not install. Using the Shrew Soft client to connect to many other ASAs without an issue, but this one gives me fits. Authentication is fine, but as soon as any traffic (even a ping) goes to the ASA the connection is dropped. I looked at the config on the ASA, and it looks a little convoluted. Can someone help me clean this up? Changed a few names to protect the innocent.

Just a snip from the VPN part of things...

crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map MAP 100 set ikev1 transform-set AES256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer OTHER_ASA_IP
crypto map outside_map2 1 set ikev2 ipsec-proposal AES256
crypto map outside_map2 2 match address outside_cryptomap_1
crypto map outside_map2 2 set pfs
crypto map outside_map2 2 set peer OTHER_ASA_IP
crypto map outside_map2 2 set ikev2 ipsec-proposal AES256
crypto map outside_map2 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map2 interface outside
crypto map wlguest_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wlguest_map interface wlguest
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 enable wlguest
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 15
ssh scopy enable
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 15

webvpn
group-policy VPN-Policy internal
group-policy VPN-Policy attributes
 dns-server value 10.0.0.35
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_vpn
 default-domain value domain.local
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev2
group-policy GroupPolicy_Other_site_ASA internal
group-policy GroupPolicy_Other_site_ASA attributes
 vpn-tunnel-protocol ikev2
tunnel-group firestone type ipsec-l2l
tunnel-group firestone ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group insync type remote-access
tunnel-group insync general-attributes
 address-pool ip-pool-firestone_vpn
 authentication-server-group radius LOCAL
 default-group-policy VPN-Policy
tunnel-group insync ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Marketing type remote-access
tunnel-group Marketing general-attributes
 address-pool ip-pool-firestone_vpn
 authentication-server-group radius LOCAL
 default-group-policy VPN-Policy
tunnel-group Marketing ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group OTHER_ASA_IP type ipsec-l2l
tunnel-group OTHER_ASA_IP general-attributes
 default-group-policy GroupPolicy_Other_site_ASA
tunnel-group OTHER_ASA_IP ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 address-pool ip-pool-firestone_vpn
 authentication-server-group radius LOCAL
 default-group-policy VPN-Policy
tunnel-group Engineering ipsec-attributes
 ikev1 pre-shared-key *****

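A small audit script for the "clean this up" part of the question, added here as an example and not part of the original post or of any Cisco tooling: it walks the IKEv1 crypto lines and reports transform-sets nothing references, dynamic-maps never bound to a crypto map (the post's `MAP 100` is one), and legacy algorithms such as DES, MD5 and `dh-group1-sha1` that are still offered. The embedded config is a constructed, condensed subset of the snippet above.

```python
# Constructed sample: a condensed subset of the crypto lines from the post above.
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map MAP 100 set ikev1 transform-set AES256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-DES-MD5 ESP-3DES-SHA
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map2 interface outside
crypto map wlguest_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
ssh key-exchange group dh-group1-sha1
"""

# Algorithms a reviewer would flag as legacy in an IKEv1/SSH configuration.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "dh-group1-sha1"}


def audit(config):
    """Return (unused transform-sets, unbound dynamic-maps, legacy findings)."""
    tsets = {}           # transform-set name -> list of ESP algorithms
    dyn_refs = {}        # dynamic-map name -> transform-set names it offers
    bound_dyn = set()    # dynamic-maps actually attached to a crypto map
    static_refs = set()  # transform-sets named directly by a static crypto map entry
    findings = []
    for line in config.splitlines():
        f = line.split()
        if f[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            tsets[f[4]] = f[5:]
        elif f[:2] == ["crypto", "dynamic-map"] and "transform-set" in f:
            dyn_refs.setdefault(f[2], set()).update(f[f.index("transform-set") + 1:])
        elif f[:2] == ["crypto", "map"] and "dynamic" in f:
            bound_dyn.add(f[f.index("dynamic") + 1])
        elif f[:2] == ["crypto", "map"] and "transform-set" in f:
            static_refs.update(f[f.index("transform-set") + 1:])
        elif f[:3] == ["ssh", "key-exchange", "group"] and len(f) > 3 and f[3] in LEGACY:
            findings.append(("ssh key-exchange", f[3]))
    # A transform-set is in use only if a bound dynamic-map or a static entry names it.
    used = set(static_refs)
    for name in bound_dyn:
        used |= dyn_refs.get(name, set())
    for name in sorted(used):
        findings += [(name, a) for a in tsets.get(name, []) if a in LEGACY]
    return set(tsets) - used, set(dyn_refs) - bound_dyn, findings


if __name__ == "__main__":
    unused, unbound, legacy = audit(ASA_CONFIG)
    print("unused transform-sets:", sorted(unused))
    print("dynamic-maps not bound to any crypto map:", sorted(unbound))
    print("legacy algorithms still offered:", legacy)
```

Run it against `show running-config crypto` output saved to a file instead of the constructed sample; anything it lists as unused or unbound is dead configuration that can be removed without affecting live tunnels.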