VPN remote access issue + ASA5505 Security plus

informaticien9 — Tue, 12 Mar 2019 04:41:44 GMT

Hi There,

I'm trying to setup VPN remote access usinf ASA 5505 security plus but without success

I request your help please and any idea will be appreciated ,thanks in advance

My architecture is:

ISP Router (With LAN IP : 192.168.1.1 and IP public : 81.xxx.xxx.17) ------> ASA5505---->PC (inside)

ETHO/O which outside = 192.168.1.254

ETH0/1 which inside = 10.10.10.1

I installed Cisco VPN client in a laptop from another location entirely and tried to connect to my VPN from outside my internal LAN but without succes

configuration client vpn cisco :

Host : 81.xxx.xxx.17 (public ip of my ISP router)

Name : login VPN created on the asa

password: ***********

I don't know if I missed something

my configuration is bellow :

ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.20.30.32 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnmu 10.20.30.40-10.20.30.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 62.251.229.237 62.251.229.223
!
dhcpd address 10.10.10.10-10.10.10.20 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnmu internal
group-policy vpnmu attributes
 dns-server value 62.251.229.237 8.8.8.8
 vpn-tunnel-protocol IPSec
username muasa password cr81rjPsGHck2wCU encrypted privilege 15
username azizaout password 0oUjcv75MaNxYqi3 encrypted privilege 0
username azizaout attributes
 vpn-group-policy vpnmu
tunnel-group vpnmu type remote-access
tunnel-group vpnmu general-attributes
 address-pool vpnmu
 default-group-policy vpnmu
tunnel-group vpnmu ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2b5ba1299d6818e0a753b1a7bce7a521
: end

Hi, Seems to me that you have

Jouni Forss — Mon, 01 Sep 2014 08:32:07 GMT

Hi,

Seems to me that you have a ISP Router that is doing NAT in front of the ASA. The ISP Router holds the actual public IP address.

On a quick glance it seems to me that the VPN configuration might be ok.

The question is: Have you forwarded the required ports on the ISP Router towards the external interface IP address of the ASA? Or is there perhaps a Static NAT on the ISP Router for the public IP address that uses the ASAs external interface as the local address of the Static NAT?

If you are just going to forward ports then you need to forward UDP/500 and UDP/4500 to my understanding.

You also have to check the Cisco VPN Client connection profile settings and check that you have enabled "Transparent Tunneling"

- Jouni

Hi Jouni,you saved me on this

informaticien9 — Mon, 01 Sep 2014 21:03:08 GMT

Hi Jouni,

you saved me on this , thank you very much !!!

I forwarded the ports 500 ,4500 UDP to ETH 0/0 (outside) and Cisco VPN client has succefully connected and I can browse the internet (as I activated split tunnulling) on ASA

but I can't ping the inside hosts from VPN and I can't access share folder ,rdp....

and I can't ping ASA

AlsoI tried to ping from ASA (10.10.10.1) to vpn host (192.168.104.2) but it doesn't work

I don't know what's the issue ? Can you please take a look at my below config and tell me what's wrong?

Thanks in advance

Aziz

Hi there,any idea please to

informaticien9 — Tue, 02 Sep 2014 20:21:30 GMT

Hi there,

any idea please to help me fixing the issue below?

Thanks in advance

You may need to enable isakmp

cisco.met.co.uk — Wed, 03 Sep 2014 12:40:23 GMT

You may need to enable isakmp nat traversal as the ISP router is carrying out NAT.

crypto isakmp nat-traversal <keepalive value in seconds>

Default value or keepalive is 20 secinds and the value can be 10 to 3600

Hi ,Thanks for your replyI

informaticien9 — Mon, 08 Sep 2014 10:21:08 GMT

Hi ,

Thanks for your reply

I added this command but unfortunately the issue still persist

any other idea please?

Thank you