topic ASA 5505 ssl work ipsec does not in Network Security

ASA 5505 ssl work ipsec does not

roger perkin — Tue, 12 Mar 2019 01:17:04 GMT

I am trying to configure an IPSEC vpn on an ASA5505

I setup an SSL vpn and it works fine, I can browse to the https: address log in and connnect to servers

However when I try to setup the ipsec client access vpn it will not connect and I am getting the errors below

I used the wizard for the initial configuration

Looks like the inital IKE is being blocked or dropped?

%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/500

%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/137

Roger

ASA 5505 ssl work ipsec does not

Julio Carvajal — Wed, 20 Mar 2013 19:38:00 GMT

Hello

do you have the

crypto isakamp enable outside configured?

What version are you running?

ASA 5505 ssl work ipsec does not

roger perkin — Wed, 20 Mar 2013 19:54:36 GMT

crypto ikev2 enable external

crypto ikev1 enable external

Running version 8.4(1)

The ssl works perfectly

I then configured the IPSEC using the wizard and it wont' connect?

Scratching my head a bit

Thanks

Roger

ASA 5505 ssl work ipsec does not

Julio Carvajal — Wed, 20 Mar 2013 20:29:41 GMT

Hello Roger,

Can you share the configuration so I can take a quick look at it

ASA 5505 ssl work ipsec does not

roger perkin — Wed, 20 Mar 2013 23:00:12 GMT

Problem nearly fixed, I rebooted the firewall and I am now able to log in

However traffic is only flowing one way lots of encrypted packets but 0 decrypted

Also my split tunnel does not seem to be working.

I will get the config into this post soon

Thanks

Roger

ASA 5505 ssl work ipsec does not

Julio Carvajal — Wed, 20 Mar 2013 23:11:02 GMT

Hello,

Then we will need to check the confi

ASA 5505 ssl work ipsec does not

roger perkin — Thu, 21 Mar 2013 00:00:13 GMT

Ok, I am getting this error when pinging an internal host from the connected vpn client

VPN client is on 172.16.24.2 internal host is on 192.168.100.37

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src external:172.16.24.2 dst internal:192.168.100.37 (type 8, code 0) denied due to NAT reverse path failure

object network obj-192.168.50.10

host 192.168.50.10

object network obj-192.168.50.20

host 192.168.50.20

object network obj-192.168.50.21

host 192.168.50.21

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network NETWORK_OBJ_10.10.1.0_28

subnet 10.10.1.0 255.255.255.240

object network vpn_clients

subnet 192.168.199.0 255.255.255.0

object network 192.168.100.0

subnet 192.168.100.0 255.255.255.0

object network NETWORK_OBJ_192.168.199.0_24

subnet 192.168.199.0 255.255.255.0

object network VPN_172

subnet 172.16.24.0 255.255.255.0

object-group service RDP tcp

port-object eq 3389

object-group service SQL tcp

port-object eq 1433

object-group service RDP-SQL tcp

group-object RDP

group-object SQL

access-list outside_in extended permit udp any any log

access-list network_10_access_in extended permit ip interface internal any

access-list external_access_in extended permit ip object NETWORK_OBJ_192.168.199.0_24 interface internal

access-list external_access_in extended permit tcp any any inactive

access-list from_outside extended permit icmp any any log

access-list from_outside extended permit icmp any any echo

access-list split_VPN_Split standard permit 192.168.100.0 255.255.255.0

access-list external_access_in_1 extended permit ip object NETWORK_OBJ_192.168.199.0_24 192.168.100.0 255.255.255.0

access-list external_access_in_1 extended permit ip object VPN_172 192.168.100.0 255.255.255.0

pager lines 24

nat (internal,external) source static any any destination static NETWORK_OBJ_10.10.1.0_28 NETWORK_OBJ_10.10.1.0_28

nat (internal,external) source static 192.168.100.0 192.168.100.0 destination static NETWORK_OBJ_192.168.199.0_24 NETWORK_OBJ_192.168.199.0_24

nat (internal,external) source static any any destination static NETWORK_OBJ_192.168.199.0_24 NETWORK_OBJ_192.168.199.0_24

object network obj-192.168.50.10

nat (internal,external) static 192.168.0.81

object network obj-192.168.50.20

nat (internal,external) static 192.168.0.230

object network obj-192.168.50.21

nat (internal,external) static 192.168.0.231

object network obj_any

nat (internal,external) dynamic interface

object network obj_any-01

nat (internal,external) dynamic obj-0.0.0.0

access-group network_10_access_in in interface internal

access-group external_access_in_1 in interface external

route external 0.0.0.0 0.0.0.0 4.5.6.7.1 1

route internal 10.10.10.0 255.255.255.255 192.168.100.1 1

ASA 5505 ssl work ipsec does not

Julio Carvajal — Thu, 21 Mar 2013 05:55:00 GMT

Hello,

Try

nat (inside,outside) 1 source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172

Regards

ASA 5505 ssl work ipsec does not

roger perkin — Thu, 21 Mar 2013 08:30:18 GMT

Thanks for that, we are now one step closer!

Now getting this error

%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.2 on interface external to 192.168.100.37: no matching session

ASA 5505 ssl work ipsec does not

roger perkin — Thu, 21 Mar 2013 08:40:57 GMT

Thanks for your replies, I have marked the nat as the correct answer, after much head stratching, I have now realised the porblem.

This is another firewall added to the network.

The default gateway of the client I am pinging is another firewall so the ping is going in and then going back to the main firewall.

My issue lies on the internal network.

Thanks

Roger

ASA 5505 ssl work ipsec does not

Julio Carvajal — Thu, 21 Mar 2013 15:08:28 GMT

Hello Roger,

Glad to know that I could help,

Have a great day