topic Re: Remote access VPN getting error in Network Security

Remote access VPN getting error

mitang.prajapati — Mon, 11 Mar 2019 19:59:40 GMT

Hello support, i had configure belowed on ASA 5540, now i got error to connect from internet outside to inside server.

THis is my remote access vpn configuration

One(config)#
hash sha
group 2
isakmp enable outside
ip local pool SDC!GSIDC 192.168.10.1-192.168.10.15 netmask 255.255.255.0
username Dc2Idc password password
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group tesTGroup type ipsec-ra
tunnel-group tesTGroup general-attributes
tunnel-group tesTGroup ipsec-attributes
pre-shared-key 1234567812

crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside

crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

access-list 101 extended permit ip host 192.168.4.222 192.168.10.0 255.255.255.0

Re: Remote access VPN getting error

Jennifer Halim — Wed, 02 Mar 2011 11:58:05 GMT

Sorry, not quite sure where it is actually failing.

Do you mean to say after you are connected to the VPN, you are not able to connect to an inside server?

Or, you are not able to connect to an inside server after you configure the VPN, however, you are not using the vpn?

Can you please advise what is the ip address of the inside server that you try to access?

Also lastly, the full config would help to understand what might cause the failure. Thanks.

Re: Remote access VPN getting error

mitang.prajapati — Wed, 02 Mar 2011 12:09:35 GMT

Hello Jennifer,

Actully we are try to connecte from internet but its not getting connecting.

My server IP 192.168.4.222 which are inside

crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255
access-list INSIDE_access_in extended permit tcp host 192.168.4.222 any
access-list INSIDE_access_in extended permit udp host 192.168.4.222 host 222.156.20.15 eq domain

Re: Remote access VPN getting error

Jennifer Halim — Wed, 02 Mar 2011 12:45:53 GMT

What is the ip address of the outside interface and its subnet?

Also what is the access-list that is applied to the outside interface. Please share those access-list.

VPN configuration will not affect the access towards the server.

Was this access working before?

I am assuming that you are accessing the server with its public ip address (59.100.90.46), and also how are you accessing the server? http or ping or what exactly is this server for?

Re: Remote access VPN getting error

mitang.prajapati — Wed, 02 Mar 2011 12:45:54 GMT

Hello jennifer,

PFA

Re: Remote access VPN getting error

Jennifer Halim — Wed, 02 Mar 2011 12:49:57 GMT

You haven't included the full config yet, and most importantly the access-list "outside_access_in".

Also, what ip addres is 59.144.97.46? it is not in the same subnet as your ASA outside interface. Is this being routed towards your ASA outside interface? Do you own that IP? or is this IP assigned by your ISP? just wondering if it has been routed correctly towards the ASA outside interface?

Re: Remote access VPN getting error

mitang.prajapati — Wed, 02 Mar 2011 12:50:06 GMT

Sorry for delayed replay,

We are accessing server with remote desktop port server i.e 3389,

This is 1st time configureed.

and i had attached my actul configuration to my DC.

Kindly forgot my previous configuration.

Re: Remote access VPN getting error

mitang.prajapati — Wed, 02 Mar 2011 12:58:33 GMT

Hello Jenifer,

We could not upload full configuration to this so i had uploded specific configuration. we are sorry for this.

But if you want any specific configuration than let me know.

below the outside acl

access-list outside_access_in extended permit tcp any host 58.4.90.1 eq 3389

Re: Remote access VPN getting error

Jennifer Halim — Wed, 02 Mar 2011 13:07:16 GMT

OK, so i assume that you would like to NAT 192.168.4.222 to the ASA outside interface ip address (58.4.90.1) which is what is stated on your access-list

"outside_access_in". So if the above is a correct statement then the following static line is incorrect:

static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255

Please remove that, and configure the following instead:

no static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255

static (INSIDE,outside) tcp interface 3389 192.168.4.222 3389 netmask 255.255.255.255

Then "clear xlate" after the above changes.

You should be able to RDP to 58.4.90.1 from the internet and that would RDP to your inside server: 192.168.4.222

Re: Remote access VPN getting error

mitang.prajapati — Wed, 02 Mar 2011 13:13:02 GMT

Hello Jennifer,

You are right, but for VPN connectivity how we give this server to outsode without using this port 3389.

Is there any change in configuration for remote access server via cisco client 5.0 ?

Re: Remote access VPN getting error

Jennifer Halim — Wed, 02 Mar 2011 13:18:27 GMT

For remote access VPN, you can create NAT exemption and directly RDP to the server using its private ip address (192.168.4.222).

Here is the config for NAT exemption if you don't already have it:

access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0

nat (INSIDE) 0 access-list nonat

Re: Remote access VPN getting error

mitang.prajapati — Wed, 02 Mar 2011 13:25:46 GMT

hello Jennifer,

These was not work and no log generate.