Sorry I am on the inside trying to reacha remote network.

XP -> ASA -> Internet -> Destination Network

Hi Michael,

Does the destination network have an ASA? I just wanted to know where the VPN tunnel terminates.

Regards,

Anu

I'm not sure what it terminates at, to futher complicate things I can establish other connections from the same XP machine using the same client but using IPSec/UDP....

Hi Michael,

So, if you're using remote access VPN, you will be on the outside trying to connect to the inside of your network securely. The topology will be:

XP -> Internet-> ASA -> Destination Network

Here, the VPN tunnel is not forming because the machine is behind the ASA.

Here is a link for your reference:http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html

Hope this is clear.

Regards,

Anu

P.S Please mark the question as resolved if it has been answered. Do rate helpful posts.

I am behind the ASA(we'll call it A) trying to connect a remote network (B)

XP(where I am) -> ASA (My Firewall) -> Internet -> Remote Network (My destination)

Here is the an attempt being made to connect to the remote network. 

I never see a inbound connection built...anyone have thoughts on this? It would very helpful and appreciated

Hi Michael,

As I understand that IPSec traffic is from inside to outside, you would need to use one to one static nat , or

if you want to use PAT, in that case nat-t should be enabled on the remote end vpn server. (or the device through which you would be access the remote device)

Also add the following:

policy-map global_policy

class inspection_default

  inspect ipsec-pass-thru

Inspect ipsec-pass-thru should also be enabled on the firewall.

The IPSec inspection is not supported with PAT.  That is why there are port translation failed syslogs for the IP protocol 50 traffic (ESP).  The purpose of the IPSec inspection is to allow the return ESP traffic on the outside for a

corresponding outbound UDP/500 IPSec connection.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1668213

Let me know if it worked?

Thanks,
Sai

I'm unable to add the following

policy-map global_policy

class inspection_default

inspect ipsec-pass-thru

when i'm at the prompt below

RWFW1(config-pmap)# class inspection_

RWFW1(config)# class inspection_default

RWFW1(config-cmap)# inspect ipsec-pass-thru

                      ^

ERROR: % Invalid input detected at '^' marker.

RWFW1(config-cmap)#

You need to enter the commands with the folllowing syntax:

ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)#  class inspection_default

ciscoasa(config-pmap-c)# inspect ipsec-pass-thru

"RWFW1(config-pmap)# class inspection_" do not hit TAB, its the NAME of the class-map, you will have to type.

Hope this helps.

thanks,

Sai

Saikiran Nair,

     I've updated my config and still seem to be having a problem, the updated config is below please let know me know where I'm going wrong, and thanks to everyone who has been helping.

hostname RWFW1
enable password
passwd
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.248
!
interface Vlan100
nameif RWLAN
security-level 100
ip address 10.1.1.1 255.255.254.0
!
interface Vlan110
nameif RWQA
security-level 100
ip address 10.1.16.1 255.255.255.0
!
interface Vlan120
nameif DMZ
security-level 80
ip address 192.168.251.241 255.255.255.240
!
interface Vlan130
nameif RWGST
security-level 50
ip address 172.17.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 100
!
interface Ethernet0/3
switchport trunk allowed vlan 120
switchport mode trunk
!
interface Ethernet0/4
switchport access vlan 130
!
interface Ethernet0/5
switchport access vlan 110
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 4.2.2.1
same-security-traffic permit inter-interface
object-group network ABC
network-object host 9.9.9.9
network-object 9.9.9.9  255.255.255.0
network-object 9.9.9.9 255.255.255.0
object-group service DM_INLINE_SERVICE_0
service-object esp
service-object udp eq 1701
service-object udp eq 4500
service-object udp eq isakmp
service-object ah
service-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq 3389
object-group service DM_INLINE_UDP_1 udp
port-object eq 4500
port-object eq isakmp
access-list outside_cryptomap extended permit ip 192.168.251.240 255.255.255.240 object-group ABC
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host 1.2.3.4 log alerts
access-list outside_access_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list ipsecpassthruacl extended permit udp any any eq isakmp
pager lines 24
logging enable
logging asdm informational
logging class auth asdm informational
mtu inside 1500
mtu outside 1500
mtu RWLAN 1500
mtu RWQA 1500
mtu DMZ 1500
mtu RWGST 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any RWQA
no asdm history enable
arp timeout 14400
nat-control
global (inside) 11 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 255.255.255.0
nat (RWLAN) 1 0.0.0.0 0.0.0.0
nat (RWQA) 1 0.0.0.0 0.0.0.0
nat (RWGST) 1 0.0.0.0 0.0.0.0
static (RWQA,RWLAN) 10.1.16.0 10.1.16.0 netmask 255.255.255.0
static (DMZ,RWLAN) 192.168.251.240 192.168.251.240 netmask 255.255.255.240
static (RWLAN,outside) 1.2.3.4 10.1.1.14 netmask 255.255.255.255
static (RWLAN,RWQA) 10.1.0.0 10.1.0.0 netmask 255.255.254.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.0.0 255.255.254.0 RWLAN
snmp-server host RWLAN 10.1.1.17 community Rwerks
snmp-server location Corporate Office
snmp-server contact Reddwerks IT
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 8.8.8.8
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.1.0.0 255.255.254.0 RWLAN
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.16.151-10.1.16.200 RWQA
dhcpd dns 10.1.1.10 interface RWQA
dhcpd option 3 ip 10.1.16.1 interface RWQA
dhcpd enable RWQA
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group ABC type ipsec-l2l
tunnel-group ABC ipsec-attributes
pre-shared-key *
!
class-map ipsecpassthru-traffic
match access-list ipsecpassthruacl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect ipsec-pass-thru iptmap
parameters
  esp per-client-max 10 timeout 0:11:00
  ah per-client-max 5 timeout 0:06:00
policy-map inspection_policy
class ipsecpassthru-traffic
  inspect ipsec-pass-thru iptmap
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect ipsec-pass-thru
class ipsecpassthru-traffic
  inspect ipsec-pass-thru
!
service-policy global_policy global
service-policy inspection_policy interface outside
prompt hostname context

Could you please remove the multiple instances of inspect ipsec-pass-thru, we are just trying to clean the configuration and make sure the inspect ipsec-pass-thru we configured is taking effect.

Could you also send me the syslogs at the time you try the IPSec pass through the ASA.

Also, if we could setup captures for the traffic on the ASA, and capture the traffic traversing through the ASA.

Here is a reference link for setting up captures on ASA:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Thanks,

Sai

Attached are the syslog and packet capture output......

Seems odd that the packet capture isn't showing anything in egress