06-21-2011 11:43 AM - edited 03-11-2019 01:48 PM
Ok so here is the issue
I have a XP workstation behind my ASA that can not connect to a client's network via Cisco VPN Client using IPSec...
In the logs it shows the translation is working on 500 but the VPN Client has the error 412, that the client is not responding.
Config below, if anyone has any thoughts the sooner I can get this fixed the better
ASA Version 8.2(1)
!
hostname RWFW1
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Vlan100
nameif RWLAN
security-level 100
ip address 10.1.1.1 255.255.254.0
!
interface Vlan110
nameif RWQA
security-level 100
ip address 10.1.16.1 255.255.255.0
!
interface Vlan120
nameif DMZ
security-level 80
ip address 192.168.251.241 255.255.255.240
!
interface Vlan130
nameif RWGST
security-level 50
ip address 172.17.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 100
!
interface Ethernet0/3
switchport trunk allowed vlan 120
switchport mode trunk
!
interface Ethernet0/4
switchport access vlan 130
!
interface Ethernet0/5
switchport access vlan 110
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 4.2.2.1
same-security-traffic permit inter-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network SVC
network-object host a.a.a.a
network-object a.a.a.a 255.255.255.0
network-object a.a.a.a 255.255.255.0
object-group service DM_INLINE_SERVICE_0
service-object esp
service-object udp eq 1701
service-object udp eq 4500
service-object udp eq isakmp
service-object ah
service-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq 3389
access-list outside_cryptomap extended permit ip 192.168.251.240 255.255.255.240 object-group SVC
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host x.x.x.x log alerts
access-list RWLAN_access_out extended permit ip any any
access-list RWLAN_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging class auth asdm informational
mtu inside 1500
mtu outside 1500
mtu RWLAN 1500
mtu RWQA 1500
mtu DMZ 1500
mtu RWGST 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any RWQA
no asdm history enable
arp timeout 14400
nat-control
global (inside) 11 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 255.255.255.0
nat (RWLAN) 1 0.0.0.0 0.0.0.0
nat (RWQA) 1 0.0.0.0 0.0.0.0
nat (RWGST) 1 0.0.0.0 0.0.0.0
static (RWQA,RWLAN) 10.1.16.0 10.1.16.0 netmask 255.255.255.0
static (DMZ,RWLAN) 192.168.251.240 192.168.251.240 netmask 255.255.255.240
static (RWLAN,outside) a.a.a.a 10.1.1.14 netmask 255.255.255.255
static (RWLAN,RWQA) 10.1.0.0 10.1.0.0 netmask 255.255.254.0
access-group outside_access_in in interface outside
access-group RWLAN_access_out out interface RWLAN
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.0.0 255.255.254.0 RWLAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 12.46.119.201
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.16.151-10.1.16.200 RWQA
dhcpd dns 10.1.1.10 interface RWQA
dhcpd option 3 ip 10.1.16.1 interface RWQA
dhcpd enable RWQA
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group SVC type ipsec-l2l
tunnel-group SVC ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9fcc951db580d654444f363d5685f473
06-21-2011 12:01 PM
Hi,
Could you clarify your topology? Are you on the outside trying to access the internal network behind the ASA using remote access VPN? If yes, then you need to exempt VPN traffic from being NAT-ed.
access-list nonat permit ip host
nat (inside) 0 access-lists nonat
Let me know.
Regards,
Anu
P.S Please mark the question as resolved if it has been answered. Do rate helpful posts.
06-21-2011 12:05 PM
Sorry I am on the inside trying to reacha remote network.
XP -> ASA -> Internet -> Destination Network
06-21-2011 12:11 PM
Hi Michael,
Does the destination network have an ASA? I just wanted to know where the VPN tunnel terminates.
Regards,
Anu
06-21-2011 12:13 PM
I'm not sure what it terminates at, to futher complicate things I can establish other connections from the same XP machine using the same client but using IPSec/UDP....
06-21-2011 12:21 PM
Hi Michael,
So, if you're using remote access VPN, you will be on the outside trying to connect to the inside of your network securely. The topology will be:
XP -> Internet-> ASA -> Destination Network
Here, the VPN tunnel is not forming because the machine is behind the ASA.
Here is a link for your reference:http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html
Hope this is clear.
Regards,
Anu
P.S Please mark the question as resolved if it has been answered. Do rate helpful posts.
06-21-2011 12:27 PM
I am behind the ASA(we'll call it A) trying to connect a remote network (B)
XP(where I am) -> ASA (My Firewall) -> Internet -> Remote Network (My destination)
06-21-2011 01:22 PM
Here is the an attempt being made to connect to the remote network.
06-21-2011 04:26 PM
I never see a inbound connection built...anyone have thoughts on this? It would very helpful and appreciated
06-21-2011 08:30 PM
Hi Michael,
As I understand that IPSec traffic is from inside to outside, you would need to use one to one static nat , or
if you want to use PAT, in that case nat-t should be enabled on the remote end vpn server. (or the device through which you would be access the remote device)
Also add the following:
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
Inspect ipsec-pass-thru should also be enabled on the firewall.
The IPSec inspection is not supported with PAT. That is why there are port translation failed syslogs for the IP protocol 50 traffic (ESP). The purpose of the IPSec inspection is to allow the return ESP traffic on the outside for a
corresponding outbound UDP/500 IPSec connection.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1668213
Let me know if it worked?
Thanks,
Sai
06-23-2011 12:07 PM
I'm unable to add the following
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
when i'm at the prompt below
RWFW1(config-pmap)# class inspection_
RWFW1(config)# class inspection_default
RWFW1(config-cmap)# inspect ipsec-pass-thru
^
ERROR: % Invalid input detected at '^' marker.
RWFW1(config-cmap)#
06-23-2011 01:15 PM
You need to enter the commands with the folllowing syntax:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect ipsec-pass-thru
"RWFW1(config-pmap)# class inspection_" do not hit TAB, its the NAME of the class-map, you will have to type.
Hope this helps.
thanks,
Sai
06-23-2011 03:50 PM
Saikiran Nair,
I've updated my config and still seem to be having a problem, the updated config is below please let know me know where I'm going wrong, and thanks to everyone who has been helping.
hostname RWFW1
enable password
passwd
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.248
!
interface Vlan100
nameif RWLAN
security-level 100
ip address 10.1.1.1 255.255.254.0
!
interface Vlan110
nameif RWQA
security-level 100
ip address 10.1.16.1 255.255.255.0
!
interface Vlan120
nameif DMZ
security-level 80
ip address 192.168.251.241 255.255.255.240
!
interface Vlan130
nameif RWGST
security-level 50
ip address 172.17.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 100
!
interface Ethernet0/3
switchport trunk allowed vlan 120
switchport mode trunk
!
interface Ethernet0/4
switchport access vlan 130
!
interface Ethernet0/5
switchport access vlan 110
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 4.2.2.1
same-security-traffic permit inter-interface
object-group network ABC
network-object host 9.9.9.9
network-object 9.9.9.9 255.255.255.0
network-object 9.9.9.9 255.255.255.0
object-group service DM_INLINE_SERVICE_0
service-object esp
service-object udp eq 1701
service-object udp eq 4500
service-object udp eq isakmp
service-object ah
service-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq 3389
object-group service DM_INLINE_UDP_1 udp
port-object eq 4500
port-object eq isakmp
access-list outside_cryptomap extended permit ip 192.168.251.240 255.255.255.240 object-group ABC
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host 1.2.3.4 log alerts
access-list outside_access_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list ipsecpassthruacl extended permit udp any any eq isakmp
pager lines 24
logging enable
logging asdm informational
logging class auth asdm informational
mtu inside 1500
mtu outside 1500
mtu RWLAN 1500
mtu RWQA 1500
mtu DMZ 1500
mtu RWGST 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any RWQA
no asdm history enable
arp timeout 14400
nat-control
global (inside) 11 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 255.255.255.0
nat (RWLAN) 1 0.0.0.0 0.0.0.0
nat (RWQA) 1 0.0.0.0 0.0.0.0
nat (RWGST) 1 0.0.0.0 0.0.0.0
static (RWQA,RWLAN) 10.1.16.0 10.1.16.0 netmask 255.255.255.0
static (DMZ,RWLAN) 192.168.251.240 192.168.251.240 netmask 255.255.255.240
static (RWLAN,outside) 1.2.3.4 10.1.1.14 netmask 255.255.255.255
static (RWLAN,RWQA) 10.1.0.0 10.1.0.0 netmask 255.255.254.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.0.0 255.255.254.0 RWLAN
snmp-server host RWLAN 10.1.1.17 community Rwerks
snmp-server location Corporate Office
snmp-server contact Reddwerks IT
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 8.8.8.8
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.1.0.0 255.255.254.0 RWLAN
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.16.151-10.1.16.200 RWQA
dhcpd dns 10.1.1.10 interface RWQA
dhcpd option 3 ip 10.1.16.1 interface RWQA
dhcpd enable RWQA
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group ABC type ipsec-l2l
tunnel-group ABC ipsec-attributes
pre-shared-key *
!
class-map ipsecpassthru-traffic
match access-list ipsecpassthruacl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect ipsec-pass-thru iptmap
parameters
esp per-client-max 10 timeout 0:11:00
ah per-client-max 5 timeout 0:06:00
policy-map inspection_policy
class ipsecpassthru-traffic
inspect ipsec-pass-thru iptmap
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect ipsec-pass-thru
class ipsecpassthru-traffic
inspect ipsec-pass-thru
!
service-policy global_policy global
service-policy inspection_policy interface outside
prompt hostname context
06-23-2011 04:33 PM
Could you please remove the multiple instances of inspect ipsec-pass-thru, we are just trying to clean the configuration and make sure the inspect ipsec-pass-thru we configured is taking effect.
Could you also send me the syslogs at the time you try the IPSec pass through the ASA.
Also, if we could setup captures for the traffic on the ASA, and capture the traffic traversing through the ASA.
Here is a reference link for setting up captures on ASA:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Thanks,
Sai
06-24-2011 12:07 PM
Attached are the syslog and packet capture output......
Seems odd that the packet capture isn't showing anything in egress
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide