10-27-2012 06:46 PM - edited 03-11-2019 05:15 PM
Hello All,
I have a test ASA behind an edge firewall (Checkpoint), and I'm trying to set up the ASA for remote VPN access only. The ports being forwarded are UDP/500, UDP/4500 and UDP/TCP/10000. I'd prefer to encapsulate the sessions into TCP/10000. There are two networks that the ASA is connected to: the DMZ (10.11.12.0/24) and an internal segment (10.10.1.0/24). The external remote client will connect to the DMZ interface, and the goal is to access the internal subnet. The pool I want to set up is 10.11.12.150-200. I have upgraded the ASA to the most current IOS [8.4(4)1] / ASDM [6.4(9)] images. Here's what I've come up with, but unfortunately the client fails to connect. I have messed around several times with settings using the ASDM, but ultimately I cannot get the client to connect. Here's my config:
[code]
hostname RemoteVPNASA
domain-name Domain.local
enable password ---------------- encrypted
passwd ---------------- encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.76 255.255.255.0
!
interface Vlan2
nameif DMZ
security-level 0
ip address 10.11.12.2 255.255.255.0
!
banner motd
banner motd +----------------------------------------------------+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +----------------------------------------------------+
banner motd
ftp mode passive
dns server-group DefaultDNS
domain-name Domain.local
object network Network-10.11.12.0
subnet 10.11.12.0 255.255.255.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network DM_INLINE_NETWORK_1
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_DMZ extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu DMZ 1500
ip local pool IPPool 10.11.12.150-10.11.12.200
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
access-group acl_DMZ in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap
crypto map NetMap interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Network internal
group-policy Network attributes
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username user password ---------------- encrypted privilege 15
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
address-pool IPPool
default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6e568acfb0bed9dc9979dc1a980f24f
: end
[/code]
Any help would be greatly appreciated!
11-01-2012 11:54 AM
Hello Nathan,
I know I have asked for it so many times, but I will need to see the updated configuration.
Can you share it again?
Regards,
Julio
11-01-2012 05:56 PM
Hi Nathan,
Just wanted to add some details here.
According to the logs:
[code]
%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED
%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED
[/code]
So we know Phase I & II are OK.
However:
[code]
%ASA-7-710005: TCP request discarded from 76.199.251.254/25283 to DMZ:10.11.12.2/10000
[/code]
Do you have the following command enabled?
[code]
hostname(config)# crypto ikev1 ipsec-over-tcp port 10000
[/code]
Is there any NAT rule causing a conflict?
Recommendation:
I do recommend NAT-T since it performs much better. Besides that, cTCP connections are known to have issues across FWs.
IPsec over TCP Fails when Traffic Flows through ASA
HTH.
Portu.
Please rate any helpful posts
11-01-2012 06:25 PM
Here's my current running config:
[code]
hostname RemoteVPNASA
domain-name Domain.local
enable password EknDlaH/tYor46kT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.76 255.255.255.0
!
interface Vlan2
nameif DMZ
security-level 0
ip address 10.11.12.2 255.255.255.0
!
banner motd
banner motd +----------------------------------------------------+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +----------------------------------------------------+
banner motd
ftp mode passive
dns server-group DefaultDNS
domain-name Domain.local
object network Network-10.11.12.0
subnet 10.11.12.0 255.255.255.0
object network Network-10.10.1.0
subnet 10.10.1.0 255.255.255.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network DM_INLINE_NETWORK_1
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.11.12.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 5.5.0.0 255.255.255.192
access-list vpn_SplitTunnel standard permit 5.5.16.0 255.255.255.192
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_DMZ extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging buffer-size 524288
logging asdm-buffer-size 200
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu DMZ 1500
ip local pool IPPool 10.11.12.150-10.11.12.200
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static Network-10.10.1.0 Network-10.10.1.0 destination static Network-10.11.12.0 Network-10.11.12.0
access-group acl_DMZ in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map NetMap interface DMZ
crypto isakmp identity address
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.1.0 255.255.255.0 inside
ssh 10.240.232.0 255.255.252.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Network internal
group-policy Network attributes
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username user password HTfNe5Yf7OKVfTLO encrypted privilege 15
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
address-pool IPPool
default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fdd8944b7886c448137cce902d12b8a3
: end
[/code]
@Portu - Yes, crypto ikev1 ipsec-over-tcp port 10000 is present. What's the command to implement NAT-T? So far it's connecting just fine using TCP 10000.
Thanks!
11-01-2012 07:01 PM
Nathan,
This NAT rule is the one affecting the traffic, since the pool is in the same network.
[code]
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
[/code]
Let's give it a try as follows:
[code]
ip local pool VPN_NetworkRA 192.168.254.1-192.168.254.254
tunnel-group NetworkRA general-attributes
no address-pool IPPool
address-pool VPN_NetworkRA
!
object network obj-192.168.254.0
subnet 192.168.254.0 255.255.255.0
!
nat (DMZ,outside) 1 source static any any destination static obj-192.168.254.0 obj-192.168.254.0
!
[/code]
Then try to access the network and let me know.
Portu.
Please rate any helpful posts
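As an added audit example that is not part of this thread (nor Cisco's tooling), the Python script below parses a constructed excerpt of the poster's running config and flags the two things Portu points at: a VPN pool that lies inside a connected interface subnet, and a twice-NAT rule whose destination object covers that pool. The parser handles only the line shapes shown in the excerpt; function and variable names are hypothetical.

```python
"""Audit an ASA config for a VPN pool overlapping an interface subnet."""
import ipaddress
import re

# Constructed excerpt of the poster's running config (not the full file).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.10.1.76 255.255.255.0
interface Vlan2
 nameif DMZ
 ip address 10.11.12.2 255.255.255.0
object network Network-10.11.12.0
 subnet 10.11.12.0 255.255.255.0
ip local pool IPPool 10.11.12.150-10.11.12.200
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
"""

def parse_config(text):
    """Return (interfaces, objects, pools, nat_rules) from ASA config text."""
    interfaces, objects, pools, nats = [], {}, {}, []
    current = None  # interface or object block receiving indented lines
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"nameif": line.split()[1], "net": None}
            interfaces.append(current)
        elif line.startswith("object network "):
            current = {"net": None}
            objects[line.split()[2]] = current
        elif line.startswith("nameif ") and current is not None:
            current["nameif"] = line.split()[1]
        elif line.startswith(("ip address ", "subnet ")) and current is not None:
            addr, mask = line.split()[-2:]  # host/mask -> containing network
            current["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("ip local pool "):
            lo, hi = line.split()[4].split("-")
            pools[line.split()[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif line.startswith("nat ("):
            nats.append(line)
    return interfaces, objects, pools, nats

def audit(text):
    """Return (kind, pool, detail) findings; an empty list means no overlap."""
    interfaces, objects, pools, nats = parse_config(text)
    findings = []
    for pname, (lo, hi) in pools.items():
        for iface in interfaces:
            # Pool addresses inside a connected subnet are the "same network"
            # condition Portu calls out; the ASA must answer for them there.
            if iface["net"] and lo in iface["net"] and hi in iface["net"]:
                findings.append(("pool-in-interface-subnet", pname, iface["nameif"]))
        for rule in nats:
            m = re.search(r"destination static (\S+) \S+", rule)
            obj = objects.get(m.group(1)) if m else None
            if obj and obj["net"] and lo in obj["net"]:
                findings.append(("nat-covers-pool", pname, rule))
    return findings

if __name__ == "__main__":
    for kind, pool, detail in audit(SAMPLE_CONFIG):
        print(f"{kind}: {pool} -> {detail}")
```

Re-running the audit after moving the pool to a subnet of its own, as Portu suggests, returns no findings.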
11-02-2012 02:40 PM
I won't be able to retry the connection attempt until Monday, so I'll update then. Thanks again Julio.
11-05-2012 06:39 AM
Same result. I added a route to the core so that routing would be pointed at the internal interface of the ASA for 192.168.254.0/24. I also changed the pool so that it was 150-250 (I thought that the first IP needed to be reserved for the ASA?).
In any case, same result. I connect and get an address of 192.168.254.150 assigned to my VPN client, but no connectivity to anything internal.