Remote Access IKEv1 VPN DMZ ASA

Nathan Hawkins
Level 1

Hello All,

I have a test ASA behind an edge firewall (Checkpoint), and I'm trying to set up the ASA for remote VPN access only. The ports being forwarded are UDP/500, UDP/4500 and UDP/TCP/10000. I'd prefer to encapsulate the sessions into TCP/10000. There are two networks that the ASA is connected to: the DMZ (10.11.12.0/24) and an internal segment (10.10.1.0/24). The external remote client will connect to the DMZ interface, and the goal is to access the internal subnet. The pool I want to set up is 10.11.12.150-200. I have upgraded the ASA to the most current IOS [8.4(4)1] / ASDM [6.4(9)] images. Here's what I've come up with, but unfortunately the client fails to connect. I have messed around several times with settings using the ASDM, but ultimately I cannot get the client to connect. Here's my config:

[code]
hostname RemoteVPNASA
domain-name Domain.local
enable password ---------------- encrypted
passwd ---------------- encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.76 255.255.255.0
!
interface Vlan2
nameif DMZ
security-level 0
ip address 10.11.12.2 255.255.255.0
!
banner motd
banner motd +----------------------------------------------------+
banner motd |                                                    |
banner motd |   *** Unauthorized Use or Access Prohibited ***    |
banner motd |                                                    |
banner motd |        For Authorized Official Use Only            |
banner motd |   You must have explicit permission to access or   |
banner motd |  configure this device. All activities performed   |
banner motd |  on this device may be logged, and violations of   |
banner motd | this policy may result in disciplinary action, and |
banner motd |  may be reported to law enforcement authorities.   |
banner motd |                                                    |
banner motd |   There is no right to privacy on this device.     |
banner motd |                                                    |
banner motd +----------------------------------------------------+
banner motd
ftp mode passive
dns server-group DefaultDNS
domain-name Domain.local
object network Network-10.11.12.0
subnet 10.11.12.0 255.255.255.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network DM_INLINE_NETWORK_1
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_DMZ extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu DMZ 1500
ip local pool IPPool 10.11.12.150-10.11.12.200
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
access-group acl_DMZ in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap
crypto map NetMap interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Network internal
group-policy Network attributes
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username user password ---------------- encrypted privilege 15
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
address-pool IPPool
default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6e568acfb0bed9dc9979dc1a980f24f
: end
[/code]

Any help would be greatly appreciated!

20 Replies

Hello Nathan,

I know I have asked for it so many times, but I will need to see the updated configuration.

Can you share it again?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Nathan,

Just wanted to add some details here.

According to the logs:

%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED
%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED

So we know Phase I & II are OK.

However:

%ASA-7-710005: TCP request discarded from 76.199.251.254/25283 to DMZ:10.11.12.2/10000

Do you have the following command enabled?

hostname(config)# crypto ikev1 ipsec-over-tcp port 10000

Is there any NAT rule causing a conflict?


Recommendation:

I do recommend NAT-T since it performs much better. Besides that, cTCP connections are known to have issues across FWs.

IPsec over TCP Fails when Traffic Flows through ASA

HTH.

Portu.

Please rate any helpful posts

Here's my current running config:

[code]
hostname RemoteVPNASA
domain-name Domain.local
enable password EknDlaH/tYor46kT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.76 255.255.255.0
!
interface Vlan2
nameif DMZ
security-level 0
ip address 10.11.12.2 255.255.255.0
!
banner motd
banner motd +----------------------------------------------------+
banner motd |                                                    |
banner motd |   *** Unauthorized Use or Access Prohibited ***    |
banner motd |                                                    |
banner motd |        For Authorized Official Use Only            |
banner motd |   You must have explicit permission to access or   |
banner motd |  configure this device. All activities performed   |
banner motd |  on this device may be logged, and violations of   |
banner motd | this policy may result in disciplinary action, and |
banner motd |  may be reported to law enforcement authorities.   |
banner motd |                                                    |
banner motd |   There is no right to privacy on this device.     |
banner motd |                                                    |
banner motd +----------------------------------------------------+
banner motd
ftp mode passive
dns server-group DefaultDNS
domain-name Domain.local
object network Network-10.11.12.0
subnet 10.11.12.0 255.255.255.0
object network Network-10.10.1.0
subnet 10.10.1.0 255.255.255.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network DM_INLINE_NETWORK_1
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.11.12.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 5.5.0.0 255.255.255.192
access-list vpn_SplitTunnel standard permit 5.5.16.0 255.255.255.192
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_DMZ extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging buffer-size 524288
logging asdm-buffer-size 200
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu DMZ 1500
ip local pool IPPool 10.11.12.150-10.11.12.200
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static Network-10.10.1.0 Network-10.10.1.0 destination static Network-10.11.12.0 Network-10.11.12.0
access-group acl_DMZ in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map NetMap interface DMZ
crypto isakmp identity address
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.1.0 255.255.255.0 inside
ssh 10.240.232.0 255.255.252.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Network internal
group-policy Network attributes
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username user password HTfNe5Yf7OKVfTLO encrypted privilege 15
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
address-pool IPPool
default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fdd8944b7886c448137cce902d12b8a3
: end
[/code]

@Portu - Yes, crypto ikev1 ipsec-over-tcp port 10000 is present. What's the command to implement NAT-T? So far it's connecting just fine using TCP 10000.

Thanks!

Nathan,

This NAT rule is the one affecting the traffic, since the pool is in the same network.

nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0

Let's give it a try as follows:

[code]
ip local pool VPN_NetworkRA 192.168.254.1-192.168.254.254
tunnel-group NetworkRA general-attributes
     no address-pool IPPool
     address-pool VPN_NetworkRA
!
object network obj-192.168.254.0
     subnet 192.168.254.0 255.255.255.0
!
nat (DMZ,outside) 1 source static any any destination static obj-192.168.254.0 obj-192.168.254.0
!
[/code]

Then try to access the network and let me know.

Portu.

Please rate any helpful posts
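As an added check (written for this thread, not code from the thread or from Cisco), the Python below parses a constructed excerpt of the running config posted above and flags the two conditions this reply points at: an address pool that sits inside an interface subnet, and the absence of an identity NAT rule whose destination object covers the pool. It generalizes to any number of pools and interfaces; the names ASA_BROKEN, ASA_FIXED, parse and audit are mine, and ASA_FIXED assumes the suggested pool move with (inside,DMZ) as the interface pair, since those are the two interfaces this device has.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted above (only the lines this check reads).
ASA_BROKEN = """\
interface Vlan1
 nameif inside
 ip address 10.10.1.76 255.255.255.0
interface Vlan2
 nameif DMZ
 ip address 10.11.12.2 255.255.255.0
object network Network-10.11.12.0
 subnet 10.11.12.0 255.255.255.0
ip local pool IPPool 10.11.12.150-10.11.12.200
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
"""

# Hypothetical fix: the pool moved off the DMZ subnet plus an identity NAT rule for it from inside.
ASA_FIXED = ASA_BROKEN.replace("10.11.12.150-10.11.12.200", "192.168.254.1-192.168.254.254") + """\
object network obj-192.168.254.0
 subnet 192.168.254.0 255.255.255.0
nat (inside,DMZ) source static any any destination static obj-192.168.254.0 obj-192.168.254.0
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse(cfg):
    # Collect interface subnets (keyed by nameif), network objects, address pools and twice-NAT rules.
    nets, objects, pools, nats, cur = {}, {}, {}, [], None
    for s in (line.strip() for line in cfg.splitlines()):
        if s.startswith(("nameif ", "object network ")):
            cur = s.split()[-1]  # the following "ip address" / "subnet" line belongs to this name
        elif s.startswith("ip address "):
            nets[cur] = ipaddress.ip_network("{}/{}".format(*s.split()[2:4]), strict=False)
        elif s.startswith("subnet "):
            objects[cur] = ipaddress.ip_network("{}/{}".format(*s.split()[1:3]))
        elif s.startswith("ip local pool "):
            pools[s.split()[3]] = tuple(ipaddress.ip_address(x) for x in s.split()[4].split("-"))
        elif NAT_RE.match(s):
            nats.append(NAT_RE.match(s).groups())
    return nets, objects, pools, nats

def audit(cfg):
    # Flag the two conditions this thread hit: a pool inside an interface subnet, and no identity NAT for the pool.
    nets, objects, pools, nats = parse(cfg)
    problems = []
    for pname, (lo, hi) in pools.items():
        for ifname, net in nets.items():
            if lo in net or hi in net:
                problems.append(f"pool {pname} {lo}-{hi} overlaps {ifname} subnet {net}")
        # Exemption: some rule must translate the pool's own object to itself as the destination.
        exempt = any(d1 == d2 and d1 in objects and lo in objects[d1] and hi in objects[d1] for *_, d1, d2 in nats)
        if not exempt:
            problems.append(f"no identity NAT rule covers pool {pname}, so replies from inside get translated")
    return problems
```

Running audit(ASA_BROKEN) reports the overlap with the DMZ subnet, audit(ASA_FIXED) reports nothing, and dropping the identity rule from ASA_FIXED reports the missing exemption.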

I won't be able to retry the connection attempt until Monday, so I'll update then. Thanks again, Julio.

Same result. I added a route to the core so that routing would be pointed at the internal interface of the ASA for 192.168.254.0/24. I also changed the pool so that it was 150-250 (I thought that the first IP needed to be reserved for the ASA?).

In any case same result. I connect. I get an address of 192.168.254.150 assigned to my VPN client, but no connectivity to anything internal.
