08-30-2014 06:57 AM - edited 03-11-2019 09:41 PM
Hi there,
I'm trying to set up VPN remote access using an ASA 5505 Security Plus, but without success.
I request your help please; any idea will be appreciated. Thanks in advance.
My architecture is:
ISP Router (with LAN IP 192.168.1.1 and public IP 81.xxx.xxx.17) ------> ASA5505 ----> PC (inside)
ETH0/0, which is outside = 192.168.1.254
ETH0/1, which is inside = 10.10.10.1
I installed the Cisco VPN Client on a laptop at another location entirely and tried to connect to my VPN from outside my internal LAN, but without success.
Cisco VPN Client configuration:
Host: 81.xxx.xxx.17 (public IP of my ISP router)
Name: VPN login created on the ASA
Password: ***********
I don't know if I missed something.
My configuration is below:
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.20.30.32 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnmu 10.20.30.40-10.20.30.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 62.251.229.237 62.251.229.223
!
dhcpd address 10.10.10.10-10.10.10.20 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnmu internal
group-policy vpnmu attributes
 dns-server value 62.251.229.237 8.8.8.8
 vpn-tunnel-protocol IPSec
username muasa password cr81rjPsGHck2wCU encrypted privilege 15
username azizaout password 0oUjcv75MaNxYqi3 encrypted privilege 0
username azizaout attributes
 vpn-group-policy vpnmu
tunnel-group vpnmu type remote-access
tunnel-group vpnmu general-attributes
 address-pool vpnmu
 default-group-policy vpnmu
tunnel-group vpnmu ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2b5ba1299d6818e0a753b1a7bce7a521
: end
09-01-2014 01:32 AM
Hi,
It seems to me that you have an ISP router that is doing NAT in front of the ASA. The ISP router holds the actual public IP address.
At a quick glance, it seems to me that the VPN configuration might be OK.
The question is: have you forwarded the required ports on the ISP router towards the external interface IP address of the ASA? Or is there perhaps a static NAT on the ISP router for the public IP address that uses the ASA's external interface as the local address of the static NAT?
If you are just going to forward ports, then to my understanding you need to forward UDP/500 and UDP/4500.
You also have to check the Cisco VPN Client connection profile settings and check that you have enabled "Transparent Tunneling".
- Jouni
09-01-2014 02:03 PM
Hi Jouni,
you saved me on this , thank you very much !!!
I forwarded ports UDP 500 and 4500 to ETH 0/0 (outside), and the Cisco VPN Client has successfully connected and I can browse the internet (as I activated split tunnelling on the ASA).
But I can't ping the inside hosts from the VPN, and I can't access shared folders, RDP, etc.
And I can't ping the ASA.
Also, I tried to ping from the ASA (10.10.10.1) to the VPN host (192.168.104.2), but it doesn't work.
I don't know what the issue is. Can you please take a look at my config below and tell me what's wrong?
Thanks in advance
Aziz
09-02-2014 01:21 PM
Hi there,
Any idea, please, to help me fix the issue below?
Thanks in advance
09-03-2014 05:40 AM
You may need to enable ISAKMP NAT traversal, as the ISP router is carrying out NAT.
crypto isakmp nat-traversal <keepalive value in seconds>
The default keepalive value is 20 seconds, and the value can be 10 to 3600.
09-08-2014 03:21 AM
Hi ,
Thanks for your reply
I added this command, but unfortunately the issue still persists.
Any other idea, please?
Thank you
Aziz