09-23-2014 07:35 AM - edited 03-11-2019 09:48 PM
When we moved from our old AS500 to the new ASA5505, we did not have an issue getting up and running as far as internet and email access goes. What we are having an issue setting up is with our port forwarding for our IP Phone systems and IPsec VPN.
I have attached our current running config to see if anyone might be able to spot the solution to the issues we are having. I am sure it is something simple that we missed when setting up the rules.
Thank you in advance
Stephen
09-24-2014 12:54 AM
Hi,
There is at least a simpler way of trying to configure Static PAT (Port Forward) without having to use so many different "object"s.
I would suggest removing the current configurations and using the following as a template to configure all the required Static PAT configurations you need
object network <object name>
host <internal ip>
nat (inside,outside) static interface service <udp/tcp> <real port> <mapped port>
Make the above configurations for every port you need. Notice that a single "object" can only hold a single "nat" configuration, so each Static PAT configuration requires its own "object". If there are several ports forwarded to a single server, I personally tend to create an additional "object" that just contains the internal server IP address and use that in the external interface ACL rules to allow connections. I do this to avoid having to use multiple differently named "object"s in the ACL, even though it would be possible to use the "object"s created in the above NAT configurations.
With regards to the VPN connections, what are you trying to accomplish?
There are several configurations under the Default groups which I would avoid doing. There are also Hardware client configurations, L2L VPN configurations and VPN Client configurations on the ASA.
I would suggest clearing these configurations IF they are not required. In the case of the Default Group configurations you might need to just remove the configurations under those "group-policy" and "tunnel-group" configurations. I don't think you can even remove the actual groups as they are the default ones.
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup REDACTED password *****
vpnclient username REDACTED password *****
dhcpd auto_config outside
webvpn
 enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.11 192.168.1.20
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value patc.net
group-policy DfltGrpPolicy attributes
 address-pools value PATC-VPN-IPPool
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1 ikev2
 address-pools value PATC-VPN-IPPool
tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) PATC-VPN-IPPool
 address-pool PATC-VPN-IPPool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (inside) PATC-VPN-IPPool
 address-pool PATC-VPN-IPPool
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group PATCVPN type ipsec-l2l
tunnel-group PATCVPN general-attributes
 default-group-policy GroupPolicy1
tunnel-group PATCVPN ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
After this I would simply suggest that you log into the ASA with ASDM and run the Wizard for the VPN Client configuration (if that is what you are after) and use it to create a basic IPsec VPN Client configuration (or SSL VPN if you have the required software).
After that is done we can take a look at the configurations again if VPN connections are not working.
- Jouni
09-24-2014 08:26 AM
Port forwarding was successful! Thank you!
I removed all the old VPN information and ran the VPN Wizard as you suggested and we are still not able to open a tunnel, it is almost like we are not getting a good handshake with the ASA.
Attached is the new running-config for your review. Again, thank you for your assistance.
09-24-2014 08:27 AM
With regards to the VPN connections, we are trying to accomplish an IPsec connection with both Windows and Apple using the built-in VPN connections with these operating systems.
09-25-2014 01:24 AM
Hi,
I would suggest changing the VPN Pool to be a completely different subnet from the LAN.
For example
ip local pool VPN-POOL 192.168.100.10-192.168.100.20 mask 255.255.255.0
tunnel-group test-vpn-group general-attributes
no address-pool TEST-VPN-POOL
address-pool VPN-POOL
no nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.160_27 NETWORK_OBJ_192.168.1.160_27 no-proxy-arp route-lookup
object network LAN
subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
And then try connecting through the VPN again
- Jouni
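The two fixes in this thread (one "object" per Static PAT port, and a VPN pool that does not overlap the LAN plus an identity NAT between LAN and pool) can be checked and generated mechanically. The following is an added example, not code from the thread or from Cisco; the LAN 192.168.1.0/24, the old 192.168.1.160/27 pool and the new 192.168.100.10-20 pool come from the posts above, while the server address 192.168.1.50 and the SIP port are constructed sample values.

```python
import ipaddress

# Constructed sample values taken from the thread: the LAN is 192.168.1.0/24,
# the original pool object was NETWORK_OBJ_192.168.1.160_27 (inside the LAN),
# and Jouni's replacement pool is 192.168.100.10-192.168.100.20.
LAN = "192.168.1.0/24"
OLD_POOL = ("192.168.1.160", "192.168.1.190")
NEW_POOL = ("192.168.100.10", "192.168.100.20")


def pool_overlaps_lan(pool_start, pool_end, lan):
    """True if any address of the VPN pool range lies inside the LAN subnet."""
    net = ipaddress.ip_network(lan)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return any(n.overlaps(net) for n in ipaddress.summarize_address_range(start, end))


def static_pat(name, host, proto, real_port, mapped_port=None):
    """Static PAT for one port: one object per nat statement, because an ASA
    network object carries only a single nat line. Mapped port defaults to real."""
    mapped = real_port if mapped_port is None else mapped_port
    return [f"object network {name}",
            f" host {host}",
            f" nat (inside,outside) static interface service {proto} {real_port} {mapped}"]


def vpn_nat_exempt(lan, pool_start, pool_end, pool_prefix=24,
                   lan_name="LAN", pool_name="VPN-POOL"):
    """Identity (twice) NAT so LAN<->VPN-pool traffic bypasses the interface PAT.
    Refuses a pool that overlaps the LAN, since no NAT rule repairs that."""
    if pool_overlaps_lan(pool_start, pool_end, lan):
        raise ValueError("VPN pool overlaps the LAN; pick a separate subnet")
    pool_net = ipaddress.ip_network(f"{pool_start}/{pool_prefix}", strict=False)
    if ipaddress.ip_address(pool_end) not in pool_net:
        raise ValueError("pool range does not fit inside the pool object subnet")
    lan_net = ipaddress.ip_network(lan)
    return [f"ip local pool {pool_name} {pool_start}-{pool_end} mask {pool_net.netmask}",
            f"object network {lan_name}",
            f" subnet {lan_net.network_address} {lan_net.netmask}",
            f"object network {pool_name}",
            f" subnet {pool_net.network_address} {pool_net.netmask}",
            f"nat (inside,outside) source static {lan_name} {lan_name} "
            f"destination static {pool_name} {pool_name}"]


if __name__ == "__main__":
    print("old pool overlaps LAN:", pool_overlaps_lan(*OLD_POOL, LAN))  # True
    print("\n".join(static_pat("SIP-SERVER-5060", "192.168.1.50", "udp", "5060")))
    print("\n".join(vpn_nat_exempt(LAN, *NEW_POOL)))
```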
09-25-2014 06:32 AM
That worked a treat! iPhone connected straight away, Windows PC also connected. Now to find out why the Apple MacBook Air doesn't connect. I think it is a configuration setting on the MacBook that is the issue.
Thank you very much!
Stephen