Set up the ASA 5505 as a VPN server that's behind an ISP router

musclemania05
Level 1

Hello All,

I'm trying to set up the Cisco 5505 as a VPN server that's behind an ISP router/modem. This router doesn't have bridge mode capabilities, but as an alternative I was able to get a business static IP.

In the access management UI of the ISP router/modem, I set up port forwarding for ESP and port 500 to one of the internal IPs of the ISP router/modem, which in turn I assigned to the outside interface of the Cisco 5505.

In the Cisco VPN Client software I route to the business static IP of the ISP router/modem, but nothing seems to work?

Can someone please advise me what I'm doing wrong?


balaji.bandi
Hall of Fame

Typically you need to forward the following ports from the DSL router to the ASA: UDP/500 and UDP/4500, along with TCP/443 (SSL).

If it is still an issue, post the full ASA config along with the error logs.

 

BB


Richard Burts
Hall of Fame

There are several things in the original post that are not clear. For one thing, it describes the ASA as a VPN server, but it is not clear whether this is for site-to-site VPN or for Remote Access VPN. If it is for Remote Access VPN, it is not clear whether this is for the traditional IPsec Remote Access VPN or for the newer AnyConnect Remote Access VPN. Can we get clarification of this?

Assuming that this is for the most common VPN use of the ASA, I will assume that we are talking about the AnyConnect Remote Access VPN. And in that case we have a clue about what may be the issue. The post tells us "I set up port forwarding for ESP and port 500". But the AnyConnect client does not use ESP; it uses SSL.

 

HTH

 

Rick


I'm using the Cisco 5505 as a VPN server for Remote Access VPN using IPsec. Okay, I see I need to forward another port, but one thing I'm still unsure of is which IP to use on the outside VLAN of the Cisco 5505.

The ISP router/modem has a business static IP of 72.X.X.X and has DHCP set up on the LAN with an address pool of 192.168.42.100 - 192.168.42.149. What I have done is pick a random number from this pool and set the outside VLAN of the Cisco 5505 to this IP, which in this case would be 192.168.42.105.

Attached is my config.

 

 

Hello,

the IP address of the outside interface is fine. You can also use 'ip address dhcp setroute'.

The problem I see with your config, at first glance, is that your local pool and your inside network are using overlapping IP address spaces:

ip local pool vpn_pool 192.168.1.200-192.168.1.220 mask 255.255.255.0

interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

Since you are excluding your entire 192.168.1.0/24 subnet in your split tunnel, this probably won't work. Try and use another IP address space for the pool...
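As an added example (not code from the thread or from Cisco), here is a small Python check that parses the pool and interface lines quoted above and flags a VPN pool whose addresses fall inside any interface subnet, so the overlap can be caught before a config is pushed. The Vlan2 block and the indentation are constructed from the outside address given earlier in the thread; the parsing is deliberately limited to these two command forms.

```python
import ipaddress
import re

# Constructed sample: the pool and Vlan1 lines quoted in the reply above,
# plus a Vlan2 block built from the 192.168.42.105 outside address the
# poster mentioned (hypothetical layout, not the poster's attached config).
ASA_CONFIG = """\
ip local pool vpn_pool 192.168.1.200-192.168.1.220 mask 255.255.255.0
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.42.105 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)
IFACE_RE = re.compile(r"^interface (\S+)\n((?: .*\n)+)", re.M)


def parse_pools(cfg):
    """Return {pool_name: (first_ip, last_ip)} for each 'ip local pool' line."""
    pools = {}
    for name, first, last, _mask in POOL_RE.findall(cfg):
        pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return pools


def parse_interfaces(cfg):
    """Return {nameif: IPv4Network} for every interface block carrying an ip address."""
    ifaces = {}
    for _name, body in IFACE_RE.findall(cfg):
        nameif = re.search(r"nameif (\S+)", body)
        addr = re.search(r"ip address (\S+) (\S+)", body)
        if nameif and addr:
            # ipaddress accepts a dotted netmask after the slash
            iface = ipaddress.IPv4Interface(f"{addr.group(1)}/{addr.group(2)}")
            ifaces[nameif.group(1)] = iface.network
    return ifaces


def pool_overlaps(cfg):
    """List (pool, nameif) pairs whose address ranges intersect; empty means no overlap."""
    hits = []
    ifaces = parse_interfaces(cfg)
    for pname, (first, last) in parse_pools(cfg).items():
        for nameif, net in ifaces.items():
            # contiguous ranges intersect iff neither lies entirely past the other
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pname, nameif))
    return hits
```

Moving the pool to 192.168.3.200-192.168.3.220, as the follow-up post proposes, makes the check return an empty list.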

If I change the VPN pool addresses to a different network, how will I get to anything on the 192.168.1.0/24 network? If I hand out VPN addresses between 192.168.3.200-192.168.3.220 255.255.255.0, for example, how will I be able to get to my inside network?

I've always used this address pool and it's worked, but every ISP modem I used had bridge mode capabilities.

You need the 'route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled' for that, as far as I recall. Either way, what is:

route outside 0.0.0.0 0.0.0.0 166.247.200.1 1

Where is that IP address?

That should be route outside 0.0.0.0 0.0.0.0 192.168.42.105, the same as outside Vlan2.

Earlier you said that I can set the outside VLAN of the Cisco 5505 to 'ip address dhcp setroute', but if I do this I will still need to set up port forwarding to a specific IP in the management UI of the ISP router/modem combo. The port forward might or might not be the same. Remember the internal IP pool of the ISP router/modem combo is in the range 192.168.42.100 - 192.168.42.149 and the public business static IP is 72.x.x.x. I figured I need to give the outside of the Cisco 5505 a static IP in that range and use a route outside statement to the business static IP 72.x.x.x?
