ASA 5525 9.1 Remote access VPN

Ali Bahnam
Level 1

Dears,

Kindly, I tried to configure remote access VPN on ASA 9.1 but it didn't work. Anyway, can you please post any configuration steps?

Appreciate your support,

Regards,

23 Replies

Dear Marvin,

I have cisco router facing the internet and I did a static NAT to redirect the traffic to the ASA outside interface.

(ip nat inside source static 10.11.1.2 X.X.X.X)

Regards,

OK.

Does the router have any access-list potentially affecting the incoming remote access VPN clients? If you watch the ASA log while trying to connect do you see any incoming traffic or relevant log messages?

Sometimes it is useful to do a packet capture on the ASA to verify that the client requests are making it to the ASA. At a minimum that isolates the problem as on the ASA or somewhere upstream.

Packet capture is easy to do on ASDM or CLI. See the following link:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Dear Marvin,

Below the configuration that I did on the router

HQ_Router#
HQ_Router#sh run
Building configuration...

Current configuration : 5580 bytes
!
! Last configuration change at 13:56:36 BG Sun Dec 8 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ_Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 ZwZCjZpqSXIvRzD.nWp0Zo5muAaIQwD/IC9ucx3AbOM
!
no aaa new-model
clock timezone BG 3 0
!
!
crypto pki trustpoint TP-self-signed-311074010
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-311074010
revocation-check none
rsakeypair TP-self-signed-311074010
!
!
crypto pki certificate chain TP-self-signed-311074010
certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313130 37343031 30301E17 0D313330 35303931 30333735
  365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3331 31303734
  30313030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  ADD6EC7A 2E836E51 930FACB0 ABB39019 04AAD377 C49E9DF6 824637E8 3E564D5D
  57D7E501 F1418E00 431B4C27 A0C50C62 90649115 72EEFA36 23DA9D82 D29C4202
  70BD1518 6E1475D4 78C33EA2 ACA1CA9C 52342E2E 8E523528 007550E3 9B29EB22
  B41D177D 971A2F14 50793969 32CC400A 8227F2CA 4776BBD0 99AF2D5E D385697F
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 168014FD 9340EDE7 77F4A878 824AE83B E7043BD3 B54E2C30 1D060355
  1D0E0416 0414FD93 40EDE777 F4A87882 4AE83BE7 043BD3B5 4E2C300D 06092A86
  4886F70D 01010505 00038181 0091CDD9 28D63666 23779218 2B4019D9 AB1CCE6F
  40402CC5 D00B9E2C 3FA05FD8 16D81AED 7B11F2BB 4C11E0A7 80A7103D 48BCC105
  082069EA FA5EA086 2566F93F C04DFDEB 050B5457 E27D67DE FF651C9A E9E32382
  03E29073 6F649262 C4D2BCA5 0F3BA95D A28A9EE5 0A35C43D 415CC956 3DD209CE
  C2D9F15B 5E02635A 460C04C9 9A
        quit
ip cef
!
!
!
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2951/K9 sn FCZ171970P4
!
!
username admin privilege 15 password 0 Pa$$w0rd
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Connected to Public
ip address X.X.X.X 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Connected to ASA port G0/0
ip address 10.11.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static 10.11.1.2 X.X.X.X
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.10.0.0 255.255.0.0 10.11.1.2
ip route 10.11.2.0 255.255.255.0 10.11.1.2
ip route 172.16.0.0 255.255.0.0 10.11.1.2
ip route 192.168.0.0 255.255.0.0 10.11.1.2
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 10 permit 10.11.0.0 0.0.255.255
!
!
!

I believe you need a line:

     ip nat outside source static x.x.x.x 10.11.1.2

...to account for the fact that outside users (your VPN client) need to initiate communications to the ASA interface.

Marvin,

I tested it but I got the same error (error 412 remote peer no longer responding)

Did you try the capture like I suggested earlier to see if the traffic is coming in from your client to the ASA?

If you see that traffic is coming from the client to the ASA in the capture that Marvin has suggested, then I am wondering if the NAT configuration on your ASA is causing this issue.

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool

I am thinking your dynamic NAT is overriding your twice NAT since it is configured in "section 1" of the NAT table. This section matches on a top-to-bottom, first-match basis. You can correct this by doing one of two things: configure it in section 2 (auto NAT), or configure it as after-auto (section 3).

Section 2 config:

object network DYNAMIC
 subnet 0 0
 nat (inside,outside) dynamic interface

When you do a show run now, you should see that the NAT statement is placed under an object group. It will look something like the following:

object network DYNAMIC
 nat (inside,outside) dynamic interface

After-auto config:

nat (inside,outside) after-auto source dynamic any interface

With the after auto option you need to be sure that the dynamic statement is at the bottom of the list if you have any other static NATs configured here.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
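The ordering problem described in the reply above can be made visible with a small model of the ASA NAT table. The following Python is an added illustration, not code from the thread or from Cisco: it orders rules by section (1 = manual/twice NAT, 2 = object NAT, 3 = after-auto), picks the first match for a given source/destination pair, and lists rules that can never be hit because an earlier rule already covers everything they match. The VPN pool address (10.200.200.0/24) and the client addresses used in the lookups are constructed; the inside networks and the NAT lines are taken from the configuration quoted above. Within a section the model keeps configuration order, which is how sections 1 and 3 behave and is enough here because section 2 holds a single rule.

```python
"""Simplified model of ASA NAT rule selection: section 1, then 2, then 3,
first match wins. Added example; rule set constructed from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed VPN pool for the example; the thread never states the real pool.
VPN_POOL = ipaddress.ip_network("10.200.200.0/24")
INSIDE_NETS = ["10.10.0.0/16", "10.11.0.0/16", "192.168.0.0/16", "172.16.0.0/16"]


@dataclass(frozen=True)
class NatRule:
    section: int                           # 1 = manual, 2 = auto (object), 3 = after-auto
    src: ipaddress.IPv4Network             # real source to match
    dst: Optional[ipaddress.IPv4Network]   # None: rule has no destination criterion
    action: str                            # "identity" (no translation) or "pat" (to interface)
    text: str                              # CLI line the rule came from, for readable output


def build_table(rules: List[NatRule]) -> List[NatRule]:
    """Order rules as the ASA walks them. sorted() is stable, so configuration
    order is preserved inside each section."""
    return sorted(rules, key=lambda r: r.section)


def lookup(table: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Return the first rule whose source (and destination, if any) matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in table:
        if src in rule.src and (rule.dst is None or dst in rule.dst):
            return rule
    return None


def shadowed(table: List[NatRule]) -> List[NatRule]:
    """Rules that can never match because an earlier rule covers every packet they would."""
    dead = []
    for i, rule in enumerate(table):
        for earlier in table[:i]:
            src_covered = rule.src.subnet_of(earlier.src)
            dst_covered = earlier.dst is None or (
                rule.dst is not None and rule.dst.subnet_of(earlier.dst))
            if src_covered and dst_covered:
                dead.append(rule)
                break
    return dead


def identity_rules() -> List[NatRule]:
    """The four twice-NAT identity rules from the quoted ASA configuration."""
    return [NatRule(1, ipaddress.ip_network(n), VPN_POOL, "identity",
                    f"nat (inside,outside) source static Net_{n.split('/')[0]} "
                    f"Net_{n.split('/')[0]} destination static VPN-Pool VPN-Pool")
            for n in INSIDE_NETS]


def table_as_posted() -> List[NatRule]:
    # Dynamic PAT entered first in section 1, ahead of the identity rules.
    pat = NatRule(1, ANY, None, "pat", "nat (inside,outside) source dynamic any interface")
    return build_table([pat] + identity_rules())


def table_object_nat() -> List[NatRule]:
    # Fix 1: the same PAT as object NAT, which lives in section 2.
    pat = NatRule(2, ANY, None, "pat", "object network DYNAMIC / nat (inside,outside) dynamic interface")
    return build_table(identity_rules() + [pat])


def table_after_auto() -> List[NatRule]:
    # Fix 2: the same PAT as manual NAT placed after auto NAT (section 3).
    pat = NatRule(3, ANY, None, "pat", "nat (inside,outside) after-auto source dynamic any interface")
    return build_table(identity_rules() + [pat])


if __name__ == "__main__":
    client, host = "10.200.200.10", "10.10.1.5"   # constructed VPN client and inside host
    for label, table in [("as posted", table_as_posted()),
                         ("object NAT", table_object_nat()),
                         ("after-auto", table_after_auto())]:
        hit = lookup(table, host, client)
        print(f"{label:11s}: {host} -> {client} hits [{hit.action}] {hit.text}")
        for dead in shadowed(table):
            print(f"{'':11s}  never reached: {dead.text}")
```

With the rule set as posted, replies from an inside host to a VPN client are PATed to the outside interface address, so the tunnelled return traffic never lines up with the client's expectation; every identity rule is reported as unreachable. Either relocation of the dynamic rule lets the identity rules win for pool destinations while ordinary Internet-bound traffic still falls through to the PAT.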

Thank you for your reply and support,

Please advise: should I add the section 2 config on the ASA and keep the previous NAT config, or do I have to delete it?

Regards,

You need to remove the dynamic NAT statement you currently have configured and then add it into section 2 or 3.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts