07-28-2011 01:14 PM - edited 02-21-2020 05:29 PM
Hello,
I have the below configuration for a cisco asa 5505. There is a ADSL router in front of the ASA which has a static IP. I set up a remote-access VPN (using the wizard), but I cannot connect to the ASA firewall as the attached VPN client log shows. My only concern is that there might be something missing, ie a static route that goes to the inside interface. Is that correct? If not, can you please let me know what else I can look.
Thank you in advance.
ASA Version 8.2(1)
!
hostname ciscoasa
enable password f7Bv8Dr8BwaT3nc3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.178.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp eq pptp
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.178.210
access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAippool 192.168.11.1-192.168.11.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.178.210 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.178.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.178.5-192.168.178.132 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy pcchellasRAvpn internal
group-policy pcchellasRAvpn attributes
dns-server value 192.168.178.1
vpn-tunnel-protocol IPSec ikev
username george password cg/xrXSWiXyR6iSy encrypted privilege 0
username george attributes
vpn-group-policy pcchellasRAvpn
username liakos password U4.jdhW5HFwo1Nmo encrypted
username liakos attributes
service-type nas-prompt
username dimitris password rja7bfUnqVzxiuNm encrypted privilege 0
username dimitris attributes
vpn-group-policy pcchellasRAvpn
tunnel-group pcchellasRAvpn type remote-access
tunnel-group pcchellasRAvpn general-attributes
address-pool RAippool
default-group-policy pcchellasRAvpn
tunnel-group pcchellasRAvpn ipsec-attributes
ikevpre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bb67aed98ceec15cbc78e3920641f5bb
: end
07-28-2011 03:49 PM
Can you add the following commands :-
asa(config)# crypto isakmp nat-traversal 20
asa(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
Also, Please post logs from the ASA side.
Manish
07-29-2011 06:19 AM
I entered the "crypto isakmp nat-traversal 20", but seems not to be written in the running configuration.
Any ideas?
Thank you.
07-29-2011 10:38 AM
Change:
access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.0
to:
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
Make sure you redefine:
nat (inside) 0 access-list inside_nat0_outbound
Sometimes when you delete NAT ACL it will also remove this statement.
if still doesn't work also try:
group-policy pcchellasRAvpn internal
group-policy pcchellasRAvpn attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group pcchellasRAvpn ipsec-attributes
no ikevpre-shared-key *
pre-shared-key *
Also, I noticed your DNS Server is your ASA Default Gateway. ASA does not perform DNS so you might want to list your enterprise DNS Server, or disable the option.
EDIT: Also, you do not have split tunneling enabled, so all internet traffic will come through the VPN tunnel. You will have to setup:
nat (outside) 1 192.168.11.0 255.255.255.0
nat (outside) 0 access-list nonat
To enable internet traffic over VPN.
Or create a split tunnel ACL and define it in your group policy.
Everything else looks okay.
I entered the "crypto isakmp nat-traversal 20", but seems not to be written in the running configuration.
It might be a default value. Default values do not appear in the running config usually.
07-30-2011 06:57 AM
So, for the split tunneling I will use the following conf, which will permit only the traffic from the inside interface to go over VPN:
access-list split_Tunn extended permit ip 192.168.178.0 255.255.255.0 any
group-policy pcchellasRA internal
group-policy pcchellasRA attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_Tunn
I have opened the following ports (port forwarding to the outside ASA interface) at the adsl router in order to make sure that the vpn traffic and connection will pass:
ESP, udp 500, udp 4500.
Do I have to check anything else on the adsl router (Fritz Box Fon)?
07-30-2011 12:28 PM
access-list split_Tunn extended permit ip 192.168.178.0 255.255.255.0 any
group-policy pcchellasRA internal
group-policy pcchellasRA attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_Tunn
Correct.
I have opened the following ports (port forwarding to the outside ASA interface) at the adsl router in order to make sure that the vpn traffic and connection will pass:
ESP, udp 500, udp 4500.
Do I have to check anything else on the adsl router (Fritz Box Fon)?
Looks good, make sure AH is also allowed
Let us know your results.
07-31-2011 01:38 AM
I thought that Fritz box couldn't support AH protocol (port forwarding), so there might be a problem.
After attempting the "nmap", I saw that both protocols, AH and ESP, are open at the public IP. The problem might be after leaving the adsl router.
Do I have to open these ports at outside interface at ASA?
Also, should I add a static route to the inside and/or outside interfaces, because there might be a problem with communication between the adsl router and ASA? I have drawn a rough picture, describing the network.
08-03-2011 11:57 PM
Unfortunately, this implementation didn't work, because there seem to be a problem with the adsl router which doesn't let the IPSec traffic through.
The only way that this can be done is with GRE protocol and PPTP (1723) which are allowed through the adsl router.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide