07-16-2012 01:53 AM
Hello to all,
I'm configuring this asa for to connect home users to my network using the native microsoft vpn clients with windows xp over internet.
This asa have on the outside interface one public intenet ip and in the inside inferface have configured in the the network 192.168.0.x and i want to acces to this network from internet users using native vpn clients.
I tested with one pc connected directly to the outside interface and works well, but when i connect this interface to internet and tried to connect on user to the vpn i can see in the logs this, and can't connect with error 800.
TCP request discarded from "public_ip_client/61648" to outside:publicip_outside_interface/1723"
Can help me please?, Very thanks in advance !
(running configuration)
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password *** encrypted
passwd *** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address publicinternetaddress 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network gatewayono
host gatewayofinternetprovideraccess
description salida gateway ono
object service remotointerno
service tcp destination eq 3389
description remoto
object network pb_clienteing_2
host 192.168.0.15
description Pebble cliente ingesta 2
object service remotoexternopebble
service tcp destination eq 5353
description remotoexterno
object network actusmon
host 192.168.0.174
description Actus monitor web
object service Web
service tcp destination eq www
description 80
object network irdeto
host 192.168.0.31
description Irdeto
object network nmx_mc_p
host 192.168.0.60
description NMX Multicanal Principal
object network nmx_mc_r
host 192.168.0.61
description NMX multicanal reserva
object network tarsys
host 192.168.0.10
description Tarsys
object network nmx_teuve
host 192.168.0.30
description nmx cabecera teuve
object network tektronix
host 192.168.0.20
description tektronix vnc
object service vnc
service tcp destination eq 5900
description Acceso vnc
object service exvncnmxmcr
service tcp destination eq 5757
description Acceso vnc externo nmx mc ppal
object service exvncirdeto
service tcp destination eq 6531
description Acceso vnc externo irdeto
object service exvncnmxmcp
service tcp destination eq 5656
object service exvnctektronix
service tcp destination eq 6565
object service exvncnmxteuve
service tcp destination eq 6530
object service ssh
service tcp destination eq ssh
object service sshtedialexterno
service tcp destination eq 5454
object-group service puertosabiertos tcp
description remotedesktop
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object irdeto
network-object object nmx_mc_p
network-object object nmx_mc_r
network-object object nmx_teuve
network-object object tektronix
object-group service vpn udp
port-object eq 1723
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq pptp
object-group network DM_INLINE_NETWORK_2
network-object object actusmon
network-object object tarsys
access-list inside_access_in extended permit object remotointerno any any
access-list inside_access_in extended permit object ssh any any
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object vnc any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object remotointerno any object pb_clienteing_2
access-list outside_access_in extended permit object-group TCPUDP any object actusmon eq www
access-list outside_access_in remark Acceso tedial ssh
access-list outside_access_in extended permit tcp any object tarsys eq ssh
access-list outside_access_in extended permit object vnc any object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended deny icmp any any
access-list corporativa standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging asdm debugging
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool clientesvpn 192.168.0.100-192.168.0.110 mask 255.255.255.0
ip local pool clientesvpn2 192.168.1.120-192.168.1.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any interface destination static interface actusmon service Web Web unidirectional
nat (outside,inside) source static any interface destination static interface tarsys service sshtedialexterno ssh unidirectional
nat (outside,inside) source static any interface destination static interface pb_clienteing_2 service remotoexternopebble remotointerno unidirectional
nat (outside,inside) source static any interface destination static interface irdeto service exvncirdeto vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_p service exvncnmxmcp vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_r service exvncnmxmcr vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_teuve service exvncnmxteuve vnc unidirectional
nat (outside,inside) source static any interface destination static interface tektronix service exvnctektronix vnc unidirectional
nat (any,outside) source dynamic DM_INLINE_NETWORK_2 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside per-user-override
route outside 0.0.0.0 0.0.0.0 gatewayinternetprovideracces 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
aaa local authentication attempts max-fail 10
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp mode transport
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set clientewindowsxp
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TP-VPN-MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint Ingenieria
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.36 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point Ingenieria outside
webvpn
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server none
dns-server value 192.168.0.1
vpn-tunnel-protocol l2tp-ipsec
default-domain none
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy ingenieria internal
group-policy ingenieria attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain none
group-policy L2TP-Policy internal
group-policy L2TP-Policy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
intercept-dhcp enable
username ingenieria password 4fD/5xY/6BwlkjGqMZbnKw== nt-encrypted privilege 0
username ingenieria attributes
vpn-group-policy ingenieria
username rjuve password SjBNOLNgSkUi5KWk/TUsTQ== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool clientesvpn
address-pool clientesvpn2
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
default-group-policy L2TP-Policy
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
!
prompt hostname context
call-home reporting anonymous
Cryptochecksum:59b54f1d10fe829aeb47bafee57ba95e
: end
no asdm history enable
Solved! Go to Solution.
07-16-2012 07:23 AM
I ramon i guess the service policy is not applied in the firewall. So it is not taking the non trusted other than the same public segment.
Apply like this.
service-policy global_policy global.
bcos as per the old configs i do see the policy was not applied. Please let me know the results.
Please rate if the given info helps.
07-16-2012 03:55 AM
Hi Ramon,
Ist thing you have to add the inspect statement in policy-map global-policy which is in the last
policy-map global_policy
inspect pptp
!
After that also if it not works... then allow gre from source to destination.
This will resolve the issue i guess...
Please rate if the given info helps.
07-16-2012 04:25 AM
Yep i'm real beginning user of Cisco and i don't how i can add this in the configuration, i'm using 6.4 asdm or telnet to the cisco, but i can't put "inspect pptp" directly.
I can acces with telnet, after this i loggued, put "configure t" and after i go to the polity-map global_policy but inside i can't put inspect... it's possible this don't work for i have diferent version?
Thanks in advance Karthikeyan !
07-16-2012 04:56 AM
Hi Ramon,
Either you can get in to the policy map and do it or to make it simple....
from conf t # fixup protocol pptp 1723
it will add to the inspect. also you can have the below added as well for other service which is normally there in default configuration.
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect xdmcp
inspect netbios
inspect tftp
inspect sqlnet
!
07-16-2012 05:13 AM
Yes with this command creates this
policy-map global_policy
class inspection_default
inspect pptp
!
But don't work. I also tried to add the pptp and gre in the outside access rules but nothing...
I don't understand why if a connect directly to the outside interface with the same outside network works well.
ej: the pc have 89.120.145.14 ip and the outside asa have 89.120.145.140 and if I create one vpn in this pc the outside ip 89.120.145.140 with the correct parameters the asa don't discart 1723 and connect ok but if this ip is not of this range discards 1723...
07-16-2012 07:23 AM
I ramon i guess the service policy is not applied in the firewall. So it is not taking the non trusted other than the same public segment.
Apply like this.
service-policy global_policy global.
bcos as per the old configs i do see the policy was not applied. Please let me know the results.
Please rate if the given info helps.
07-17-2012 03:07 AM
Thanks, after change this, the packet has not dicarted but i can't connect windows xp and windows 7 to the vpn server using l2tp-ipsec, have error 800.
After this i tried the configuration for anyconnect client webbased and this works very fast and better. I thinks is better solution.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide