ASA remote-access VPN

egeorgopoulos · ‎07-28-2011

Hello,

I have the below configuration for a cisco asa 5505. There is a ADSL router in front of the ASA which has a static IP. I set up a remote-access VPN (using the wizard), but I cannot connect to the ASA firewall as the attached VPN client log shows. My only concern is that there might be something missing, ie a static route that goes to the inside interface. Is that correct? If not, can you please let me know what else I can look.

Thank you in advance.

ASA Version 8.2(1)

!

hostname ciscoasa

enable password f7Bv8Dr8BwaT3nc3 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.178.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object-group service DM_INLINE_SERVICE_1

service-object gre

service-object tcp eq pptp

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.178.210

access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool RAippool 192.168.11.1-192.168.11.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) interface 192.168.178.210 netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.178.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=ciscoasa

crl configure

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.178.5-192.168.178.132 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy pcchellasRAvpn internal

group-policy pcchellasRAvpn attributes

dns-server value 192.168.178.1

vpn-tunnel-protocol IPSec ikev

username george password cg/xrXSWiXyR6iSy encrypted privilege 0

username george attributes

vpn-group-policy pcchellasRAvpn

username liakos password U4.jdhW5HFwo1Nmo encrypted

username liakos attributes

service-type nas-prompt

username dimitris password rja7bfUnqVzxiuNm encrypted privilege 0

username dimitris attributes

vpn-group-policy pcchellasRAvpn

tunnel-group pcchellasRAvpn type remote-access

tunnel-group pcchellasRAvpn general-attributes

address-pool RAippool

default-group-policy pcchellasRAvpn

tunnel-group pcchellasRAvpn ipsec-attributes

ikevpre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:bb67aed98ceec15cbc78e3920641f5bb

: end

manish arora · ‎07-28-2011

Can you add the following commands :-

asa(config)# crypto isakmp nat-traversal 20

asa(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

Also, Please post logs from the ASA side.

Manish

egeorgopoulos · ‎07-29-2011

I entered the "crypto isakmp nat-traversal 20", but seems not to be written in the running configuration.

Any ideas?

Thank you.

Steven Tolzmann · ‎07-29-2011

Change:

access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.0

to:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

Make sure you redefine:

nat (inside) 0 access-list inside_nat0_outbound

Sometimes when you delete NAT ACL it will also remove this statement.

if still doesn't work also try:

group-policy pcchellasRAvpn internal

group-policy pcchellasRAvpn attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group pcchellasRAvpn ipsec-attributes

no ikevpre-shared-key *

pre-shared-key *

Also, I noticed your DNS Server is your ASA Default Gateway. ASA does not perform DNS so you might want to list your enterprise DNS Server, or disable the option.

EDIT: Also, you do not have split tunneling enabled, so all internet traffic will come through the VPN tunnel. You will have to setup:

nat (outside) 1 192.168.11.0 255.255.255.0

nat (outside) 0 access-list nonat

To enable internet traffic over VPN.

Or create a split tunnel ACL and define it in your group policy.

Everything else looks okay.

I entered the "crypto isakmp nat-traversal 20", but seems not to be written in the running configuration.

It might be a default value. Default values do not appear in the running config usually.

egeorgopoulos · ‎07-30-2011

So, for the split tunneling I will use the following conf, which will permit only the traffic from the inside interface to go over VPN:

access-list split_Tunn extended permit ip 192.168.178.0 255.255.255.0 any

group-policy pcchellasRA internal

group-policy pcchellasRA attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_Tunn

I have opened the following ports (port forwarding to the outside ASA interface) at the adsl router in order to make sure that the vpn traffic and connection will pass:

ESP, udp 500, udp 4500.

Do I have to check anything else on the adsl router (Fritz Box Fon)?

Steven Tolzmann · ‎07-30-2011

access-list split_Tunn extended permit ip 192.168.178.0 255.255.255.0 any

group-policy pcchellasRA internal

group-policy pcchellasRA attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_Tunn

Correct.

I have opened the following ports (port forwarding to the outside ASA interface) at the adsl router in order to make sure that the vpn traffic and connection will pass:

ESP, udp 500, udp 4500.

Do I have to check anything else on the adsl router (Fritz Box Fon)?

Looks good, make sure AH is also allowed

Let us know your results.

egeorgopoulos · ‎07-31-2011

I thought that Fritz box couldn't support AH protocol (port forwarding), so there might be a problem.

After attempting the "nmap", I saw that both protocols, AH and ESP, are open at the public IP. The problem might be after leaving the adsl router.

Do I have to open these ports at outside interface at ASA?

Also, should I add a static route to the inside and/or outside interfaces, because there might be a problem with communication between the adsl router and ASA? I have drawn a rough picture, describing the network.

egeorgopoulos · ‎08-03-2011

Unfortunately, this implementation didn't work, because there seem to be a problem with the adsl router which doesn't let the IPSec traffic through.

The only way that this can be done is with GRE protocol and PPTP (1723) which are allowed through the adsl router.