06-14-2007 09:31 AM - edited 02-21-2020 03:06 PM
Have an ASA5505. Below is the error message that the VPN Client log gives while trying to connect.
06-21-2007 11:02 AM
Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
Apply the following command on the ASA:
isakmp nat-traversal 120
06-21-2007 11:08 AM
^ In version 7.2.2 it is "crypto isakmp nat-traversal", and it is already in his config.
07-09-2007 07:08 AM
07-09-2007 09:44 AM
Thomas
I think that I see what the issue is. You want the client to send the ISAKMP negotiation packets (UDP port 500) to the ASA to negotiate the Security Association. But the client is reporting that there is no response. I see the first clue in the debug output from the ASA:
6|Jul 09 2007|10:58:33|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4711 for outside:70.200.193.240/1157 (70.200.193.240/1157) to inside:192.168.1.50/500 (66.64.170.18/500)
Note that it is building an inbound connection, and note that it is building it to destination address 192.168.1.50. So the ISAKMP is being sent to some device on the inside network rather than being processed on the ASA. The inside device is not processing the ISAKMP request, and this is why the client receives no response.
I believe that this is due to this line in the config:
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
This will translate any traffic arriving on the outside interface to the 192.168.1.50 address, including your ISAKMP traffic.
I believe that if you are going to translate all inbound traffic to the inside address that you need a translation of UDP 500 and of ESP to stay on the ASA outside address.
HTH
Rick
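The diagnosis above rests on reading one 302015 "Built inbound UDP connection" record and noticing that a packet for UDP/500 is being handed to an inside host instead of terminating on the firewall. The following is an added example, not code from the thread or from Cisco: a small detector that parses that syslog format and flags exactly that condition. It assumes the outside address 66.64.170.18 quoted in the debug output; the first sample line is the record from the thread, the others are constructed.

```python
import re
from typing import Dict, List, Optional

# Assumption: the ASA outside address shown in the thread's debug output.
OUTSIDE_IP = "66.64.170.18"
# ISAKMP (500) and NAT-T (4500): both must terminate on the ASA for the VPN to work.
IKE_PORTS = {500, 4500}

# Body of an ASA "Built ... connection" message (302013 for TCP, 302015 for UDP):
#   for <ifc>:<real>/<port> (<mapped>/<port>) to <ifc>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn>\d+) "
    r"for (?P<src_ifc>[A-Za-z0-9_-]+):(?P<src_real>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_map>[\d.]+)/(?P<src_map_port>\d+)\) "
    r"to (?P<dst_ifc>[A-Za-z0-9_-]+):(?P<dst_real>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_map>[\d.]+)/(?P<dst_map_port>\d+)\)"
)

# Constructed sample: line 1 is the record quoted in the thread (pipe-delimited syslog
# export); line 2 is a constructed SMTP hit that is expected behaviour for the static PAT;
# line 3 is a constructed teardown record the detector must ignore.
SAMPLE_LOGS = [
    "6|Jul 09 2007|10:58:33|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4711 "
    "for outside:70.200.193.240/1157 (70.200.193.240/1157) to inside:192.168.1.50/500 (66.64.170.18/500)",
    "6|Jul 09 2007|10:58:40|302013|70.200.193.240|192.168.1.50|Built inbound TCP connection 4712 "
    "for outside:70.200.193.240/40001 (70.200.193.240/40001) to inside:192.168.1.50/25 (66.64.170.18/25)",
    "6|Jul 09 2007|10:58:41|302016|70.200.193.240|192.168.1.50|Teardown UDP connection 4711 "
    "for outside:70.200.193.240/1157 to inside:192.168.1.50/500 duration 0:00:01 bytes 0",
]


def parse_built(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a Built-connection record, or None for other messages."""
    m = BUILT_RE.search(line)
    return m.groupdict() if m else None


def find_forwarded_ike(lines: List[str], outside_ip: str = OUTSIDE_IP) -> List[Dict]:
    """Flag inbound IKE packets that the ASA translated to an inside host.

    The tell-tale is a destination whose mapped address is the firewall's own outside
    address while the real address is some other host: the static is swallowing
    UDP/500 (or 4500) that the ASA itself should have answered.
    """
    findings = []
    for line in lines:
        rec = parse_built(line)
        if rec is None or rec["direction"] != "inbound" or rec["proto"] != "UDP":
            continue
        if int(rec["dst_port"]) not in IKE_PORTS:
            continue
        if rec["dst_map"] == outside_ip and rec["dst_real"] != outside_ip:
            findings.append({
                "conn": int(rec["conn"]),
                "peer": rec["src_real"],
                "forwarded_to": rec["dst_real"],
                "port": int(rec["dst_port"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_forwarded_ike(SAMPLE_LOGS):
        print(f"conn {f['conn']}: IKE from {f['peer']} forwarded to "
              f"{f['forwarded_to']}/{f['port']} instead of terminating on the ASA")
```

Run against a syslog export from the ASA; any finding means an inbound static is catching IKE, and the VPN client will see exactly the "no response" symptom described in the thread even though the firewall is reachable.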
07-09-2007 10:15 AM
I agree with your assessment, however I do not have the savvy to "translate all inbound traffic to the inside address that you need a translation of UDP 500 and of ESP to stay on the ASA outside address."
How do I go about doing that?
Thanks in advance!
07-09-2007 10:19 AM
You could set up port address translation instead for each of the ports you need access to...
no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
etc.
07-09-2007 10:23 AM
I just need to make sure that I don't cause any problems with the current routing as I had some difficulty getting it set up in the first place.
XXX.XXX.XXX.20 needs SMTP on 192.168.1.30
XXX.XXX.XXX.18 needs SMTP on 192.168.1.50
XXX.XXX.XXX.18 is the "Outside interface" and has a route to XXX.XXX.XXX.17.
07-09-2007 10:51 AM
Thomas
I have not tried it this way but I wonder if you could add this:
static (inside,outside) udp interface isakmp 66.64.170.18 isakmp netmask 255.255.255.255
static (inside,outside) esp interface 66.64.170.18 netmask 255.255.255.255
before the existing translate.
HTH
Rick
07-09-2007 11:05 AM
Here are the changes from your initial posted config. This will allow you to hit all your existing ports to 192.168.1.50 and 1.30. It will also keep your outside interface clear for the vpn.
no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
clear xlate
Your final static config should look like this...
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
Just wanted to add that this would disconnect any existing connections but will not affect routing.
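To make the difference between the two configurations concrete, here is an added example (not code from the thread, the poster, or Cisco) that parses the 7.x static lines quoted above into a translation table and answers, for a packet arriving on the outside interface, whether it is handed to an inside host or left for the ASA to process. The translation decision is a deliberately simplified model (first matching static in config order wins, a 1:1 static matches every protocol and port); the outside address 66.64.170.18 is taken from the thread's debug output, and the redacted "xxxx.170.20" is kept as the literal string the thread shows.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the ASA outside address quoted in the thread's debug output.
OUTSIDE_IP = "66.64.170.18"

# Service names used in the thread's static lines, resolved to port numbers.
PORT_NAMES = {"smtp": 25, "https": 443, "isakmp": 500}


@dataclass(frozen=True)
class Static:
    proto: Optional[str]        # "tcp"/"udp" for static PAT, None for a 1:1 static
    mapped_ip: str              # address the outside world sends to
    mapped_port: Optional[int]
    real_ip: str                # inside host the packet is handed to
    real_port: Optional[int]


def parse_static(line: str, interface_ip: str = OUTSIDE_IP) -> Static:
    """Parse one 'static (inside,outside) ...' line; the netmask is ignored."""
    toks = line.split()
    if toks[:1] != ["static"]:
        raise ValueError(f"not a static line: {line}")
    body = toks[2:]                      # drop 'static' and '(inside,outside)'
    if "netmask" in body:
        body = body[: body.index("netmask")]

    def ip(tok: str) -> str:
        return interface_ip if tok == "interface" else tok

    def port(tok: str) -> int:
        return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

    if body[0] in ("tcp", "udp"):        # static PAT: proto mapped mport real rport
        return Static(body[0], ip(body[1]), port(body[2]), body[3], port(body[4]))
    return Static(None, ip(body[0]), None, body[1], None)   # 1:1 static


def apply_config(lines: List[str], existing: Optional[List[Static]] = None) -> List[Static]:
    """Apply 'static' and 'no static' lines in order on top of an existing table."""
    table = list(existing or [])
    for raw in lines:
        line = raw.strip()
        if line.startswith("no static "):
            entry = parse_static(line[3:])
            table = [s for s in table if s != entry]
        elif line.startswith("static "):
            table.append(parse_static(line))
        # 'clear xlate' only flushes live translations; it does not change the rules.
    return table


def inbound_destination(table: List[Static], proto: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """Simplified model of the decision for a packet arriving on the outside interface.

    Returns the inside host the packet is translated to, or None when no static matches
    and the ASA processes the packet itself, which is what IKE on UDP/500 requires.
    """
    for s in table:
        if s.mapped_ip != dst_ip:
            continue
        if s.proto is None:                                  # 1:1 static catches everything
            return s.real_ip
        if s.proto == proto and s.mapped_port == dst_port:
            return s.real_ip
    return None


# The poster's original statics as quoted in the thread ("xxxx.170.20" is redacted there).
BEFORE = apply_config([
    "static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255",
    "static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255",
])

# The accepted fix, applied on top of the original table.
AFTER = apply_config([
    "no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255",
    "static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255",
    "static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255",
    "static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255",
    "clear xlate",
], existing=BEFORE)

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        ike = inbound_destination(table, "udp", OUTSIDE_IP, 500)
        smtp = inbound_destination(table, "tcp", OUTSIDE_IP, 25)
        print(f"{name}: UDP/500 -> {ike or 'handled by ASA'}, TCP/25 -> {smtp}")
```

The model shows the two properties the thread cares about: with the 1:1 static, every inbound packet to the outside address, IKE included, lands on 192.168.1.50; with per-port static PAT, the published TCP ports still reach 192.168.1.50 while UDP/500 (and anything else not listed) stays on the ASA. The second static to 192.168.1.30 is untouched by the change.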
07-10-2007 04:40 AM
Thanks to all for the help. That was the issue. There was the static 1-1 on the outside interface that was effectively forwarding all traffic (including VPN) to the internal address.