Cisco asa vpn ipsec connected to cisco 887vaw

Hamid Amir
Level 1

Hi

 

I have a Cisco ASA connected to a Cisco 887VAW router with a DSL internet connection.

I have an internet connection working on both. I have configured an IPsec VPN on the Cisco ASA; I can connect from inside but I cannot connect from remote.

Can you help please?

 

 

Accepted Solution

Hamid

 

I am very glad to know that you have resolved this issue and that it is working.

 

HTH

Rick


Hi @Hamid Amir

What do you mean when you say you can connect inside but not remote? Your crypto map is applied on the outside interface.

Does your ASA have a license for VPN?

 

 

-If I helped you somehow, please, rate it as useful.-

Hi Flavio Miranda 

Sorry, I did not explain correctly.

I mean I can connect from home (using my router connection) but I cannot connect when I use the public internet (outside home).

Regarding the licence, please see below.

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5505 Security Plus license.

Serial Number: JMX1344Z2JY
Running Permanent Activation Key: 0x4114f37c 0x70ad6fde 0x5c43dde8 0x82e8c0d8 0xc83810b6

 

 


I do not see anything particular in what you have posted so far that would explain why you can connect from home but cannot connect when using the public internet. I wonder if either of these things might be involved:

- I see that your license permits only two VPN sessions. Is it possible that when you attempt to connect from the public interface there are already two VPN sessions?

- Is it possible that you are connecting using a name and that DNS resolution is successful from home but resolves differently (or not at all) from the public internet?

 

HTH

Rick

Hi Richard

 

Sorry, I meant when I use the IP address of the outside interface Ethernet0/0, I get the output below, but no output at all when I use the ISP IP address.

Maybe I need to configure the router to bridge an external IP address (the ISP address) to a device behind the router, and then I would need to do the authentication on the ASA, I presume, but I do not know exactly how?

Kind Regards

Hamid

 

ciscoasa# sh cry ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 10.10.10.2

local ident (addr/mask/prot/port): (172.16.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
current_peer: 192.168.1.103, username: hamid
dynamic allocated peer ip: 192.168.100.1
dynamic allocated peer ip(ipv6): 0.0.0.0

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 10.10.10.2/0, remote crypto endpt.: 192.168.1.103/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0B9BA16E
current inbound spi : 26ED84CA

inbound esp sas:
spi: 0x26ED84CA (653100234)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3588
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x0B9BA16E (194748782)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
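As an added diagnostic for the `show crypto ipsec sa` output above (this is not part of the original thread), a small parser that pulls the peer, SPIs and packet counters out of each crypto map entry and classifies the SA: SPIs present but both counters at zero means IKE built the SA and no ESP has crossed it in either direction, which is exactly what a tunnel looks like when ISAKMP reaches the ASA but ESP does not. The sample input is constructed from the values in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the `show crypto ipsec sa` output posted above.
SAMPLE = """\
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 10.10.10.2
remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
current_peer: 192.168.1.103, username: hamid
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0B9BA16E
current inbound spi : 26ED84CA
"""

# One regex per field, each with a single capture group.
_FIELDS = {
    "local_addr": r"local addr: ([\d.]+)",
    "peer": r"current_peer: ([\d.]+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "outbound_spi": r"current outbound spi: ([0-9A-Fa-f]+)",
    "inbound_spi": r"current inbound spi\s*: ([0-9A-Fa-f]+)",
}

@dataclass
class IpsecSa:
    local_addr: str
    peer: str
    encaps: int
    decaps: int
    outbound_spi: str
    inbound_spi: str

    def status(self) -> str:
        # SPIs exist but both counters are zero: IKE built the SA, no ESP ever flowed.
        if self.encaps == 0 and self.decaps == 0:
            return "negotiated-but-idle"
        if self.decaps == 0:
            return "outbound-only"  # we encrypt, nothing from the peer arrives
        return "inbound-only" if self.encaps == 0 else "passing-traffic"

def parse_ipsec_sa(text: str) -> list:
    """One IpsecSa per 'Crypto map tag:' block; blocks missing a field are skipped."""
    sas = []
    for block in re.split(r"(?=Crypto map tag:)", text)[1:]:
        found = {k: re.search(p, block) for k, p in _FIELDS.items()}
        if all(found.values()):
            vals = {k: m.group(1) for k, m in found.items()}
            vals["encaps"], vals["decaps"] = int(vals["encaps"]), int(vals["decaps"])
            sas.append(IpsecSa(**vals))
    return sas
```

Paste the full command output into `parse_ipsec_sa` and print `sa.peer, sa.status()` for each entry; an "outbound-only" result after the NAT changes later in the thread would point at the return ESP path rather than at IKE.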

 

 

If I understood it right, the public IP address is on the 887vaw; then you are trying to establish a VPN to it?

If so, you should have some NAT on it and forward traffic to the ASA.

Ideally, the ASA should have a public IP address.

 

-If I helped you somehow, please, rate it as useful.-

Hi

Yes, the public IP address is on the 887vaw and I try to establish the VPN on the ASA.

I did a quick bridge configuration to extend the public IP address. Now when I use ipconfig /all on the computer connected to the Cisco ASA it starts to show the public DNS server, which I didn't get using the first configuration, so I think there is a chance to use the bridge configuration.

 

 

 

Ian Walker
Level 1

When you say "connect" do you mean for admin purposes?

You only have:

ssh 172.16.30.0 255.255.255.0 inside

i.e. nothing to allow from outside.

Hamid

 

I am trying to understand this statement from your post

Sorry, I meant when I use the IP address of the outside interface Ethernet0/0, I get the output below, but no output at all when I use the ISP IP address.

Am I correct in assuming that when you got that output that you were on a PC connected to vlan 1 of the router? I can see how that would work because from the PC in vlan 1 the router can forward the VPN request to the ASA and the ASA can respond to the PC in vlan 1.

 

However, that is not the case when you are outside and attempt to use the ISP address (or even if you were inside and used the ISP address of the router). The basic issue here is that the router will receive an ISAKMP request on its outside interface. But the router is not running ISAKMP and cannot process the request, and there is not anything to tell the router to forward the ISAKMP request to the ASA.

 

To get this to work you will need to configure port forwarding on the router so that all ISAKMP and all IPsec packets sent to the ISP address use port forwarding to send them to the ASA.

 

HTH

Rick

Hi

I did use 10.10.10.2 on my iPhone using my cisco 887vaw.

 

Kind Regards

Hamid

Hamid

 

Thank you for confirming that you used your phone connected to the router to VPN to 10.10.10.2. This does support my explanation that VPN access would work for a device connected to the router and that to enable access for VPN from the Internet you will need to configure port forwarding for ISAKMP and IPsec traffic.

 

HTH

Rick

Hi Rick

Please bear with me as I only know the basics.

I did apply the configuration below and I am not sure whether I did the right things, but it is still not working.

On the router I applied:

ip nat inside source static udp 10.10.10.2 4500 interface Dialer0 4500

ip nat inside source static udp 10.10.10.2 500 interface Dialer0 500

and on the ASA I applied:

crypto isakmp nat-traversal 3600

 

Kind Regards

 

Hamid

Hamid

 

This looks like a good start. You have configured port forwarding for ISAKMP. You might try to enable debugging for ISAKMP on the ASA and then try to establish a connection. Check the debug output to verify that it attempted negotiation and whether the negotiation was successful.

 

But there is something else that you need to do for the VPN to work. You need to configure a similar port forwarding for the ESP traffic (which carries the IPsec traffic).

 

HTH

Rick

Hi Richard

Thank you for quick reply.

The debug does not show any results when I use the ISP address; only when I use 10.10.10.2 do I get some data.

I did apply port forwarding for the ESP traffic as below.

ip nat inside source static esp 10.10.10.2 interface Dialer0

 

Kind Regards

 

Hamid