867 Views | 0 Helpful | 6 Replies

Help! VPN configuration on ASA5505 not working...

Marco Balocco
Level 1

Hello everyone,

I'm new to this forum! I would like to configure a Cisco ASA5505 IPsec VPN. I used the wizard and tried to connect to the outside... it does not work...
The network is configured in this manner:
- ADSL router with a public address and internal address 192.168.2.1 -> firewall with outside interface 192.168.2.2 and inside interface 192.168.3.1 (my network is 192.168.3.0). I use a VPN pool ranging from 192.168.4.1 to 192.168.4.100.

INTERNET ----- ROUTER ------ ASA5505 -------LAN


What should I change? Could there be problems between the router and the firewall?
Do you have any easy documentation to follow?
Thanks in advance.

I am also attaching the configuration.

: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password mdoillqq.abBsHGn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network FW_Arpa_Bra
host 82.119.218.130
description Ip Address Bra
object network NETWORK_OBJ_192.168.4.0_26
subnet 192.168.4.0 255.255.255.192
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended permit ip object FW_Arpa_Bra any
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_ADDRESS 192.168.4.1-192.168.4.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.4.0_26 NETWORK_OBJ_192.168.4.0_26
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map ARPA_MAP
map-name  memberOf IETF-Radius-Class
map-value memberOf CN=administrators,CN=Users,DC=arpa,DC=locale Policy1
dynamic-access-policy-record DfltAccessPolicy
aaa-server ARPAUK_DOMAIN protocol ldap
aaa-server ARPAUK_DOMAIN (inside) host 192.168.3.2
ldap-base-dn dc=arpauk, dc=locale
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=administrator, cn=users, dc=arpauk, dc=locale
server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test_2 internal
group-policy test_2 attributes
dns-server value 192.168.3.2
vpn-tunnel-protocol IPSec
group-policy test1 internal
group-policy test1 attributes
dns-server value 192.168.3.2
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy test_1 internal
group-policy test_1 attributes
dns-server value 192.168.3.2 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy test internal
group-policy test attributes
dns-server value 192.168.3.2 192.168.3.1
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username admin password Jkpnd7YDhgBi4IUs encrypted privilege 15
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool VPN_ADDRESS
default-group-policy test_2
tunnel-group test ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
Cryptochecksum:090de209ab7c6a022ee0e4e6a36e4904
: end

6 Replies

Marco,

The first thing is that the ASA has a private IP on its outside interface.

This means that in order for the VPN to work, the router (on the outside) should be doing NAT for the ASA's IP, 192.168.2.2.

Do you have IP connectivity from the Internet to the ASA?

If you do... then it's just a matter of seeing why the tunnel is not establishing correctly.


Federico.

Hi Federico,

thank you for your response.

Sorry, what does "verify IP connectivity from the Internet to the ASA" mean?

How can I do NAT on the router? What kind of command do I need to enter?

Thank you for your patience!

Marco,

What I'm saying is that the ASA is not directly accessible from the Internet because the WAN IP is a private IP.

If you assign a public IP to the ASA, then you can connect directly from the Internet.

Now... when a private IP is assigned, the only way to reach the ASA from the Internet is when another device (in this case the router in front) NATs that IP to a public IP.

All I'm saying is that only public IPs are accessible from the outside world (no private IPs).

So, before checking whether the VPN is working... check that you can indeed connect to the ASA from the Internet (for example with PING).

An example of NAT on the router could be:

ip nat inside source static 192.168.2.2 x.x.x.x

Assuming that x.x.x.x is the public IP to access the ASA from the Internet.

Hope it helps.


Federico.

Ok!

So do I need another public IP address in addition to the router's?
Or can I use the same public IP address as the router?


Thank you very much

Your help is very important

You can either use another public IP address or use the same public IP of the router and redirect VPN traffic to the ASA.

This can be done with port forwarding where you redirect UDP 500, UDP 4500 and ESP from the router's public IP to the ASA's outside IP.

Federico.
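As an added example (not part of the thread, and not Cisco's code), the script below runs the checks Federico's replies turn on against a constructed excerpt of Marco's posted config, and derives the router-side lines for both options he gives: a spare public address with one-to-one static NAT (his `ip nat inside source static 192.168.2.2 x.x.x.x`), or reusing the router's own address by forwarding UDP 500, UDP 4500 and ESP to the ASA. The router syntax is assumed to be Cisco IOS; the thread never identifies the ADSL router, so the real device may need its own CLI or web-UI equivalent. `Dialer0` and `203.0.113.5` are placeholders, and `parse_interfaces`, `check_vpn_reachability`, `router_nat_lines` and `plan` are names chosen here.

```python
"""Check an ASA remote-access VPN config for the reachability problem discussed in the
thread (private address on the outside interface) and derive the upstream NAT lines.

Assumptions: SAMPLE_CONFIG is a constructed excerpt of the posted ASA 8.3(1) config;
router lines use Cisco IOS syntax, which the thread does not confirm for the ADSL router.
"""
import ipaddress
import re

# Constructed excerpt of the config posted above (only the lines these checks read).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
ip local pool VPN_ADDRESS 192.168.4.1-192.168.4.50
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
"""

# RFC 1918 space: what Federico means by "private IP" (not reachable from the Internet).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# UDP ports an IPsec remote-access client must reach: IKE (500) and NAT-T (4500);
# ESP (IP protocol 50) is needed for clients that do not negotiate NAT-T.
IPSEC_UDP_PORTS = (500, 4500)


def parse_interfaces(config):
    """Map each 'nameif' to its IPv4Interface by walking the ASA 'interface' blocks."""
    ifaces = {}
    name = addr = None
    for line in config.splitlines():
        if line.startswith("interface "):   # a new block starts: forget the previous one
            name = addr = None
            continue
        m = re.match(r"\s*nameif (\S+)$", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*ip address (\S+) (\S+)$", line)
        if m:
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        if name and addr:
            ifaces[name] = addr
    return ifaces


def check_vpn_reachability(config):
    """Return, as booleans, the facts the replies in the thread depend on."""
    lines = config.splitlines()
    outside = parse_interfaces(config).get("outside")
    return {
        "crypto_map_bound_to_outside": any(
            re.match(r"crypto map \S+ interface outside$", l) for l in lines),
        "isakmp_enabled_on_outside": "crypto isakmp enable outside" in lines,
        # RFC 1918 on the outside interface: the Internet cannot reach the ASA directly,
        # so the device in front of it has to NAT or port-forward to 192.168.2.2.
        "outside_ip_is_private": outside is not None and any(outside.ip in n for n in RFC1918),
    }


def router_nat_lines(asa_outside_ip, public_ip=None, wan_if=None):
    """IOS-style lines for the router in front of the ASA (assumed syntax).

    public_ip given: spare public address, one-to-one static NAT (first option).
    wan_if given:    reuse the router's own WAN address and forward UDP/500, UDP/4500
                     and ESP to the ASA (second option).
    """
    ipaddress.IPv4Address(asa_outside_ip)   # raises ValueError on a malformed address
    if public_ip:
        return [f"ip nat inside source static {asa_outside_ip} {public_ip}"]
    if wan_if:
        fwd = [f"ip nat inside source static udp {asa_outside_ip} {p} interface {wan_if} {p}"
               for p in IPSEC_UDP_PORTS]
        fwd.append(f"ip nat inside source static esp {asa_outside_ip} interface {wan_if}")
        return fwd
    raise ValueError("need public_ip (static NAT) or wan_if (port forwarding)")


def plan(config, public_ip=None, wan_if="Dialer0"):
    """Combine the checks with the router lines: emit NAT lines only when they are needed."""
    findings = check_vpn_reachability(config)
    asa_ip = str(parse_interfaces(config)["outside"].ip)
    nat = router_nat_lines(asa_ip, public_ip, wan_if) if findings["outside_ip_is_private"] else []
    return findings, nat


if __name__ == "__main__":
    findings, nat = plan(SAMPLE_CONFIG, wan_if="Dialer0")   # Dialer0: placeholder WAN interface
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("router lines needed:")
    print("\n".join(nat) or "(none: outside address is public)")
```

Run as-is it reports 192.168.2.2 as RFC 1918 and prints the three forwarding lines; pass `public_ip="203.0.113.5"` for the one-to-one NAT variant, or substitute a routable outside address in the excerpt and it prints none, which is Federico's "assign a public IP to the ASA" alternative. Even after the router is fixed, the thread's own next step still applies: confirm reachability from the Internet before debugging the tunnel itself.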

Ok,

I understand: first I have to modify the setup of my router, and then I can manage the VPN on the ASA.

Right?

Thank you in advance.

I will let you know how this activity develops.

Thank you!