I have an ASA5520 and need to allow users to connect to the inside network (and some users to the management network if possible), using the VPN client. I went through the wizard on the ASDM and created an access control list for the ports used by the VPN client. When checking the logs, it tends to say that the access to the port is denied by the outside interface. Using the packet trace feature it fails on my implicit deny all for the outside interface, even though I specifically gave access on those ports. Could this be a group policy issue, or some other feature not being setup properly?
Here is what I'm allowing:
object-group service DM_INLINE_SERVICE_4
service-object tcp-udp eq 10000
service-object udp eq isakmp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any host IP1
This is what I see on the log:
|2||Apr 06 2010||11:29:20||106006||10.10.101.28||4765||IP1||500||Deny inbound UDP from 10.10.101.28/4765 to IP1/500 on interface outside|
Please chjeck the below link to make sure everything is configured correctly.
If you still experience issues, post the configs of the ASA (show runn).
Make sure the client is offering the transforms you have set on your ASA.
For example, if you are tying to use AES-128, the IPSEC client needs to offer AES-128.
If you are connected to the CLI of the ASA and run debug crypto isakmp 254 and then try to connect. The "Wall of text" that appears will also show the transform sets the client is offering to the ASA. Depending on the ipsec client I have seen this vary from 4 to 12 offerings. Make sure you configure the ASA to one of those options.
How do I configure the VPN client to the transforms on the ASA? I'm using Cisco VPN Client v5.0.06.0160.
On another note, what are transforms? Are they necessary? Is there a document on this so I can do some more reading?
My apologies, I misread the error.
As a test, edit the VPN using the ASDM to bypass the access list when connecting to the VPN. This is in step one of configuring the VPN.
If that works, it could be the access list "...service_4" is permitting traffic to an IP that is not on the firewall.
I thought about this last night. The denied error is to IP1. Are you telling the VPN client to connect to the outside interface of the ASA or are you trying to connect the VPN to IP1?
When you run the wizard, it will setup the VPN to allow it to connect to the interface you specify in the wizard. In this case I would guess that you would want to use the outside interface. Your VPN client should then use that host address (Outside interface) to connect to. That deny almost looks like you are trying to connect to IP1.