How to switch the ASA VPN from IPSEC over UDP to TCP

I have a customer that has a remote office with 2 PCs that VPN in to their HQ location. Previously both PCs were at different locations; now they are at the same location. Both PCs are able to successfully establish a VPN connection to HQ using the Cisco VPN Client Version 5.0.07.0290, but only 1 system is actually passing traffic and is able to access resources at HQ.

I asked another engineer and they said "you have to configure IPSEC over TCP or use AnyConnect to have multiple clients behind the same remote PAT'ed public IP address...". I'd like to go with the IPSEC over TCP route so I won't have to uninstall the old client and go through the process of installing the AnyConnect client. Below is the configuration of the ASA 5505. Thanks in advance for any help.

CLIENTASA# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname CLIENTASA
domain-name client.local
enable password 72LucMgVuxp5I3Ox encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name client.local
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list outside_in extended permit tcp any any eq smtp
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq https
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.99.99.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL 10.99.99.100-10.99.99.200
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp-3des esp-des esp-md5-hmac
crypto dynamic-map VPNDYN 1 set transform-set esp-3des
crypto map vpn 65535 ipsec-isakmp dynamic VPNDYN
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.2
dhcpd auto_config outside
!
ssl encryption des-sha1 rc4-md5
group-policy VPN-POLICY internal
group-policy VPN-POLICY attributes
 dns-server value 192.16.1.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
username admin password PWpqnmc2BqJP9Qrb encrypted privilege 15
username vpn2 password ZBNuNQsIyyMGbOB2 encrypted
username vpn3 password 15c4LrPNccaj1Ufr encrypted
username vpn1 password fsQgwXwSLokX6hEU encrypted
tunnel-group CLIENTVPN type ipsec-ra
tunnel-group CLIENTVPN general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-POLICY
tunnel-group CLIENTVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:41bd95c164a63bb26b01c109ab1bd68a
: end
CLIENTASA#

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You could try adding

crypto isakmp nat-traversal 30

and testing the connections.

To use TCP, I think you only need to add

crypto isakmp ipsec-over-tcp 10000

You will also have to change the Transparent Tunneling setting in the VPN Client software profile to use TCP instead of the NAT/PAT option.

- Jouni


Thanks for the help, Jouni Forss. The command crypto isakmp nat-traversal 30 was all that I needed to enter.
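As an added example for the accepted answer and the confirmation above (editor's code, not from the thread and not Cisco's): a small Python checker that reads the crypto section of the posted running config, reports whether 'crypto isakmp nat-traversal' and 'crypto isakmp ipsec-over-tcp' are present, and lists the commands still missing for several VPN Client users behind one PAT address. It also flags the DES/MD5 phase-1 policies in the posted config, a point the thread itself does not raise. The config excerpt inside it is constructed from the posted 'sh run'; the 'port' keyword in the remediation line follows the ASA command reference syntax 'crypto isakmp ipsec-over-tcp [port port1...port10]', and the defaults assumed when the keyword or number is omitted (keepalive 20 s, port 10000) are taken from that reference, not from the thread.

```python
"""Audit an ASA running-config for the remote-access IPsec settings the thread
turns on: 'crypto isakmp nat-traversal' and 'crypto isakmp ipsec-over-tcp'.
Added example; not code from the thread or from Cisco."""

import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the crypto section of the posted 'sh run', before the
# fix: neither NAT-T nor IPsec-over-TCP is configured, so a client behind PAT
# sends raw ESP (IP protocol 50), which carries no port for PAT to multiplex on.
CONFIG_BEFORE = """\
crypto ipsec transform-set esp-3des esp-des esp-md5-hmac
crypto dynamic-map VPNDYN 1 set transform-set esp-3des
crypto map vpn 65535 ipsec-isakmp dynamic VPNDYN
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
"""

# The same excerpt with the two commands from the accepted answer appended.
CONFIG_AFTER = CONFIG_BEFORE + (
    "crypto isakmp nat-traversal 30\n"
    "crypto isakmp ipsec-over-tcp port 10000\n"
)

# ASA syntax (assumed from the command reference): 'crypto isakmp nat-traversal
# [natkeepalive]', default 20 s, and 'crypto isakmp ipsec-over-tcp [port
# port1...port10]', default port 10000. The TCP pattern also accepts the form
# without the 'port' keyword, as it was written in the thread.
NAT_T_RE = re.compile(r"^crypto isakmp nat-traversal(?:\s+(\d+))?\s*$")
TCP_RE = re.compile(r"^crypto isakmp ipsec-over-tcp(?:\s+port)?((?:\s+\d+)*)\s*$")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")

# Phase-1 algorithm choices to flag; the reasons are the editor's, not the thread's.
WEAK_ENCRYPTION = {"des": "DES (56-bit key) is broken", "3des": "3DES is legacy"}
WEAK_HASH = {"md5": "MD5 is deprecated for IKE"}


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {policy-number: {attribute: value}} for each 'crypto isakmp policy'.
    Sub-mode lines are the space-indented lines after the header, as 'show run' prints them."""
    policies: Dict[int, Dict[str, str]] = {}
    current: Optional[int] = None
    for raw in config.splitlines():
        m = POLICY_RE.match(raw)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            policies[current][key] = value
        elif raw.strip():
            current = None  # any other top-level command ends the sub-mode
    return policies


def audit(config: str) -> dict:
    """Report NAT-T / IPsec-over-TCP state, weak phase-1 policies, and the
    commands still missing for clients behind a shared PAT address."""
    nat_t_keepalive: Optional[int] = None
    tcp_ports: Optional[List[int]] = None
    for line in config.splitlines():
        m = NAT_T_RE.match(line)
        if m:
            nat_t_keepalive = int(m.group(1)) if m.group(1) else 20
            continue
        m = TCP_RE.match(line)
        if m:
            ports = m.group(1).split()
            tcp_ports = [int(p) for p in ports] if ports else [10000]

    weak: List[Tuple[int, str]] = []
    for number, attrs in sorted(parse_isakmp_policies(config).items()):
        enc, hsh = attrs.get("encryption", ""), attrs.get("hash", "")
        if enc in WEAK_ENCRYPTION:
            weak.append((number, WEAK_ENCRYPTION[enc]))
        if hsh in WEAK_HASH:
            weak.append((number, WEAK_HASH[hsh]))

    remediation: List[str] = []
    if nat_t_keepalive is None:
        remediation.append("crypto isakmp nat-traversal 30")
    if tcp_ports is None:
        remediation.append("crypto isakmp ipsec-over-tcp port 10000")

    return {
        "nat_traversal_keepalive": nat_t_keepalive,
        "ipsec_over_tcp_ports": tcp_ports,
        "weak_isakmp_policies": weak,
        "remediation": remediation,
    }


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit(cfg))
```

Run it as-is to see the report for the posted config and for the config with the accepted answer applied. The reason NAT-T alone was enough in the thread: with 'crypto isakmp nat-traversal' on, ESP is carried inside UDP 4500, so the remote PAT device sees a distinct source port per client and can keep the two tunnels apart; raw ESP offers it nothing to key on. IPsec-over-TCP (TCP 10000 by default) solves the same problem for paths that block UDP, but the VPN Client's Transparent Tunneling setting must match whichever one the ASA offers. The DES/MD5 findings are a separate caveat: the PAT fix does nothing about the 56-bit phase-1 encryption in the posted policies.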