7852 Views, 0 Helpful, 22 Replies

Please assist, RA [VPN] failing

droberts1124
Level 1

I'm trying to create a RA VPN. The thing is, the network is not "normal" in terms of topology. We have (coming from the internet) a T1 going straight to a Cisco 1720, which then goes to an ASA 5510 which hosts the VPN configuration. I can't get connected when I use the Cisco VPN client, and I think it's because of these two routers and their odd arrangement. I have been told that there is no way to drop the 1720 from the equation (it's the only CSU/DSU). If I can put the CSU/DSU expansion card in the 5510, then I MIGHT be able to remove it if I have to in order for this to work. 

Here is the error from the client:

Initializing the connection...
Contacting the security gateway at 65.114.65.30...
Contacting the security gateway at 65.114.109.33... (backup)
Contacting the security gateway at 65.114.109.34... (backup)
Secure VPN Connection terminated locally by the Client.
Reason 401: An unrecognized error occurred while establishing the VPN connection.

-or-  (depending on which IP I try to connect to)

Contacting the security gateway at 208.44.133.177...
Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.

I can access the 1720 from the internet via HyperTerminal and make changes. To make any changes to the 5510, I need to use Remote Desktop and use the ASDM from an internal network server. I believe that the VPN configuration itself is complete and correct. I think it's the 1720 that's the problem. Here is the config:

Building configuration...

Current configuration : 867 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CSCORTR
!
boot system flash c1700-y-mz.121-19.bin
boot system flash c1700-y-mz.121-1.bin
[pwd omitted]

!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface Serial0
ip address 65.114.65.30 255.255.255.252
service-module t1 timeslots 1-24
!
interface FastEthernet0
ip address 208.44.133.177 255.255.255.248 secondary
ip address 65.114.109.33 255.255.255.224
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 65.114.109.0 255.255.255.0 65.114.109.34
no ip http server
!
!
[omitted pwd info]

!
no scheduler allocate
end

I greatly appreciate any help I can get. This is turning into a real nightmare for me...

22 Replies

Jennifer Halim
Cisco Employee

You should already have access to your DNS server subnet (10.1.9.0/24) as per your diagram, it's not connected to the ISA server subnet, if you add the NAT exemption configuration advised earlier.

The running config is up, working on remoting into the Firewall

Here is one other piece of maybe useful information. This is the route print from the Virtual XP-mode box.

C:\Documents and Settings\XPMUser>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 03 ff 55 30 d2 ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic) - Packet Scheduler Miniport
0x140004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.4      20
        10.1.11.0    255.255.255.0      10.1.11.100     10.1.11.100      20
      10.1.11.100  255.255.255.255        127.0.0.1       127.0.0.1      20
   10.255.255.255  255.255.255.255      10.1.11.100     10.1.11.100      20
    65.114.109.34  255.255.255.255      192.168.1.1     192.168.1.4       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.4     192.168.1.4      20
      192.168.1.1  255.255.255.255      192.168.1.4     192.168.1.4       1
      192.168.1.4  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255      192.168.1.4     192.168.1.4      20
     192.168.60.0    255.255.255.0      10.1.11.100     10.1.11.100       1
        224.0.0.0        240.0.0.0      10.1.11.100     10.1.11.100      20
        224.0.0.0        240.0.0.0      192.168.1.4     192.168.1.4      20
  255.255.255.255  255.255.255.255      10.1.11.100     10.1.11.100       1
  255.255.255.255  255.255.255.255      192.168.1.4     192.168.1.4       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

The firewall rules do not look correct.

Let's start with the traffic flow:

From your VPN client PC --> the VPN will terminate on your ASA outside interface (all the VPN protocols stop on the ASA outside interface) --> traffic between the ASA inside interface or PublicServer interface towards your internal network will be in clear text, i.e. whether it is ICMP traffic, DNS traffic, HTTP traffic, SMTP traffic, etc., this will be in clear text, so the firewall rules need to reflect this (not VPN protocols).
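To make the traffic-flow point above concrete, here is the shape the ASA side of a remote-access IPsec VPN takes in pre-8.3 (8.2-style) syntax, with the NAT exemption mentioned earlier in the thread and the place where the clear-text firewall rules apply. This is an added example, not configuration from the thread or from the poster's ASA: the interface names inside and PublicServer, the client pool 10.1.11.0/24 (the route print above shows the client on 10.1.11.100), the subnets 10.1.9.0/24 and 192.168.60.0/24 and the DNS server 192.168.60.1 are taken from the thread; the pool, ACL, group-policy and tunnel-group names, the crypto parameters and the services permitted are assumptions made for illustration.

```cisco
! Added example with assumed names (ASA 8.2-style syntax). Not the poster's config.
! VPN client pool; the client's route print shows it at 10.1.11.100.
ip local pool RA-POOL 10.1.11.10-10.1.11.200 mask 255.255.255.0

! --- 1. Termination on the outside interface --------------------------------
! Only these protocols ever arrive from the Internet: IKE (UDP/500),
! NAT-T (UDP/4500) and ESP. They end on the outside interface.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set RA-TS esp-aes esp-sha-hmac
crypto dynamic-map RA-DYN 10 set transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside

! --- 2. NAT exemption (the "nat 0" advised earlier in the thread) -----------
! Decrypted client traffic keeps its 10.1.11.x source inside the network, and
! the replies must not be translated on the way back or they never re-enter
! the tunnel. One exemption per interface the clients need to reach.
access-list NONAT-INSIDE extended permit ip 192.168.60.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list NONAT-PUBLIC extended permit ip 10.1.9.0 255.255.255.0 10.1.11.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
nat (PublicServer) 0 access-list NONAT-PUBLIC

! --- 3. Split tunnel: what the client routes into the tunnel ----------------
! This is what puts "192.168.60.0/24 via 10.1.11.100" in the client's route
! table; anything not listed here stays on the client's local default route.
access-list SPLIT-TUNNEL standard permit 10.1.9.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.60.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 192.168.60.1
 vpn-idle-timeout 30
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key [omitted]

! --- 4. What the firewall rules see after decryption -------------------------
! With sysopt connection permit-vpn (the ASA default) decrypted traffic
! bypasses the outside-interface ACL. Any ACL on the inside or PublicServer
! interfaces, and the ISA server behind them, still see plain ICMP, DNS, HTTP
! and SMB from 10.1.11.0/24 (not ESP or UDP/500/4500) and must permit those.
sysopt connection permit-vpn

! To filter VPN users on the ASA itself instead, turn the bypass off and
! permit the clear-text protocols explicitly on the outside ACL:
! no sysopt connection permit-vpn
! access-list OUTSIDE-IN extended permit icmp 10.1.11.0 255.255.255.0 192.168.60.0 255.255.255.0
! access-list OUTSIDE-IN extended permit udp  10.1.11.0 255.255.255.0 host 192.168.60.1 eq domain
! access-list OUTSIDE-IN extended permit tcp  10.1.11.0 255.255.255.0 192.168.60.0 255.255.255.0 eq www
! access-list OUTSIDE-IN extended permit tcp  10.1.11.0 255.255.255.0 192.168.60.0 255.255.255.0 eq 445
! access-group OUTSIDE-IN in interface outside
```

The 1720 configuration posted above carries no access lists, so it applies no filtering to the IKE, NAT-T and ESP packets on their way to the ASA; the checks suggested later in the thread (ping the internal hosts by private address, resolve names against the internal DNS server) are exactly the clear-text flows that steps 2 and 4 have to allow, first on the ASA and then on whatever firewall sits behind it.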

Okay, so in the ISA screenshot I uploaded - do you think the entry below the one I had highlighted would work better? I had been trying to use that one, but since I was unsure of what "VPN Clients" means to the ISA server, I custom added all the ports by hand. What do you recommend that I change now, because I am slightly lost at this point. I would have thought that once the VPN was connected, I could open an Internet Explorer window and access the CRM interface I mentioned earlier, or discover and access a local machine from the internal network in Windows Explorer.

Let's work on 1 network at the time, and let's start with the PublicServer network as it is not behind any other firewall.

Are you able to access any of the PublicServer network (use its private ip address to access those servers)? Can you ping the dns server internal ip? Can you perform DNS resolution using the dns server internal ip address?

Okay here is what I have right now:  there are many servers in the address range 10.1.9.X - mostly 10.1.9.[40-100]. I can ping them, but if I try to go to them in IE I get one of two things. A) "Access to this web page is currently unavailable." or B) what appears to be a modem configuration page or something...? Very strange. I can ping many/all of these addresses and get replies however with little to no latency (less than 70 ms).

As for pinging the AD internal DNS, that is not working. The IP 192.168.60.1 is timing out. I am also not getting a response from the address 10.1.10.60, yet I can get a response from 192.168.60.12 (they are both part of the ISA; the 192 is the inward-facing interface and the 10.1 is what is facing the ASA). The file server with the ASDM is 192.168.60.35 and I get no responses to a ping to its address.

Sorry about how much work this is. My colleague tells me that we need to have a radius server on the network to authenticate the clients into active directory. Do you think that would solve the problem? I am still somewhat at a loss as to why this isn't working and I don't have an idea on what to do to proceed from here.
