Port Forwarding for Cisco ASA 5505 VPN

Daniel Demers
Level 1

This is the Network

Linksys E2500 ---> Cisco ASA 5505 ---> Server

I believe I need to forward some ports to the ASA to use the IPsec VPN I just set up. I had the SSL VPN working but only needed to forward 443 for that. I assume that the IPsec tunnel uses a specific port.

Thank You

8 Replies

Jennifer Halim
Cisco Employee

For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.

Command to enable NAT-T on ASA:

crypto isakmp nat-traversal 30
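Why both UDP ports are needed once NAT-T is on: IKE negotiates on UDP/500, and after the peers detect a NAT in the path they float to UDP/4500, where IKE and the ESP traffic itself are carried inside UDP (RFC 3947/3948); raw ESP (IP protocol 50) has no ports and cannot be port-forwarded by a home router. The following is an added example, not code from this thread or from Cisco: it demultiplexes datagrams on those two ports the way a NAT-T peer does and checks a port-forward table for the two required entries. The sample datagrams and the forward-table format are constructed for the example.

```python
"""Added example (not from the thread): demultiplex UDP/500 and UDP/4500 datagrams the way a
NAT-T peer does (RFC 3947/3948), and check a port-forward table for the two required entries."""
import struct

IKE_PORT = 500
NATT_PORT = 4500
REQUIRED_FORWARDS = {("udp", IKE_PORT), ("udp", NATT_PORT)}


def ike_major_version(hdr):
    """Major IKE version from an ISAKMP header (byte 17, high nibble): 1 = IKEv1, 2 = IKEv2."""
    return hdr[17] >> 4 if len(hdr) >= 28 else None


def classify(proto, dport, payload):
    """Label one datagram as seen on the outside of the NAT / port-forwarding device.

    proto is the IP protocol number (17 = UDP, 50 = ESP); payload is the UDP payload.
    """
    if proto == 50:
        return "esp-raw"              # no ports, so a port-forward rule cannot carry it
    if proto != 17:
        return "not-ipsec"
    if dport == IKE_PORT:
        return f"ike v{ike_major_version(payload)}"
    if dport == NATT_PORT:
        if payload == b"\xff":
            return "nat-keepalive"    # RFC 3948 2.3: one 0xFF byte keeps the NAT mapping alive
        if payload[:4] == b"\x00\x00\x00\x00":
            return f"ike-natt v{ike_major_version(payload[4:])}"  # non-ESP marker, then IKE
        if len(payload) >= 8:
            spi = struct.unpack("!I", payload[:4])[0]  # ESP SPI; 0 is reserved, hence the marker
            return f"esp-in-udp spi=0x{spi:08x}"
        return "malformed"
    return "not-ipsec"


def missing_forwards(rules):
    """rules: iterable of (proto, port) forwarded to the ASA. Return the required ones still missing."""
    return sorted(REQUIRED_FORWARDS - {(p.lower(), int(port)) for p, port in rules})


def make_ike_header():
    """Constructed 28-byte ISAKMP header: SPIs, next payload, version 1.0, exchange 2 (main mode), flags, msgid, length."""
    return (b"\x11" * 8 + b"\x00" * 8
            + bytes([0, 0x10, 2, 0])
            + b"\x00\x00\x00\x00" + struct.pack("!I", 28))


if __name__ == "__main__":
    # Constructed sample datagrams: IKE on 500, IKE floated to 4500, keepalive, ESP-in-UDP, raw ESP
    samples = [(17, 500, make_ike_header()),
               (17, 4500, b"\x00" * 4 + make_ike_header()),
               (17, 4500, b"\xff"),
               (17, 4500, struct.pack("!II", 0x12345678, 1) + b"\x00" * 8),
               (50, 0, b"")]
    for s in samples:
        print(classify(*s))
    print("missing forwards:", missing_forwards([("udp", 500), ("tcp", 443)]))
```

The `esp-raw` label is the case a router in front of the ASA cannot handle with a port-forward rule, which is exactly what NAT-T works around; with `crypto isakmp nat-traversal` enabled, everything after NAT detection arrives as UDP/4500 and the two `udp` forwards are sufficient.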

That saved my day now in 2023.

Wow, a blast from the past. I am glad it helps you.

AirSail
Level 1

Thank you so much, @Jennifer Halim.

Not sure if it is a good idea, but I want to drop my issue here.

I have my ASA 5508 behind a modem and want to form a site-to-site VPN with a Meraki concentrator.

By adding the above command, phase 1 came up on the fly (MM_ACTIVE), but phase 2 is going crazy; I can't see anything on it:


IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.8.73.10, sport=256, daddr=172.16.20.200, dport=256
IPSEC(crypto_map_check)-5: Checking crypto map CMAP 15: skipping because 5-tuple does not match ACL VPN-<hiden>-<hiden>.
IPSEC(crypto_map_check)-5: Checking crypto map CMAP 20: skipping because 5-tuple does not match ACL VPN-<hiden>-colo.
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 25: matched.
IPSEC WARNING: Failed to get last received info for SessionID: 0x00235000

(config)# show cry isa sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 38.104.125.162
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs
S(config)#
S(config)# show cry ipse
S(config)# show cry ipsec sa

<Empty output>. 

Any idea what it could be? I forwarded UDP 4500 and 500.

Also, I noticed that when I do a packet trace my ACL doesn't match, and I don't see the ACL that I need to match:

(config)# packet-tracer input inside tcp 10.8.73.10 4485 172.16.20.11 43$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.4 using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static <hiden>-subnet-10.8.73 <hiden>-subnet-10.8.73 destination static ss-lab ss-lab no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 172.16.20.11/4343 to 172.16.20.11/4343

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static <hiden>-subnet-10.8.73 <hiden>-subnet-10.8.73 destination static ss-lab ss-lab no-proxy-arp route-lookup
Additional Information:
Static translate 10.8.73.10/4485 to 10.8.73.10/4485
Forward Flow based lookup yields rule:
in id=0x7f0455d5eed0, priority=6, domain=nat, deny=false
hits=1237, user_data=0x7f0455dea0a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.8.73.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f04549f3320, priority=0, domain=nat-per-session, deny=false
hits=908, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f0455dd09e0, priority=0, domain=inspect-ip-options, deny=true
hits=2192, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f04568ab3a0, priority=70, domain=encrypt, deny=false
hits=1238, user_data=0x0, cs_id=0x7f0456807440, reverse, flags=0x0, protocol=0
src ip/id=10.8.73.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

(config)#
(config)#
(config)#
(config)#
(config)# show acce
(config)# show run access-list
access-list outside_access_in_1 extended permit ip any any
access-list VPN-<hiden>-ss extended permit ip object <hiden>-subnet-10.8.73 object ss-lab
access-list VPN-<hiden>-<hiden>extended permit ip object <hiden>-subnet-10.8.73 object <hiden>-subnet
access-list VPN-<hiden>-colo extended permit ip object <hiden>-subnet-10.8.73 object colo-lab
(config)#
(config)#
(config)# show run objec
(config)# show run object ?

exec mode commands/options:
id Show specific object
in-line display the output in one line
network Show 'network' object(s)
service Show 'service' object(s)
| Output modifiers
<cr>
(config)# show run object
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network <hiden>-subnet
subnet 10.8.72.0 255.255.255.0
object network <hiden>-subnet-10.8.73
subnet 10.8.73.0 255.255.255.0
object network colo-lab
subnet 172.16.0.0 255.255.255.0
object network ss-lab
subnet 172.16.20.0 255.255.255.0
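The `IPSEC(crypto_map_check)` lines and the packet-tracer output above are two views of the same decision: the ASA walks the crypto map in sequence order, tests the flow's source/destination against each entry's ACL, and selects the first match. Replaying that check offline is a quick way to confirm the crypto ACLs and objects are right before chasing phase 2 further. The following is an added example and not part of this thread: it parses the `show run object` and `show run access-list` output posted above (copied in as constructed samples), walks the crypto map like `crypto_map_check`, and extracts the dropping phase from packet-tracer output. The crypto map entries 15 and 20 are taken from the debug lines in the post; binding 25 to `VPN-<hiden>-ss` is an assumption, since the post never shows the crypto map itself.

```python
"""Added example (not from the thread): replay the ASA crypto-map 5-tuple check against the
posted objects/ACLs, and pull the failing phase out of packet-tracer output."""
import ipaddress
import re

# Constructed sample: copied from the post's "show run object" output
OBJECTS_TXT = """\
object network <hiden>-subnet
 subnet 10.8.72.0 255.255.255.0
object network <hiden>-subnet-10.8.73
 subnet 10.8.73.0 255.255.255.0
object network colo-lab
 subnet 172.16.0.0 255.255.255.0
object network ss-lab
 subnet 172.16.20.0 255.255.255.0
"""

# Constructed sample: the three VPN ACLs from the post's "show run access-list" output
ACLS_TXT = """\
access-list VPN-<hiden>-ss extended permit ip object <hiden>-subnet-10.8.73 object ss-lab
access-list VPN-<hiden>-<hiden> extended permit ip object <hiden>-subnet-10.8.73 object <hiden>-subnet
access-list VPN-<hiden>-colo extended permit ip object <hiden>-subnet-10.8.73 object colo-lab
"""

# Assumed crypto-map sequence -> ACL binding. 15 and 20 come from the post's IPSEC debug lines;
# 25 -> VPN-<hiden>-ss is an assumption (the crypto map itself is not shown in the post).
CRYPTO_MAP = [(15, "VPN-<hiden>-<hiden>"), (20, "VPN-<hiden>-colo"), (25, "VPN-<hiden>-ss")]

ACE_RE = re.compile(r"^access-list (\S+) extended permit (\S+) object (\S+) object (\S+)")
PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\nSubtype: ?(.*)\nResult: (\S+)")


def parse_objects(text):
    """Map object-network names to ip_network values."""
    objects, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            name = line.split(" ", 2)[2]
        elif line.startswith("subnet ") and name:
            net, mask = line.split()[1:3]
            objects[name] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return objects


def parse_acls(text):
    """Map ACL names to lists of (protocol, src_object, dst_object) entries."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return acls


def crypto_map_check(saddr, daddr, objects=None, acls=None, crypto_map=CRYPTO_MAP):
    """Walk the crypto map in sequence order like IPSEC(crypto_map_check) does.

    Returns (sequence, acl_name, trace) for the first entry whose ACL matches the flow,
    or (None, None, trace) when nothing matches (the flow would not be encrypted at all).
    """
    objects = objects if objects is not None else parse_objects(OBJECTS_TXT)
    acls = acls if acls is not None else parse_acls(ACLS_TXT)
    src, dst = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    trace = []
    for seq, acl_name in crypto_map:
        for proto, src_obj, dst_obj in acls.get(acl_name, []):
            if proto == "ip" and src in objects[src_obj] and dst in objects[dst_obj]:
                trace.append(f"crypto map CMAP {seq}: matched")
                return seq, acl_name, trace
        trace.append(f"crypto map CMAP {seq}: skipping, 5-tuple does not match ACL {acl_name}")
    return None, None, trace


# Constructed sample: the first and last phases of the packet-tracer run in the post
PACKET_TRACER_TXT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def drop_phase(text):
    """Return the first phase that dropped the packet, with its Drop-reason, or None if allowed."""
    for m in PHASE_RE.finditer(text):
        if m.group(4) == "DROP":
            reason = re.search(r"Drop-reason: (.*)", text)
            return {"phase": int(m.group(1)), "type": m.group(2), "subtype": m.group(3).strip(),
                    "reason": reason.group(1).strip() if reason else None}
    return None


if __name__ == "__main__":
    print("\n".join(crypto_map_check("10.8.73.10", "172.16.20.200")[2]))
    print(drop_phase(PACKET_TRACER_TXT))
```

For the flow in the debug output (10.8.73.10 to 172.16.20.200) the walk skips 15 and 20 and matches 25, which agrees with the ASA's own `matched` line: the interesting-traffic ACL is selecting the flow correctly. Combined with the packet-tracer result, where NAT and routing phases all `ALLOW` and only the `VPN`/`encrypt` phase drops, that narrows the problem to what happens after crypto-map selection, i.e. the phase 2 (IPsec SA) negotiation that `show crypto ipsec sa` shows as empty, rather than to the ACLs, objects or NAT exemption.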


Please PM the full config. Based on the above subset of config, it seems to be OK; however, the packet tracer drop reason is on the VPN, and it matches crypto map 25.

AirSail
Level 1

I've just got access to the firewall; sending you the outputs directly.

AirSail
Level 1

@Jennifer Halim, have you had a chance to look at what I DM'ed to you? Thank you.

@AirSail, just replied. Hope that helps shed some light.