09-06-2011 07:45 AM
OK, I have looked at this for days and cannot figure this out. I have a Cisco ASA 5505. I have the VPN set up and port forwarding working on the firewall. I started using the default port 443, but for reasons other than security I cannot use it (it is already being used), so I am using an alternate port number.
Here is where things get strange:
I can access the VPN from my house and Starbucks. At home I use TDS and at Starbucks it's AT&T.
My customer cannot access the VPN from his house or his office. At home he uses Time Warner and at the office uses AT&T U-verse.
So this leads me to think ports are being blocked somewhere; if so, where?
All my port forwarding rules are working from everywhere.
When I did use port 443 VPN seemed to work from all locations.
Is there any way to tell if a port is being blocked, or maybe my configuration might be wrong? Below is my configuration.
Any ideas would be appreciated.
Patrick
ASA Version 8.2(1)
!
hostname xxx2201
domain-name yahoo.local
names
name 10.0.0.2 Server description Server 1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.237 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server Server
domain-name yahoo.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWPING
icmp-object echo
icmp-object time-exceeded
icmp-object echo-reply
icmp-object traceroute
icmp-object source-quench
icmp-object unreachable
object-group network server1
access-list 10 extended permit ip any any
access-list 10 extended permit icmp any any
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in extended permit tcp any interface outside eq 978
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface 978 Server 978 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
static (inside,outside) tcp interface ssh Server ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl 10
webvpn
svc ask none default svc
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh timeout 15
console timeout 0
management-access inside
dhcpd dns Server 8.8.8.8
!
dhcpd address 10.0.0.30-10.0.0.60 inside
dhcpd dns Server 8.8.8.8 interface inside
dhcpd domain yahoo.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 3001
enable inside
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server value 10.0.0.2
dns-server value 10.0.0.2
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value yahoo.local
address-pools value SSLClientPoolNew
webvpn
svc keep-installer installed
svc rekey time 180
svc rekey method ssl
svc modules value vpngina
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
09-06-2011 09:19 AM
Patrick,
You could try setting up a capture on the outside interface of the ASA.
First you would need to find out the IP address from which your client is coming (have him go to something like whatismyipaddress.com).
Then start the capture on the outside interface. In this case I'll be using 100.100.100.100 as the source address.
access-list vpncapture permit ip host 100.100.100.100 host 2.2.2.237
Then
capture VPN interface outside access-list vpncapture
Have him try a few times.
To view the captured packets do:
show capture VPN
That will show you if the packets are getting to your ASA or not.
Check out the following links if you need more info about the syntax:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#s1
I hope this helps.
Raga
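To read the output of the capture Raga describes without eyeballing every line, here is an added example (not from the thread or from Cisco) that parses tcpdump-style "show capture" lines from an ASA 8.2 and counts the client's TCP SYNs per destination port. The sample output, the client address 100.100.100.100 and the packet lines are constructed; the verdict logic is a heuristic: SYNs arriving on the working forwards (443, 3389) but none on the webvpn port points at filtering somewhere upstream of the ASA.

```python
import re
from collections import Counter

# Constructed sample of "show capture VPN" output (not captured on the thread's ASA).
# 443/3389/22 are the static PAT forwards from the posted config; the webvpn port (3001)
# is deliberately absent to show what a blocked port looks like.
SAMPLE_SHOW_CAPTURE = """\
4 packets captured
   1: 20:01:11.104512 100.100.100.100.51120 > 2.2.2.237.443: S 3314281712:3314281712(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 20:01:11.105233 100.100.100.100.51121 > 2.2.2.237.3389: S 3314281713:3314281713(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   3: 20:01:14.220781 100.100.100.100.51120 > 2.2.2.237.443: . ack 991 win 16425
   4: 20:01:20.003902 100.100.100.100.51125 > 2.2.2.237.22: S 3314281900:3314281900(0) win 8192 <mss 1460>
4 packets shown
"""

# One packet line: "<n>: <hh:mm:ss.usec> [802.1Q vlan#N Pn] <src>.<sport> > <dst>.<dport>: <flags> ..."
# The optional 802.1Q token appears on VLAN-tagged captures; header/footer lines never match.
PKT_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)


def parse_show_capture(text):
    """Return one dict per packet line (ts, src, sport, dst, dport, flags)."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts


def syns_by_dport(pkts, client_ip):
    """Count TCP SYNs (flag token 'S') from client_ip per destination port."""
    return Counter(p["dport"] for p in pkts if p["src"] == client_ip and p["flags"] == "S")


def port_verdict(pkts, client_ip, vpn_port, reference_ports):
    """'arrives' if the client's SYNs reach vpn_port; 'filtered-upstream' if none do but
    SYNs on the known-working reference ports are seen; 'no-traffic' if nothing arrived."""
    counts = syns_by_dport(pkts, client_ip)
    if counts[vpn_port]:
        return "arrives"
    if any(counts[p] for p in reference_ports):
        return "filtered-upstream"
    return "no-traffic"


if __name__ == "__main__":
    pkts = parse_show_capture(SAMPLE_SHOW_CAPTURE)
    print(dict(syns_by_dport(pkts, "100.100.100.100")))
    print(port_verdict(pkts, "100.100.100.100", 3001, (443, 3389)))
```

Paste the real "show capture VPN" text in place of the constructed sample and set vpn_port to whatever port the webvpn line in the config uses.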
09-06-2011 01:40 PM
What IP address range is being used at the sites that have issues?
We had a similar issue a while back and it turns out that the customer was using the same internal network addressing at home as in work - causing issues.
Just a suggestion.
09-06-2011 02:19 PM
Raga,
I will try setting that up later tonight and test the results.
Craig,
I will check what he is using at home.
Thanks,
Patrick
09-06-2011 08:02 PM
I received no packets. Raga, I have learned quite a few things from you, thank you. That got me thinking of trying other common and uncommon ports.
I had been trying packets all night and finally decided to try 8008. That worked from the inside. I just have to have the customer try it from home; if it works I should be all set.
Again thanks Raga, I will be adding those commands to my list of commands.
Regards,
Patrick
09-06-2011 08:43 PM
Hey I'm glad I could help!
You can apply the capture command to any interface, and it's pretty helpful when troubleshooting these kinds of issues.
Have a good one!
PS: Please remember to mark this question as answered so that others learn from your post. Thx!