VPN usage (port and connection) on ASA 5505

christopheacmi (Level 1)

Hi,

Here is my present situation: I have to allow my partners to connect to my internal network (192.168.10.0/24). My ASA 5505 (connected to my internal network) is connected to the Internet behind my provider's router, on which I have no access to the configuration (warranty purposes). My provider router's LAN is the 192.168.1.0/24 network (dmz), the router has the IP address 192.168.1.200, and my ASA is connected to that router with the IP address 192.168.1.1.

I have attached my current configuration to this message.

I would just like to know which ports I have to have my provider forward to allow VPN connections to the ASA (I cannot currently put my provider router in bridge mode).

I have found these:

ISAKMP - UDP 500
ESP - Protocol 50
ISAKMP NAT-Traversal - UDP 4500 (NAT-T)
IPSEC Over UDP - UDP 10000 (Default)
IPSEC Over TCP - TCP 10000 (Default)

Is it correct?


On the other hand, I have tried to connect a Cisco VPN client to the ASA from a computer in the dmz (with IP 192.168.1.127). I can establish the connection without any issue, but I cannot ping or connect to any computer/service on my internal network.

I have seen on some forums that I need to type the following command lines:

crypto isakmp nat-traversal
sysopt connection permit-ipsec

First, is this correct? And could anyone explain to me what those commands do?

1 Reply

Ricardo Prado Rueda (Cisco Employee)

Hi,

The information on ports and protocols is correct; you might also want to consider protocol AH (protocol 51) to be forwarded to your ASA.

In regards to your second question, the problem you have is with your NONAT configuration. You have the following line:

access-list interne_nat0_outbound extended permit ip host 192.168.10.0 192.168.10.128 255.255.255.128

This tells the firewall that the host 192.168.10.0 (a host that is not valid on the configured network on your inside interface) will not be translated. The same applies to your split-tunnel configuration:

access-list Cisco_splitTunnelAcl standard permit host 192.168.10.0

This will tell the VPN client to ONLY encrypt traffic that goes to the host 192.168.10.0, which is not what you are looking for.

Besides this, as a best practice it is not a good idea to assign addresses from your LAN network to the VPN client (in your case 192.168.10.X), since this could create ARP issues that would prevent your remote access clients from sending traffic to your LAN.

You could try these changes for your test setup:

ip local pool PoolCnxVPN 172.16.1.190-172.16.1.195 mask 255.255.255.0

access-list Cisco_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0

access-list interne_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0

Finally, to answer the question about the last two commands:

crypto isakmp nat-traversal >>> This enables NAT traversal for your remote VPN connections; if more than one client is behind a NAT device, NAT traversal permits simultaneous connections (using UDP port 4500).

sysopt connection permit-ipsec >>> This permits traffic from an encrypted connection to pass through the firewall without the need to open it with an access-group.

For more information on this and other commands you can check the Command Lookup Tool at the following link:

http://tools.cisco.com/Support/CLILookup/cltSearchAction.do
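The three configuration mistakes the reply walks through (a VPN pool taken out of the inside LAN, a split-tunnel ACL that matches only a single host, and a NAT-exemption ACL that never matches LAN-to-client traffic) are easy to mechanise before the change window. The script below is an added example and is not code from the original thread or from Cisco: it parses the few pre-8.3 ASA lines involved (`ip local pool`, the standard split-tunnel ACL, the extended NAT-exemption ACL and the `nat (interne) 0 access-list` statement) and reports each condition that fails. The addresses and the pool and ACL names are the ones quoted in the thread; the inside interface name `interne` (taken from the ACL name), the inside LAN 192.168.10.0/24 and the broken pool range are assumptions, and all three sample configs are constructed. The reply's own three replacement lines are included as the second sample: because a split-tunnel ACL lists the destination networks the client sends through the tunnel, the checker expects that ACL to cover the inside LAN rather than the address pool, so it reports that entry; the third sample is the set of lines that passes all three checks.

```python
"""Sanity checks for a pre-8.3 ASA remote-access VPN configuration.
Added example; the sample configs are constructed and the inside
interface name, inside LAN and broken pool range are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

# Constructed: the poster's lines as quoted in the reply, plus an assumed
# pool carved out of the inside LAN (the reply only says "192.168.10.X").
BROKEN_CONFIG = """
ip local pool PoolCnxVPN 192.168.10.190-192.168.10.195 mask 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit host 192.168.10.0
access-list interne_nat0_outbound extended permit ip host 192.168.10.0 192.168.10.128 255.255.255.128
nat (interne) 0 access-list interne_nat0_outbound
"""

# Constructed: the reply's three replacement lines, unchanged.
REPLY_CONFIG = """
ip local pool PoolCnxVPN 172.16.1.190-172.16.1.195 mask 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list interne_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (interne) 0 access-list interne_nat0_outbound
"""

# Constructed: same as above, but the split-tunnel ACL names the inside LAN,
# which is what the client must send through the tunnel.
FIXED_CONFIG = """
ip local pool PoolCnxVPN 172.16.1.190-172.16.1.195 mask 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list interne_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (interne) 0 access-list interne_nat0_outbound
"""


@dataclass
class AsaConfig:
    pools: Dict[str, Tuple[IPv4Addr, IPv4Addr]] = field(default_factory=dict)
    std_acls: Dict[str, List[IPv4Net]] = field(default_factory=dict)
    ext_acls: Dict[str, List[Tuple[IPv4Net, IPv4Net]]] = field(default_factory=dict)
    nat0: Dict[str, str] = field(default_factory=dict)  # interface -> ACL name


def _address(tokens: List[str]) -> IPv4Net:
    """Consume one ASA address spec: 'any', 'host A' or 'A NETMASK' (ASA ACLs use netmasks)."""
    t = tokens.pop(0)
    if t == "any":
        return IPv4Net("0.0.0.0/0")
    if t == "host":
        return IPv4Net(tokens.pop(0) + "/32")
    return IPv4Net(f"{t}/{tokens.pop(0)}", strict=False)


def parse_config(text: str) -> AsaConfig:
    """Pick out only the line types the checks need; everything else is ignored."""
    cfg = AsaConfig()
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg.pools[tok[3]] = (IPv4Addr(first), IPv4Addr(last))
        elif tok[:1] == ["access-list"] and tok[2:4] == ["standard", "permit"]:
            cfg.std_acls.setdefault(tok[1], []).append(_address(tok[4:]))
        elif tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            rest = tok[5:]
            cfg.ext_acls.setdefault(tok[1], []).append((_address(rest), _address(rest)))
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            cfg.nat0[tok[1].strip("()")] = tok[4]
    return cfg


def check(cfg: AsaConfig, inside_if: str, inside_lan: IPv4Net,
          pool: str, split_acl: str) -> List[str]:
    """One finding per failed condition; an empty list means all three hold."""
    findings = []
    first, last = cfg.pools[pool]
    # 1. Pool addresses inside the LAN force the ASA to proxy-ARP for clients.
    if first in inside_lan or last in inside_lan:
        findings.append(f"pool {pool} ({first}-{last}) overlaps the inside LAN {inside_lan}")
    # 2. The split-tunnel ACL must cover the LAN the client needs to reach.
    if not any(n.supernet_of(inside_lan) for n in cfg.std_acls.get(split_acl, [])):
        findings.append(f"split-tunnel ACL {split_acl} does not cover {inside_lan}")
    # 3. The nat 0 ACL on the inside interface must exempt LAN -> every pool address.
    nat0_acl = cfg.nat0.get(inside_if)
    exempt = any(s.supernet_of(inside_lan) and first in d and last in d
                 for s, d in cfg.ext_acls.get(nat0_acl, []))
    if not exempt:
        findings.append(f"nat ({inside_if}) 0 ACL {nat0_acl} has no entry for "
                        f"{inside_lan} -> {first}-{last}; LAN replies will hit dynamic NAT")
    return findings


def audit(config_text: str) -> List[str]:
    """Run the checks with the thread's names; inside LAN and interface name are assumed."""
    return check(parse_config(config_text), "interne", IPv4Net("192.168.10.0/24"),
                 "PoolCnxVPN", "Cisco_splitTunnelAcl")


if __name__ == "__main__":
    for name, text in [("broken", BROKEN_CONFIG), ("reply", REPLY_CONFIG), ("fixed", FIXED_CONFIG)]:
        print(f"{name}: {audit(text) or ['ok']}")
```

Run it directly to print the findings for each sample; `audit()` returns the list, so it can be pointed at a captured `show running-config` as a pre-change review once `parse_config` is widened to whatever other line types matter in that environment.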