09-17-2013 07:37 AM - edited 02-21-2020 07:09 PM
Hi,
I have a site-to-site VPN on an ASA 5510 (9.0(2)). It works fine, but I can't connect through the ASA with a VPN IPsec client (outside the site-to-site VPN).
I searched the syslog and found that UDP source ports 500 and 4500 are used for my IPsec client and for my site-to-site VPN.
I have a dynamic PAT rule:
nat (Inside,Outside) source dynamic Inside interface
Why doesn't the ASA choose source ports other than UDP 500 and UDP 4500 when translating my IPsec client?
When I shut down the site-to-site VPN, my client can connect with IPsec.
Regards,
Hey
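An added model of the collision the question describes; this is not Cisco code and not from the thread. It assumes the port-preserving behaviour the poster's syslog shows (the translation keeps the inside host's UDP source port when no other translation already uses it on the mapped address), uses the ASA's Outside address 1.2.3.4 from the config, and constructs every other address (inside client, remote gateway, alternate PAT address).

```python
"""Port-preserving PAT colliding with a firewall's own IKE listeners.

Added illustration (not Cisco code, not from the thread). It models the
situation in the question: dynamic PAT onto the outside interface address
keeps an inside IPsec client's UDP source ports 500 (IKE) and 4500 (NAT-T),
so the translated flows become <outside_ip>:500 and <outside_ip>:4500, the
same UDP endpoints the firewall itself uses to terminate its site-to-site
tunnel. Replies to those endpoints are then ambiguous.
Assumption: port preservation as described above. 1.2.3.4 is the thread's
Outside address; all other addresses are constructed placeholders.
"""
from dataclasses import dataclass, field

IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatTable:
    """Dynamic PAT of many inside hosts onto one mapped address."""
    mapped_ip: str
    xlates: dict = field(default_factory=dict)  # Flow -> mapped source port
    next_port: int = 1024                       # fallback allocation cursor

    def translate(self, flow: Flow) -> Flow:
        """Return the flow as it appears on the outside after translation."""
        if flow not in self.xlates:
            used = {(f.proto, p) for f, p in self.xlates.items()}
            if (flow.proto, flow.src_port) not in used:
                port = flow.src_port            # preserve the original source port
            else:
                while (flow.proto, self.next_port) in used:
                    self.next_port += 1
                port = self.next_port           # otherwise take a fresh high port
                self.next_port += 1
            self.xlates[flow] = port
        return Flow(flow.proto, self.mapped_ip, self.xlates[flow],
                    flow.dst_ip, flow.dst_port)


def listener_conflicts(pat: PatTable, listeners: set) -> list:
    """Translated flows whose (proto, mapped_ip, mapped_port) is also a socket
    the firewall owns on that address. The PAT allocator only avoids ports
    used by other translations, not the firewall's own services, so such
    collisions are possible and a reply packet to that tuple could belong
    either to the firewall's IKE process or to the inside client."""
    hits = []
    for flow, port in pat.xlates.items():
        if (flow.proto, pat.mapped_ip, port) in listeners:
            hits.append(Flow(flow.proto, pat.mapped_ip, port,
                             flow.dst_ip, flow.dst_port))
    return hits


def scenario(pat_ip: str) -> list:
    """Translate an inside IPsec client's IKE and NAT-T flows onto pat_ip and
    report collisions with the firewall's own VPN listeners on Outside."""
    outside_ip = "1.2.3.4"          # Outside interface address from the config
    client = "10.55.0.50"           # constructed host in the Inside subnet
    remote_gw = "198.51.100.7"      # constructed remote VPN gateway (TEST-NET-2)
    # The firewall terminates IKEv1 on Outside, so it owns these two sockets.
    listeners = {("udp", outside_ip, IKE_PORT), ("udp", outside_ip, NAT_T_PORT)}
    pat = PatTable(pat_ip)
    pat.translate(Flow("udp", client, IKE_PORT, remote_gw, IKE_PORT))
    pat.translate(Flow("udp", client, NAT_T_PORT, remote_gw, NAT_T_PORT))
    return listener_conflicts(pat, listeners)


if __name__ == "__main__":
    # PAT onto the interface address: both IKE flows collide with the firewall.
    for hit in scenario("1.2.3.4"):
        print("collision:", hit)
    # PAT onto a spare address the firewall does not terminate IKE on
    # (constructed; 1.2.3.5 is merely another address in the /29): no collision.
    print("collisions on 1.2.3.5:", len(scenario("1.2.3.5")))
```

Running it shows two collisions when the mapped address is the interface address and none when the client is translated onto an address the firewall does not itself listen on; whether a separate PAT address is the right fix for the poster's network is not something the thread settles, and the first thing to check on the box is `show xlate` for the client's UDP 500/4500 entries.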
09-20-2013 04:43 PM
Both S2S and RA IPsec remote access use the same protocols and they should be able to connect simultaneously without a problem.
Please attach your configuration of the ASA to see what you have.
Regards,
Tariq
09-23-2013 12:46 AM
Hi Tariq,
Configuration below:
ASA Version 9.0(2)
!
hostname FirstNode
enable password XXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0/1
description ------ Outside Interface ------
nameif Outside
security-level 0
ip address 1.2.3.4 255.255.255.248
!
interface Ethernet0/2.50
description ---- Interface AdminIN --------
nameif AdminIN
security-level 100
ip address 10.50.0.1 255.255.0.0
!
interface Ethernet0/2.55
description ---- interface Inside ------
nameif Inside
security-level 100
ip address 10.55.0.1 255.255.0.0
!
interface Management0/0
description Interface de Management OutBand
management-only
nameif AdminOutBand
security-level 100
ip address 192.168.5.32 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DNS1
host 5.6.7.8
description DNS 1
object network Routeur1
host 9.10.11.12
description Routeur 1
object network Outside_Host
host 1.2.3.4
description Sortie ASA 1
object network HostInside
host 10.55.255.254
description HostInside
object network Inside
subnet 10.55.0.0 255.255.0.0
description vlan Inside
object network Work
subnet 10.40.0.0 255.255.0.0
description vlan Work
object network AdminOUT
subnet 15.16.17.18 255.255.255.240
description Administration via VPN
object network peerVPN
host 20.20.20.20
description Peer VPN
object network ADMIN_IN
subnet 10.50.0.0 255.255.0.0
description Administration IN
object network AdminINNAT
subnet 192.168.171.0 255.255.255.224
description AdminIN NAT
object network ASA
host 10.50.0.1
description Admin ASA
object network CT5508
host 10.50.0.2
description CT5508 Admin
object network switch1
host 10.50.0.4
description Switch1
object network switch2
host 10.50.0.5
description switch2
object network switch3
host 10.50.0.6
description switch3
object network switch4
host 10.50.0.7
description switch4
object network switch5
host 10.50.0.8
description switch5
object network MSE
host 10.50.0.3
description MSE
object network CAPTIVE
host 10.50.255.254
description CAPTIVE Admin
object network test_NAT
host 10.55.255.250
object service ISAKMP-NAT
service udp source gt 1024 destination eq isakmp
object service ISAKMP
service udp source eq isakmp destination eq isakmp
object service NAT-T
service udp source eq 4500 destination eq 4500
object-group service WorkGroup tcp
description Ports TCP autorisés en WorkGroup
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
object-group service ADMIN_TCP tcp
description Ports TCP authorisés
port-object eq echo
port-object eq www
port-object eq https
port-object eq ssh
object-group service ADMIN_UDP udp
description Ports UDP authorisés
port-object eq snmp
port-object eq snmptrap
object-group network DM_INLINE_NETWORK_1
network-object object ADMIN_IN
network-object object AdminINNAT
object-group network DM_INLINE_NETWORK_2
network-object object ADMIN_IN
network-object object AdminINNAT
access-list global_access extended permit ip object HostInside any4
access-list global_access extended permit ip object AdminOUT object-group DM_INLINE_NETWORK_1
access-list global_access extended permit ip object-group DM_INLINE_NETWORK_2 object AdminOUT
access-list global_access extended permit ip object CT5508 object MSE
access-list global_access extended permit ip object MSE object CT5508
access-list global_access extended deny ip any4 any4
access-list Outside_cryptomap extended permit ip object AdminINNAT object AdminOUT
pager lines 24
logging enable
logging buffer-size 1048576
logging asdm informational
mtu Outside 1500
mtu AdminIN 1500
mtu Inside 1500
mtu AdminOutBand 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source dynamic Inside interface
!
object network ASA
nat (any,any) static 192.168.171.1 net-to-net
object network CT5508
nat (any,any) static 192.168.171.2 net-to-net
object network switch1
nat (any,any) static 192.168.171.4 net-to-net
object network switch2
nat (any,any) static 192.168.171.5 net-to-net
object network switch3
nat (any,any) static 192.168.171.6 net-to-net
object network switch4
nat (any,any) static 192.168.171.7 net-to-net
object network switch5
nat (any,any) static 192.168.171.8 net-to-net
object network MSE
nat (any,any) static 192.168.171.3 net-to-net
object network CAPTIVE
nat (any,any) static 192.168.171.14 net-to-net
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 9.10.11.12 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.50.0.0 255.255.0.0 AdminIN
http 15.16.17.18 255.255.255.240 AdminIN
http authentication-certificate AdminIN
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set connection-type originate-only
crypto map Outside_map 1 set peer 20.20.20.20
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 1 set security-association lifetime seconds 86400
crypto map Outside_map interface Outside
crypto isakmp nat-traversal 3600
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.50.0.0 255.255.0.0 AdminIN
ssh timeout 5
management-access AdminIN
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_20.20.20.20 internal
group-policy GroupPolicy_20.20.20.20 attributes
vpn-tunnel-protocol ikev1
username admin password XXXXXXXXXXX encrypted privilege 15
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 general-attributes
default-group-policy GroupPolicy_20.20.20.20
tunnel-group 20.20.20.20 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
!
!
!
policy-map type inspect ipsec-pass-thru IPSEC_TUN
parameters
esp
ah
policy-map global-policy
class class-default
user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global-policy global
Cryptochecksum:cb5f635525b378f51e9282a2e75f77b6
: end
Thx