Remote Access IPsec VPN on ASA 7.2

Unanswered Question
Feb 14th, 2007

I have recently configured a remote access VPN on a customer ASA7.2. I have tested the RA IPSEC vpn on using an IP address that is in the same segment as the outside interface of the ASA and it works.

But the funny thing right now is if I am using a client that is using NAT to access the network, I have problem connecting. It cant even contact the security gateway and go pass the phrase 1 authentication of the tunnel group and pre-sharekey. There is nothing on the VPN client log.

I have configured NAT-T too.

Anyone have any idea? Here's the config that's relevant to the remote access IPSEC VPN.

access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.

203.8.0 255.255.255.0

ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

group-policy ntnvpn internal

group-policy ntnvpn attributes

dns-server value 165.21.83.88 165.21.100.88

vpn-tunnel-protocol IPSec

default-domain value x

username hw-support password x

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

tunnel-group ntnvpn type ipsec-ra

tunnel-group ntnvpn general-attributes

address-pool vpnpool

default-group-policy ntnvpn

tunnel-group ntnvpn ipsec-attributes

pre-shared-key *

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Kamal Malhotra Wed, 02/14/2007 - 12:25

Hi,

If you are sitting in the 10.203.1.0 and going to the Internet through the same ASA and connecting to the outside IP of the ASA, then it is not funny. It is an incorrect way of connecting.

If it is something else, then please reply.

Regards.

DaturaX88 Wed, 02/14/2007 - 15:14

Hi,

My test method was not sitting on the 10.203.1.0 network and connecting to the outside IP of the ASA. What I mean was, sitting on the outside interface of the ASA and using a public IP to a client.

One other thing, might be very obvious, but do you have a default route setup? You mentioned that it works when on the same subnet but I'm assuming that when you're behind whatever nat device, you're coming from another network? I might be totally off but being that I don't know the details of your test environment, just check that to make sure.

DaturaX88 Thu, 02/15/2007 - 07:42

Yes, there's a default route set and I have tried using a 56k dialup and it's not working. I guess I gotta do some debugs to further troubleshoot the problem.

Anyway someone suggested disabling pfs. Anyone knows what this does?

crypto dynamic-map outside_dyn_map 20 set pfs"

And he also suggested changing sha to md5.

See here for a somewhat cryptic explanation of pfs, i.e. perfect forward secrecy:

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

If you're doing client vpn, I don't think changing this stuff helps. Usually, modifying pfs, md5/sha is important to match up on lan-to-lan tunnels. With a client, the end device (your router/concentrator) tells the client what to use. As long as you're not using a very outdated client, I wouldn't think there'd be a problem.

Keep in mind that you can also turn on some debugging in the Cisco client. I believe it's under 'Options'.

kaachary Fri, 02/16/2007 - 06:39

Hi,

Begin with a small test here...

Test if you are able to ping the Outside ip address of ASA from the client pc, if you are, then check the device in between which is doing the natting, is not blocking

UDP 500

ESP

UDP 4500

If its not, then check if you have "Transparent Tunneling" enabled on the client.

You also want to check the coonection using "IPSec over TCP".

HTH,

-Kanishka

Actions

This Discussion