Remote Access IPsec VPN on ASA 7.2

DaturaX88
Level 1

I have recently configured a remote access VPN on a customer ASA 7.2. I have tested the RA IPsec VPN using an IP address that is in the same segment as the outside interface of the ASA and it works.

But the funny thing right now is if I am using a client that is using NAT to access the network, I have a problem connecting. It can't even contact the security gateway and get past the phase 1 authentication of the tunnel group and pre-shared key. There is nothing in the VPN client log.

I have configured NAT-T too.

Anyone have any idea? Here's the config that's relevant to the remote access IPsec VPN.

access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.203.8.0 255.255.255.0
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy ntnvpn internal
group-policy ntnvpn attributes
 dns-server value 165.21.83.88 165.21.100.88
 vpn-tunnel-protocol IPSec
 default-domain value x
username hw-support password x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group ntnvpn type ipsec-ra
tunnel-group ntnvpn general-attributes
 address-pool vpnpool
 default-group-policy ntnvpn
tunnel-group ntnvpn ipsec-attributes
 pre-shared-key *
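As an added example (not part of the original post or any Cisco tool), the script below audits a pasted ASA config excerpt for the RA IPsec prerequisites this thread turns on: NAT-T enabled, ISAKMP listening on the interface the crypto map is bound to, and the address pool covered by the nat 0 exemption ACL. The config text is a constructed excerpt of the lines posted above; the function and check names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the question, used as sample input.
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.203.8.0 255.255.255.0
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
tunnel-group ntnvpn general-attributes
 address-pool vpnpool
"""


def audit_ra_vpn(config: str) -> dict:
    """Return {check_name: passed} for the RA IPsec prerequisites discussed in the thread."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    results = {}

    # 1. NAT-T must be on, otherwise clients behind a NAT device cannot negotiate/encapsulate ESP.
    results["nat_traversal"] = any(line.startswith("crypto isakmp nat-traversal") for line in lines)

    # 2. ISAKMP must be enabled on the same interface the crypto map is applied to.
    bound = re.search(r"^crypto map (\S+) interface (\S+)$", config, re.M)
    iface = bound.group(2) if bound else None
    results["isakmp_on_map_interface"] = bool(iface) and f"crypto isakmp enable {iface}" in lines

    # 3. Every address in the VPN pool must fall inside the destination of the nat 0 ACL,
    #    otherwise returning traffic for connected clients gets translated instead of exempted.
    pool = re.search(r"^ip local pool \S+ ([^\s-]+)-(\S+)", config, re.M)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    covered = False
    if pool and nat0:
        first, last = ipaddress.ip_address(pool.group(1)), ipaddress.ip_address(pool.group(2))
        ace = re.compile(rf"^access-list {re.escape(nat0.group(1))} extended permit ip \S+ \S+ (\S+) (\S+)$")
        for line in lines:
            m = ace.match(line)
            if m:
                dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                if first in dest and last in dest:
                    covered = True
    results["pool_nat_exempt"] = covered
    return results


if __name__ == "__main__":
    for check, ok in audit_ra_vpn(ASA_CONFIG).items():
        print(f"{check}: {'OK' if ok else 'MISSING'}")
```

Note that the nat 0 exemption only matters once the tunnel is up; a failure to get through phase 1 from behind NAT points at the NAT-T check or at UDP 500/4500 being blocked in between, not at the exemption ACL.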

7 Replies

Kamal Malhotra
Cisco Employee

Hi,

If you are sitting in the 10.203.1.0 and going to the Internet through the same ASA and connecting to the outside IP of the ASA, then it is not funny. It is an incorrect way of connecting.

If it is something else, then please reply.

Regards.

Hi,

My test method was not sitting on the 10.203.1.0 network and connecting to the outside IP of the ASA. What I mean was, sitting on the outside interface of the ASA and using a public IP to a client.

What kind of errors on the ASA are you getting? Turn on debug cryp isakmp and debug cryp ipsec and see what happens when that client tries to connect.

One other thing, might be very obvious, but do you have a default route setup? You mentioned that it works when on the same subnet but I'm assuming that when you're behind whatever nat device, you're coming from another network? I might be totally off but being that I don't know the details of your test environment, just check that to make sure.

Yes, there's a default route set and I have tried using a 56k dialup and it's not working. I guess I gotta do some debugs to further troubleshoot the problem.

Anyway someone suggested disabling pfs. Anyone knows what this does?

crypto dynamic-map outside_dyn_map 20 set pfs

And he also suggested changing sha to md5.

See here for a somewhat cryptic explanation of pfs, i.e. perfect forward secrecy:

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

If you're doing client vpn, I don't think changing this stuff helps. Usually, modifying pfs, md5/sha is important to match up on lan-to-lan tunnels. With a client, the end device (your router/concentrator) tells the client what to use. As long as you're not using a very outdated client, I wouldn't think there'd be a problem.

Keep in mind that you can also turn on some debugging in the Cisco client. I believe it's under 'Options'.

kaachary
Cisco Employee

Hi,

Begin with a small test here...

Test if you are able to ping the outside IP address of the ASA from the client PC. If you are, then check that the device in between which is doing the NAT is not blocking:

UDP 500

ESP

UDP 4500

If it's not, then check if you have "Transparent Tunneling" enabled on the client.

You also want to check the connection using "IPSec over TCP".

HTH,

-Kanishka
