02-14-2007 07:59 AM - edited 02-21-2020 02:52 PM
I have recently configured a remote access VPN on a customer's ASA 7.2. I have tested the RA IPSEC VPN using an IP address that is in the same segment as the outside interface of the ASA and it works.
But the funny thing right now is if I am using a client that is using NAT to access the network, I have problems connecting. It can't even contact the security gateway and get past the phase 1 authentication of the tunnel group and pre-shared key. There is nothing in the VPN client log.
I have configured NAT-T too.
Anyone have any idea? Here's the config that's relevant to the remote access IPSEC VPN.
access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.203.8.0 255.255.255.0
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy ntnvpn internal
group-policy ntnvpn attributes
dns-server value 165.21.83.88 165.21.100.88
vpn-tunnel-protocol IPSec
default-domain value x
username hw-support password x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group ntnvpn type ipsec-ra
tunnel-group ntnvpn general-attributes
address-pool vpnpool
default-group-policy ntnvpn
tunnel-group ntnvpn ipsec-attributes
pre-shared-key *
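As an added example (not part of the original thread or Cisco's tooling), here is a small Python audit that parses the configuration lines quoted above and checks the three things a NAT-related remote-access failure usually comes down to: that nat-traversal is enabled, that ISAKMP is enabled on the interface the crypto map is bound to, and that the address pool handed to the tunnel-group is covered by the nat 0 exemption ACL. The config string is reconstructed from the post; the dataclass fields, function names and finding texts are my own, not ASA terminology.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the VPN-relevant lines quoted in the post above.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.203.8.0 255.255.255.0
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
tunnel-group ntnvpn type ipsec-ra
tunnel-group ntnvpn general-attributes
 address-pool vpnpool
"""


@dataclass
class AsaVpnConfig:
    nat0_acls: dict = field(default_factory=dict)      # acl name -> [(src_net, dst_net)]
    nat0_bindings: dict = field(default_factory=dict)  # interface -> acl name used for nat 0
    pools: dict = field(default_factory=dict)          # pool name -> (first, last)
    tunnel_pools: dict = field(default_factory=dict)   # tunnel-group -> pool name
    nat_traversal: Optional[int] = None                # keepalive seconds, None if not configured
    crypto_map_ifaces: set = field(default_factory=set)
    isakmp_ifaces: set = field(default_factory=set)


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ipaddress accepts a dotted netmask after the slash, which is how ASA ACLs are written.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa_config(text: str) -> AsaVpnConfig:
    """Pick out only the lines the audit needs; everything else is ignored."""
    cfg = AsaVpnConfig()
    current_tg = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)):
            cfg.nat0_acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif (m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)):
            cfg.pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif (m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)):
            cfg.nat0_bindings[m[1]] = m[2]
        elif (m := re.match(r"crypto isakmp nat-traversal (\d+)", line)):
            cfg.nat_traversal = int(m[1])
        elif (m := re.match(r"crypto isakmp enable (\S+)", line)):
            cfg.isakmp_ifaces.add(m[1])
        elif (m := re.match(r"crypto map \S+ interface (\S+)", line)):
            cfg.crypto_map_ifaces.add(m[1])
        elif (m := re.match(r"tunnel-group (\S+) general-attributes", line)):
            current_tg = m[1]
        elif (m := re.match(r"address-pool (\S+)", line)) and current_tg:
            cfg.tunnel_pools[current_tg] = m[1]
    return cfg


def audit(cfg: AsaVpnConfig) -> list:
    """Return a list of human-readable findings; an empty list means the checks passed."""
    findings = []
    if cfg.nat_traversal is None:
        findings.append("NAT-T not enabled: clients behind a NAT device cannot keep ESP flowing")
    if not cfg.crypto_map_ifaces:
        findings.append("no crypto map is bound to any interface")
    for iface in sorted(cfg.crypto_map_ifaces):
        if iface not in cfg.isakmp_ifaces:
            findings.append(f"crypto map bound to {iface} but ISAKMP is not enabled there")
    for tg, pool_name in cfg.tunnel_pools.items():
        if pool_name not in cfg.pools:
            findings.append(f"tunnel-group {tg} references undefined pool {pool_name}")
            continue
        first, last = cfg.pools[pool_name]
        # The whole pool must sit inside the destination of some nat 0 ACL entry,
        # otherwise inside hosts would NAT their replies to VPN clients.
        exempt = any(first in dst and last in dst
                     for acl in cfg.nat0_bindings.values()
                     for _, dst in cfg.nat0_acls.get(acl, []))
        if not exempt:
            findings.append(f"pool {pool_name} ({first}-{last}) is not covered by any nat 0 ACL")
    return findings


def audit_config_text(text: str) -> list:
    return audit(parse_asa_config(text))


if __name__ == "__main__":
    for finding in audit_config_text(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the quoted config this reports nothing, which is consistent with the poster's observation that clients on the outside segment connect fine; the checks are what to re-run after every change suggested later in the thread.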
02-14-2007 12:25 PM
Hi,
If you are sitting in the 10.203.1.0 and going to the Internet through the same ASA and connecting to the outside IP of the ASA, then it is not funny. It is an incorrect way of connecting.
If it is something else, then please reply.
Regards.
02-14-2007 03:14 PM
Hi,
My test method was not sitting on the 10.203.1.0 network and connecting to the outside IP of the ASA. What I mean was, sitting on the outside interface of the ASA and using a public IP to a client.
02-15-2007 06:58 AM
What kind of errors on the ASA are you getting? Turn on debug cryp isakmp and debug cryp ipsec and see what happens when that client tries to connect.
02-15-2007 07:00 AM
One other thing, might be very obvious, but do you have a default route setup? You mentioned that it works when on the same subnet but I'm assuming that when you're behind whatever nat device, you're coming from another network? I might be totally off but being that I don't know the details of your test environment, just check that to make sure.
02-15-2007 07:42 AM
Yes, there's a default route set and I have tried using a 56k dialup and it's not working. I guess I gotta do some debugs to further troubleshoot the problem.
Anyway someone suggested disabling pfs. Anyone knows what this does?
crypto dynamic-map outside_dyn_map 20 set pfs
And he also suggested changing sha to md5.
02-15-2007 07:45 AM
See here for a somewhat cryptic explanation of pfs, i.e. perfect forward secrecy:
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
If you're doing client vpn, I don't think changing this stuff helps. Usually, modifying pfs, md5/sha is important to match up on lan-to-lan tunnels. With a client, the end device (your router/concentrator) tells the client what to use. As long as you're not using a very outdated client, I wouldn't think there'd be a problem.
Keep in mind that you can also turn on some debugging in the Cisco client. I believe it's under 'Options'.
02-16-2007 06:39 AM
Hi,
Begin with a small test here...
Test if you are able to ping the outside IP address of the ASA from the client PC. If you are, then check that the device in between which is doing the NATing is not blocking:
UDP 500
ESP
UDP 4500
If it's not, then check if you have "Transparent Tunneling" enabled on the client.
You also want to check the connection using "IPSec over TCP".
HTH,
-Kanishka
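To show why UDP 4500 is on that list alongside UDP 500 and ESP, here is an added example (my own code, not from the thread or from Cisco) that walks through the NAT-D exchange from RFC 3947 with both peers' messages. Each side sends SHA-1 hashes of the addresses it believes are in use; the receiver compares them with what it actually observes on the packet. A mismatch means a NAT rewrote the address, and the peers then float IKE to UDP 4500 and UDP-encapsulate ESP on the same port, which is why a NAT device that only passes UDP 500 (or raw ESP) still breaks the tunnel. The addresses, ports and cookies are constructed sample values.

```python
import hashlib
import socket
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), here with SHA-1 (the thread's hash)."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local, peer):
    """Sender emits the hash of the peer's address first, then of its own (RFC 3947 section 3.2)."""
    return [nat_d_hash(cky_i, cky_r, *peer), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, payloads, observed_peer, local):
    """Receiver side: the first hash should match my own address, the rest the source I see on the wire."""
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_peer) not in payloads[1:]
    self_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, *local)
    return peer_behind_nat, self_behind_nat


def choose_transport(peer_behind_nat: bool, self_behind_nat: bool):
    """If either side is NATed, IKE floats to UDP 4500 and ESP is UDP-encapsulated on 4500."""
    if peer_behind_nat or self_behind_nat:
        return ("udp", 4500, "UDP-encapsulated ESP on 4500")
    return ("udp", 500, "raw ESP, IP protocol 50")


def simulate(client_private, client_as_seen, asa):
    """Run the NAT-D exchange between a client (possibly behind NAT) and the ASA.

    client_private: (ip, port) the client itself uses
    client_as_seen: (ip, port) the ASA observes after any NAT rewrite
    asa:            (ip, port) of the ASA's outside interface
    """
    cky_i = b"\x11" * 8  # constructed initiator cookie
    cky_r = b"\x22" * 8  # constructed responder cookie
    # Client builds its hashes from its own (private) view of the addresses.
    client_payloads = build_nat_d_payloads(cky_i, cky_r, local=client_private, peer=asa)
    # The ASA sees the packet arrive from the NAT-rewritten source.
    asa_view = detect_nat(cky_i, cky_r, client_payloads, observed_peer=client_as_seen, local=asa)
    # The ASA answers with hashes of what it observed; the reply reaches the client untouched on its side.
    asa_payloads = build_nat_d_payloads(cky_i, cky_r, local=asa, peer=client_as_seen)
    client_view = detect_nat(cky_i, cky_r, asa_payloads, observed_peer=asa, local=client_private)
    return {
        "asa": asa_view,          # (peer_behind_nat, self_behind_nat) as the ASA sees it
        "client": client_view,    # same tuple from the client's side
        "transport": choose_transport(*asa_view),
    }


if __name__ == "__main__":
    # Constructed sample: client on 192.168.1.20 behind a NAT that presents 198.51.100.7:51000.
    r = simulate(("192.168.1.20", 500), ("198.51.100.7", 51000), ("203.0.113.5", 500))
    print("ASA sees client behind NAT:", r["asa"][0], "-> use", r["transport"])
    r = simulate(("198.51.100.7", 500), ("198.51.100.7", 500), ("203.0.113.5", 500))
    print("Direct client, no NAT:", r["asa"], "-> use", r["transport"])
```

The number in `crypto isakmp nat-traversal 20` on the ASA is the NAT keepalive interval in seconds; after the float to UDP 4500 those keepalives are what stop the NAT device from expiring the translation while the tunnel is idle, so a client that connects and then silently loses traffic later is a different symptom from one that never gets past phase 1.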