Can't Connect via VPN

Answered Question
Jun 14th, 2007

Have an ASA5505. Below is the error message that the VPN Client log gives while trying to connect.

sbilgi Thu, 06/21/2007 - 11:02

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

Apply the following command on the ASA:

isakmp nat-traversal 120

acomiskey Thu, 06/21/2007 - 11:08

^ In version 7.2.2 it is "crypto isakmp nat-traversal" and it is already in his config.

Richard Burts Mon, 07/09/2007 - 09:44

Thomas

I think that I see what the issue is. You want the client to send the ISAKMP negotiation packets (UDP port 500) to the ASA to negotiate the Security Association. But the client is reporting that there is no response. I see the first clue in the debug output from the ASA:

6|Jul 09 2007|10:58:33|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4711 for outside:70.200.193.240/1157 (70.200.193.240/1157) to inside:192.168.1.50/500 (66.64.170.18/500)

Note that it is building an inbound connection, and note that it is building it to destination address 192.168.1.50. So the ISAKMP is being sent to some device on the inside network rather than being processed on the ASA. The inside device is not processing the ISAKMP request and this is why the client receives no response.

I believe that this is due to this line in the config:

static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

This will translate any traffic arriving on the outside interface to the 192.168.1.50 address, including your ISAKMP traffic.

I believe that if you are going to translate all inbound traffic to the inside address that you need a translation of UDP 500 and of ESP to stay on the ASA outside address.

HTH

Rick

thomas.estes Mon, 07/09/2007 - 10:15

I agree with your assessment, however I do not have the savvy to "translate all inbound traffic to the inside address that you need a translation of UDP 500 and of ESP to stay on the ASA outside address."

How do I go about doing that?

Thanks in advance!

acomiskey Mon, 07/09/2007 - 10:19

You could set up port address translation instead for each of the ports you need access to...

no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

etc.

thomas.estes Mon, 07/09/2007 - 10:23

I just need to make sure that I don't cause any problems with the current routing as I had some difficulty getting it set up in the first place.

XXX.XXX.XXX.20 needs SMTP on 192.168.1.30

XXX.XXX.XXX.18 needs SMTP on 192.168.1.50

XXX.XXX.XXX.18 is the "Outside interface" and has a route to XXX.XXX.XXX.17.

Richard Burts Mon, 07/09/2007 - 10:51

Thomas

I have not tried it this way but I wonder if you could add this:

static (inside,outside) udp interface isakmp 66.64.170.18 isakmp netmask 255.255.255.255
static (inside,outside) esp interface 66.64.170.18 netmask 255.255.255.255

before the existing translate.

HTH

Rick

Correct Answer
acomiskey Mon, 07/09/2007 - 11:05

Here are the changes from your initial posted config. This will allow you to hit all your existing ports to 192.168.1.50 and 1.30. It will also keep your outside interface clear for the VPN.

no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
clear xlate

Your final static config should look like this...

static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255

Just wanted to add that this would disconnect any existing connections but will not affect routing.
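The following is an added illustration, not part of the thread: a small Python model of the translation behaviour the posts describe. It parses the `static (inside,outside)` lines, shows that the 1:1 static on the interface address delivers UDP/500 to 192.168.1.50 (the log line Rick quoted), and that the per-port replacement leaves ISAKMP and ESP on the ASA. First-match lookup and the sample configs are assumptions made for the example.

```python
from collections import namedtuple
PORT_NAMES = {"smtp": 25, "https": 443, "isakmp": 500}   # ASA port keywords used here
# glob: global address ("interface" = the ASA's own outside IP). proto/gport/lport are
# None for a 1:1 address static, or "tcp"/"udp" plus ports for a port (PAT) static.
Static = namedtuple("Static", "glob proto gport local lport")

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_statics(cfg):
    """Parse 'static (inside,outside) ...' lines; 'no static ...' removes its entry."""
    out = []
    for line in cfg.splitlines():
        toks = line.split()
        negate = toks[:1] == ["no"]
        toks = toks[1:] if negate else toks
        if toks[:2] != ["static", "(inside,outside)"] or "netmask" not in toks:
            continue
        body = toks[2:toks.index("netmask")]
        if body[0] in ("tcp", "udp"):
            st = Static(body[1], body[0], _port(body[2]), body[3], _port(body[4]))
        else:
            st = Static(body[0], None, None, body[1], None)
        out = [s for s in out if s != st] if negate else out + [st]
    return out

def inbound_destination(statics, proto, dport):
    """Where a packet sent to the outside interface IP lands: first matching static wins
    (an assumed simplification); with no match the ASA terminates it itself, as VPN needs."""
    for s in statics:
        if s.glob != "interface":
            continue
        if s.proto is None:                  # 1:1 static captures every protocol and port
            return (s.local, dport)
        if s.proto == proto and s.gport == dport:
            return (s.local, s.lport)
    return ("ASA", dport)

def vpn_capturing_statics(statics):
    """Statics on the interface address that would steal ISAKMP (UDP/500) or ESP."""
    return [s for s in statics if s.glob == "interface"
            and (s.proto is None or (s.proto == "udp" and s.gport == 500))]

# Constructed samples mirroring the thread: the original 1:1 static, then the fix.
BEFORE_CFG = "static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255\n"
FIX_CFG = """no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
"""
```

Running `vpn_capturing_statics(parse_statics(cfg))` over a real static section is a quick pre-change check for any interface-wide translation that would intercept the VPN.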

thomas.estes Tue, 07/10/2007 - 04:40

Thanks to all for the help. That was the issue. There was the static 1 - 1 on the outside interface that was effectively forwarding all traffic ( including VPN ) to the internal address.
