Can't Connect via VPN

Answered Question
Jun 14th, 2007

Have an ASA5505. Below is the error message that the VPN Client log gives while trying to connect.





sbilgi Thu, 06/21/2007 - 11:02
User Badges:
  • Silver, 250 points or more

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.


Apply the following command on the ASA:

isakmp nat-traversal 120


acomiskey Thu, 06/21/2007 - 11:08
User Badges:
  • Green, 3000 points or more

^ Version 7.2.2 it is "crypto isakmp nat-traversal" and it is already in his config.

Richard Burts Mon, 07/09/2007 - 09:44
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Thomas


I think that I see what the issue is. You want the client to send the ISAKMP negotiation packets (UDP port 500) to the ASA to negotiate the Security Association. But the client is reporting that there is no response. I see the first clue in the debug output from the ASA:

6|Jul 09 2007|10:58:33|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4711 for outside:70.200.193.240/1157 (70.200.193.240/1157) to inside:192.168.1.50/500 (66.64.170.18/500)

Note that it is building an inbound connection, and note that it is building it to destination address 192.168.1.50. So the ISAKMP is being sent to some device on the inside network rather than being processed on the ASA. The inside device is not processing the ISAKMP request, and this is why the client receives no response.


I believe that this is due to this line in the config:

static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

This will translate any traffic arriving on the outside interface to the 192.168.1.50 address, including your ISAKMP traffic.

I believe that if you are going to translate all inbound traffic to the inside address that you need a translation of UDP 500 and of ESP to stay on the ASA outside address.

HTH


Rick

thomas.estes Mon, 07/09/2007 - 10:15

I agree with your assessment; however, I do not have the savvy to "translate all inbound traffic to the inside address that you need a translation of UDP 500 and of ESP to stay on the ASA outside address."


How do I go about doing that?


Thanks in advance!

acomiskey Mon, 07/09/2007 - 10:19
User Badges:
  • Green, 3000 points or more

You could set up port address translation instead for each of the ports you need access to...


no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

etc.

thomas.estes Mon, 07/09/2007 - 10:23

I just need to make sure that I don't cause any problems with the current routing as I had some difficulty getting it set up in the first place.


On XXX.XXX.XXX.20 needs SMTP on 192.168.1.30

XXX.XXX.XXX.18 needs SMTP on 192.168.1.50


XXX.XXX.XXX.18 is the "Outside interface" and has a route to XXX.XXX.XXX.17.

Richard Burts Mon, 07/09/2007 - 10:51
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Thomas


I have not tried it this way but I wonder if you could add this:

static (inside,outside) udp interface isakmp 66.64.170.18 isakmp netmask 255.255.255.255

static (inside,outside) esp interface 66.64.170.18 netmask 255.255.255.255

before the existing translate.


HTH


Rick

Correct Answer
acomiskey Mon, 07/09/2007 - 11:05
User Badges:
  • Green, 3000 points or more

Here are the changes from your initial posted config. This will allow you to hit all your existing ports to 192.168.1.50 and 1.30. It will also keep your outside interface clear for the vpn.


no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255

static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255

static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255

clear xlate


Your final static config should look like this...


static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255

static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255

static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255


Just wanted to add that this would disconnect any existing connections but will not affect routing.
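The misconfiguration diagnosed in this thread is visible in the ASA's own connection log: a "Built inbound UDP connection" to an inside host on port 500 whose mapped address is the ASA's outside interface. The following is an added example, not code from the thread or from Cisco, that scans pipe-separated ASDM-style log exports (the format of the line Rick quoted) for exactly that pattern; it assumes the ASA outside address 66.64.170.18 from that log line, treats UDP 4500 (NAT-T) the same way as UDP 500, and uses a constructed three-line sample log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ASA outside interface address from the thread; the VPN has to terminate here.
ASA_OUTSIDE = "66.64.170.18"
# Protocol/port pairs that must stay on the ASA for a remote-access IPsec client.
VPN_PORTS = {("UDP", 500), ("UDP", 4500)}

# Body of an ASA 302015/302013 "Built inbound ... connection" message, in the
# pipe-separated ASDM-style export format quoted in the thread.
BUILT_RE = re.compile(
    r"Built inbound (?P<proto>UDP|TCP) connection \d+ for "
    r"\w+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to "
    r"\w+:(?P<real>[\d.]+)/\d+ \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)

@dataclass
class Finding:
    src: str      # remote VPN client address
    real: str     # inside host the connection was actually built to
    mapped: str   # address the client sent to (the ASA's outside address)
    proto: str
    port: int

def check_line(line: str, asa_outside: str = ASA_OUTSIDE) -> Optional[Finding]:
    """Flag a connection-built event where VPN traffic sent to the ASA's own
    outside address was translated to an inside host instead of terminating."""
    fields = line.split("|")
    if len(fields) < 7 or fields[3] not in ("302013", "302015"):
        return None
    m = BUILT_RE.search(fields[6])
    if not m:
        return None
    key = (m["proto"], int(m["mport"]))
    if key in VPN_PORTS and m["mapped"] == asa_outside and m["real"] != asa_outside:
        return Finding(m["src"], m["real"], m["mapped"], *key)
    return None

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(check_line, lines) if f is not None]

# Constructed sample log: line 1 is the event quoted in the thread; the others are
# made up here (an SMTP forward that is intended, and an unrelated teardown line).
SAMPLE_LOG = [
    "6|Jul 09 2007|10:58:33|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4711 for outside:70.200.193.240/1157 (70.200.193.240/1157) to inside:192.168.1.50/500 (66.64.170.18/500)",
    "6|Jul 09 2007|10:58:40|302013|70.200.193.240|192.168.1.50|Built inbound TCP connection 4712 for outside:70.200.193.240/40001 (70.200.193.240/40001) to inside:192.168.1.50/25 (66.64.170.18/25)",
    "6|Jul 09 2007|10:59:02|302014|70.200.193.240|192.168.1.50|Teardown TCP connection 4712 for outside:70.200.193.240/40001 to inside:192.168.1.50/25 duration 0:00:22 bytes 1843 TCP FINs",
]
```

Running scan(SAMPLE_LOG) returns one Finding for the quoted UDP/500 line and nothing for the intended SMTP forward; after the 1:1 interface static is replaced by the per-port statics, the same scan over fresh logs should come back empty.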

thomas.estes Tue, 07/10/2007 - 04:40

Thanks to all for the help. That was the issue. There was the static 1 - 1 on the outside interface that was effectively forwarding all traffic ( including VPN ) to the internal address.
