Can't Connect via VPN

thomas.estes (Level 1)

Have an ASA5505. Below is the error message that the VPN Client log gives while trying to connect.


sbilgi (Level 5)

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

Apply the following command on the ASA:

isakmp nat-traversal 120

^ Version 7.2.2 it is "crypto isakmp nat-traversal" and it is already in his config.

Attached are the current running configs, the log file from the VPN client, and the only activity that I see on the FW.

Thanks

Thomas

I think that I see what the issue is. You want the client to send the ISAKMP negotiation packets (UDP port 500) to the ASA to negotiate the Security Association. But the client is reporting that there is no response. I see the first clue in the debug output from the ASA:

6|Jul 09 2007|10:58:33|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4711 for outside:70.200.193.240/1157 (70.200.193.240/1157) to inside:192.168.1.50/500 (66.64.170.18/500)

Note that it is building an inbound connection, and note that it is building it to destination address 192.168.1.50. So the ISAKMP is being sent to some device on the inside network rather than being processed on the ASA. The inside device is not processing the ISAKMP request, and this is why the client receives no response.

I believe that this is due to this line in the config:

static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

This will translate any traffic arriving on the outside interface to the 192.168.1.50 address, including your ISAKMP traffic.

I believe that if you are going to translate all inbound traffic to the inside address that you need a translation of UDP 500 and of ESP to stay on the ASA outside address.

HTH

Rick

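As an added illustration (not from any post in this thread), this Python script applies Rick's reasoning to the ASA syslog export: it parses message 302015 lines in the pipe-delimited form quoted above and flags inbound UDP 500/4500 connections that the firewall "built" to an inside host while the packet was addressed to the ASA's own outside address. The outside address 66.64.170.18 is taken from the quoted log line; the two extra sample lines are constructed.

```python
import re

# Message text of ASA syslog 302015 (UDP connection built), as exported in the thread:
# "Built inbound UDP connection N for outside:SRC/SPORT (SRC/SPORT) to inside:REAL/PORT (MAPPED/PORT)"
BUILT_RE = re.compile(
    r"Built inbound (?P<proto>UDP|TCP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<real_dst>[\d.]+)/(?P<real_port>\d+) "
    r"\((?P<mapped_dst>[\d.]+)/(?P<mapped_port>\d+)\)"
)
IKE_PORTS = {500, 4500}   # ISAKMP and IKE NAT-T; both must terminate on the ASA itself

def parse_302015(line):
    """Split one pipe-delimited export line; return a field dict for 302015, else None."""
    f = line.split("|")
    if len(f) < 7 or f[3] != "302015":
        return None
    m = BUILT_RE.search(f[6])
    if not m:
        return None
    rec = m.groupdict()
    rec["real_port"] = int(rec["real_port"])
    rec["mapped_port"] = int(rec["mapped_port"])
    return rec

def redirected_ike(lines, asa_outside_ip):
    """Return (src, real_dst, port) for IKE packets sent to the ASA's own outside address
    but translated to an inside host. A working VPN terminates IKE on the firewall, so a
    connection built to an inside host on UDP 500/4500 is the signature of a static NAT
    swallowing the ASA's own IKE traffic."""
    hits = []
    for line in lines:
        r = parse_302015(line)
        if (r and r["proto"] == "UDP" and r["real_port"] in IKE_PORTS
                and r["mapped_dst"] == asa_outside_ip and r["real_dst"] != asa_outside_ip):
            hits.append((r["src"], r["real_dst"], r["real_port"]))
    return hits

# Constructed sample: the first line is the one quoted in the thread; the others are
# ordinary forwarded traffic (DNS and HTTPS to the same inside host) that must not fire.
SAMPLE_LOG = [
    "6|Jul 09 2007|10:58:33|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4711 "
    "for outside:70.200.193.240/1157 (70.200.193.240/1157) to inside:192.168.1.50/500 (66.64.170.18/500)",
    "6|Jul 09 2007|10:58:40|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4712 "
    "for outside:70.200.193.240/1158 (70.200.193.240/1158) to inside:192.168.1.50/53 (66.64.170.18/53)",
    "6|Jul 09 2007|10:58:41|302013|70.200.193.240|192.168.1.50|Built inbound TCP connection 4713 "
    "for outside:70.200.193.240/1159 (70.200.193.240/1159) to inside:192.168.1.50/443 (66.64.170.18/443)",
]

if __name__ == "__main__":
    for src, dst, port in redirected_ike(SAMPLE_LOG, "66.64.170.18"):
        print(f"IKE from {src} on UDP/{port} is being NATed to inside host {dst}, not to the ASA")
```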

I agree with your assessment, however I do not have the savvy to "translate all inbound traffic to the inside address that you need a translation of UDP 500 and of ESP to stay on the ASA outside address."

How do I go about doing that?

Thanks in advance!

You could set up port address translation instead for each of the ports you need access to...

no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

etc.

I just need to make sure that I don't cause any problems with the current routing as I had some difficulty getting it set up in the first place.

On XXX.XXX.XXX.20 needs SMTP on 192.168.1.30

XXX.XXX.XXX.18 needs SMTP on 192.168.1.50

XXX.XXX.XXX.18 is the "Outside interface" and has a route to XXX.XXX.XXX.17.

Thomas

I have not tried it this way but I wonder if you could add this:

static (inside,outside) udp interface isakmp 66.64.170.18 isakmp netmask 255.255.255.255

static (inside,outside) esp interface 66.64.170.18 netmask 255.255.255.255

before the existing translate.

HTH

Rick


Here are the changes from your initial posted config. This will allow you to hit all your existing ports to 192.168.1.50 and 1.30. It will also keep your outside interface clear for the vpn.

no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255

static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255

static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255

clear xlate

Your final static config should look like this...

static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255

static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255

static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255

Just wanted to add that this would disconnect any existing connections but will not affect routing.
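As an added check (not part of the accepted answer), this Python script parses the pre-8.3 `static (inside,outside) ...` lines above, applies the posted change set (`no static` removes a line, `static` adds one, `clear xlate` leaves the table alone) and flags any 1:1 static whose mapped address is the outside interface itself, which is the line that was capturing the VPN traffic. BEFORE is reconstructed from the thread and the masked `xxxx.170.20` address is kept as the page shows it.

```python
# Port keywords the ASA accepts in static PAT lines (only those used in this thread).
PORT_NAMES = {"smtp": 25, "https": 443, "isakmp": 500}

def _port(tok):
    """Translate an ASA port keyword or number to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_static(line):
    """Parse one pre-8.3 'static (inside,outside) ...' line; None for anything else."""
    t = line.split()
    if len(t) < 4 or t[0] != "static":
        return None
    if t[2] in ("tcp", "udp"):   # static PAT: a single protocol/port pair
        return {"proto": t[2], "mapped": t[3], "mport": _port(t[4]), "real": t[5], "rport": _port(t[6])}
    if t[2] == "esp":            # ESP carries no ports
        return {"proto": "esp", "mapped": t[3], "mport": None, "real": t[4], "rport": None}
    return {"proto": "ip", "mapped": t[2], "mport": None, "real": t[3], "rport": None}  # 1:1 static

def apply_changes(config, changes):
    """'no static ...' removes the identical existing line, 'static ...' appends one;
    anything else (e.g. 'clear xlate') does not change the static table."""
    result = list(config)
    for line in changes:
        if line.startswith("no static "):
            result = [l for l in result if l != line[3:]]
        elif line.startswith("static "):
            result.append(line)
    return result

def catch_all_statics(config):
    """Return 1:1 statics whose mapped address is the outside interface itself. Such a
    line redirects every protocol and port arriving on that address to the inside host,
    so IKE (UDP 500) and ESP addressed to the ASA never reach its own VPN code."""
    hits = []
    for line in config:
        s = parse_static(line)
        if s and s["proto"] == "ip" and s["mapped"] == "interface":
            hits.append(line)
    return hits

# Constructed from the thread: the original statics and the accepted change set.
BEFORE = [
    "static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255",
    "static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255",
]
CHANGES = [
    "no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255",
    "static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255",
    "static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255",
    "static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255",
    "clear xlate",
]
AFTER = apply_changes(BEFORE, CHANGES)
```

Running `catch_all_statics(BEFORE)` returns the offending interface static, while `catch_all_statics(AFTER)` is empty and `AFTER` matches the "final static config" listed above.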

Thanks to all for the help. That was the issue. There was the static 1 - 1 on the outside interface that was effectively forwarding all traffic ( including VPN ) to the internal address.
