ISAKMP connection request from client denied by ASA

Unanswered Question
Oct 6th, 2007

Hi, all, I am running 8.0(2), I am trying to set up IPsec RA on ASA. The IPsec tunnel from Client will terminate on ASA's Outside interface.

It did not work. Debug shows that the ISAKMP connection request (UDP destination port 500) is either denied by the ASA or the ASA complains that no translation group was found. I don't understand why the ASA is denying the ISAKMP connection when such a connection is permitted by default. (I also tried to configure an ACL on the Outside interface to explicitly permit udp isakmp, and toggled "crypto map <> interface Outside" and "crypto isakmp enable Outside".) In what scenario would the ASA treat an ISAKMP connection request like normal inbound traffic and try to look for a translation entry?

It should be a simple configuration. I followed every step in the documentation, and I am scratching my head to get the first step of IPsec VPN RA working...

Richard Burts Sun, 10/07/2007 - 08:26

Jian

My first guess is that something in the ASA configuration for the RA VPN is not set up correctly and the ASA is attempting to forward the packet to somewhere else. Can you post the config of the ASA (most especially the VPN parts of the config)?

HTH

Rick

jiangu Sun, 10/07/2007 - 09:24

Hi, Rick, thank you for your reply, here is the relevant configuration, please let me know if you need any other configurations:

crypto map:
============
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dynamic_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dynamic_map
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Tunnel group configuration:
===========================
tunnel-group ipsec-remote type remote-access
tunnel-group ipsec-remote general-attributes
 address-pool ra_pool
 authentication-server-group RADIUS_SVRS
 authorization-server-group RADIUS_SVRS
 accounting-server-group RADIUS_SVRS
tunnel-group ipsec-remote ipsec-attributes
 pre-shared-key *

NAT related configuration
=========================
nat (Inside) 0 access-list inside-nonat
access-list inside-nonat extended permit ip INTERNAL-NETS 255.255.255.0 VPN-Client-NET 255.255.255.0

whisperwind Sun, 10/07/2007 - 10:50

Let me take a crack at this for ya.

First thing I do not see is a DHCP pool to assign client addresses:

! The user vpn dhcp pool cannot overlap with internally used subnets.
!
ip local pool VPN-DHCP-POOL 192.168.168.1-192.168.168.20 mask 255.255.255.0
!
! Assigning the VPN DHCP pool subnet as a no-nat on the outside interface allows the user
! traffic to enter the outside interface from the VPN client in order to be NATed on its way to the Inet
!
nat (OUTSIDE) 1 192.168.168.0 255.255.255.0
!

Next thing I do not see is a group policy and associated access list that defines user attributes and access, see this:

group-policy REMOTEVPN internal
group-policy REMOTEVPN attributes
 wins-server value 192.168.15.112
 dns-server value 192.168.15.112
 vpn-idle-timeout 30
 vpn-filter value VPN-USERACCESS
 vpn-tunnel-protocol IPSec
 default-domain value mydoamin.com

You may also want to have usernames for authentication.
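An added consistency checker, written for this thread and not part of the original posts or of any Cisco tooling, that parses the fragments jiangu posted above and verifies the elements this reply lists: a crypto map bound to the terminating interface with its dynamic entry present, ISAKMP enabled on that interface, the tunnel-group's address pool defined under exactly the referenced name, and the nat 0 exemption ACL present. The sample config is constructed from the posted lines plus a pool line whose name (ra-pool) is taken from the later reply; the ASA line syntax it matches on is assumed from those snippets.

```python
import re

# Constructed sample: the fragments jiangu posted, plus a pool line built from
# the later reply that says the pool is named "ra-pool" (assumed syntax).
SAMPLE_CONFIG = """
ip local pool ra-pool 192.168.168.1-192.168.168.20 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dynamic_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dynamic_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
tunnel-group ipsec-remote type remote-access
tunnel-group ipsec-remote general-attributes
 address-pool ra_pool
nat (Inside) 0 access-list inside-nonat
access-list inside-nonat extended permit ip INTERNAL-NETS 255.255.255.0 VPN-Client-NET 255.255.255.0
"""

def check_ra_vpn(config: str, iface: str) -> list[str]:
    """Return findings for the RA VPN elements discussed here; [] means all present and consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. A crypto map must be bound to the terminating interface, and the
    #    dynamic entry it points at must actually exist.
    bound = [m.group(1) for l in lines
             if (m := re.match(rf"crypto map (\S+) interface {re.escape(iface)}$", l))]
    if not bound:
        findings.append(f"no crypto map applied to interface {iface}")
    else:
        dyn = [m.group(1) for l in lines if (m := re.match(
            rf"crypto map {re.escape(bound[0])} \d+ ipsec-isakmp dynamic (\S+)", l))]
        if not dyn or not any(l.startswith(f"crypto dynamic-map {dyn[0]} ") for l in lines):
            findings.append(f"crypto map {bound[0]} has no usable dynamic entry")
    # 2. ISAKMP must be enabled on that interface.
    if f"crypto isakmp enable {iface}" not in lines:
        findings.append(f"ISAKMP not enabled on {iface}")
    # 3. Every address-pool a tunnel-group references must be defined (exact name match).
    pools = {m.group(1) for l in lines if (m := re.match(r"ip local pool (\S+) ", l))}
    for l in lines:
        if (m := re.match(r"address-pool (\S+)$", l)) and m.group(1) not in pools:
            findings.append(f"address-pool {m.group(1)} is referenced but not defined")
    # 4. The NAT-exemption ACL named in 'nat (...) 0 access-list' must exist.
    for l in lines:
        if (m := re.match(r"nat \(\S+\) 0 access-list (\S+)", l)):
            if not any(x.startswith(f"access-list {m.group(1)} ") for x in lines):
                findings.append(f"nat 0 references missing access-list {m.group(1)}")
    return findings
```

Run against the constructed sample, the only finding is the pool-name mismatch between the tunnel-group reference and the pool definition; the other checks pass.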

jiangu Sun, 10/07/2007 - 12:28

Thanks for your reply. I do have the VPN pool "ra-pool" defined, and the group policy is DfltGrpPolicy, which I modified to include all tunnel protocols. Usernames and authentication are configured in the RADIUS server. I doubt the points you made would lead the ASA to deny the incoming ISAKMP connection.

Sorry I did not post every line of my configuration.

whisperwind Sun, 10/07/2007 - 13:24

Well, you can either post the entire config here for the community to review or call TAC.
