10-06-2007 11:31 PM - edited 03-11-2019 04:21 AM
Hi all, I am running 8.0(2) and I am trying to set up IPsec RA on the ASA. The IPsec tunnel from the Client will terminate on the ASA's Outside interface.
It did not work; debug shows that the ISAKMP connection request (UDP destination port 500) is either denied by the ASA or the ASA complains that no translation group was found. I don't understand why the ASA is denying the ISAKMP connection when such a connection is permitted by default. (I also tried to configure an ACL on the Outside interface to explicitly permit udp isakmp, and toggled "crypto map <> interface Outside" and "crypto isakmp enable Outside".) And in what scenario would the ASA treat an ISAKMP connection request like normal inbound traffic and try to look for a translation entry?
It should be a simple configuration; I followed every step in the documentation, and I am scratching my head to get the first step of IPsec VPN RA working...
10-07-2007 08:26 AM
Jian
My first guess is that something in the ASA configuration for the RA VPN is not set up correctly and the ASA is attempting to forward the packet to somewhere else. Can you post the config of the ASA (most especially the VPN parts of the config)?
HTH
Rick
10-07-2007 09:24 AM
Hi, Rick, thank you for your reply, here is the relevant configuration, please let me know if you need any other configurations:
crypto map:
============
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dynamic_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dynamic_map
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Tunnel group configuration:
===========================
tunnel-group ipsec-remote type remote-access
tunnel-group ipsec-remote general-attributes
address-pool ra_pool
authentication-server-group RADIUS_SVRS
authorization-server-group RADIUS_SVRS
accounting-server-group RADIUS_SVRS
tunnel-group ipsec-remote ipsec-attributes
pre-shared-key *
NAT related configuration
=========================
nat (Inside) 0 access-list inside-nonat
access-list inside-nonat extended permit ip INTERNAL-NETS 255.255.255.0 VPN-Client-NET 255.255.255.0
10-07-2007 10:50 AM
Let me take a crack at this for ya.
First thing I do not see is a DHCP pool to assign client addresses:
! The user vpn dhcp pool cannot overlap with internally used subnets.
!
ip local pool VPN-DHCP-POOL 192.168.168.1-192.168.168.20 mask 255.255.255.0
!
! Assigning the VPN DHCP Pool subnet as a no-nat on the outside interface allows the user
! traffic to enter the outside interface from the VPN Client in order to be NATed on its way to the Inet
!
nat (OUTSIDE) 1 192.168.168.0 255.255.255.0
!
Next thing I do not see is a group policy and associated access list that defines user attributes and access; see this:
group-policy REMOTEVPN internal
group-policy REMOTEVPN attributes
wins-server value 192.168.15.112
dns-server value 192.168.15.112
vpn-idle-timeout 30
vpn-filter value VPN-USERACCESS
vpn-tunnel-protocol IPSec
default-domain value mydoamin.com
You may also want to have usernames for authentication
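The replies above amount to a checklist of references that have to line up before the ASA will even process an inbound IKE request for a remote-access tunnel: a crypto map bound to the interface, ISAKMP enabled on that same interface, the dynamic map and transform set it names, an address pool the tunnel-group can actually hand out, and a NAT-exemption ACL that exists. The following Python script is an added example (not from this thread or from Cisco) that parses an ASA 8.x configuration fragment and reports those referential gaps. The embedded configuration is a constructed sample built from the fragment posted above, with no "ip local pool" line, so the lint flags the missing pool; the function names and the check list are this example's own choices, not ASA commands.

```python
import re
from typing import Dict, List, Set

# Constructed sample based on the fragment posted earlier in this thread.
# It deliberately contains no "ip local pool ra_pool" line.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dynamic_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dynamic_map
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group ipsec-remote type remote-access
tunnel-group ipsec-remote general-attributes
 address-pool ra_pool
 authentication-server-group RADIUS_SVRS
tunnel-group ipsec-remote ipsec-attributes
 pre-shared-key *
nat (Inside) 0 access-list inside-nonat
access-list inside-nonat extended permit ip INTERNAL-NETS 255.255.255.0 VPN-Client-NET 255.255.255.0
"""


def parse_asa_config(config: str) -> Dict[str, object]:
    """Collect the names and references that a remote-access IPsec setup ties together."""
    facts = {
        "transform_sets": set(),   # crypto ipsec transform-set <name>
        "dyn_map_ts": {},          # dynamic-map name -> transform-set it uses
        "map_entries": set(),      # crypto maps that have an ipsec-isakmp entry
        "map_dyn_refs": {},        # crypto map name -> dynamic-map it references
        "map_iface": {},           # crypto map name -> interface it is applied to
        "isakmp_ifaces": set(),    # interfaces with "crypto isakmp enable"
        "isakmp_policies": set(),  # policy priorities
        "local_pools": set(),      # ip local pool <name>
        "tg_pools": {},            # tunnel-group name -> address-pool it hands out
        "nat0_acls": set(),        # ACLs referenced by "nat (x) 0 access-list"
        "acls": set(),             # ACLs that have at least one entry
    }
    current_tg = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            facts["transform_sets"].add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)", line):
            facts["dyn_map_ts"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp(?: dynamic (\S+))?", line):
            facts["map_entries"].add(m.group(1))
            if m.group(2):
                facts["map_dyn_refs"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            facts["map_iface"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto isakmp enable (\S+)", line):
            facts["isakmp_ifaces"].add(m.group(1))
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            facts["isakmp_policies"].add(m.group(1))
        elif m := re.match(r"ip local pool (\S+)", line):
            facts["local_pools"].add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) ", line):
            current_tg = m.group(1)          # sub-commands that follow belong to this group
        elif (m := re.match(r"address-pool (\S+)", line)) and current_tg:
            facts["tg_pools"][current_tg] = m.group(1)
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            facts["nat0_acls"].add(m.group(2))
        elif m := re.match(r"access-list (\S+) ", line):
            facts["acls"].add(m.group(1))
    return facts


def lint_ra_vpn(config: str) -> List[str]:
    """Return one human-readable finding per dangling reference; empty list means consistent."""
    f = parse_asa_config(config)
    findings: List[str] = []
    if not f["isakmp_policies"]:
        findings.append("no 'crypto isakmp policy' defined; phase 1 cannot negotiate")
    if not f["map_iface"]:
        findings.append("no crypto map is applied to any interface")
    for cmap, iface in f["map_iface"].items():
        if cmap not in f["map_entries"]:
            findings.append(f"crypto map {cmap} is applied to {iface} but has no ipsec-isakmp entry")
        if iface not in f["isakmp_ifaces"]:
            findings.append(f"crypto map {cmap} is on {iface} but 'crypto isakmp enable {iface}' is missing")
    for cmap, dyn in f["map_dyn_refs"].items():
        if dyn not in f["dyn_map_ts"]:
            findings.append(f"crypto map {cmap} references undefined dynamic-map {dyn}")
        elif f["dyn_map_ts"][dyn] not in f["transform_sets"]:
            findings.append(f"dynamic-map {dyn} uses undefined transform-set {f['dyn_map_ts'][dyn]}")
    for tg, pool in f["tg_pools"].items():
        if pool not in f["local_pools"]:
            findings.append(f"tunnel-group {tg} uses address-pool {pool} but no 'ip local pool {pool}' is defined")
    for acl in f["nat0_acls"]:
        if acl not in f["acls"]:
            findings.append(f"nat 0 references access-list {acl}, which has no entries")
    return findings


if __name__ == "__main__":
    for finding in lint_ra_vpn(SAMPLE_CONFIG) or ["no dangling references found"]:
        print(finding)
```

Run against the sample, the only finding is the undefined address pool; adding an "ip local pool ra_pool ..." line clears it. The script checks that the configuration is internally consistent, which is the kind of gap the replies in this thread are hunting for; it does not replace "debug crypto isakmp" output for diagnosing why a specific IKE packet was dropped.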
10-07-2007 12:28 PM
Thanks for your reply. I do have the VPN pool "ra-pool" defined, and the group policy is DfltGrpPolicy, which I modified to include all tunnel protocols. Usernames and authentication are configured in the RADIUS server. I doubt the points you made would lead the ASA to deny the incoming ISAKMP connection.
Sorry I did not post every line of my configuration.
10-07-2007 01:24 PM
Well, you can either post the entire config here for the community to review or call TAC.