VPN on Cisco ASA doesn't work

Answered Question
Ivan Martinon Mon, 01/19/2009 - 10:06

Amit,


Your config looks good. What is the error message you get on your client? Your outside shows a private IP address; are you using NAT in front? Have you opened the needed ports? Can you send the client log or the ASA debugs?

Ivan Martinon Mon, 01/19/2009 - 10:13

Port UDP 500, port UDP 4500 and protocol ESP need to be opened. Also, after adding these, go ahead and enable the next command: "crypto isakmp nat-t"

Ivan Martinon Mon, 01/19/2009 - 10:25

Those ports need to be opened, yes, but not on the firewall that you have; rather, in the router that is in front providing NAT (if any). That command enables encryption over UDP 4500 to alleviate NAT environments.

Ivan Martinon Mon, 01/19/2009 - 13:13

Amit,


I saw you opened those ports on the ASA by adding an ACL. The ASA does not need to have these opened, since this guy will accept VPN client connections by enabling the following commands: "crypto isakmp enable outside" and "crypto map XXXX interface outside", which... now that I look again at your config, you don't have.


Please go ahead and add this line to your ASA:


crypto map outside_map interface outside


And try to connect again.

Ivan Martinon Mon, 01/19/2009 - 16:08

Understood, you can go ahead and remove these:


access-list port500 extended permit udp interface Outside eq isakmp interface inside

access-list port4500 extended permit udp interface Outside eq 4500 interface inside


Add those commands that I mentioned to you, and please check the following line:


route Outside 0.0.0.0 0.0.0.0 10.1.10.1 1


This does not make sense with the addressing scheme on the outside interface; just let me know if this was edited for privacy reasons.

Ivan Martinon Mon, 01/19/2009 - 17:08

That's ok, I was just wondering why it was on a different subnet, leave it and apply what I asked.

Ivan Martinon Tue, 01/20/2009 - 10:30

Nope, as soon as you enable the crypto map, traffic will be processed by the ASA.

Ivan Martinon Tue, 01/20/2009 - 17:27

Ok, go ahead and add the next:


access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0


nat (inside) 0 access-list nonat



access-list MooreVPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0


and type:


no access-list MooreVPN_splitTunnelAcl standard permit any


no access-list port500 extended permit udp interface Outside eq isakmp interface inside


no access-list port4500 extended permit udp interface Outside eq 4500 interface inside


Remove this line from the group-policy MooreVPN:


no split-tunnel-network-list value port500


And change it to:


split-tunnel-network-list value MooreVPN_splitTunnelAcl



Also, your access list to allow RDP into your network is not right; change it from:


access-list outside_access_in extended permit tcp any eq 3389 host 10.1.1.10 eq 3389


to


access-list outside_access_in extended permit tcp any host 10.1.1.10 eq 3389


Pretty much your config should look like the attached one.
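The corrections in this post (crypto map bound to outside, NAT-T, NAT exemption, a standard split-tunnel ACL and the RDP ACL without a source-port match) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; the two config fragments are constructed from the lines quoted in the thread, and the finding codes are my own names.

```python
import re

# Constructed ASA config fragments modelled on the thread (not a real device dump).
BROKEN = """\
access-list port500 extended permit udp interface Outside eq isakmp interface inside
access-list MooreVPN_splitTunnelAcl standard permit any
access-list outside_access_in extended permit tcp any eq 3389 host 10.1.1.10 eq 3389
split-tunnel-network-list value port500
crypto isakmp enable outside
"""
FIXED = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list MooreVPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 10.1.1.10 eq 3389
split-tunnel-network-list value MooreVPN_splitTunnelAcl
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-t
"""

def lint_asa_vpn(config):
    """Return (code, detail) findings for the VPN problems raised in the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {}  # ACL name -> its entries, so later checks can inspect them
    for l in lines:
        m = re.match(r"access-list (\S+) ", l)
        if m:
            acls.setdefault(m.group(1), []).append(l)
    findings = []
    if not any(re.match(r"crypto map \S+ interface outside$", l) for l in lines):
        findings.append(("NO_CRYPTO_MAP_ON_OUTSIDE", "VPN traffic is never processed"))
    if "crypto isakmp enable outside" not in lines:
        findings.append(("NO_ISAKMP_ON_OUTSIDE", "IKE is not listening on outside"))
    if "crypto isakmp nat-t" not in lines:
        findings.append(("NO_NAT_T", "clients behind NAT cannot use UDP 4500"))
    if not any(re.match(r"nat \(inside\) 0 access-list \S+$", l) for l in lines):
        findings.append(("NO_NAT_EXEMPTION", "inside-to-client traffic would be NATed"))
    # 'any eq 3389' constrains the source port; real RDP clients use ephemeral ports.
    for name, entries in acls.items():
        if any(re.search(r"permit tcp any eq \d+ host", e) for e in entries):
            findings.append(("SOURCE_PORT_MATCH", name))
    m = re.search(r"split-tunnel-network-list value (\S+)", config)
    if m:
        entries = acls.get(m.group(1), [])
        if not any(" standard " in e for e in entries):
            findings.append(("SPLIT_TUNNEL_ACL_NOT_STANDARD", m.group(1)))
        elif any(e.endswith(" permit any") for e in entries):
            findings.append(("SPLIT_TUNNEL_ANY", m.group(1) + " tunnels every destination"))
    return findings
```

Running it on BROKEN reports the five problems Ivan walked through; on FIXED it reports none.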
Ivan Martinon Wed, 01/21/2009 - 07:41

Yes, you need a static translation. I am glad to hear that the VPN works now.

Ivan Martinon Wed, 01/21/2009 - 07:54

Can you paste the "show conn" when you are trying, as well as the logs that you see when trying?