cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4976
Views
0
Helpful
14
Replies

Remote VPN Client and Telnet to ASA

asfar.zaidi
Level 1
Level 1

Hi Guys

I ahve a ASA firewall Connected to Cisco 2821 Router.

On the Router I have ADSL and Lease Line connected.

All my traffic destined for port web ftp etc is going from ADSL and smtp pop3 telnet etc is going from lease Line.

My issues as follow:

I am unable to telnet to ASA outside Interface although its configuered.

Unable to connect my Remote VPN Client , there are no packets in debug crypto isakmp , I know I ahve a nat device i.e. my router before my asa , I have to no nat port 4500 and esp over there but how , its confusing.

I am ataching configuration.

Regards

1 Accepted Solution

Accepted Solutions

It's look like a config issue. Might need debug output of "debug crypto isa 127".

You might need remove command "authorization-server-group LOCAL".

NAT-traversal is enabled by default on ASA version 8.x. Therefore, you don't need worry NAT device in the middle.

View solution in original post

14 Replies 14

Yudong Wu
Level 7
Level 7

Is aa.aa.aa.2 a public IP? If yes, will the packet to aa.aa.aa.2 come in from ADSL?

Make sure the packet to aa.aa.aa.2 will reach ASA. You can enable logging buffer or setup capture on outside interface. Then try telnet to ASA and check log or capture to see if telnet packet reach ASA.

Yes its a Public IP. and Packet should come from LL not from ADSL (That what I think).

I captured , but telnet is not reaching till ASA.

If you do the capture on ASA like following,

access-list cap permit tcp any host aa.aa.aa.2 eq telnet

access-list cap permit tcp host aa.aa.aa.2 eq telnet any

capture cap access-list cap interface outside

- telent to ASA outside interface from somewhere else.

- then on ASA, show capture cap

Do you see the packet in and out?

This is the Packet Capture

5 packets captured

1: 22:51:11.754981 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:24

87757828(0) win 65535

K>

2: 22:51:14.838671 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:24

87757828(0) win 65535

K>

3: 22:51:20.878464 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:24

87757828(0) win 65535

K>

4: 22:51:32.997156 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:24

87757828(0) win 65535

K>

5: 22:51:57.058270 217.164.167.147.61152 > aa.aa.aa.2.23: S 2487757828:24

87757828(0) win 65535

K>

5 packets shown

Did you capture the packet by using the ACL in my previous post? If yes, you should be able to capture the packet in both directions. From output, it looks like ASA did not response to telnet request. Can you enable logging buffered and then try telnet again and check "show logging" to see if there is log info for this.

Yes I capture the packet as you told me and this is the output for show logging

%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 217.164.167.147 to aa.aa.aa.2.

%ASA-7-710005: TCP request discarded from 217.164.167.147/61771 to outside:aa.aa.aa.2/23

%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 217.164.167.147 to aa.aa.aa.2.

%ASA-7-710005: TCP request discarded from 217.164.167.147/61823 to outside:aa.aa.aa.2/23

%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 217.164.167.147 to aa.aa.aa.2.

%ASA-7-710005: TCP request discarded from 217.164.167.147/61823 to outside:aa.aa.aa.2/23

Ok, you can not telnet to an outside interface directly. It must go through VPN tunnel. but you should be able to SSH to outside interface directly.

Ok, but why it should go through VPN Tunnel.

Secondly , I am unable to get VPN up even

1. That's by design. Telnet to outside is not safe since the packet is in plain text.

2. Looks like you missed "crypto isakmp enable outside".

Thanks ... you are right .... I enable it and getting this error

(config)# Aug 25 23:47:42 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Removing peer from peer table failed, no match!

Aug 25 23:47:42 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Error: Unable to remove PeerTblEntry

Aug 25 23:47:47 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Removing peer from peer table failed, no match!

Aug 25 23:47:47 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Error: Unable to remove PeerTblEntry

Aug 25 23:47:52 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Removing peer from peer table failed, no match!

Aug 25 23:47:52 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Error: Unable to remove PeerTblEntry

Aug 25 23:47:57 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Removing peer from peer table failed, no match!

Aug 25 23:47:57 [IKEv1]: Group = AdminGrp, IP = 217.164.167.147, Error: Unable to remove PeerTblEntry

By the way tell me one thing I have a nat device above the ASA , why i dont need to bypass the port 4500 on it

It's look like a config issue. Might need debug output of "debug crypto isa 127".

You might need remove command "authorization-server-group LOCAL".

NAT-traversal is enabled by default on ASA version 8.x. Therefore, you don't need worry NAT device in the middle.

Thanks

I change the group 5 to 2 and it start working.

Great! I am glad you found the mistaken in config. Good job.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: