ASA 5505 first configuration - no connection with external VPN

Unanswered Question
Jan 29th, 2010
User Badges:

Hi!

I'm on my first configuration of a Cisco firewall. I'm trying ASA 5505 using Cisco ASDM 5.2 (not GUI). I configured Vlan1 (inside) and Vlan2(outside) and all seems to work correctly. Network clients can use Internet and ping internal LAN. But I've some problems with vpn and other services: 1. when I try to connect to external VPN server the connection procedure stopped in username/password validation (if I try directly, without firewall ASA, there's no problem) 2.I've problems also to see external security cam working trough a web server.

I open port 1723 - 500 and GRE. What can I do more? Thank's all.


ah! this is Cisco ASDM Syslog error message:



Syslog message

3|Jan 29 2010|10:07:20|305006|88.41.211.232||regular translation creation failed for protocol 47 src inside:192.168.0.2 dst outside:88.41.211.232


Result of the command: "show startup-config"

: Saved

: Written by enable_15 at 18:37:26.964 UTC Thu Jan 28 2010

!

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password UqJHTo7.2sANHB7y encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_access_in extended permit tcp any eq pptp 192.168.0.0 255.255.255.0 eq pptp

access-list outside_access_in extended permit udp any eq isakmp 192.168.0.0 255.255.255.0 eq isakmp

access-list outside_access_in extended permit gre any 192.168.0.0 255.255.255.0

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit esp any 192.168.0.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

dhcpd option 3 ip 192.168.0.1

dhcpd option 6 ip 212.216.172.62

!

dhcpd address 192.168.0.2-192.168.0.129 inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:74d04070ef0b566c8c95e3024c6b6232

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
amaerklin Fri, 01/29/2010 - 05:09
User Badges:

Hi Simone


1. if you're using outbound vpn (ipsec) to a headend located in the internet you'll need to open udp 500 for isakmp and udp 4500 for nat-t and IPsec over TCP will be using tcp 10000 if cisco is used.

2. you'll need to add the following to your mpf configuration:

policy-map global_policy
class inspection_default
  inspect ipsec-pass-thru

this will guarantee to let you ESP (protocol 50) to pass the ASA, also known as native IPsec.


3. I'm assuming that you have to setup your NAT or PAT stuff in the right manner. Configure your NAT like below, if you want to present an internal server to the outside world:

static (inside,outside) outsideip insideip netmask 255.255.255.255 0 0 -> for static nat

static (inside,outside) interface insideip netmask 255.255.255.255 0 0 -> for static pat


4. use ipsec instead of pptp, since the cisco vpn client is free and much more secure!


hope this helps

cheers

Nico

simonemoretti Fri, 01/29/2010 - 07:31
User Badges:

Thanks, I'll try your solution next Monday. Now I send you two additions:

1. I've configured NAT as dynamic (for future use I'll probably configure static NAT for VPN server)

2. I nedd to connect to evrey PPTP or IPSec external VPN e probably there are not Cisco Router (Dlink, I think)

Bye

simonemoretti Mon, 02/01/2010 - 03:11
User Badges:

Ok, now it works!

I simply add flag on PPTP in Security Policy > Server policy rule > Rule action (when you edit the policy.


Now I try to create a VPN server, so ... I think I'll need more help. Bye

ad.sharma Thu, 11/22/2012 - 23:04
User Badges:

Hi,


You have to allow PPTP inspection in your default policy group.


  • myasa(config)#policy-map global_policy
  • myasa(config-pmap)#class inspection_default

  • myasa(config-pmap-c)#inspect pptp

Anadi

Actions

This Discussion