Cisco 1721 VPN endpoint not working behind ASA

Apr 2nd, 2010

I have a VPN Concentrator at the remote end working fine with other endpoints behind PIX, none behind ASA.

The VPN endpoint (Cisco 1721 VPN Router) is behind the ASA and plugs into the local switch block with the ASA. 1-to-1 NAT is configured on the ASA end with an ACL permitting isakmp, 4500, & esp.

Below are the errors I receive in the ASA.

*Note - 172.2.0.1 is the remote VPN concentrator.
        10.1.1.3 is the local workstation initiating HTTPS traffic that goes across the 1721.

Apr 02 2010 20:14:01: %ASA-1-106021: Deny TCP reverse path check from 172.2.0.1 to 10.1.1.3 on interface inside

After applying "no ip verify reverse-path interface" on in & out:

Apr 02 2010 20:15:31: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4324 flags SYN ACK  on interface inside
Apr 02 2010 20:15:31: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4327 flags SYN ACK  on interface inside
Apr 02 2010 20:15:34: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4324 flags SYN ACK  on interface inside
Apr 02 2010 20:15:34: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4327 flags SYN ACK  on interface inside
Apr 02 2010 20:15:40: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4324 flags SYN ACK  on interface inside
Apr 02 2010 20:15:40: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4327 flags SYN ACK  on interface inside
Apr 02 2010 20:15:46: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4331 flags SYN ACK  on interface inside

Any suggestions what I'm doing wrong?

Federico Coto F... Fri, 04/02/2010 - 17:56

Hi,

The logs are denying port TCP 443, which is HTTPS.

Is this an IPsec VPN connection or an SSL connection?

If this is indeed SSL, check that the ACL allows 443.

Federico.

Adam Frederick Fri, 04/02/2010 - 18:45

The VPN connection is IPsec.

I was trying to access an SSL web page from an internal address.

Federico Coto F... Fri, 04/02/2010 - 19:02

So, this tunnel that you're trying to establish is between the concentrator and the 1721 (which is behind an ASA, correct?)

You're trying an HTTPS connection from an internal machine, 10.1.1.3.
Should this connection bring up the IPsec tunnel? (Is the SSL web page part of the VPN traffic?)

The logs are saying that the inbound TCP connection from 172.2.0.1 (the concentrator) to the internal machine is being denied.

It seems like the tunnel is not getting established, the traffic is not being encrypted, and that's why the ASA sees the HTTPS connection. (If the IPsec tunnel were established, the ASA would only see ESP packets going through.)

I don't think the problem is the ASA, since you only need the 1-to-1 static NAT and to permit ESP, ISAKMP and 4500, as you mentioned.

The problem seems to be that the internal machine 10.1.1.3 is not triggering the tunnel to establish.

Do you see the tunnel trying to establish on either the 1721 or the concentrator?

Federico.
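
As an added illustration (not part of the thread and not the poster's actual configuration), the ASA side that Federico describes looks like this: a one-to-one static NAT for the 1721 plus an inbound ACL on the outside interface that permits only ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP. The public address 203.0.113.10, the 1721's inside address 192.168.1.10 and the ACL name outside_in are hypothetical; 172.2.0.1 is the concentrator address used in the thread. The syntax is the pre-8.3 form, with the 8.3-and-later equivalent in the trailing comments.

```cisco
! --- Added example; hypothetical addresses, not the thread's real config ---
! 203.0.113.10 = public IP mapped to the 1721 (assumed)
! 192.168.1.10 = the 1721's address on the ASA inside segment (assumed)
! 172.2.0.1    = remote VPN concentrator (address from the thread)
!
! One-to-one static NAT (ASA 8.2 and earlier syntax)
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! Inbound ACL: only the IKE / NAT-T / ESP the tunnel needs, and only from the
! concentrator. "any" as the source also works, but it exposes IKE on the
! 1721 to the whole Internet instead of to the one peer that should talk to it.
access-list outside_in extended permit udp host 172.2.0.1 host 203.0.113.10 eq isakmp
access-list outside_in extended permit udp host 172.2.0.1 host 203.0.113.10 eq 4500
access-list outside_in extended permit esp host 172.2.0.1 host 203.0.113.10
access-group outside_in in interface outside
!
! ASA 8.3 and later equivalent: NAT moves to a network object, and the ACL
! matches the real (untranslated) address 192.168.1.10 instead of 203.0.113.10.
!   object network VPN_1721
!    host 192.168.1.10
!    nat (inside,outside) static 203.0.113.10
!   access-list outside_in extended permit udp host 172.2.0.1 host 192.168.1.10 eq isakmp
!   access-list outside_in extended permit udp host 172.2.0.1 host 192.168.1.10 eq 4500
!   access-list outside_in extended permit esp host 172.2.0.1 host 192.168.1.10
!   access-group outside_in in interface outside
```

To answer Federico's last question, `show crypto isakmp sa` and `show crypto ipsec sa` on the 1721 list the IKE and IPsec SAs; empty output while the workstation is generating traffic means the 1721 is not even attempting to negotiate. On the ASA, `show xlate` confirms the static translation is in place, and `show access-list outside_in` shows hit counts on the three permit lines, which tells you whether the concentrator's IKE replies and ESP are reaching the outside interface at all.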
