Cisco 1721 VPN endpoint not working behind ASA

Adam Frederick
Level 3

Have a VPN Concentrator at remote end working fine with other endpoints behind PIX, none behind ASA

VPN Endpoint (Cisco 1721 VPN Router) is behind the ASA and plugs into the local switch block with the ASA.  1-to-1 NAT is configured on the ASA end with an ACL permitting isakmp, 4500, & esp.

Below are the errors I receive in the ASA.

*Note - 172.2.0.1 is the remote VPN concentrator.
        10.1.1.3 is the local workstation initiating HTTPS traffic that goes across the 1721.


Apr 02 2010 20:14:01: %ASA-1-106021: Deny TCP reverse path check from 172.2.0.1 to 10.1.1.3 on interface inside


After turning on "no ip verify reverse-path interface in & out":


Apr 02 2010 20:15:31: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4324 flags SYN ACK  on interface inside
Apr 02 2010 20:15:31: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4327 flags SYN ACK  on interface inside
Apr 02 2010 20:15:34: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4324 flags SYN ACK  on interface inside
Apr 02 2010 20:15:34: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4327 flags SYN ACK  on interface inside
Apr 02 2010 20:15:40: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4324 flags SYN ACK  on interface inside
Apr 02 2010 20:15:40: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4327 flags SYN ACK  on interface inside
Apr 02 2010 20:15:46: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4331 flags SYN ACK  on interface inside

Any suggestions what I'm doing wrong?

3 Replies

Hi,

The logs are denying port TCP 443 which is HTTPS.

Is this an IPsec VPN connection or an SSL connection?

If this is an SSL indeed, check that the ACL allows 443.

Federico.

The VPN Connection is IPSec.

I was trying to access an SSL web page from internal address.

So, this tunnel that you're trying to establish is between the concentrator and the 1721 (which is behind an ASA, correct?)

You're trying an HTTPS connection from an internal machine 10.1.1.3
This connection should bring up the IPsec tunnel? (The SSL web page is part of the VPN traffic?)

The logs are saying that the inbound TCP connection from 172.2.0.1 (concentrator) to the internal machine is being denied.

It seems like the tunnel is not getting established, the traffic is not being encrypted and that's why the ASA sees the HTTPS connection. (If the IPsec tunnel was established, then the ASA would only see ESP packets go through.)

I don't think the problem is the ASA since you only need the 1-1 STATIC NAT and permit ESP, ISAKMP and 4500 as you mentioned.


The problem seems to be that the internal machine 10.1.1.3 is not triggering the tunnel to establish.

Do you see the tunnel trying to establish on either the 1721 or the concentrator?

Federico.
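As an added triage aid (not part of the thread, and not Cisco's code), the script below parses the two ASA deny messages quoted above (106021 reverse-path and 106001 inbound-connection) and counts cleartext packets that are sourced from a VPN peer address and arrive on the inside interface, which is the symptom the reply above points at. The peer set {172.2.0.1} and interface name "inside" come from the thread; the log sample is constructed in the same format and includes one unrelated distractor line.

```python
import re
from collections import Counter

# Constructed sample in the format of the %ASA-1-106021 and %ASA-2-106001 lines
# quoted in the thread; the last line is a constructed distractor from an
# unrelated host (documentation address) on the outside interface.
SAMPLE_LOG = """\
Apr 02 2010 20:14:01: %ASA-1-106021: Deny TCP reverse path check from 172.2.0.1 to 10.1.1.3 on interface inside
Apr 02 2010 20:15:31: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4324 flags SYN ACK  on interface inside
Apr 02 2010 20:15:31: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4327 flags SYN ACK  on interface inside
Apr 02 2010 20:15:34: %ASA-2-106001: Inbound TCP connection denied from 172.2.0.1/443 to 10.1.1.3/4324 flags SYN ACK  on interface inside
Apr 02 2010 20:16:02: %ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/443 to 10.1.1.9/5120 flags SYN ACK  on interface outside
"""

RE_106021 = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)")
RE_106001 = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>\S+) connection denied from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>.*?)\s+on interface (?P<iface>\S+)")

def parse_asa_line(line):
    """Parse the two ASA deny messages the thread shows; return None for anything else."""
    for msg_id, rx in (("106021", RE_106021), ("106001", RE_106001)):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec["msg_id"] = msg_id
            return rec
    return None

def vpn_peer_cleartext_on_inside(log_text, vpn_peers, inside_iface="inside"):
    """Count denied cleartext packets sourced from a VPN peer address that arrive
    on the inside interface, keyed by (msg_id, src, dst).

    With the tunnel up, the ASA should only see ESP / UDP 4500 between the peers,
    so plaintext TCP from the peer address is the symptom to chase. 106021 is the
    uRPF check (the route to the peer points outside, not inside); 106001 on a
    SYN ACK means the ASA holds no connection entry for that flow. Disabling
    uRPF only changed which message fires, as the posted logs show."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_asa_line(line)
        if rec and rec["src"] in vpn_peers and rec["iface"] == inside_iface:
            hits[(rec["msg_id"], rec["src"], rec["dst"])] += 1
    return hits

if __name__ == "__main__":
    for key, n in vpn_peer_cleartext_on_inside(SAMPLE_LOG, {"172.2.0.1"}).items():
        print(key, n)
```

Feed it the ASA's actual syslog export instead of SAMPLE_LOG; a non-zero count after the tunnel is believed to be up tells you to check the 1721's crypto session state rather than the ASA's ACLs.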
