How do I set up ASA5520 VPN for Network (Client) Access?

Unanswered Question

I have an ASA5520 and need to allow users to connect to the inside network (and some users to the management network if possible), using the VPN client. I went through the wizard on the ASDM and created an access control list for the ports used by the VPN client. When checking the logs, it tends to say that the access to the port is denied by the outside interface. Using the packet trace feature it fails on my implicit deny all for the outside interface, even though I specifically gave access on those ports. Could this be a group policy issue, or some other feature not being set up properly?

Here is what I'm allowing:

object-group service DM_INLINE_SERVICE_4
service-object esp
service-object tcp-udp eq 10000
service-object udp eq isakmp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any host IP1

This is what I see on the log:

Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description
2 | Apr 06 2010 | 11:29:20 | 106006 | 10.10.101.28 | 4765 | IP1 | 500 | Deny inbound UDP from 10.10.101.28/4765 to IP1/500 on interface outside
scootertgm Tue, 04/06/2010 - 12:17

Make sure the client is offering the transforms you have set on your ASA.

For example, if you are trying to use AES-128, the IPsec client needs to offer AES-128.

If you are connected to the CLI of the ASA, run debug crypto isakmp 254 and then try to connect. The "wall of text" that appears will also show the transform sets the client is offering to the ASA. Depending on the IPsec client, I have seen this vary from 4 to 12 offerings. Make sure you configure the ASA to one of those options.

scootertgm Tue, 04/06/2010 - 13:42

My apologies, I misread the error.

As a test, edit the VPN using the ASDM to bypass the access list when connecting to the VPN. This is in step one of configuring the VPN.

If that works, it could be the access list "...service_4" is permitting traffic to an IP that is not on the firewall.

scootertgm Wed, 04/07/2010 - 06:49

I thought about this last night. The denied error is to IP1. Are you telling the VPN client to connect to the outside interface of the ASA, or are you trying to connect the VPN to IP1?

When you run the wizard, it will set up the VPN to allow it to connect to the interface you specify in the wizard. In this case I would guess that you would want to use the outside interface. Your VPN client should then use that host address (outside interface) to connect to. That deny almost looks like you are trying to connect to IP1.
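The two diagnostic questions raised in this thread (is the client's IKE/IPsec traffic landing on the VPN termination interface, and is it addressed to that interface's IP rather than some other host) can be checked mechanically against the ASA's deny messages. The following Python script is an added example and is not code from the original post or from Cisco; it parses the 106006-style "Deny inbound UDP from A/p to B/q on interface X" line shown in the question, recognizes the VPN control ports the poster's object-group allows (UDP 500, UDP/TCP 10000) plus NAT-T on UDP 4500, and classifies each deny. The outside interface name and address (203.0.113.10) and all sample log lines are constructed for the example; "IP1" is kept as the placeholder used in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol/port pairs the IPsec VPN client must reach on the ASA's VPN
# termination interface. 500/udp and 10000 come from the object-group in the
# question; 4500/udp (IKE NAT-T) is added here as the usual third one.
VPN_CONTROL_PORTS = {
    ("UDP", 500): "IKE/ISAKMP",
    ("UDP", 4500): "IKE NAT-T",
    ("UDP", 10000): "IPsec over UDP",
    ("TCP", 10000): "IPsec over TCP",
}

# Matches the description field of the ASA deny message quoted in the thread.
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>TCP|UDP) from (?P<src>\S+?)/(?P<sport>\d+) "
    r"to (?P<dst>\S+?)/(?P<dport>\d+) on interface (?P<iface>\S+)"
)

# Constructed sample lines (not real log data). The first one reproduces the
# deny from the question; the others vary destination, port and interface.
SAMPLE_LOG_LINES = [
    "%ASA-2-106006: Deny inbound UDP from 10.10.101.28/4765 to IP1/500 on interface outside",
    "%ASA-2-106006: Deny inbound UDP from 10.10.101.28/4765 to 203.0.113.10/500 on interface outside",
    "%ASA-2-106006: Deny inbound UDP from 10.10.101.28/51000 to 203.0.113.10/53 on interface outside",
    "%ASA-2-106006: Deny inbound UDP from 10.10.101.28/52000 to 203.0.113.10/10000 on interface dmz",
]


@dataclass
class DeniedFlow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str


def parse_deny(line: str) -> Optional[DeniedFlow]:
    """Extract the 5-tuple and interface from a deny line, or None if not a deny."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    return DeniedFlow(
        proto=m["proto"].upper(),
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        iface=m["iface"],
    )


def diagnose(flow: DeniedFlow, vpn_iface: str, vpn_iface_ip: str) -> str:
    """Classify a denied flow relative to the interface that terminates the VPN.

    not-vpn           : the denied port is not VPN control traffic; unrelated deny
    wrong-interface   : VPN control traffic arrived on an interface that does not
                        terminate the VPN (no crypto map / isakmp enabled there)
    wrong-destination : VPN control traffic addressed to a host other than the
                        termination interface IP (the case the thread ends on)
    acl-or-bypass     : correct interface and IP, so look at the interface ACL
                        or the "bypass interface access lists" VPN setting
    """
    if (flow.proto, flow.dport) not in VPN_CONTROL_PORTS:
        return "not-vpn"
    if flow.iface != vpn_iface:
        return "wrong-interface"
    if flow.dst != vpn_iface_ip:
        return "wrong-destination"
    return "acl-or-bypass"


def triage(lines: List[str], vpn_iface: str, vpn_iface_ip: str) -> List[Tuple[DeniedFlow, str]]:
    """Run every parseable deny line through diagnose(); skip non-deny lines."""
    results = []
    for line in lines:
        flow = parse_deny(line)
        if flow is not None:
            results.append((flow, diagnose(flow, vpn_iface, vpn_iface_ip)))
    return results


if __name__ == "__main__":
    # Assumed: the VPN terminates on "outside", whose address is 203.0.113.10.
    for flow, verdict in triage(SAMPLE_LOG_LINES, "outside", "203.0.113.10"):
        service = VPN_CONTROL_PORTS.get((flow.proto, flow.dport), "-")
        print(f"{verdict:18} {flow.proto} {flow.src}/{flow.sport} -> "
              f"{flow.dst}/{flow.dport} on {flow.iface} ({service})")
```

Running this over the question's own deny line with the outside interface address filled in yields wrong-destination, which is the diagnosis the last reply arrives at: the client is pointed at IP1 instead of the interface that terminates the VPN. An acl-or-bypass result means the address and interface are right and the remaining knob is the one the second reply describes; in the CLI that ASDM checkbox corresponds to sysopt connection permit-vpn, which lets VPN-terminated traffic skip the interface ACL while group-policy and per-user ACLs still apply.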
