Urgent Help in ASA 5055 VPN

Answered Question
May 14th, 2010

Hey guys ...

am beginner in ASA and cisco configuration , i always use ASDM Launcher  to configure or modifying my Cisco ASA5055 Firewall , i tried to enable  VPN on my ASA using IPsec VPN Wizard , Remote VPN section and i made  correct configuration for Cisco VPN Client (not windows) , until this  moment i still unable to connect to my VPN , i dont know where is the  problem exactly , is it routing ? or access list?
here is running configuration  :

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

: Saved
:
ASA Version 8.0(3)6
!
hostname ciscoasa
enable password ******* encrypted
passwd ********* encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list DALLAS_splitTunnelAcl standard permit host 192.168.3.229
access-list DALLAS_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252
access-list DALLAS_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list dallas_VPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252
access-list Out extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 192.168.14.0 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool Dallas 192.168.14.1-192.168.14.50 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 192.168.3.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 1:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
vpnclient server xx.xx.xx.xx
vpnclient mode client-mode
vpnclient vpngroup dallas password ********
vpnclient username dallas password ********
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy dallas internal
group-policy dallas attributes
dns-server value xx.xx.xx.xx
vpn-tunnel-protocol IPSec
username admin password *************** encrypted privilege 15
username dallas password *********  nt-encrypted privilege 0
username dallas attributes
vpn-group-policy DefaultRAGroup
username user1 password *********** nt-encrypted privilege 0
username cisco password ********* encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group dallas type remote-access
tunnel-group dallas general-attributes
address-pool Dallas
default-group-policy dallas
tunnel-group dallas ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:beac138dba28b1b3b58dffbcbc4fbb93
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

when i use VPN Client to connect to my VPN network using real IP ,this  message appears





please if anyone can see the problem and tell me how to solve it by ASDM  GUI or CLI , but i preferred ASDM..

Note : VPN tunnel should connect to Internal Network IP Range  192.168.3.X
which is accessible by ASA as you see from redirection to 192.168.3.229

thanks everyone

I have this problem too.
0 votes
Correct Answer by Jennifer Halim about 6 years 8 months ago

Here are the step by step on all the commands that are required so far:

conf t

sysopt connection permit-vpn

crypto isakmp nat-traversal 25

access-list  inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0  192.168.14.0 255.255.255.192

group-policy dallas attributes

     split-tunnel-policy tunnelspecified

     split-tunnel-network-list value DALLAS_splitTunnelAcl

username dallas attributes

  no vpn-group-policy DefaultRAGroup

  vpn-group-policy dallas

no static (inside,outside) interface 192.168.3.229 netmask  255.255.255.255

static (inside,outside) tcp interface 80 192.168.3.229 80 netmask  255.255.255.255

static (inside,outside) tcp interface 132 192.168.3.229 132 netmask   255.255.255.255

static (inside,outside) tcp interface 444 192.168.3.229 444 netmask   255.255.255.255

static (inside,outside) tcp interface 66 192.168.3.229 66 netmask   255.255.255.255

static (inside,outside) tcp interface 77 192.168.3.229 77 netmask   255.255.255.255

clear xlate

And finally "wr mem" to save the configuration.

In regards to spam, ASA can't block spam unless you have CSC module installed on the ASA.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
maenabutabanjeh Fri, 05/14/2010 - 15:41

where are you people , moderators ... no one is live in there??? heloooooooooooooooo

Jennifer Halim Fri, 05/14/2010 - 15:58

This static NAT statement is incorrect:

static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255

Please remove the above line.

You might want to enable NAT-T too just in case you are connecting from PAT device:

crypto isakmp nat-traversal 25

Split tunnel has not been applied to your group policy even though you have configured ACL for it. To apply the split tunnel (assuming you are using Dallas group):

group-policy dallas attributes

     split-tunnel-policy tunnelspecified

     split-tunnel-network-list value DALLAS_splitTunnelAcl

Lastly, if you are using username "dallas", currently the group policy is assigned to "DefaultRAGroup". If you want to use "dallas" group policy instead for "dallas" username, you might want to change it to be assigned to "dallas" default group policy:

username dallas attributes
  no vpn-group-policy DefaultRAGroup

  vpn-group-policy dallas

Hope the above will help.

PS: this is an online community, and no moderator that provides urgent assistance. If you would like urgent assistance, pls open a Cisco TAC case, and engineer can provide urgent assistance. Thanks.

maenabutabanjeh Fri, 05/14/2010 - 22:04

thank you man for replying  , first about this statement :

static (inside,outside) interface 192.168.3.229 netmask  255.255.255.255

I cant remove it because its uses to redirect users to Citrix Server through Web through port 80 , users connecting to citrix server to access our applications by using static IP (http://xx.xx.xx.xx) , this NAT statement will redirect connecton to Citrix Essential , so its looks like Port forward from 1-65000 --> 192.168.3.229. i dont know if there is method to specifiy some ports to be redirected to Citrix instead of redirect all ports connection to one server  , i mean if citrix ports were for example (80,132,444,66,77) , how can i redirect theses ports to 192.168.3.229?


this why i can remove NAT STATEMENT.

i will try and tell you what will happen ..

thank you man in advance

Jennifer Halim Fri, 05/14/2010 - 22:08

You need to do port redirection if you are using the outside interface ip address for your citrix translation. Otherwise, all will be forwarded to citrix including the IPSec traffic.

Here is the example of port redirection:

static (inside,outside) tcp interface 80 192.168.3.229 80 netmask  255.255.255.255

static (inside,outside) tcp interface 132 192.168.3.229 132 netmask   255.255.255.255

static (inside,outside) tcp interface 444 192.168.3.229 444 netmask   255.255.255.255

static (inside,outside) tcp interface 66 192.168.3.229 66 netmask   255.255.255.255

static (inside,outside) tcp interface 77 192.168.3.229 77 netmask   255.255.255.255

"clear xlate" after the configuration changes.

maenabutabanjeh Fri, 05/14/2010 - 22:31

really thank you for replaying , someone in other forums answered the following :

here's one thing:

no  sysopt connection permit-vpn

i don't know ASDM so I can't  tell you where to enable this feature in the GUI, sorry. if you want to  get into the CLI you will just issue sysopt  connection permit-vpn

.

you will also need to add this  line to enable communication from your 3 network out to your vpn  clients:


access-list  inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0  192.168.14.0 255.255.255.192


is that correct??? and now what should i do?? exactly , am sorry for that i know , but you do a good help for me , using CLI i will open terminal and write
ena , ... and then??? i mean tell me step by step what to do , because i dont know how to use CLI Commands , i always use GUI ..

one more thing , can i use ASA rules or filters to prevent outgoing SPAM??
thank you again
Correct Answer
Jennifer Halim Fri, 05/14/2010 - 22:54

Here are the step by step on all the commands that are required so far:

conf t

sysopt connection permit-vpn

crypto isakmp nat-traversal 25

access-list  inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0  192.168.14.0 255.255.255.192

group-policy dallas attributes

     split-tunnel-policy tunnelspecified

     split-tunnel-network-list value DALLAS_splitTunnelAcl

username dallas attributes

  no vpn-group-policy DefaultRAGroup

  vpn-group-policy dallas

no static (inside,outside) interface 192.168.3.229 netmask  255.255.255.255

static (inside,outside) tcp interface 80 192.168.3.229 80 netmask  255.255.255.255

static (inside,outside) tcp interface 132 192.168.3.229 132 netmask   255.255.255.255

static (inside,outside) tcp interface 444 192.168.3.229 444 netmask   255.255.255.255

static (inside,outside) tcp interface 66 192.168.3.229 66 netmask   255.255.255.255

static (inside,outside) tcp interface 77 192.168.3.229 77 netmask   255.255.255.255

clear xlate

And finally "wr mem" to save the configuration.

In regards to spam, ASA can't block spam unless you have CSC module installed on the ASA.

maenabutabanjeh Sat, 05/15/2010 - 00:11

sir after applying these settings i was unable to connect to my ASA through ASDM or even through http://10.10.10.2/admin

i only through terminal on COM2


the users want to kill me they cant access citrix and i cant also access ASA through asdm

Jennifer Halim Sat, 05/15/2010 - 00:18

I would strongly recommend that you open a Cisco TAC case so an engineer can assist you with the configuration.

For citrix access, just reconfigure the static statement that works before.

maenabutabanjeh Sat, 05/15/2010 - 00:25

man wait here , i will let you access my computer through team viewer and check the configuration ... please stay here i will provide you with user name and password to check the configuration ... just please for a minutes there 6 branchs currently cant use application

maenabutabanjeh Sat, 05/15/2010 - 00:29

all right man , download Teamviewer ID :


**************

password *************


please connect to my computer and i will lead you to terminal just i want you to roll back configuration and re-enable redirection to 192.168.3.229 all ports , same as was and enable web management and ASDM Managment all what i want is this ... please i dont want loose my job

Actions

This Discussion