VPN Remote - IPSec-spoof error

Unanswered Question
May 26th, 2010

I'm VERY new to the Cisco firewall interface, OS and all.  I've got VPN sort of working for me but I have an issue that is kind of strange.  I can VNC on port 5950 to ONE machine (my own) that is also configured as a machine that can run the ASDM and telnet into the Firewall.  According to Packet Tracer this connection should be getting stopped as well as the others.  Not a clue.  I cannot VNC into anything else, nor can I access internal web pages or network shares.  If I use the Web VPN configuration and the Java plugin for VNC I CAN get to things.  They are using the same policy and IP pool and I'm stumped.


I'm sure that this is something relatively simple but my knowledge of IPSec is smaller than my understanding of the Cisco ASA.  Any help would be much appreciated.


Attached is my running config.

Overall Rating: 4.5 (2 ratings)
Federico Coto F... Thu, 05/27/2010 - 04:12

Alisia


You're saying that you can access internal resources remotely using an SSL VPN connection but not an IPsec connection?


If so, please post the output of the following commands when attempting to connect:

sh cry isa sa

sh cry ips sa


Make sure that you have these commands on your configurations also:

management-access inside

crypto isakmp nat-t

sysopt connection permit-vpn


Federico.

amprince042 Thu, 05/27/2010 - 05:01

To clarify:  If I use the SSL Clientless Web VPN, I can use the Java VNC plugin and/or the URL tool to browse internal resources.  If I use the IPsec VPN client, I can connect to my machine (the one that is allowed management rights) with VNC but cannot get to internal websites or VNC or browse shares into any other machine.


Here's the output from those 2 commands:



Result of the command: "sh cry isa sa"


There are no isakmp sas



Result of the command: "sh cry ips sa"


There are no ipsec sas


I ran the commands that you suggested as well and still no difference in the results.


A

Federico Coto F... Thu, 05/27/2010 - 05:06

It means the IPsec VPN client is not even connecting at all.

Do the following to determine the cause:


debug crypto isa 127

debug crypto ipsec 127

ter mon


Post the output when attempting to connect with the IPsec VPN client.


Federico.

Federico Coto F... Thu, 05/27/2010 - 06:12

Alisia,


I would remove these lines:
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
no crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto map dmz_map interface dmz
no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto map inside_map interface inside


So, when you try the IPsec client, you use this information:
IP:
Group name: IS
Group password: 4dm1n1str@t0R


And then you get prompted for user/pass credentials for local authentication....


The problem I see is that you're trying to connect with user Alisia
I don't know if I'm missing something but I don't see the local user Alisia in the configuration.
I only see a user called user1

Try this and let me know.


Federico.

amprince042 Thu, 05/27/2010 - 06:44

The user does exist but I chopped it out of the config when I posted it the first time.  So, this is what I get now when I do the debug.

Attachment: 
Federico Coto F... Thu, 05/27/2010 - 06:52

Now,


You got successfully authenticated
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, User (Alisia) authenticated.


Got an IP
May 27 09:33:52 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Obtained IP addr (192.168.4.1) prior to initiating Mode Cfg (XAuth enabled)


Phase 1 completed
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 1 COMPLETED


Phase 2 completed
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 2 COMPLETED (msgid=6db36b86)


But the problem is here:


May 27 09:36:20 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, Connection terminated for peer Alisia.  Reason: Peer Terminate  Remote Proxy 192.168.4.1, Local Proxy 0.0.0.0
May 27 09:36:20 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Active unit receives a delete event for remote peer 64.40.84.98


The ASA is receiving a terminate message from 64.40.84.98 (which is the public IP you're coming from, correct?).

There's no connectivity interruption when attempting to connect?


Federico.
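The way Federico reads the debug output above, written out as a script so the same triage can be repeated on the next capture. This is an added example, not code from the thread or from Cisco: it parses constructed log lines in the same format as the quoted `debug crypto isakmp` output, records which milestones were reached, and separates a negotiation that failed from a tunnel that came up and was then torn down by the client. The milestone strings are taken from the lines quoted in the thread; the hint text attached to each verdict is the editor's interpretation.

```python
"""Triage Cisco ASA IKEv1 debug output for a remote-access IPsec client.

Added example, not part of the thread. It reads lines of the kind that
`debug crypto isakmp 127` produces and reports how far the negotiation got,
so a failed negotiation can be told apart from a tunnel that came up and
was then torn down by the client. SAMPLE_LOG is constructed to match the
lines quoted in the thread.
"""
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[\d.]+)")

# Milestones in the order a successful XAuth + Mode Cfg connection logs them.
MILESTONES = [
    ("authenticated", re.compile(r"User \((?P<user>[^)]+)\) authenticated")),
    ("ip_assigned",   re.compile(r"Obtained IP addr \((?P<ip>[\d.]+)\)")),
    ("phase1",        re.compile(r"PHASE 1 COMPLETED")),
    ("phase2",        re.compile(r"PHASE 2 COMPLETED")),
]
TERMINATE = re.compile(
    r"Connection terminated for peer (?P<peer>\S+)\.\s+Reason: (?P<reason>.+?)\s+"
    r"Remote Proxy (?P<remote>[\d.]+), Local Proxy (?P<local>[\d.]+)"
)

# Constructed sample in the format of the thread's debug output.
SAMPLE_LOG = """\
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, User (Alisia) authenticated.
May 27 09:33:52 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Obtained IP addr (192.168.4.1) prior to initiating Mode Cfg (XAuth enabled)
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 1 COMPLETED
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 2 COMPLETED (msgid=6db36b86)
May 27 09:36:20 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, Connection terminated for peer Alisia.  Reason: Peer Terminate  Remote Proxy 192.168.4.1, Local Proxy 0.0.0.0
May 27 09:36:20 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Active unit receives a delete event for remote peer 64.40.84.98
"""


@dataclass
class Triage:
    group: str = ""
    username: str = ""
    peer_ip: str = ""
    assigned_ip: str = ""
    reached: list = field(default_factory=list)
    terminate_reason: str = ""
    local_proxy: str = ""
    verdict: str = ""
    hint: str = ""


def triage(log: str) -> Triage:
    """Walk the debug lines once and classify how far the connection got."""
    t = Triage()
    for line in log.splitlines():
        h = HEADER.search(line)
        if h and not t.group:
            t.group, t.username, t.peer_ip = h["group"], h["user"], h["ip"]
        for name, rx in MILESTONES:
            m = rx.search(line)
            if m and name not in t.reached:
                t.reached.append(name)
                if name == "ip_assigned":
                    t.assigned_ip = m["ip"]
        m = TERMINATE.search(line)
        if m:
            t.terminate_reason = m["reason"]
            t.local_proxy = m["local"]

    # Verdicts and hints are the editor's interpretation, not ASA output.
    if "phase2" in t.reached and t.terminate_reason:
        t.verdict = "tunnel_established_then_torn_down"
        t.hint = ("IKE and IPsec negotiated fine and the client gave up afterwards: "
                  "look past the VPN at inside routing, NAT exemption and ACLs.")
    elif "phase2" in t.reached:
        t.verdict = "tunnel_up"
    elif "phase1" in t.reached:
        t.verdict = "phase2_failed"
        t.hint = "Check transform sets and the dynamic crypto map binding on the outside interface."
    elif "authenticated" in t.reached:
        t.verdict = "phase1_incomplete"
    else:
        t.verdict = "no_negotiation"
        t.hint = ("No IKE exchange at all: check reachability to the outside interface, "
                  "UDP/500 and NAT-T (UDP/4500), and the group name and pre-shared key.")
    if t.local_proxy == "0.0.0.0":
        t.hint += " Local Proxy 0.0.0.0 indicates the SA covered all destinations (tunnel-all, no split tunnel applied)."
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.verdict, "reached:", " > ".join(result.reached))
    print(result.hint)
```

Run it against a saved `ter mon` capture and the verdict tells you where to look: `tunnel_established_then_torn_down`, as in this thread, means the crypto side is done and the fault is on the inside (routing, NAT exemption, ACLs), while `no_negotiation` matches the empty `sh cry isa sa` the poster saw first.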

amprince042 Thu, 05/27/2010 - 07:14

There shouldn't be anything going on on the remote side unless something is configured wrong on the VPN client itself.  It doesn't matter whether I connect from home or from here at work with our public wireless so that's the only common denominator.  My home machine is Win7 64bit and the one here is 32bit XP.


I've got Group Authentication configured.

Transport tab: Transparent Tunneling is checked and the radio button for IPSec over UDP (NAT/PAT) is selected.  Also, Allow local LAN Access is checked.

I have no backup servers or Dial-Up configured.


A

Federico Coto F... Thu, 05/27/2010 - 07:38

Ok, try this:


Don't remove any configuration, just add these commands:


######################################################


group-policy TEST internal
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IS_splitTunnelAcl


tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
address-pool IS
authorization-server-group LOCAL
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key TEST123


user test password test123


######################################################


From the VPN client, try to connect with this information:

IP:  Same IP

Group: TEST

Pass: TEST123


When prompted for credentials use:

user: test

pass: test123


I just want to see if the VPN works in this way please.


Federico.

Federico Coto F... Thu, 05/27/2010 - 08:13

Alisia,


Actually I was able to connect fine.

I am thinking that the PCF file is not configured correctly.

Here's what I did:


VPN connecting to 152.27.20.100

Group name: TEST

Group password: TEST123


It prompts for user/pass which I entered and I'm in....


Check your VPN profile settings.


Federico.

Federico Coto F... Thu, 05/27/2010 - 08:42

Do the following...


1. Delete the tunnel-group that I sent you (to avoid having anybody connecting)


2. From the VPN client you're trying to access the 172.16.1.0/24 or the 192.168.2.0/24?

Make sure both networks have a default gateway pointing to the ASA.


Federico.

amprince042 Thu, 05/27/2010 - 10:31

Oh noooo... that's what's wrong.  The one machine that I could get to (my own) was using the new firewall as a gateway so that I could test access.  The core switch is using the old firewall still.  I'm not going to be able to test it again until tomorrow when I flip the switch and shut down the old firewall.


Sorry for taking up so much of your time on such a noob mistake.


A

Federico Coto F... Thu, 05/27/2010 - 10:35

No worries, glad you found it out  :-)


Remember to rate the thread if you find it useful.


Federico.

amprince042 Thu, 05/27/2010 - 10:39

It was the bit about the gateway that made the lightbulb come on.  It finally dawned on me that that was why I could get to my machine with VNC.  It was using the ASA as a gateway.


A
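The root cause found in the last few posts, modeled as code so the return path can be checked for every inside host before the cut-over rather than discovered one VNC session at a time. This is an added example, not code from the thread or from Cisco. Only the subnets 172.16.1.0/24 and 192.168.2.0/24 and the client address 192.168.4.1 appear on the page; the ASA inside address (172.16.1.1), the core switch (172.16.1.2 / 192.168.2.254), the old firewall (172.16.1.254), its upstream (203.0.113.1) and the host inventory are all assumptions made for the model.

```python
"""Trace the return path from inside hosts to a VPN client address.

Added example, not part of the thread. The ASA forwards a VPN client's
packets to inside hosts, but each host replies via its own default gateway.
If that gateway is the old firewall, directly or through a core switch that
still defaults to it, the reply never comes back through the ASA and the
session stalls although Phase 1 and Phase 2 completed. Only 172.16.1.0/24,
192.168.2.0/24 and the client address 192.168.4.1 come from the thread;
every other address and the host inventory are assumed.
"""
from copy import deepcopy
from ipaddress import ip_address, ip_network


def rt(*entries):
    """Build a routing table from 'prefix' (connected) or 'prefix via gateway' strings."""
    table = []
    for entry in entries:
        prefix, _, gw = entry.partition(" via ")
        table.append((ip_network(prefix), ip_address(gw) if gw else None))
    return table


# Constructed topology (all addresses except the two LAN subnets and the client are assumed).
NODES = {
    "asa":          {"addrs": {"172.16.1.1"},
                     "routes": rt("172.16.1.0/24", "192.168.4.0/24",      # the VPN pool terminates here
                                  "192.168.2.0/24 via 172.16.1.2")},
    "core-switch":  {"addrs": {"172.16.1.2", "192.168.2.254"},
                     "routes": rt("172.16.1.0/24", "192.168.2.0/24",
                                  "0.0.0.0/0 via 172.16.1.254")},        # still defaults to the old firewall
    "old-firewall": {"addrs": {"172.16.1.254"},
                     "routes": rt("172.16.1.0/24", "0.0.0.0/0 via 203.0.113.1")},
    "workstation":  {"addrs": {"172.16.1.50"},                            # the one host the poster could reach
                     "routes": rt("172.16.1.0/24", "0.0.0.0/0 via 172.16.1.1")},
    "web-server":   {"addrs": {"172.16.1.20"},
                     "routes": rt("172.16.1.0/24", "0.0.0.0/0 via 172.16.1.254")},
    "file-server":  {"addrs": {"192.168.2.10"},
                     "routes": rt("192.168.2.0/24", "0.0.0.0/0 via 192.168.2.254")},
}
HOSTS = ("workstation", "web-server", "file-server")


def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, next hop) or None when nothing matches."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def owner(nodes, addr):
    """Name of the node holding `addr`, or None if the address is outside the model."""
    return next((n for n, node in nodes.items() if str(addr) in node["addrs"]), None)


def trace_reply(nodes, host, client_ip="192.168.4.1"):
    """Follow a reply from `host` toward the VPN client one routing decision at a time."""
    dst = ip_address(client_ip)
    path, node = [host], host
    while True:
        route = lookup(nodes[node]["routes"], dst)
        if route is None:
            return path + ["(no route)"]
        _, gw = route
        if gw is None:                       # destination is on-link here: delivered
            return path
        nxt = owner(nodes, gw)
        if nxt is None:                      # next hop is outside the model, e.g. the ISP
            return path + [f"(exits via {gw})"]
        if nxt in path:
            return path + ["(loop)"]
        path.append(nxt)
        node = nxt


def reply_reaches_asa(nodes, host, client_ip="192.168.4.1"):
    """True when the reply is delivered by the ASA, i.e. the path is symmetric."""
    return trace_reply(nodes, host, client_ip)[-1] == "asa"


def repoint_default(nodes, node, new_gw):
    """Copy of the topology with `node`'s default route pointing at `new_gw`."""
    fixed = deepcopy(nodes)
    fixed[node]["routes"] = [(net, ip_address(new_gw) if net.prefixlen == 0 else gw)
                             for net, gw in fixed[node]["routes"]]
    return fixed


def audit(nodes, hosts=HOSTS, client_ip="192.168.4.1"):
    """Per-host verdict: can its replies to the VPN client get back through the ASA?"""
    return {h: reply_reaches_asa(nodes, h, client_ip) for h in hosts}


if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:12s} -> {' > '.join(trace_reply(NODES, h))}")
    print("after repointing the core switch:", audit(repoint_default(NODES, "core-switch", "172.16.1.1")))
```

The model reproduces the symptom exactly: only the workstation, whose gateway is the new ASA, gets its replies back; the server behind the core switch sends them to the old firewall, which forwards them upstream. Repointing the core switch's default route at the ASA fixes the 192.168.2.0/24 hosts but not a 172.16.1.0/24 host that still names the old firewall as its gateway, which is worth remembering when the old box is switched off rather than re-addressed.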
