05-26-2010 12:28 PM - edited 02-21-2020 04:40 PM
I'm VERY new to the Cisco firewall interface, OS and all. I've got VPN sort of working for me but I have an issue that is kind of strange. I can VNC on port 5950 to ONE machine (my own) that is also configured as a machine that can run the ASDM and telnet into the Firewall. According to Packet Tracer this connection should be getting stopped as well as the others. Not a clue. I cannot VNC into anything else, nor can I access internal web pages or network shares. If I use the Web VPN configuration and the Java plugin for VNC I CAN get to things. They are using the same policy and IP pool and I'm stumped.
I'm sure that this is something relatively simple but my knowledge of IPSec is smaller than my understanding of the Cisco ASA. Any help would be much appreciated.
Attached is my running config.
05-27-2010 04:12 AM
Alisia
You're saying that you can access internal resources remotely using an SSL VPN connection but not an IPsec connection?
If so, please post the output of the following commands when attempting to connect:
sh cry isa sa
sh cry ips sa
Make sure that you have these commands on your configurations also:
management-access inside
crypto isakmp nat-t
sysopt connection permit-vpn
Federico.
05-27-2010 05:01 AM
To clarify: If I use the SSL Clientless Web VPN, I can use the Java VNC plugin and/or the URL tool to browse internal resources. If I use the IPsec VPN client, I can connect to my machine (the one that is allowed management rights) with VNC but cannot get to internal websites or VNC or browse shares into any other machine.
Here's the output from those 2 commands:
Result of the command: "sh cry isa sa"
There are no isakmp sas
Result of the command: "sh cry ips sa"
There are no ipsec sas
I ran the commands that you suggested as well and still no difference in the results.
A
05-27-2010 05:06 AM
It means the IPsec VPN client is not even connecting at all.
Do the following to determine the cause:
debug crypto isa 127
debug crypto ipsec 127
ter mon
Post the output when attempting to connect with the IPsec VPN client.
Federico.
05-27-2010 05:44 AM
05-27-2010 06:12 AM
Alisia,
I would remove these lines:
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
no crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto map dmz_map interface dmz
no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto map inside_map interface inside
So, when you try the IPsec client, you use this information:
IP:
Group name: IS
Group password: 4dm1n1str@t0R
And then you get prompted for user/pass credentials for local authentication....
The problem I see is that you're trying to connect with user Alisia
I don't know if I'm missing something but I don't see the local user Alisia in the configuration.
I only see a user called user1
Try this and let me know.
Federico.
05-27-2010 06:44 AM
05-27-2010 06:52 AM
Now,
You got successfully authenticated
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, User (Alisia) authenticated.
Got an IP
May 27 09:33:52 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Obtained IP addr (192.168.4.1) prior to initiating Mode Cfg (XAuth enabled)
Phase 1 completed
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 1 COMPLETED
Phase 2 completed
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 2 COMPLETED (msgid=6db36b86)
But the problem is here:
May 27 09:36:20 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, Connection terminated for peer Alisia. Reason: Peer Terminate Remote Proxy 192.168.4.1, Local Proxy 0.0.0.0
May 27 09:36:20 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Active unit receives a delete event for remote peer 64.40.84.98
The ASA is receiving a terminate message from 64.40.84.98 (which is the public IP where you're coming from, correct?)
There's no connectivity interruption when attempting to connect?
Federico.
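As an added example (not part of the thread or of any Cisco tool), a small Python parser for the ASA IKEv1 debug lines quoted above: it pulls out the group, user and peer, tracks authentication and the two phases, and reports where the negotiation stopped, so a capture where both phases completed and the peer then tore the tunnel down points at routing of the return traffic rather than at IKE. The line regex and the matched message strings are assumptions based only on the quoted lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample debug output, constructed from the lines quoted in the thread.
SAMPLE_LOG = """\
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, User (Alisia) authenticated.
May 27 09:33:52 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Obtained IP addr (192.168.4.1) prior to initiating Mode Cfg (XAuth enabled)
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 1 COMPLETED
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 2 COMPLETED (msgid=6db36b86)
May 27 09:36:20 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, Connection terminated for peer Alisia. Reason: Peer Terminate Remote Proxy 192.168.4.1, Local Proxy 0.0.0.0
May 27 09:36:20 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Active unit receives a delete event for remote peer 64.40.84.98
"""

# Assumed line layout: timestamp, [IKEv1] or [IKEv1 DEBUG], then Group/Username/IP, then the message.
HEADER = re.compile(r"^\w{3} +\d+ [\d:]+ \[IKEv1(?: DEBUG)?\]: Group = (?P<group>[^,]+), "
                    r"Username = (?P<user>[^,]+), IP = (?P<peer>[^,]+), (?P<msg>.*)$")

@dataclass
class Session:
    group: Optional[str] = None
    user: Optional[str] = None
    peer: Optional[str] = None
    authenticated: bool = False
    assigned_ip: Optional[str] = None
    phase1: bool = False
    phase2: bool = False
    terminated_reason: Optional[str] = None

    def verdict(self) -> str:
        """Name the first stage that did not complete, in negotiation order."""
        if self.group is None:
            return "no IKEv1 session lines found"
        if not self.authenticated:
            return "XAuth never succeeded: check group name/password and the local username"
        if not self.phase1:
            return "Phase 1 (ISAKMP) did not complete"
        if not self.phase2:
            return "Phase 2 (IPsec SA) did not complete"
        if self.terminated_reason:
            return f"tunnel came up, then was torn down: {self.terminated_reason}; look at routing of return traffic, not IKE"
        return "tunnel up"

def parse_ikev1_debug(text: str) -> Session:
    s = Session()
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # unrelated debug noise
        s.group, s.user, s.peer = m["group"], m["user"], m["peer"]
        msg = m["msg"]
        if msg.endswith("authenticated."):
            s.authenticated = True
        ip = re.search(r"Obtained IP addr \(([\d.]+)\)", msg)
        if ip:
            s.assigned_ip = ip.group(1)
        if msg.startswith("PHASE 1 COMPLETED"):
            s.phase1 = True
        if msg.startswith("PHASE 2 COMPLETED"):
            s.phase2 = True
        reason = re.search(r"Reason: (.*)$", msg)
        if reason:
            s.terminated_reason = reason.group(1)
    return s
```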
05-27-2010 07:14 AM
There shouldn't be anything going on on the remote side unless something is configured wrong on the VPN client itself. It doesn't matter whether I connect from home or from here at work with our public wireless so that's the only common denominator. My home machine is Win7 64bit and the one here is 32bit XP.
I've got Group Authentication configured.
Transport tab: Transparent Tunneling is checked and the radio button for IPSec over UDP (NAT/PAT) is selected. Also, Allow local LAN Access is checked.
I have no backup servers or Dial-Up configured.
A
05-27-2010 07:38 AM
Ok, try this:
Don't remove any configuration, just add these commands:
######################################################
group-policy TEST internal
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IS_splitTunnelAcl
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
address-pool IS
authorization-server-group LOCAL
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key TEST123
user test password test123
######################################################
From the VPN client, try to connect with this information:
IP: Same IP
Group: TEST
Pass: TEST123
When prompted for credentials use:
user: test
pass: test123
I just want to see if the VPN works in this way please.
Federico.
05-27-2010 07:59 AM
05-27-2010 08:13 AM
Alisia,
Actually I was able to connect fine.
I am thinking that the PCF file is not configured correctly.
Here's what I did:
VPN connecting to 152.27.20.100
Group name: TEST
Group password: TEST123
It prompts for user/pass which I entered and I'm in....
Check your VPN profile settings.
Federico.
05-27-2010 08:29 AM
05-27-2010 08:42 AM
Do the following...
1. Delete the tunnel-group that I sent you (to avoid having anybody connecting)
2. From the VPN client you're trying to access the 172.16.1.0/24 or the 192.168.2.0/24?
Make sure both networks have a default gateway pointing to the ASA.
Federico.
05-27-2010 10:31 AM
Oh noooo... that's what's wrong. The one machine that I could get to (my own) was using the new firewall as a gateway so that I could test access. The core switch is using the old firewall still. I'm not going to be able to test it again until tomorrow when I flip the switch and shut down the old firewall.
Sorry for taking up so much of your time on such a noob mistake.
A