VPN Remote - IPSec-spoof error

amprince042
Level 1

I'm VERY new to the Cisco firewall interface, OS and all.  I've got VPN sort of working for me but I have an issue that is kind of strange.  I can VNC on port 5950 to ONE machine (my own) that is also configured as a machine that can run the ASDM and telnet into the Firewall.  According to Packet Tracer this connection should be getting stopped as well as the others.  Not a clue.  I cannot VNC into anything else, nor can I access internal web pages or network shares.  If I use the Web VPN configuration and the Java plugin for VNC I CAN get to things.  They are using the same policy and IP pool and I'm stumped.

I'm sure that this is something relatively simple but my knowledge of IPSec is smaller than my understanding of the Cisco ASA.  Any help would be much appreciated.

Attached is my running config.

16 Replies

Alisia

You're saying that you can access internal resources remotely using an SSL VPN connection but not an IPsec connection?

If so, please post the output of the following commands when attempting to connect:

sh cry isa sa

sh cry ips sa

Make sure that you have these commands on your configurations also:

management-access inside

crypto isakmp nat-t

sysopt connection permit-vpn

Federico.

To clarify:  If I use the SSL Clientless Web VPN, I can use the Java VNC plugin and/or the URL tool to browse internal resources.  If I use the IPsec VPN client, I can connect to my machine (the one that is allowed management rights) with VNC but cannot get to internal websites or VNC or browse shares into any other machine.

Here's the output from those 2 commands:

Result of the command: "sh cry isa sa"

There are no isakmp sas

Result of the command: "sh cry ips sa"

There are no ipsec sas

I ran the commands that you suggested as well and still no difference in the results.

A

It means the IPsec VPN client is not even connecting at all.

Do the following to determine the cause:

debug crypto isa 127

debug crypto ipsec 127

ter mon

Post the output when attempting to connect with the IPsec VPN client.

Federico.

Here you go.

Alisia,

I would remove these lines:
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
no crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto map dmz_map interface dmz
no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto map inside_map interface inside

So, when you try the IPsec client, you use this information:
IP:
Group name: IS
Group password: 4dm1n1str@t0R

And then you get prompted for user/pass credentials for local authentication....


The problem I see is that you're trying to connect with user Alisia.
I don't know if I'm missing something, but I don't see the local user Alisia in the configuration.
I only see a user called user1.

Try this and let me know.

Federico.

The user does exist but I chopped it out of the config when I posted it the first time.  So, this is what I get now when I do the debug.

Now,


You got successfully authenticated:
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, User (Alisia) authenticated.

Got an IP
May 27 09:33:52 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Obtained IP addr (192.168.4.1) prior to initiating Mode Cfg (XAuth enabled)

Phase 1 completed
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 1 COMPLETED

Phase 2 completed
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 2 COMPLETED (msgid=6db36b86)

But the problem is here:


May 27 09:36:20 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, Connection terminated for peer Alisia.  Reason: Peer Terminate  Remote Proxy 192.168.4.1, Local Proxy 0.0.0.0
May 27 09:36:20 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Active unit receives a delete event for remote peer 64.40.84.98

The ASA is receiving a terminate message from 64.40.84.98 (which is the public IP where you're coming from, correct?).

There's no connectivity interruption when attempting to connect?

Federico.
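The reading of the debug output above (authenticated, IP assigned, phase 1 and phase 2 completed, then a client-initiated terminate) is mechanical enough to script. The following is an added example, not code from the thread or from Cisco: a small Python parser for `debug crypto isakmp` lines in the format the ASA printed here. It extracts group, user, peer IP, assigned pool address, which phases completed, the terminate reason and how long the tunnel was up, then returns a coarse verdict. The sample log is the six lines quoted above, embedded as a constructed string; the verdict strings and the advice text are this example's own, not ASA output.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample input: the IKEv1 debug lines quoted in this thread, exactly
# as the ASA printed them (two spaces before "Reason:" and "Remote Proxy").
SAMPLE_LOG = """\
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, User (Alisia) authenticated.
May 27 09:33:52 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Obtained IP addr (192.168.4.1) prior to initiating Mode Cfg (XAuth enabled)
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 1 COMPLETED
May 27 09:33:52 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, PHASE 2 COMPLETED (msgid=6db36b86)
May 27 09:36:20 [IKEv1]: Group = IS, Username = Alisia, IP = 64.40.84.98, Connection terminated for peer Alisia.  Reason: Peer Terminate  Remote Proxy 192.168.4.1, Local Proxy 0.0.0.0
May 27 09:36:20 [IKEv1 DEBUG]: Group = IS, Username = Alisia, IP = 64.40.84.98, Active unit receives a delete event for remote peer 64.40.84.98
"""

# "Group = ..., Username = ..., IP = ..." are optional: early phase 1 lines carry only IP.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \[IKEv1(?: DEBUG)?\]: "
    r"(?:Group = (?P<group>\S+), )?(?:Username = (?P<user>\S+), )?"
    r"(?:IP = (?P<ip>[\d.]+), )?(?P<msg>.*)$"
)
TERM_RE = re.compile(r"Reason: (?P<reason>.*?)\s+Remote Proxy (?P<rproxy>\S+), Local Proxy (?P<lproxy>\S+)")
ADDR_RE = re.compile(r"Obtained IP addr \((?P<addr>[\d.]+)\)")


@dataclass
class IkeSession:
    group: Optional[str] = None
    user: Optional[str] = None
    peer_ip: Optional[str] = None
    assigned_ip: Optional[str] = None
    authenticated: bool = False
    phase1: bool = False
    phase2: bool = False
    phase2_at: Optional[datetime] = None
    terminated_at: Optional[datetime] = None
    reason: Optional[str] = None

    @property
    def seconds_up(self) -> Optional[int]:
        """Tunnel lifetime from PHASE 2 COMPLETED to the terminate message."""
        if self.phase2_at is None or self.terminated_at is None:
            return None
        return int((self.terminated_at - self.phase2_at).total_seconds())


def _ts(text: str) -> datetime:
    # ASA debug timestamps carry no year; pin a leap year so "Feb 29" still parses.
    return datetime.strptime("2000 " + re.sub(r" +", " ", text), "%Y %b %d %H:%M:%S")


def summarize(log_text: str) -> IkeSession:
    """Fold a debug capture into one session record (single-client capture assumed)."""
    s = IkeSession()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # not an IKEv1 line; ignore it
        s.group = m["group"] or s.group
        s.user = m["user"] or s.user
        s.peer_ip = m["ip"] or s.peer_ip
        msg = m["msg"]
        if msg.endswith("authenticated."):
            s.authenticated = True
        if a := ADDR_RE.search(msg):
            s.assigned_ip = a["addr"]
        if "PHASE 1 COMPLETED" in msg:
            s.phase1 = True
        if "PHASE 2 COMPLETED" in msg:
            s.phase2, s.phase2_at = True, _ts(m["ts"])
        if t := TERM_RE.search(msg):
            s.terminated_at, s.reason = _ts(m["ts"]), t["reason"]
    return s


def diagnose(s: IkeSession) -> str:
    """Coarse verdict: where in the IKEv1 exchange did the session stop?"""
    if not s.phase1:
        return "PHASE1_FAILED"
    if not s.phase2:
        return "PHASE2_FAILED"
    return "TUNNEL_UP"


# Hypothetical triage text keyed by verdict; it mirrors the checks raised in this thread.
ADVICE = {
    "PHASE1_FAILED": "ISAKMP never completed: check group name/PSK, the ISAKMP policy, "
                     "crypto isakmp nat-t and UDP 500/4500 reachability to the ASA.",
    "PHASE2_FAILED": "Phase 1 is fine but the IPsec SA failed: check the transform set and "
                     "the dynamic crypto map bound to the outside interface.",
    "TUNNEL_UP": "IKE and IPsec completed, so unreachable inside hosts are a forwarding problem: "
                 "confirm inside hosts route back to the ASA, NAT exemption for the pool and "
                 "sysopt connection permit-vpn. 'Peer Terminate' means the client sent the delete.",
}


if __name__ == "__main__":
    sess = summarize(SAMPLE_LOG)
    verdict = diagnose(sess)
    print(f"{sess.user}@{sess.group} from {sess.peer_ip} got {sess.assigned_ip}")
    print(f"{verdict} after {sess.seconds_up}s: {ADVICE[verdict]}")
```

Run on the lines above it reports `TUNNEL_UP` with the tunnel alive for 148 seconds before the client tore it down, which is the point the reply makes: the IPsec side is finished and the remaining fault is in what happens to packets once they are inside.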

There shouldn't be anything going on on the remote side unless something is configured wrong on the VPN client itself.  It doesn't matter whether I connect from home or from here at work with our public wireless so that's the only common denominator.  My home machine is Win7 64bit and the one here is 32bit XP.

I've got Group Authentication configured.

Transport tab: Transparent Tunneling is checked and the radio button for IPSec over UDP (NAT/PAT) is selected.  Also, Allow local LAN Access is checked.

I have no backup servers or Dial-Up configured.

A

Ok, try this:

Don't remove any configuration, just add these commands:

######################################################

group-policy TEST internal
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IS_splitTunnelAcl

tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
address-pool IS
authorization-server-group LOCAL
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key TEST123

username test password test123

######################################################

From the VPN client, try to connect with this information:

IP:  Same IP

Group: TEST

Pass: TEST123

When prompted for credentials use:

user: test

pass: test123

I just want to see if the VPN works in this way please.

Federico.

No difference. :-(  Here's the log.

Alisia,

Actually I was able to connect fine.

I am thinking that the PCF file is not configured correctly.

Here's what I did:

VPN connecting to 152.27.20.100

Group name: TEST

Group password: TEST123

It prompts for user/pass which I entered and I'm in....

Check your VPN profile settings.

Federico.

I got in too.  But once in, I couldn't do anything except VNC to that one machine.  Here's the profile file.

Do the following...

1. Delete the tunnel-group that I sent you (to avoid having anybody connecting)

2. From the VPN client, are you trying to access 172.16.1.0/24 or 192.168.2.0/24?

Make sure both networks have a default gateway pointing to the ASA.

Federico.
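Step 1 above matters more than it looks: a remote-access tunnel-group with a guessable group name, a pre-shared key that is the group name plus digits, and a local user `test`/`test123` is a working VPN login for anyone who scans the outside address, and scratch objects like this are easy to forget after the troubleshooting session. The following is an added example, not from the thread or from Cisco: a Python lint that reads an ASA running-config in the indented `show running-config` layout, flags scratch-looking tunnel-groups and secrets derived from the object name, and emits the commands to remove them. The sample config is the TEST objects proposed earlier in the thread, embedded as a constructed string; the name patterns and length thresholds are this example's own heuristics.

```python
import re
from typing import Dict, List

# Constructed sample: the temporary TEST objects proposed earlier in this thread.
# In a real run, feed it the output of `more system:running-config` instead, since
# `show running-config` masks pre-shared keys as *****.
SAMPLE_CONFIG = """\
group-policy TEST internal
group-policy TEST attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IS_splitTunnelAcl
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 address-pool IS
 authorization-server-group LOCAL
 default-group-policy TEST
tunnel-group TEST ipsec-attributes
 pre-shared-key TEST123
username test password test123
"""

# Hypothetical heuristics (not Cisco guidance): scratch-looking object names, and
# secrets that are just the object name with trailing digits or are very short.
SCRATCH_NAME_RE = re.compile(r"^(test|tmp|temp|demo|try)", re.I)
MIN_PSK_LEN = 16
MIN_PW_LEN = 8


def _norm(s: str) -> str:
    """Lower-case, drop punctuation and a trailing digit run: 'TEST123' -> 'test'."""
    return re.sub(r"\d+$", "", re.sub(r"[^a-z0-9]", "", s.lower()))


def audit(config: str) -> Dict[str, List[str]]:
    """Return findings plus the ASA commands that remove the flagged objects."""
    findings: List[str] = []
    policies = set()            # names seen as `group-policy X internal`
    flagged_groups: List[str] = []
    flagged_users: List[str] = []
    psk_ctx = None              # tunnel-group name while inside its ipsec-attributes block

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):                      # top-level command
            psk_ctx = None
            if m := re.match(r"group-policy (\S+) internal$", line):
                policies.add(m[1])
            elif m := re.match(r"tunnel-group (\S+) type remote-access$", line):
                if SCRATCH_NAME_RE.match(m[1]):
                    findings.append(f"tunnel-group {m[1]}: name looks like a scratch/test object")
                    flagged_groups.append(m[1])
            elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
                psk_ctx = m[1]
            elif m := re.match(r"username (\S+) password (\S+)(.*)$", line):
                user, pw, rest = m.groups()
                if "encrypted" in rest:                   # hashed in `show run`; nothing to judge
                    continue
                if _norm(pw) == _norm(user) or len(pw) < MIN_PW_LEN:
                    findings.append(f"username {user}: password is the name plus digits or too short")
                    flagged_users.append(user)
        elif psk_ctx and (m := re.match(r" pre-shared-key (\S+)$", line)):
            psk = m[1]
            if psk == "*****":                            # masked; rerun on the unmasked config
                continue
            if _norm(psk) == _norm(psk_ctx):
                findings.append(f"tunnel-group {psk_ctx}: pre-shared-key is the group name plus digits")
            elif len(psk) < MIN_PSK_LEN:
                findings.append(f"tunnel-group {psk_ctx}: pre-shared-key shorter than {MIN_PSK_LEN} chars")
            else:
                continue
            if psk_ctx not in flagged_groups:
                flagged_groups.append(psk_ctx)

    # Tear-down order: the tunnel-group references the policy, so remove it first.
    cleanup: List[str] = []
    for g in flagged_groups:
        cleanup.append(f"clear configure tunnel-group {g}")
        if g in policies:
            cleanup.append(f"clear configure group-policy {g}")
    cleanup.extend(f"no username {u}" for u in flagged_users)
    return {"findings": findings, "cleanup": cleanup}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for f in result["findings"]:
        print("FINDING:", f)
    print("cleanup:")
    for cmd in result["cleanup"]:
        print(" ", cmd)
```

The lint is deliberately conservative: a masked `*****` key or an `encrypted` password hash is skipped rather than guessed at, so a clean report from `show running-config` output only means the names were fine, not the secrets.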

Oh noooo... that's what's wrong.  The one machine that I could get to (my own) was using the new firewall as a gateway so that I could test access.  The core switch is using the old firewall still.  I'm not going to be able to test it again until tomorrow when I flip the switch and shut down the old firewall.

Sorry for taking up so much of your time on such a noob mistake.

A
