ASA5510 VPN PASSTHRU HELP

Jul 29th, 2010

We are unable to get VPN passthrough to our SBS 2003 server.  Here is the design of our current network.

Cable Modem - ASA5510 (outside)

ASA5510 (inside) - DLINK wireless router (WAN) port

DLINK - Catalyst 2960E switch

SBS 2003 - switch


I have added access-list outside_in extended permit tcp any host (ASA's IP) eq PORT for all our open ports (i.e., RWW, RDP, etc.).

I also added static (inside,outside) tcp interface PORT ASA's IP PORT netmask 255.255.255.255.


The DLINK is set with a static IP from the ASA5510.  DHCP is turned on in the DLINK on a separate network segment (i.e., 192.168.1.1, 255.255.255.0).  Both the static IP and the DHCP are on the same subnet.


We can RDP into the server with no problems.


DHCP and DNS are turned off on the SBS 2003 server.


I don't know why the VPN or RWW is not working.

Diego Armando C... Thu, 07/29/2010 - 13:04

For the VPN you will need to work with NAT-T, since you are NATing one of the endpoints with your ASA, so enable NAT-T in the endpoints. You should open ports UDP 500 and 4500 as well. For RWW open TCP port 4125 (NAT and ACL).


The VPN is between the server and something in the OUTSIDE right?

TDPadministrator Thu, 07/29/2010 - 14:15

Ok, I made the changes and here is a copy of my sh run.


TDP-FW> enable
Password: ***********
TDP-FW# config t
TDP-FW(config)# access-list ipsecpassthruacl permit udp any any eq 500
TDP-FW(config)# class-map ipsecpassthru-traffic
TDP-FW(config-cmap)# match access-list ipsecpassthruacl
TDP-FW(config-cmap)# policy-may type inspect ipsec-pass-thru iptmap
                              ^
ERROR: % Invalid input detected at '^' marker.
TDP-FW(config-cmap)# policy-map type inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap)# parameters
TDP-FW(config-pmap-p)# esp per-client-max 10 timeout 0:11:00
TDP-FW(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
TDP-FW(config-pmap-p)# policy-map inspection_policy
TDP-FW(config-pmap)# class ipsecpassthru-traffic
TDP-FW(config-pmap-c)# inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap-c)# config t
TDP-FW(config)# policy-map type inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap)# parameters
TDP-FW(config-pmap-p)# esp per-client-max 15 timeout 0:11:0
TDP-FW(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
TDP-FW(config-pmap-p)# esp per-client-max 15 timeout 0:11:00
TDP-FW(config-pmap-p)# config t
TDP-FW(config)# policy-map inspection_policy
TDP-FW(config-pmap)# class ipsecpassthru-traffic
TDP-FW(config-pmap-c)# conf t
TDP-FW(config)# service-policy inspeciton_policy interface outside
ERROR: % policy-map inspeciton_policy does not exist
TDP-FW(config)# access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx
TDP-FW(config)# access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx
TDP-FW(config)# static (inside,outside) tcp interface 500 172.30.50.9 500 netmask 255.255.255.255
TDP-FW(config)# static (inside,outside) tcp interface 4500 173.30.50.9 4500 netmask 255.255.255.255
TDP-FW(config)# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname TDP-FW
domain-name tdp.local
enable password QOFp9hPzCVesh/Cv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description Cox IP
nameif outside
security-level 0
ip address 70.183.140.196 255.255.255.192
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address 172.30.50.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
domain-name tdp.local
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq www
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 3389
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq https
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq pptp
access-list outside_in extended permit gre any host 70.xxx.xxx.xxx
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 8080
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 500
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 4500
access-list traffic extended permit tcp any any eq www
access-list inside_in extended permit tcp any any eq www
access-list outside-in extended permit tcp any host 70.xxx.xxx.xxx eq 4125
access-list ipsecpassthruacl extended permit udp any any eq isakmp
!
tcp-map tcp_timestamp_clear
  tcp-options timestamp clear
!
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.xxx.xxx.xxx www netmask 255.255.255.255
static (inside,outside) tcp interface https 172.xxx.xxx.xxx https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.xxx.xxx.xxx 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 172.xxx.xxx.xxx pptp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 172.xxx.xxx.xxx 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 172.xxx.xxx.xxx 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 500 172.xxx.xxx.xxx 500 netmask 255.255.255.255
static (inside,outside) tcp interface 4500 173.xxx.xxx.xxx 4500 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 30
ssh version 2
console timeout 0
dhcpd dns 4.2.2.2 8.8.8.8
dhcpd lease 3000
dhcpd domain TDP
!
dhcpd address 172.xxx.xxx.10-172.xxx.xxx.254 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
username test password 0AKWGtPSEgAcPI9K encrypted
username helpme password 6VYata1A20tbjBwx encrypted
!
class-map ipsecpassthru-traffic
match access-list ipsecpassthruacl
class-map inspection_default
match default-inspection-traffic
class-map traffic-class
match access-list traffic
!
!
policy-map type inspect ipsec-pass-thru iptmap
parameters
  esp per-client-max 15 timeout 0:11:00
  ah per-client-max 5 timeout 0:06:00
policy-map inspection_policy
class ipsecpassthru-traffic
  inspect ipsec-pass-thru iptmap
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 4096
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_1
  inspect icmp
  inspect pptp
  inspect ipsec-pass-thru
class traffic-class
  set connection advanced-options tcp_timestamp_clear
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:69bb1417bae44fe1e03fe6d710cd01ac
: end
TDP-FW(config)#
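The reply above asks for UDP 500 and 4500 (NAT-T) plus TCP 4125 (RWW) in both the ACL and the static translations, and the running config just posted still has TCP rules on 500/4500, a 4500 static pointing at a 173.x address, and an ACL named outside-in that differs from the outside_in list bound by access-group. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses an ASA 7.2-style config excerpt and reports exactly those gaps. The sample config is constructed (the 70.0.0.1 outside address is a placeholder) and is modelled on the config above; the fixed variant shows the same lines with the protocol and host corrected.

```python
"""Audit an ASA 7.2-style running config for IPsec/RWW pass-through prerequisites.

Added example; the regexes cover only the 'access-list ... extended permit',
'access-group' and 'static (inside,outside)' forms used in the thread.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample excerpt (70.0.0.1 is a placeholder outside address). It
# reproduces the shape of the problems in the posted config: TCP rules where
# NAT-T needs UDP, a 173.x static host that is not on the inside subnet, and an
# ACL name ("outside-in") that does not match the bound list ("outside_in").
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 172.30.50.1 255.255.255.0
access-list outside_in extended permit tcp any host 70.0.0.1 eq 500
access-list outside_in extended permit tcp any host 70.0.0.1 eq 4500
access-list outside-in extended permit tcp any host 70.0.0.1 eq 4125
access-group outside_in in interface outside
static (inside,outside) tcp interface 500 172.30.50.9 500 netmask 255.255.255.255
static (inside,outside) tcp interface 4500 173.30.50.9 4500 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 172.30.50.9 4125 netmask 255.255.255.255
"""

# The same excerpt with the protocol, host and ACL name corrected.
FIXED_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 172.30.50.1 255.255.255.0
access-list outside_in extended permit udp any host 70.0.0.1 eq isakmp
access-list outside_in extended permit udp any host 70.0.0.1 eq 4500
access-list outside_in extended permit tcp any host 70.0.0.1 eq 4125
access-group outside_in in interface outside
static (inside,outside) udp interface 500 172.30.50.9 500 netmask 255.255.255.255
static (inside,outside) udp interface 4500 172.30.50.9 4500 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 172.30.50.9 4125 netmask 255.255.255.255
"""

# What the reply asks for: UDP 500/4500 for NAT-T IPsec, TCP 4125 for RWW.
REQUIRED = (("udp", 500), ("udp", 4500), ("tcp", 4125))
PORT_NAMES = {"isakmp": 500, "www": 80, "https": 443, "pptp": 1723}

ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host \S+ eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")


def port_number(token):
    """Resolve an ASA port keyword or numeric string to an integer port."""
    return PORT_NAMES.get(token) or int(token)


def parse(config):
    """Return (inside subnet, {acl name: {(proto, port)}}, bound acl name, statics)."""
    inside_net, in_inside, acl, statics, bound = None, False, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_inside = False
        elif line == "nameif inside":
            in_inside = True
        elif in_inside and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            inside_net = ip_network(f"{addr}/{mask}", strict=False)
        elif m := ACL_RE.match(line):
            acl.setdefault(m.group(1), set()).add((m.group(2), port_number(m.group(3))))
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
        elif m := STATIC_RE.match(line):
            proto, oport, host, iport = m.groups()
            statics[(proto, port_number(oport))] = (ip_address(host), port_number(iport))
    return inside_net, acl, bound, statics


def audit(config):
    """Return a sorted list of findings; an empty list means the prerequisites are met."""
    inside_net, acl, bound, statics = parse(config)
    findings = []
    outside_rules = acl.get(bound, set())
    for proto, port in REQUIRED:
        if (proto, port) not in outside_rules:
            other = [p for p, q in outside_rules if q == port and p != proto]
            detail = f" (found {other[0]}/{port} instead)" if other else ""
            findings.append(f"ACL {bound}: no permit for {proto}/{port}{detail}")
        if (proto, port) not in statics:
            other = [p for p, q in statics if q == port and p != proto]
            detail = f" (found {other[0]}/{port} instead)" if other else ""
            findings.append(f"static: no {proto}/{port} translation{detail}")
    # A static whose real host is outside the inside subnet can never be reached.
    for (proto, port), (host, _) in statics.items():
        if inside_net and host not in inside_net:
            findings.append(f"static {proto}/{port}: {host} is not in inside subnet {inside_net}")
    # Entries in an ACL that no access-group binds are silently ignored by the ASA.
    for name in acl:
        if name != bound:
            findings.append(f"ACL {name} is not bound to the outside interface (typo for {bound}?)")
    return sorted(findings)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
    print("fixed config findings:", audit(FIXED_CONFIG))
```

Running it against SAMPLE_CONFIG lists seven findings (the two TCP-for-UDP ACL entries, the missing tcp/4125 rule in the bound list, the two missing UDP statics, the 173.x static host, and the unbound outside-in ACL); against FIXED_CONFIG it returns an empty list.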

August Ritchie Thu, 07/29/2010 - 14:19

It looks like you had a typo here


TDP-FW(config)# service-policy inspeciton_policy interface outside
ERROR: % policy-map inspeciton_policy does not exist


should be


conf t

service-policy inspection_policy interface outside

TDPadministrator Thu, 07/29/2010 - 15:06

After correcting the error, do I need to re-run the RRAS on the SBS 2003 server?  When I re-run it, do I use the DHCP settings (which are coming from the router)?


Thanks

TDPadministrator Thu, 07/29/2010 - 15:41

I set the timeout to 0:11:00 but it's kicking users off after 11 seconds.  How do I change the time for the connection to a longer period?  Here is a copy of my updated config.


  ah per-client-max 5 timeout 0:06:00
policy-map inspection_policy
class ipsecpassthru-traffic
  inspect ipsec-pass-thru iptmap
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 4096
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_1
  inspect icmp
  inspect pptp
  inspect ipsec-pass-thru
class traffic-class
  set connection advanced-options tcp_timestamp_clear
!
service-policy global_policy global
service-policy inspection_policy interface outside
prompt hostname context
Cryptochecksum:69bb1417bae44fe1e03fe6d710cd01ac
: end
TDP-FW(config)# policy-map type inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap)# parameters
TDP-FW(config-pmap-p)# esp per-client-max 15 timeout 4:30:00
TDP-FW(config-pmap-p)# ah per-client-max 5 timeout 2:00:00
TDP-FW(config-pmap-p)# conf t
TDP-FW(config)# policy-map inspection_policy
TDP-FW(config-pmap)# class ipsecpassthru-traffic
TDP-FW(config-pmap-c)# inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap-c)# conf t
TDP-FW(config)# service-policy inspection_policy interface outside
WARNING: Policy map inspection_policy is already configured as a service policy
TDP-FW(config)# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname TDP-FW
domain-name tdp.local
enable password QOFp9hPzCVesh/Cv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description Cox IP
nameif outside
security-level 0
ip address 70.xxx.xxx.xxx 255.255.255.192
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address 172.xxx.xxx.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
domain-name tdp.local
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq www
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 3389
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq https
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq pptp
access-list outside_in extended permit gre any host 70.xxx.xxx.xxx
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 8080
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 500
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 4500
access-list traffic extended permit tcp any any eq www
access-list inside_in extended permit tcp any any eq www
access-list outside-in extended permit tcp any host 70.xxx.xxx.xxx eq 4125
access-list ipsecpassthruacl extended permit udp any any eq isakmp
!
tcp-map tcp_timestamp_clear
  tcp-options timestamp clear
!
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.xxx.xxx.xxx www netmask 255.255.255.255
static (inside,outside) tcp interface https 172.xxx.xxx.xxx https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.xxx.xxx.xxx 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 172.xxx.xxx.xxx pptp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 172.xxx.xxx.xxx 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 172.xxx.xxx.xxx 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 500 172.xxx.xxx.xxx 500 netmask 255.255.255.255
static (inside,outside) tcp interface 4500 173.xxx.xxx.xxx 4500 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.183.140.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 30
ssh version 2
console timeout 0
dhcpd dns 4.2.2.2 8.8.8.8
dhcpd lease 3000
dhcpd domain TDP
!
dhcpd address 172.xxx.xxx.10-172.xxx.xxx.254 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
username test password 0AKWGtPSEgAcPI9K encrypted
username helpme password 6VYata1A20tbjBwx encrypted
!
class-map ipsecpassthru-traffic
match access-list ipsecpassthruacl
class-map inspection_default
match default-inspection-traffic
class-map traffic-class
match access-list traffic
!
!
policy-map type inspect ipsec-pass-thru iptmap
parameters
  esp per-client-max 15 timeout 4:30:00
  ah per-client-max 5 timeout 2:00:00
policy-map inspection_policy
class ipsecpassthru-traffic
  inspect ipsec-pass-thru iptmap
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 4096
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_1
  inspect icmp
  inspect pptp
  inspect ipsec-pass-thru
class traffic-class
  set connection advanced-options tcp_timestamp_clear
!
service-policy global_policy global
service-policy inspection_policy interface outside
prompt hostname context
Cryptochecksum:69bb1417bae44fe1e03fe6d710cd01ac
: end
TDP-FW(config)#
