ASA5510 VPN PASSTHRU HELP

TDPadministrator · ‎07-29-2010

We are unable to get VPN passthrough to our SBS 2003 server. Here is the design of our current network.

Cable Modem - ASA5510 (outside)

ASA5510 (inside) - DLINK wireless router (WAN) port

DLINK - Catalyst 2960E switch

SBS 2003 - switch

I have addeed access-list outside_in extended permit tcp any host (asa's IP) eq PORT to all our open ports (i.e., RWW, RDP, etc.).

I also added static (inside,outside) tcp interface PORT ASA's IP PORT netmask 255.255.255.255.

The DLINK is set with a static IP from the ASA5510. DHCP is turned on in the DLINK on a separate network segment (i.e., 192.168.1.1, 255.255.255.0). Both the staic IP and the DHCP are on the same subnet.

We can RDP into the server with no problems.

DHCP and DNS are turned off on the SBS 2003 server.

I don't know why the VPN or RWW is not working.

August Ritchie · ‎07-29-2010

Hmm is it ipsec passthru? Perhaps you would be interested in the following:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1668213

Diego Armando Cambronero Arias · ‎07-29-2010

for the VPN you will need to work with NAT-T SInce you are natting one of the endpoints with your ASA so enable NAT-T in the endpoints. You should open port UDP 500 and 4500 as well. For RWW open TCP pórt 4125.. (NAT and ACL)

The VPN is between the server and something in the OUTSIDE right?

TDPadministrator · ‎07-29-2010

The VPN is on the SBS 2003 server.

TDPadministrator · ‎07-29-2010

Ok, I made the changes and here is a copy of my sh run.

TDP-FW> enable
Password: ***********
TDP-FW# config t
TDP-FW(config)# access-list ipsecpassthruacl permit udp any any eq 500
TDP-FW(config)# class-map ipsecpassthru-traffic
TDP-FW(config-cmap)# match access-list ipsecpassthruacl
TDP-FW(config-cmap)# policy-may type inspect ipsec-pass-thru iptmap
^
ERROR: % Invalid input detected at '^' marker.
TDP-FW(config-cmap)# policy-map type inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap)# parameters
TDP-FW(config-pmap-p)# esp per-client-max 10 timeout 0:11:00
TDP-FW(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
TDP-FW(config-pmap-p)# policy-map inspection_policy
TDP-FW(config-pmap)# class ipsecpassthru-traffic
TDP-FW(config-pmap-c)# inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap-c)# config t
TDP-FW(config)# policy-map type inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap)# parameters
TDP-FW(config-pmap-p)# esp per-client-max 15 timeout 0:11:0
TDP-FW(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
TDP-FW(config-pmap-p)# esp per-client-max 15 timeout 0:11:00
TDP-FW(config-pmap-p)# config t
TDP-FW(config)# policy-map inspection_policy
TDP-FW(config-pmap)# class ipsecpassthru-traffic
TDP-FW(config-pmap-c)# conf t
TDP-FW(config)# service-policy inspeciton_policy interface outside
ERROR: % policy-map inspeciton_policy does not exist
TDP-FW(config)# access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx
TDP-FW(config)# access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx
TDP-FW(config)# static (inside,outside) tcp interface 500 172.30.50.9 500 netmask 255.255.255.255
TDP-FW(config)# static (inside,outside) tcp interface 4500 173.30.50.9 4500 netmask 255.255.255.255
TDP-FW(config)# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname TDP-FW
domain-name tdp.local
enable password QOFp9hPzCVesh/Cv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description Cox IP
nameif outside
security-level 0
ip address 70.183.140.196 255.255.255.192
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address 172.30.50.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
domain-name tdp.local
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq www
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 3389
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq https
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq pptp
access-list outside_in extended permit gre any host 70.xxx.xxx.xxx
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 8080
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 500
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 4500
access-list traffic extended permit tcp any any eq www
access-list inside_in extended permit tcp any any eq www
access-list outside-in extended permit tcp any host 70.xxx.xxx.xxx eq 4125
access-list ipsecpassthruacl extended permit udp any any eq isakmp
!
tcp-map tcp_timestamp_clear
tcp-options timestamp clear
!
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.xxx.xxx.xxx www netmask 255.255.255.255
static (inside,outside) tcp interface https 172.xxx.xxx.xxx https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.xxx.xxx.xxx 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 172.xxx.xxx.xxx pptp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 172.xxx.xxx.xxx 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 172.xxx.xxx.xxx 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 500 172.xxx.xxx.xxx 500 netmask 255.255.255.255
static (inside,outside) tcp interface 4500 173.xxx.xxx.xxx 4500 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 30
ssh version 2
console timeout 0
dhcpd dns 4.2.2.2 8.8.8.8
dhcpd lease 3000
dhcpd domain TDP
!
dhcpd address 172.xxx.xxx.10-172.xxx.xxx.254 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
username test password 0AKWGtPSEgAcPI9K encrypted
username helpme password 6VYata1A20tbjBwx encrypted
!
class-map ipsecpassthru-traffic
match access-list ipsecpassthruacl
class-map inspection_default
match default-inspection-traffic
class-map traffic-class
match access-list traffic
!
!
policy-map type inspect ipsec-pass-thru iptmap
parameters
esp per-client-max 15 timeout 0:11:00
ah per-client-max 5 timeout 0:06:00
policy-map inspection_policy
class ipsecpassthru-traffic
inspect ipsec-pass-thru iptmap
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns migrated_dns_map_1
inspect icmp
inspect pptp
inspect ipsec-pass-thru
class traffic-class
set connection advanced-options tcp_timestamp_clear
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:69bb1417bae44fe1e03fe6d710cd01ac
: end
TDP-FW(config)#

August Ritchie · ‎07-29-2010

It looks like you had a typo here

TDP-FW(config)# service-policy inspeciton_policy interface outside
ERROR: % policy-map inspeciton_policy does not exist

should be

conf t

service-policy inspection_policy interface outside

TDPadministrator · ‎07-29-2010

After correcting the error, do I need to re-run the RRAS on the SBS 2003 server? When I re-run it, do I use

DHCP settings (which is coming from the router)?

Thanks

TDPadministrator · ‎07-29-2010

I set the timeout for 0:11:00 but its kicking users off after 11 seconds. How do I can the time for

connection to a longer period? Here is a copy of my updated config

ah per-client-max 5 timeout 0:06:00
policy-map inspection_policy
class ipsecpassthru-traffic
inspect ipsec-pass-thru iptmap
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns migrated_dns_map_1
inspect icmp
inspect pptp
inspect ipsec-pass-thru
class traffic-class
set connection advanced-options tcp_timestamp_clear
!
service-policy global_policy global
service-policy inspection_policy interface outside
prompt hostname context
Cryptochecksum:69bb1417bae44fe1e03fe6d710cd01ac
: end
TDP-FW(config)# policy-map type inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap)# parameters
TDP-FW(config-pmap-p)# esp per-client-max 15 timeout 4:30:00
TDP-FW(config-pmap-p)# ah per-client-max 5 timeout 2:00:00
TDP-FW(config-pmap-p)# conf t
TDP-FW(config)# policy-map inspection_policy
TDP-FW(config-pmap)# class ipsecpassthru-traffic
TDP-FW(config-pmap-c)# inspect ipsec-pass-thru iptmap
TDP-FW(config-pmap-c)# conf t
TDP-FW(config)# service-policy inspection_policy interface outside
WARNING: Policy map inspection_policy is already configured as a service policy
TDP-FW(config)# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname TDP-FW
domain-name tdp.local
enable password QOFp9hPzCVesh/Cv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description Cox IP
nameif outside
security-level 0
ip address 70.xxx.xxx.xxx 255.255.255.192
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address 172.xxx.xxx.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
domain-name tdp.local
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq www
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 3389
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq https
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq pptp
access-list outside_in extended permit gre any host 70.xxx.xxx.xxx
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 8080
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 500
access-list outside_in extended permit tcp any host 70.xxx.xxx.xxx eq 4500
access-list traffic extended permit tcp any any eq www
access-list inside_in extended permit tcp any any eq www
access-list outside-in extended permit tcp any host 70.xxx.xxx.xxx eq 4125
access-list ipsecpassthruacl extended permit udp any any eq isakmp
!
tcp-map tcp_timestamp_clear
tcp-options timestamp clear
!
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.xxx.xxx.xxx www netmask 255.255.255.255
static (inside,outside) tcp interface https 172.xxx.xxx.xxx https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.xxx.xxx.xxx 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 172.xxx.xxx.xxx pptp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 172.xxx.xxx.xxx 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 172.xxx.xxx.xxx 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 500 172.xxx.xxx.xxx 500 netmask 255.255.255.255
static (inside,outside) tcp interface 4500 173.xxx.xxx.xxx 4500 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.183.140.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 30
ssh version 2
console timeout 0
dhcpd dns 4.2.2.2 8.8.8.8
dhcpd lease 3000
dhcpd domain TDP
!
dhcpd address 172.xxx.xxx.10-172.xxx.xxx.254 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
username test password 0AKWGtPSEgAcPI9K encrypted
username helpme password 6VYata1A20tbjBwx encrypted
!
class-map ipsecpassthru-traffic
match access-list ipsecpassthruacl
class-map inspection_default
match default-inspection-traffic
class-map traffic-class
match access-list traffic
!
!
policy-map type inspect ipsec-pass-thru iptmap
parameters
esp per-client-max 15 timeout 4:30:00
ah per-client-max 5 timeout 2:00:00
policy-map inspection_policy
class ipsecpassthru-traffic
inspect ipsec-pass-thru iptmap
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns migrated_dns_map_1
inspect icmp
inspect pptp
inspect ipsec-pass-thru
class traffic-class
set connection advanced-options tcp_timestamp_clear
!
service-policy global_policy global
service-policy inspection_policy interface outside
prompt hostname context
Cryptochecksum:69bb1417bae44fe1e03fe6d710cd01ac
: end
TDP-FW(config)#