Remote access problem ASA

born.jason
Level 1

Hi,

see attached my config.

The problem is that if I try to connect through VPN, the connection seems to be made between the WAN IP of the VPN client and the IP of a host inside my LAN. I think there is a NAT problem.

I need SIP port forwarding to a device inside the LAN, and I think that is the problem, because the VPN connection tried to connect to this device and not to the ASA.

Maybe an expert could fix my config.

Thanks and regards

Jason


13 Replies

athukral
Level 1

Hello Jason,

Thanks for the question.

Could you please connect with the VPN client, try to send some traffic, and run the show crypto ipsec sa command for me.

Thanks

Ankur

How are you connecting to VPN? I see you are getting an IP via PPPoE.

Are you connecting using a hostname?

I did not see any NO NAT rule in your config. Could you please add that and paste the output of show nat?

Thanks for your reply.

@Ankur

I can't connect to VPN. If I try, the only thing I see in the log is this:

    52314    192.168.5.21    500    Teardown UDP connection 16081 for outside:/52314 to inside:192.168.5.21/500 duration 0:02:01 bytes 868

and a show crypto ipsec sa while i try to connect:

ciscoasa# show crypto ipsec sa
There are no ipsec sas

see attached the log from the vpn client.

@jathaval

I have DynDNS configured on a client, but I have also tried to connect to the PPPoE IP. The same.

Let me explain briefly; maybe this makes it clear for you both:

192.168.5.1 - ASA (pppoe)

192.168.5.2 - ADSL modem

192.168.5.21 - Fritzbox (WLAN, VoIP)

And as you can see in the log I posted, Ankur, the external IP is trying to make a VPN connection with 192.168.5.21:500 and not with the ASA.

Hope that makes it clear.

Please enable NAT traversal and try; I didn't find it in your config:

crypto isakmp nat-traversal

It is now active.

If I remove this object NAT:

object network FritzBox
nat (any,outside) static interface

After removing it, it works. But I need this rule for SIP for the FritzBox. If I enable the NAT again, the following appears in the CLI:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

How can I fix this? I need some ports forwarded to the FritzBox.

regards

jason

Hi Jason,

The behavior you are seeing is expected if you have the NAT rule mentioned. Any traffic destined to the outside interface IP address of the ASA will be redirected to the "FritzBox".

This is not recommended. Now, if you know the exact ports on which the FritzBox needs to be accessible, please try using a static PAT in the format below.

Say you want to enable access to the FritzBox on TCP port 80, use:

object network FritzBox
nat (any,outside) static interface service tcp 80 80

Here is the command reference for the same:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1778544

Let me know if this helps!!

Thanks and Regards,

Prapanch

I need more ports for the FritzBox. What is the command for object NAT with more ports? Do I have to create a group with ports?

Hey,

Well, there is unfortunately no way to do that, as can be seen from the command reference as well. You will need to have a separate translation for each of the ports you would like.

In case the number of ports is very high, I guess the best way to go ahead will be to get a separate IP address from your ISP so that you can have a separate IP address for your outside interface and for translating the FritzBox.

Regards,

Prapanch

Is there no other way? Maybe with static NAT and an ACL?

For me it's not an option to get another IP from my ISP.

I only want to forward ports (port ranges) to this inside LAN device.

Hello Jason,

I think you are running 8.3 code version. In 8.3, you can forward a range of ports to an inside device. Please try the following:

object service ABC
service tcp source range "starting port" "ending port"

object network xyz
host "LAN client IP"

nat (inside,outside) source static xyz xyz service ABC ABC

Hope this helps.

Regards,

NT

Hi,

Thanks to both. Now it works with this solution:

nat (inside,outside) source static obj_inside obj_inside destination static obj_vpnpool obj_vpnpool description NAT exemption (VPN)
nat (inside,outside) source static obj_FritzBox interface service SIP1 SIP1 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP2 SIP2 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP3 SIP3 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP4 SIP4 description SIP FritzBox

Another short question:

Is there a way to test the VPN from inside the LAN? At the moment I have to RDP to another location and try the remote access from there.

If your VPN is terminating on the outside interface, then you will not be able to connect from the inside of the ASA.

regards,

prapanch

Well you can do that using the nat command in the global mode.

Supposing you want to translate TCP port range 10000 to 12000. You will need to create one object with this range:

object service test
service tcp source range 10000 12000

Following this, you will need to use a command in the below format:

nat (inside,outside) source static FritzBox interface service test test

Let me know if this helps!!

regards,

Prapanch
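The two things this thread turns on, the catch-all `static interface` object NAT that Prapanch explains redirects everything sent to the outside address (IKE on UDP/500 included) to the FritzBox, and the per-service static PAT rules that replaced it, can be checked mechanically before a config is pushed. The script below is an added example and is not code from the thread or from Cisco: it parses ASA 8.3-style `object network`, `object service` and `nat` lines from a constructed sample config modelled on the posts (the FritzBox host 192.168.5.21 and the object names come from the thread; the VPN pool range and the SIP/RTP port numbers are assumptions), flags any translation to an interface address that carries no `service` clause, and lists what each remaining rule actually exposes.

```python
"""Audit Cisco ASA 8.3+ NAT statements for the catch-all "static interface" pattern.

Added example for this thread; not the poster's config or Cisco code. The sample
config is constructed: host and object names follow the posts, the VPN pool and
the SIP/RTP ports are assumed values.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "HIGH" for a catch-all redirect, "INFO" for an expected rule
    line: str
    message: str


# Constructed sample config modelled on the thread (not the original attachment).
SAMPLE_CONFIG = """\
object network FritzBox
 host 192.168.5.21
object network obj_inside
 subnet 192.168.5.0 255.255.255.0
object network obj_vpnpool
 range 192.168.10.1 192.168.10.20
object service SIP1
 service udp source eq 5060
object service RTP
 service udp source range 7078 7097
object network FritzBox
 nat (any,outside) static interface
nat (inside,outside) source static obj_inside obj_inside destination static obj_vpnpool obj_vpnpool
nat (inside,outside) source static FritzBox interface service SIP1 SIP1
nat (inside,outside) source static FritzBox interface service RTP RTP
"""

# Same config with the catch-all object NAT removed, i.e. the state the thread ended in.
FIXED_CONFIG = "\n".join(
    ln for ln in SAMPLE_CONFIG.splitlines() if ln.strip() != "nat (any,outside) static interface"
)

OBJ_RE = re.compile(r"^object (network|service) (\S+)$")
SVC_RE = re.compile(r"^\s+service (tcp|udp) source (?:eq (\S+)|range (\S+) (\S+))")
# Object NAT is indented under "object network X"; twice NAT is a top-level nat line.
OBJNAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?")
TWICE_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?(?: service (\S+) (\S+))?"
)
CATCH_ALL = ("catch-all: every connection to the {mapped_if} interface address, including "
             "IKE on UDP/500 meant for the ASA itself, is redirected to {obj}")


def parse_services(config):
    """Return {service-object name: (proto, low_port, high_port)} for source-port objects."""
    services, current = {}, None
    for raw in config.splitlines():
        m = OBJ_RE.match(raw)
        if m:
            current = m.group(2) if m.group(1) == "service" else None
            continue
        m = SVC_RE.match(raw)
        if m and current:
            proto, eq, lo, hi = m.groups()
            services[current] = (proto, eq or lo, eq or hi)
    return services


def _span(svc):
    proto, lo, hi = svc
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit(config):
    """Classify each NAT rule; HIGH findings are unrestricted redirects of an interface address."""
    services = parse_services(config)
    unknown = ("?", "?", "?")
    findings, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = OBJ_RE.match(raw)
        if m:
            current = m.group(2) if m.group(1) == "network" else None
            continue
        m = OBJNAT_RE.match(raw)
        if m and current:
            _real_if, mapped_if, mapped, proto, rport, mport = m.groups()
            if mapped == "interface" and proto is None:
                findings.append(Finding("HIGH", line, CATCH_ALL.format(mapped_if=mapped_if, obj=current)))
            elif mapped == "interface":
                msg = f"static PAT: {mapped_if} {proto}/{mport} -> {current} {proto}/{rport}"
                findings.append(Finding("INFO", line, msg))
            continue
        m = TWICE_RE.match(raw)
        if m:
            _real_if, mapped_if, rsrc, msrc, rdst, mdst, rsvc, msvc = m.groups()
            if rsrc == msrc and rdst is not None and rdst == mdst:
                findings.append(Finding("INFO", line, f"identity NAT (exemption): {rsrc} <-> {rdst}"))
            elif msrc == "interface" and rsvc is None:
                findings.append(Finding("HIGH", line, CATCH_ALL.format(mapped_if=mapped_if, obj=rsrc)))
            elif msrc == "interface":
                mapped_span = _span(services.get(msvc, unknown))
                real_span = _span(services.get(rsvc, unknown))
                findings.append(Finding("INFO", line, f"static PAT: {mapped_if} {mapped_span} -> {rsrc} {real_span}"))
    return findings


def high_findings(config):
    return [f for f in audit(config) if f.severity == "HIGH"]


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg):
            print(f"{f.severity:4} {f.message}\n     {f.line}")
```

Run against `show running-config nat` output saved to a file, the same check reports the exact lines that would trigger the "All traffic destined to the IP address of the outside interface is being redirected" warning quoted in the thread, while the INFO lines give the list of ports reachable on the outside address, which is what a reviewer wants to compare against the ports the SIP device actually needs.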
