Unable to establish remote access VPN connection from behind ASA

Unanswered Question
Jul 17th, 2012

Hi,

We have two sites, Site-A with a ASA 5520 (Remote Access IPSEC VPN server) at one end and a new ASA 5515-X at Site-B. Users at Site-B are unable to establish a VPN connection to Site-A via Cisco VPN client from behind the new ASA 5515-X. They see the following error:

"Secure VPN Connection terminated locally by the client.

Reason 412: The remote peer is no longer responding.

They are able to access the same from home or elsewhere so I believe there is nothing wrong with Site-A ASA vpn config which we have been using for a while now. The new 5515-X (version 8.6) has a very basic config  with all outbound traffic allowed. I'm pasting the config below. Do I need to enable/allow anything for it to work?

CISCOASA# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname CISCOASA
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
nameif backup
security-level 0
ip address 172.16.16.11 255.255.255.0
!
interface Ethernet0/2
shutdown
 no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
dns server-group abc
object network obj-172.16.16.0
subnet 172.16.16.0 255.255.255.0
object network obj-172.16.17.0
subnet 172.16.17.0 255.255.255.0
object network obj-172.16.18.0
subnet 172.16.18.0 255.255.255.0
object network obj-172.16.19.0
subnet 172.16.19.0 255.255.255.0
access-list 101 extended permit icmp any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu backup 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj-172.16.16.0
nat (inside,outside) dynamic interface
object network obj-172.16.17.0
nat (inside,outside) dynamic interface
object network obj-172.16.18.0
nat (inside,outside) dynamic interface
object network obj-172.16.19.0
nat (inside,outside) dynamic interface
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 172.16.17.0 255.255.255.0 172.16.16.1 1
route inside 172.16.18.0 255.255.255.0 172.16.16.1 1
route inside 172.16.19.0 255.255.255.0 172.16.16.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username test password xxxxxxxxxxxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:fb76bae794475f06d31c2c7ba32ca49a
: end
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
nkarthikeyan Tue, 07/17/2012 - 07:00

do u have the internet connection working fine with this firewall. I suggest you to place a rule for the VPN connection. Lets say if it is a cisco vpn permit 500,4500,10000-10001

you can create the object group to make it simpler for this below acl.

access-list intoout permit tcp/udp eq 500/4500/10000/10001

and check if the packets are hitting and going out from the ASA. So you can isolate the problem and get that fixed.

Also you can check from ASA (VPN client) to ASA (VPN server) is reachable. verify the connections.

Please rate if the given info helps.

Regards

Karthik

kunal.hans Tue, 07/17/2012 - 07:33

Hi,

I have not received any other complaints regarding the internet connection so apart from this issue, everything seems fine.

I got someone at Site-B to connect the internet link direct from the ISP modem to his laptop and check and the vpn client was able to connect. So the packets are not able to go out from the Site-B ASA 5515-X itself. The Site-A public IP is reachable from behind the Site-B. ASA. I was under the impression that all outbound connections are allowed by default. Could the NAT config be causing problems?

nkarthikeyan Tue, 07/17/2012 - 09:47

Hi Kunal,

I guess you have mentioned inside interface also with the same security level as the outside i.e. 0.

If you make the inside interface as sec level 100 it should work....

:-) Sometimes small mistakes will makes us to be screwed....

do rate if the given info helps.

kunal.hans Tue, 07/17/2012 - 12:18

Hi,

Sorry thats an older config backup, where E0/1 was configured for a backup internet link. I edited it to reflect the new config. The sec level is set to 100 already. Any other ideas? I read something about NAT-traversal but not sure if it applies in my case.

jportugu Tue, 07/17/2012 - 12:36

Hi Kunal,

Please try the following:

crypto isakmp nat-traversal 30

!

policy-map global_policy

class inspection_default

  inspect  ipsec-pass-thru

!

Keep us posted.

* Please rate any post that you find helpful.

kunal.hans Wed, 07/18/2012 - 03:49

Hi,

I've added the commands to Site-B ASA but still no luck. Pasting the new config below:

ASA Version 8.6(1)

!

hostname Harpoon

domain-name xxxxx.com

enable password xxxxxxxx encrypted

passwd xxxxxxxxxxxx encrypted

names

!

interface GigabitEthernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.29.0.100 255.255.0.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

banner motd -----------------------------------------------------------------------------

banner motd This system is solely for the use of authorised users for official purposes.

banner motd You have no expectation of privacy in its use and to ensure that the system

banner motd is functioning properly, individuals using this computer system are subject

banner motd to having all their activities monitored and recorded by system personell.

banner motd Use of this system evidence an express consent to such monitoring and

banner motd agreement that if such monitoring reveals evidence of possible abuse or

banner motd criminal activity, system personnel may provide the result of such

banner motd monitoring to appropiate officials.

banner motd -----------------------------------------------------------------------------

boot system disk0:/asa861-smp-k8.bin

ftp mode passive

clock timezone IST 5 30

dns server-group DefaultDNS

domain-name xxxxxx.com

object network obj-172.29.0.0

subnet 172.29.0.0 255.255.0.0

object network obj-172.28.0.0

subnet 172.28.0.0 255.255.254.0

object network obj-172.28.2.0

subnet 172.28.2.0 255.255.254.0

access-list 101 extended permit icmp any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

!

object network obj-172.29.0.0

nat (inside,outside) dynamic interface

object network obj-172.28.0.0

nat (inside,outside) dynamic interface

object network obj-172.28.2.0

nat (inside,outside) dynamic interface

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 172.28.0.0 255.255.254.0 172.29.0.1 1

route inside 172.28.2.0 255.255.254.0 172.29.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto isakmp nat-traversal 30

telnet 172.29.0.0 255.255.0.0 inside

telnet timeout 7

ssh 0.0.0.0 0.0.0.0 inside

ssh 172.29.0.0 255.255.0.0 inside

ssh timeout 10

ssh version 2

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

webvpn

username mak password xxxxxxxxxxx encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect ipsec-pass-thru

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0ad853bb6a88686aebdb58ea91cde878

: end

nkarthikeyan Wed, 07/18/2012 - 05:01

have you checked by specifiying the rules for the vpn connection alone...

udp 500(NAT-T),4500,10000-10001.

access-list in-to-out permit udp host eq 500 like that for all the ports and

down to that you specify the rules for internet permit ip any any for internet permit. Also permit esp and ah as well for testing.

assign that access-list to inside interface and check.

So that you can find the hits that will be helpful in troubleshooting.

I don't think we have problem with the NAT bcos if we have pbm in that internet connection will not go through.

Do let me know the results.

Please do rate if the given info helps.

By

Karthik

jportugu Wed, 07/18/2012 - 06:03

Just to clarify, because I think I got lost here...

Are you connecting from inside - outside?

I am sorry but if thats the case all you need is a PAT rule to reach the remote VPN server in the Internet.

What error do you get on the VPN client?

If you are connecting from inside - outside, please remove the inspection and the isakmp command because you dont need them.

Please keep me posted.

kunal.hans Wed, 07/18/2012 - 07:19

Yes, users at Site-B are behind the 5515-X ASA whos config I have posted, so inside to outside. Right now I have applied the following permit rule on the Site-B 5515-X outside interface in inbound direction and I'm able to connect. But not sure if this is the recommended approach to the problem.

access-list 101 line 2 extended permit udp host any

nkarthikeyan Wed, 07/18/2012 - 10:47

Hmm...  inbound rule solved the pbm. good to hear that problem is solved. But for your query. Yes VPN sometimes requires two way rules. I faced the similar problem few years ago. That y i insist you to have the rules in place to verify.

Thanks for the update kunal.

Please do rate if the given info helps.

By

Karthik

sean chang Thu, 07/19/2012 - 09:34

Hi, Everyone,

I get similar  configurations to Kunal and very similar problem for outbound VPN connections. The difference is we are using  PIX 535, Firmware 8.0.4, our site is the main office, we have IPSec VPN server here and it's been working for long time--- VPN client 4.x and 5.x can connect to our site from outsite, but we can't use  VPN Client or QuickVPN connect to our other offices ( they use PIX515E or something like Cisco WSVS4400N IPsec VPN). Here  almost all networking services are  fine: including internet connections /exchange servers etc, inbond or outbound. VPN outgoing connection is the only problem we are having so far. Below are some disgnosis I have done so far:

#1---the branch office VPN server is working, verified by connections from my home PCs, which uses the cheap Linksys router with default settings

#2---the branch office  IP is reachable from our main office

#3---when I use  QuickVPN to connect to branch office from main office, the first stage connection is fine, saying something like "server's certificate doesn't exist on your local computer, do you want quit the connection?", I chose go No, then it goes through --active policy, verify network...  all are fine  until last step  it says "the remote gateway is not responding, do you want to wait"

#4:  I added similar rule for incoming connections:  access-list 101 line 2 extended permit udp  any any and other things suggested here like nat-travesal.... nothing works so far.

#5: I can't find any log info about the VPN connections on our pix log file ( which is using Unix Syslog and very verbal)

I know I may need start a new dicussion, I just thought my problem is very similar to Kunal's.

Any suggestions and advices are greatly appreciated

nkarthikeyan Thu, 07/19/2012 - 20:10

Hi Sean,

I am little confused over here. But these are my ideas.

Quick vpn uses Ports 443,60443,500 & 4500 ports for establising the IPSec VPN connection. Please make sure that you have allowed the ports in the main office firewall for outgoing traffic.

Also if you are using windows machine in ur main office... make sure that you have installed the correct vpn client as per your OS. for quick vpn windows firewall must be on.

configure fixup protocol ipsec-pass-thru.

If that not works the allow in the inbound direction as well for those ports.

do a packet tracer comand in ur main office firewall to check if the specific rule in allowing or getting dropped somewhere. Hope this helps.

sean chang Fri, 07/20/2012 - 07:07

Thnak you very much Karthikeyan,

Outgoing traffic for ports 443,60443,500 &4500 from main office PC to branch office router is allowed, verified by Packet Tracer; Incoming UDP is  DENIED even if I put  a rule to allow any host to have Incoming UDP traffic because of  Dynamic NAT configurations---- all PCs here  except servers are mapped to our  gateway IP by dynamic NAT , the packet tracer saying this way (NAT with X mark ): Inside PCs are "dynamic translation to pool 10 (70.169.X.X) ([interface PAT])", which means there is no way for outside host initiates a connection unless I do static NAT mapping.(not feasible here).

I also tried >  conf t

> fixup protocol ipsec-pass-thru

the CLI says error, I can see it has  about  15 choices like ftp, http but ipsec-pass-thru is NOT valid choice, I don't know how to add IPSEC-pass-thru as one of the protocols by fixup.

One again I do appreciate your help

nkarthikeyan Fri, 07/20/2012 - 09:50

Hi Sean,

Please apply like the below. It should take & allows ur vpn to get connect.

policy-map global_policy
class inspection_default

inspect ipsec-pass-thru

!

even after that also not works... specify the specific ports for vpn and check. I don think so this option would be the right one. firewall should be a stateful.

Please do rate if the given information helps.

By

Karthik

sean chang Fri, 07/20/2012 - 11:12

Thank you Karthikeyan.  unfortunately it doesn't work out. I have  3 Policy maps, here:

------------------

!

class-map vpn-udp-class

match access-list vpn-udp-acl

class-map inspection_default

match default-inspection-traffic

!

!

policy-map vpn-udp-policy

class vpn-udp-class

  inspect ipsec-pass-thru

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 768

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect http

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect pptp

  inspect ipsec-pass-thru

!

service-policy global_policy global

service-policy vpn-udp-policy interface outside

********** I still could not use fixup protocol with ip-sec-pass-thru**** here:

pix535# conf t

pix535(config)# fixup protocol ipsec-pass-thru

                                ^

ERROR: % Invalid input detected at '^' marker.

pix535(config)# fixup protocol ?

configure mode commands/options:

  ctiqbe     

  dns        

  ftp        

  h323       

  http       

  icmp       

  ils        

  mgcp       

  mmp        

  netbios    

  pptp       

  rsh        

  rtsp       

  sip        

  skinny     

  smtp       

  snmp       

  sqlnet     

  sunrpc     

  sunrpc_udp 

  tftp       

  waas       

  xdmcp      

******* I know this is a touchy issue and it has been bothering me for long time****

****manually pickup port instead of  auto ports not helping

Thank you very much for spending your valuable time helping us out

Actions

Login or Register to take actions

This Discussion

Posted July 17, 2012 at 3:29 AM
Stats:
Replies:15 Avg. Rating:
Views:3399 Votes:0
Shares:0
Categories: ASA
+

Related Content

Discussions Leaderboard