03-20-2013 12:14 PM - edited 03-11-2019 06:17 PM
I am trying to configure an IPsec VPN on an ASA5505.
I set up an SSL VPN and it works fine: I can browse to the https: address, log in and connect to servers.
However, when I try to set up the IPsec client access VPN it will not connect, and I am getting the errors below.
I used the wizard for the initial configuration
Looks like the initial IKE is being blocked or dropped?
%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/500
%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/137
Roger
03-20-2013 12:38 PM
Hello
Do you have
crypto isakmp enable outside configured?
What version are you running?
03-20-2013 12:54 PM
crypto ikev2 enable external
crypto ikev1 enable external
Running version 8.4(1)
The SSL works perfectly.
I then configured the IPsec using the wizard and it won't connect.
Scratching my head a bit
Thanks
Roger
03-20-2013 01:29 PM
Hello Roger,
Can you share the configuration so I can take a quick look at it?
03-20-2013 04:00 PM
Problem nearly fixed: I rebooted the firewall and I am now able to log in.
However, traffic is only flowing one way: lots of encrypted packets but 0 decrypted.
Also, my split tunnel does not seem to be working.
I will get the config into this post soon
Thanks
Roger
03-20-2013 04:11 PM
Hello,
Then we will need to check the config.
03-20-2013 05:00 PM
OK, I am getting this error when pinging an internal host from the connected VPN client.
VPN client is on 172.16.24.2, internal host is on 192.168.100.37.
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src external:172.16.24.2 dst internal:192.168.100.37 (type 8, code 0) denied due to NAT reverse path failure
object network obj-192.168.50.10
 host 192.168.50.10
object network obj-192.168.50.20
 host 192.168.50.20
object network obj-192.168.50.21
 host 192.168.50.21
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network NETWORK_OBJ_10.10.1.0_28
 subnet 10.10.1.0 255.255.255.240
object network vpn_clients
 subnet 192.168.199.0 255.255.255.0
object network 192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.199.0_24
 subnet 192.168.199.0 255.255.255.0
object network VPN_172
 subnet 172.16.24.0 255.255.255.0
object-group service RDP tcp
 port-object eq 3389
object-group service SQL tcp
 port-object eq 1433
object-group service RDP-SQL tcp
 group-object RDP
 group-object SQL
access-list outside_in extended permit udp any any log
access-list network_10_access_in extended permit ip interface internal any
access-list external_access_in extended permit ip object NETWORK_OBJ_192.168.199.0_24 interface internal
access-list external_access_in extended permit tcp any any inactive
access-list from_outside extended permit icmp any any log
access-list from_outside extended permit icmp any any echo
access-list split_VPN_Split standard permit 192.168.100.0 255.255.255.0
access-list external_access_in_1 extended permit ip object NETWORK_OBJ_192.168.199.0_24 192.168.100.0 255.255.255.0
access-list external_access_in_1 extended permit ip object VPN_172 192.168.100.0 255.255.255.0
pager lines 24
nat (internal,external) source static any any destination static NETWORK_OBJ_10.10.1.0_28 NETWORK_OBJ_10.10.1.0_28
nat (internal,external) source static 192.168.100.0 192.168.100.0 destination static NETWORK_OBJ_192.168.199.0_24 NETWORK_OBJ_192.168.199.0_24
nat (internal,external) source static any any destination static NETWORK_OBJ_192.168.199.0_24 NETWORK_OBJ_192.168.199.0_24
object network obj-192.168.50.10
 nat (internal,external) static 192.168.0.81
object network obj-192.168.50.20
 nat (internal,external) static 192.168.0.230
object network obj-192.168.50.21
 nat (internal,external) static 192.168.0.231
object network obj_any
 nat (internal,external) dynamic interface
object network obj_any-01
 nat (internal,external) dynamic obj-0.0.0.0
access-group network_10_access_in in interface internal
access-group external_access_in_1 in interface external
route external 0.0.0.0 0.0.0.0 4.5.6.7.1 1
route internal 10.10.10.0 255.255.255.255 192.168.100.1 1
03-20-2013 10:55 PM
Hello,
Try
nat (inside,outside) 1 source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172
Regards
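To show why the suggested identity NAT line resolves the %ASA-5-305013 "Asymmetric NAT rules matched" drop, here is an added Python check. It is example code written for this thread, not Cisco's and not from any poster: it parses a constructed excerpt of the network objects and twice-NAT rules Roger posted and reports whether an identity (NAT-exempt) rule covers the 192.168.100.37 -> 172.16.24.2 flow. The existing exemptions only cover NETWORK_OBJ_192.168.199.0_24, while the IPsec clients come from VPN_172 (172.16.24.0/24), so nothing matches until the new rule is added. The suggested rule is written with Roger's interface names (internal,external) rather than the (inside,outside) in the reply; that substitution is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the object and twice-NAT lines from the thread,
# using Roger's interface names. Example data, not a complete ASA config.
ORIGINAL_CONFIG = """\
object network NETWORK_OBJ_192.168.199.0_24
 subnet 192.168.199.0 255.255.255.0
object network 192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network VPN_172
 subnet 172.16.24.0 255.255.255.0
nat (internal,external) source static 192.168.100.0 192.168.100.0 destination static NETWORK_OBJ_192.168.199.0_24 NETWORK_OBJ_192.168.199.0_24
nat (internal,external) source static any any destination static NETWORK_OBJ_192.168.199.0_24 NETWORK_OBJ_192.168.199.0_24
"""

# The exemption suggested in the reply, with (inside,outside) changed to
# Roger's (internal,external) nameifs (assumption).
SUGGESTED_FIX = (
    "nat (internal,external) source static 192.168.100.0 192.168.100.0 "
    "destination static VPN_172 VPN_172"
)

OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
# Twice NAT: optional line number, then source and destination real/mapped pairs.
NAT_RE = re.compile(
    r"^nat \((\w+),(\w+)\) (?:\d+ )?source static (\S+) (\S+) "
    r"destination static (\S+) (\S+)"
)

Network = ipaddress.IPv4Network
# (config line, src_real, src_mapped, dst_real, dst_mapped)
NatRule = Tuple[str, str, str, str, str]


def parse_config(text: str) -> Tuple[Dict[str, Network], List[NatRule]]:
    """Collect network objects (name -> prefix) and twice-NAT rules in order."""
    objects: Dict[str, Network] = {}
    rules: List[NatRule] = []
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := OBJECT_RE.match(line):
            current = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        elif (m := HOST_RE.match(line)) and current:
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/32")
        elif m := NAT_RE.match(line):
            current = None
            src_real, src_mapped, dst_real, dst_mapped = m.groups()[2:]
            rules.append((line.strip(), src_real, src_mapped, dst_real, dst_mapped))
    return objects, rules


def resolve(name: str, objects: Dict[str, Network]) -> Network:
    """'any' means every address; anything else must be a defined object."""
    if name == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if name not in objects:
        raise KeyError(f"NAT rule references undefined object {name!r}")
    return objects[name]


def find_exemption(text: str, inside_host: str, vpn_client: str) -> Optional[str]:
    """Return the first identity twice-NAT rule covering inside_host -> vpn_client,
    or None. With no match, the inside host's replies fall through to the dynamic
    interface PAT, which disagrees with the forward (client-to-host) flow, and the
    ASA drops them with %ASA-5-305013 'NAT reverse path failure'."""
    objects, rules = parse_config(text)
    src = ipaddress.IPv4Address(inside_host)
    dst = ipaddress.IPv4Address(vpn_client)
    for line, src_real, src_mapped, dst_real, dst_mapped in rules:
        identity = src_real == src_mapped and dst_real == dst_mapped
        if not identity:
            continue
        if src in resolve(src_real, objects) and dst in resolve(dst_real, objects):
            return line
    return None


if __name__ == "__main__":
    host, client = "192.168.100.37", "172.16.24.2"
    print("before fix:", find_exemption(ORIGINAL_CONFIG, host, client))
    print("after fix: ", find_exemption(ORIGINAL_CONFIG + SUGGESTED_FIX + "\n", host, client))
```

Run it as a script: the first line prints None (no exemption for the 172.16.24.0/24 pool), the second prints the suggested rule. The same check can be pointed at any pasted object/twice-NAT excerpt to confirm a VPN pool is exempted before the tunnel is tested.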
03-21-2013 01:30 AM
Thanks for that, we are now one step closer!
Now getting this error:
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.2 on interface external to 192.168.100.37: no matching session
03-21-2013 01:40 AM
Thanks for your replies. I have marked the NAT as the correct answer; after much head scratching, I have now realised the problem.
This is another firewall added to the network.
The default gateway of the client I am pinging is another firewall, so the ping is going in and then going back to the main firewall.
My issue lies on the internal network.
Thanks
Roger
03-21-2013 08:08 AM
Hello Roger,
Glad to know that I could help.
Have a great day.