Solved: Re: Cisco VPN through ASA 5505

orhan.tagizade · ‎09-28-2010

Hi everyone,

I have a Cisco ASA5505 installed. config is below:

pb-gw2# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname pb-gw2
domain-name pshb1.local
enable password mjgSKfuQzL4x1LLu encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.5 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 81.21.95.13 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name pshb1.local
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 10 192.168.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 81.21.95.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
username admin password RS6hkLNrh/9fCzGC encrypted privilege 15
prompt hostname context
Cryptochecksum:b496f66403b8d94b36238fb2567b8cd2
: end
pb-gw2#

**********************************************

We are establishing a connection with Cisco VPN Client ver. 5.0.07.0290 to the external VPN Host 95.86.133.30. Connection is established successfully, then we try to open link https://x.x.x.x:7777/accr. This is the link to the system where you are authenticated with a certificate already installed i personal certificate store. Certificate is valid.

Thing is, that if we are trying to do this while behind the ASA - internet explorer displays his favourite "Internet Explorer cannot display the webpage".

If we connect the laptop directly to the internet with public ip address - everything works fine. As I undesrtand the problem is localized - something is missing from ASA configuration. The question is - what?

Will appreciate any help.

Thanks a lot in advance.

Jennifer Halim · ‎09-30-2010

OK, I understand what the problem is now.

There is nothing wrong with the ASA 5505. However, because ASA is only doing PAT, then you would need NAT-T to be enabled on the VPN device (95.86.133.30), so the VPN traffic (ESP) is encapsulated into UDP or TCP.

Alternatively, if you have spare public ip address, you can also configure static NAT for the PC where you have the vpn client (192.168.10.83) as follows:

static (inside,outside) 81.21.95.x 192.168.10.83 netmask 255.255.255.255

"x" would be a spare public ip address that you have. Then "clear xlate" after the changes.

If you don't have a spare public IP address, then you would need to ask the remote VPN device to enable NAT-T.

View solution in original post

Jennifer Halim · ‎09-28-2010

Don't quite understand your topology. Can you please share your topology diagram on how the ASA and the VPN device are connected?

The VPN is terminated on another device and how is the VPN device connects to the ASA5505 that passes through the VPN traffic? I assume that your VPN device is also a Cisco device possibly an ASA? since you are using Cisco VPN Client to connect.

And when you say trying to connect to https://x.x.x.x:7777/accr after connected via VPN, where is x.x.x.x connected? Inside the ASA or on the Internet? Is that public ip address or private ip address?

orhan.tagizade · ‎09-28-2010

Thanks for the reply.

Here is the topology:

Hope situation is more clear now. Will happy to provide any additional information.

Note: Remote VPN Host is not managed by us, it belongs to other organization which provides the access to their information system.

Again - everything works fine when my laptop is connected directly to the internet - I think something is happening to the packets when they are passing ASA.

praprama · ‎09-28-2010

Hey,

Well looking at the scenarios you have descriped, the only difference when connectin laptop through the ASA and without the ASA is the fact that ASA is going to be performing NAT on the traffic pasing thorugh it. Now, with dynamic PAT (nat and global command) on the ASA, ESP(IPSec traffic) will not pass through. The reason for that is as below:

The header of encrypted packets is going to be as below:

| | | |

| IP | ESP| Encrypted Data |

| | | |

Now with Dynamic PAT, both the IP address and port number is translated. Now, in the above situation, the ESP header does not have any port numbers for the ASA to be able to translate and hence will fail.

On the Remote VPN headend, please have a check if "NAT traversal" is enabled. What this does is inserts a UDP header in between the IP and ESP header which the ASA can use to translate the port number as well:

| | | | |

| IP | UDP | ESP| Encrypted Data |

| | | | |

I hope this is clear enough. I am guessing the reaosn for the connection failing is due to the above fact. To confirm this, please enable NAT traversal on the headend. Also, are you able to ping/connect to any device thoruhg the VPN tunnel thorugh the ASA?

Thanks and Regards,

Prapanch

orhan.tagizade · ‎09-28-2010

Please advise how to enable NAT Traversal?

What do you mean by headend? The other remote firewall?

praprama · ‎09-28-2010

Hi,

Yes by headend i mean the remote firewall to which the clients are connecting. What is that device?

Regards,

Prapanch

orhan.tagizade · ‎09-28-2010

I will try to get some information, but as it is a government organization, I'm sure no additional information will be provided

.

Assume we don't know what device is there. And as I wrote in my previous post in this topic, we were doing ok while we had ISA 2006 as a firewall.

Thank you.

praprama · ‎09-28-2010

To enable it on the ASA, the command is "crypto isakmp nat-traversal". Do you have syslogs from the ASA when trying to send traffic from the VPN client? You should be able to see some syslogs for the client's IP address and the remote firewall's IP adress.

Regards,

Prapanch

orhan.tagizade · ‎09-28-2010

I also need to know howe to enable Nat traversal on ASA.\

Thanks in advance

Jennifer Halim · ‎09-28-2010

Do you know whether it is split tunnel or no split tunnel VPN Client? Once you are connected, you can check under statistics --> route. If you can share the screenshot of that, it would help.

Also, what is x.x.x.x? Is that behind the other remote ASA? private IP or public IP? If you can access it from the internet, I assume that it will be public IP address. Most times when you try to access it via VPN, you would need to access the private IP address instead if it is actually connected behind the remote ASA. Please check how NATing is done for x.x.x.x if it's behind ASA when accessing it via VPN.

orhan.tagizade · ‎09-28-2010

Screenshot attached.

Also, what is x.x.x.x? Is that behind the other remote ASA? private IP or public IP? If you can access it from the internet, I assume that it will be public IP address. Most times when you try to access it via VPN, you would need to access the private IP address instead if it is actually connected behind the remote ASA. Please check how NATing is done for x.x.x.x if it's behind ASA when accessing it via VPN.

x.x.x.x as you can see from the network topology is 172.23.19.5 (private IP), and this host is behind the remote firewall 95.86.133.30 (public IP), i'm not sure if this is asa or any other vendor supplied firewall.

All components of the remote network are neither physically available, nor configurable for me.

Everything worked fine when we were using connection to this remote VPN host when we had ISA Server 2006 as firewall. But now it's gone and I need to configure this on ASA 5505.

Think this would make situation more clear.

Thanks for all your help and time!

orhan.tagizade · ‎09-29-2010

syslog files are attached.

Cisco ASA5505 8.0.(2)

Syslog level: Debugging

Facility: Local7 and Local4 (if it does make any sense)

Hope this help to narrow down the problem.

Jennifer Halim · ‎09-30-2010

OK, I understand what the problem is now.

There is nothing wrong with the ASA 5505. However, because ASA is only doing PAT, then you would need NAT-T to be enabled on the VPN device (95.86.133.30), so the VPN traffic (ESP) is encapsulated into UDP or TCP.

Alternatively, if you have spare public ip address, you can also configure static NAT for the PC where you have the vpn client (192.168.10.83) as follows:

static (inside,outside) 81.21.95.x 192.168.10.83 netmask 255.255.255.255

"x" would be a spare public ip address that you have. Then "clear xlate" after the changes.

If you don't have a spare public IP address, then you would need to ask the remote VPN device to enable NAT-T.

orhan.tagizade · ‎09-30-2010

Dear Jennifer, Prapanch,

Thank you for your help!

Today i finally reached the CCIE from IT Outsourcing company, which provides maintenance for that particular VPN gateway, which is btw Cisco PIX Firewall. Indeed, the company had that guy switch NAT-T off

Now, as Jennifer advised, I will try to check if Static Nat will work for me.

Thank you all for your time and attention!

Jennifer Halim · ‎09-30-2010

Great to hear you are able to find out the issue. The static NAT should work.