We moved from an AS500 to an ASA5500 and are having an issue with port forwarding and VPN

staylor07
Level 1

When we moved from our old AS500 to the new ASA5505, we did not have an issue getting up and running as far as internet and email access goes. What we are having an issue setting up is with our port forwarding for our IP Phone systems and IPsec VPN.

I have attached our current running config to see if anyone might be able to spot the solution to the issues we are having. I am sure it is something simple that we missed when setting up the rules.

 

Thank you in advance

Stephen

 


Jouni Forss
VIP Alumni

Hi,

 

There is at least a simpler way of trying to configure Static PAT (Port Forward) without having to use so many different "object".

 

I would suggest removing the current configurations and using the following as a template to configure all the required Static PAT configurations you need

 

object network <object name>
 host <internal ip>
 nat (inside,outside) static interface service <udp/tcp> <real port> <mapped port>

 

Make the above configurations for every port you need. Notice that a single "object" can only hold a single "nat" configuration, so each Static PAT configuration requires its own "object". If there are several ports forwarded to a single server, I personally tend to create an additional "object" that just contains the internal server IP address and use that in the external interface ACL rules to allow connections. I do this to avoid having to use multiple different named "object" in the ACL, even though it would be possible to use the "object" created in the above NAT configurations.

 

With regards to the VPN connections, what are you trying to accomplish?

 

There are several configurations under the Default groups which I would avoid doing. There are also Hardware client configurations, L2L VPN configurations and VPN Client configurations on the ASA.

 

I would suggest clearing these configurations IF they are not required. In the case of the Default Group configurations you might need to just remove the configurations under those "group-policy" and "tunnel-group" configurations. I don't think you can even remove the actual groups as they are the default ones.

 

vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup REDACTED password *****
vpnclient username REDACTED password *****
dhcpd auto_config outside

webvpn
 enable outside

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.11 192.168.1.20
 vpn-tunnel-protocol l2tp-ipsec 
 default-domain value patc.net
group-policy DfltGrpPolicy attributes
 address-pools value PATC-VPN-IPPool

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1 ikev2 
 address-pools value PATC-VPN-IPPool

tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) PATC-VPN-IPPool
 address-pool PATC-VPN-IPPool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (inside) PATC-VPN-IPPool
 address-pool PATC-VPN-IPPool
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 ikev1 pre-shared-key *****

tunnel-group PATCVPN type ipsec-l2l
tunnel-group PATCVPN general-attributes
 default-group-policy GroupPolicy1
tunnel-group PATCVPN ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

 

After this I would simply suggest that you log into the ASA with ASDM and run the Wizard for the VPN Client configuration (if that is what you are after) and use it to create a basic IPsec VPN Client configuration (or SSL VPN if you have the required software)

 

After that is done we can take a look at the configurations again if VPN connections are not working.

 

- Jouni

Port forwarding was successful! Thank you!

 

I removed all the old VPN information and ran the VPN Wizard as you suggested and we are still not able to open a tunnel, it is almost like we are not getting a good handshake with the ASA.

 

Attached is the new running-config for your review. Again, thank you for your assistance.

With regards to the VPN connections, we are trying to accomplish an IPsec connection with both Windows and Apple using the built-in VPN connections with these operating systems.

Hi,

 

I would suggest changing the VPN Pool to be a completely different subnet from the LAN.

 

For example

 

ip local pool VPN-POOL 192.168.100.10-192.168.100.20 mask 255.255.255.0

 

tunnel-group test-vpn-group general-attributes
 no address-pool TEST-VPN-POOL
 address-pool VPN-POOL

 

no nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.160_27 NETWORK_OBJ_192.168.1.160_27 no-proxy-arp route-lookup

 

object network LAN
 subnet 192.168.1.0 255.255.255.0

 

object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0

 

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

 

And then try connecting through the VPN again

 

- Jouni
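As an added example (not code from this thread, from Cisco, or from either poster), here is a small Python lint that checks a candidate ASA config for the two points raised above before it is pasted in: more than one Static PAT "nat" line under a single object (the ASA keeps only one per object), and a VPN address pool carved out of the LAN subnet. The sample config, object names and pool names below are constructed, and the LAN object is assumed to be called LAN as in the accepted answer.

```python
import ipaddress
import re
# Constructed sample, not the poster's config: PHONE-RTP holds two nat lines, PATC-VPN-IPPool is inside LAN.
SAMPLE_CONFIG = """\
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network PHONE-SIP
 host 192.168.1.50
 nat (inside,outside) static interface service udp 5060 5060
object network PHONE-RTP
 host 192.168.1.50
 nat (inside,outside) static interface service udp 10000 10000
 nat (inside,outside) static interface service udp 10001 10001
ip local pool PATC-VPN-IPPool 192.168.1.160-192.168.1.190 mask 255.255.255.0
ip local pool VPN-POOL 192.168.100.10-192.168.100.20 mask 255.255.255.0
"""

def parse_objects(config):
    """Map each 'object network' name to its address and the nat lines under it."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = objects.setdefault(line.split()[2], {"net": None, "nat": []})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] == "subnet":
                current["net"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
            elif parts[0] == "host":
                current["net"] = ipaddress.ip_network(parts[1])
            elif parts[0] == "nat":
                current["nat"].append(line.strip())
        else:
            current = None  # any unindented line ends the object block
    return objects

def parse_pools(config):
    # Map each 'ip local pool' name to its (first, last) address pair
    pat = r"^ip local pool (\S+) (\S+)-(\S+) mask"
    return {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            for m in re.finditer(pat, config, re.M)}

def lint(config, lan_object="LAN"):
    # One finding per pitfall found; an empty list means the candidate config is clean
    findings, objects = [], parse_objects(config)
    for name, obj in objects.items():
        if len(obj["nat"]) > 1:  # ASA keeps one nat per object; split by port
            findings.append(f"{name}: {len(obj['nat'])} nat lines, use one object per port")
    lan = objects.get(lan_object, {}).get("net")
    for name, (first, last) in parse_pools(config).items():
        if lan is not None and (first in lan or last in lan):
            findings.append(f"{name}: {first}-{last} overlaps {lan_object} {lan}, use a separate subnet")
    return findings
```

Running lint(SAMPLE_CONFIG) reports PHONE-RTP and PATC-VPN-IPPool and stays silent on VPN-POOL, which lives on its own 192.168.100.0/24 subnet as the accepted answer recommends.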

 

That worked a treat! iPhone connected straight away, Windows PC also connected. Now to find out why the Apple MacBook Air doesn't connect. I think it is a configuration setting on the MacBook that is the issue.

 

Thank you very much!

Stephen
