Cisco Support Community
New Member

Can't Connect via VPN

Have an ASA5505. Below is the error message that the VPN Client log gives while trying to connect.

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Can't Connect via VPN

Here are the changes from your initial posted config. This will allow you to hit all your existing ports to 192.168.1.50 and 1.30. It will also keep your outside interface clear for the vpn.

no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255

static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255

static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255

clear xlate

Your final static config should look like this...

static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255

static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255

static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255

Just wanted to add that this would disconnect any existing connections but will not affect routing.
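An added example, not from the thread or from Cisco: a small Python model of the before and after statics above, fed the thread's own lines as constructed input, to show why the 1:1 static on the outside interface stole the VPN while the per-port PAT statics do not. It is a simplified model of ASA 7.x static matching (a protocol-less static on `interface` claims every inbound flow to the outside address; a tcp/udp static claims only its port) and ignores order-of-operations details; the `xxxx.170.20` address is left masked exactly as the poster wrote it, and the names Static, inbound_lands_on and vpn_shadowed_by are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the statics quoted in the accepted answer (before and after).
BEFORE_CONFIG = """\
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
"""

AFTER_CONFIG = """\
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
"""

# Subset of the well-known port names the ASA accepts in place of numbers.
PORT_NAMES = {"smtp": 25, "https": 443, "http": 80, "isakmp": 500, "ssh": 22}

# Flows the ASA has to terminate itself for an IPsec remote-access client:
# IKE, NAT-T and ESP (IP protocol 50, so no port).
VPN_FLOWS = [("udp", 500), ("udp", 4500), ("esp", None)]


@dataclass(frozen=True)
class Static:                # this example's own representation of one static
    mapped: str              # mapped address, or the literal "interface"
    real: str                # inside host the flow is translated to
    proto: Optional[str]     # None = whole-address (1:1) static
    port: Optional[int]      # mapped port for a tcp/udp port static


def port_number(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_statics(config: str) -> List[Static]:
    """Parse the two 7.x static forms used in the thread (simplified)."""
    statics: List[Static] = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "static":
            continue
        if t[2] in ("tcp", "udp"):
            # static (real,mapped) {tcp|udp} mapped mapped_port real real_port [netmask m]
            statics.append(Static(t[3], t[5], t[2], port_number(t[4])))
        else:
            # static (real,mapped) mapped real [netmask m]
            statics.append(Static(t[2], t[3], None, None))
    return statics


def inbound_lands_on(statics: List[Static], proto: str, dport: Optional[int],
                     mapped: str = "interface") -> Optional[str]:
    """Inside host an inbound flow to `mapped` is translated to, or None when
    no static claims it and the ASA itself handles the packet."""
    for s in statics:
        if s.mapped != mapped:
            continue
        if s.proto is None:
            return s.real            # 1:1 static swallows every protocol and port
        if s.proto == proto and s.port == dport:
            return s.real
    return None


def vpn_shadowed_by(statics: List[Static]) -> List[Tuple[str, Optional[int], str]]:
    """List the VPN flows a static would divert away from the ASA."""
    diverted = []
    for proto, dport in VPN_FLOWS:
        host = inbound_lands_on(statics, proto, dport)
        if host is not None:
            diverted.append((proto, dport, host))
    return diverted


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, "-> VPN flows diverted:", vpn_shadowed_by(parse_statics(cfg)))
```

Run stand-alone it reports all three VPN flows diverted to 192.168.1.50 for the "before" statics and none for the "after" set, while SMTP, HTTPS and the three custom ports still reach 192.168.1.50 in both. As the answer notes, `clear xlate` is needed after swapping the statics and drops the existing translations.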

10 REPLIES
Silver

Re: Can't Connect via VPN

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

Apply the following command on the ASA:

isakmp nat-traversal 120

Green

Re: Can't Connect via VPN

^ In version 7.2.2 it is "crypto isakmp nat-traversal", and it is already in his config.

New Member

Re: Can't Connect via VPN

Attached are the current running configs, the log file from the VPN client, and the only activity that I see on the FW.

Thanks

Hall of Fame Super Silver

Re: Can't Connect via VPN

Thomas

I think that I see what the issue is. You want the client to send the ISAKMP negotiation packets (UDP port 500) to the ASA to negotiate the Security Association. But the client is reporting that there is no response. I see the first clue in the debug output from the ASA:

6|Jul 09 2007|10:58:33|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4711 for outside:70.200.193.240/1157 (70.200.193.240/1157) to inside:192.168.1.50/500 (66.64.170.18/500)

Note that it is building an inbound connection, and note that it is building it to destination address 192.168.1.50. So the ISAKMP is being sent to some device on the inside network rather than being processed on the ASA. The inside device is not processing the ISAKMP request, and this is why the client receives no response.

I believe that this is due to this line in the config:

static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

This will translate any traffic arriving on the outside interface to the 192.168.1.50 address, including your ISAKMP traffic.

I believe that if you are going to translate all inbound traffic to the inside address, you need a translation of UDP 500 and of ESP to stay on the ASA outside address.

HTH

Rick
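An added example, not part of this thread: a small Python check that scans ASA connection-build records in the pipe-delimited export format quoted above (302013 TCP and 302015 UDP messages) and flags UDP/500 and UDP/4500 flows whose mapped destination is the ASA's outside address but whose real destination is an inside host, which is the symptom Rick points at. The first sample line is the one quoted in the thread; the others (a TCP/443 build, a NAT-T UDP/4500 build and a teardown) are constructed for the example, and the class name HijackedFlow and the outside address passed in are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the export format quoted in the thread
# (severity|date|time|message-id|src|dst|text). The first line is the one
# Rick quoted; the remaining lines are made up for this example.
SAMPLE_LOG = """\
6|Jul 09 2007|10:58:33|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4711 for outside:70.200.193.240/1157 (70.200.193.240/1157) to inside:192.168.1.50/500 (66.64.170.18/500)
6|Jul 09 2007|10:58:35|302013|70.200.193.240|192.168.1.50|Built inbound TCP connection 4712 for outside:70.200.193.240/1158 (70.200.193.240/1158) to inside:192.168.1.50/443 (66.64.170.18/443)
6|Jul 09 2007|10:58:40|302015|70.200.193.240|192.168.1.50|Built inbound UDP connection 4713 for outside:70.200.193.240/4500 (70.200.193.240/4500) to inside:192.168.1.50/4500 (66.64.170.18/4500)
6|Jul 09 2007|10:59:02|302014|70.200.193.240|192.168.1.50|Teardown TCP connection 4712 for outside:70.200.193.240/1158 to inside:192.168.1.50/443 duration 0:00:27 bytes 5120 TCP FINs
"""

# Text of a 302013 (TCP) / 302015 (UDP) "Built inbound ... connection" record.
CONN_RE = re.compile(
    r"Built inbound (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<real_dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped_dst>[\d.]+)/\d+\)"
)

# UDP ports the ASA must terminate itself for an IPsec remote-access client:
# IKE (500) and NAT-T (4500). ESP is IP protocol 50, not a port, and does not
# appear as a 302015 record, so it is outside what this check can see.
VPN_PORTS = {("UDP", 500), ("UDP", 4500)}


@dataclass(frozen=True)
class HijackedFlow:          # name is this example's own
    timestamp: str
    proto: str
    src: str
    real_dst: str            # where NAT actually sent the packet
    mapped_dst: str          # the outside address the client aimed at
    dport: int


def parse_connection(line: str) -> Tuple[Optional[str], Optional[re.Match]]:
    """Split one export line and match its connection-build text, if any."""
    fields = line.split("|", 6)
    if len(fields) < 7 or fields[3] not in ("302013", "302015"):
        return None, None
    return f"{fields[1]} {fields[2]}", CONN_RE.search(fields[6])


def find_hijacked_vpn_flows(log_text: str, asa_outside_ip: str) -> List[HijackedFlow]:
    """Flag IKE/NAT-T flows translated to an inside host instead of being
    handled by the ASA whose outside address they were sent to."""
    findings: List[HijackedFlow] = []
    for line in log_text.splitlines():
        timestamp, m = parse_connection(line)
        if m is None:
            continue
        proto, dport = m["proto"], int(m["dport"])
        if (proto, dport) not in VPN_PORTS:
            continue
        # The client addressed the ASA (mapped_dst) but NAT rewrote the
        # destination to an inside host (real_dst): the ASA never saw the IKE.
        if m["mapped_dst"] == asa_outside_ip and m["real_dst"] != asa_outside_ip:
            findings.append(HijackedFlow(timestamp, proto, m["src"],
                                         m["real_dst"], m["mapped_dst"], dport))
    return findings


if __name__ == "__main__":
    for f in find_hijacked_vpn_flows(SAMPLE_LOG, "66.64.170.18"):
        print(f"{f.timestamp}: {f.proto}/{f.dport} from {f.src} was translated to "
              f"{f.real_dst} instead of terminating on {f.mapped_dst}")
```

On the sample input this reports the UDP/500 and UDP/4500 builds and ignores the HTTPS connection, which is supposed to be forwarded. To confirm the cause on the box rather than from logs, `show xlate` lists the interface-wide translation, and on 7.2 and later `packet-tracer input outside udp <client-ip> 1157 <outside-ip> 500` walks an IKE packet through NAT and shows whether it is translated toward the inside host instead of being handled by the ASA.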

New Member

Re: Can't Connect via VPN

I agree with your assessment; however, I do not have the savvy to "translate all inbound traffic to the inside address that you need a translation of UDP 500 and of ESP to stay on the ASA outside address."

How do I go about doing that?

Thanks in advance!

Green

Re: Can't Connect via VPN

You could set up port address translation instead for each of the ports you need access to...

no static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

etc.

New Member

Re: Can't Connect via VPN

I just need to make sure that I don't cause any problems with the current routing as I had some difficulty getting it set up in the first place.

XXX.XXX.XXX.20 needs SMTP on 192.168.1.30

XXX.XXX.XXX.18 needs SMTP on 192.168.1.50

XXX.XXX.XXX.18 is the "Outside interface" and has a route to XXX.XXX.XXX.17.

Hall of Fame Super Silver

Re: Can't Connect via VPN

Thomas

I have not tried it this way but I wonder if you could add this:

static (inside,outside) udp interface isakmp 66.64.170.18 isakmp netmask 255.255.255.255

static (inside,outside) esp interface 66.64.170.18 netmask 255.255.255.255

before the existing translate.

HTH

Rick

New Member

Re: Can't Connect via VPN

Thanks to all for the help. That was the issue. There was the static 1-to-1 on the outside interface that was effectively forwarding all traffic (including VPN) to the internal address.
