ASA 5505 VPN from internet native VPN client, TCP discarded 1723

juvesito69
Level 1

Hello to all,

I'm configuring this ASA to connect home users to my network over the internet, using the native Microsoft VPN client on Windows XP.

This ASA has one public internet IP on the outside interface and the 192.168.0.x network configured on the inside interface, and I want users on the internet to access this network using native VPN clients.

I tested with one PC connected directly to the outside interface and it works well, but when I connect this interface to the internet and try to connect one user to the VPN, I can see this in the logs and can't connect (error 800):

TCP request discarded from "public_ip_client/61648" to outside:publicip_outside_interface/1723"

Can you help me please? Many thanks in advance!

(running configuration)

: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password *** encrypted
passwd *** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address publicinternetaddress 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network gatewayono
 host gatewayofinternetprovideraccess
 description salida gateway ono
object service remotointerno
 service tcp destination eq 3389
 description remoto
object network pb_clienteing_2
 host 192.168.0.15
 description Pebble cliente ingesta 2
object service remotoexternopebble
 service tcp destination eq 5353
 description remotoexterno
object network actusmon
 host 192.168.0.174
 description Actus monitor web
object service Web
 service tcp destination eq www
 description 80
object network irdeto
 host 192.168.0.31
 description Irdeto
object network nmx_mc_p
 host 192.168.0.60
 description NMX Multicanal Principal
object network nmx_mc_r
 host 192.168.0.61
 description NMX multicanal reserva
object network tarsys
 host 192.168.0.10
 description Tarsys
object network nmx_teuve
 host 192.168.0.30
 description nmx cabecera teuve
object network tektronix
 host 192.168.0.20
 description tektronix vnc
object service vnc
 service tcp destination eq 5900
 description Acceso vnc
object service exvncnmxmcr
 service tcp destination eq 5757
 description Acceso vnc externo nmx mc ppal
object service exvncirdeto
 service tcp destination eq 6531
 description Acceso vnc externo irdeto
object service exvncnmxmcp
 service tcp destination eq 5656
object service exvnctektronix
 service tcp destination eq 6565
object service exvncnmxteuve
 service tcp destination eq 6530
object service ssh
 service tcp destination eq ssh
object service sshtedialexterno
 service tcp destination eq 5454
object-group service puertosabiertos tcp
 description remotedesktop
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object irdeto
 network-object object nmx_mc_p
 network-object object nmx_mc_r
 network-object object nmx_teuve
 network-object object tektronix
object-group service vpn udp
 port-object eq 1723
object-group service DM_INLINE_TCP_1 tcp
 port-object eq https
 port-object eq pptp
object-group network DM_INLINE_NETWORK_2
 network-object object actusmon
 network-object object tarsys
access-list inside_access_in extended permit object remotointerno any any
access-list inside_access_in extended permit object ssh any any
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object vnc any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object remotointerno any object pb_clienteing_2
access-list outside_access_in extended permit object-group TCPUDP any object actusmon eq www
access-list outside_access_in remark Acceso tedial ssh
access-list outside_access_in extended permit tcp any object tarsys eq ssh
access-list outside_access_in extended permit object vnc any object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended deny icmp any any
access-list corporativa standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging asdm debugging
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool clientesvpn 192.168.0.100-192.168.0.110 mask 255.255.255.0
ip local pool clientesvpn2 192.168.1.120-192.168.1.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any interface destination static interface actusmon service Web Web unidirectional
nat (outside,inside) source static any interface destination static interface tarsys service sshtedialexterno ssh unidirectional
nat (outside,inside) source static any interface destination static interface pb_clienteing_2 service remotoexternopebble remotointerno unidirectional
nat (outside,inside) source static any interface destination static interface irdeto service exvncirdeto vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_p service exvncnmxmcp vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_r service exvncnmxmcr vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_teuve service exvncnmxteuve vnc unidirectional
nat (outside,inside) source static any interface destination static interface tektronix service exvnctektronix vnc unidirectional
nat (any,outside) source dynamic DM_INLINE_NETWORK_2 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside per-user-override
route outside 0.0.0.0 0.0.0.0 gatewayinternetprovideracces 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
aaa local authentication attempts max-fail 10
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp mode transport
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set clientewindowsxp
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TP-VPN-MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint Ingenieria
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.36 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point Ingenieria outside
webvpn
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server none
 dns-server value 192.168.0.1
 vpn-tunnel-protocol l2tp-ipsec
 default-domain none
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy ingenieria internal
group-policy ingenieria attributes
 vpn-tunnel-protocol l2tp-ipsec
 default-domain none
group-policy L2TP-Policy internal
group-policy L2TP-Policy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-ACL
 intercept-dhcp enable
username ingenieria password 4fD/5xY/6BwlkjGqMZbnKw== nt-encrypted privilege 0
username ingenieria attributes
 vpn-group-policy ingenieria
username rjuve password SjBNOLNgSkUi5KWk/TUsTQ== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool clientesvpn
 address-pool clientesvpn2
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 default-group-policy L2TP-Policy
 authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
!
prompt hostname context
call-home reporting anonymous
Cryptochecksum:59b54f1d10fe829aeb47bafee57ba95e
: end



6 Replies

nkarthikeyan
Level 7

Hi Ramon,

First thing: you have to add the inspect statement in policy-map global_policy, which is at the end:

policy-map global_policy
 class inspection_default
  inspect pptp
!

If it still doesn't work after that... then allow GRE from source to destination.

This will resolve the issue, I guess...

Please rate if the given info helps.

Yep, I'm a real beginner with Cisco and I don't know how I can add this to the configuration. I'm using ASDM 6.4 or telnet to the Cisco, but I can't put "inspect pptp" directly.

I can access it with telnet; after I logged in I put "configure t", then I go into policy-map global_policy, but inside I can't put inspect... Is it possible that this doesn't work because I have a different version?

Thanks in advance Karthikeyan!

Hi Ramon,

Either you can get into the policy map and do it, or, to make it simple....

from conf t: fixup protocol pptp 1723

It will add it to the inspect list. Also you can have the lines below added as well, for the other services which are normally there in the default configuration:

  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect sqlnet
!

Yes, with this command it creates this:

policy-map global_policy
 class inspection_default
  inspect pptp
!

But it doesn't work. I also tried to add PPTP and GRE to the outside access rules, but nothing...

I don't understand why, if I connect directly to the outside interface from the same outside network, it works well.

e.g.: the PC has IP 89.120.145.14 and the outside of the ASA has 89.120.145.140; if I create a VPN on this PC to the outside IP 89.120.145.140 with the correct parameters, the ASA doesn't discard 1723 and it connects OK, but if the PC's IP is not in this range it discards 1723...

Accepted Solution

Hi Ramon, I guess the service policy is not applied in the firewall, so it is not handling the non-trusted traffic, other than from the same public segment.

Apply it like this:

service-policy global_policy global

Because, as per the old config, I do see the policy was not applied. Please let me know the results.

Please rate if the given info helps.
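The inspection and policy lines the replies above describe, collected in the hierarchy the ASA 8.4 CLI expects (an added example, not a config posted in the thread; the `match default-inspection-traffic` line is the usual ASA default and is an assumption here, since the posted config does not show it):

```cisco
! Added example, not the thread's own config: the inspection and policy
! lines discussed in the replies, in the order the ASA CLI expects them.
! Assumption: the default class match, which the posted config does not show.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect pptp
!
! A policy-map does nothing until it is bound with service-policy; the posted
! config defines global_policy but never applies it.
service-policy global_policy global
!
! The posted outside_access_in already permits tcp/pptp (1723) through
! DM_INLINE_TCP_1. PPTP inspection opens the GRE data channel on its own;
! an explicit GRE permit is the fallback the first reply mentions.
access-list outside_access_in extended permit gre any any
```

Note that the posted tunnel-group is configured for l2tp-ipsec and the ASA does not terminate PPTP itself, so these lines only govern PPTP passing through the firewall; a native Windows client that should land on this tunnel-group has to be set to L2TP/IPsec rather than PPTP.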

Thanks, after changing this the packet is no longer discarded, but I can't connect Windows XP or Windows 7 to the VPN server using L2TP/IPsec; I get error 800.

After this I tried the configuration for the web-based AnyConnect client and it works very fast and better. I think it is the better solution.
