07-24-2013 12:53 AM
Hello everybody,
I have issues making the VPN IPsec Remote Access work.
The objective is to be able to connect to our internal network from home or wherever else.
When I try to connect to my VPN from home, I don't go farther than Phase 1.
My architecture is a Cisco ASA5505 behind a router-gateway from ISP. The IP address of the modem is 192.168.1.1 for outside.
The IP address of the ASA is 192.168.1.254 for outside and 10.0.0.1 for inside. I've put the ASA in a DMZ of the ISP modem to be able to reach it through the Internet (I wanted to use the ISP modem-router-gateway just as a simple gateway and manage the other things with the ASA).
So my problem is that I don't manage to connect to the VPN through the public IP address.
Here is my config:
: Saved
:
ASA Version 8.2(5)
!
hostname Cisco-ASA-5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
clock timezone GMT 1
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 81.253.149.9 80.10.246.1 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
webvpn
username admin password 4RdDnLO1w2ilihWc encrypted
username test password zGOnThs6HPdiZhqs encrypted
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
address-pool VPNpool
tunnel-group testvpn ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c
: end
My client config is attached.
When I watch what happens during the connection with Wireshark, I can see "Port unreachable". Do I have to do something on my ISP router? Because I've read that it is not necessary to use NAT if the device is in the DMZ.
Can you help me please?
07-24-2013 04:12 AM
Hello John,
first I would like to ask you why you are using a third-party VPN client. Cisco has its own AnyConnect VPN client.
Next, you will need to open the IPsec ports on the router if you want to use IPsec for VPN; otherwise you can use SSL VPN, which communicates on port 443.
Best regards,
Jan
07-24-2013 04:47 AM
When I tried to download the Anyconnect VPN client, I didn't manage to do it...
So you mean that I have to do some NAT at the modem level? I've deactivated the firewall of the modem, so it can't be the firewall which is blocking the flow.
I thought that putting the ASA in the DMZ would be enough?
07-24-2013 05:11 AM
Because you have private address on your outside interface you will have to tell your router to forward traffic to ASA. So you can do NAT or port forward to ASA.
I assume that you have only one public IP assigned by your ISP.
Regards,
Jan
07-24-2013 06:30 AM
So I did the port forwarding for those ports:
ISAKMP - UDP 500
ESP - ESP 50
ISAKMP NAT-Traversal - UDP 4500
IPSEC Over UDP - UDP 10000
IPSEC Over TCP - TCP 10000
Yes, I have just one public IP address from my ISP.
Thanks, I'll test the connection soon and let you know about it.
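As an added example (not code from the thread or from Cisco), here is a small Python checker that parses the relevant lines of the config posted above and reports the two things this thread turns on: the outside interface carries a private address, so the ISP router must forward ISAKMP, NAT-T and ESP to the ASA, and a third-party client must propose exactly the phase 1 policy and transform-set the ASA is configured with. The config excerpt is constructed from the post, and the list of required forwards is an assumption drawn from the ports John forwarded above.

```python
import ipaddress

# Constructed excerpt of the ASA 8.2 config posted above (sub-commands indented as in a real running-config).
ASA_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 192.168.1.254 255.255.255.0
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
"""
# Assumed minimum the upstream NAT device must pass for IKEv1 remote access: ISAKMP, NAT-T, raw ESP.
REQUIRED_FORWARDS = (("udp", 500), ("udp", 4500), ("esp", 50))

def parse_asa(config):
    """Pull the outside IP, isakmp policies and transform-sets out of a config."""
    out = {"outside_ip": None, "isakmp_policies": {}, "transform_sets": {}}
    section = nameif = policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):              # top-level command: new section
            section = None
            if line.startswith("interface "):
                section, nameif = "interface", None
            elif line.startswith("crypto isakmp policy "):
                section, policy = "policy", int(line.split()[-1])
                out["isakmp_policies"][policy] = {}
            elif line.startswith("crypto ipsec transform-set "):
                parts = line.split()
                out["transform_sets"][parts[3]] = parts[4:]
        elif section == "interface":
            if line.startswith("nameif "):
                nameif = line.split()[1]
            elif line.startswith("ip address ") and nameif == "outside":
                out["outside_ip"] = line.split()[2]
        elif section == "policy":
            key, _, value = line.partition(" ")   # e.g. "encryption aes-256"
            out["isakmp_policies"][policy][key] = value
    return out

def check(config, forwarded=()):
    """Is the ASA behind NAT, what is still unforwarded, what must the client propose?"""
    parsed = parse_asa(config)
    behind_nat = ipaddress.ip_address(parsed["outside_ip"]).is_private
    return {
        "behind_nat": behind_nat,
        "missing_forwards": [f for f in REQUIRED_FORWARDS if f not in forwarded] if behind_nat else [],
        "phase1": [parsed["isakmp_policies"][n] for n in sorted(parsed["isakmp_policies"])],
        "phase2": parsed["transform_sets"],
    }
```

With no forwards configured, `check(ASA_CONFIG)` flags all three required forwards; with John's list passed in, the list comes back empty and only the phase 1 / phase 2 parameters the client must match remain.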
07-26-2013 01:39 AM
I've also put the ASA in the DMZ and I can reach the VPN server from home. But I get stuck on phase 1 key exchange.
I get the error message: "protocol not supported".
I'll try to register my product to be able to get Cisco's VPN client then.
Thanks for your help Jan.
07-26-2013 02:12 AM
Hi John,
glad to hear you discovered where the problem is. I have never used third-party VPN clients with ASA, exactly for this reason. But it is a challenge to try it.
AnyConnect should be bundled with the ASA CD. If you do not have the CD, it is possible to download it from Cisco downloads, BUT unfortunately you NEED a valid service contract with Cisco to download the newest VPN client.
Best regards,
Jan
07-26-2013 02:32 AM
Jan,
I didn't see that there are VPN client setups on the ASA CD... Thanks!
I don't really need the latest version if the provided version is working.
Have a nice day!
John
07-26-2013 03:40 AM
I have checked some CDs and found they should contain an AnyConnect installation appropriate for when the ASA was released.
Of course you don't need the latest version of the VPN client; you can work with the client version supplied.
Jan