I am having issues making the IPsec remote-access VPN work.
The objective is to be able to connect to our internal network from home or wherever else.
When I try to connect to my VPN from home, I don't go farther than Phase 1.
My architecture is a Cisco ASA5505 behind a router-gateway from my ISP. The IP address of the modem is 192.168.1.1 for outside.
The IP address of the ASA is 192.168.1.254 for outside and 10.0.0.1 for inside. I've put the ASA in a DMZ of the ISP modem to be able to reach it through the Internet (I wanted to use the ISP modem-router-gateway just as a simple gateway and manage the other things with the ASA).
So my problem is that I don't manage to connect to the VPN through the public IP address.
Here is my config:
ASA Version 8.2(5)
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
switchport access vlan 2
ip address 10.0.0.1 255.255.255.0
ip address 192.168.1.254 255.255.255.0
ftp mode passive
clock timezone GMT 1
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 18.104.22.168 22.214.171.124 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
username admin password 4RdDnLO1w2ilihWc encrypted
username test password zGOnThs6HPdiZhqs encrypted
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
tunnel-group testvpn ipsec-attributes
prompt hostname context
no call-home reporting anonymous
My client config is attached.
When I watch what happens during the connection with Wireshark, I can see "Port unreachable". Do I have to do something on my ISP router? Because I've read that it is not necessary to use NAT if the device is in the DMZ.
Can you help me, please?
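As an added illustration (not from the original post or from Cisco), here is a small Python lint that reads an ASA 8.2-style config excerpt modelled on the one above and reports which remote-access IPsec prerequisites are absent: ISAKMP enabled on outside, the crypto map bound to outside, NAT-T enabled (needed when the ASA sits behind the modem's NAT), ISAKMP policy attributes, the tunnel-group address pool and pre-shared key, and a NAT-exemption ACL that actually covers the VPN pool. The sample config is constructed from the posted lines, and the check names and patterns are my own assumptions about what the running config should show.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted above (not the full running config).
SAMPLE_CONFIG = """\
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
ip local pool VPNpool 10.0.1.1-10.0.1.50
nat (inside) 0 access-list NONAT
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
tunnel-group testvpn type remote-access
"""


def nonat_covers_pool(config):
    """True if the NAT-exempt ACL destination network covers the whole VPN address pool."""
    pool = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    acl = re.search(r"^access-list NONAT extended permit ip \S+ \S+ (\S+) (\S+)", config, re.M)
    if not pool or not acl:
        return False
    dst = ipaddress.ip_network(f"{acl.group(1)}/{acl.group(2)}", strict=False)
    first, last = ipaddress.ip_address(pool.group(1)), ipaddress.ip_address(pool.group(2))
    return first in dst and last in dst


def missing_ra_ipsec_items(config):
    """Return the names of remote-access IPsec prerequisites not found in the config text."""
    checks = {
        "crypto isakmp enable outside": r"^crypto isakmp enable outside$",
        "crypto map bound to outside": r"^crypto map \S+ interface outside$",
        "dynamic crypto map entry": r"^crypto map \S+ \d+ ipsec-isakmp dynamic \S+$",
        # NAT-T lets IKE/ESP survive the modem's NAT (UDP 4500 encapsulation).
        "crypto isakmp nat-traversal": r"^crypto isakmp nat-traversal",
        # ASA sub-commands are indented by one space in a running config.
        "isakmp policy attributes": r"^ (authentication|encryption|hash|group) ",
        "tunnel-group address-pool": r"^ address-pool \S+",
        "tunnel-group pre-shared-key": r"^ pre-shared-key ",
        "NONAT covers VPN pool": None,  # handled by nonat_covers_pool()
    }
    missing = []
    for name, pattern in checks.items():
        ok = nonat_covers_pool(config) if pattern is None else bool(re.search(pattern, config, re.M))
        if not ok:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for item in missing_ra_ipsec_items(SAMPLE_CONFIG):
        print("missing:", item)
```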
First, I would like to ask why you are using a third-party VPN client. Cisco has its own AnyConnect VPN client.
Next, you will need to open the IPsec ports on the router if you want to use IPsec for the VPN; otherwise you can use SSL VPN, which communicates on port 443.
When I tried to download the AnyConnect VPN client, I didn't manage to do it...
So you mean that I have to do some NAT at the modem level? I've deactivated the firewall of the modem, so it can't be the firewall that is blocking the flow.
I thought that putting the ASA in the DMZ would be enough?
So I did the port forwarding for these ports:
ISAKMP - UDP 500
ESP - ESP 50
ISAKMP NAT-Traversal - UDP 4500
IPSEC Over UDP - UDP 10000
IPSEC Over TCP - TCP 10000
Yes, I have just one public IP address from my ISP.
Thanks, I'll test the connection soon and let you know about it.
I've also put the ASA in the DMZ, and I can reach the VPN server from home. But I get stuck on the Phase 1 key exchange.
I get the error message: "protocol not supported".
I'll try to register my product to be able to get Cisco's VPN client then.
Thanks for your help Jan.
Glad to hear you discovered where the problem is. I have never used third-party VPN clients with the ASA, exactly for this reason. But it is a challenge to try it.
AnyConnect should be bundled on the ASA CD. If you do not have the CD, it is possible to download it from Cisco Downloads, BUT unfortunately you NEED a valid service contract with Cisco to download the newest VPN client.
I didn't see that there were VPN client setups on the ASA CD... Thanks!
I don't really need the latest version if the provided version is working.
Have a nice day!
I have checked some CDs and found that they should contain an AnyConnect installation appropriate to when the ASA was released.
Of course you don't need the latest version of the VPN client; you can work with the client version supplied.