Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA5505 - VPN not working

Hello everybody,

I have issues to make the VPN IPsec Remote Access work.

The objective is to be able to connect to our internal network from home or wherever else.

When I try to connect to my VPN from home, I don't go farther than Phase 1.

My architecture is a Cisco ASA5505 behind a router-gateway from ISP. The IP address of the modem is 192.168.1.1 for outside.

The IP address of the ASA is 192.168.1.254 for outside and 10.0.0.1 for inside. I've put the ASA in a DMZ of the ISP modem to be able to reach it through the Internet (I wanted to use the ISP modem-router-gateway just as a simple gateway and manage the other things with the ASA).

So my problem is that I don't manage to connect to the VPN through the public IP address.

Here is my config :

: Saved

:

ASA Version 8.2(5)

!

hostname Cisco-ASA-5505

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.1.254 255.255.255.0

!

ftp mode passive

clock timezone GMT 1

access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNpool 10.0.1.1-10.0.1.50

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

route inside 192.168.2.0 255.255.255.0 10.0.0.42 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN-MAP 10 set transform-set RA-TS

crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP

crypto map VPN-MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 3600

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 10.0.0.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 10.0.0.10-10.0.0.40 inside

dhcpd dns 81.253.149.9 80.10.246.1 interface inside

dhcpd update dns both override interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config

webvpn

username admin password 4RdDnLO1w2ilihWc encrypted

username test password zGOnThs6HPdiZhqs encrypted

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool VPNpool

tunnel-group testvpn ipsec-attributes

pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c

: end


My client config is in attachment.

When I watch what's happened during the connectin with Wireshark, I can see "Port unreachable". Do I have to do something on my ISP router ? Because I've read that it is not necessary to use NAT if the device is in the DMZ.

Can you help me please ?

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

ASA5505 - VPN not working

Because you have private address on your outside interface you will have to tell your router to forward traffic to ASA. So you can do NAT or port forward to ASA.

I assume that you have only one public IP assigned by your ISP.

Regards,

Jan

8 REPLIES
Bronze

ASA5505 - VPN not working

Hello John,

first I would like to ask you why you are using 3th party VPN client. Cisco has their own Anyconnect VPN client.

Next you will need open IPSec ports on router if you want to use IPSec for VPN otherwise you can use SSL VPN which communicate on port 443.

Best regards,

Jan

New Member

ASA5505 - VPN not working

When I tried to download the Anyconnect VPN client, I didn't manage to do it...

So you mean that I have to do some NAT on the modem level ? I've deactivated the firewall of the modem so it can't be the firewall which is blocking the flow.

I thought that putting the ASA in the DMZ would be enough ?

Bronze

ASA5505 - VPN not working

Because you have private address on your outside interface you will have to tell your router to forward traffic to ASA. So you can do NAT or port forward to ASA.

I assume that you have only one public IP assigned by your ISP.

Regards,

Jan

New Member

ASA5505 - VPN not working

So I did the port forwarding for those ports :

ISAKMP - UDP 500

ESP - ESP 50

ISAKMP NAT-Traversal - UDP 4500

IPSEC Over UDP - UDP 10000

IPSEC Over TCP - TCP 10000

Yes I have just one public IP address from my ISP.

Thanks, I'll test the connection soon and let you know about it.

New Member

ASA5505 - VPN not working

I've also put the ASA in the DMZ and I can reach the VPN server from home. But I get stuck on phase 1 key exchange.

I get the error message : "protocol not supported".

I'll try to register my product to be able to get Cisco's VPN client then.

Thanks for your help Jan.

Bronze

ASA5505 - VPN not working

Hi John,

glad to hear you discovered where is the problem. I have never used 3th party VPN clients with ASA exactly for this reasons. But it is challenge to try it.

Anyconnect should be bundeled with ASA CD. I you do not have CD so it is possible to download it from Cisco download BUT unfortunately you NEED valid service contract with Cisco to download newest VPN client.

Best regards,

Jan

New Member

ASA5505 - VPN not working

Jan,

I didn't see that there are VPN clients setup in the ASA CD ... Thanks !

I don't really need the lastest version if the provided version is working.

Have a nice day !

John

Bronze

Re: ASA5505 - VPN not working

I have checked some CD's and found it should contain some Anyconnect installation appropriate when ASA was released.

Of course You don't need latest version of VPN client, you can work with client version supplied.

Jan

279
Views
5
Helpful
8
Replies
CreatePlease to create content