Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How do I setup ASA5520 VPN for Network (Client) Access?

I have an ASA5520 and need to allow users to connect to the inside network (and some users to the management network if possible), using the VPN client. I went through the wizard on the ASDM and created an access control list for the ports used by the VPN client. When checking the logs, it tends to say that the access to the port is denied by the outside interface. Using the packet trace feature it fails on my implicit deny all for the outside interface, even though I specifically gave access on those ports. Could this be a group policy issue, or some other feature not being setup properly?

Here is what I'm allowing:

object-group service DM_INLINE_SERVICE_4
service-object esp
service-object tcp-udp eq 10000
service-object udp eq isakmp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any host IP1

This is what I see on the log:

2Apr 06 201011:29:2010600610.10.101.284765IP1500Deny inbound UDP from 10.10.101.28/4765 to IP1/500 on interface outside

6 REPLIES

Re: How do I setup ASA5520 VPN for Network (Client) Access?

Hi,

Please chjeck the below link to make sure everything is configured correctly.

http://www9.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/remvpn.html

If you still experience issues, post the configs of the ASA (show runn).

hth

MS

New Member

Re: How do I setup ASA5520 VPN for Network (Client) Access?

Thanks for the reply.

I ran through the wizard again using the link you gave me. I get the same line in the log:

2Apr 06 201013:57:3110600672.96.164.16116142IP1500Deny inbound UDP from 72.96.164.161/16142 to IP1/500 on interface outside

My startup config is attached.

New Member

Re: How do I setup ASA5520 VPN for Network (Client) Access?

Make sure the client is offering the transforms you have set on your ASA.

For example, if you are tying to use AES-128, the IPSEC client needs to offer AES-128.

If you are connected to the CLI of the ASA and run debug crypto isakmp 254 and then try to connect. The "Wall of text" that appears will also show the transform sets the client is offering to the ASA.  Depending on the ipsec client I have seen this vary from 4 to 12 offerings.  Make sure you configure the ASA to one of those options.

New Member

Re: How do I setup ASA5520 VPN for Network (Client) Access?

How do I configure the VPN client to the transforms on the ASA? I'm using Cisco VPN Client v5.0.06.0160.

On another note, what are transforms? Are they necessary? Is there a document on this so I can do some more reading?

Thanks

New Member

Re: How do I setup ASA5520 VPN for Network (Client) Access?

My apologies, I misread the error.

As a test, edit the VPN using the ASDM to bypass the access list when connecting to the VPN.  This is in step one of configuring the VPN.

If that works, it could be the access list "...service_4" is permitting traffic to an IP that is not on the firewall.

New Member

Re: How do I setup ASA5520 VPN for Network (Client) Access?

I thought about this last night.  The denied error is to IP1.  Are you telling the VPN client to connect to the outside interface of the ASA or are you trying to connect the VPN to IP1?

When you run the wizard, it will setup the VPN to allow it to connect to the interface you specify in the wizard.  In this case I would guess that you would want to use the outside interface.  Your VPN client should then use that host address (Outside interface) to connect to.  That deny almost looks like you are trying to connect to IP1.

5495
Views
0
Helpful
6
Replies