Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1003
Views
0
Helpful
2
Replies

My First VPN with a ASA 5505

mrkylewood
Level 1
Level 1

‎05-09-2012 09:15 PM

First of all, thanks for reading my post.

I have a newly aquired asa 5505 that I just set up to the bare minimum configurations. I followed a cisco paper on how to create a "remote access vpn" setup for ipsec. I can sucessfully connect and establish a VPN, but when I try to access an inside resource from the vpn address, the asa blocks it.

Specific error is:


5 May 09 2012 15:17:48 305013 192.168.1.2 80 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.220/53101 dst inside:192.168.1.2/80 denied due to NAT reverse path failure


Here is my config.

: Saved
:
ASA Version 8.2(2)
!
hostname asawood
domain-name wood.local
enable password W/KqlBn3sSTvaD0T encrypted
passwd W/KqlBn3sSTvaD0T encrypted
names
name 192.168.1.117 kylewooddesk description kyle
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name wood.local
object-group service rdp tcp
description rdp access
port-object eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 3333
access-list inside_nat0_outbound extended permit ip any 192.168.1.200 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.1.220-192.168.1.230
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 kylewooddesk 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8080 kylewooddesk 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3333 192.168.1.86 3333 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3000
!
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username vpnkyle password p29RprV0OZB6997h encrypted
username mrkylewood password Q4339wmn1ourxj9X encrypted
tunnel-group woodgroup type remote-access
tunnel-group woodgroup general-attributes
address-pool vpnpool
tunnel-group woodgroup ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
policy-map type inspect dns MY_DNS_INSPECT_MAP
parameters
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/...es/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f9f7a0ad86a0a913921eed28f1e7369c
: end
asdm image disk0:/asdm-631.bin
asdm location kylewooddesk 255.255.255.255 inside
no asdm history enable

Labels:
0 Helpful
2 Replies 2

Julio Carvajal
VIP Alumni
VIP Alumni

‎05-09-2012 11:11 PM

Hello Kyle,

The Unicast Reverses Path Check is going to drop the packet as he is going to receive a packet on the outside interface from a host from the inside interface subnet.

So here is what you can try:

1- THIS WILL SOLVE IT 100 % sure. Change the pool from the VPN remote users to a different one from the inside interface

2- Disable the uRPF check from the outside interface.

As a Security Engineer Guy I will go with option 1

Regards.

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

mrkylewood
Level 1
Level 1
In response to Julio Carvajal

‎05-10-2012 07:53 AM

I changed the vpn pool from ip local pool vpnpool 192.168.1.220-192.168.1.230

to  ip local pool vpnpool 192.168.2.220-192.168.2.230

And when I try to access an internal ip while on vpn, these error comes up in the log.

5May 10 201203:09:51305013192.168.1.280

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.2.220/49730 dst inside:192.168.1.2/80 denied due to NAT reverse path failure
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents