New Member

Remote Access IPsec VPN on ASA 7.2

I have recently configured a remote access VPN on a customer ASA 7.2. I have tested the RA IPsec VPN by using an IP address that is in the same segment as the outside interface of the ASA, and it works.

But the funny thing right now is that if I am using a client that is using NAT to access the network, I have a problem connecting. It can't even contact the security gateway and get past the phase 1 authentication of the tunnel group and pre-shared key. There is nothing in the VPN client log.

I have configured NAT-T too.

Anyone have any idea? Here's the config that's relevant to the remote access IPsec VPN.

access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.203.8.0 255.255.255.0
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy ntnvpn internal
group-policy ntnvpn attributes
 dns-server value 165.21.83.88 165.21.100.88
 vpn-tunnel-protocol IPSec
 default-domain value x
username hw-support password x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group ntnvpn type ipsec-ra
tunnel-group ntnvpn general-attributes
 address-pool vpnpool
 default-group-policy ntnvpn
tunnel-group ntnvpn ipsec-attributes
 pre-shared-key *
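An added sanity check, not part of this thread or of any Cisco tool, that parses the fragments posted above and verifies the settings a client behind NAT depends on: ISAKMP enabled on outside, NAT-T on, the crypto map bound to outside, and the tunnel-group's address pool fully covered by the nat 0 exemption ACL. It assumes the ASA running-config layout shown and Python 3.8+; the embedded config is a constructed copy of the fragments above.

```python
import ipaddress
import re

# Constructed sample input: the remote-access IPsec fragments from the post,
# with the split access-list line rejoined.
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.203.8.0 255.255.255.0
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
tunnel-group ntnvpn general-attributes
 address-pool vpnpool
"""


def check_ra_ipsec(config):
    """Check the settings a NAT'd IPsec client depends on; returns {check: bool}."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = {
        # ISAKMP must listen on the outside interface ...
        "isakmp_on_outside": "crypto isakmp enable outside" in lines,
        # ... and NAT-T must be on, or ESP never survives the client's NAT device
        "nat_t_enabled": any(ln.startswith("crypto isakmp nat-traversal") for ln in lines),
        # the crypto map carrying the dynamic entry must be applied to outside
        "crypto_map_bound": any(re.match(r"crypto map \S+ interface outside$", ln) for ln in lines),
    }
    # Pool definitions: name -> (first address, last address)
    pools = {}
    for ln in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", ln)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    # Pool the tunnel-group hands out, and the ACL that drives "nat (inside) 0"
    used_pool = next((ln.split()[1] for ln in lines if ln.startswith("address-pool ")), None)
    acl = next((m.group(1) for ln in lines
                if (m := re.match(r"nat \(inside\) 0 access-list (\S+)", ln))), None)
    # Destination networks the identity-NAT ACL exempts
    exempt = []
    for ln in lines:
        m = re.match(r"access-list (\S+) extended permit ip \S+ \S+ (\S+) (\S+)$", ln)
        if m and m.group(1) == acl:
            exempt.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    # Every pool address must sit inside one exempted network, otherwise return
    # traffic to the client gets NATed and the tunnel comes up but passes no data
    first_last = pools.get(used_pool)
    findings["pool_exempt_from_nat"] = bool(first_last) and any(
        first_last[0] in net and first_last[1] in net for net in exempt)
    return findings


if __name__ == "__main__":
    for name, ok in check_ra_ipsec(ASA_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```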

7 REPLIES
Cisco Employee

Re: Remote Access IPsec VPN on ASA 7.2

Hi,

If you are sitting in the 10.203.1.0 and going to the Internet through the same ASA and connecting to the outside IP of the ASA, then it is not funny. It is an incorrect way of connecting.

If it is something else, then please reply.

Regards.

New Member

Re: Remote Access IPsec VPN on ASA 7.2

Hi,

My test method was not sitting on the 10.203.1.0 network and connecting to the outside IP of the ASA. What I meant was sitting on the outside interface of the ASA and using a public IP on a client.

New Member

Re: Remote Access IPsec VPN on ASA 7.2

What kind of errors on the ASA are you getting? Turn on debug cryp isakmp and debug cryp ipsec and see what happens when that client tries to connect.

New Member

Re: Remote Access IPsec VPN on ASA 7.2

One other thing, it might be very obvious, but do you have a default route set up? You mentioned that it works when on the same subnet, but I'm assuming that when you're behind whatever NAT device, you're coming from another network? I might be totally off, but since I don't know the details of your test environment, just check that to make sure.

New Member

Re: Remote Access IPsec VPN on ASA 7.2

Yes, there's a default route set and I have tried using a 56k dialup and it's not working. I guess I gotta do some debugs to further troubleshoot the problem.

Anyway, someone suggested disabling pfs. Anyone know what this does?

crypto dynamic-map outside_dyn_map 20 set pfs

And he also suggested changing sha to md5.

New Member

Re: Remote Access IPsec VPN on ASA 7.2

See here for a somewhat cryptic explanation of pfs, i.e. perfect forward secrecy:

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

If you're doing client VPN, I don't think changing this stuff helps. Usually, modifying pfs and md5/sha is important to match up on LAN-to-LAN tunnels. With a client, the end device (your router/concentrator) tells the client what to use. As long as you're not using a very outdated client, I wouldn't think there'd be a problem.

Keep in mind that you can also turn on some debugging in the Cisco client. I believe it's under 'Options'.

Cisco Employee

Re: Remote Access IPsec VPN on ASA 7.2

Hi,

Begin with a small test here...

Test if you are able to ping the outside IP address of the ASA from the client PC. If you are, then check that the device in between which is doing the NAT is not blocking

UDP 500

ESP

UDP 4500

If it's not, then check if you have "Transparent Tunneling" enabled on the client.

You also want to check the connection using "IPSec over TCP".

HTH,

-Kanishka
