Cisco VPN Client Behind ASA 5505


Solution 1

I am assuming your workstation is behind the ASA5505's inside interface on the 192.168.1.0/24 network. Your workstation, the IKE/IPSec initiator, is connecting to a far-off ASA5510, the IKE/IPSec responder, on your ASA5505's outside interface (the Internet). Your workstation is dynamic PAT'd when its traffic crosses inside -> outside.

Without seeing the remote ASA5510 config and additional debug output it is difficult to determine the problem. Instead, I will describe the three possible ways to get IKE/IPSec working across NAT/PAT boundaries. Each one of the below is a complete solution.

ASA configuration entries below are valid for ASA 8.4.

1. Enable IKE NAT Traversal (IKE NAT-T) on the responder (ASA5510) and configure the Cisco VPN client to use IPSec over UDP/NAT-T. IKE NAT-T is not to be confused with general NAT traversal like STUN, etc. IKE NAT-T is defined in RFC3947 and is supported in many initiators and responders -- both software and hardware. IKE NAT-T has also been called IPSec over UDP and uses UDP/500 and UDP/4500 (usually) on the responder. Ensure the initiator can connect to the responder on UDP/500 and UDP/4500.

crypto isakmp nat-traversal 30

2. Enable IPSec over TCP on the responder (ASA5510) and configure the Cisco VPN client to use IPSec over TCP. With IPSec over TCP the IKE and IPSec connectivity and sessions solely use the TCP port specified. TCP/10000 is default. Make sure the initiator can connect to the responder on the chosen TCP port.

crypto ikev1 ipsec-over-tcp 10000

3. Configure static NAT for the workstation/initiator -- not dynamic PAT or static PAT -- and enable inspect ipsec-pass-thru ALG/inspection on the initiator side (your) ASA. Per the ASA 8.4 (and under) documentation the ASA's ipsec-pass-thru ALG is only supported on static NAT (traditional NAT) and no-NAT traffic, not on PAT'd traffic.

object network hst-192.168.1.100
 description WS01
 host 192.168.1.100
 nat (inside,outside) static 1.2.3.4

class-map default_inspection_class
 match default-inspection-traffic

policy-map example_policy
 class default_inspection_class
  inspect ipsec-pass-thru

To my knowledge those are the only known ways of getting IPSec working through NAT -- be it PAT or NAT. Look at your situation with your ASA, the remote ASA, and take your pick.

-Weaver
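Added example (not from either answer, and not Cisco's own tooling): a small Python checker that reads an ASA 8.4 style config and reports which of the three options above it enables for a given inside host, treating static PAT (the "service" form) as not qualifying for ipsec-pass-thru. The config text is constructed for the example; run it against the responder's config to check options 1 and 2 and against the initiator-side config to check option 3.

```python
# Constructed sample in the style of the ASA 8.4 running-config posted below (not the poster's config).
SAMPLE_CONFIG = """\
crypto isakmp nat-traversal 30
object network hst-192.168.1.100
 host 192.168.1.100
 nat (inside,outside) static 1.2.3.4
object network rdp
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 3389 3389
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
"""

def parse_asa(config):  # collect the NAT-traversal facts from an ASA config text
    facts = {"nat_t": False, "ipsec_over_tcp": None, "ipsec_pass_thru": False, "objects": {}}
    obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends any object block
            obj = None
            if line.startswith("object network "):  # the same name may reappear later
                obj = facts["objects"].setdefault(line.split()[2], {"host": None, "nat": None})
        elif obj is not None and line.startswith("host "):
            obj["host"] = line.split()[1]
        elif obj is not None and line.startswith("nat "):
            obj["nat"] = line
        if line.startswith("crypto isakmp nat-traversal"):
            facts["nat_t"] = True
        elif line.startswith("crypto ikev1 ipsec-over-tcp"):  # port optional, 10000 is default
            port = line.split()[-1]
            facts["ipsec_over_tcp"] = int(port) if port.isdigit() else 10000
        elif line == "inspect ipsec-pass-thru":
            facts["ipsec_pass_thru"] = True
    return facts

def nat_kind(facts, ip):  # static-nat, static-pat or dynamic-pat for an inside host
    rule = next((o["nat"] for o in facts["objects"].values()
                 if o["host"] == ip and o["nat"]), "")
    if " static " not in rule:
        return "dynamic-pat"  # no object NAT: the after-auto dynamic PAT rule applies
    return "static-pat" if " service " in rule else "static-nat"

def viable_methods(facts, ip):  # the approaches this one config makes possible for ip
    m = ["ike-nat-t"] if facts["nat_t"] else []
    if facts["ipsec_over_tcp"]:
        m.append("ipsec-over-tcp/%d" % facts["ipsec_over_tcp"])
    if facts["ipsec_pass_thru"] and nat_kind(facts, ip) == "static-nat":
        m.append("ipsec-pass-thru")
    return m
```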

Solution 2

It's very possible that it's a NAT issue. You need to configure NAT traversal on the 5510. Do that like this:

crypto isakmp nat-traversal 30

If that doesn't work, can you provide us show runs on both devices?

Author: fdf33

Updated on September 18, 2022

Comments

  • fdf33
    fdf33 over 1 year

    I'm trying to get connected to another ASA via Cisco VPN Client. I am behind an ASA 5505 myself and I am trying to VPN to a 5510.

    I get the message:

    Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding.

    I can connect to the other ASA if I use a normal cheap Linksys.

    Here's the version of my ASA:

    Result of the command: "sh ver"

    Cisco Adaptive Security Appliance Software Version 8.4(1)

    Any help would be great.

    Thanks


    running-config

    : Saved
    : Written by enable_15 at 23:12:32.378 UTC Fri Jul 1 2011
    !
    ASA Version 8.4(1) 
    !
    hostname aaaasa
    domain-name aaa.local
    enable password xxxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxxxxxx encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.254 255.255.255.0 
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address xxx.xxx.xxx.xxx 255.255.254.0 
    !
    interface Vlan5
     no nameif
     security-level 50
     ip address 172.16.0.254 255.255.255.0 
    !
    interface Vlan500
     no nameif
     security-level 100
     ip address 10.10.10.1 255.255.255.0 
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 4.2.2.2
     domain-name aaa.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any 
     subnet 0.0.0.0 0.0.0.0
    object network A_93.97.168.1 
     host 93.97.168.1
    object network rdp 
     host 192.168.1.2
    object network NETWORK_OBJ_192.168.1.0_24 
     subnet 192.168.1.0 255.255.255.0
    access-list 101 extended permit tcp any host 192.168.1.2 eq 3389 
    access-list 101 extended permit icmp any any echo-reply 
    access-list 101 extended permit icmp any any source-quench 
    access-list 101 extended permit icmp any any time-exceeded 
    access-list 101 extended permit icmp any any unreachable 
    access-list 102 extended permit ip any any 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1492
    ip local pool VPNPool 192.168.2.200-192.168.2.210 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    no asdm history enable
    arp timeout 14400
    !
    object network rdp
     nat (inside,outside) static interface service tcp 3389 3389 
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group 101 in interface outside
    access-group 102 out interface outside
    !
    router ospf 1
     network 192.168.1.0 255.255.255.0 area 0
     log-adj-changes
    !
    route outside 0.0.0.0 0.0.0.0 93.97.168.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ciscoasa
     proxy-ldc-issuer
     crl configure
    crypto ca certificate chain ASDM_TrustPoint0
     certificate 8877d64d
      quit
    crypto isakmp nat-traversal 30
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd dns 4.2.2.2 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 3
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 82.219.4.31 source outside prefer
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
     anyconnect profiles AnyConnectVPN_client_profile disk0:/AnyConnectVPN_client_profile.xml
     anyconnect profiles SSLAnyConnectVPN_client_profile disk0:/SSLAnyConnectVPN_client_profile.xml
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_AnyConnectVPN internal
    group-policy GroupPolicy_AnyConnectVPN attributes
     wins-server none
     dns-server value 4.2.2.2
     vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
     default-domain value aaa.local
     webvpn
      url-list none
      anyconnect profiles value AnyConnectVPN_client_profile type user
    group-policy GroupPolicy_SSLAnyConnectVPN internal
    group-policy GroupPolicy_SSLAnyConnectVPN attributes
     wins-server none
     dns-server value 4.2.2.2
     vpn-tunnel-protocol ikev2 ssl-client 
     default-domain value aaa.local
     webvpn
      anyconnect profiles value SSLAnyConnectVPN_client_profile type user
    username testuser password xxxxxxxxxxxxxxxxx encrypted privilege 0
    username testuser attributes
     vpn-group-policy GroupPolicy_AnyConnectVPN
    tunnel-group SSLPOL type remote-access
    tunnel-group SSLPOL general-attributes
     default-group-policy GroupPolicy_AnyConnectVPN
    tunnel-group SSLAnyConnectVPN type remote-access
    tunnel-group SSLAnyConnectVPN general-attributes
     address-pool VPNPool
     default-group-policy GroupPolicy_SSLAnyConnectVPN
    tunnel-group SSLAnyConnectVPN webvpn-attributes
     group-alias SSLAnyConnectVPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect esmtp 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect ip-options 
      inspect netbios 
      inspect rsh 
      inspect rtsp 
      inspect sip  
      inspect skinny  
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect xdmcp 
    !
    service-policy global_policy global
    prompt hostname context 
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:94a65341aa27d3929d5e92a32ba22120
    : end
    
  • Zypher
    Zypher almost 13 years
    Is there anything in the ASA log?
  • Jason Berg
    Jason Berg almost 13 years
    This isn't needed at all. Return traffic is permitted by the firewall. The configuration you gave here is if he had a VPN server on the other side of the firewall that he was trying to connect to. Even if that were the solution, the configuration you posted is not compatible with his version of ASA software.
  • fdf33
    fdf33 almost 13 years
    Hi, I've put my running-conf above. I can't provide the other ASA config, but this is the config of my ASA that my Cisco VPN client is behind. I've edited it and taken out sensitive parts, though you'll get the idea. The other ASA can be connected to by anything other than my connection behind my ASA. For example, I can use a 3G dongle, friends ADSL connection, all fine.