Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1453
  • Last Modified:

VPN tunnel through ASA 5510

Hello EE,

I am trying to setup a VPN connection with our local school district and am running into brick wall.  They provided us with the VPN client they use to connect to their Cisco Device and credentials.  At this time I do not know what that device it.  The workstation I am using to connect is behind our Cisco ASA 5510.  I cannot connect.  Is there some thing in our firewall that need to be done to allow this connection? (i.e. NAT Rules, Access Rulles).  Can someone offer some assistance or advice?  See my attachments.

Thanks,

COK
KISD-VPN.jpg
kisdvpn.JPG
0
CityofKerrville
Asked:
CityofKerrville
Advertise Here
  • 10
  • 6
  • 4
  • +2
1 Solution
 
Pete LongTechnical ConsultantCommented:

VPN Ports through Firewalls
*****For IPSec VPNs*****
UDP 500 ISAKMP
UDP 4500 Nat-Traversal*
TCP 10000 (Cisco VPN clients can use this port if its been set on the client)
Protocol 50 (ESP)


Note2:To allow Cisco Client through a PIX/ASA version 7 or above
 
add the following

policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
0
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
Are you allowing the GRE protocol across the ASA 5510?

Using the Microsoft VPN client through Cisco ASA/PIX
http://www.petenetlive.com/TecBin/KB/0000009.htm
0
 
CityofKerrvilleAuthor Commented:
"Using the Microsoft VPN client through Cisco ASA/PIX"
I am using a Cisco Client not a Microsoft Client
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Learn More
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
Which Cisco VPN client version are you currently using?

Cisco VPN Client: Reason 412 - The remote peer is no longer responding
http://www.lamnk.com/blog/vpn/cisco-vpn-client-reason-412-the-remote-peer-is-no-longer-responding/
0
 
CityofKerrvilleAuthor Commented:
ProductName=Cisco Systems VPN Client 3.6.3 (B)

Suggested fixes from the link you provided
added exception rules for port 500, port 4500 and the ESP
Turned on NAT-T/TCP in your profile
Edited your profile and changed ForceKeepAlive=0 to 1

Still Cannot connect

firewall-rules.JPG
client.JPG
profile.JPG
0
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
The Cisco Systems VPN Client 3.6.3 is dated back to 2003. The latest Cisco VPN client is up to version 5.x now or you might consider the Cisco AnyConnect VPN Client v2.x as an alternative.

Cisco VPN Client
http://www.cisco.com/en/US/products/sw/secursw/ps2308/

0
 
CityofKerrvilleAuthor Commented:
Being that it is not my equipment that we are attempting access through VPN, I am at the mercy of what ever they give me on the client side.  We use anyconnect for our VPN connection here but I am pretty sure the security device has to be configured for anyconnect.  Would a newer client other than anyconnect make that much of a differance.  Does it look like the issue is on their end and not mine?  thanks.
0
 
Voltz-dkCommented:
Some older Cisco VPN devices doesn't support the TCP encapsulation - you could test this by trying to make a telnet to it on port 10000.  Do you get a connection?
If not, then skip trying that..  (Of cuz they could have set it to a nondefault port, but I'd expect they had told you or preconfigured the client then).

Next thing, enable logging in the client.  And change log setting - initially you're interested in IKE (ISAKMP), set that to high (lvl 3), and all others to 0.
Open log window, clear it, and then try your connection.  Might give you an idea of what goes wrong.. (or maybe us if you post it :)
0
 
lrmooreCommented:
> Cisco Systems VPN Client 3.6.3
>Would a newer client other than anyconnect make that much of a differance
Absolutely. The VPN client release is for the client, not the server end. If you have Vista, then you cannot use this old 3.6.3 client. You can easily upgrade your client to 4.9 or even higher on your end, regardless of the vpn server device at the other end.
You are correct that AnyConnect is a totally different animal and requires configuration (and licenses) on their end.
0
 
CityofKerrvilleAuthor Commented:
Tried a newer client. Version 5.something and had the same results.  I cannnot get my contact at the remote site on the phone?  Given what I ave shown already, what is the probability that problem is on his end?
0
 
Voltz-dkCommented:
Hard to say..  Try to enable logging in the client, change log settings so IKE & IPSEC are high, and then open log window.
Clear it, and try to connect.  What do you get?
0
 
CityofKerrvilleAuthor Commented:

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
1      13:47:33.715  04/06/09  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 98.x.x.x.
2      13:47:33.725  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 98.x.x.x
3      13:47:33.795  04/06/09  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
4      13:47:33.795  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
5      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
6      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
7      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
8      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
9      13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10     13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
11     13:47:53.865  04/06/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
12     13:47:54.367  04/06/09  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
13     13:47:54.417  04/06/09  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
14     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
15     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
16     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
17     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
0
 
Voltz-dkCommented:
Well, client is trying hard to contact but gets no replies.

It's of cuz guesswork, but I'd say chances are biggest that it doesn't reach the destination or is denied at the destination.
If you machine otherwise have basic Internet access, and you don't have some devices behind the ASA that could block IKE.  Then I'd say chances are pretty good problem is on other end.
0
 
CityofKerrvilleAuthor Commented:
There is a Cisco ISR 2821 between the Workstation and the ASA but I have not set up any blocking on it.  Would something like that be enabled by default?
0
 
Voltz-dkCommented:
No, that is not likely.  And according to the dump above, you got hitcount on the ASA so the traffic did reach the ASA.
I was concerned about device between ASA and Internet.
0
 
CityofKerrvilleAuthor Commented:
Call Cisco for verification and got the answer I expected.  It is NOT my firewall blocking the traffice.
0
 
CityofKerrvilleAuthor Commented:
Update
 
I took my laptop over the remote site and used there test connection to acces the the VPN and it work, but it still will not work behind my firewall.  After talking with Cisco, I feel confident that my firewall is not blocking the traffic and I read somewhere that the remote site needs to have NAT-T enabled?  Anyone know anything ablout this?
0
 
Voltz-dkCommented:
NAT-T allows IPSEC to work through NAT/PAT - but you never even get a reply to your first IKE packet..  Yes, it'll need NAT-T, but it might already have that.  Your problems begin before that.
0
 
CityofKerrvilleAuthor Commented:
Called Cisco again.  Resolved with this document
 
http://www.cisco.com/application/pdf/paws/63881/ipsec-pix70-nat.pdf 
0
 
Voltz-dkCommented:
I wonder.. what is it that you found in that document, which PeteLong didn't have in his first post?
0
 
CityofKerrvilleAuthor Commented:
The rules added per his post were partially the solution but did not fix the problem.  The ultimate fix was a Static NAT from the client machine inside my ASA to a public IP address..  2 unbearable hours on the phone with Cisco fixed the problem.
0
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
Even though the question was closed, I still recommend in the future that you also assign points to those that offered partial solutions for questions.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Learn More!
  • 10
  • 6
  • 4
  • +2
Advertise Here
Tackle projects and never again get stuck behind a technical roadblock.
Join Now