
VPN tunnel through ASA 5510

Last Modified: 2012-05-06
Hello EE,

I am trying to set up a VPN connection with our local school district and am running into a brick wall.  They provided us with the VPN client they use to connect to their Cisco device and credentials.  At this time I do not know what that device is.  The workstation I am using to connect is behind our Cisco ASA 5510.  I cannot connect.  Is there something in our firewall that needs to be done to allow this connection? (i.e. NAT rules, access rules).  Can someone offer some assistance or advice?  See my attachments.



Pete Long, Technical Architect
Distinguished Expert 2019


VPN Ports through Firewalls
*****For IPSec VPNs*****
UDP 4500 Nat-Traversal*
TCP 10000 (Cisco VPN clients can use this port if its been set on the client)
Protocol 50 (ESP)

Note 2: To allow the Cisco client through a PIX/ASA version 7 or above,
add the following

policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
Michael Worsham, Cloud/Infrastructure Solutions Architect

Are you allowing the GRE protocol across the ASA 5510?

Using the Microsoft VPN client through Cisco ASA/PIX


"Using the Microsoft VPN client through Cisco ASA/PIX"
I am using a Cisco client, not a Microsoft client.
Michael Worsham, Cloud/Infrastructure Solutions Architect

Which Cisco VPN client version are you currently using?

Cisco VPN Client: Reason 412 - The remote peer is no longer responding


ProductName=Cisco Systems VPN Client 3.6.3 (B)

Suggested fixes from the link you provided:
Added exception rules for port 500, port 4500 and ESP
Turned on NAT-T/TCP in the profile
Edited the profile and changed ForceKeepAlive=0 to 1

Still cannot connect.

Michael Worsham, Cloud/Infrastructure Solutions Architect

The Cisco Systems VPN Client 3.6.3 dates back to 2003. The latest Cisco VPN client is up to version 5.x now, or you might consider the Cisco AnyConnect VPN Client v2.x as an alternative.

Cisco VPN Client


Being that it is not my equipment that we are attempting to access through VPN, I am at the mercy of whatever they give me on the client side.  We use AnyConnect for our VPN connection here, but I am pretty sure the security device has to be configured for AnyConnect.  Would a newer client other than AnyConnect make that much of a difference?  Does it look like the issue is on their end and not mine?  Thanks.

Some older Cisco VPN devices don't support TCP encapsulation. You could test this by trying to telnet to it on port 10000.  Do you get a connection?
If not, then skip trying that.  (Of course they could have set it to a non-default port, but I'd expect they would have told you or preconfigured the client then.)

Next thing, enable logging in the client, and change the log settings: initially you're interested in IKE (ISAKMP), so set that to high (level 3) and all others to 0.
Open the log window, clear it, and then try your connection.  It might give you an idea of what goes wrong (or maybe us, if you post it :)
Les Moore, Systems Architect
Top Expert 2008

> Cisco Systems VPN Client 3.6.3
> Would a newer client other than AnyConnect make that much of a difference
Absolutely. The VPN client release is for the client, not the server end. If you have Vista, then you cannot use this old 3.6.3 client. You can easily upgrade your client to 4.9 or even higher on your end, regardless of the vpn server device at the other end.
You are correct that AnyConnect is a totally different animal and requires configuration (and licenses) on their end.


Tried a newer client, version 5.something, and had the same results.  I cannot get my contact at the remote site on the phone.  Given what I have shown already, what is the probability that the problem is on his end?

Hard to say.  Try to enable logging in the client, change the log settings so IKE and IPSEC are high, and then open the log window.
Clear it, and try to connect.  What do you get?



Cisco Systems VPN Client Version
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
1      13:47:33.715  04/06/09  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 98.x.x.x.
2      13:47:33.725  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 98.x.x.x
3      13:47:33.795  04/06/09  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
4      13:47:33.795  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
5      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
6      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
7      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
8      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
9      13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10     13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
11     13:47:53.865  04/06/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
12     13:47:54.367  04/06/09  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
13     13:47:54.417  04/06/09  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
14     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
15     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
16     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
17     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Well, the client is trying hard to contact the peer but gets no replies.

It's of course guesswork, but I'd say the chances are biggest that it doesn't reach the destination or is denied at the destination.
If your machine otherwise has basic Internet access, and you don't have some device behind the ASA that could block IKE, then I'd say chances are pretty good the problem is on the other end.
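The log above is readable by eye, but the same check is easy to automate when a help desk sees many of these. The following Python script is an added example, not code from the thread or from Cisco: it parses the Cisco VPN Client log layout shown in the post (a numbered header line followed by the message on the next line), counts ISAKMP packets sent and received, counts retransmissions, and flags the responder cookie (R_Cookie) staying at all zeros, which is the sign that no IKE reply ever arrived. The two sample logs are constructed for this example; the peer address is a documentation placeholder and the event id on the constructed RECEIVED line is assumed, not taken from a real client.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Header line layout as seen in the Cisco VPN Client 5.x log in the thread:
#   <index>  HH:MM:SS.mmm  MM/DD/YY  Sev=<Severity>/<level> <SUBSYS>/<event id>
HEADER_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<subsys>\w+)/(?P<event>0x[0-9A-Fa-f]+)\s*$"
)

# Constructed sample 1: the failure pattern from the thread (no reply, retransmits, timeout).
SAMPLE_NO_REPLY = """\
1      13:47:33.715  04/06/09  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 198.51.100.10.
2      13:47:33.725  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 198.51.100.10
3      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
4      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 198.51.100.10
5      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
6      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 198.51.100.10
7      13:47:53.865  04/06/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Constructed sample 2: a peer that answers the first aggressive-mode packet.
# The RECEIVED line's event id (0x6300002F) is an assumption for this example.
SAMPLE_REPLY = """\
1      09:00:00.000  04/06/09  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 198.51.100.10.
2      09:00:00.010  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 198.51.100.10
3      09:00:00.120  04/06/09  Sev=Info/5 IKE/0x6300002F
RECEIVED <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D) from 198.51.100.10
"""


@dataclass
class Event:
    index: int
    when: datetime
    severity: str
    level: int
    subsystem: str
    event_id: str
    message: str


def parse_vpn_client_log(text):
    """Pair each header line with the message line that follows it."""
    events = []
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        if header is None:
            continue  # banner lines before the first numbered entry
        when = datetime.strptime(f"{header['date']} {header['time']}", "%m/%d/%y %H:%M:%S.%f")
        events.append(Event(int(header["idx"]), when, header["sev"], int(header["level"]),
                            header["subsys"], header["event"], line.strip()))
        header = None
    return events


def diagnose(events):
    """Summarise IKE phase 1 behaviour: did anything ever come back from the peer?"""
    ike = [e for e in events if e.subsystem == "IKE"]
    sent = sum(1 for e in ike if e.message.startswith("SENDING >>>"))
    received = sum(1 for e in ike if e.message.startswith("RECEIVED <<<"))
    retransmissions = sum(1 for e in ike if e.message.startswith("Retransmitting"))
    # A responder cookie of all zeros means the initiator never saw a reply.
    responder_cookie_unset = any("R_Cookie=0000000000000000" in e.message for e in ike)
    peer_not_responding = any("DEL_REASON_PEER_NOT_RESPONDING" in e.message for e in ike)
    elapsed = round((events[-1].when - events[0].when).total_seconds(), 3) if events else 0.0
    if received == 0 and (peer_not_responding or retransmissions):
        verdict = "no_reply_to_ike_phase1"  # path or peer problem, not a later negotiation step
    elif received > 0:
        verdict = "peer_replied"
    else:
        verdict = "inconclusive"
    return {"sent": sent, "received": received, "retransmissions": retransmissions,
            "responder_cookie_unset": responder_cookie_unset,
            "peer_not_responding": peer_not_responding,
            "elapsed_seconds": elapsed, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("no reply", SAMPLE_NO_REPLY), ("reply", SAMPLE_REPLY)):
        print(name, diagnose(parse_vpn_client_log(sample)))
```

The verdict only classifies the symptom: "no_reply_to_ike_phase1" says the first aggressive-mode packet was never answered, which narrows the search to the path (NAT/PAT, a filter in between) or the peer's configuration, exactly the distinction the thread is working through; it does not tell you which of those it is.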


There is a Cisco ISR 2821 between the Workstation and the ASA but I have not set up any blocking on it.  Would something like that be enabled by default?

No, that is not likely.  And according to the dump above, you got a hit count on the ASA, so the traffic did reach the ASA.
I was concerned about a device between the ASA and the Internet.


Called Cisco for verification and got the answer I expected.  It is NOT my firewall blocking the traffic.


I took my laptop over to the remote site and used their test connection to access the VPN, and it worked, but it still will not work behind my firewall.  After talking with Cisco, I feel confident that my firewall is not blocking the traffic, and I read somewhere that the remote site needs to have NAT-T enabled?  Anyone know anything about this?

NAT-T allows IPSEC to work through NAT/PAT, but you never even get a reply to your first IKE packet.  Yes, it'll need NAT-T, but it might already have that.  Your problems begin before that.

I wonder, what is it that you found in that document which PeteLong didn't have in his first post?


The rules added per his post were partially the solution but did not fix the problem.  The ultimate fix was a static NAT from the client machine inside my ASA to a public IP address.  Two unbearable hours on the phone with Cisco fixed the problem.
Michael Worsham, Cloud/Infrastructure Solutions Architect

Even though the question was closed, I still recommend in the future that you also assign points to those that offered partial solutions for questions.
