Solved

VPN tunnel through ASA 5510

Posted on 2009-04-03
Last Modified: 2012-05-06
Hello EE,

I am trying to set up a VPN connection with our local school district and am running into a brick wall. They provided us with the VPN client they use to connect to their Cisco device, and credentials. At this time I do not know what that device is. The workstation I am using to connect is behind our Cisco ASA 5510. I cannot connect. Is there something in our firewall that needs to be done to allow this connection (i.e. NAT rules, access rules)? Can someone offer some assistance or advice? See my attachments.

Thanks,

COK
KISD-VPN.jpg
kisdvpn.JPG
Question by: CityofKerrville

22 Comments
 
Expert Comment by: Pete Long (LVL 57)


VPN Ports through Firewalls
*****For IPSec VPNs*****
UDP 500 ISAKMP
UDP 4500 NAT-Traversal*
TCP 10000 (Cisco VPN clients can use this port if it's been set on the client)
Protocol 50 (ESP)

Note 2: To allow the Cisco client through a PIX/ASA version 7 or above, add the following:

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
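The UDP 500 and UDP 4500 entries above carry IKE; the ESP entry carries the data plane, which has no ports at all. As an added example (not code from the original post or from Cisco), here is a Python decoder for an IKEv1 datagram. It builds a constructed aggressive-mode message 1 of the kind the Cisco client sends, with filler payload bodies and three real vendor-ID values (the NAT-T vendor ID is MD5 of the string "RFC 3947"; the Xauth and DPD values are the published constants), then parses the header and payload chain, strips the RFC 3948 non-ESP marker when the datagram arrived on UDP 4500, and reports whether the responder cookie is still zero, which is what a message that never got an answer looks like.

```python
"""Decode an IKEv1/ISAKMP datagram as carried on UDP 500 or UDP 4500.

Added example for this thread (not code from the original post or from Cisco).
A constructed aggressive-mode message 1, the packet the Cisco client log reports
as "ISAKMP OAK AG (SA, KE, NON, ID, VID(...))", is built and decoded.  Payload
bodies are filler; only the framing and the vendor IDs are real.
"""
import hashlib
import struct

# RFC 2408 sec. 3.1: I-cookie(8) R-cookie(8) next-payload(1) version(1)
# exchange-type(1) flags(1) message-id(4) length(4) -> 28 bytes
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_HDR = struct.Struct("!BBH")   # generic payload: next-payload(1) reserved(1) length(2)
NON_ESP_MARKER = b"\x00" * 4          # RFC 3948 sec. 2.2: IKE on UDP 4500 starts with 4 zero bytes

EXCHANGE_TYPES = {2: "MM", 4: "AG", 5: "INFO", 32: "QM"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 10: "NON", 13: "VID"}
KNOWN_VIDS = {
    bytes.fromhex("09002689dfd6b712"): "Xauth",                  # draft-beaulieu-ike-xauth
    bytes.fromhex("afcad71368a1f1c96b8696fc77570100"): "dpd",   # RFC 3706 Dead Peer Detection
    hashlib.md5(b"RFC 3947").digest(): "Nat-T",                 # RFC 3947 defines the VID as MD5("RFC 3947")
}


def build_aggressive_mode_request(i_cookie: bytes) -> bytes:
    """Constructed IKEv1 aggressive-mode message 1 from the initiator (filler bodies)."""
    chain = [
        (1, b"\x00" * 8),                      # SA   (proposal body omitted)
        (4, b"\x11" * 32),                     # KE   (filler Diffie-Hellman public value)
        (10, b"\x22" * 16),                    # NON  (filler nonce)
        (5, b"\x0b\x00\x00\x00" + b"group1"),  # ID   type 11 = ID_KEY_ID, the group name
    ] + [(13, vid) for vid in KNOWN_VIDS]      # VID payloads advertise Xauth, DPD, NAT-T
    body = b""
    for i, (ptype, pbody) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0  # each header names the *next* payload
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    # R-cookie is all zero in message 1: the initiator has not heard from the responder yet.
    hdr = ISAKMP_HDR.pack(i_cookie, b"\x00" * 8, chain[0][0], 0x10, 4, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def decode_isakmp(datagram: bytes, udp_port: int) -> dict:
    """Decode header and payload chain; raise ValueError on anything malformed."""
    if udp_port == 4500:
        if not datagram.startswith(NON_ESP_MARKER):
            raise ValueError("UDP 4500 without non-ESP marker: UDP-encapsulated ESP, not IKE")
        datagram = datagram[len(NON_ESP_MARKER):]
    elif udp_port != 500:
        raise ValueError(f"unexpected UDP port {udp_port}")
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    i_ck, r_ck, nxt, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(datagram)
    if ver >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {ver >> 4})")
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram length {len(datagram)}")
    payloads, vendors, off = [], [], ISAKMP_HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(datagram):
            raise ValueError("payload chain runs past end of datagram")
        nxt2, _, plen = PAYLOAD_HDR.unpack_from(datagram, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(datagram):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        pbody = datagram[off + PAYLOAD_HDR.size:off + plen]
        if nxt == 13:
            vendors.append(KNOWN_VIDS.get(pbody, "unknown:" + pbody.hex()))
        payloads.append(PAYLOAD_TYPES.get(nxt, f"type{nxt}"))
        nxt, off = nxt2, off + plen
    return {
        "exchange": EXCHANGE_TYPES.get(xchg, f"type{xchg}"),
        "i_cookie": i_ck.hex().upper(),
        "r_cookie": r_ck.hex().upper(),
        "peer_replied": r_ck != b"\x00" * 8,  # zero R-cookie: nothing has come back from the peer
        "payloads": payloads,
        "vendor_ids": vendors,
        "nat_t_offered": "Nat-T" in vendors,
    }


def describe(info: dict) -> str:
    """Render in the shape of the client log line, e.g. 'ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), ...)'."""
    vids = iter(info["vendor_ids"])
    parts = [f"VID({next(vids)})" if p == "VID" else p for p in info["payloads"]]
    return f"ISAKMP OAK {info['exchange']} ({', '.join(parts)})"


if __name__ == "__main__":
    pkt = build_aggressive_mode_request(bytes.fromhex("C060E9D0D7A9977E"))  # I-cookie from the log in this thread
    info = decode_isakmp(pkt, 500)
    print(describe(info), "| peer replied:", info["peer_replied"])
    print("same message NAT-T framed on 4500 decodes identically:", decode_isakmp(NON_ESP_MARKER + pkt, 4500) == info)
```

Run as a script it prints a summary line in the same shape as the client log. A decoder like this is what you would point at a capture on the ASA's outside interface to confirm the IKE request actually leaves the firewall; the marker check also tells UDP-encapsulated ESP on 4500 apart from IKE on the same port.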

Expert Comment by: Michael W (LVL 29)

Are you allowing the GRE protocol across the ASA 5510?

Using the Microsoft VPN client through Cisco ASA/PIX
http://www.petenetlive.com/TecBin/KB/0000009.htm

Author Comment by: CityofKerrville

"Using the Microsoft VPN client through Cisco ASA/PIX"
I am using a Cisco Client not a Microsoft Client

Expert Comment by: Michael W (LVL 29)

Which Cisco VPN client version are you currently using?

Cisco VPN Client: Reason 412 - The remote peer is no longer responding
http://www.lamnk.com/blog/vpn/cisco-vpn-client-reason-412-the-remote-peer-is-no-longer-responding/

Author Comment by: CityofKerrville

ProductName=Cisco Systems VPN Client 3.6.3 (B)

Suggested fixes from the link you provided:
added exception rules for port 500, port 4500 and ESP
turned on NAT-T/TCP in the profile
edited the profile and changed ForceKeepAlive=0 to 1

Still Cannot connect

firewall-rules.JPG
client.JPG
profile.JPG

Expert Comment by: Michael W (LVL 29)

The Cisco Systems VPN Client 3.6.3 dates back to 2003. The latest Cisco VPN client is up to version 5.x now, or you might consider the Cisco AnyConnect VPN Client v2.x as an alternative.

Cisco VPN Client
http://www.cisco.com/en/US/products/sw/secursw/ps2308/


Author Comment by: CityofKerrville

Since it is not my equipment that we are attempting to access through the VPN, I am at the mercy of whatever they give me on the client side. We use AnyConnect for our VPN connection here, but I am pretty sure the security device has to be configured for AnyConnect. Would a newer client other than AnyConnect make that much of a difference? Does it look like the issue is on their end and not mine? Thanks.

Expert Comment by: Voltz-dk (LVL 15)

Some older Cisco VPN devices don't support the TCP encapsulation; you could test this by trying to telnet to it on port 10000. Do you get a connection?
If not, then skip trying that. (Of course they could have set it to a non-default port, but I'd expect they would have told you or preconfigured the client then.)

Next, enable logging in the client and change the log settings: initially you're interested in IKE (ISAKMP), so set that to high (level 3) and all others to 0.
Open the log window, clear it, and then try your connection. It might give you an idea of what goes wrong (or maybe us, if you post it :)

Expert Comment by: lrmoore (LVL 79)

> Cisco Systems VPN Client 3.6.3
>Would a newer client other than anyconnect make that much of a differance
Absolutely. The VPN client release is for the client, not the server end. If you have Vista, then you cannot use this old 3.6.3 client. You can easily upgrade your client to 4.9 or even higher on your end, regardless of the vpn server device at the other end.
You are correct that AnyConnect is a totally different animal and requires configuration (and licenses) on their end.

Author Comment by: CityofKerrville

Tried a newer client, version 5.something, and had the same results. I cannot get my contact at the remote site on the phone. Given what I have shown already, what is the probability that the problem is on his end?

Expert Comment by: Voltz-dk (LVL 15)

Hard to say. Try to enable logging in the client, change the log settings so IKE and IPSEC are high, and then open the log window.
Clear it, and try to connect. What do you get?

Author Comment by: CityofKerrville

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
1      13:47:33.715  04/06/09  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 98.x.x.x.
2      13:47:33.725  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 98.x.x.x
3      13:47:33.795  04/06/09  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
4      13:47:33.795  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
5      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
6      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
7      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
8      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
9      13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10     13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
11     13:47:53.865  04/06/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
12     13:47:54.367  04/06/09  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
13     13:47:54.417  04/06/09  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
14     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
15     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
16     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
17     13:47:54.889  04/06/09  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Expert Comment by: Voltz-dk (LVL 15)

Well, the client is trying hard to contact the peer but gets no replies.

It's of course guesswork, but I'd say chances are biggest that it doesn't reach the destination or is denied at the destination.
If your machine otherwise has basic Internet access, and you don't have some device behind the ASA that could block IKE, then I'd say chances are pretty good the problem is on the other end.
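The reading above can be mechanised. As an added example (not code from the post or from Cisco), the following Python parses the two-line records of a Cisco VPN Client log, using the log posted earlier in this thread (trimmed to its IKE records) as sample input, and classifies the attempt: SENDING with no RECEIVED, an all-zero R_Cookie at deletion and DEL_REASON_PEER_NOT_RESPONDING add up to "no reply to the first IKE message", which is a reachability question rather than a proposal or authentication one. The verdict names and the retransmit-interval measurement are this example's own.

```python
"""Triage a Cisco VPN Client log: did the peer ever answer IKE?

Added example for this thread (not code from the original post or from Cisco).
Records in the client log come as pairs: a header line with sequence number,
timestamp, severity and subsystem, then the message line.  SAMPLE_LOG is the
log posted earlier in this thread, trimmed to its IKE records.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

SAMPLE_LOG = """\
Cisco Systems VPN Client Version 5.0.01.0600
1      13:47:33.715  04/06/09  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 98.x.x.x.
2      13:47:33.725  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 98.x.x.x
5      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
6      13:47:38.813  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
7      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
8      13:47:43.830  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
9      13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10     13:47:48.848  04/06/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 98.x.x.x
11     13:47:53.865  04/06/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C060E9D0D7A9977E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
13     13:47:54.417  04/06/09  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
"""

HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<subsys>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$")


@dataclass
class Record:
    seq: int
    when: datetime
    subsys: str
    code: str
    msg: str


def parse_client_log(text: str) -> List[Record]:
    """Pair each header line with the message line that follows it; skip banner lines."""
    records, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f")
            records.append(Record(int(m["seq"]), when, m["subsys"], m["code"], lines[i + 1].strip()))
            i += 2
        else:
            i += 1
    return records


def triage(records: List[Record]) -> dict:
    """Classify a connection attempt from what the client sent, received and gave up on."""
    sent = [r for r in records if r.msg.startswith("SENDING >>>")]
    received = [r for r in records if r.msg.startswith("RECEIVED <<<")]
    retrans = [r for r in sent if "(Retransmission)" in r.msg]
    peer = next((r.msg.split("connection with ")[1].rstrip(".")
                 for r in records if "Attempting to establish a connection with " in r.msg), None)
    deletion = next((r for r in records if "Marking IKE SA for deletion" in r.msg), None)
    r_cookie = reason = None
    if deletion:
        m_ck = re.search(r"R_Cookie=([0-9A-Fa-f]{16})", deletion.msg)
        m_rs = re.search(r"reason = (\w+)", deletion.msg)
        r_cookie, reason = (m_ck.group(1) if m_ck else None), (m_rs.group(1) if m_rs else None)
    gaps = [(b.when - a.when).total_seconds() for a, b in zip(sent, sent[1:])]
    if not received and reason == "DEL_REASON_PEER_NOT_RESPONDING" and r_cookie == "0" * 16:
        # Nothing came back to message 1 and the responder cookie was never filled in: the
        # packet is not reaching the peer, or the peer is not answering this source.
        # Proposal or authentication failures would show a RECEIVED <<< line first.
        verdict = "NO_REPLY_TO_IKE_MESSAGE_1"
    elif received and deletion:
        verdict = "PEER_REPLIED_THEN_FAILED"
    elif deletion:
        verdict = "FAILED_UNCLASSIFIED"
    else:
        verdict = "NO_FAILURE_SEEN"
    return {"peer": peer, "sent": len(sent), "received": len(received), "retransmissions": len(retrans),
            "mean_retransmit_interval_s": round(sum(gaps) / len(gaps), 3) if gaps else None,
            "r_cookie": r_cookie, "reason": reason, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(parse_client_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The same parser works on a full client log with IPSEC and CM records left in, since the classification only looks at the IKE messages; raise the IKE log level as Voltz-dk suggests so the SENDING/RECEIVED lines are present.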

Author Comment by: CityofKerrville

There is a Cisco ISR 2821 between the Workstation and the ASA but I have not set up any blocking on it.  Would something like that be enabled by default?

Expert Comment by: Voltz-dk (LVL 15)

No, that is not likely. And according to the dump above, you got hit counts on the ASA, so the traffic did reach the ASA.
I was concerned about a device between the ASA and the Internet.

Author Comment by: CityofKerrville

Called Cisco for verification and got the answer I expected. It is NOT my firewall blocking the traffic.

Author Comment by: CityofKerrville

Update

I took my laptop over to the remote site and used their test connection to access the VPN, and it worked, but it still will not work behind my firewall. After talking with Cisco, I feel confident that my firewall is not blocking the traffic, and I read somewhere that the remote site needs to have NAT-T enabled? Anyone know anything about this?

Expert Comment by: Voltz-dk (LVL 15)

NAT-T allows IPSEC to work through NAT/PAT, but you never even get a reply to your first IKE packet. Yes, it'll need NAT-T, but it might already have that. Your problems begin before that.

Accepted Solution by: CityofKerrville (earned 0 total points)

Called Cisco again. Resolved with this document:

http://www.cisco.com/application/pdf/paws/63881/ipsec-pix70-nat.pdf

Expert Comment by: Voltz-dk (LVL 15)

I wonder.. what is it that you found in that document, which PeteLong didn't have in his first post?

Author Comment by: CityofKerrville

The rules added per his post were partially the solution but did not fix the problem. The ultimate fix was a static NAT from the client machine inside my ASA to a public IP address. 2 unbearable hours on the phone with Cisco fixed the problem.
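The thread does not record why a one-to-one translation changed the outcome for IKE packets that were getting no reply, but the difference between PAT and static NAT for IPsec is worth seeing concretely, since it is the reason the ESP leg needs special handling at all. The following added example (not code from the post or from Cisco, and a model rather than the ASA's own translation logic) simulates two firewalls in Python: a PAT box that keys its translation table on UDP ports, optionally with a simplified IPsec pass-through pinhole tied to the inside host that sent IKE to a peer, and a static one-to-one NAT that maps by address alone. UDP 500 return traffic finds its port entry either way; raw ESP (IP protocol 50) has no port and carries an SPI the firewall never assigned, so plain PAT drops the reply, one pinhole per peer can only serve one inside host (the problem RFC 3715 describes and NAT-T was designed around), and only the static mapping delivers ESP unambiguously. Addresses are from the RFC 5737 documentation ranges.

```python
"""Model of why port-keyed PAT struggles with raw ESP while one-to-one static NAT does not.

Added example for this thread (not code from the post or from Cisco).  The PAT
class is a simplification: its IPsec pass-through pinhole remembers one inside
host per peer, which is the limit a port-less protocol forces on a port-keyed
table; it is not a description of the ASA inspection engine's real state.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UDP, ESP = 17, 50
PEER = "203.0.113.10"   # constructed VPN headend address


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # transport ports; 0 for ESP, which has none
    dport: int = 0
    spi: int = 0     # ESP only; chosen by the receiving endpoint, never by the firewall


class PatFirewall:
    """Many inside hosts share one outside address; translation state is keyed on ports."""

    def __init__(self, outside_ip: str, ipsec_pass_thru: bool = False):
        self.outside_ip, self.ipsec_pass_thru, self.next_port = outside_ip, ipsec_pass_thru, 1024
        self.udp_xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (peer, outside_port) -> (inside_ip, inside_port)
        self.esp_pinhole: Dict[str, str] = {}                          # peer -> inside host that sent IKE to it

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == UDP:
            oport, self.next_port = self.next_port, self.next_port + 1
            self.udp_xlate[(p.dst, oport)] = (p.src, p.sport)
            if self.ipsec_pass_thru and p.dport in (500, 4500):
                self.esp_pinhole.setdefault(p.dst, p.src)   # inspection ties later ESP to this IKE flow
            return Packet(UDP, self.outside_ip, p.dst, oport, p.dport)
        if p.proto == ESP:
            return Packet(ESP, self.outside_ip, p.dst, spi=p.spi)  # no port exists to rewrite
        return None

    def inbound(self, p: Packet) -> Optional[str]:
        """Inside host that receives a packet addressed to the outside IP, or None if dropped."""
        if p.proto == UDP:
            hit = self.udp_xlate.get((p.src, p.dport))
            return hit[0] if hit else None
        if p.proto == ESP:
            return self.esp_pinhole.get(p.src)   # no pinhole (or no inspection): dropped
        return None


class StaticNatFirewall:
    """One-to-one mapping: every protocol arriving for the outside IP goes to the same inside host."""

    def __init__(self, mapping: Dict[str, str]):   # outside_ip -> inside_ip
        self.out_to_in = dict(mapping)
        self.in_to_out = {v: k for k, v in mapping.items()}

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.src not in self.in_to_out:
            return None
        return Packet(p.proto, self.in_to_out[p.src], p.dst, p.sport, p.dport, p.spi)

    def inbound(self, p: Packet) -> Optional[str]:
        return self.out_to_in.get(p.dst)


def run_ikev1_then_esp(fw, inside_ip: str, peer: str = PEER) -> dict:
    """IKE out on UDP 500, IKE reply back, then raw ESP out and the peer's ESP reply back."""
    ike_out = fw.outbound(Packet(UDP, inside_ip, peer, 500, 500))
    ike_back = fw.inbound(Packet(UDP, peer, ike_out.src, 500, ike_out.sport))
    esp_out = fw.outbound(Packet(ESP, inside_ip, peer, spi=0x1001))
    esp_back = fw.inbound(Packet(ESP, peer, esp_out.src, spi=0x2002))
    return {"ike_reply_delivered_to": ike_back, "esp_reply_delivered_to": esp_back}


if __name__ == "__main__":
    print("PAT, no inspection:        ", run_ikev1_then_esp(PatFirewall("198.51.100.1"), "10.0.0.5"))
    pat = PatFirewall("198.51.100.1", ipsec_pass_thru=True)
    print("PAT + pass-thru, host A:   ", run_ikev1_then_esp(pat, "10.0.0.5"))
    print("PAT + pass-thru, host B:   ", run_ikev1_then_esp(pat, "10.0.0.6"))   # ESP reply lands on host A
    print("static NAT, host A:        ", run_ikev1_then_esp(StaticNatFirewall({"198.51.100.7": "10.0.0.5"}), "10.0.0.5"))
```

With NAT-T negotiated the data plane moves into UDP 4500 and gets ports again, which is why the pass-through pinhole only matters when the peer does not negotiate NAT-T; the static one-to-one mapping sidesteps the question for the single host it covers.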

Expert Comment by: Michael W (LVL 29)

Even though the question was closed, I still recommend in the future that you also assign points to those that offered partial solutions for questions.