Solved

Do I create a site-to-site IPSEC VPN or use EasyVPN with Cisco ASA5505?

Posted on 2009-05-06
Last Modified: 2012-05-06
Here's the situation.

Windows Server A ----- Cisco ASA 5505 ----- Internet ----- External Company Remote Device ----- External Company Network

Server A NIC 192.168.1.10 with NAT on 10.10.10.200
Cisco ASA 5505 Internal 192.168.1.1 External 10.10.10.10
External Company Remote Device (Cisco I think, but unknown model) External IP 20.20.20.20
External Company Network 192.168.150.0/24

We only manage Server A and the Cisco ASA 5505 and have no say in the other network's settings.

From the external company we only received
IP Address, Group Authentication Name, Group Authentication Password.

With the Cisco Client from Windows Server A we can connect to their network via VPN.
This "works", but we want to use the ASA 5505 in a site-to-site connection. (Because there are now more servers in our network, and installing and managing the Cisco VPN client on each machine and making sure it is always connected is a lot of work.)

Normally I create a site-to-site connection from an ASA 5505 to a Cisco router or another ASA.
For this connection I need a preshared key.
But now I have no preshared key, and the external company says they don't use this (or a certificate).
Can I still create a site-to-site? Or do I need extra settings?

I saw you could use EasyVPN in client mode, but when I create this connection we cannot reach the internal servers that are NATed. I cannot use EasyVPN and create an Exempt Access List; I receive an error.
[ERROR] vpnclient enable
      * Remove "nat (inside) 0 inside_nat0_outbound"

CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote
operation has been detected, and is listed above. Please resolve the
above configuration conflict(s) and re-enable.

So basically my question is:
How can I create a reliable connection from the Cisco ASA 5505 to the remote network that works like a site-to-site VPN connection? Do I use site-to-site IPsec or do I use EasyVPN?

Thanks.
Question by:ensermo
10 Comments
 
LVL 2

Expert Comment

by:e3user
ID: 24313338
Hey,

You should be able to configure the site-to-site using the VPN wizard. The Group Authentication Password is your preshared key.

0
 
LVL 2

Author Comment

by:ensermo
ID: 24313756
Really? Hmm. I'm trying that now. I just received an extra e-mail with a username and password from the external company.
Thus now I have
VPN Endpoint IP Address
Group Authentication Name
Group Authentication Password.
*Username when the client connects
*Password when the client connects.

Are those last ones something like XAuth or so?

I keep getting these messages on the logs
6      May 06 2009      14:22:28      713219                              IP = 20.20.20.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
3      May 06 2009      14:22:49      713902                              IP =  20.20.20.20, Removing peer from peer table failed, no match!
4      May 06 2009      14:22:49      713903                              IP = 20.20.20.20, Error: Unable to remove PeerTblEntry
5      May 06 2009      14:22:50      713041                              IP = 20.20.20.20, IKE Initiator: New Phase 1, Intf inside, IKE Peer 20.20.20.20  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.150.0,  Crypto map (outside_map)
0
 
LVL 2

Expert Comment

by:e3user
ID: 24313934
What is the VPN server on the other end?
0
 
LVL 2

Author Comment

by:ensermo
ID: 24314074
No idea. The network admins just mail this info and say "it should work".
They keep telling me to use the Cisco Client, but I've tried a thousand times to tell them we have MORE than one connection and we have an ASA. But I just keep getting this semi copy-paste mail with "we tested it and the client works" lol.
That's why I'm trying to figure it out myself.
Does it matter? If they configured it as a client-server VPN concentrator, will I still be able to create a site-to-site from the ASA (or use the EasyVPN)?
0
 
LVL 2

Expert Comment

by:e3user
ID: 24314793
Try entering this in the CLI:
 
tunnel-group groupname ipsec-attributes
    isakmp ikev1-user-authentication (outside) none
0
 
LVL 2

Author Comment

by:ensermo
ID: 24322981
Using site-to-site VPN didn't work. I believe the ASA doesn't allow a site-to-site with authentication, since I need to authenticate with a username and password.

After some tweaking I was able to create a connection using the Easy VPN.
I see the connection is made in the log files (PHASE 1 and PHASE 2 completed).
The connection is up:

ciscoasa# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 20.20.20.20
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_ACTIVE


But I cannot communicate from the ASA or Server A to the External Company Network.

In the logs I see these kinds of messages. (We use port 3810 for a service on their internal server 192.168.150.140.)

6      May 07 2009      08:24:43      302013      192.168.150.140      3810      192.168.1.10      2894      Built outbound TCP connection 6989 for outside:192.168.150.140/3810 (192.168.145.140/3810) to inside:192.168.1.10/2894 (10.10.10.200/2894)
6      May 07 2009      08:24:49      302014      192.168.150.140      3810      192.168.1.10      2885      Teardown TCP connection 6985 for outside:192.168.150.140/3810 to inside:192.168.1.10/2885 duration 0:00:30 bytes 0 SYN Timeout

Also these messages when I ping the server (192.168.150.140):
6      May 07 2009      08:34:27      302020      192.168.1.10      512      192.168.145.140      0      Built outbound ICMP connection for faddr 192.168.150.140/0 gaddr 10.10.10.10/512 laddr 192.168.1.10/512
6      May 07 2009      08:35:33      302021      192.168.150.140      0      192.168.1.10      512      Teardown ICMP connection for faddr 192.168.150.140/0 gaddr 10.10.10.10/512 laddr 192.168.1.10/512

So I believe I'm close to the solution.
Could it be something with access lists? (I cannot change many parameters with EasyVPN, like Exempt Traffic from NATting etc.)
0
 
LVL 2

Expert Comment

by:e3user
ID: 24323356
Yes you can, using nat 0. Create an access list permitting only the interesting traffic, i.e. allow his subnet to yours, then put

nat (inside) 0 access-list
0
 
LVL 2

Author Comment

by:ensermo
ID: 24323698
That doesn't work with EasyVPN, since I am the "Client" and thus cannot really decide much.


access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
[ERROR] nat (inside) 0 access-list inside_nat0_outbound  tcp 0 0 udp 0

       Policy NAT cannot be be configured with VPN Client enabled.

0
 
LVL 2

Assisted Solution

by:e3user
e3user earned 50 total points
ID: 24324916
If you are the client I don't think it will work if they have XAuth, unlike a router, which can save these credentials.
0
 
LVL 2

Accepted Solution

by:ensermo
ensermo earned 0 total points
ID: 24325565
I've solved the problem.

One key thing I forgot is that

Server A has a static mapping to another external IP address (10.10.10.200) THAN the address of the ASA (10.10.10.10).

Thus the ASA connected via EasyVPN to the remote connection, BUT static NAT is/was preventing communication to Server A correctly. (Packets left correctly to the remote VPN network, but on their way back the NAT mapping messed things up.)

I had to map Server A only to the ports we needed and somehow it now works. (I can ping and connect to ports on the remote network from Server A.)
0
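The symptom in the earlier log post (tunnel up, "Built outbound TCP connection" followed by "Teardown ... bytes 0 SYN Timeout") and the cause in the accepted solution (the source was translated to the static-NAT address 10.10.10.200 instead of the ASA's own outside address) can both be picked out of ASA syslog automatically. The following Python script is an added example, not code from the thread or from Cisco: it pairs 302013/302014 messages by connection id and flags zero-byte SYN timeouts whose mapped source is not the tunnel address. The sample log lines are constructed in the ASDM log-viewer layout shown in the thread, and the assumption that a healthy flow is translated to the ASA outside IP (10.10.10.10) is this example's, not the original poster's.

```python
import re

# Constructed sample lines in the ASDM log-viewer layout quoted in the thread
# (severity, date, time, msg id, src, sport, dst, dport, text). Conn 6989 is
# the failing case: source translated to the static-NAT address 10.10.10.200,
# no reply. Conn 7010 is a constructed healthy flow translated to the ASA's
# own outside address 10.10.10.10 (assumed to be the tunnel source).
SAMPLE_LOG = """\
6 May 07 2009 08:24:43 302013 192.168.150.140 3810 192.168.1.10 2894 Built outbound TCP connection 6989 for outside:192.168.150.140/3810 (192.168.150.140/3810) to inside:192.168.1.10/2894 (10.10.10.200/2894)
6 May 07 2009 08:25:13 302014 192.168.150.140 3810 192.168.1.10 2894 Teardown TCP connection 6989 for outside:192.168.150.140/3810 to inside:192.168.1.10/2894 duration 0:00:30 bytes 0 SYN Timeout
6 May 07 2009 08:30:01 302013 192.168.150.140 3810 192.168.1.10 2950 Built outbound TCP connection 7010 for outside:192.168.150.140/3810 (192.168.150.140/3810) to inside:192.168.1.10/2950 (10.10.10.10/2950)
6 May 07 2009 08:31:05 302014 192.168.150.140 3810 192.168.1.10 2950 Teardown TCP connection 7010 for outside:192.168.150.140/3810 to inside:192.168.1.10/2950 duration 0:01:04 bytes 5120 TCP FINs
"""

# 302013 fields: conn id, remote addr/port, local real addr/port, local mapped addr/port
BUILT = re.compile(
    r"\b302013\b.*?Built outbound TCP connection (\d+) for "
    r"\S+:(\S+) \(\S+\) to \S+:(\S+) \((\S+)\)")
# 302014 fields: conn id, byte count, teardown reason (trailing text)
TEARDOWN = re.compile(
    r"\b302014\b.*?Teardown TCP connection (\d+) .*?bytes (\d+) (.+)$")


def correlate(log_text):
    """Pair each Built (302013) line with its Teardown (302014) by conn id."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, remote, local, mapped = m.groups()
            conns[cid] = {"id": cid, "remote": remote, "local": local,
                          "mapped_src": mapped.split("/")[0],
                          "bytes": None, "reason": None}
            continue
        m = TEARDOWN.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["bytes"] = int(m.group(2))
            conns[m.group(1)]["reason"] = m.group(3).strip()
    return list(conns.values())


def stalled_tunnel_flows(log_text, tunnel_src):
    """Flows the far side never answered (SYN Timeout with zero bytes).
    translated_off_tunnel is set when the source was NATed to something
    other than tunnel_src (assumed: the ASA outside IP the tunnel uses)."""
    stalled = []
    for c in correlate(log_text):
        if c["reason"] == "SYN Timeout" and c["bytes"] == 0:
            c["translated_off_tunnel"] = c["mapped_src"] != tunnel_src
            stalled.append(c)
    return stalled
```

Run it over `show logging` output (or a syslog export) with the ASA outside address as `tunnel_src`; a flagged flow points at a static or policy NAT on the inside host rather than at the tunnel itself.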
