Allow IPSEC Traffic Through Firewall

You need to allow someone to VPN from inside your network out to a Vendor?

or

You need to allow a vendor to VPN into your network? If this one then is the vpn being terminated by the ASA or a price of equipment inside your network that the vendor placed?

Regards,

3nerds

We were given a piece of hardware that will sit behind the firewall.  Someone from inside the network will VPN to the vendor.  The Firewall just needs to allow the trafiic through.  

Dupont2406,

Maybe I am not understanding correctly, but VPN access out of your network through the ASA should work out of the box. The only thing that you may need to turn on would bet NAT-T.

Do you have an access-list on you inside interface and if so can you post it?

Regards,

3nerds

I dont even have the Firewall configured yet.  I am not sure what access list I need to create etc. to allow the VPN Traffic.  The stuff I posted in my question is from the vendor.  I have to make sure I configure the firewall so that traffic passes through.

Dupont2406,

I am sorry I am confused now.

Do you currently have the ASA in your network and allowing traffic to pass through it? Meaning can people browse the internet right now through it?

Or

This device is sitting on you desk and you are configuring the whole device right now?

Sorry if I am being slow.

But the Devil's in the details.

Regards,

3nerds

OK

I am replacing a pix 501 with this ASA box.  The ASA box is not configured yet.  I would like to get the access lists etc.  all set before I swap it with the 501.  I know how to configure the basics on the ASA.

Thanks

Alright now we are on the same page.

You can basically dump your PIX code into the asa and it will convert 90% or better of it into what the ASA needs. Make sure and test that it work for internet browsing. Once that is done then complicate the issue with the VPN.

But

As to allowing VPN out of your network to a vendor site, provided you do not have an ACL applied to the inside interface then it should work out of the box with out needing anything additional. The only thing that I would make sure that you do have is NAT-T enabled.

If you have an ACL on the inside interface please post it and I can help you with that.

Regards,

3nerds

how do I enable NAT-T?

crypto isakmp nat-traversal

If it is not on you will see

no crypto isakmp nat-traversal

in your config once you add it, the line disapears. There was bug in the early code with the check mark in the asdm of the early versions of code.

Good luck,

3nerds

This is the config on the new firewall.  Let me know if this looks OK and will pass the traffic.  I am testing with the Vendor on Monday.  Thanks!


ASA Version 7.2(4)                  
!
hostname XXX              
enable password XXX encrypted                                          
passwd XXX encrypted                                
names    
!
interface Vlan1              
 nameif inside              
 security-level 100                  
 ip address 192.168.10.1 255.255.255.0                                    
!
interface Vlan2              
 nameif outside              
 security-level 0                
 ip address 68.195.229.10 255.255.255.248                                        
!
interface Ethernet0/0                    
 switchport access vlan 2                        
!
interface Ethernet0/1                    
!
interface Ethernet0/2                    
!
interface Ethernet0/3                    
!
interface Ethernet0/4                    
!
interface Ethernet0/5                    
!
interface Ethernet0/6                    
!
interface Ethernet0/7                    
!
ftp mode passive                
pager lines 24              
logging asdm informational                          
mtu inside 1500              
mtu outside 1500                
icmp unreachable rate-limit 1 burst-size 1                                          
no asdm history enable                      
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 1 0.0.0.0 0.0.0.0                              
route outside 0.0.0.0 0.0.0.0 68.195.229.8 1                                            
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                            
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
crypto isakmp nat-traversal  20                              
telnet timeout 5                
ssh timeout 5            
console timeout 0                

username admin password XXX encrypted privilege 15                                                              
!
class-map inspection_default                            
 match default-inspection-t                        
!
!
policy-map type inspect dns preset_dns_map                                          
 parameters          
  message-length maximum 512                            
policy-map global_policy                        
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7942e14321ba21ae31a070cf5d6ae8cf
: end

I see no issues.

Your not specifically blocking anything outbound and as such VPN should work just fine. Also I don't see the no NAT-T so it should be enabled.

Good Luck,

3nerds

Does not work.  I triead adding an access list.  I will post the new config below.  I get this error now on the log when trying to connect

06-08-2009      12:53:20      Local4.Error      192.168.1.1      Jun 08 2009 08:22:04: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.1.2 dst outside:xxx.xxx.xxx.xx

see config

ASA Version 7.2(4)                  
!    
enable password ss encrypted                                          
passwd s encrypted                                
names    
!
interface Vlan1              
 nameif inside              
 security-level 100                  
 ip address 192.168.1.1 255.255.255.0                                    
!
interface Vlan2              
 nameif outside              
 security-level 0                
 ip address 68.195.229.10 255.255.255.248                                        
!
interface Ethernet0/0                    
 switchport access vlan 2                        
!
interface Ethernet0/1                    
!
interface Ethernet0/2                    
!
interface Ethernet0/3                    
!
interface Ethernet0/4                    
!
interface Ethernet0/5                    
!
interface Ethernet0/6                    
!
interface Ethernet0/7                    
!
ftp mode passive                
access-list outside_in extended permit icmp any any echo-reply                                                              
access-list outside_in extended permit tcp any interface outside eq 50                                                                      
access-list outside_in extended permit udp any interface outside eq 50                                                                      
access-list outside_in extended permit esp any interface outside                                                                
pager lines 24              
logging enable              
logging timestamp                
logging trap notifications                          
logging asdm informational                          
logging host inside 192.168.1.226                                
mtu inside 1500              
mtu outsid        
icmp unreachable rate-limit 1 burst-size 1                                          
no asdm history enable                      
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 1 0.0.0.0 0.0.0.0                              
static (inside,outside) tcp interface 50 192.168.1.2 50 netmask 255.255.255.255                                                                              

static (inside,outside) udp interface 50 192.168.1.2 50 netmask 255.255.255.255                                                                              

access-group outside_in in interface outside                                            
route outside 0.0.0.0 0.0.0.0 68.195.229.8 1                                            
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                            
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
telnet 192.168.1.0 255.255.255.0 inside                                      
telnet timeout 5                
ssh timeout 5            
console timeout 0                

username admin password sd                                
!
class-map inspection_default                            
 match default-inspection-traffic                                
!
!
policy-map type inspect dns preset_dns_map                                          
 parameters          
  message-length maximum 512                            
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:404caff93919de09955803e880d3a893
: end

to clarify:

your doing the following:

user -->VPN --> ASA --> inet --> ASA (vendor)

Is this correct? What device is on the vendor end and what client are you using to connect?

You don't have ISAKMP enabled on your device so you can try this command also:

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

maybe they dont have NAT-T enabled on there end.

Good Luck,

3nerds

I have no control over what the vendor does and have no idea what hardware the vendor uses on their end.  On my end they gave me a Cisco 1800.  I need to get this working using my firewall.  The instructions from the vendor I posted in my question.  That is all I have.  The topology you have is correct.  

Do i need to put in an ACL for all the ports and IP's etc that are in the instructions?

did you put this in and test?

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

let me know.

3nerds

i put that it still does not work

outbound vpn should work out of the box as stated earlier, obviously it isn't.

Thank you for the clarification, do you know if the 1800router is going to be terminating vpn connections to it? Do you know if it is going to be providing a site to site vpn link?

Also looking at your list of ports ISAKMP is normally on port 500 not 5000 is it possible that is a typo? Or the alternate is 4500 IPSEC NAT-T.

If the router is terminating VPN's then adding what you have for port 50(esp) for 500? and 4500 would not hurt to try.

Good Luck,

3nerds

yes 5000 is a typo it is 500.

so what should i try?

add statics for port 500 as well as the acl entries.

same as what you did for port 50.

Regards,

3nerds

tried that.  still no good.  The only purpose of this firewall is to pass the VPN traffic.  It does not provide internet access.  Would it be easier if NAT was disabled?  

I am not sure that would be of benefit as it would affect the rest of your network or is your whole network behind this router?

I am not sure what you are running into, I had asked the question earlier and didn't get a response maybe you just are not sure so you are not able to answer.

Do you know if the 1800router is going to be terminating vpn connections to it? Do you know if it is going to be providing a site to site vpn link?

Regards,

3nerds

Yes the 1800 terminates the VPN link.  And yes I believe it creates a site to site link.  My network is not behind this router.  I have cisco 2600 the network is behind.  If the connection to the vendor is required for a user the 2600 routes the traffic to the 1800 router.  thaqt is the only traffic that goes to the 1800 router and the ASA firewall.  Internet traffic is router by the 2600 to a pix 506.

Dupont2406,

I am not sure.

I assume you do not have access to the route to see what stage the VPN is getting to when it attempts to connect?

This seems odd to me because as long as the site link is initiated from the 1800 side behind the asa it should let traffic pass. The only cavets to this are the NAT-T and the inspect pieces that I had you enter.

I am sorry but at this point if you want to close this and open a new one to see if someone else is able to better help you I would have no objections I don;t want to hold this up for you.

was this working with the pix501? Or is this a brand new setup?

Regards,

3nerds

Brand new setup.  According to the doc from the vendor I need to pass the inbound IP/50 ESP traffic to the 1800 box.  As you said the outbound should work out of the box.  The ESP traffic is not port 50 it is protocol 50.  Do you know how to get the ASA box to pass the IP/50 ESP traffic to the 192.168.1.12 which is the cisco 1800.  I think that would make it work

That is one the vendor said to do a 1 to 1 nat.  yes I have 5 public ip's avail.

so put in the static line and i should be OK??

sorry typed to fast.  it should say

That is what the vendor said to do (1 to 1 NAT)

At this point I won't say you will be ok, but I will say it looks like it is needed. =)

3nerds

another quick question.  From where I am now I can only access the console, I cannot see the syslog server of the ASA box.  Is there a command I can run on the ASA when I try to access the VPN to see any errors occuring or do I have to get access to the syslog server?

Thanks!!

easiest this imho is to use the asdm and look at the logs on the home screen.

make sure the "Latest ASDM syslog messages" is checked.

save you from having to access the syslog and doesn't spam your screen while you try to config the device.

Regards,

3nerds

if you want them on the screen while you are consoled in with a cisco cable it is:

logging console <level>

for a telnet session it is

logging monitor <level>

Regards,

3nerds

the 1 to 1 ended up working.  Thank you for all your help and patience!!!

Thanks!!

Glad it worked!!

woot!

3nerds