dupont2406
asked on
Allow IPSEC Traffic Through Firewall
I need to allow traffic through my Cisco ASA 5055 for a vendor VPN as follows:
Outside IP of firewall is 68.195.229.10
Inside IP of firewall is 192.168.1.10
Outbound to 197.199.10.243 IP/UDP Port 5000 (ISAKMP)
Outbound to 197.199.20.243 IP/UDP Port 5000 (ISAKMP)
Outbound to 197.199.10.243 IP 50 (ESP)
Outbound to 197.199.20.243 IP 50 (ESP)
Inbound 197.199.10.243 IP 50 (ESP)
Inbound 197.199.20.243 IP 50 (ESP)
What commands do I need to run to enable this access?
Thanks!!
ASKER
We were given a piece of hardware that will sit behind the firewall. Someone from inside the network will VPN to the vendor. The firewall just needs to allow the traffic through.
Dupont2406,
Maybe I am not understanding correctly, but VPN access out of your network through the ASA should work out of the box. The only thing that you may need to turn on would be NAT-T.
Do you have an access-list on your inside interface, and if so, can you post it?
Regards,
3nerds
ASKER
I dont even have the Firewall configured yet. I am not sure what access list I need to create etc. to allow the VPN Traffic. The stuff I posted in my question is from the vendor. I have to make sure I configure the firewall so that traffic passes through.
Dupont2406,
I am sorry I am confused now.
Do you currently have the ASA in your network and allowing traffic to pass through it? Meaning can people browse the internet right now through it?
Or
This device is sitting on your desk and you are configuring the whole device right now?
Sorry if I am being slow.
But the Devil's in the details.
Regards,
3nerds
ASKER
OK
I am replacing a pix 501 with this ASA box. The ASA box is not configured yet. I would like to get the access lists etc. all set before I swap it with the 501. I know how to configure the basics on the ASA.
Thanks
Alright now we are on the same page.
You can basically dump your PIX code into the ASA and it will convert 90% or better of it into what the ASA needs. Make sure and test that it works for internet browsing. Once that is done, then complicate the issue with the VPN.
But
As to allowing VPN out of your network to a vendor site, provided you do not have an ACL applied to the inside interface, then it should work out of the box without needing anything additional. The only thing that I would make sure that you do have is NAT-T enabled.
If you have an ACL on the inside interface please post it and I can help you with that.
Regards,
3nerds
ASKER
how do I enable NAT-T?
crypto isakmp nat-traversal
If it is not on you will see
no crypto isakmp nat-traversal
in your config; once you add it, the line disappears. There was a bug in the early code with the check mark in the ASDM of the early versions of code.
Good luck,
3nerds
ASKER
This is the config on the new firewall. Let me know if this looks OK and will pass the traffic. I am testing with the Vendor on Monday. Thanks!
ASA Version 7.2(4)
!
hostname XXX
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 68.195.229.10 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 68.195.229.8 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password XXX encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7942e14321ba21ae31a070cf5d6ae8cf
: end
I see no issues.
You're not specifically blocking anything outbound, and as such VPN should work just fine. Also I don't see the "no NAT-T", so it should be enabled.
Good Luck,
3nerds
ASKER
Does not work. I tried adding an access list. I will post the new config below. I get this error now in the log when trying to connect:
06-08-2009 12:53:20 Local4.Error 192.168.1.1 Jun 08 2009 08:22:04: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.1.2 dst outside:xxx.xxx.xxx.xx
see config
ASA Version 7.2(4)
!
enable password ss encrypted
passwd s encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 68.195.229.10 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any interface outside eq 50
access-list outside_in extended permit udp any interface outside eq 50
access-list outside_in extended permit esp any interface outside
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging host inside 192.168.1.226
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 50 192.168.1.2 50 netmask 255.255.255.255
static (inside,outside) udp interface 50 192.168.1.2 50 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.195.229.8 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password sd
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:404caff93919de09955803e880d3a893
: end
to clarify:
You're doing the following:
user -->VPN --> ASA --> inet --> ASA (vendor)
Is this correct? What device is on the vendor end and what client are you using to connect?
You don't have ISAKMP enabled on your device so you can try this command also:
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
Maybe they don't have NAT-T enabled on their end.
Good Luck,
3nerds
ASKER
I have no control over what the vendor does and have no idea what hardware the vendor uses on their end. On my end they gave me a Cisco 1800. I need to get this working using my firewall. The instructions from the vendor I posted in my question. That is all I have. The topology you have is correct.
Do I need to put in an ACL for all the ports and IPs etc. that are in the instructions?
did you put this in and test?
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
let me know.
3nerds
ASKER
I put that in; it still does not work.
Outbound VPN should work out of the box as stated earlier; obviously it isn't.
Thank you for the clarification. Do you know if the 1800 router is going to be terminating VPN connections to it? Do you know if it is going to be providing a site-to-site VPN link?
Also, looking at your list of ports, ISAKMP is normally on port 500, not 5000; is it possible that is a typo? Or the alternate is 4500 (IPsec NAT-T).
If the router is terminating VPNs, then adding what you have for port 50 (ESP) for 500? and 4500 would not hurt to try.
Good Luck,
3nerds
ASKER
Yes, 5000 is a typo; it is 500.
So what should I try?
add statics for port 500 as well as the acl entries.
same as what you did for port 50.
Regards,
3nerds
ASKER
tried that. still no good. The only purpose of this firewall is to pass the VPN traffic. It does not provide internet access. Would it be easier if NAT was disabled?
I am not sure that would be of benefit, as it would affect the rest of your network. Or is your whole network behind this router?
I am not sure what you are running into. I had asked the question earlier and didn't get a response; maybe you just are not sure, so you are not able to answer.
Do you know if the 1800 router is going to be terminating VPN connections to it? Do you know if it is going to be providing a site-to-site VPN link?
Regards,
3nerds
ASKER
Yes, the 1800 terminates the VPN link. And yes, I believe it creates a site-to-site link. My network is not behind this router. I have a Cisco 2600 the network is behind. If the connection to the vendor is required for a user, the 2600 routes the traffic to the 1800 router. That is the only traffic that goes to the 1800 router and the ASA firewall. Internet traffic is routed by the 2600 to a PIX 506.
Dupont2406,
I am not sure.
I assume you do not have access to the router to see what stage the VPN is getting to when it attempts to connect?
This seems odd to me because as long as the site link is initiated from the 1800 side behind the ASA it should let traffic pass. The only caveats to this are the NAT-T and the inspect pieces that I had you enter.
I am sorry, but at this point if you want to close this and open a new one to see if someone else is able to better help you, I would have no objections. I don't want to hold this up for you.
Was this working with the PIX 501? Or is this a brand new setup?
Regards,
3nerds
ASKER
Brand new setup. According to the doc from the vendor, I need to pass the inbound IP/50 ESP traffic to the 1800 box. As you said, the outbound should work out of the box. The ESP traffic is not port 50; it is protocol 50. Do you know how to get the ASA box to pass the IP/50 ESP traffic to 192.168.1.12, which is the Cisco 1800? I think that would make it work.
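The %ASA-3-305006 line and the ACL/static lines posted earlier in this thread show the two problems the discussion circles around: ESP is IP protocol 50, not TCP/UDP port 50, and interface PAT (`global (outside) 1 interface`) has no port to rewrite for a protocol that carries none, which is why a 1:1 static is what makes inbound ESP reach the inside host. The following Python checker is an added example, not code from anyone in this thread: it parses that syslog line and scans an ASA 7.2-style config for both mistakes; the FIXED_CONFIG lines and the 203.0.113.11 spare public address are assumptions, not taken from the page.

```python
"""Diagnose %ASA-3-305006 for ESP: port/protocol mix-up and PAT-only NAT (added example)."""
import re

# Constructed sample log line; the masked vendor address is replaced by the one quoted in the question.
SAMPLE_LOG = ("Jun 08 2009 08:22:04: %ASA-3-305006: regular translation creation "
              "failed for protocol 50 src inside:192.168.1.2 dst outside:197.199.10.243")
# The relevant lines of the posted config, as constructed sample input.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any interface outside eq 50
access-list outside_in extended permit udp any interface outside eq 50
access-list outside_in extended permit esp any interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 50 192.168.1.2 50 netmask 255.255.255.255
static (inside,outside) udp interface 50 192.168.1.2 50 netmask 255.255.255.255
"""
# Assumed corrected form: a 1:1 static on a spare public address (203.0.113.11 is a placeholder) plus an ACL for ESP to it.
FIXED_CONFIG = """\
access-list outside_in extended permit esp host 197.199.10.243 host 203.0.113.11
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.11 192.168.1.2 netmask 255.255.255.255
"""

LOG_RE = re.compile(r"%ASA-3-305006: .*?for protocol (\d+) src (\w+):([\d.]+) dst (\w+):([\d.]+)")
PORTLESS = {50: "ESP", 51: "AH", 47: "GRE"}  # no layer-4 ports, so interface PAT cannot multiplex them

def parse_305006(line):
    """Return (protocol, src_if, src_ip, dst_if, dst_ip) from a 305006 line, else None."""
    m = LOG_RE.search(line)
    return (int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)) if m else None

def port_confusion(config):
    """Lines that treat IP protocol 50/51 (ESP/AH) as if it were TCP/UDP port 50/51."""
    acl = re.compile(r"^access-list .* permit (tcp|udp) .* eq (50|51)$")
    stat = re.compile(r"^static \(\S+\) (tcp|udp) \S+ (50|51) ")
    return [ln for ln in config.splitlines() if acl.match(ln) or stat.match(ln)]

def one_to_one_static(config, inside_ip):
    """Mapped public address of a plain (non-port) static for inside_ip, or None."""
    pat = re.compile(r"^static \(\S+\) (?!tcp |udp )(\S+) " + re.escape(inside_ip)
                     + r" netmask 255\.255\.255\.255$")
    return next((m.group(1) for m in map(pat.match, config.splitlines()) if m), None)

def esp_permitted_to(config, mapped_ip):
    """True if a 'permit esp' ACL line has destination 'any' or the mapped (pre-NAT) address."""
    pat = re.compile(r"^access-list \S+ extended permit esp .* (any|host %s)$" % re.escape(mapped_ip))
    return any(pat.match(ln) for ln in config.splitlines())

def diagnose(log_line, config):
    """Reasons a 305006 for a port-less protocol occurs with this config (empty if none)."""
    parsed = parse_305006(log_line)
    if parsed is None:
        return []
    proto, _, src_ip, _, _ = parsed
    findings = ["port/protocol mix-up: " + ln for ln in port_confusion(config)]
    mapped = one_to_one_static(config, src_ip)
    if mapped is None and proto in PORTLESS:
        findings.append(f"protocol {proto} ({PORTLESS[proto]}) has no ports, so interface PAT cannot "
                        f"translate it; needs a 1:1 static for {src_ip} on a spare public address")
    elif mapped and not esp_permitted_to(config, mapped):
        findings.append(f"no ACL line permits esp to the mapped address {mapped}")
    return findings
```

Running `diagnose(SAMPLE_LOG, SAMPLE_CONFIG)` reports the four port-50 lines and the missing 1:1 static; against FIXED_CONFIG it reports nothing.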
ASKER CERTIFIED SOLUTION
ASKER
That is one the vendor said to do a 1 to 1 nat. yes I have 5 public ip's avail.
So put in the static line and I should be OK??
ASKER
Sorry, typed too fast. It should say
That is what the vendor said to do (1 to 1 NAT)
At this point I won't say you will be ok, but I will say it looks like it is needed. =)
3nerds
ASKER
Another quick question. From where I am now I can only access the console; I cannot see the syslog server of the ASA box. Is there a command I can run on the ASA when I try to access the VPN to see any errors occurring, or do I have to get access to the syslog server?
Thanks!!
Easiest thing IMHO is to use the ASDM and look at the logs on the home screen.
Make sure the "Latest ASDM syslog messages" is checked.
Saves you from having to access the syslog and doesn't spam your screen while you try to config the device.
Regards,
3nerds
If you want them on the screen while you are consoled in with a Cisco cable it is:
logging console <level>
For a telnet session it is
logging monitor <level>
Regards,
3nerds
ASKER
The 1 to 1 ended up working. Thank you for all your help and patience!!!
ASKER
Thanks!!
Glad it worked!!
woot!
3nerds
or
You need to allow a vendor to VPN into your network? If this one, then is the VPN being terminated by the ASA or a piece of equipment inside your network that the vendor placed?
Regards,
3nerds