Allow IPSEC Traffic Through Firewall

I need to allow traffic through my Cisco ASA 5055 for a vendor VPN as follows:
Outside IP of Firewall is 68.195.229.10
Inside IP of Firewall is 192.168.1.10
Outbound to 197.199.10.243 IP/UDP Port 5000 (ISAKMP)
Outbound to 197.199.20.243 IP/UDP Port 5000 (ISAKMP)
Outbound to 197.199.10.243 IP 50 (ESP)
Outbound to 197.199.20.243 IP 50 (ESP)

Inbound 197.199.10.243 IP 50 (ESP)
Inbound 197.199.20.243 IP 50 (ESP)
What commands do I need to run to enable this access?

Thanks!!

dupont2406Asked:

3nerdsCommented:
You need to allow someone to VPN from inside your network out to a Vendor?

or

You need to allow a vendor to VPN into your network? If this one, then is the VPN being terminated by the ASA or a piece of equipment inside your network that the vendor placed?

Regards,

3nerds
0
dupont2406Author Commented:
We were given a piece of hardware that will sit behind the firewall.  Someone from inside the network will VPN to the vendor.  The Firewall just needs to allow the traffic through.
0
3nerdsCommented:
Dupont2406,

Maybe I am not understanding correctly, but VPN access out of your network through the ASA should work out of the box. The only thing that you may need to turn on would be NAT-T.

Do you have an access-list on your inside interface and if so can you post it?

Regards,

3nerds
0

dupont2406Author Commented:
I don't even have the Firewall configured yet.  I am not sure what access list I need to create etc. to allow the VPN Traffic.  The stuff I posted in my question is from the vendor.  I have to make sure I configure the firewall so that traffic passes through.

0
3nerdsCommented:
Dupont2406,

I am sorry I am confused now.

Do you currently have the ASA in your network and allowing traffic to pass through it? Meaning can people browse the internet right now through it?

Or

This device is sitting on your desk and you are configuring the whole device right now?

Sorry if I am being slow.

But the Devil's in the details.

Regards,

3nerds
0
dupont2406Author Commented:
OK

I am replacing a pix 501 with this ASA box.  The ASA box is not configured yet.  I would like to get the access lists etc.  all set before I swap it with the 501.  I know how to configure the basics on the ASA.

Thanks
0
3nerdsCommented:
Alright now we are on the same page.

You can basically dump your PIX code into the ASA and it will convert 90% or better of it into what the ASA needs. Make sure and test that it works for internet browsing. Once that is done then complicate the issue with the VPN.

But

As to allowing VPN out of your network to a vendor site, provided you do not have an ACL applied to the inside interface then it should work out of the box without needing anything additional. The only thing that I would make sure that you do have is NAT-T enabled.

If you have an ACL on the inside interface please post it and I can help you with that.

Regards,

3nerds

0
dupont2406Author Commented:
how do I enable NAT-T?
0
3nerdsCommented:
crypto isakmp nat-traversal

If it is not on you will see

no crypto isakmp nat-traversal

in your config. Once you add it, the line disappears. There was a bug in the early code with the check mark in the ASDM of the early versions of code.

Good luck,

3nerds
0
dupont2406Author Commented:
This is the config on the new firewall.  Let me know if this looks OK and will pass the traffic.  I am testing with the Vendor on Monday.  Thanks!


ASA Version 7.2(4)                  
!
hostname XXX              
enable password XXX encrypted                                          
passwd XXX encrypted                                
names    
!
interface Vlan1              
 nameif inside              
 security-level 100                  
 ip address 192.168.10.1 255.255.255.0                                    
!
interface Vlan2              
 nameif outside              
 security-level 0                
 ip address 68.195.229.10 255.255.255.248                                        
!
interface Ethernet0/0                    
 switchport access vlan 2                        
!
interface Ethernet0/1                    
!
interface Ethernet0/2                    
!
interface Ethernet0/3                    
!
interface Ethernet0/4                    
!
interface Ethernet0/5                    
!
interface Ethernet0/6                    
!
interface Ethernet0/7                    
!
ftp mode passive                
pager lines 24              
logging asdm informational                          
mtu inside 1500              
mtu outside 1500                
icmp unreachable rate-limit 1 burst-size 1                                          
no asdm history enable                      
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 1 0.0.0.0 0.0.0.0                              
route outside 0.0.0.0 0.0.0.0 68.195.229.8 1                                            
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                            
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
crypto isakmp nat-traversal  20                              
telnet timeout 5                
ssh timeout 5            
console timeout 0                

username admin password XXX encrypted privilege 15                                                              
!
class-map inspection_default                            
 match default-inspection-t                        
!
!
policy-map type inspect dns preset_dns_map                                          
 parameters          
  message-length maximum 512                            
policy-map global_policy                        
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7942e14321ba21ae31a070cf5d6ae8cf
: end
0
3nerdsCommented:
I see no issues.

You're not specifically blocking anything outbound and as such VPN should work just fine. Also I don't see the no NAT-T so it should be enabled.

Good Luck,

3nerds

0
dupont2406Author Commented:
Does not work.  I tried adding an access list.  I will post the new config below.  I get this error now on the log when trying to connect

06-08-2009      12:53:20      Local4.Error      192.168.1.1      Jun 08 2009 08:22:04: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.1.2 dst outside:xxx.xxx.xxx.xx

see config

ASA Version 7.2(4)                  
!    
enable password ss encrypted                                          
passwd s encrypted                                
names    
!
interface Vlan1              
 nameif inside              
 security-level 100                  
 ip address 192.168.1.1 255.255.255.0                                    
!
interface Vlan2              
 nameif outside              
 security-level 0                
 ip address 68.195.229.10 255.255.255.248                                        
!
interface Ethernet0/0                    
 switchport access vlan 2                        
!
interface Ethernet0/1                    
!
interface Ethernet0/2                    
!
interface Ethernet0/3                    
!
interface Ethernet0/4                    
!
interface Ethernet0/5                    
!
interface Ethernet0/6                    
!
interface Ethernet0/7                    
!
ftp mode passive                
access-list outside_in extended permit icmp any any echo-reply                                                              
access-list outside_in extended permit tcp any interface outside eq 50                                                                      
access-list outside_in extended permit udp any interface outside eq 50                                                                      
access-list outside_in extended permit esp any interface outside                                                                
pager lines 24              
logging enable              
logging timestamp                
logging trap notifications                          
logging asdm informational                          
logging host inside 192.168.1.226                                
mtu inside 1500              
mtu outsid        
icmp unreachable rate-limit 1 burst-size 1                                          
no asdm history enable                      
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 1 0.0.0.0 0.0.0.0                              
static (inside,outside) tcp interface 50 192.168.1.2 50 netmask 255.255.255.255                                                                              

static (inside,outside) udp interface 50 192.168.1.2 50 netmask 255.255.255.255                                                                              

access-group outside_in in interface outside                                            
route outside 0.0.0.0 0.0.0.0 68.195.229.8 1                                            
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                            
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
telnet 192.168.1.0 255.255.255.0 inside                                      
telnet timeout 5                
ssh timeout 5            
console timeout 0                

username admin password sd                                
!
class-map inspection_default                            
 match default-inspection-traffic                                
!
!
policy-map type inspect dns preset_dns_map                                          
 parameters          
  message-length maximum 512                            
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:404caff93919de09955803e880d3a893
: end

0
3nerdsCommented:
to clarify:

you're doing the following:

user -->VPN --> ASA --> inet --> ASA (vendor)

Is this correct? What device is on the vendor end and what client are you using to connect?

You don't have ISAKMP enabled on your device so you can try this command also:

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

maybe they don't have NAT-T enabled on their end.

Good Luck,

3nerds
0
dupont2406Author Commented:
I have no control over what the vendor does and have no idea what hardware the vendor uses on their end.  On my end they gave me a Cisco 1800.  I need to get this working using my firewall.  The instructions from the vendor I posted in my question.  That is all I have.  The topology you have is correct.  

Do i need to put in an ACL for all the ports and IP's etc that are in the instructions?

0
3nerdsCommented:
did you put this in and test?

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

let me know.

3nerds
0
dupont2406Author Commented:
i put that it still does not work
0
3nerdsCommented:
outbound vpn should work out of the box as stated earlier, obviously it isn't.

Thank you for the clarification, do you know if the 1800 router is going to be terminating VPN connections to it? Do you know if it is going to be providing a site to site VPN link?

Also looking at your list of ports ISAKMP is normally on port 500 not 5000 is it possible that is a typo? Or the alternate is 4500 IPSEC NAT-T.

If the router is terminating VPN's then adding what you have for port 50(esp) for 500? and 4500 would not hurt to try.

Good Luck,

3nerds
0
dupont2406Author Commented:
yes 5000 is a typo it is 500.

so what should i try?
0
3nerdsCommented:
add statics for port 500 as well as the acl entries.

same as what you did for port 50.

Regards,

3nerds
0
dupont2406Author Commented:
tried that.  still no good.  The only purpose of this firewall is to pass the VPN traffic.  It does not provide internet access.  Would it be easier if NAT was disabled?  
0
3nerdsCommented:
I am not sure that would be of benefit as it would affect the rest of your network or is your whole network behind this router?

I am not sure what you are running into, I had asked the question earlier and didn't get a response maybe you just are not sure so you are not able to answer.

Do you know if the 1800 router is going to be terminating VPN connections to it? Do you know if it is going to be providing a site to site VPN link?

Regards,

3nerds
0
dupont2406Author Commented:
Yes the 1800 terminates the VPN link.  And yes I believe it creates a site to site link.  My network is not behind this router.  I have cisco 2600 the network is behind.  If the connection to the vendor is required for a user the 2600 routes the traffic to the 1800 router.  That is the only traffic that goes to the 1800 router and the ASA firewall.  Internet traffic is routed by the 2600 to a pix 506.

0
3nerdsCommented:
Dupont2406,

I am not sure.

I assume you do not have access to the route to see what stage the VPN is getting to when it attempts to connect?

This seems odd to me because as long as the site link is initiated from the 1800 side behind the ASA it should let traffic pass. The only caveats to this are the NAT-T and the inspect pieces that I had you enter.

I am sorry but at this point if you want to close this and open a new one to see if someone else is able to better help you I would have no objections. I don't want to hold this up for you.

was this working with the pix501? Or is this a brand new setup?

Regards,

3nerds
0
dupont2406Author Commented:
Brand new setup.  According to the doc from the vendor I need to pass the inbound IP/50 ESP traffic to the 1800 box.  As you said the outbound should work out of the box.  The ESP traffic is not port 50 it is protocol 50.  Do you know how to get the ASA box to pass the IP/50 ESP traffic to the 192.168.1.12 which is the cisco 1800.  I think that would make it work
0
3nerdsCommented:
Here is what I believe you are doing:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml

You are right it is a protocol and the only way to open that would be to do a 1 to 1 nat and then allow it with the ACL.
static (inside,outside) 68.195.229.11 192.168.1.2 netmask 255.255.255.255 --> you would need a second outside address to do this

you already have the right line in your ACL:
access-list outside_in extended permit esp any interface outside

Do you have a free outside address?

Regards,

3nerds
0
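The failure in this thread, reproduced as a small check. This is an added example, not code from any poster: the function names are hypothetical, the config lines are copied from the failing config above, and 203.0.113.5 is a constructed stand-in for the masked vendor address. It flags entries that open TCP/UDP port 50 instead of IP protocol 50, and ties the %ASA-3-305006 message to an inside host that only has PAT.

```python
import re

# Constructed input: the NAT/ACL lines of the failing config in this thread.
FAILING_CONFIG = """\
access-list outside_in extended permit tcp any interface outside eq 50
access-list outside_in extended permit udp any interface outside eq 50
access-list outside_in extended permit esp any interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 50 192.168.1.2 50 netmask 255.255.255.255
static (inside,outside) udp interface 50 192.168.1.2 50 netmask 255.255.255.255
"""
# The one-to-one static line suggested in the answer above.
ONE_TO_ONE = ("static (inside,outside) 68.195.229.11 192.168.1.2 "
              "netmask 255.255.255.255\n")
# Constructed log line; 203.0.113.5 stands in for the masked vendor peer.
LOG_LINE = ("Jun 08 2009 08:22:04: %ASA-3-305006: regular translation creation "
            "failed for protocol 50 src inside:192.168.1.2 dst outside:203.0.113.5")

PORT50_RE = re.compile(r"^(?:access-list .*permit (?:tcp|udp) .*\beq 50\b"
                       r"|static \(\w+,\w+\) (?:tcp|udp) \S+ 50\b)")
FULL_STATIC_RE = re.compile(r"^static \(\w+,\w+\) [\d.]+ ([\d.]+) netmask")
LOG_RE = re.compile(r"%ASA-3-305006: regular translation creation failed for "
                    r"protocol (\d+) src (\w+):([\d.]+) dst (\w+):(\S+)")

def port50_mistakes(config):
    """Lines that open TCP/UDP *port* 50 instead of IP *protocol* 50 (ESP)."""
    return [l.strip() for l in config.splitlines() if PORT50_RE.match(l.strip())]

def one_to_one_hosts(config):
    """Real (inside) addresses that have a full, port-less static translation."""
    hits = (FULL_STATIC_RE.match(l.strip()) for l in config.splitlines())
    return {m.group(1) for m in hits if m}

def parse_305006(line):
    """Extract protocol and endpoints from a translation-failure syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"protocol": int(m.group(1)), "src_if": m.group(2),
            "src_ip": m.group(3), "dst_if": m.group(4), "dst_ip": m.group(5)}

def diagnose(config, log_line):
    """Combine the config lint with the syslog event into readable findings."""
    findings = [f"port 50 is not ESP: {l}" for l in port50_mistakes(config)]
    event = parse_305006(log_line)
    # ESP has no ports, so dynamic PAT cannot build a translation for it.
    if event and event["protocol"] == 50 \
            and event["src_ip"] not in one_to_one_hosts(config):
        findings.append(f"{event['src_ip']} sends ESP through PAT only; "
                        "add a one-to-one static")
    return findings

if __name__ == "__main__":
    for f in diagnose(FAILING_CONFIG, LOG_LINE):
        print("BEFORE:", f)
    for f in diagnose(FAILING_CONFIG + ONE_TO_ONE, LOG_LINE):
        print("AFTER 1:1 NAT:", f)
```

After the one-to-one static is appended, the PAT finding disappears; the four port-50 entries are still reported because they never matched ESP in the first place.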

dupont2406Author Commented:
That is one the vendor said to do a 1 to 1 nat.  yes I have 5 public ip's avail.

so put in the static line and i should be OK??
0
dupont2406Author Commented:
sorry typed too fast.  it should say

That is what the vendor said to do (1 to 1 NAT)
0
3nerdsCommented:
At this point I won't say you will be ok, but I will say it looks like it is needed. =)

3nerds
0
dupont2406Author Commented:
another quick question.  From where I am now I can only access the console, I cannot see the syslog server of the ASA box.  Is there a command I can run on the ASA when I try to access the VPN to see any errors occurring or do I have to get access to the syslog server?

Thanks!!
0
3nerdsCommented:
easiest thing imho is to use the ASDM and look at the logs on the home screen.

make sure the "Latest ASDM syslog messages" is checked.

save you from having to access the syslog and doesn't spam your screen while you try to config the device.

Regards,

3nerds
0
3nerdsCommented:
if you want them on the screen while you are consoled in with a cisco cable it is:

logging console <level>

for a telnet session it is

logging monitor <level>

Regards,

3nerds
0
dupont2406Author Commented:
the 1 to 1 ended up working.  Thank you for all your help and patience!!!

0
dupont2406Author Commented:
Thanks!!
0
3nerdsCommented:
Glad it worked!!

woot!

3nerds
0