phantasm11b
Premium Member
join:2007-11-02

[HELP] New to ASA's - VPN question

I've been doing R&S for about 5 years now and have recently started dabbling with the ASA. I picked up a 5505 Sec+ model and have it up and running just fine. The issue I have though is that I cannot establish an outbound VPN connection from a client machine behind the ASA.

I've permitted GRE, ESP, AH, ISAKMP, and IPSEC outbound; also configured pptp inspection. I'm getting no response from the VPN gateway though. If I disconnect my ASA then the VPN connects just fine.

Any info is appreciated. I've been Googling and what not but haven't found what I'm missing.

-phantasm

HELLFIRE
MVM
join:2009-11-25

Your existing config for starters would help.

Question, is said client machine on the INSIDE or OUTSIDE of the ASA? Likewise,
is the VPN gateway on the INSIDE or OUTSIDE of the ASA?

In terms of troubleshooting, here's what I'd try.

1) ping
2) traceroute
3) telnet [VPN gateway IP] [port service is running]
4) sh conn | i [IP of client or VPN gateway]
5) packet-tracer

My 00000010bits

Regards

phantasm11b
Premium Member
join:2007-11-02

First off, the answers to your question. The client machine is on the INSIDE interface of the ASA and the VPN exists on the OUTSIDE. Web browsing and everything else works so far except traceroute. I'm still trying to figure that out as well.

Regardless, the IP of my VPN gateway pings. I checked it in Packet Tracer and it is stopping at the ASA. The config is below:

ASA Version 9.2(2)4
!
hostname office-asa
domain-name wv.net
enable password n/a encrypted
names
!
interface Ethernet0/0
 description OUTSIDE
 switchport access vlan 2
!
interface Ethernet0/1
 description INSIDE
!
interface Ethernet0/2
 description DMZ
 switchport access vlan 3
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.240
!
boot system disk0:/asa922-4-k8.bin
ftp mode passive
clock timezone EDT -5
clock summer-time EST recurring
dns server-group DefaultDNS
 domain-name wv.net
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network INSIDE_SUBNET
 subnet 192.168.129.0 255.255.255.0
object service dropbox_lan_sync
 service tcp destination eq 17500
object network INSIDE_LAN_SUBNET
 subnet 192.168.10.0 255.255.255.0
object service Clash_of_Clans
 service tcp destination eq 9339
object service minecraft
 service tcp destination eq 25565
object service ipsec_2
 service udp destination eq 4500
object-group network BOGONS
 network-object 127.0.0.0 255.0.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.0.0.0 255.255.255.0
 network-object 192.0.2.0 255.255.255.0
 network-object 192.88.99.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
 network-object 198.18.0.0 255.254.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 192.51.100.0 255.255.255.0
 network-object 203.0.113.0 255.255.255.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0
object-group service network_resources
 service-object tcp-udp destination eq domain
 service-object udp destination eq ntp
 service-object tcp destination eq ssh
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp traceroute
 service-object icmp unreachable
 service-object icmp time-exceeded
object-group service web_resources
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service vpn_resources
 service-object esp
 service-object gre
 service-object ah
 service-object object ipsec
 service-object udp destination eq isakmp
 service-object object ipsec_2
object-group service DM_INLINE_SERVICE_1
 service-object object dropbox_lan_sync
 group-object network_resources
 group-object web_resources
 group-object vpn_resources
object-group service battle_net
 service-object tcp-udp destination eq www
 service-object tcp-udp destination eq 443
 service-object tcp-udp destination eq 1119
 service-object tcp-udp destination range 6881 6999
object-group service diablo_3
 service-object tcp destination eq www
 service-object tcp destination eq 1119
 service-object tcp destination range 6881 6999
 service-object udp destination eq 1119
 service-object udp destination eq 6120
 service-object udp destination range 6881 6999
object-group service starcraft_2
 service-object tcp-udp destination eq 1119
 service-object tcp-udp destination eq 6113
 service-object tcp-udp destination eq 1120
 service-object tcp-udp destination eq www
 service-object tcp-udp destination eq 3724
object-group service battle_net_downloader
 service-object tcp-udp destination eq 1119
 service-object tcp-udp destination eq 1120
 service-object tcp-udp destination eq 3724
 service-object tcp-udp destination eq 4000
 service-object tcp-udp destination eq 6112
 service-object tcp-udp destination eq 6113
 service-object tcp-udp destination eq 6114
 service-object tcp-udp destination range 6881 6999
object-group service world_of_warcraft
 service-object tcp-udp destination eq 3724
 service-object tcp-udp destination eq 1119
object-group service game_ports
 service-object object Clash_of_Clans
 service-object object minecraft
 group-object battle_net
 group-object diablo_3
 group-object starcraft_2
 group-object battle_net_downloader
 group-object world_of_warcraft
object-group service DM_INLINE_SERVICE_2
 group-object network_resources
 group-object web_resources
 service-object object dropbox_lan_sync
 group-object game_ports
object-group service DM_INLINE_SERVICE_3
 group-object network_resources
 group-object web_resources
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object echo-reply
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 object INSIDE_SUBNET any
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 object INSIDE_LAN_SUBNET any
pager lines 24
logging enable
logging timestamp
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 10 burst-size 5
icmp deny any outside
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
router ospf 10
 router-id 1.1.1.1
 network 192.168.0.0 255.255.255.252 area 0
 area 0
 log-adj-changes
 default-information originate always
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.129.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 subject-name CN=192.168.129.1,CN=home-isp-asa
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
 enrollment self
 subject-name CN=192.168.0.1,CN=office-asa
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
 enrollment self
 subject-name CN=192.168.0.1,CN=office-asa
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
 na/a
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_2
 n/a
  quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.129.0 255.255.255.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
 
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.20 prefer
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside
webvpn
 anyconnect-essentials
username n/a password n/a encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
policy-map global-policy
 class inspection_default
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
n/a
: end
 
HELLFIRE
MVM
join:2009-11-25

to phantasm11b
Your object group vpn_resources is defined under object-group DM_INLINE_SERVICE_1, but your existing ACL inside_access_in_1 doesn't specify DM_INLINE_SERVICE_1
to be permitted.

Regarding traceroute through the ASA, try this guide

Regards

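The mistake HELLFIRE spotted is easy to miss by eye in a long ASA config: a service group (vpn_resources) is nested inside another group (DM_INLINE_SERVICE_1) that no applied access-list ever references, so the VPN ports are never actually permitted. The following script is an added example, not code from the thread or from Cisco: it parses the object-group, access-list and access-group sections of a running-config, walks the nested group-object references starting from the ACLs that are actually applied to an interface, and lists service groups that are defined but unreachable. The SAMPLE_CONFIG is a constructed excerpt modelled on the config posted above; the parser only tracks `object-group service` blocks and `access-list ... permit|deny object-group NAME` entries, which is enough for this layout.

```python
"""Audit an ASA config for service object-groups that no applied ACL can reach.

Added example (not from the thread). Assumes the ACL syntax used in the
posted config: 'access-list NAME extended permit object-group SVCGROUP ...'.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted config (not the full config).
SAMPLE_CONFIG = """\
object-group service network_resources
 service-object tcp-udp destination eq domain
 service-object udp destination eq ntp
object-group service vpn_resources
 service-object esp
 service-object gre
 service-object udp destination eq isakmp
object-group service DM_INLINE_SERVICE_1
 group-object network_resources
 group-object vpn_resources
object-group service DM_INLINE_SERVICE_2
 group-object network_resources
object-group service DM_INLINE_SERVICE_3
 group-object network_resources
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 object INSIDE_SUBNET any
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 object INSIDE_LAN_SUBNET any
access-group inside_access_in_1 in interface inside
"""


def parse_service_groups(config):
    """Return {group_name: set(nested group names)} for 'object-group service' blocks.

    Plain 'service-object' lines are members, not nested groups, so they are
    not recorded; only 'group-object' lines create edges between groups.
    """
    groups = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = set()
            continue
        if line.startswith(" ") and current is not None:
            m = re.match(r"\s+group-object (\S+)", line)
            if m:
                groups[current].add(m.group(1))
        else:
            current = None  # any non-indented line ends the block
    return groups


def parse_acl_groups(config):
    """Return {acl_name: set(service object-groups referenced by its entries)}."""
    acls = defaultdict(set)
    pattern = r"^access-list (\S+) extended (?:permit|deny) object-group (\S+)"
    for name, group in re.findall(pattern, config, re.M):
        acls[name].add(group)
    return acls


def parse_applied_acls(config):
    """Return the set of ACL names bound to an interface with 'access-group'."""
    return set(re.findall(r"^access-group (\S+) in interface", config, re.M))


def reachable_groups(groups, roots):
    """Depth-first walk over nested group-object references from the roots."""
    seen = set()
    stack = list(roots)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(groups.get(g, ()))
    return seen


def unreachable_service_groups(config):
    """Service groups that are defined but not reachable from any applied ACL."""
    groups = parse_service_groups(config)
    acls = parse_acl_groups(config)
    roots = set()
    for acl in parse_applied_acls(config):
        roots |= acls.get(acl, set())
    return sorted(set(groups) - reachable_groups(groups, roots))


if __name__ == "__main__":
    for name in unreachable_service_groups(SAMPLE_CONFIG):
        print(f"defined but never permitted by an applied ACL: {name}")
```

Run against the real config the output would name DM_INLINE_SERVICE_1 and, through it, vpn_resources: exactly the group holding ESP, GRE, AH and ISAKMP. The same walk can be extended to `object-group network` and plain `object` references if a config leans on those, but the nesting check alone catches this class of "I defined it, so it must be allowed" mistake.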
phantasm11b
Premium Member
join:2007-11-02

said by HELLFIRE:

Your object group vpn_resources is defined under object-group DM_INLINE_SERVICE_1, but your existing ACL inside_access_in_1 doesn't specify DM_INLINE_SERVICE_1
to be permitted.

Regarding traceroute through the ASA, try this guide

Regards

Thanks Hellfire. That did it. I'm not sure how I missed that... actually I am. I'm still getting used to reading ASA configs. Much appreciated. I'll check out that link you provided as well for the traceroute issue.

ua_hockey
Member
join:2003-08-07
Columbus, OH

to phantasm11b
You'll probably want to also add "inspect ipsec-pass-through" to your global policy as well, assuming your VPN is IPSEC.