
Unable to establish VPN connection from behind ASA 5505

I have a brand new out-of-the-box ASA 5505 that has been setup to provide firewall protection to small SOHO environment. I need to be able to establish a VPN connection to a distant site from the SOHO network behind the ASA. This does not work successfully with the default configuration. Can someone let me know what is required to allow VPN traffic passthrough? Thx
 
You bet. Here you go.

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ed2c022e55bb3c8cb3e2b9886f50c1f
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

 
Try adding

isakmp enable
isakmp nat-traversal 30



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
The isakmp commands are for tunnels terminating at the ASA or PIX.

1. Determine if nat traversal is supported on the remote side.

You can do a quick capture to see if IP 50 (ESP) is trying to talk on the firewall. This will tell you that NAT-T hasn't been enabled on the remote end.

ciscoasa(config)# access-list capcrypto permit 50 any any
ciscoasa(config)# access-list capcrypto permit udp any any eq 500
ciscoasa(config)# cap capvpn access-list capcrypto interface outside
! - Initiate Client traffic
ciscoasa(config)# sh cap capvpn
! - Post output on the forum
ciscoasa(config)# no cap capvpn
! - Remove the capture

You could also enable logging on the client.


 
Here is the result of the capture:

****** START *******

2 packets captured
1: 11:33:46.375697 802.1Q vlan#2 P0 ###.###.###.###.33 > @@@.@@@.@@@.@@@.500: udp 160
2: 11:33:46:863450 802.1Q vlan#2 P0 @@@.@@@.@@@.@@@.500 > ###.###.###.###.500 udp 84
2 packets shown

******* END *******


###.###.###.### - My external IP address
@@@.@@@.@@@.@@@ - Remote IP address
 
change the capture access-list to

access-list capcrypto permit ip host @@@.@@@.@@@.@@@ any
access-list capcrypto permit ip host any @@@.@@@.@@@.@@@

and retry.

Did you enable logging on the VPN Client?

Go to Log Tab, Click enable.

Attempt to connect and post both outputs.

 
OK. I changed the capture access-list as requested however the second entry you provided was not accepted as you had typed it out above. It reported back that there was a problem with "any" but only for the second entry. I replaced "any" with "0.0.0.0 0.0.0.0". I hope that is the same in this case.

After doing so this was the result of the capture:

1 packets captured
1: 11:33:46:863450 802.1Q vlan#2 P0 @@@.@@@.@@@.@@@.500 > ###.###.###.###.500 udp 84
1 packets shown

---------------------------

More information:
I am using the Greenbow VPN Client software v4.00 and connecting at the far end to a linksys router. I have used this VPN client software successfully for about a year now and have been connecting to this VPN endpoint for the same time. Prior to the ASA 5505 being on my network I had a Linksys router.

To be clear, if I remove the ASA from the equation it immediately connects without incident as it always has before. I just wanted to make sure it was clear that the only thing new here is the introduction of the default configured ASA 5505.

I did also turn on logging in the Greenbow VPN client. The result is lengthy but here it is:

20071018 172536 Sdep 90 notified with TGBMONITOR_SA_DEL
20071018 172536 SA 90 sa_find: no SA matched query
20071018 172538 Sdep 90 notified with VPNCONF_SA_OPEN
20071018 172538 SA 90 sa_find: no SA matched query
20071018 172538 Sdep 70 sysdep_connection_check: SA for MyConnectionProfileName-MyConnectionProfileName-P2 missing
20071018 172538 Misc 95 conf_get_str: configuration value not found [Phase 2]:passive-connections
20071018 172538 Misc 75 get_p1name: no Phase 2 Passive-connections found
20071018 172538 Misc 95 conf_get_str: configuration value not found [Phase 2]:passive-connections
20071018 172538 Misc 75 get_p1name: no Phase 2 Passive-connections found
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-MyConnectionProfileName-P2]:phase->2
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-MyConnectionProfileName-P2]:ISAKMP-peer->MyConnectionProfileName-P1
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:ID
20071018 172538 Sdep 10 conf_x509_subject_set: No ID given for "MyConnectionProfileName-P1"
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-MyConnectionProfileName-P2]:phase->2
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-MyConnectionProfileName-P2]:ISAKMP-peer->MyConnectionProfileName-P1
20071018 172538 SA 90 sa_find: no SA matched query
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-P1]:phase->1
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-P1]:phase->1
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-P1]:Transport->udp
20071018 172538 Misc 95 conf_get_str: configuration value not found [General]:port_IKE
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-P1]:Address->216.126.109.6
20071018 172538 Sdep 10 remote gateway is 216.126.109.6
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:Local-address
20071018 172538 Misc 95 conf_get_str: configuration value not found [General]:Listen-on
20071018 172538 Trpt 70 transport_add: adding 011330F0
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-P1]:Configuration->MyConnectionProfileName-main-mode
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-main-mode]:DOI->IPSEC
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-main-mode]:EXCHANGE_TYPE->ID_PROT
20071018 172538 Misc 95 conf_get_str: [General]:Exchange-max-time->80
20071018 172538 Timr 20 => timer_add_event
20071018 172538 Timr 20 => timer_debug
20071018 172538 Timr 20 <= timer_debug
20071018 172538 Timr 15 timer_add_event: add exchange_free_aux (004057A7) with arg 01132F30 expiration 1192750018
20071018 172538 Timr 15 timer_add_event: event exchange_free_aux(01132F30) added last, expiration in 80s
20071018 172538 Timr 20 => timer_debug
20071018 172538 Timr 15 timer 01133010 exchange_free_aux expiration in 80 s
20071018 172538 Timr 20 <= timer_debug
20071018 172538 Timr 20 <= timer_add_event
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-P1]:Configuration->MyConnectionProfileName-main-mode
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:Xauth
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:Rconf
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:XAuthMode
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:Xpopup
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:Xuser
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:Flags
20071018 172538 Cryp 60 hash_get: requested algorithm 1
20071018 172538 Exch 15 exchange_establish_p1: 01132F30 MyConnectionProfileName-P1 MyConnectionProfileName-main-mode policy initiator phase 1 doi 1 exchange 2 step 0
20071018 172538 Exch 15 exchange_establish_p1: icookie 4e5c4c7b377590ad rcookie 0000000000000000
20071018 172538 Exch 15 exchange_establish_p1: msgid 00000000
20071018 172538 Trpt 95 transport_reference: transport 011330F0 now has 1 references
20071018 172538 Mesg 90 message_alloc: allocated 01132E60
20071018 172538 SA 80 sa_reference: SA 01132CF0 now has 1 references
20071018 172538 SA 70 sa_enter: SA 01132CF0 added to SA list
20071018 172538 SA 80 sa_reference: SA 01132CF0 now has 2 references
20071018 172538 SA 60 sa_create: sa 01132CF0 phase 1 added to exchange 01132F30 (MyConnectionProfileName-P1)
20071018 172538 SA 80 sa_reference: SA 01132CF0 now has 3 references
20071018 172538 SA 80 Found SA in bucket 37
20071018 172538 SA 80 Dumping SA 01132CF0
20071018 172538 SA 80 SA name = (null)
20071018 172538 SA 80 SA flags = 00000000
20071018 172538 SA 80 SA phase = 1
20071018 172538 SA 80 SA references = 3
20071018 172538 SA 90 sa_find: no SA matched query
20071018 172538 Misc 95 conf_get_str: [MyConnectionProfileName-main-mode]:Transforms->3DES-SHA-GRP1
20071018 172538 Misc 95 conf_get_str: [3DES-SHA-GRP1]:ENCRYPTION_ALGORITHM->3DES_CBC
20071018 172538 Misc 95 conf_get_str: [3DES-SHA-GRP1]:HASH_ALGORITHM->SHA
20071018 172538 Misc 95 conf_get_str: [3DES-SHA-GRP1]:AUTHENTICATION_METHOD->PRE_SHARED
20071018 172538 Misc 95 conf_get_str: [3DES-SHA-GRP1]:GROUP_DESCRIPTION->MODP_768
20071018 172538 Misc 95 conf_get_str: [3DES-SHA-GRP1]:Life->LIFE_MAIN_MODE
20071018 172538 Misc 95 conf_get_str: [LIFE_MAIN_MODE]:LIFE_TYPE->SECONDS
20071018 172538 Misc 95 conf_get_str: [LIFE_MAIN_MODE]:LIFE_DURATION->1800,360:28800
20071018 172538 Misc 95 conf_get_str: configuration value not found [3DES-SHA-GRP1]:pRF
20071018 172538 Misc 70 attribute_set_constant: no PRF in the 3DES-SHA-GRP1 section
20071018 172538 Misc 95 conf_get_str: configuration value not found [3DES-SHA-GRP1]:KEY_LENGTH
20071018 172538 Misc 95 conf_get_str: configuration value not found [3DES-SHA-GRP1]:FIELD_SIZE
20071018 172538 Misc 95 conf_get_str: configuration value not found [3DES-SHA-GRP1]:GROUP_ORDER
20071018 172538 Cryp 60 hash_get: requested algorithm 1
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:NATT_ENABLED
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:NATT_ENABLED
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:NATT_ENABLED
20071018 172538 Exch 90 exchange_validate: checking for required SA
20071018 172538 Default (SA MyConnectionProfileName-P1) SEND phase 1 Main Mode [SA] [VID] [VID] [VID] [VID]
20071018 172538 Mesg 90 message_send: message 01132E60
20071018 172538 Mesg 70 ICOOKIE: 0x4e5c4c7b377590
20071018 172538 Mesg 70 RCOOKIE: 0x00000000000000
20071018 172538 Mesg 70 NEXT_PAYLOAD: SA
20071018 172538 Mesg 70 VERSION: 16
20071018 172538 Mesg 70 EXCH_TYPE: ID_PROT
20071018 172538 Mesg 70 FLAGS: [ ]
20071018 172538 Mesg 70 MESSAGE_ID: 0x000000
20071018 172538 Mesg 70 LENGTH: 160
20071018 172538 Mesg 90 message_send: 4e5c4c7b 377590ad 00000000 00000000 01100200 00000000 000000a0 0d000034
20071018 172538 Mesg 90 message_send: 00000001 00000001 00000028 01010001 00000020 00010000 80010005 80020002
20071018 172538 Mesg 90 message_send: 80030001 80040001 800b0001 800c0708 0d000014 4485152d 18b6bbcd 0be8a846
20071018 172538 Mesg 90 message_send: 9579ddcc 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 7d9419a6
20071018 172538 Mesg 90 message_send: 5310ca6f 2c179d92 15529d56 00000014 afcad713 68a1f1c9 6b8696fc 77570100
20071018 172538 Exch 40 exchange_run: exchange 01132F30 finished step 0, advancing...
20071018 172538 Exch 90 exchange_lookup_by_name: MyConnectionProfileName-P1 == MyConnectionProfileName-P1 && 1 == 1?
20071018 172538 Sdep 20 => check_pending_msg
20071018 172538 Trpt 20 => transport_send_messages
20071018 172538 Trpt 95 transport_reference: transport 011330F0 now has 2 references
20071018 172538 Trpt 95 transport_reference: transport 011A4090 now has 2 references
20071018 172538 Trpt 95 transport_reference: transport 00BBF760 now has 2 references
20071018 172538 Trpt 95 transport_reference: transport 00BBF6D0 now has 2 references
20071018 172538 Trpt 95 transport_reference: transport 00BBF710 now has 2 references
20071018 172538 Trpt 95 transport_reference: transport 00BBFF00 now has 2 references
20071018 172538 Trpt 95 transport_reference: transport 00BBFFC0 now has 2 references
20071018 172538 Trpt 95 transport_reference: transport 00BB0310 now has 2 references
20071018 172538 Trpt 95 transport_reference: transport 00BB0370 now has 2 references
20071018 172538 Trpt 20 => udp_send_message
20071018 172538 Trpt 20 <= udp_send_message
20071018 172538 Misc 95 conf_get_str: [General]:retransmits->5
20071018 172538 Trpt 30 transport_send_messages: message 01132E60 scheduled for retransmission 1 in 7 secs
20071018 172538 Timr 20 => timer_add_event
20071018 172538 Timr 20 => timer_debug
20071018 172538 Timr 15 timer 01133010 exchange_free_aux expiration in 80 s
20071018 172538 Timr 20 <= timer_debug
20071018 172538 Timr 15 timer_add_event: add message_send_expire (0041C873) with arg 01132E60 expiration 1192749945
20071018 172538 Timr 15 timer_add_event: event message_send_expire(01132E60) added before exchange_free_aux(01132F30), expiration in 7s
20071018 172538 Timr 20 => timer_debug
20071018 172538 Timr 15 timer 011329A0 message_send_expire expiration in 7 s
20071018 172538 Timr 15 timer 01133010 exchange_free_aux expiration in 80 s
20071018 172538 Timr 20 <= timer_debug
20071018 172538 Timr 20 <= timer_add_event
20071018 172538 Trpt 95 transport_release: transport 011330F0 now has 1 references
20071018 172538 Trpt 95 transport_release: transport 011A4090 now has 1 references
20071018 172538 Trpt 95 transport_release: transport 00BBF760 now has 1 references
20071018 172538 Trpt 95 transport_release: transport 00BBF6D0 now has 1 references
20071018 172538 Trpt 95 transport_release: transport 00BBF710 now has 1 references
20071018 172538 Trpt 95 transport_release: transport 00BBFF00 now has 1 references
20071018 172538 Trpt 95 transport_release: transport 00BBFFC0 now has 1 references
20071018 172538 Trpt 95 transport_release: transport 00BB0310 now has 1 references
20071018 172538 Trpt 95 transport_release: transport 00BB0370 now has 1 references
20071018 172538 Trpt 20 <= transport_send_messages
20071018 172538 Timr 20 => timer_handle_expirations
20071018 172538 Timr 20 => timer_debug
20071018 172538 Timr 15 timer 011329A0 message_send_expire expiration in 7 s
20071018 172538 Timr 15 timer 01133010 exchange_free_aux expiration in 80 s
20071018 172538 Timr 20 <= timer_debug
20071018 172538 Timr 20 => timer_debug
20071018 172538 Timr 15 timer 011329A0 message_send_expire expiration in 7 s
20071018 172538 Timr 15 timer 01133010 exchange_free_aux expiration in 80 s
20071018 172538 Timr 20 <= timer_debug
20071018 172538 Timr 20 <= timer_handle_expirations
20071018 172538 Sdep 20 <= check_pending_msg
 
More interesting information:

I have a different computer, a laptop configured with a Nortel Contivity VPN client which I use to access a different network. Interestingly from my internal network located behind the ASA 5505 I am ABLE to establish a VPN connection to a different remote network using this laptop and Nortel VPN client.

I offer this info to show that at least some VPN related traffic is being allowed through the ASA. Obviously there are great differences between how Nortel has implemented their VPN solution and how the Greenbow has implemented it in their VPN client.

Again though, I will underscore that if I remove the ASA I can successfully establish a VPN session using the Greenbow VPN client. So there is obviously some config required on the ASA to allow the Greenbow client to connect through it to remote VPN gateways.
 
Haven't experienced this client before but my best guess is NAT Traversal is not enabled on the termination point:

20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:NATT_ENABLED
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:NATT_ENABLED
20071018 172538 Misc 95 conf_get_str: configuration value not found [MyConnectionProfileName-P1]:NATT_ENABLED

This would explain the inability to pass phase 2. The ASA has a VPN pass-through ability, but it works with NAT exemption and NAT, not PAT, so this probably won't help you.


I did a little reading about the Greenbow client. You could try setting the client to force nat traversal. See the following link:


There are instructions there on how to do this.
 
Try this for your capture ACL:

access-list capcrypto permit ip host @@@.@@@.@@@.@@@ any
access-list capcrypto permit ip any host @@@.@@@.@@@.@@@

That will capture traffic in both directions.

Have you checked the ASA's logs when you try this connection?

asa(config)# logging on
asa(config)# logging buffered debug

then before you start the connection

asa# clear logg buff

start the connection

asa# show logg

Check the output for deny messages or messages related to translations. Maybe there are some clues there. A quick check of TheGreenBow's website indicates that the client should be able to do NAT-T, so this is perplexing.

Matt
CCSP
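Added example (not code from any poster in this thread): a decoder for the first Main Mode message dumped in the Greenbow log above (the five message_send: lines). It checks the ISAKMP header against what the log printed (ID_PROT, length 160), walks the payload chain, extracts the proposed transform, and labels the vendor-ID payloads with the well-known NAT-T draft/RFC hashes, which is the quickest way to see what NAT-T variants the client actually offers; the vendor-ID table is assumed from the usual IKEv1 vendor-ID lists, not from the page.

```python
import struct

# The five "message_send:" hex lines from the client log above, joined.
IKE_MSG_HEX = (
    "4e5c4c7b 377590ad 00000000 00000000 01100200 00000000 000000a0 0d000034 "
    "00000001 00000001 00000028 01010001 00000020 00010000 80010005 80020002 "
    "80030001 80040001 800b0001 800c0708 0d000014 4485152d 18b6bbcd 0be8a846 "
    "9579ddcc 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 7d9419a6 "
    "5310ca6f 2c179d92 15529d56 00000014 afcad713 68a1f1c9 6b8696fc 77570100"
)
KNOWN_VIDS = {  # well-known IKEv1 vendor-ID hashes (MD5 of the draft/RFC name), assumed table
    "4485152d18b6bbcd0be8a8469579ddcc": "NAT-T draft-ietf-ipsec-nat-t-ike-00",
    "90cb80913ebb696e086381b5ec427b1f": "NAT-T draft-ietf-ipsec-nat-t-ike-02",
    "7d9419a65310ca6f2c179d9215529d56": "NAT-T draft-ietf-ipsec-nat-t-ike-03",
    "4a131c81070358455c5728f20e95452f": "NAT-T RFC 3947",
    "afcad71368a1f1c96b8696fc77570100": "Dead Peer Detection (RFC 3706)",
}
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_VID, EXCH_ID_PROT = 0, 1, 13, 2
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life"}

def parse_header(msg):
    """ISAKMP header (28 bytes): next payload, version, exchange type, length."""
    h = struct.unpack("!8s8sBBBBII", msg[:28])  # icookie rcookie np ver exch flags msgid len
    nxt, ver, exch, length = h[2], h[3], h[4], h[7]
    if length != len(msg):
        raise ValueError("header says %d bytes, dump has %d" % (length, len(msg)))
    return {"next": nxt, "version": (ver >> 4, ver & 0xF), "exchange": exch, "length": length}

def walk_payloads(msg):
    """Yield (payload_type, body) by following the next-payload chain."""
    nxt, off = msg[16], 28
    while nxt != PAYLOAD_NONE:
        nxt_after, _, plen = struct.unpack("!BBH", msg[off:off + 4])  # struct.error if truncated
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length at offset %d" % off)
        yield nxt, msg[off + 4:off + plen]
        nxt, off = nxt_after, off + plen

def parse_sa_attrs(body):
    """Basic (TV) attributes of the first transform of the first proposal."""
    t = 16 + body[14]                  # skip DOI, situation, proposal header, SPI
    tlen = struct.unpack("!H", body[t + 2:t + 4])[0]
    attrs, p = {}, t + 8
    while p < t + tlen:
        atype, val = struct.unpack("!HH", body[p:p + 4])
        if atype & 0x8000:             # TV form: 16-bit value in place
            attrs[ATTR_NAMES.get(atype & 0x7FFF, atype & 0x7FFF)] = val
        p += 4 if atype & 0x8000 else 4 + val   # TLV form: val is the value length
    return attrs

def analyze(hex_dump):
    """Summarise exchange type, proposed transform and NAT-T capability."""
    msg = bytes.fromhex("".join(hex_dump.split()))
    hdr, vids, sa = parse_header(msg), [], {}
    for ptype, body in walk_payloads(msg):
        if ptype == PAYLOAD_VID:
            vids.append(KNOWN_VIDS.get(body.hex(), "unknown:" + body.hex()))
        elif ptype == PAYLOAD_SA:
            sa = parse_sa_attrs(body)
    return {"main_mode": hdr["exchange"] == EXCH_ID_PROT, "length": hdr["length"],
            "transform": sa, "vids": vids, "rfc3947": "NAT-T RFC 3947" in vids,
            "natt_offered": [v for v in vids if v.startswith("NAT-T")]}
```

On this dump the client proposes 3DES/SHA/PSK/group 1 with an 1800 s lifetime and offers the NAT-T draft-00, -02 and -03 vendor IDs but not the RFC 3947 one; NAT-T is only used if the responder echoes one of those VIDs back in its reply, so the same decode on the gateway's first reply (captured on the outside interface) tells you whether the two ends agreed on it.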
 
It is without any doubt a NAT related issue. A few questions:

I'm assuming the default configuration is for PAT? Especially since I have only a single dynamically assigned ip address on the outside interface from my ISP. If that is the case would it be any different when I had a Linksys router here instead of this ASA? Does the Linksys not do PAT by default as well?

Also on the far end as I mentioned is a Linksys router that I am attempting to VPN to. If any additional configuration needs to be made at that end to configure NAT Traversal where in the Linksys config do you do that? I can't find anything about it?

Please clarify all of my understanding as stated above. Thanks a lot for all the help thus far.
 
The linksys router is probably just allowing everything through without inspection. You could try some static statements. Did you try setting the force NAT T option with the greenbow client?

 
I have tried forcing NAT-T in the Greenbow client but that doesn't seem to make any difference.

As far as following the instructions for configuring a Linksys router with the Greenbow client, as mentioned I have used the Greenbow with this particular Linksys VPN gateway for about a year and can still do so today, if I remove the ASA.

I have however reviewed their instructions a couple of times and it doesn't appear anything has been missed.

From the little reading I have done about NAT Traversal it appears as if this feature would need to be configured at each end not just on the client end. Is that correct?

All that being said, it is obvious I am probably moving beyond the realm of this being an issue with the ASA and should perhaps move this to a Greenbow or Linksys forum. Thanks for indulging me.
 