Cisco VPN connection to PIX515 and Remote Desktop doesn't work behind ASA5505
Fixed Error!
I am posting my config to see if anyone can help me determine what change to make. If anyone is feeling advantageous I am trying to get my VPN connection working on this ASA5505 using RADIUS but have not been able to successfully connect from the outside yet.

Result of the command: "write term"

```
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password fRUCgOpCf3K0WWsh encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.208.210 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any 192.168.1.32 255.255.255.224
access-list outside_cryptomap extended permit ip any 192.168.1.32 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.1.40-192.168.1.49 mask 255.255.255.0
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.208.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server VPN protocol radius
aaa-server VPN host 192.168.1.200
 timeout 5
 key chbe*pho
group-policy RADIUS internal
group-policy RADIUS attributes
 dns-server value 192.168.1.200
 vpn-tunnel-protocol IPSec
 default-domain value matchless.local
username rstowe password ptL2GtG1qXXbDeUg encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group RADIUS type ipsec-ra
tunnel-group RADIUS general-attributes
 address-pool VPN_Pool
 authentication-server-group VPN
 authorization-server-group VPN
 default-group-policy RADIUS
tunnel-group RADIUS ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.99 inside
dhcpd dns x.x.208.30 x.x.16.30 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0e6d52be896a31035d8a2bb2d
: end
[OK]
```