Setting up VPN on a Cisco ASA5500 series

by nevermore on Jul.25, 2008, under Networking, work

So, I'm pretty new to this whole Cisco equipment stuff, but man is it cool. I took over the net admin position at this company as the last guy left (and was pretty much worthless anyway, or so everyone around here seems to say), and they were right in the middle of a network upgrade that had been going on for over a year and a half, lol... yeah... stupid.

Anyway, they bought a Cisco ASA5510 to be their new firewall; however, they are currently using Microsoft ISA to route traffic to the webservers as a reverse proxy, and the ASA series of course does not offer this feature. So the thing has been sitting around without power since I started working here. In the last month I've figured out all our network settings, which were not documented anywhere of course, and configured both the inside and outside adapters, and after some help from my friend David I had my static route set up and everything was good. I could get out from the inside to the interwebs without issue. Sweet! Alright, now on to VPN, because eventually we're going to need it for access to the webservers, which I'm going to set up in a DMZ.

So I ran through the VPN wizard in the ASDM 6.1 software. Oh, by the way, I updated the ASA firmware and ASDM too. That was easy. All I did was install a TFTP server on a machine I had access to that had an Internet IP, and then issued the following commands:

ASA5510# copy tftp disk0
Address or name of remote host []? ipgoeshere
Source filename []? asa803-k8.bin
Destination filename [disk0]? disk0:asa803-k8.bin
Accessing tftp://ipgoeshere/asa803-k8.bin...!!!!!! x 290731982471
Writing file disk0:/asa803-k8.bin... !!!!! x 9274918274182974
14524416 bytes copied in 118.210 secs (123088 bytes/sec)

I did the same thing for the ASDM-611.bin as well.

Anyway, back to the VPN. So I ran the wizard, set up the remote access pool and group, added a user, set it to the Internet interface for "where connections are coming from", and clicked Finish. Then I went to try and connect: I was able to connect, but I couldn't see any other hosts, or even connect by IP address.

I then started reading about common Cisco VPN issues, and I found the article on this page:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#topic1

Reading through it, the first thing I found was:
Problem – An IPsec VPN Configuration Does Not Work

A recently configured or modified IPsec VPN solution does not work.

A current IPsec VPN configuration no longer works.
Solutions

This section contains solutions to the most common IPsec VPN problems. Although they are not listed in any particular order, these solutions can be used as a checklist of items to verify or try before you engage in in-depth troubleshooting and call the TAC. All of these solutions come directly from TAC service requests and have resolved numerous customer issues.

Note: Some of the commands in these sections have been brought down to a second line due to spatial considerations.
Enable NAT-Traversal (#1 RA VPN Issue)

NAT-Traversal or NAT-T allows VPN traffic to pass through NAT or PAT devices, such as a Linksys SOHO router. If NAT-T is not enabled, VPN Client users often appear to connect to the PIX or ASA without a problem, but they are unable to access the internal network behind the security appliance.

If you do not enable the NAT-T in the NAT/PAT Device, you can receive the regular translation creation failed for protocol 50 src inside:10.0.1.26 dst outside:10.9.69.4 error message in the PIX/ASA.

Similarly, if you are unable to do simultaneous login from the same IP address, the Secure VPN connection terminated locally by client. Reason 412: The remote peer is no longer responding. error message appears. Enable NAT-T in the head end VPN device in order to resolve this error.

Note: With Cisco IOS Software Release 12.2(13)T and later, NAT-T is enabled by default in Cisco IOS.

Here is the command to enable NAT-T on a Cisco Security Appliance. The 20 in this example is the keepalive time (default).

PIX/ASA 7.1 and earlier

pix(config)#isakmp nat-traversal 20

PIX/ASA 7.2(1) and later

securityappliance(config)#crypto isakmp nat-traversal 20

The clients need to be modified as well in order for it to work.

In Cisco VPN Client, choose to Connection Entries and click Modify. It opens a new window where you have to choose the Transport tab. Under this tab, choose Enable Transparent Tunneling and the IPSec over UDP ( NAT / PAT ) radio button. Then click Save and test the connection.

So I did exactly that through the CLI on the ASA5500 and connected again, and OMG, I can RDP into other machines on the network through the VPN, either by hostname or IP, and I can map network drives too, which is good. Now I just gotta set up the DMZ and a new reverse proxy (cough nginx cough).
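Why that one command fixes the "connects but can't reach anything" symptom, as an added example (this is not code from the original post and not Cisco's): IKE runs over UDP/500, so a PAT device in front of the client can translate it and the tunnel negotiates fine. The actual tunnel data is ESP, IP protocol 50, which has no port field for PAT to rewrite, so the data packets never get a translation and the client sits there "connected" with nothing behind it. NAT-T wraps ESP in UDP/4500, giving PAT something to work with. The toy PAT model, the 203.0.113.10 outside address and the ASA-style syslog lines below are all constructed for illustration; the second syslog line reproduces the message quoted in the Cisco article above.

```python
"""Why enabling NAT-T fixes an IPsec remote-access VPN behind PAT.

Added example, not part of the original post or of Cisco's documentation.
  1. A toy PAT device: raw ESP (IP protocol 50) has no port to rewrite, so
     translation fails; NAT-T carries ESP inside UDP/4500, which PAT handles
     like any other UDP flow.
  2. A scanner for the ASA syslog message quoted in the post
     ("translation creation failed for protocol 50 ...").
Addresses, the outside IP and the syslog lines are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ESP = 50
UDP = 17
IKE_PORT = 500      # IKE phase 1/2 negotiation
NAT_T_PORT = 4500   # UDP encapsulation port used by NAT-T for ESP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # ESP has no transport header, so no ports
    dport: Optional[int] = None


@dataclass
class PatDevice:
    """Minimal port-address-translation model: many inside hosts share one
    outside IP and flows are told apart by (proto, translated source port)."""
    outside_ip: str
    next_port: int = 1024
    table: dict = field(default_factory=dict)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        # PAT needs a source port to rewrite; a bare ESP header has none,
        # which is the condition the ASA logs as a failed translation.
        if pkt.sport is None or pkt.dport is None:
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.outside_ip, pkt.dst, self.table[key], pkt.dport)


def esp_packet(src: str, dst: str, nat_t: bool) -> Packet:
    """Tunnel-data packet a VPN client emits, with or without NAT-T."""
    if nat_t:
        return Packet(UDP, src, dst, NAT_T_PORT, NAT_T_PORT)  # ESP-in-UDP
    return Packet(ESP, src, dst)                               # raw ESP


# Constructed ASA-style syslog: IKE over UDP/500 builds fine, ESP does not.
SAMPLE_SYSLOG = [
    "%ASA-6-302015: Built outbound UDP connection 1201 for outside:10.9.69.4/500 "
    "(10.9.69.4/500) to inside:10.0.1.26/500 (203.0.113.10/500)",
    "%ASA-3-305006: regular translation creation failed for protocol 50 "
    "src inside:10.0.1.26 dst outside:10.9.69.4",
    "%ASA-6-302016: Teardown UDP connection 1201 for outside:10.9.69.4/500 "
    "to inside:10.0.1.26/500 duration 0:00:30 bytes 1840",
]

# Field order follows the message quoted in the post.
XLATE_FAIL = re.compile(
    r"translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)


def find_esp_translation_failures(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (src, dst) for every protocol-50 translation failure in the log."""
    hits = []
    for line in lines:
        m = XLATE_FAIL.search(line)
        if m and int(m.group("proto")) == ESP:
            hits.append((m.group("src"), m.group("dst")))
    return hits


if __name__ == "__main__":
    pat = PatDevice("203.0.113.10")
    for nat_t in (False, True):
        pkt = esp_packet("10.0.1.26", "10.9.69.4", nat_t)
        print("NAT-T" if nat_t else "raw ESP", "->", pat.translate(pkt))
    print(find_esp_translation_failures(SAMPLE_SYSLOG))
```

The practical check after enabling NAT-T on the head end and transparent tunnelling on the client is that the client's tunnel traffic arriving on the outside interface is now UDP/4500 rather than IP protocol 50, and the protocol-50 translation failures stop appearing in the log.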

