
IPSec hell

Discussion in 'Business & Enterprise Computing' started by Spiredore, Oct 11, 2016.

  1. Spiredore

    Spiredore Member

    Joined:
    Sep 5, 2002
    Messages:
    306
    Location:
    Sydney
    While this is a networking connection I'm sure it has more chance of making sense here.

    I am having problems making connections to a remote Cisco ASA from the office LAN.

    The office LAN is behind a Windows Server RRAS with several public IPs.

    What I can do is take my workstation off the LAN and tether it up to a mobile phone and it connects correctly to the ASA.

    Anyone have any suggestions on what to attack first as I am not sure where it is going wrong?


    I have read a few things this arvo about having to enable NAT-T on the RRAS box but it is not clear if this will work.

    Cheers,
    Spire
     
  2. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,897
    Location:
    Brisbane
    How are you connecting to the ASA externally?

    Are you attempting to set up a VPN connection to the RRAS server? Have you forwarded the ports required?
     
  3. OP
    Spiredore

    Spiredore Member

    Joined:
    Sep 5, 2002
    Messages:
    306
    Location:
    Sydney
    I have a win 7 box running the Cisco VPN client.
    From the logs it appears to be not getting past Phase 1 of the connection process.


    The ASA is in another city and belongs to another company.

    I only bring up RRAS as that is the only difference I have between a working and failing setup.
    This is the flow
    my PC -> Server RRAS that has multiple IPs -> internet -> remote ASA.

    If I change the flow to
    my PC -> Mobile phone tether -> internet -> remote ASA.
    It works.

    This would suggest that the Server RRAS is blocking it somehow.
    All the articles I have been reading are about site-to-site configs which don't apply here.

    I don't understand how IPSec works very well, but my current lines of thought are that either the RRAS is blocking ports or there is something funky with NAT.

    Cheers,
    Spire
     
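The posts above talk about "not getting past Phase 1" and about NAT-T without saying what the two have to do with each other. During IKEv1 Phase 1, each side advertises NAT-Traversal support with a Vendor ID payload and then sends NAT-D payloads: hashes of the cookies plus the IP and port it *thinks* it is using. The receiver recomputes the hash over the source address it actually sees; a mismatch proves a NAT rewrote the packet, and both sides then float to UDP 4500. The script below is an added worked example (it is not code from the thread, from any poster, or from Cisco or Microsoft) that builds and parses that exchange on constructed data. The cookies, the private address 192.168.1.50, the NAT address 198.51.100.5, the tethered address 198.51.100.77 and the ASA address 203.0.113.10 are all assumed for illustration.

```python
"""Worked example of IKEv1 Phase 1 NAT detection (RFC 3947 NAT-D payloads).

All addresses, ports and cookies below are constructed for illustration and
mimic the thread's two topologies: a client behind an RRAS NAT versus the
same client on a tethered phone with its own address.
"""
import hashlib
import socket
import struct

# ISAKMP header (RFC 2408): CKY-I, CKY-R, next payload, version, exchange
# type, flags, message ID, total length. 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_VID = 13            # Vendor ID payload
PAYLOAD_NAT_D = 20          # NAT-D payload type assigned by RFC 3947
EXCHANGE_MAIN_MODE = 2      # Identity Protection (Main Mode)
NAT_T_RFC3947_VID = hashlib.md5(b"RFC 3947").digest()   # the NAT-T Vendor ID


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 4."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def build_message(cky_i, cky_r, payloads):
    """Serialise an ISAKMP message from (type, body) tuples.

    Each payload carries the generic header (next payload, reserved, length);
    the ISAKMP header's next-payload field points at the first payload."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(cky_i, cky_r, first, 0x10, EXCHANGE_MAIN_MODE,
                          0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


def parse_message(msg):
    """Walk the payload chain; return (cky_i, cky_r, [(type, data), ...])."""
    cky_i, cky_r, nxt, _ver, _xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match datagram size")
    off = ISAKMP_HDR.size
    payloads = []
    while nxt != 0:
        nxt_next, _res, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads.append((nxt, msg[off + 4: off + plen]))
        off += plen
        nxt = nxt_next
    return cky_i, cky_r, payloads


def nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port):
    """RFC 3947: the first NAT-D covers the remote end, later ones the local end."""
    return [(PAYLOAD_NAT_D, nat_d_hash(cky_i, cky_r, peer_ip, peer_port)),
            (PAYLOAD_NAT_D, nat_d_hash(cky_i, cky_r, own_ip, own_port))]


def nat_check(msg, seen_src_ip, seen_src_port, own_ip, own_port):
    """Receiver side: compare the sender's NAT-D hashes with what it sees.

    Returns (peer_supports_nat_t, peer_behind_nat, receiver_behind_nat);
    the last two are None when the peer did not advertise NAT-T."""
    cky_i, cky_r, payloads = parse_message(msg)
    vids = [d for t, d in payloads if t == PAYLOAD_VID]
    natd = [d for t, d in payloads if t == PAYLOAD_NAT_D]
    supports = NAT_T_RFC3947_VID in vids
    if not supports or len(natd) < 2:
        return supports, None, None
    # Did the peer see our address unchanged? Compare its first NAT-D with ours.
    receiver_unchanged = natd[0] == nat_d_hash(cky_i, cky_r, own_ip, own_port)
    # Does the source we see match any address the peer claims to be sending from?
    peer_unchanged = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) in natd[1:]
    return supports, not peer_unchanged, not receiver_unchanged


def simulate(client_ip, src_seen_by_asa, asa_ip="203.0.113.10"):
    """Client builds Main Mode message 3 with VID + NAT-D; a NAT on the path
    rewrites only the IP header, so the ASA sees src_seen_by_asa instead."""
    cky_i = bytes.fromhex("0102030405060708")   # constructed cookies
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")
    msg = build_message(cky_i, cky_r, [(PAYLOAD_VID, NAT_T_RFC3947_VID)]
                        + nat_d_payloads(cky_i, cky_r, asa_ip, 500, client_ip, 500))
    return nat_check(msg, src_seen_by_asa, 500, asa_ip, 500)


if __name__ == "__main__":
    # Tethered: client owns its public address, nothing rewrites it.
    print("tether :", simulate("198.51.100.77", "198.51.100.77"))
    # Office: RRAS NATs 192.168.1.50 to one of its public addresses.
    print("via NAT:", simulate("192.168.1.50", "198.51.100.5"))
```

In the office case the ASA concludes the client is behind NAT, so the rest of Phase 1 and all of Phase 2 move to UDP 4500 with a four-byte non-ESP marker, and the NAT box must translate that second flow as consistently as it did UDP 500. A NAT that picks a different external address for the 4500 flow, or hands out an address that is not routed back to it, produces exactly the symptom in the thread: ICMP works, the first ISAKMP packets are answered, and the connection still dies in Phase 1.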
  4. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,897
    Location:
    Brisbane
    Can you ping the ASA?

    What happens when you run a tracert to the IP of the ASA?

    If you cannot ping it behind the RRAS but can ping via a hotspot you have a routing issue with the RRAS. If you cannot ping from both then ICMP response might be turned off.

    If you can ping, are there any deny rules for the RRAS IP addresses on the ASA?
     
  5. OP
    Spiredore

    Spiredore Member

    Joined:
    Sep 5, 2002
    Messages:
    306
    Location:
    Sydney
    I can ping and tracert the ASA from behind the RRAS.
    It is 11 hops to it.

    Same from the tether in terms of ping.

    The ASA has no rules denying my RRAS IP.
     
  6. Punk

    Punk Member

    Joined:
    Mar 15, 2002
    Messages:
    1,058
    Location:
    Walking on Sunshine
    Sounds like you might need to allow the ports for Outbound on the RRAS.
     
  7. OP
    Spiredore

    Spiredore Member

    Joined:
    Sep 5, 2002
    Messages:
    306
    Location:
    Sydney
    the WAN side of the RRAS?

    The public interface Windows Firewall setting doesn't block any outgoing connections.
     
    Last edited: Oct 11, 2016
  8. Punk

    Punk Member

    Joined:
    Mar 15, 2002
    Messages:
    1,058
    Location:
    Walking on Sunshine
    I just realised I was thinking of something else.

    Sorry ignore me, so tired from the kids keeping me up all night.

    Might spin up my old RRAS and have a look.
     
  9. OP
    Spiredore

    Spiredore Member

    Joined:
    Sep 5, 2002
    Messages:
    306
    Location:
    Sydney
    From what I can get my head around, I want an IPSec passthrough config for RRAS.
    Does that ring any bells?
     
  10. Punk

    Punk Member

    Joined:
    Mar 15, 2002
    Messages:
    1,058
    Location:
    Walking on Sunshine
    Sorry mate don't have the test bed anymore.

    The only thing I can think of is to either setup the Firewall or the Static Filters for the required ports and services.

    Maybe someone else can help?
     
  11. OP
    Spiredore

    Spiredore Member

    Joined:
    Sep 5, 2002
    Messages:
    306
    Location:
    Sydney
    I set up an RRAS at home last night and it worked.

    The difference being at home

    RRAS has one public IP and no VPN.


    RRAS at office has multiple public IPs and VPN turned on.


    Must be a badly configured NAT setting on the RRAS.
     
  12. OP
    Spiredore

    Spiredore Member

    Joined:
    Sep 5, 2002
    Messages:
    306
    Location:
    Sydney
    Errant IP in the address pool.

    Thanks all.
     
  13. Punk

    Punk Member

    Joined:
    Mar 15, 2002
    Messages:
    1,058
    Location:
    Walking on Sunshine
    Good to hear you got it sorted, sorry I couldn't help. I will shut up next time :p
     
