Security and Firewalls

#1
Registered User
Join Date: May 2008
Posts: 1
OS: Small Business Server 2003
CISCO ASA 5505 PIX Device
Hello,

We just upgraded our Small Business Server 2003 to a new box and ever since then our VPN stopped working. We are using a CISCO ASA 5505 PIX device as our firewall and VPN, and we now receive the error "Secure VPN Connection terminated by Peer. Reason 433: (Reason Not Specified by Peer)". I ran this command at the device, "isakmp nat-t", to fix the issue and this did not resolve the issue. This has been driving me crazy. Does anyone have any ideas? Thanks!

Last edited by aromeo409 : 05-08-2008 at 10:50 AM.
#2
Registered User
Join Date: May 2008
Posts: 1
OS: Vista, XP Pro
Re: CISCO ASA 5505 PIX Device
Aromeo409,

It seems to me that your old Windows server was a RADIUS server, to which the ASA passes on the auth process (aka your old Windows server).

Hope this helps
-Richie

Here's an article about integrating the Cisco ASA firewall/VPN concentrator 5500 family with Windows 2003 Server's RADIUS server, called Internet Authentication Server - IAS. What I will describe is setting up an ASA 5500 appliance to do Remote Access VPNs authenticating against an MS IAS RADIUS server; the twist to this setup is differentiating between multiple Windows user groups - linking a Windows AD group to a specific tunnel-group. I decided to write this article because I had to search too much for how to do some of the things described below.

In the first part we'll take care of setting up the 2003 Server.

First of all, make sure that if you're deploying RADIUS for a large organization you're using the Enterprise flavor of Windows 2003 Server. It has more extensive capabilities than the Standard edition - see http://www.winsupersite.com/showcase...3_editions.asp for example.

Second, install IAS on the 2003 Server - it doesn't come installed by default.

In order to use IAS with a client (in our case, the ASA device) you have to declare the client to IAS, otherwise the server will not answer the queries: enter the IAS management console, right click on "RADIUS Clients" on the left > New RADIUS Client. Here choose a name for the ASA device; this will be unique and you'll be using it later. Next, as Client-Vendor choose RADIUS Standard, and as secret - a phrase that you'll use later in your ASA config to pair with the IAS server.

Next, the server needs a Connection Request Policy to allow the client to connect: Connection Request Processing > Connection Request Policies > New... Here make a custom policy and as Policy Condition you can use for example "Client-Friendly-Name" and specify the name you chose in the previous step when you declared the client.

The next thing to do is to create a Remote Access Policy, again a custom one. For this you have to have prepared one or more Windows groups (local or, better, AD groups) in which you include the users that can access the VPN. So, in policy conditions add the Client-Friendly-Name (for example) and the Windows-Groups attribute; here you'll be asked for the group. Next, "Grant remote access permission" and edit the profile. In the Authentication tab choose only "Unencrypted authentication" and in the Encryption tab choose only "No encryption". We'll handle the Advanced tab later.

Now the ASA appliance. I won't describe in detail how to set up a Remote Access VPN; there are plenty of tutorials and guides for doing this. One would be http://www.cisco.com/warp/public/110...tevpn-asdm.pdf. Here's a sample setup of doing this:

    aaa-server group1 protocol radius
    aaa-server group1 host 192.168.1.2 key secret

group1 will be used to authenticate the VPN users against the 192.168.1.2 server (this is the IP of the 2003 Server box with IAS). Before continuing with the setup let's test the RADIUS communication:

    ASA# test aaa-server authentication group1 username user password passwd
    Server IP Address or name: 192.168.1.2
    INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
    INFO: Authentication Successful

If the authentication was successful you will get the above message. If not, you need to debug it. On the IAS server side you can check the Event Log in the System category. Every attempt at authentication is logged there, whether successful or not. Typical pitfalls are misconfigured Remote Access Policies or Connection Request Policies. You will get a "Reason" for the failure. If you don't even get an Event Log message then you need to check your security device configuration or IP connectivity.

The rest of the configuration:

    ip local pool vpn-pool 10.0.1.2-10.0.1.255
    group-policy testvpn internal
    group-policy testvpn attributes
     dns-server value 192.168.1.3
     vpn-tunnel-protocol IPSec
     default-domain value test.local
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
    crypto map Outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map Outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    tunnel-group testvpn-group type ipsec-ra
    tunnel-group testvpn-group general-attributes
     address-pool vpn-pool
     authentication-server-group group1
     default-group-policy testvpn
    tunnel-group testvpn-group ipsec-attributes
     pre-shared-key *

Please note that this is only an example config and your needs may require some other config options.

To complicate matters, if you have multiple VPN tunnel groups then you need to differentiate between users that are allowed to access each tunnel; then you need to add a special attribute in the Remote Access Policy: go to the Remote Access Policy you're editing and in the Advanced tab add a Class attribute with a string value of OU=value. The value must match the name of the tunnel group. On the ASA:

    group-policy testvpn attributes
     group-lock value testvpn-group

What I couldn't figure out is how to differentiate the VPN users from the management users (console, ASDM etc). If anybody knows please let me know.
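The reply above leans on two things that are easy to get wrong and hard to see from the VPN client's "Reason 433": the shared secret configured on the ASA and in the IAS "RADIUS Clients" entry, and the Class "OU=<tunnel-group>" string that group-lock compares against. The following is an added example, not code from the post, from Cisco or from Microsoft: a small RFC 2865 PAP client that does from any host what the ASA's "test aaa-server authentication" command does, validates the Response Authenticator (a secret mismatch fails there), and pulls the tunnel-group name out of the Class attribute. The secret "secret", the user "user"/"passwd", the NAS address 192.168.1.1 and the fixed Request Authenticator in offline_demo() are constructed values; radius_test() is the live variant against a real server on UDP/1812.

```python
"""RADIUS (RFC 2865) PAP Access-Request builder and reply checker.

Added example, not code from the forum post, Cisco or Microsoft. It does from
any host what the ASA's "test aaa-server authentication" command does, so the
RADIUS client/secret pairing and the IAS policies can be checked with the VPN
out of the loop, and it reads the Class "OU=<tunnel-group>" attribute that the
group-lock step relies on. All values (secret, user, addresses) are constructed.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_CLASS = 1, 2, 4, 25
RADIUS_AUTH_PORT = 1812  # IAS also listens on the legacy port 1645

def attr(atype, value):
    # Type, Length (header included), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(secret, authenticator, password):
    # RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    # with the Request Authenticator standing in for c_0.
    data = password.encode()
    data += b"\x00" * (-len(data) % 16 or 16 * (not data))  # always at least one block
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    # Inverse of hide_password: what the server does with the same shared secret.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00").decode()

def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    # Code(1) | Identifier | Length | Request Authenticator (16 bytes) | attributes
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(data):
    # Walk the TLV list; refuse truncated or zero-length attributes instead of looping.
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_reply(secret, request, code, attrs=b""):
    # Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def check_reply(secret, request, reply):
    # Validate identifier, length and Response Authenticator before trusting the code.
    # A wrong shared secret on either side shows up here as an authenticator mismatch.
    if len(reply) < 20 or reply[1] != request[1]:
        raise ValueError("short reply or identifier mismatch")
    code, _, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length field does not match datagram")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    return code, parse_attributes(reply[20:])

def tunnel_group_from_class(attrs):
    # Value after "OU=" in Class (25); ASA group-lock compares it with the tunnel-group name.
    for atype, value in attrs:
        if atype == ATTR_CLASS and value.startswith(b"OU="):
            return value[3:].decode()
    return None

def radius_test(server, secret, username, password, nas_ip, timeout=12):
    # Live equivalent of "test aaa-server authentication": one UDP exchange, then check_reply.
    request = build_access_request(secret, 1, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, RADIUS_AUTH_PORT))
        reply, _ = sock.recvfrom(4096)
    return check_reply(secret, request, reply)

def offline_demo():
    # Round trip against a simulated IAS Access-Accept carrying Class OU=testvpn-group.
    secret = b"secret"  # constructed; the same string as "key secret" in the sample ASA config
    request = build_access_request(secret, 7, "user", "passwd", "192.168.1.1",
                                   authenticator=bytes(range(16)))
    accept = build_reply(secret, request, ACCESS_ACCEPT, attr(ATTR_CLASS, b"OU=testvpn-group"))
    code, attrs = check_reply(secret, request, accept)
    return code, tunnel_group_from_class(attrs), request
```

Run against the real IAS box as radius_test("192.168.1.2", b"secret", "user", "passwd", "<ASA inside address>"); a timeout means the client entry or connectivity is missing (no Event Log entry on the server), while a ValueError from check_reply with a reply on the wire means the two secrets differ. hide_password is only MD5-based obfuscation, not encryption, which is why the "Unencrypted authentication" (PAP) profile the article selects should only be used where the ASA-to-IAS segment is itself trusted.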