ASA 5520 Version 8.2(1) Split tunnel enable Process
Hi,
We have configured a cisco ASA 5520 firewall as a remote VPN. Remote VPN user connected properly but VPN user disconnected form internet. So we need to configure split tunnel. Please help us how to configure split tunnel and require parameters/field. Thanks...
Hi,
The setup is usually pretty easy
First you should create a Standard ACL that defines the networks which are found behind the VPN connection from the users perspective. In other words the networks that need to be tunneled.
For example if your LAN networks was 10.0.0.0/24
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
Then you would need to configure some additional things in your VPN client connections "group-policy"
For example
group-policy CLIENT attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
The above would essentially handle the Split Tunnel portion of the configurations. The "split-tunnel-policy" command specifies how the network selection for the VPN is handled. It might aswell be configured to specify Full Tunnel or to simply Exclude some networks. The "split-tunnel-network-list value" command tells the ASA the networks used in the Split Tunnel (the ACL we created)
Hope this helps
- Jouni
Similar Messages
-
ASA 5520 VERSION 8.2 UPGRADE TO 9.0
Hello friends,
I am considering to perform an upgrade of my ASA 5520 with versión 8.2 to 9.0, so I will enjoy the benefits of anyconnect for mobile devices. I clearly understand that I must pay special attention to:
NAT Rules.
RAM Memory: 2 GB.
Adding the part numbers to power on the newest versions of anyconnect and for mobile devices
L-ASA-AC-E-5520= ASA-AC-M-5520=
am I missing any other thing? Flash requirement? Or to pay attention to some other configurations?
Any comment or documentation will be appreciated.
Regards!You can run the latest AnyConnect client - including mobile clients - with those licenses even on an ASA with the current 8.2 code - 8.2(5) as of now. While it's a bit old and lacking some of the newer features, it's a solid and stable release.
That would save you the trouble of migrating your NAT configuration (and other bits) and upgrading memory.
Since the ASA 5500 series (5510, 5520 etc.) is past End of Sales you have a limited future on those platforms. For instance, ASA 9.1(x) is the last set of code releases that will be available for them. (The current software on the 5500-X is 9.3(1).) -
Cisco 871 to Cisco ASA 5545 Site-to-Site VPN Split Tunnel not working.
Tunnel comes up and can see and access protected traffic but cannot access web (Split Tunnel). Don't know if access problem or route issue.
Listed below is configuration for Cisco 871, any help very much appreciated.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key test address x.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 100
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 4.34.195.193 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 172.200.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
ip route 0.0.0.0 0.0.0.0 4.34.195.193 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
logging trap debugging
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.200.1.0 0.0.0.255 172.16.2.0 0.0.0.255I don't see any NAT configuration above. Check you can PING out to the internet (8.8.8.8 for example) from the router itself as it won't need NAT to PING from the outside interface.
Have a look at this document on setting up NAT for your inside devices:
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html -
ASA 5520 Upgrade From 8.2 to 9.1
To All Pro's Out There,
I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
I appreciate all the help in advance.Hi,
My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
What you can basically do is
Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
https://supportforums.cisco.com/docs/DOC-31116
My personal approach when starting to convert NAT configurations for the upgrade is
Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
Divide NAT configurations based on type
Dynamic NAT/PAT
Static NAT
Static PAT
NAT0
All Policy Dynamic/Static NAT/PAT
Learn the basic configuration format for each type of NAT configuration
Start by converting the easiest NAT configurations
Dynamic NAT/PAT
Static NAT/PAT
Next convert the NAT0 configurations
And finally go through the Policy NAT/PAT configurations
Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
For example
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
So to summarize
Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
Learn the new NAT configuration format
Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
Convert the configurations manually
Lab/test the configurations on an test ASA
During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
Will add more later if anything comes to mind as its getting quite late here
Hope this helps
- Jouni -
ASA 5520 auto-update polling error
Hi,
the polling service for auto-update on my ASA 5520 is not working properly. Does anyone have ideas which could be the reason for this?
Platform: ASA 5520
Version: 8.4(2)
Config:
auto-update device-id hostname
auto-update poll-at thursday 5:00 randomize 3 3
auto-update server https://*@X.X.X.X/autoupdate/AutoUpdateServlet
Output of sh auto-update:
Server: https://X.X.X.X/autoupdate/AutoUpdateServlet
Poll thursday randomly between 5:00 and 5:03, retry count: 3, retry period: 5 minutes
Timeout: none
Device ID: host name [dontletthemin]
Under normal circumstances i would expect additional lines from the sh auto-update command like:
Next poll in 4.93 minutes
Last poll: 11:36:46 PST Tue Nov 13 2012
But this output does not appear. I've searced the bug-Toolkit but did not found a entry which could explain this behaviour.Hi
Many thanks for the respose.
Sorry I have not made any progress with this as yet: the only thing I have done is us the packet tracer, which passed I am just going to check the route of the packet once it has left the interface as it has got to be that or the URL is wrong.
Regards MJ -
RA VPN on ASA and Split Tunneling
Hello Forum,
I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.
I have the following....
ASA 5520 - ASA Version - 8.0(3)
Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.
For Split Tunneling Policy...
Inherit is unchecked
I have "Tunnel Network List Below"
Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or 0.0.0.0 in the list.
But they can still surf the net.
I would like to block access to net. No hairpinning or internet u-turns.
How do I do this?
Any help greatly appreciated.
Regards,What does your Testing_spliTunnelAcl have?
To disable split tunneling, your Testing_spliTunnelAcl should only have this...
access-list Testing_splitTunnelAcl standard permit any
...which means all traffic will be encrypted and will be sent to ASA no matter what. If you add any IP Address, only those traffic destined to the IP Address in the list will be encrypted and send to ASA, everything else will go to internet from the client.
It may be confusing but try and see what happens. -
How to set up Split Tunneling on ASA 5505
Good Morning,
I have an ASA 5505 with security plus licensing. I need to set up split tunneling on the ASA and not sure how. I am very new to Cisco but am learning quickly. What I want to accomplish, if possible is to send all traffic to our corporate web site (static ip address) straight out to the internet and all other traffic to go though the tunnel as normal. Basically we have a remote office that is using a local ISP to provide internet service. IF our connection at the main office goes down, we want the branch office to still be able to get to our corporate website without having to unplug cables and connect their computer directly to the local ISP modem. Any help with be greatly appriciated. Thanks in advance. Below is a copy of our current config.
ASA Version 7.2(4)
hostname TESTvpn
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:953e50e9cbc02e1b264830dab4a3f2bd
: endSo I tried to use the exclude way that you suggested. Here is my new config. It is still not working. The address I put in for the excluded list was 4.2.2.2 and when I do a trace route to it from the computer, it still goes though the vpn to the main office and out the switch at the main office and not from the local isp. Any other suggestions?
hostname TESTvpn
domain-name default.domain.invalid
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 172.31.155.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 a
ny
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0
any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list TEST standard permit host 4.2.2.2
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 172.31.155.10-172.31.155.30 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy excludespecified
split-tunnel-network-list value TEST
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not
been met or due to some specific group policy, you do not have permission to us
e any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b3caaecf2a0dec7334633888081c367
: end -
Help With split tunneling and multiple subnets behind asa
Hello All,
our vpn clients can no longer access internet while connected to vpn.
I was hoping I could get an answer on here for an issue we are having. let me explain this with as little words as possible.
here was old network layout:
ASA
192.168.1.1 ----> the rest of the internal subnet (was only subnet in network)
now
ASA 3560
192.168.254.1/24 ----->192.168.254.2/24-->192.168.1.1/24
192.168.2.1/24
so what we did was route from 3560 to asa so we would be able to have multiple subnets since our asa has base license.
Our vpn with easy connect worked with our split tunneling before and now we made the change above and it no longer works. Can someone help me out as to why it no longer works and what changed need to be made to make it work.
Thank you.
ciscoasa# sh run
: Saved
ASA Version 8.2(2)
hostname ciscoasa
enable password 1N7bTm05RXLnBcUc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.254.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
ftp mode passive
clock timezone est -5
same-security-traffic permit intra-interface
access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.2.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.254.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 172.16.5.1-172.16.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.1.0 255.255.255.0 192.168.254.2 1
route inside 192.168.2.0 255.255.255.0 192.168.254.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TransformSet1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DynamicMap1 1 set transform-set TransformSet1
crypto map MainMap 999 ipsec-isakmp dynamic DynamicMap1
crypto map MainMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.90.182.55 source outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy RenotreUsers internal
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
address-pool VPNPool
default-group-policy RemoteUsers
tunnel-group RemoteUsers webvpn-attributes
group-alias Southeast-Security-VPN enable
tunnel-group RemoteUsers ipsec-attributes
pre-shared-key *****I think it could be your NAT statement. You should try an avoid using any unless you tunnel everything. Try making this change
no access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
object-group network INTERNAL_NETWORKS
description Internal Networks
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.254.0 255.255.255.0
access-list NoNat extended permit ip object-group INTERNAL_NETWORKS 172.16.5.0 255.255.255.0
You may have to re-add your NAT0
nat (inside) 0 access-list NoNat -
CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN
I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP. We have a DNS server set up in AWS for any DNS queries for the remote domain name.
My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query. Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object *
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ? -
Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem
Hi,
i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
I have installed 50 Site-to-Site VPN tunnels, and they work fine.
but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
it happens when there is no TRAFIC on, i suspect.
in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
Any idea?
Thanks,
DanielWhat is the lifetime value configured for in your crypto policies?
For example:
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400 -
Older version of openssl in cisco asa 5520
Hi,
Recently my security has scanned all the network devices for vulnerabilities and found that cisco asa 5520 , which we use for RAS VPN has older version of openssl. Have to check that and fix this problem? FYI, recently we have installed a SSL cert for webmail users.
Thanks,
SridharSridhar,
W update OpenSSL libraries on our side quite often, especially if new vulnarabilities are found.
You can check recently published vulnarabilities in www.cisco.com/go/psirt (not only specific to ASA)
In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
Marcin -
Is it possible configurate split-tunnel at l2tp over ipsec vpn at asa
Dear i want to know is it possibly to configurate split-tunnel at l2tp over ipsec vpn at asa???
thanks.please help me.
-
Connectivity Issue between ASA 5520 firewall and Cisco Call Manager
Recently i have installed ASA 5520 firewall, Below is the detail for my network
ASA 5520 inside ip: 10.12.10.2/24
Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
Cisco Call Manager 3825 IP: 10.12.110.2/24
The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
the Default Gateway for Data user is 10.12.10.2/24 and
for the voice users is 10.12.110.2/24
now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
ASA Version 8.2(1)
name x.x.x.x Mobily
interface GigabitEthernet0/0
nameif inside
security-level 99
ip address 10.12.10.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp
service-object ip
service-object icmp
service-object udp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq telnet
access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 Inside-Network 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Mobily 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Mgmt-Network 255.255.255.0 mgmt
http Inside-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh Inside-Network 255.255.255.255 inside
<--- More ---> ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 86.51.34.17 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_splitTunnelAcl
username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN-Users
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
: end -
VPN clients not able to ping Remote PCs & Servers : ASA 5520
VPN is connected successfully. But not able to ping any remote ip or fqdn from client pc. But able to ping ASA 5520 firewalls inside interface. Also some clients able to access, some clients not able to access. I new to these firewalls. I tried most of ways from internet, please any one can help asap.
Remote ip section : 192.168.1.0/24
VPN IP Pool : 192.168.5.0/24
Running Config :
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
passwd z40TgSyhcLKQc3n1 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone GST 4
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 213.42.20.20
domain-name default.domain.invalid
access-list outtoin extended permit tcp any host 83.111.113.114 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.113 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq smtp
access-list outtoin extended permit tcp any host 83.111.113.114 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq www
access-list outtoin extended permit tcp any host 83.111.113.115 eq https
access-list outtoin extended permit tcp any host 94.56.148.98 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.117 eq ssh
access-list fualavpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0
92.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 1
2.168.5.0 255.255.255.0
access-list inet_in extended permit icmp any any time-exceeded
access-list inet_in extended permit icmp any any unreachable
access-list inet_in extended permit icmp any any echo-reply
access-list inet_in extended permit icmp any any echo
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging recipient-address [email protected] level emergencies
logging recipient-address [email protected] level errors
mtu outside 1500
mtu inside 1500
ip local pool fualapool 192.168.5.10-192.168.5.50 mask 255.255.255.0
ip local pool VPNPool 192.168.5.51-192.168.5.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 94.56.148.98 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 83.111.113.114 192.168.1.111 netmask 255.255.255.255
access-group inet_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.111.113.116 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have no
been met or due to some specific group policy, you do not have permission to u
e any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy fualavpn internal
group-policy fualavpn attributes
dns-server value 192.168.1.111 192.168.1.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value fualavpn_splitTunnelAcl
username test password I7ZgrgChfw4FV2AW encrypted privilege 0
username Mohamed password Vqmmt8cR/.Qu7LhU encrypted privilege 0
username Moghazi password GMr7xgdqmGEQ2SVR encrypted privilege 0
username Moghazi attributes
password-storage enable
username fualauaq password E6CgvoOpTKphiM2U encrypted privilege 0
username fualauaq attributes
password-storage enable
username fuala password IFtijSYb7LAOV/IW encrypted privilege 15
username Basher password Djf15nXIJXmayfjY encrypted privilege 0
username Basher attributes
password-storage enable
username fualafac password VGC/7cKXW1A6eyXS encrypted privilege 0
username fualafac attributes
password-storage enable
username fualaab password ONTH8opuP4RKgRXD encrypted privilege 0
username fualaab attributes
password-storage enable
username fualaadh2 password mNEgLxzPBeF4SyDb encrypted privilege 0
username fualaadh2 attributes
password-storage enable
username fualaain2 password LSKk6slwsVn4pxqr encrypted privilege 0
username fualaain2 attributes
password-storage enable
username fualafj2 password lE4Wu7.5s7VXwCqv encrypted privilege 0
username fualafj2 attributes
password-storage enable
username fualakf2 password 38oMUuwKyShs4Iid encrypted privilege 0
username fualakf2 attributes
password-storage enable
username fualaklb password .3AMGUZ1NWU1zzIp encrypted privilege 0
username fualaklb attributes
password-storage enable
username fualastr password RDXSdBgMaJxNLnaH encrypted privilege 0
username fualastr attributes
password-storage enable
username fualauaq2 password HnjodvZocYhDKrED encrypted privilege 0
username fualauaq2 attributes
password-storage enable
username fualastore password wWDVHfUu9pdM9jGj encrypted privilege 0
username fualastore attributes
password-storage enable
username fualadhd password GK8k1MkMlIDluqF4 encrypted privilege 0
username fualadhd attributes
password-storage enable
username fualaabi password eYL0j16kscNhhci4 encrypted privilege 0
username fualaabi attributes
password-storage enable
username fualaadh password GTs/9BVCAU0TRUQE encrypted privilege 0
username fualaadh attributes
password-storage enable
username fualajuh password b9QGJ1GHhR88reM1 encrypted privilege 0
username fualajuh attributes
password-storage enable
username fualadah password JwVlqQNIellNgxnZ encrypted privilege 0
username fualadah attributes
password-storage enable
username fualarak password UE41e9hpvcMeChqx encrypted privilege 0
username fualarak attributes
password-storage enable
username fualasnk password ZwZ7fVglexrCWFUH encrypted privilege 0
username fualasnk attributes
password-storage enable
username rais password HrvvrIw5tEuam/M8 encrypted privilege 0
username rais attributes
password-storage enable
username fualafuj password yY2jRMPqmNGS.3zb encrypted privilege 0
username fualafuj attributes
password-storage enable
username fualamaz password U1YUfQzFYrsatEzC encrypted privilege 0
username fualamaz attributes
password-storage enable
username fualashj password gN4AXk/oGBTEkelQ encrypted privilege 0
username fualashj attributes
password-storage enable
username fualabdz password tg.pB7RXJx2CWKWi encrypted privilege 0
username fualabdz attributes
password-storage enable
username fualamam password uwLjc0cV7LENI17Y encrypted privilege 0
username fualamam attributes
password-storage enable
username fualaajm password u3yLk0Pz0U1n.Q0c encrypted privilege 0
username fualaajm attributes
password-storage enable
username fualagrm password mUt3A60gLJ8N5HVr encrypted privilege 0
username fualagrm attributes
password-storage enable
username fualakfn password ceTa6jmvnzOFNSgF encrypted privilege 0
username fualakfn attributes
password-storage enable
username Fualaain password Yyhr.dlc6/J7WvF0 encrypted privilege 0
username Fualaain attributes
password-storage enable
username fualaban password RCJKLGTrh7VM2EBW encrypted privilege 0
username John password D9xGV1o/ONPM9YNW encrypted privilege 15
username John attributes
password-storage disable
username wrkshopuaq password cFKpS5e6Whp0A7TZ encrypted privilege 0
username wrkshopuaq attributes
password-storage enable
username Talha password 3VoAABwXxVonLmWi encrypted privilege 0
username Houssam password Cj/uHUqsj36xUv/R encrypted privilege 0
username Faraj password w2qYfE3DkYvS/oPq encrypted privilege 0
username Faraj attributes
password-storage enable
username gowth password HQhALLeiQXuIzptCnTv1rA== nt-encrypted privilege 15
username Hameed password 0Kr0N1VRmLuWdoDE encrypted privilege 0
username Hameed attributes
password-storage enable
username Hassan password Uy4ASuiNyEd70LCw encrypted privilege 0
username cisco password IPVBkPI1GLlHurPD encrypted privilege 15
username Karim password 5iOtm58EKMyvruZA encrypted privilege 0
username Shakir password BESX2bAvlbqbDha/ encrypted privilege 0
username Riad password iB.miiOF7qMESlCL encrypted privilege 0
username Azeem password 0zAqiCG8dmLyRQ8f encrypted privilege 15
username Azeem attributes
password-storage disable
username Osama password xu66er.7duIVaP79 encrypted privilege 0
username Osama attributes
password-storage enable
username Mahmoud password bonjr0B19aOQSpud encrypted privilege 0
username alpha password x8WO0aiHL3pVFy2E encrypted privilege 15
username Wissam password SctmeK/qKVNLh/Vv encrypted privilege 0
username Wissam attributes
password-storage enable
username Nabil password m4fMvkTgVwK/O3Ms encrypted privilege 0
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.4 255.255.255.255 inside
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.111 255.255.255.255 inside
http 192.168.1.200 255.255.255.255 inside
http 83.111.113.117 255.255.255.255 outside
http 192.168.1.17 255.255.255.255 inside
http 192.168.1.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn general-attributes
address-pool fualapool
address-pool VPNPool
default-group-policy fualavpn
tunnel-group fualavpn ipsec-attributes
pre-shared-key *
tunnel-group fualavpn ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:38e41e83465d37f69542355df734db35
: endHi,
What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP
Regards, -
ASA 5520 site-to-site VPN question
Hello,
We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
After doing some research, I came across the this command;
sysopt connection permit-vpn
I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see it it resolves the problem.
Thanks,
JohnWhat are your configs and network diagrams at each location? What are you doing for DNS? I can help quicker with that info. Also, here are some basic site to site VPN examples if it helps.
hostname cisco
domain-name cisco.com
enable password XXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/2
nameif backup
security-level 0
no ip address
interface Ethernet0/3
nameif outsidetwo
security-level 0
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit intra-interface
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list split standard permit 10.0.0.0 255.255.255.0
access-list split standard permit 10.90.238.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered errors
logging trap notifications
logging asdm informational
logging class vpn buffered debugging
mtu outside 1500
mtu inside 1500
mtu backup 1500
mtu outsidetwo 1500
mtu management 1500
ip local pool vpnpool 10.0.10.100-10.0.10.200
ip audit name Inbound-Attack attack action alarm drop
ip audit name Inbound-Info info action alarm
ip audit interface outside Inbound-Info
ip audit interface outside Inbound-Attack
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address XXX
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set transform-set myset
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address XXX2
crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
crypto map outside_map 2 set transform-set myset
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address XXX3
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
crypto map outside_map 3 set transform-set myset
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy XXXgroup internal
group-policy XXXgroup attributes
dns-server value XXX.XXX.XXX.XXX
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.local
username XXX24 password XXXX encrypted privilege 15
username admin password XXXX encrypted
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXXgroup type remote-access
tunnel-group XXXgroup general-attributes
address-pool vpnpool
default-group-policy rccgroup
tunnel-group XXXgroup ipsec-attributes
pre-shared-key XXXXXXXXXX
isakmp ikev1-user-authentication none
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Maybe you are looking for
-
In my sytem.log file I keep getting this error Aug 30 09:06:33 E2 /Library/Frameworks/Compressor.framework/Resources/CompressorTranscoderX.bundle /Contents/MacOS/compressord: kCGErrorRangeCheck : Window Server communications from outside of session a
-
HELP! GTX 560Ti MPE?
Hello Guys first post. I'm a noob with grahpics card and have a two question, If I buy the GTX 560Ti will I be able to use MPE with adobe premeire pro cs5.5? Also, will this card run smoothly with After Effects Cs6 Thanks!
-
Crystal Viewer not working with Parameterized file
When I run a classic ASP file without parameter collections, I can see Crystal Viewer with data from the db. This works fine. If, however, I run an ASP file with parameter collections, I get static text only. The viewer is not displaying records from
-
Lion Mail.app won't sync with Exchange 2003
Hello, After upgrading to Lion, I am having an issue with my Exchange email in Mail.app. I get new emails, however if I file any emails from the Inbox into another folder and then leave view another folder or exit Mail, when I return the emails are b
-
Meine Serien-Nr. wurde nicht erkannt!
Meine Serien-Nr wurde beim installieren von Photoshop CS2 nicht akzeptiert, obwohl sie im Chat als richtige bestätigt wurde. Da spielt Adobe ein unwürdiges Spiel. Zvonimir