Remote Access VPN Setup
Hello Support,
I have a question regarding a remote access VPN setup with the following. I have a Cisco 6500 with multiple VLANs, and an FWSM setup in mutliple context mode. Each of our clients sits behind their own context, and has their own associated VLANs. Each context has a shared interface, so that one network (our management network) can see all of the networks. We are using a Cisco ASA to terminate P2P VPNs as the FWSms cannot do so, but I would like to setup a remote access VPN from the ASA, but I will need to connect in and have access to all networks. Currently the ASA has an outside interface for internet, two client inside interfaces, and one interface on the shared network.
If I setup a remote access VPN from the ASA with a separate scope will I be able to see all the networks that I setup routes and nonats for or is there more to it?
I provided a brief diagram showing all the vlans, I will need to be able to access all of the 6500s vlans when connected using the VPN.
Thanks in advance for all ideas, suggestions, and assistance.
Hello John,
You will need to configure the respective IP Address pool for the Anyconnect users,
Then create the no_nat rules from all of the internal subnets to the Anyconnect Pool.
That should do it bud . I mean just make sure the internal network (core) knows that in order to reach the anyconnect pool must send the traffic to the ASA.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
Similar Messages
-
NAT for remote access VPN clients
Hello,
I have a simple remote access VPN setup on a 2811 router. The remote subnet of the clients connecting have access to the local LAN subnet, but I am wondering if it is possible to somehow NAT those remote access users, so that they can go beyond the local LAN, and through the VPN routers outside connection, giving them access to other resources.
The remote subnet would need to be added to the NAT overload pool that the local LAN is on somehow, but since no interface is created, I am unsure where I would need to put "ip nat inside" if it even needs to be done, or if I am just missing something.
I guess really what I want to do is tunnel all traffic, and have that remote client IP translate to the NAT pool on the router for internet access.
Thanks.Have a look here for solution
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
Regards -
I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface. The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ. Without the client connected, they access the web servers via the external public IP. Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address.
Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.
I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface.
Share the configuration if you want help with the NAT exemption part. -
Can ASA5505 forward remote-access-VPN clients to LAN
I currently have ASA-5505 and 2911-Router and I'm trying to configure VPN topology.
Can ASA5505 forward remote-access-VPN clients to LAN operated by a different router?
Are these two cases possible?:
(1) ASA-5505 and 2911-Router are on separate WAN interfaces, each directly connected to ISP. But then can I connect one of other LAN interfaces of ASA-5505 into a switch managed by 2911-Router to inject remote-SSL-VPN clients into the LAN managed by the router?
(2) ASA-5505 is behind 2911-Router. Can 2911 Router assign a public ip address or have public ip address VPN-access attempts directly be forwarded to ASA-5505 when there is only one public ip address available?
Long put short, can ASA-5505 inject its remote-access-VPN clients as one of hosts on the LAN managed by 2911-router?
Thanks.I could help you more if you can explain the purpose of this setup and the connectivity between the ASA and router.
You can enable reverse-route on the Dynamic map on the ASA. The ASA will install a static route for the client on the routing table. You can use a Routing protocol to redistribute the static routes to your switch on the LAN side of the ASA. -
Remote access vpn clients, access to Internet resources
Hello, we currently have a remote access vpn set up terminating on an ASA 5520. Remote access users connect into this ASA and are able to access resources inside of the firewall- the public IP of the ASA is 1.1.1.135. We need these users to be able to access resources natted behind another ASA firewall on the same public IP segment, at IP address 1.1.1.165.
I have gotten to the point where I believe I have all of my Nat/global statements in place, along with my ACLs on both firewalls, but I am not able to make the connection to the server behind the second ASA.
running packet tracer on the second ASA (hosting the 1.1.1.165 server) shows that the packet will be allowed. RUnning packet tracer on the Remote access VPN ASA is showing that the packet is dropped due to :
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
To me, this should be a simple setup, very similar to a company that tunnels all traffic (including Internet traffic) for remote access VPN users. It just doesn't seem like my traffic is getting to the second ASA wioth the remote host.
Anyone have any ideas?I figured out the answer- I had to add a nat statement form my VPN user subnet to be natted to the outside global IP:
nat (outside) 1 10.2.2.0 255.255.255.0 (this is my vpn subnet)
global (outside) 1 interface -
Hi All,
I'm looking to setup a Remote Access VPN via my ASA 5510. The clients will be using Cisco Anyconnect (which I assume is compatible...?) When I use the wizard it only mentions Cisco VPN Client.
When my clients connect up to the ASA via Anyconect, can I get them to just use DHCP via my AD servers or do I need to configure a seperate independent scope specifically for VPN clients?
ThanksHi Grant,
When you configure Remote access VPN , you need to configure a seprated pool of ip address for the vpn user.
Regards,
Bikas R.Pandey. -
Remote access VPN with ASA 5510 using DHCP server
Hi,
Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
ASA Version 8.2(5)
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign aaa
vpn-addr-assign dhcp
group-policy testgroup internal
group-policy testgroup attributes
dhcp-network-scope 10.6.192.1
ipsec-udp enable
ipsec-udp-port 10000
username testlay password *********** encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
default-group-policy testgroup
dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
I got following output when I test connect to ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Regards,
LayFor RADIUS you need a aaa-server-definition:
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.10.18.12
key *****
authentication-port 1812
accounting-port 1813
and tell your tunnel-group to ask that server:
tunnel-group VPN general-attributes
authentication-server-group NPS-RADIUS LOCAL
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Remote access VPN on ASA5520 Ping Issues.
Hi I hope someone might be able to help me. I have setup a remote access VPN on an ASA 5520. The VPN client connects ok, accepts my username and password and then I am in. I get an allocated IP address of 172.16.1.1 from the local pool. The problem is that I cannot then ping the inside LAN which is 192.168.1.1. I've got isakmp nat traversal set to default which is 20. I've been looking at this all day and I think I've gone crossed eyed, a fresh pair of eyes are definitley required, so any help would be gratefully received. My config is
Saved
ASA Version 7.0(8)
hostname Hospira-firewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 213.212.66.52 255.255.255.248
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
ftp mode passive
same-security-traffic permit intra-interface
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list Split standard permit 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool mypool 172.16.1.1-172.16.1.253 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 213.212.66.49 1
route outside 172.16.1.0 255.255.255.0 213.212.66.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy hospira internal
group-policy hospira attributes
vpn-simultaneous-logins 400
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
webvpn
username user password 08S9WUsiSMr3RauN encrypted
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set hospira esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 1 set transform-set hospira
crypto dynamic-map dmap 1 set security-association lifetime seconds 28800
crypto dynamic-map dmap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dmap
crypto map mymap 2 match address NONAT
crypto map mymap 2 set security-association lifetime seconds 28800
crypto map mymap 2 set security-association lifetime kilobytes 4608000
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group hospira type ipsec-ra
tunnel-group hospira general-attributes
address-pool mypool
default-group-policy hospira
tunnel-group hospira ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
service-policy global_policy global
Cryptochecksum:98f85c39a5cbffe66b0f6585d5083c7c
: end
Many thanksHi Richard ,
- we don't need access-list with RA connection , we have the dynamic map that acts as a template , so your crypto config :
crypto map mymap 1 ipsec-isakmp dynamic dmap
crypto map mymap 2 match address NONAT
crypto map mymap 2 set security-association lifetime seconds 28800
crypto map mymap 2 set security-association lifetime kilobytes 4608000
crypto map mymap interface outside
map with seq 1 is being binded to the dynamic map , now map 2 you are using the nonat access list as the encryption trigger for this map , so this should not be there as it encrypt traffic from the inside subnet to the pool .
please remove the second entry, then test if not working please provide a capture from the inside interface .
HTH
Mohammad. -
Remote access vpn on cisco 866VAE-k9
Hi All,
I need to create a remote access vpn tunnel to a cisco 866VAE-k9 (interfaceport GE0).
i have tried multiple configuration options like i found them in the documentation, but wasn't able to get it to work.
the current setup is:
866VAE-k9 LAN ip: 192.168.178.1, public ip: 83.xx.xx.xx
remote pc local ip: 192.168.178.x, public ip: 90.xx.xx.xx
the current vpn configuration (not working) is:
aaa authentication login userauthen local
aaa authorization network groupauthor local
username user password 0 secret
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
sh run
crypto isakmp client configuration group vpnclient
key vpnkey
domain xxx.local
pool ippool
acl 101
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface gigabitethernet0/0
ip address 83.xx.xx.xx 255.255.255.0
ip nat outside
crypto map clientmap
ip local pool ippool 192.168.178.93 192.168.178.94
ip nat inside source list 111 interface GigabitEthernet0/0 overload
access-list 111 deny ip 192.168.178.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
access-list 101 permit ip 192.168.178.0 0.0.0.255 192.168.1.0 0.0.0.255
What should i do to get a working vpn tunnel?Hi David Castro,
Thanks for your answer,
I configed following your guide, but it have not worked yet. I saw that I cannot ping IP gateway Internet . I using ADSL Internet and config PPPoE and my router receive IP from ISP. Here show ip int brief :
GigabitEthernet0/0 192.168.1.1 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM up up
Dialer1 210.245.54.49 YES IPCP up up
Dialer2 101.99.7.73 YES IPCP up up
NVI0 192.168.1.1 YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Virtual-Access3 unassigned YES unset up up
But I cannot ping Interface Dialer 1, so may be VPN is does not worked. Do you have some ideal ?
Thanks very much ! -
Remote Access VPN, how to specify on which interface clients will be placed on?
Hi,
I have a general understanding problem with remote access VPN and Cisco ASA.
If I have an ASA with multiple interfaces and I want to make sure that a Remote Access VPN Client is placed onto a specific interface, how do I do this?
example:
ASA has 4 interfaces: outside, inside-clients, inside-workers, inside-lab.
I want to allow multiple Remote Access VPN configurations that put clients coming from "outside" to "inside-lab" and "inside-clients", with two different profiles and two different IP pools, as the IP addresses for each of the interfaces is different.
How do I do that?
If possible be as explanatory as possible for me to really grasp the concept.
Many thanks
PatHi,
The ASA will view the hosts in its routing table behind the ASA interface which forms the VPN connection with the VPN Client. This is most of the time the interface called "outside".
By default the ASA allows all traffic coming from a VPN connection to bypass the interface ACL of the ASA. The thought process behind this is I guess the fact that the VPN devices/clients have already proven they have right to connect to the network to all traffic is allowed.
The configuration that controls this setting globally on the ASA is
sysopt connection permit-vpn
The above is the default setting of the command and it WONT show up in the CLI format configurations because its a default setting.
If you were to issue the following command
no sysopt connection permit-vpn
Then this would mean that the ASA would require an ACL statement on its VPN terminating interface (outside) to permit the traffic from the VPN Pool to the LAN networks.
Naturally you would have to take into consideration also that if you have existing VPNs and insert the above global command they would also need ACL statements on the "outside" interface ACL or the inbound traffic from the VPN will start to get blocked.
Other option (wihtout touching the above setting) would be to configure VPN Filter ACL that is a separate ACL that is only attached to a certain user or group of users.
I personally prefer the method of using the above global setting and using the "outside" interface ACL to control traffic.
Naturally it still leaves the question of how you are going to configure the Tunnel Groups, Group Policys and Usernames. To be honest, I have gotten a bit distracted from VPN client setups and have forgotten a lot of stuff since I dont work with them on a day to day basis. I mostly handle L2L VPN nowadays among normal firewall configurations.
If I had to suggest something simple at this point it would be this
Configure separate Tunnel Groups
Configure separate VPN Pools for the above Tunnel Groups
Configure separate Group Policys for the above Tunnel Groups
Configure the above mentioned Global setting to limit inbound traffic from VPN
Configure the "outside" interface ACL so that you only permit traffic from a certain VPN Tunnel Group users only to certain LAN networks
Configure the required NAT0 configurations for traffic between these networks
As Marcin said, there are multiple different ways to achieve the same thing as above.
And as I said I have gotten a bit rusty with the VPN Client side on the ASA so I am not sure if at the moment I can even consider all the possible options but surely the simple ones.
PS. The link that Marcin posted seems to point to a Group Policy setting that would let you lock the that VPN connection to use only a certain local Vlan (subinterface) on the ASA and therefore limit traffic from going to networks behind other interfacec
Hope this helps
- Jouni -
Trouble setting up remote access vpn
26-Jul-2013 09:41 (in response to ciscomoderator)
Re: Ask the Expert: Understanding MPLS L3VPN: concepts, terminology, control and data plane call flow
Keddian Gilbert
Hi
Concerning the nature of my problemes, am trying to setup a remote access vpn to my 3620 series router; however
am not able to use the command prompt because of my limited knowledge of the necessary commands. to configure a remote VPN conniction.
I checked out several instructions on the internet but all of them used GROUP PROFILE and the TUNNEL command in their config
which my router does not support. All I want is the specific configuration for this version IOS seeing it differs in configuration.
I cant use SDM. My router does not have enough memory to accept it.
Here is an out put of a SHOW VER command
digix-lan>sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3620-JK9S-M), Version 12.2(29), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 11-May-05 12:54 by kellmill
Image text-base: 0x60008930, data-base: 0x61598000
ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ROM: 3600 Software (C3620-JK9S-M), Version 12.2(29), RELEASE SOFTWARE (fc3)
digix-lan uptime is 2 days, 1 hour, 42 minutes
System returned to ROM by power-on
System image file is "flash:c3620-jk9s-mz.122-29.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco 3620 (R4700) processor (revision 0x81) with 60416K/5120K bytes of memory.
Processor board ID 10707060
R4700 CPU at 80Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
4 Ethernet/IEEE 802.3 interface(s)
DRAM configuration is 32 bits wide with parity disabled.
29K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
I really need this help sir! THANK YOU much
FROM: KEDDIAN GILBERTFor SSLVPN and HTTPS in general it's best to have a certificates with from one of the big PKI providers.
For IPsec however it is not required. You can have both ASA and user certificates provided by an internal CA (windows CA, openCA, ejbca, etc...)
There is a basic configuration example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
It might not be EXACTLY what you're looking for but should get you started. -
Remote Access VPN Clients Cannot Access inside LAN
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable.
: Saved
ASA Version 8.2(1)
hostname ASA5505
domain-name default.domain.invalid
enable password eelnBRz68aYSzHyz encrypted
passwd eelnBRz68aYSzHyz encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group dataDSL
ip address 76.244.75.57 255.255.255.255 pppoe
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.9.1 255.255.255.0
interface Vlan10
nameif outside_cable
security-level 0
ip address 50.84.96.178 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Netbios udp
port-object eq 139
port-object eq 445
port-object eq netbios-ns
object-group service Netbios_TCP tcp
port-object eq 445
port-object eq netbios-ssn
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.100.177
network-object host 192.168.100.249
object-group service Web_Services tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_10
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_11
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_3
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_5
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_6
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_7
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_8
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_9
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network VPN
network-object 192.168.255.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 76.244.75.61
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
access-list dmz_access_in remark Quickbooks
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
access-list dmz_access_in remark Quickbooks range
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
access-list dmz_access_in remark QB
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
access-list dmz_access_in remark Printer
access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
access-list dmz_access_in remark QB probably does not need any udp
access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark QB included in other rule range
access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark May be required for Quickbooks
access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu outside_cable 1500
ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside_cable) 10 interface
nat (inside) 0 access-list nonat-in
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group outside_cable_access_in in interface outside_cable
route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 204.107.173.0 255.255.255.0 outside
http 204.107.173.0 255.255.255.0 outside_cable
http 0.0.0.0 0.0.0.0 outside_cable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cable_map interface outside_cable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable outside_cable
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 204.107.173.0 255.255.255.0 outside
ssh 204.107.173.0 255.255.255.0 outside_cable
ssh 0.0.0.0 0.0.0.0 outside_cable
ssh timeout 15
console timeout 0
vpdn group dataDSL request dialout pppoe
vpdn group dataDSL localname [email protected]
vpdn group dataDSL ppp authentication pap
vpdn username [email protected] password *********
dhcpd address 192.168.100.30-192.168.100.99 inside
dhcpd dns 192.168.100.5 68.94.156.1 interface inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy cad_supplies_RAVPN internal
group-policy cad_supplies_RAVPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
client-firewall none
client-access-rule none
username swinc password BlhBNWfh7XoeHcQC encrypted
username swinc attributes
vpn-group-policy cad_supplies_RAVPN
username meredithp password L3lRjzwb7TnwOyZ1 encrypted
username meredithp attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone1 attributes
vpn-group-policy VPNPHONE
username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone2 attributes
vpn-group-policy VPNPHONE
username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone3 attributes
vpn-group-policy VPNPHONE
username oethera password WKJxJq7L6wmktFNt encrypted
username oethera attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
username markh attributes
vpn-group-policy cad_supplies_RAVPN
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cad_supplies_RAVPN type remote-access
tunnel-group cad_supplies_RAVPN general-attributes
address-pool VPN_IP_range
default-group-policy cad_supplies_RAVPN
tunnel-group cad_supplies_RAVPN ipsec-attributes
pre-shared-key *
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool VPN_Phone
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1500
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
: endHi,
You have your "group-policy" set so that you have excluding some networks from being tunneled.
In this access-list named Local_LAN_Access you specify "0.0.0.0"
Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
- Jouni -
Can i use same address pool for different remote access VPN tunnel groups and policy
Hi all,
i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
thanks in advance
ShnailThanks Karsten..
but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below, this will achive waht i need right??
access-list 15 extended permit tcp any host 192.168.205.134 eq 80
username test password password test
username test attributes
vpn-group-policy TEST
vpn-filter value 15
group-policy TEST internal
group-policy TEST attributes
dns-server value 192.168.200.16
vpn-filter value 15
vpn-tunnel-protocol IPSec
address-pools value existing-pool
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
address-pool existing-pool
default-group-policy TEST
tunnel-group Payroll ipsec-attributes
pre-shared-key xxx -
Remote Access VPN - Unable to Access LAN / Inside Network
Hi,
I am facing a problem with Cisco ASA remote access VPN, the remote client is connected to VPN and receiving IP address but the client is not able to ping or telnet any internal network.
I have attached running configuration for your reference. Please let me know I miss any configuartion.
FW : ASA5510
Version : 8.0
Note : Site to Site VPN is working without any issues
Thanks
JamalHi,
Very nice network diagram
Are you saying that originally the VPN Client user is behind the Jeddah ASA?
If this is true wouldnt it be wiser to just use the already existing L2L VPN between these sites?
In real situation I think the VPN Client would only be needed when you are outside either Head Quarter or Jeddah Network. And since you tested it infront of the ASA and it worked there shouldnt be any problem.
Now to the reason why the VPN Client isnt working from behind the Jeddah ASA.
Can you check that the following configuration is found on the Jeddah ASA (Depending on the software level of the ASA the format of the command might change. I'm not 100% sure)
isakmp nat-traversal To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
isakmp nat-traversal natkeepalive
no isakmp nat-traversal natkeepalive
Syntax Description
natkeepalive
Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.
Defaults
By default, NAT traversal (isakmp nat-traversal) is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System
Global configuration
Command History
Release
Modification
Preexisting
This command was preexisting.
7.2(1)
This command was deprecated. The crypto isakmp nat-traversal command replaces it.
Usage Guidelines Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The security appliance supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
Examples
The following example, entered in global configuration mode, enables ISAKMP and then enables NAT traversal with an interval of 30 seconds:
hostname(config)# isakmp enable
hostname(config)# isakmp nat-traversal 30
- Jouni -
ASA Remote Access VPN Clients - Multiple DNS Suffixes?
Hi community!
I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5).
We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the grouip policy.
I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clietns may ignore this option anyway.
Other than umanually configuring the clients , does anybody have any other suggestions on how we may get this to work?
Full marks for helpful posts!
Kind regards, Ash.Hi
I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
I have a remote access requirement for users from separate AD's to authenticate through an ASA.
I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
Regards
Maybe you are looking for
-
Can anyone tell me why my MacBook Pro screen crashes when I attempt to play any game?
The screen splits in two and scrambles. If I'm able to close the game, the screen goes back to normal. Is it the video card? Motherboard?
-
See above
-
IDOC for listing/exclusion conditions (transaction VB01)
Hello, we need to export the conditions for listing or exclusion entered in transaction VB01 (tables KOTG900 ff) to an external sales order system. Does the system provide an idoc for this purpose? best regards Rainer Fischer
-
I have put a LaCie ssd disk to my MacBook and try to move a FCPX project to it. De disk is connected thorugh either a ThunderBolt or the USB3 connection but in both case FCPX fails to see the disk. The disk however is neatly shown on the desktop. Why
-
How to enable Remote Management on multiple Macs using Workgroup Manager?
Hi I want to use workgroup manager to enable remote management on multiple macs I manage. How can I do that? Regards, Omer Barel