rcooper83

asked on

Cisco Client VPN Config.

I have a Cisco ASA 5510 and I want to make sure I have it configured properly before making it live.  My concern is the VPN.  It is strictly for client connections.  Can someone look through the config and tell me if it looks correct for the VPN?  I used the wizard and when I used to use the wizard on the PIX it would not work.  Please let me know...


---------------------------------------------------------------

sh run
: Saved
:
ASA Version 7.2(2)
!
hostname nunya
domain-name nunyariskgroup.com
enable password  encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 1.1.1.214 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address        
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd  encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name nunyariskgroup.com
access-list Inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.1.192 255.255.255.192
access-list nunyaVPN_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0
access-list outsidein extended permit tcp any any eq h323
access-list outsidein extended permit udp any any eq isakmp
access-list outsidein extended permit esp any any
access-list outsidein extended permit tcp any any eq 1718            
access-list outsidein extended permit tcp any any eq 1719
access-list outsidein extended permit tcp any any eq 1731
access-list outsidein extended permit tcp any any eq sip
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any host 10.0.1.150 eq 3389
access-list outsidein extended permit tcp any host 10.0.1.150 eq www
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 10.0.1.210-10.0.1.245 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 1.1.1.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00            
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy nunyaVPN internal
group-policy nunyaVPN attributes
 wins-server value 10.0.1.150
 dns-server value 10.0.1.150 66.180.96.12
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nunyaVPN_splitTunnelAcl
 default-domain value nunya.local
username nunya password  encrypted privilege 0
username nunya attributes
 vpn-group-policy nunyaVPN
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.1.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto map Outside_map interface Outside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des            
 hash sha
 group 2
 lifetime 86400
tunnel-group nunyaVPN type ipsec-ra
tunnel-group nunyaVPN general-attributes
 address-pool VPNPool
 default-group-policy nunyaVPN
tunnel-group nunyaVPN ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy            
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
Les Moore

The problem is that you are trying to use a subset of the local LAN subnet for the VPN client pool. Use a totally separate IP subnet for the VPN users, i.e.

ip local pool VPNPool 10.100.1.210-10.100.1.245 mask 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.100.1.192 255.255.255.192

You also want to enable nat-traversal
   isakmp nat-traversal 20
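
Below is an added example, not part of this thread and not Cisco's or Experts Exchange's code, that turns the two points above into an automated check: it parses the relevant lines of an ASA running-config (interface subnets, `ip local pool`, the ACL bound by `nat (...) 0 access-list`, and `isakmp nat-traversal`) and reports a pool carved out of a connected LAN subnet, a pool not covered by the NAT-exemption ACL, and missing NAT traversal. The two embedded configs are constructed cut-downs of the posted config, one as posted and one with the answer's changes applied; the function and variable names are the example's own.

```python
"""Check an ASA client-VPN config for the pitfalls discussed in this thread:
a VPN pool inside a connected LAN subnet, a nat 0 exemption ACL that does not
cover the pool, and ISAKMP NAT traversal not enabled."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the posted config reduced to the lines these checks read.
ORIGINAL_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 ip address 1.1.1.214 255.255.255.248
interface Ethernet0/1
 nameif Inside
 ip address 10.0.1.1 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.1.192 255.255.255.192
ip local pool VPNPool 10.0.1.210-10.0.1.245 mask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto isakmp enable Outside
"""

# Constructed sample: the same lines with the answer's corrections applied.
FIXED_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 ip address 1.1.1.214 255.255.255.248
interface Ethernet0/1
 nameif Inside
 ip address 10.0.1.1 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.100.1.192 255.255.255.192
ip local pool VPNPool 10.100.1.210-10.100.1.245 mask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto isakmp enable Outside
isakmp nat-traversal 20
"""


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each nameif to the subnet configured on that interface."""
    subnets: Dict[str, ipaddress.IPv4Network] = {}
    name = None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None  # new interface stanza; wait for its nameif
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and name:
            # strict=False keeps the host bits of the interface address
            subnets[name] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets


def parse_pools(config: str) -> Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Map each 'ip local pool' name to its (first, last) address."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
    return pools


def parse_nat0_destinations(config: str) -> List[ipaddress.IPv4Network]:
    """Destination networks of every ACL bound with 'nat (...) 0 access-list'."""
    acl_names = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))
    dests = []
    acl_re = r"^access-list (\S+) extended permit ip \S+ \S+ (\S+) (\S+)"
    for m in re.finditer(acl_re, config, re.M):
        if m.group(1) in acl_names:
            dests.append(ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return dests


def check_vpn_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means all three checks passed."""
    findings = []
    subnets = parse_interfaces(config)
    nat0 = parse_nat0_destinations(config)
    for pool, (first, last) in parse_pools(config).items():
        for ifname, net in subnets.items():
            # ranges overlap if the pool starts before the subnet ends and ends after it starts
            if first <= net.broadcast_address and last >= net.network_address:
                findings.append(f"pool {pool} ({first}-{last}) overlaps {ifname} subnet {net}")
        if not any(first in net and last in net for net in nat0):
            findings.append(f"pool {pool} is not covered by the nat 0 exemption ACL")
    if not re.search(r"^(?:crypto )?isakmp nat-traversal", config, re.M):
        findings.append("isakmp nat-traversal is not enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", ORIGINAL_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"{label}: {check_vpn_config(cfg) or ['no findings']}")
```

Run against the config as posted, the checker flags the pool overlapping the Inside subnet and the missing NAT traversal; the nat 0 ACL does happen to cover the pool, which is why only the pool address range and the ACL destination needed to change. Against the corrected lines it returns no findings. To use it on a real device, paste the output of `sh run` into a file and call `check_vpn_config()` on its contents.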


ASKER CERTIFIED SOLUTION
Les Moore
rcooper83

ASKER

How would I start from scratch and just delete the config I have created? I would like to go line for line with what you have and use what is necessary.
Never mind that last question... I am running through the process now of reconfiguring everything as it is listed here minus the webvpn. I do not want/need it.