Hi,
I have configured a VPN on a Cisco ASA firewall, and my client software (Cisco VPN Client) is connecting with no problems. The split tunneling works, i.e. I can still browse the net on my own connection whilst connected; however, no traffic for the VPN can be sent over the connection.
I have configured the VPN using ASDM under Wizards, VPN Wizard.
Please see sh run
name 192.168.1.105 WWW1-I
name 192.168.1.106 WWW2-I
name 192.168.1.108 WWW3-I
name 192.168.1.227 WWW4-I
name 61.XX.XX.128 Outside-Network
name 61.XX.XX.129 Internet-Router
name 61.XX.XX.133 WWW4-O
name 61.XX.XX.134 ASA-O
name 61.XX.XX.135 WWW_Web1-O
name 61.XX.XX.136 WWW_Web2-O
name 61.XX.XX.137 WWW_DB1-O
name 61.XX.XX.138 WWW_Report-O
name 210.XX.XX.226 WWW6-O
name 210.XX.XX.225 WWW2-O
name 210.XX.XX.227 WWW1-O
name 210.XX.XX.228 WWW3-O
name 192.168.1.89 ASA-I
name 192.168.1.109 WWW5
!
interface Ethernet0/0
nameif outside
security-level 0
ip address ASA-O 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address ASA-I 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd <removed> encrypted
ftp mode passive
clock timezone AEST 10
clock summer-time AEDT recurring last Sun Oct 2:00 last Sun Mar 2:00
object-group icmp-type ICMP-Permitted
description Permitted ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object echo
icmp-object time-exceeded
object-group service Outbound-TCP tcp
description TCP Ports Allowed Outbound
port-object eq ftp
port-object eq www
port-object eq https
port-object eq domain
port-object eq 1863
port-object eq 6901
port-object eq 6891
port-object eq 6900
port-object eq 3389
port-object eq 1433
port-object eq telnet
port-object eq pcanywhere-data
port-object eq smtp
port-object eq ftp-data
port-object eq pop3
port-object eq pop2
object-group service Outbound-UDP udp
description UDP Ports Allowed Outbound
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
port-object eq 1433
access-list Outside extended permit icmp any any object-group ICMP-Permitted
access-list Outside extended permit tcp any host WWW2-O eq www
access-list Outside extended permit tcp any host WWW6-O eq 5555
access-list Outside extended permit tcp any host WWW6-O eq www
access-list Outside extended permit tcp any host WWW6-O eq smtp
access-list Outside extended permit tcp any host WWW6-O eq pop3
access-list Outside extended permit tcp any host WWW6-O eq imap4
access-list Outside extended permit tcp any host WWW1-O eq ftp
access-list Outside extended permit tcp any host 61.XX.XX.139 eq www
access-list Outside extended permit tcp any host WWW1-O eq domain
access-list Outside extended permit tcp any host WWW1-O eq pop3
access-list Outside extended permit tcp any host WWW1-O eq smtp
access-list Outside extended permit tcp any host WWW1-O eq imap4
access-list Outside extended permit tcp any host WWW1-O eq https
access-list Outside extended permit tcp any host WWW1-O eq www
access-list Outside extended permit tcp any host WWW1-O eq 32000
access-list Outside extended permit tcp any any eq ssh
access-list Outside extended deny ip any any log notifications
access-list Inside extended permit icmp Inside-Network 255.255.255.0 any object-group ICMP-Permitted
access-list Inside extended permit tcp Inside-Network 255.255.255.0 any
access-list Inside extended permit udp Inside-Network 255.255.255.0 any
access-list Inside extended deny ip any any log notifications
access-list NONAT extended permit ip Inside-Network 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT extended permit ip Inside-Network 255.255.255.0 192.168.253.0 255.255.255.0
access-list NONAT extended permit ip any 192.168.253.0 255.255.255.128
access-list VPNCLIENTS remark VPN Client Local LAN Access
access-list tac extended permit ip any any
access-list tac extended permit ip host 171.XX.XX.102 any
access-list tac extended permit ip any host 171.XX.XX.102
access-list ciscoASA_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list ciscoASA_splitTunnelAcl standard permit 192.168.253.0 255.255.255.0
access-list outside_cryptomap_dyn_180 extended permit ip any 192.168.253.0 255.255.255.128
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPOOL 192.168.253.1-192.168.253.99 mask 255.255.255.0
ip local pool VPNPOOL2 10.6.253.1-10.6.253.99 mask 255.255.255.0
ip verify reverse-path interface outside
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 Inside-Network 255.255.255.0
static (inside,outside) tcp WWW2-O www WWW2-I 5555 netmask 255.255.255.255
static (inside,outside) tcp WWW1-O www WWW1-I www netmask 255.255.255.255
static (inside,outside) tcp WWW1-O https WWW1-I https netmask 255.255.255.255
static (inside,outside) tcp WWW1-O imap4 WWW1-I imap4 netmask 255.255.255.255
static (inside,outside) tcp WWW1-O smtp WWW1-I smtp netmask 255.255.255.255
static (inside,outside) tcp WWW1-O pop3 WWW1-I pop3 netmask 255.255.255.255
static (inside,outside) tcp WWW1-O domain WWW1-I domain netmask 255.255.255.255
static (inside,outside) tcp WWW1-O ftp WWW1-I ftp netmask 255.255.255.255
static (inside,outside) tcp WWW6-O www WWW6-I www netmask 255.255.255.255
static (inside,outside) tcp WWW6-O imap4 WWW6-I imap4 netmask 255.255.255.255
static (inside,outside) tcp WWW6-O pop3 WWW6-I pop3 netmask 255.255.255.255
static (inside,outside) tcp WWW6-O smtp WWW6-I smtp netmask 255.255.255.255
static (inside,outside) tcp WWW6-O 5555 WWW6-I 5555 netmask 255.255.255.255
static (inside,outside) WWW_Web1-O WWW_Web1-I netmask 255.255.255.255
static (inside,outside) WWW_Web2-O WWW_Web2-I netmask 255.255.255.255
static (inside,outside) WWW_DB1-O WWW_DB1-I netmask 255.255.255.255
static (inside,outside) WWW_Report-O WWW_Report-I netmask 255.255.255.255
static (inside,outside) WWW3-O WWW3-I netmask 255.255.255.255
static (inside,outside) 61.XX.XX.139 WWW5 netmask 255.255.255.255
access-group Outside in interface outside
access-group Inside in interface inside
route outside 0.0.0.0 0.0.0.0 Internet-Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ciscoASA internal
group-policy ciscoASA attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ciscoASA_splitTunnelAcl
webvpn
username user3 password <removed> encrypted
username user2 password <removed> encrypted
username user1 password <removed> encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 61.XX.XX.XXX 255.255.255.255 outside
http 218.XX.XX.XX 255.255.255.255 outside
http Inside-Network 255.255.255.0 inside
http 192.168.253.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VPN-SET2 esp-3des esp-sha-hmac
crypto dynamic-map VPN-DYNMAP 100 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 120 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 140 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 160 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 180 match address outside_cryptomap_dyn_180
crypto dynamic-map VPN-DYNMAP 180 set transform-set VPN-SET2
crypto dynamic-map inside_dyn_map 20 set transform-set VPN-SET2
crypto map VPN-MAP 100 ipsec-isakmp dynamic VPN-DYNMAP
crypto map VPN-MAP interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp identity address
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 30
isakmp ipsec-over-tcp port 15000
tunnel-group ciscoASA type ipsec-ra
tunnel-group ciscoASA general-attributes
address-pool VPNPOOL
default-group-policy ciscoASA
tunnel-group ciscoASA ipsec-attributes
pre-shared-key *
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh XX.XX.8.0 255.255.255.0 outside
ssh 61.XX.XX.150 255.255.255.255 outside
ssh 218.214.XX.XX 255.255.255.255 outside
ssh Inside-Network 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
ciscoASA-fw01#
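As an added example (not part of the post above, and not Cisco's own tooling), the script below runs the sanity checks an engineer would make before looking deeper at a remote-access VPN configuration in this pre-8.3 `nat (inside) 0 access-list` syntax: does every address pool bound to an `ipsec-ra` tunnel-group fall inside the NAT-exemption ACL's destination networks (otherwise inside hosts' replies to VPN clients are NATed to the outside address and never return through the tunnel), and is every NAT-exempt inside network also present in the split-tunnel list (otherwise the client never routes that traffic into the tunnel). The `SAMPLE` text is a constructed excerpt of the posted config; the `name 192.168.1.0 Inside-Network` line is an assumption, since the post uses that name without showing its `name` entry. `BROKEN` is the same excerpt with the tunnel-group pointed at the unexempted `VPNPOOL2`, to show what a finding looks like. The script flags conditions, it does not diagnose the poster's specific fault.

```python
"""Cross-check a Cisco ASA (7.x / pre-8.3 NAT syntax) remote-access VPN config.

Added illustration: constructed from the posted `show run`, not the poster's
or Cisco's code. The Inside-Network name line is an assumed value.
"""
import ipaddress

SAMPLE = """\
name 192.168.1.0 Inside-Network
access-list NONAT extended permit ip Inside-Network 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT extended permit ip Inside-Network 255.255.255.0 192.168.253.0 255.255.255.0
access-list NONAT extended permit ip any 192.168.253.0 255.255.255.128
access-list ciscoASA_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list ciscoASA_splitTunnelAcl standard permit 192.168.253.0 255.255.255.0
ip local pool VPNPOOL 192.168.253.1-192.168.253.99 mask 255.255.255.0
ip local pool VPNPOOL2 10.6.253.1-10.6.253.99 mask 255.255.255.0
nat (inside) 0 access-list NONAT
group-policy ciscoASA internal
group-policy ciscoASA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ciscoASA_splitTunnelAcl
tunnel-group ciscoASA type ipsec-ra
tunnel-group ciscoASA general-attributes
 address-pool VPNPOOL
 default-group-policy ciscoASA
"""
# Same config, but the tunnel-group hands out VPNPOOL2, which NONAT never exempts.
BROKEN = SAMPLE.replace("address-pool VPNPOOL\n", "address-pool VPNPOOL2\n")


def _parse_addr(tokens, i, names):
    """Read one ASA address operand (any | host X | NET MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1])), i + 2
    net = ipaddress.ip_network(f"{names.get(tok, tok)}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_asa(text):
    """Extract names, pools, ip ACL entries, the nat-0 ACL, group policies and tunnel-groups."""
    names, pools, acls, gp, tg, nat0 = {}, {}, {}, {}, {}, None
    cur = None  # which group-policy / tunnel-group block we are inside
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list" and "permit" in t:
            if t[2] == "standard":
                net, _ = _parse_addr(t, 4, names)
                acls.setdefault(t[1], []).append((None, net))
            elif t[2] == "extended" and t[4] == "ip":
                src, j = _parse_addr(t, 5, names)
                dst, _ = _parse_addr(t, j, names)
                acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0 = t[4]
        elif t[0] == "group-policy" and t[-1] == "attributes":
            cur = ("gp", t[1]); gp.setdefault(t[1], {})
        elif t[0] == "tunnel-group":
            if t[2] == "type":
                tg.setdefault(t[1], {})["type"] = t[3]
            else:
                cur = ("tg", t[1]); tg.setdefault(t[1], {})
        elif cur and cur[0] == "gp" and t[0] == "split-tunnel-network-list":
            gp[cur[1]]["split"] = t[2]
        elif cur and cur[0] == "tg" and t[0] == "address-pool":
            tg[cur[1]]["pool"] = t[1]
        elif cur and cur[0] == "tg" and t[0] == "default-group-policy":
            tg[cur[1]]["policy"] = t[1]
    return names, pools, acls, nat0, gp, tg


def check_remote_access(text):
    """Return a list of findings; an empty list means the pool/NAT/split-tunnel wiring agrees."""
    _, pools, acls, nat0, gp, tg = parse_asa(text)
    exempt = acls.get(nat0, []) if nat0 else []
    findings = []
    for name, attrs in tg.items():
        if attrs.get("type") != "ipsec-ra":
            continue
        pool = attrs.get("pool")
        if pool not in pools:
            findings.append(f"{name}: no address-pool bound to this tunnel-group")
            continue
        lo, hi = pools[pool]
        if not any(lo in dst and hi in dst for _, dst in exempt):
            findings.append(f"{name}: pool {pool} ({lo}-{hi}) is not a destination in "
                            f"nat-0 ACL {nat0!r}; inside replies to clients will be NATed")
        split = gp.get(attrs.get("policy"), {}).get("split")
        tunnelled = [dst for _, dst in acls.get(split, [])]
        for src, dst in exempt:
            # Every NAT-exempt inside network must also be routed into the tunnel by the client.
            if split and lo in dst and src.prefixlen and not any(src.subnet_of(n) for n in tunnelled):
                findings.append(f"{name}: inside network {src} is NAT-exempt but absent from "
                                f"split-tunnel list {split}")
    return findings


if __name__ == "__main__":
    print("posted config:", check_remote_access(SAMPLE) or "no findings")
    print("VPNPOOL2 variant:", check_remote_access(BROKEN))
```

Feed it the real `show run` (with indentation intact) and it walks the same path the packets take: pool address, NAT exemption, split-tunnel route. When all three agree and clients still cannot reach the inside, the next things to look at are the `sysopt connection permit-ipsec` state and `show crypto ipsec sa` decrypt/encrypt counters, neither of which a config parse can settle.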