05.07.2008 at 06:37AM PDT, ID: 23382692

VPN Auto-Reconnect

Asked by andyoww in Cisco PIX Firewall, Networking Hardware Firewalls, Enterprise Firewalls

We are using this ASA for remote access VPNs.

The majority of these are coming in from squad cars using cell modems to connect to the Internet.
The problem we are having is if the user goes into an area with limited or no cell coverage (our area is very hilly and this happens a lot), they lose connection to the Internet and then the VPN connection is dropped.  When they come back into a good coverage area, the user is prompted to input their password for the VPN.

This wouldn't be a big issue if our area was flat, but since we have so many hills they could be prompted for their password 10 times in a 10 mile stretch.

I need to make this reconnect without the user's input.

I would like the user to put their password in the first time they fire their machines up, then not be prompted again until after they shut their machine down and fire it up again.

Full config and vpnclient.ini are listed below.
Thanks for your help.
ASA CONFIG:
 
ASA Version 7.0(7)
!
hostname MYASA
domain-name domain.com
enable password password encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 69.x.x.x 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd password encrypted
ftp mode passive
clock timezone cst -6
clock summer-time cst recurring
dns domain-lookup inside
dns name-server 192.168.3.101
access-list outside_acl extended permit udp any host 192.168.3.101 eq ntp
access-list outside_acl extended deny ip host 24.x.x.x any
access-list outside_acl extended deny tcp any any eq 161
access-list outside_acl extended deny udp any any eq snmp
access-list outside_acl extended deny tcp any any eq telnet
access-list outside_acl extended permit ip any any
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list nonat extended permit ip any 192.168.50.0 255.255.255.0
access-list vpn_split_tunnel standard permit 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 69.x.x.x.x 1
route inside 10.113.255.231 255.255.255.255 192.168.3.200 1
route inside 10.113.255.210 255.255.255.255 192.168.3.200 1
route inside 10.113.255.212 255.255.255.255 192.168.3.200 1
route inside 10.113.255.250 255.255.255.255 192.168.3.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 192.168.3.101
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 18
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value domain.com
 split-dns none
 secure-unit-authentication disable
 user-authentication enable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy MYPolicy internal
group-policy MYPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_split_tunnel
 default-domain value domain.com
 webvpn
username user1 password password encrypted
username user1 attributes
 vpn-group-policy MYPolicy
 vpn-framed-ip-address 192.168.50.2 255.255.255.0
 webvpn
 
<----snip for brevity---->
 
username user16 password password encrypted
username user16 attributes
 vpn-group-policy MYPolicy
 vpn-framed-ip-address 192.168.50.17 255.255.255.0
 webvpn
http server enable
http 192.168.3.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec transform-set MYset esp-3des esp-md5-hmac
crypto dynamic-map MYmap 10 set transform-set MYset
crypto dynamic-map MYmap 10 set reverse-route
crypto map IPSec_map 65535 ipsec-isakmp dynamic MYmap
crypto map IPSec_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group MYVPN type ipsec-ra
tunnel-group MYVPN ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh scopy enable
ssh 69.x.x.x 255.255.255.248 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:CHECKSUM
: end
 
-------------------------------------
VPNCLIENT.INI CONFIG:
-------------------------------------
 
[main]
ClientLanguage=
AutoInitiationEnable=1
AutoInitiationRetryInterval=1
AutoInitiationRetryLimit=0
AutoInitiationList=SD
ConnectOnOpen=1
EnableLog=1
[SD]
ConnectionEntry=MYCONNECTION
[GUI]
DefaultConnectionEntry=MYCONNECTION
WindowWidth=600
WindowHeight=330
WindowX=44
WindowY=58
VisibleTab=2
ConnectionAttribute=0
AdvancedView=1
LogWindowWidth=0
LogWindowHeight=0
LogWindowX=0
LogWindowY=0
MinimizeOnConnect=1
UseWindowSettings=1
ShowTooltips=0
ShowConnectHistory=0
AccessibilityOption=0
[LOG.IKE]
LogLevel=1
[LOG.CM]
LogLevel=1
[LOG.PPP]
LogLevel=1
[LOG.DIALER]
LogLevel=1
[LOG.CVPND]
LogLevel=1
[LOG.XAUTH]
LogLevel=1
[LOG.CERT]
LogLevel=1
[LOG.IPSEC]
LogLevel=1
[LOG.CLI]
LogLevel=1
[LOG.FIREWALL]
LogLevel=1
[LOG.GUI]
LogLevel=1
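An added note, not part of the question or of the (hidden) answer: in the posted config MYPolicy never sets password-storage, so it inherits "password-storage disable" from DfltGrpPolicy, and that attribute is what decides whether the Cisco VPN Client may keep the XAUTH password between connections; "re-xauth disable" is already inherited, so rekeys do not re-prompt. The fragment below shows the group-policy override together with the matching connection-entry key, with the file name MYCONNECTION.pcf and the entry contents assumed (the page only shows vpnclient.ini).

```text
! ASA side (added example; hypothetical override of the posted MYPolicy).
! DfltGrpPolicy in the posted config carries "password-storage disable";
! MYPolicy does not set the attribute, so it inherits "disable" today.
group-policy MYPolicy attributes
 ! lets the client store the user's XAUTH password
 password-storage enable
 ! already the inherited value; keep it, otherwise every IKE rekey prompts again
 re-xauth disable
 ! inherited value; a stored password plus a long idle timeout widens the window
 ! a stolen laptop has, so review this together with the change above
 vpn-idle-timeout 30

; Client side: connection entry MYCONNECTION.pcf (assumed file name).
; With password-storage enabled on the ASA the client honours this key and
; keeps the password on disk in a reversible form, so full-disk encryption on
; the squad-car laptops is the control that actually protects it.
[main]
Host=69.x.x.x
AuthType=1
GroupName=MYVPN
Username=user1
SaveUserPassword=1
```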
05.12.2008 at 07:52AM PDT, ID: 21547488

About this solution

Zones: Cisco PIX Firewall, Networking Hardware Firewalls, Enterprise Firewalls
Tags: Cisco, ASA, 5510-SEC-BUN-K9
Solution Provided By: andyoww
Participating Experts: 0
Solution Grade: A