Remote VPN into ASA5505 with Cisco VPN Client

We're trying to create a remote access VPN so a user can connect to the ASA5505 using Cisco VPN Client 5.0. I can connect to the router from an outside network, and get an IP from the pool, but cannot access any of the network resources (RDP, server shares, etc) either by IP or server name. When I'm connected to the VPN, an IPConfig shows that I have an IP of 192.168.4.1 and a default gateway of 192.168.4.2 (Not sure if this is right?). The configuration is posted below. Thanks

: Saved
:
ASA Version 7.2(2)
!
hostname host
domain-name domain.local
enable password encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.153 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
Passwd encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
object-group service Email tcp
 description Email in to Server
 port-object range pop3 pop3
 port-object range 135 135
 port-object range 1677 1677
 port-object range 2200 2200
 port-object range 2211 2211
 port-object range smtp smtp
 port-object range 8009 8009
object-group network Mothership
 network-object 192.168.1.0 255.255.255.0
access-list outside_access_in remark Email inbound
access-list outside_access_in extended permit tcp host x.x.x.154 object-group Email host 192.168.0.10 object-group Email log
access-list outside_access_in remark Citrix Incoming
access-list outside_access_in extended permit tcp host x.x.x.155 eq citrix-ica host 192.168.0.235 eq citrix-ica log
access-list outside_access_in remark Inbound RDP
access-list outside_access_in extended permit tcp host x.x.x.156 eq 3389 host 192.168.0.216 eq 3389 log
access-list outside_access_in remark Inbound mail
access-list outside_access_in extended permit tcp any object-group Email host 192.168.0.10 object-group Email log
access-list outside_access_in remark Email Test
access-list outside_access_in extended permit ip any host 192.168.0.10
access-list outside_access_in extended permit ip any any
access-list inside_access_out remark Email out to interweb
access-list inside_access_out extended permit tcp host 192.168.0.10 object-group Email any object-group Email log
access-list inside_access_out remark Email inside to out
access-list inside_access_out extended permit tcp host 192.168.0.10 object-group Email host x.x.x.154 object-group Email log
access-list inside_access_out remark RDP to ServerWin1
access-list inside_access_out extended permit tcp host 192.168.0.250 host x.x.x.155 eq 3389 log
access-list inside_access_out remark RDP inside to outside
access-list inside_access_out extended permit tcp host 192.168.0.216 eq 3389 host x.x.x.156 eq 3389 log
access-list inside_access_out extended permit ip any any log disable
access-list inside_access_out extended permit icmp any any
access-list dmz_access_in extended permit tcp any host x.x.x.156 eq 3389
access-list Moving_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 object-group Mothership
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 object-group Mothership
access-list ASA5505 standard permit 192.168.0.0 255.255.255.0
access-list ASA5505_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Default 192.168.4.0-192.168.4.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) x.x.x.154 192.168.0.10 netmask 255.255.255.255 dns
static (inside,outside) x.x.x.156 192.168.0.216 netmask 255.255.255.255
static (inside,outside) x.x.x.152 192.168.0.0 netmask 255.255.255.255
static (inside,outside) x.x.x.153 192.168.0.254 netmask 255.255.255.255
static (inside,outside) x.x.x.155 192.168.0.250 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy ASA5505_1 internal
group-policy ASA5505_1 attributes
 wins-server value 192.168.0.250
 dns-server value 192.168.0.250 4.2.2.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ASA5505_splitTunnelAcl
 default-domain value domain.local
group-policy Moving internal
group-policy Moving attributes
 dns-server value 192.168.0.250 4.2.2.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Moving_splitTunnelAcl
 default-domain value domain.com
group-policy moving internal
group-policy moving attributes
 dns-server value 192.168.0.250 4.2.2.1
 vpn-tunnel-protocol IPSec
 default-domain value domain.local
group-policy ASA5505 internal
group-policy ASA5505 attributes
 dns-server value 192.168.0.250 4.2.2.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Moving_splitTunnelAcl
 default-domain value domain.local
 address-pools value Default
username User password encrypted privilege 0
username User attributes
 vpn-group-policy ASA5505_1
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer y.y.y.137
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
tunnel-group ASA5505 type ipsec-ra
tunnel-group ASA5505 general-attributes
 address-pool Default
 default-group-policy ASA5505_1
tunnel-group ASA5505 ipsec-attributes
 pre-shared-key *
tunnel-group y.y.y.137 type ipsec-l2l
tunnel-group y.y.y.137 ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
prompt hostname context
Cryptochecksum:22b474e2912bbd97721aac933b901e31
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

Asked by OAC Technology

1 Solution
lrmoore commented:
Try this

group-policy ASA5505_1 attributes
address-pools value Default
crypto isakmp nat-traversal 20
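A small config linter, added here as an example and not part of the thread, that checks the posted running-config for the things lrmoore's answer touches: whether the ipsec-ra tunnel-group actually resolves to an address pool (on the tunnel-group or on the group-policy it hands out), whether the nat 0 identity ACL exempts inside traffic to that pool, and whether ISAKMP NAT traversal is enabled. CONFIG is a constructed excerpt of the configuration in the question, and the parser handles only the ASA 7.x line formats shown there.

```python
import re
from ipaddress import ip_network
# Constructed excerpt of the running-config posted in the question (names as in the thread).
CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
ip local pool Default 192.168.4.0-192.168.4.250 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy ASA5505_1 attributes
tunnel-group ASA5505 general-attributes
 address-pool Default
 default-group-policy ASA5505_1
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse(config):
    """Indented lines belong to the preceding sub-mode header; the rest are top-level."""
    blocks, top, cur = {}, [], None
    for line in [ln for ln in config.splitlines() if ln.strip()]:
        if line.startswith(" "):
            blocks.setdefault(cur, []).append(line.strip())
        else:
            cur = line.strip()
            top.append(cur)
    return blocks, top

def attr(blocks, header, key):
    """Last token of the first 'key ...' line inside a sub-mode block, else None."""
    hits = [ln.split()[-1] for ln in blocks.get(header, []) if ln.startswith(key + " ")]
    return hits[0] if hits else None

def lint(config):
    """Findings per ipsec-ra tunnel-group plus the NAT-T check; [] means every check passed."""
    blocks, top = parse(config)
    pools = {ln.split()[3]: ln.split() for ln in top if ln.startswith("ip local pool ")}
    nat0 = [ln.split()[-1] for ln in top if ln.startswith("nat (inside) 0 access-list ")]
    exempt = [ln.split()[-2:] for ln in top if nat0 and ln.startswith(f"access-list {nat0[0]} ")]  # ACE dst/mask
    findings = []
    for header in [h for h in blocks if h and h.endswith(" general-attributes")]:
        tg, gp = header.split()[1], attr(blocks, header, "default-group-policy")
        pool = attr(blocks, header, "address-pool") or attr(blocks, f"group-policy {gp} attributes", "address-pools")
        if pool not in pools:
            findings.append(f"{tg}: no address pool on the tunnel-group or on group-policy {gp}")
            continue
        pool_net = ip_network(f"{pools[pool][4].split('-')[0]}/{pools[pool][6]}", strict=False)
        if not any(IPV4.match(d) and IPV4.match(m) and ip_network(f"{d}/{m}", strict=False).supernet_of(pool_net)
                   for d, m in exempt):
            findings.append(f"{tg}: nat 0 ACL does not exempt inside traffic to pool {pool_net}")
    if not any(ln.startswith("crypto isakmp nat-traversal") for ln in top):
        findings.append("crypto isakmp nat-traversal is off: clients behind NAT build a tunnel but pass no traffic")
    return findings
```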
