Dan560

IPSEC rules for remote access (vpn client)

Hi

I'm very new to configuring VPN tunnels, but I'm having problems connecting the VPN client to my network (Cisco 5505). Do I need to configure the IPsec rule for the VPN client connection to be dynamic instead of static? I don't really know much about this.

dan
Routers

Last Comment
Dan560

8/22/2022 - Mon
naughton

hey dan,

run through the VPN wizard in the device manager software that came with the ASA - open a browser and point it to https://<ip address of asa>; you should be prompted to install the Java software.

in configuration, click on vpn - and then run through the remote access vpn configuration.
Dan560

ASKER
Thanks naughton

But I already have an existing remote access VPN tunnel for this; I just think I messed something up with the IPsec rules, and I just want clarification on a few things.

Dan
naughton

ok -
can you post a sanitised running config?
Dan560

ASKER
I'm not sure how helpful this will be, as I had to take out company names and public IPs.

Thanks
: Saved
:
ASA Version 7.2(2) 
!
hostname mycompany
domain-name mycompany.co.uk
enable password GMu/TWbb8D5So43N encrypted
names
name remoteip01 ADSL2
name remoteip02 LEASED
name remoteip03 ADSL1
name 192.168.100.0 RASVPN
name 192.168.0.0 lan-mycompany
name 10.10.10.0 lanremotecompany05
name publicip02 wan remote company
name 10.11.1.0 lanremotecompany06
name 10.12.1.0 remotecompany07
name ipremote06 wan-remotecompany06
name IP-Lacie-drive Lacie
name exchange server exchange server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address my public ip 255.255.255.252 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name mycompany.co.uk
same-security-traffic permit intra-interface
object-group network ISGWEBB-SUPPORT
 network-object remoteip 255.255.255.255
 network-object remoteip 255.255.255.255
 network-object remoteip 255.255.255.255
access-list -RASVPN_splitTunnelAcl standard permit lan-mycompany 255.255.255.0 
access-list outside_20_cryptomap extended permit ip lan-mycompany 255.255.255.0 lanremotecompany05 255.255.255.0 
access-list outside_20_cryptomap extended permit ip LAN-RASVPN 255.255.255.0 lanremotecompany05 255.255.255.0 
access-list inside_nat0_outbound extended permit ip lan-mycompany 255.255.255.0 lanremotecompany05 255.255.255.0 
access-list inside_nat0_outbound extended permit ip lan-mycompany 255.255.255.0 lanremotecompany06 255.255.255.0 
access-list inside_nat0_outbound extended permit ip lan-mycompany 255.255.255.0 remotecompany07 255.255.255.0 
access-list inside_nat0_outbound extended permit ip lan-mycompany 255.255.255.0 LAN-RASVPN 255.255.255.128 
access-list outside_access_in extended permit ip LAN-RASVPN 255.255.255.0 lan-mycompany 255.255.255.0 
access-list outside_access_in extended permit tcp host public ip host my public ip eq 3389 
access-list outside_access_in extended permit tcp any host my public ip eq smtp 
access-list outside_access_in extended permit tcp any host my public ip eq https 
access-list outside_access_in extended permit icmp lanremotecompany05 255.255.255.0 lan-mycompany 255.255.255.0 
access-list outside_access_in extended permit icmp lanremotecompany06 255.255.255.0 lan-mycompany 255.255.255.0 
access-list outside_access_in extended permit tcp any host my public ip eq 3389 
access-list outside_access_in extended permit icmp remotecompany07 255.255.255.0 lan-mycompany 255.255.255.0 
access-list outside_access_in extended permit tcp any host my public ip eq ftp 
access-list outside_cryptomap_65535.20 extended permit ip any LAN-RASVPN 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp any eq https any eq https 
access-list outside_cryptomap_30 extended permit ip lan-mycompany 255.255.255.0 lanremotecompany06 255.255.255.0 
access-list outside_cryptomap_30 extended permit ip LAN-RASVPN 255.255.255.0 lanremotecompany06 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip lan-mycompany 255.255.255.0 lanremotecompany06 255.255.255.0 
access-list outside_cryptomap_2 extended permit ip lan-mycompany 255.255.255.0 lanremotecompany05 255.255.255.0 
access-list outside_cryptomap_3 extended permit ip LAN-RASVPN 255.255.255.0 lan-mycompany 255.255.255.0 
access-list outside_70_cryptomap extended permit ip lan-mycompany 255.255.255.0 remotecompany07 255.255.255.0 
access-list outside_cryptomap_50 extended permit ip LAN-RASVPN 255.255.255.0 lan-mycompany 255.255.255.0 
access-list outside_nat0_outbound extended permit ip LAN-RASVPN 255.255.255.0 lan-mycompany 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1400
ip local pool RASVPNPOOL 192.168.100.1-192.168.100.99 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 lan-mycompany 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) tcp interface 3389 192.168.0.2 3389 netmask 255.255.255.255  dns 
static (inside,outside) tcp interface smtp exchange server smtp netmask 255.255.255.255  dns 
static (inside,outside) tcp interface https exchange server https netmask 255.255.255.255  dns 
static (inside,outside) tcp interface ftp 192.168.0.2 ftp netmask 255.255.255.255 
static (inside,inside) my public ip exchange server netmask 255.255.255.255 dns 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 90.152.15.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.0.2
 timeout 5
 key tn156yt
group-policy RASVPN internal
group-policy RASVPN attributes
 dns-server value 192.168.0.2
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RASVPN_splitTunnelAcl
 default-domain value mycompany.co.uk
http server enable 8443
http public ip 255.255.255.255 outside
http  puiblic ip 255.255.255.255 outside
http lan-mycompany 255.255.255.0 inside
http public ip 255.255.255.255 outside
http LEASED 255.255.255.255 outside
http ADSL2 255.255.255.255 outside
http ADSL1 255.255.255.255 outside
http publicip 255.255.255.255 outside
http publicip01 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_65535.20
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer publicip01 
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer publicip 
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map 10 match address outside_cryptomap_3
crypto map inside_map 10 set pfs 
crypto map inside_map 10 set peer LAN-RASVPN 
crypto map inside_map 10 set transform-set ESP-3DES-SHA
crypto map inside_map 20 match address outside_cryptomap_2
crypto map inside_map 20 set peer publicip01 
crypto map inside_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map 30 match address outside_cryptomap_1
crypto map inside_map 30 set peer publicip
crypto map inside_map 30 set transform-set ESP-3DES-SHA
crypto map inside_map 70 match address outside_70_cryptomap
crypto map inside_map 70 set pfs 
crypto map inside_map 70 set peer wan-remotecompany06 
crypto map inside_map 70 set transform-set ESP-3DES-SHA
crypto map inside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group RASVPN type ipsec-ra
tunnel-group RASVPN general-attributes
 address-pool RASVPNPOOL
 authentication-server-group RADIUS
 default-group-policy RASVPN
tunnel-group RASVPN ipsec-attributes
 pre-shared-key *
tunnel-group publicip01 type ipsec-l2l
tunnel-group publicip01 ipsec-attributes
 pre-shared-key *
tunnel-group publicip02 type ipsec-l2l
tunnel-group publicip02 ipsec-attributes
 pre-shared-key *
tunnel-group ipremote06 type ipsec-l2l
tunnel-group ipremote06 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.100-192.168.0.149 inside
dhcpd dns 192.168.0.2 interface inside
dhcpd domain mycompany.co.uk interface inside
dhcpd enable inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
tftp-server inside 192.168.0.2 tftp-root
prompt hostname context 
Cryptochecksum:0cccae6b5faef4b853e9c92f0463336d
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

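Two things are worth checking in a config like the one above before rewriting any crypto rules, and they bear directly on the "dynamic or static" question. Remote-access (ipsec-ra) clients connect from addresses the firewall cannot know ahead of time, so they are matched by a crypto dynamic-map hung off the interface's crypto map rather than by a static peer entry; the posted config already has one (outside_dyn_map, referenced from outside_map sequence 65535). What a checker can then verify is (a) that every symbolic address and ACL the VPN pieces refer to actually exists, and (b) that the crypto map holding the dynamic entry is the one bound to the outside interface. The Python script below is an added example written for this thread, not the asker's, naughton's or Cisco's tooling; the embedded SAMPLE_CONFIG is a trimmed copy of the VPN-related lines posted above (some of the mismatches it flags, such as LAN-RASVPN versus RASVPN or the leading hyphen on the split-tunnel ACL name, may be sanitisation artifacts rather than real), and the parsing heuristics and finding wording are mine.

```python
"""Referential checks for a Cisco ASA 7.x running config (added example,
not the thread's own or Cisco's tooling)."""
import re
from typing import List, Set, Tuple

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: a trimmed copy of the VPN-related lines posted above.
SAMPLE_CONFIG = """\
: Saved
name 192.168.100.0 RASVPN
name 192.168.0.0 lan-mycompany
access-list -RASVPN_splitTunnelAcl standard permit lan-mycompany 255.255.255.0
access-list inside_nat0_outbound extended permit ip lan-mycompany 255.255.255.0 LAN-RASVPN 255.255.255.128
access-list outside_cryptomap_65535.20 extended permit ip any LAN-RASVPN 255.255.255.0
access-list outside_cryptomap_3 extended permit ip LAN-RASVPN 255.255.255.0 lan-mycompany 255.255.255.0
ip local pool RASVPNPOOL 192.168.100.1-192.168.100.99 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy RASVPN attributes
 split-tunnel-network-list value RASVPN_splitTunnelAcl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_65535.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map 10 match address outside_cryptomap_3
crypto map inside_map interface outside
tunnel-group RASVPN type ipsec-ra
tunnel-group RASVPN general-attributes
 address-pool RASVPNPOOL
"""


def parse_config(text: str) -> List[List[str]]:
    """Tokenise each line, dropping blanks, '!' separators and ':' banners."""
    return [line.split() for line in (raw.strip() for raw in text.splitlines())
            if line and not line.startswith(("!", ":"))]


def defined_names(cfg: List[List[str]]) -> Set[str]:
    """Aliases created by `name <address> <alias>`."""
    return {t[2] for t in cfg if len(t) >= 3 and t[0] == "name"}


def defined_acls(cfg: List[List[str]]) -> Set[str]:
    """ACL names: the token right after `access-list`."""
    return {t[1] for t in cfg if len(t) >= 2 and t[0] == "access-list"}


def acl_address_aliases(cfg: List[List[str]]) -> List[Tuple[str, str]]:
    """(acl, alias) for each symbolic address in an ACL entry.

    In ASA ACL syntax an address is either followed by a dotted-quad mask or
    preceded by `host`; a non-IPv4 token in either position is a `name` alias.
    """
    refs = []
    for t in cfg:
        if t[0] != "access-list":
            continue
        for i in range(2, len(t)):
            tok = t[i]
            if IPV4.match(tok) or tok == "host":
                continue
            followed_by_mask = i + 1 < len(t) and bool(IPV4.match(t[i + 1]))
            if followed_by_mask or t[i - 1] == "host":
                refs.append((t[1], tok))
    return refs


def acl_references(cfg: List[List[str]]) -> List[Tuple[str, str]]:
    """(config line, acl) for each place that points at an ACL by name."""
    refs = []
    for t in cfg:
        line = " ".join(t)
        if t[0] == "access-group":
            refs.append((line, t[1]))
        elif t[0] == "nat" and "access-list" in t:
            refs.append((line, t[t.index("access-list") + 1]))
        elif t[0] == "crypto" and "match" in t:  # crypto map / dynamic-map entries
            m = t.index("match")
            if m + 2 < len(t) and t[m + 1] == "address":
                refs.append((line, t[m + 2]))
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            refs.append((line, t[2]))
    return refs


def dynamic_map_findings(cfg: List[List[str]]) -> List[str]:
    """Flag dynamic crypto-map entries whose parent map is bound to no interface."""
    bound = {t[2] for t in cfg
             if t[:2] == ["crypto", "map"] and len(t) == 5 and t[3] == "interface"}
    return [f"dynamic crypto map entry '{t[-1]}' lives in '{t[2]}', "
            "which is not applied to any interface"
            for t in cfg
            if t[:2] == ["crypto", "map"] and "dynamic" in t and t[2] not in bound]


def audit(text: str) -> List[str]:
    """Run all checks; return de-duplicated, human-readable findings."""
    cfg = parse_config(text)
    names, acls = defined_names(cfg), defined_acls(cfg)
    findings: List[str] = []
    for acl, alias in acl_address_aliases(cfg):
        if alias not in names:
            findings.append(f"ACL {acl}: address '{alias}' is not defined with a 'name' command")
    for line, acl in acl_references(cfg):
        if acl not in acls:
            findings.append(f"'{line}' refers to undefined ACL '{acl}'")
    findings.extend(dynamic_map_findings(cfg))
    return list(dict.fromkeys(findings))  # keep first occurrence of each finding


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the checker reports the LAN-RASVPN alias used in three ACLs without a matching name command, the split-tunnel list pointing at RASVPN_splitTunnelAcl while the ACL is defined as -RASVPN_splitTunnelAcl, and the dynamic entry sitting in outside_map while the map actually applied to the outside interface is inside_map. Fixing those three references in the sample makes the audit come back clean. The checker is deliberately narrow (ACL addresses, ACL references and crypto-map binding); it does not validate transform sets, tunnel-group names or NAT exemption coverage.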

ASKER CERTIFIED SOLUTION
Dan560
