Solved

Cisco ASA 5505 VPN - How to configure to browse connected network?

Posted on 2008-10-14
1,687 Views
Last Modified: 2012-05-05
Hello. I have a Cisco ASA 5505 device that I recently put into place. I have it up and running and users can get to the Internet just fine. I have recently been asked to try to configure it to allow certain users VPN access from home.

I originally configured the VPN through the wizard and that didn't work, so I found a place online that had some examples and I tried to emulate those. I can successfully connect to the VPN now, but I cannot access any of the resources on the network.

My host network is 192.168.121.x and the VPN network is 192.168.122.x. I would like the .122 network to be able to access resources on the .121 network via VPN.

I have attached a copy of the router's config. Where you see <hidden> I have cleared that info.

If someone could take a quick look and see what I might be missing and let me know, that would be great.
Thanks!
Dave
Result of the command: "sh run"

isakmp policy 30 is superceded by identical policy 10
:
ASA Version 7.2(4)
!
hostname <hidden>
domain-name <hidden>.local
enable password .<hidden> encrypted
passwd <hidden>.<hidden> encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.121.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.xx.xx.xx 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name <hidden>.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

access-list Split_Tunnel_List_ACL remark ****** NAT Access List ******
access-list Split_Tunnel_List_ACL remark ****** Split Tunnel Encrypted Traffic ******
access-list Split_Tunnel_List_ACL standard permit 192.168.122.0 255.255.255.0

access-list outside_access_in extended permit tcp any any eq pcanywhere-data
access-list outside_access_in extended permit tcp any any eq 5632
access-list outside_access_in extended permit tcp any any eq 3389

access-list inside_access_in extended permit ip any any

access-list privpn_splitTunnelAcl standard permit 192.168.121.0 255.255.255.0

access-list inside_nat0_outside extended permit ip any 192.168.122.0 255.255.255.0

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500

ip local pool vpnpool 192.168.122.180-192.168.122.199 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outside
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface pcanywhere-data 192.168.121.51 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 5632 192.168.121.51 5632 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 <hidden> 3389 netmask 255.255.255.255

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 71.xx.xx.xx 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.121.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside

crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 86400

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

crypto isakmp nat-traversal  20

telnet timeout 5
ssh 192.168.121.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
!

ntp server 129.6.15.29
ntp server 129.6.15.28 source outside prefer

group-policy privpn internal
group-policy privpn attributes
 dns-server value 192.168.121.5 192.168.121.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List_ACL
 default-domain value pri.local

username <hidden> password <hidden> encrypted
username <hidden> password <hidden>  encrypted

tunnel-group privpn type ipsec-ra
tunnel-group privpn general-attributes
 address-pool vpnpool
 default-group-policy privpn

tunnel-group privpn ipsec-attributes
 pre-shared-key *

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5cceb29fc0a48efdjcnonweo
: end

Question by:readydave
4 Comments
 
LVL 2

Expert Comment

by:CPAsAdmin
What lines did you add or change from the original configuration of the firewall before VPN connectivity was attempted? Could you highlight them, or copy and paste them to a separate doc?
 
LVL 43

Accepted Solution

by: JFrederick29 (earned 500 total points)
Give these a shot.

conf t
! ACL describing traffic to the VPN client pool; it doubles as the new split-tunnel list
access-list remote-vpn extended permit ip any 192.168.122.0 255.255.255.0

! dynmap is the dynamic map behind mymap, the crypto map bound to the outside interface
no crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 match address remote-vpn

! swap the group policy's split-tunnel list for the new ACL
group-policy privpn attributes
no split-tunnel-network-list value Split_Tunnel_List_ACL
split-tunnel-network-list value remote-vpn
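As an added consistency check (not from this thread and not a Cisco tool), the following Python parses the relevant lines of the posted "sh run" and flags the split-tunnel mismatch behind the question: the active split-tunnel list permits the VPN pool 192.168.122.0/24 rather than the inside 192.168.121.0/24 network, so no LAN prefix is routed into the tunnel. The config excerpt is constructed from the question's dump; the function names are assumptions of this example.

```python
import re
import ipaddress

# Constructed excerpt of the ASA 7.2(4) config posted above, trimmed to the lines the check reads.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.121.1 255.255.255.0
access-list Split_Tunnel_List_ACL standard permit 192.168.122.0 255.255.255.0
access-list privpn_splitTunnelAcl standard permit 192.168.121.0 255.255.255.0
ip local pool vpnpool 192.168.122.180-192.168.122.199 mask 255.255.255.0
group-policy privpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List_ACL
"""

def net(ip, mask):
    # dotted mask accepted by ipaddress; strict=False normalises a host address to its network
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse_asa(config):
    """Return (inside network, VPN pool network, active split-tunnel ACL name, {acl: [networks]})."""
    inside = pool = split_acl = None
    acls, in_inside = {}, False
    for line in config.splitlines():
        if not line.startswith(" "):      # a new top-level command ends the interface block
            in_inside = False
        if line.strip() == "nameif inside":
            in_inside = True
        elif in_inside and line.split()[:2] == ["ip", "address"] and len(line.split()) == 4:
            inside = net(*line.split()[2:])
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            acls.setdefault(m.group(1), []).append(net(m.group(2), m.group(3)))
        elif m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line):
            pool = net(m.group(1), m.group(2))
        elif m := re.match(r"\s*split-tunnel-network-list value (\S+)", line):
            split_acl = m.group(1)
    return inside, pool, split_acl, acls

def audit_split_tunnel(config):
    """Flag split-tunnel mistakes that leave VPN clients unable to reach the inside network."""
    inside, pool, split_acl, acls = parse_asa(config)
    nets = acls.get(split_acl, [])
    findings = []
    if not nets:
        findings.append(f"split-tunnel list {split_acl!r} is empty or undefined")
    if pool is not None and pool in nets:
        findings.append(f"split-tunnel list {split_acl!r} tunnels the VPN pool {pool} itself, not the LAN")
    if inside is not None and not any(inside.subnet_of(n) for n in nets):
        findings.append(f"inside network {inside} is missing from split-tunnel list {split_acl!r}")
    return findings
```

Pointing the group policy at a list that permits 192.168.121.0/24 (the posted config already has one, privpn_splitTunnelAcl) clears both findings, which is the property the check enforces.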
 
LVL 12

Expert Comment

by:Pugglewuggle
Hi,
If you're asking about browsing computers in a Windows network, this simply will not work over VPN.
The protocol used to browse computers is called NetBIOS - NetBIOS is a broadcast protocol and broadcasts do not work over VPN - it is impossible to do.
The alternative is to create a mapped drive using IP addresses or DNS names (this uses a different protocol) - but you won't be able to contact a computer just by typing its name and trying to browse it.
Cheers! Let me know if you have any questions!
 
LVL 3

Author Closing Comment

by:readydave
This worked for me. Thank you!