Solved

Cisco ASA 5505 VPN - How to configure to browse connected network?

Posted on 2008-10-14
Last Modified: 2012-05-05
Hello. I have a Cisco ASA 5505 device that I recently put into place. I have it up and running and users can get to the Internet just fine. I have recently been asked to try to configure it to allow certain users VPN access from home.

I originally configured the VPN through the wizard and that didn't work, so I found a place online that had some examples and I tried to emulate those. I can successfully connect to the VPN now, but I cannot access any of the resources on the network.

My host network is 192.168.121.x and the VPN network is 192.168.122.x. I would like the .122 network to be able to access resources on the .121 network via VPN.

I have attached a copy of the router's config. Where you see <hidden> I have cleared that info.

If someone could take a quick look and see what I might be missing and let me know, that would be great.
Thanks!
Dave
Result of the command: "sh run"
 
isakmp policy 30 is superceded by identical policy 10
:
ASA Version 7.2(4) 
!
hostname <hidden>
domain-name <hidden>.local
enable password .<hidden> encrypted
passwd <hidden>.<hidden> encrypted
 
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.121.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.xx.xx.xx 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name <hidden>.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
 
access-list Split_Tunnel_List_ACL remark ****** NAT Access List ******
access-list Split_Tunnel_List_ACL remark ****** Split Tunnel Encrypted Traffic ******
access-list Split_Tunnel_List_ACL standard permit 192.168.122.0 255.255.255.0 
 
access-list outside_access_in extended permit tcp any any eq pcanywhere-data 
access-list outside_access_in extended permit tcp any any eq 5632 
access-list outside_access_in extended permit tcp any any eq 3389 
 
access-list inside_access_in extended permit ip any any 
 
access-list privpn_splitTunnelAcl standard permit 192.168.121.0 255.255.255.0 
 
access-list inside_nat0_outside extended permit ip any 192.168.122.0 255.255.255.0 
 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
 
ip local pool vpnpool 192.168.122.180-192.168.122.199 mask 255.255.255.0
 
icmp unreachable rate-limit 1 burst-size 1
 
icmp permit any inside
 
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
 
nat (inside) 0 access-list inside_nat0_outside
nat (inside) 1 0.0.0.0 0.0.0.0
 
static (inside,outside) tcp interface pcanywhere-data 192.168.121.51 pcanywhere-data netmask 255.255.255.255 
static (inside,outside) tcp interface 5632 192.168.121.51 5632 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 <hidden> 3389 netmask 255.255.255.255 
 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
 
route outside 0.0.0.0 0.0.0.0 71.xx.xx.xx 1
 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.121.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
crypto ipsec df-bit clear-df outside
 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 10 set pfs 
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 86400
 
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
crypto isakmp nat-traversal  20
 
telnet timeout 5
ssh 192.168.121.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
!
 
ntp server 129.6.15.29
ntp server 129.6.15.28 source outside prefer
 
group-policy privpn internal
group-policy privpn attributes
 dns-server value 192.168.121.5 192.168.121.4
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List_ACL
 default-domain value pri.local
 
username <hidden> password <hidden> encrypted
username <hidden> password <hidden>  encrypted
 
tunnel-group privpn type ipsec-ra
tunnel-group privpn general-attributes
 address-pool vpnpool
 default-group-policy privpn
 
tunnel-group privpn ipsec-attributes
 pre-shared-key *
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5cceb29fc0a48efdjcnonweo
: end

Question by:readydave
4 Comments
 
LVL 2

Expert Comment

by:CPAsAdmin
ID: 22713243
What lines did you add or change from the original configuration of the firewall before VPN connectivity was attempted? Could you highlight them, or copy and paste them into a separate doc?
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 22713284
Give these a shot.

conf t
access-list remote-vpn extended permit ip any 192.168.122.0 255.255.255.0

no crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 match address remote-vpn

group-policy privpn attributes
no split-tunnel-network-list value Split_Tunnel_List_ACL
split-tunnel-network-list value remote-vpn
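The root cause the accepted answer works around is visible in the posted config: the split-tunnel list handed to clients (Split_Tunnel_List_ACL) names the VPN pool subnet 192.168.122.0/24 rather than the inside LAN 192.168.121.0/24, so clients never send LAN traffic into the tunnel. The following audit script is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the asker's config and also checks the NAT exemption (nat 0) for the pool. The FIXED_CONFIG variant, which simply reuses the unreferenced privpn_splitTunnelAcl, is an assumption of the example and is not the change the accepted answer made.

```python
import ipaddress
import re
# Constructed excerpt of the asker's ASA 7.2(4) running config (relevant lines only).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.121.1 255.255.255.0
access-list Split_Tunnel_List_ACL standard permit 192.168.122.0 255.255.255.0
access-list privpn_splitTunnelAcl standard permit 192.168.121.0 255.255.255.0
access-list inside_nat0_outside extended permit ip any 192.168.122.0 255.255.255.0
ip local pool vpnpool 192.168.122.180-192.168.122.199 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outside
group-policy privpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List_ACL
"""
# Assumed fix for comparison: point the list at the LAN ACL the config defines but never uses.
FIXED_CONFIG = ASA_CONFIG.replace("value Split_Tunnel_List_ACL", "value privpn_splitTunnelAcl")

def net(addr, mask="0.0.0.0"):
    # Build a network from an ASA "address mask" pair; the keyword 'any' becomes 0.0.0.0/0.
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else f"{addr}/{mask}", strict=False)

def parse_acls(cfg):
    # ACL name -> permitted networks (standard entry: the network; extended ip: the destination).
    acls = {}
    for line in cfg.splitlines():
        m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line)
        if m:
            acls.setdefault(m[1], []).append(net(m[2], m[3]))
        m = re.match(r"access-list (\S+) extended permit ip (?:any|\S+ \S+) (any|\S+ \S+)", line)
        if m:
            acls.setdefault(m[1], []).append(net(*m[2].split()))
    return acls

def audit_remote_vpn(cfg):
    # Findings that explain why connected IPsec clients cannot reach the inside LAN.
    acls = parse_acls(cfg)
    lan = net(*re.search(r"nameif inside\n(?: [^\n]*\n)*? ip address (\S+) (\S+)", cfg).groups())
    pool = net(*re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg).groups())
    findings = []
    policy = re.search(r"split-tunnel-policy (\S+)", cfg)
    split = re.search(r"split-tunnel-network-list value (\S+)", cfg)
    if policy and policy[1] == "tunnelspecified":  # with tunnelall no list is needed
        nets = acls.get(split[1], []) if split else []
        if not any(lan.subnet_of(n) for n in nets):
            findings.append(f"split-tunnel list does not cover inside LAN {lan}")
        if pool in nets:
            findings.append(f"split-tunnel list names the VPN pool {pool} itself")
    nat0 = re.search(r"nat \(inside\) 0 access-list (\S+)", cfg)
    if not nat0 or not any(pool.subnet_of(n) for n in acls.get(nat0[1], [])):
        findings.append(f"no NAT exemption for inside traffic to VPN pool {pool}")
    return findings
```

Running audit_remote_vpn over the posted config reports both split-tunnel findings and no NAT issue; over the corrected variant it reports nothing.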
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22713753
Hi,
If you're asking about browsing computers in a Windows network, this simply will not work over VPN.
The protocol used to browse computers is called NetBIOS - NetBIOS is a broadcast protocol and broadcasts do not work over VPN - it is impossible to do.
The alternative is to create a mapped drive using IP addresses or DNS names (this uses a different protocol) - but you won't be able to contact a computer just by typing its name and trying to browse it.
Cheers! Let me know if you have any questions!
 
LVL 3

Author Closing Comment

by:readydave
ID: 31505966
This worked for me. Thank you!