Solved

VPN configuration on ASA 5505

Posted on 2008-10-20
1,498 Views
Last Modified: 2012-05-05
I am trying to configure VPN on an ASA 5505. I can establish a VPN connection, but cannot connect to any hosts inside. I have tried an IP address pool outside of the LAN IP range, but it doesn't make any difference. What have I missed?
Thank you.
: Saved
: Written by enable_15 at 18:31:25.678 PDT Mon Oct 20 2008
!
ASA Version 8.0(4)
!
hostname asa
domain-name domain.local
enable password 91k//o6Nbagsq/eI encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 67.11.53.131 vweb-outside
name 192.168.10.40 vweb-inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.11.53.130 255.255.255.224
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.10.31
 name-server 192.168.10.32
 domain-name domain.local
access-list inside_nat_outbound extended permit ip 192.168.10.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host vweb-outside eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnippool2 192.168.10.200-192.168.10.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm location vweb-outside 255.255.255.255 inside
asdm location vweb-inside 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 interface
nat (inside) 2 access-list inside_nat_outbound dns
static (inside,outside) tcp vweb-outside www vweb-inside www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.11.53.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt For Authorized Users Only!
auth-prompt accept Logged in.
auth-prompt reject Logging failed.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.184.20.82 source outside
ntp server 98.172.32.171 source outside prefer
ntp server 65.255.217.202 source outside
webvpn
 enable inside
 enable outside
 enable dmz
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy GroupPolicy internal
group-policy GroupPolicy attributes
 banner value For Authorized Users Only!
 wins-server none
 dns-server value 192.168.10.31 192.168.10.32
 dhcp-network-scope none
 vpn-tunnel-protocol svc webvpn
 default-domain value domain.local
 address-pools value vpnippool2
 webvpn
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive 60
  svc compression deflate
  svc modules value vpngina
  svc profiles none
  svc ask enable default svc timeout 10
username user1 password eNGvCP8Kw0H3r9XBYrYMsw== nt-encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool vpnippool2
 default-group-policy GroupPolicy
tunnel-group VPN webvpn-attributes
 group-alias SPVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:930e225464821730f1be7d51ed74d645
: end

Question by:goneclimbing
Accepted Solution
by: batry_boy (LVL 28, earned 500 total points)
I would still go with a VPN pool of addresses outside the range of your internal network. You should also add the following statements in addition to that:

ip local pool vpnippool 192.168.15.200-192.168.15.250 mask 255.255.255.0
access-list inside_nat0_outbound permit ip any 192.168.15.0 255.255.255.0
crypto isakmp nat-traversal
nat (inside) 0 access-list inside_nat0_outbound
group-policy GroupPolicy attributes
 address-pools value vpnippool

See if that helps...if it doesn't fix it, post your running config after you make the above changes so I can check it.
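The accepted answer amounts to two checks on the running config: the active VPN pool must not sit inside the LAN subnet, and the pool must be covered by a nat (inside) 0 exemption so that inside-to-client traffic is not PATed to the outside interface. The Python lint below is an added example, not code from the thread or from Cisco; the config excerpts are constructed from the question's config, with the answer's lines merged into the "after" version. The crypto isakmp nat-traversal line is IKE-level and is not checked here.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config in the question (before the fix).
ASA_BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.11.53.130 255.255.255.224
access-list inside_nat_outbound extended permit ip 192.168.10.0 255.255.255.0 any
ip local pool vpnippool2 192.168.10.200-192.168.10.250 mask 255.255.255.0
nat-control
global (outside) 2 interface
nat (inside) 2 access-list inside_nat_outbound dns
group-policy GroupPolicy attributes
 address-pools value vpnippool2
"""

# The same excerpt with the accepted answer's lines merged in (constructed).
ASA_AFTER = ASA_BEFORE.replace(
    " address-pools value vpnippool2\n",
    " address-pools value vpnippool\n",
) + """\
ip local pool vpnippool 192.168.15.200-192.168.15.250 mask 255.255.255.0
access-list inside_nat0_outbound permit ip any 192.168.15.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""


def parse_interfaces(cfg):
    """Map each nameif to its connected subnet, taken from 'ip address A M'."""
    nets, name, addr = {}, None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name, addr = None, None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            a, m = line.split()[2:4]
            addr = ipaddress.ip_network(f"{a}/{m}", strict=False)
        if name and addr:
            nets[name] = addr
    return nets


def parse_pools(cfg):
    """Map pool name -> (first address, last address) from 'ip local pool'."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+", cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def _addr_spec(tokens):
    """Consume one ACL address spec ('any', 'host X' or 'A M'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_nat0_destinations(cfg):
    """Destination networks exempted from NAT via 'nat (inside) 0 access-list NAME'."""
    acls = re.findall(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    dests = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "access-list" and t[1] in acls:
            t = t[2:]
            if t[0] == "extended":
                t = t[1:]
            if t[:2] != ["permit", "ip"]:
                continue
            _src, rest = _addr_spec(t[2:])
            dst, _ = _addr_spec(rest)
            dests.append(dst)
    return dests


def active_pool(cfg):
    """Pool named by the last 'address-pools value' line (group-policy level)."""
    names = re.findall(r"^ +address-pools value (\S+)", cfg, re.M)
    return names[-1] if names else None


def lint_vpn_pool(cfg):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    pools = parse_pools(cfg)
    name = active_pool(cfg)
    if name not in pools:
        return [f"active pool {name!r} is not defined"]
    first, last = pools[name]
    inside = parse_interfaces(cfg).get("inside")
    if inside and (first in inside or last in inside):
        findings.append(f"pool {name} ({first}-{last}) overlaps inside subnet {inside}")
    exempt = parse_nat0_destinations(cfg)
    if not any(first in n and last in n for n in exempt):
        findings.append(f"pool {name} is not covered by a nat (inside) 0 exemption")
    return findings


if __name__ == "__main__":
    print("before:", lint_vpn_pool(ASA_BEFORE))
    print("after: ", lint_vpn_pool(ASA_AFTER))
```

The lint keys off the pool that the group policy actually references rather than every pool defined, so the now-unused vpnippool2 left behind in the "after" config does not produce a false finding.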
Expert Comment
by: yurisk (LVL 4)
First, what VPN are you referring to: VPN client or WebVPN?
Regarding client VPN, it indeed lacks a few config lines, as batry_boy wrote.
NOTE: The best practice is to assign to VPN clients a pool that is different from the LAN pool, but assigning overlapping pools works just fine; just make sure the IPs used in the VPN pool are not used in the LAN, as that would make those LAN IPs inaccessible. When a VPN client connects to the VPN gateway, it (the gateway) assigns an IP from the pool and enters this IP into the routing table with a /32 bitmask, located at the interface to which the VPN client connects (usually the WAN interface), so if an identical LAN IP is to be found on the inside (LAN) interface, it would be listed in the route table with the bitmask of the entire network and thus be less specific than the IP from the VPN client pool.
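The longest-prefix-match behaviour described in the comment above, as an added Python model that is not part of the thread: connected subnets get one route each, every connected VPN client gets a /32 toward the outside interface, and a lookup picks the most specific route. The subnets and client addresses are constructed from the question's config; the helper names are this example's own.

```python
import ipaddress


def build_routes(connected, vpn_clients, vpn_ifname="outside"):
    """Route table as a list of (network, interface).

    connected:   {nameif: 'A.B.C.D/len'} for directly connected subnets
    vpn_clients: pool addresses currently assigned to clients; each gets a
                 /32 pointing at the interface the client connected through
    """
    routes = [(ipaddress.ip_network(n, strict=False), ifname)
              for ifname, n in connected.items()]
    for ip in vpn_clients:
        routes.append((ipaddress.ip_network(ip + "/32"), vpn_ifname))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, ifname in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def shadowed_lan_hosts(routes, lan_ifname, lan_hosts):
    """LAN hosts whose traffic no longer leaves via the LAN interface
    because a more specific VPN /32 now wins the lookup."""
    return [h for h in lan_hosts if lookup(routes, h) != lan_ifname]


# Constructed from the question: inside is 192.168.10.0/24, outside is the
# /27 holding 67.11.53.130, vweb-inside is 192.168.10.40.
CONNECTED = {"inside": "192.168.10.0/24", "outside": "67.11.53.128/27"}
LAN_HOSTS = ["192.168.10.40", "192.168.10.200"]

# Overlapping pool (vpnippool2): a client gets 192.168.10.200.
OVERLAP_ROUTES = build_routes(CONNECTED, ["192.168.10.200"])
# Separate pool (vpnippool): a client gets 192.168.15.200.
SEPARATE_ROUTES = build_routes(CONNECTED, ["192.168.15.200"])


if __name__ == "__main__":
    print("overlap, shadowed:", shadowed_lan_hosts(OVERLAP_ROUTES, "inside", LAN_HOSTS))
    print("separate, shadowed:", shadowed_lan_hosts(SEPARATE_ROUTES, "inside", LAN_HOSTS))
```

With the overlapping pool, a LAN host that happens to use 192.168.10.200 is routed out the outside interface for as long as a client holds that address; with the separate pool nothing on the LAN is shadowed, which is the operational reason to prefer a non-overlapping pool even though the overlap "works".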
Expert Comment
by: JimmyLarsson (LVL 2)
Hello:

An additional note: another reason for the problem that one can connect and authenticate but not get any traffic through the VPN tunnel can be that the client is behind a firewall that doesn't allow the data traffic through. Then try to use nat-traversal or try to connect through another port like tcp/10000.

Br Jimmy

Author Comment
by: goneclimbing
Thank you batry_boy. It works now. One side note: what do I need to configure single sign-on (with Windows AD) and split tunneling?

Thanks for your help.

Author Closing Comment
by: goneclimbing
Excellent and accurate answer. Thank you.