Configure Cisco ASA for VPN on specific interface

Last week I received some help on configuring our ASA to allow a specific VPN tunnel to come in on a specific interface.
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24162544.html
Everything worked fine, but I had to clean up some ACLs and reloaded the router.
I would like to have our VPN tunnel for vendors come in on our interface dsl. All other VPN tunnels will come in on interface outside.

Please tell me the commands to allow the vendors VPN to come in on interface dsl.

hostname ciscoasa
domain-name ourdomain
enable password --------- encrypted
names
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.34 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0
interface Ethernet0/2
 description dsl connection
 nameif dsl
 security-level 0
 ip address xxx.xxx.xxx.208 255.255.255.0
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
passwd 1yFYzpCfFeDvXC83 encrypted
time-range Harris
 periodic Monday 7:00 to Friday 20:00
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.100.100.16
 domain-name ourdomain
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq smtp
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq pop3
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq www
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq https
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq 6001
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq 6002
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq 6004
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any source-quench
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list inside_nat0_outbound extended permit ip any 10.100.90.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 10.100.80.0 255.255.255.240
access-list vendors_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list wwtp_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list DSLOUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq smtp
access-list DSLOUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq pop3
access-list DSLOUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq www
access-list DSLOUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq https
access-list DSLOUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq 6001
access-list DSLOUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq 6002
access-list DSLOUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq 6004
access-list DSLOUTSIDE extended permit icmp any any echo-reply
access-list DSLOUTSIDE extended permit icmp any any source-quench
access-list DSLOUTSIDE extended permit icmp any any unreachable
access-list DSLOUTSIDE extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging list Events level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dsl 1500
mtu management 1500
ip local pool vendors 10.100.90.1-10.100.90.5 mask 255.255.255.0
ip local pool wwtp 10.100.80.2-10.100.80.10 mask 255.255.255.0
asdm image disk0:/asdm512-k8.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 1 10.100.80.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,dsl) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,dsl) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,dsl) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,dsl) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,dsl) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,dsl) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,dsl) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group DSLOUTSIDE in interface dsl
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.34 1
route dsl 0.0.0.0 0.0.0.0 xxx.xxx.xxx.208 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vendors internal
group-policy vendors attributes
 wins-server none
 dns-server value 10.100.100.16 10.100.100.17
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vendors_splitTunnelAcl
 default-domain value ourdomain
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
 wins-server none
 dns-server value 10.100.100.16
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value wwtp_splitTunnelAcl
 default-domain value ourdomain
 user-authentication-idle-timeout none
 webvpn
  svc keepalive 60
username WWTP password ---------- encrypted privilege 0
username WWTP attributes
 vpn-group-policy WasteWaterTreamentPlant
username Harris password --------- encrypted privilege 0
username Harris attributes
 vpn-group-policy vendors
 password-storage enable
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vendors type ipsec-ra
tunnel-group vendors general-attributes
 address-pool vendors
 default-group-policy vendors
tunnel-group vendors ipsec-attributes
 pre-shared-key *
tunnel-group WasteWaterTreamentPlant type ipsec-ra
tunnel-group WasteWaterTreamentPlant general-attributes
 address-pool wwtp
 default-group-policy WasteWaterTreamentPlant
tunnel-group WasteWaterTreamentPlant ipsec-attributes
 pre-shared-key *
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.100.100.16
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain ourdomain
dhcprelay timeout 60
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy
 class global-class
  csc fail-open
 class class-default
  csc fail-close
service-policy global-policy global
ntp server 192.35.82.50 source outside
smtp-server 10.100.100.19
client-update enable

Asked by: Zorniac
billwharton Commented:
You seem to have all the vendor configuration intact. Do this

isakmp enable dsl
crypto map outside_map interface dsl
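
A practical way to confirm the two commands above actually took effect (or to see what is still missing before the next reload) is to audit the running-config text for them. The script below is an added example, not code from this thread or from Cisco; it runs against a constructed excerpt modelled on the question's running-config and assumes only the CLI syntax visible on this page (`isakmp enable <if>` or `crypto isakmp enable <if>`, `crypto map <name> interface <if>`, `crypto map <name> <seq> ipsec-isakmp ...`). The function and pattern names are this example's own.

```python
import re

# Constructed excerpt modelled on the running-config posted in the question
# (interface and map names are the question's own; addresses omitted).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 description dsl connection
 nameif dsl
 security-level 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
tunnel-group vendors type ipsec-ra
"""

# Both spellings seen in the thread: 'isakmp enable X' and 'crypto isakmp enable X'
ISAKMP_ENABLE = re.compile(r"^(crypto )?isakmp enable (\S+)$")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_ENTRY = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp\b")


def config_lines(config):
    """Stripped, non-empty lines of a running-config."""
    return [line.strip() for line in config.splitlines() if line.strip()]


def nameifs(config):
    """Interface names defined with 'nameif' (the names crypto/isakmp refer to)."""
    return {line.split()[1] for line in config_lines(config) if line.startswith("nameif ")}


def _matches(lines, pattern):
    """Yield a match object for every line that matches pattern."""
    for line in lines:
        m = pattern.match(line)
        if m:
            yield m


def audit_ra_vpn_interface(config, ifname):
    """List what is still missing for IKE/IPsec to be accepted on ifname.

    Empty list means: ISAKMP is enabled on the interface and a crypto map with
    at least one ipsec-isakmp entry is bound to it.
    """
    if ifname not in nameifs(config):
        raise ValueError(f"no interface named {ifname!r} in config")
    lines = config_lines(config)
    missing = []
    if not any(m.group(2) == ifname for m in _matches(lines, ISAKMP_ENABLE)):
        missing.append(f"isakmp enable {ifname}")
    bound = [m.group(1) for m in _matches(lines, MAP_BIND) if m.group(2) == ifname]
    if not bound:
        missing.append(f"crypto map <name> interface {ifname}")
    for name in bound:
        if not any(m.group(1) == name for m in _matches(lines, MAP_ENTRY)):
            missing.append(f"crypto map {name} has no ipsec-isakmp entries")
    return missing


def remediation_commands(config, ifname):
    """Commands that make ifname a VPN termination point by reusing the crypto
    map already bound to another interface, in the spelling the box already uses."""
    lines = config_lines(config)
    cmds = []
    enables = list(_matches(lines, ISAKMP_ENABLE))
    if not any(m.group(2) == ifname for m in enables):
        prefix = "crypto isakmp enable" if any(m.group(1) for m in enables) else "isakmp enable"
        cmds.append(f"{prefix} {ifname}")
    binds = list(_matches(lines, MAP_BIND))
    if binds and not any(m.group(2) == ifname for m in binds):
        cmds.append(f"crypto map {binds[0].group(1)} interface {ifname}")
    return cmds


if __name__ == "__main__":
    for iface in ("outside", "dsl"):
        print(iface, "missing:", audit_ra_vpn_interface(SAMPLE_CONFIG, iface))
    print("to add for dsl:", remediation_commands(SAMPLE_CONFIG, "dsl"))
```

Run it against a copy of `show running-config` saved to a file and the audit for `dsl` comes back empty only once both the ISAKMP enable and the crypto map binding are in place; a pool, tunnel-group or NAT exemption problem will not show up here, so an empty result means "the interface will answer IKE", not "the client will get a working tunnel".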
 
Zorniac (Author) Commented:
I added those commands, but I still can't connect.
I noticed every time I attempt to connect I get a message on my Cisco:
MSG ID: 106006 Deny inbound UDP from SRC IP/1390 to xxx.xxx.xxx.208/500 on interface dsl
 
Zorniac (Author) Commented:
I also added these commands per my earlier post. These commands allowed the VPN to work prior to my adjusting the ACLs.
Try this:

route dsl x.x.x.x 255.255.255.255 y.y.y.y

Where x.x.x.x is the public IP address of the vendor PC and y.y.y.y is the DSL next hop (gateway).

Add this also:

route dsl 10.100.90.0 255.255.255.0 y.y.y.y

But I still can't connect and I still see in the ASA logs at every attempt to connect
MSG ID: 106006 Deny inbound UDP from SRC IP/1390 to xxx.xxx.xxx.208/500 on interface dsl
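
The 106006 message quoted in the two comments above is the useful clue here: the ASA is dropping UDP/500 (ISAKMP) arriving on dsl as ordinary inbound traffic, which is what you see when the interface is not yet a VPN termination point. The script below is an added example, not part of this thread, for triaging a syslog export for exactly that pattern. It runs on constructed ASA log lines in the shape of the quoted message (RFC 5737 documentation addresses and a made-up `guest` interface stand in for real values) and assumes the standard `%ASA-2-106006` syslog format; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed ASA syslog lines in the shape of the 106006 message quoted above.
# 192.0.2.208 plays the dsl address, 203.0.113.x / 198.51.100.x the remote peers.
SAMPLE_LOG = """\
%ASA-2-106006: Deny inbound UDP from 203.0.113.10/1390 to 192.0.2.208/500 on interface dsl
%ASA-2-106006: Deny inbound UDP from 203.0.113.10/1390 to 192.0.2.208/500 on interface dsl
%ASA-2-106006: Deny inbound UDP from 203.0.113.10/4500 to 192.0.2.208/4500 on interface dsl
%ASA-2-106006: Deny inbound UDP from 198.51.100.7/53000 to 192.0.2.208/53 on interface dsl
%ASA-2-106006: Deny inbound UDP from 203.0.113.44/500 to 192.0.2.77/500 on interface guest
"""

IKE_PORTS = {500, 4500}  # ISAKMP and IPsec NAT-T
DENY_106006 = re.compile(
    r"%ASA-\d-106006: Deny inbound (?P<proto>\S+) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)"
)


def parse_106006(line):
    """Fields of a 106006 deny line as a dict, or None if the line is something else."""
    m = DENY_106006.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def ike_denies_by_interface(log_text):
    """Denied IKE (UDP/500, UDP/4500) attempts, counted per interface and per source."""
    per_iface = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_106006(line)
        if ev and ev["proto"] == "UDP" and ev["dport"] in IKE_PORTS:
            per_iface[ev["iface"]][ev["src"]] += 1
    return {iface: dict(c) for iface, c in per_iface.items()}


def findings(log_text, vpn_interfaces):
    """One line per interface that drops IKE.

    vpn_interfaces: names of interfaces that are supposed to accept remote-access
    IPsec. Denied IKE on one of those is the symptom in this thread (ISAKMP not
    enabled / no crypto map bound there); on any other interface it is just
    unsolicited IKE and is reported as such.
    """
    out = []
    for iface, sources in ike_denies_by_interface(log_text).items():
        total = sum(sources.values())
        if iface in vpn_interfaces:
            out.append(f"{iface}: {total} IKE packets denied from {len(sources)} source(s); "
                       f"check 'isakmp enable {iface}' and the crypto map binding")
        else:
            out.append(f"{iface}: {total} IKE packets denied (interface is not a VPN endpoint)")
    return sorted(out)


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG, {"outside", "dsl"}):
        print(line)
```

Feed it the output of `show logging` (or the syslog collector's file) and pass the set of interfaces that should terminate VPN; anything flagged on a VPN interface points back at the interface-level ISAKMP and crypto map configuration rather than at the client, the pre-shared key or the address pool. The UDP/53 line in the sample is there to show that only IKE ports are counted.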
 
JFrederick29 Commented:
Enabling ISAKMP should resolve that issue.

As long as you added:

isakmp enable dsl
crypto map outside_map interface dsl

And:



Where x.x.x.x is the public IP address of the vendor PC and y.y.y.y is the DSL next hop (gateway).

Add this also:

route dsl 10.100.90.0 255.255.255.0 y.y.y.y

After adding the isakmp/crypto and route commands, do a "wr mem" and then a "reload" to reboot the ASA if possible.
 
JFrederick29 Commented:
Sorry, typo:

Add this:

conf t
crypto isakmp enable dsl
 
Zorniac (Author) Commented:
Cool. Now it's working.
I also had to add
global (dsl) 1 interface
 
billwharton Commented:
I did know the global command was missing, but it shouldn't be necessary if all you are trying to do is terminate inbound remote access VPN connections on the dsl interface. It's working now though, and I'm glad.

Thanks.
 
Zorniac (Author) Commented:
You're right. I didn't need the global command to connect the VPN.
I am testing the connection by RDP'ing into a remote computer and testing the VPN client. Without the global command I wasn't able to RDP into an external computer.

Thanks for your help.
