Solved

how to configure VPN on ASA5520

Posted on 2009-05-10
Last Modified: 2012-05-06
Recently we configured a VPN on our firewall, an ASA5520, to allow some users to access our network from outside, but it doesn't work.
This is the configuration below; I think I missed something!!
Also, as you see, I configured RDP on one of our servers located on the DMZ with these commands:
static (DMZ,outside) 213.x.x.162 172.x.x.11 netmask 255.255.255.255
access-list DMZ_access_in extended permit tcp any host 213.x.x.162 eq 3389
and it also doesn't work!! Any help will be appreciated.

ASA5520# sho run
: Saved
:
ASA Version 7.0(7)
!
hostname ASA5520
domain-name mydomain.com
enable password QfuqYHdfatTt3AazcyR encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 213.x.x.109 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.110 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.x.x.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.100.50 255.255.255.0
 management-only
!
passwd bWynhNAxeuWqXNuM encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.xx.19
dns name-server 212x.x.20
dns name-server 208.67.222.222
dns name-server 208.67.220.220
access-list inside_access_in extended permit ip any any
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any host 213.x.x.163 eq 995
access-list acl-out extended permit tcp any host 213.x.x.163 eq 587
access-list acl-out extended permit tcp any host 213.x.x.163 eq www
access-list acl-out extended permit tcp any host 213.x.x.163 eq citrix-ica
access-list acl-out extended permit tcp any host 213.x.x.163 eq 2598
access-list acl-out extended permit tcp any host 213.x.x.163 eq https
access-list acl-out extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50389
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50636
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit tcp any host 213.x.x.162 eq 3389
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 172.x.x.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging class ids buffered alerts
logging class session buffered alerts
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool testpool 10.10.0.10-10.10.0.20
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_to_DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) 213.x.x.163 192.168.1.6 netmask 255.255.255.255
static (DMZ,outside) 213.x.x.163 172.x.x.10 netmask 255.255.255.255
static (DMZ,outside) 213.x.x.162 172.x.x.11 netmask 255.255.255.255
access-group acl-out in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 213.x.x.161 1
route inside 192.168.100.0 255.255.255.0 192.168.1.100 1
route inside 192.168.6.0 255.255.255.0 213.x.x.161 1
route inside 192.168.0.0 255.255.255.0 192.168.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username testuser password IqY6lTColo8VIF24 encrypted
username support password KkVKaDRNAom0ONXd encrypted
username yassin password ZVE6/cqQY.NQNaTX encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy
 class inspection_default
!
service-policy global_policy global
Cryptochecksum:b22539fefdbd84a5c07c42dcdb89e3fe
: end

Question by:gakhan
5 Comments
 

Accepted Solution

by: egyptco (earned 500 total points)
ID: 24352907
Hi,

My guess is you are missing the group-policy definition. There should be a default one, but even the wizard configures a new one with every remote access configuration. Do you use the Cisco VPN client? It needs a group name. http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

I would also add:

sysopt connection permit-ipsec  <-- permit all decrypted IPsec packets to pass through the ASA
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0

I shall check your RDP issue after lunch :)


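The remote-access pieces the accepted answer refers to, written out as a complete ASA 7.0 configuration. This is an added example, not text from the original post or the answer. It keeps the page's redacted addresses (213.x.x.x, 172.x.x.x) and makes two assumptions that the page does not state: 192.168.1.5 is an inside DNS server handed to the clients, and the VPN client's group name is the tunnel-group name `testgroup`. One caveat a practitioner will want: in the posted config only `inside_to_DMZ` is bound by `nat (inside) 0`; the `nonat` list is defined but never bound, so a NAT exemption added to `nonat` alone has no effect unless `nonat` is itself bound with a `nat 0` statement. The example therefore puts the exemption for the VPN pool into `inside_to_DMZ`.

```cisco
! Added example (not from the original post): ASA 7.0(7) remote-access IPsec
! for the Cisco VPN Client. Addresses keep the page's redaction.
! ASSUMPTION: 192.168.1.5 is an inside DNS server; replace with the real one.

! 1. Address pool handed to VPN clients (already present in the posted config)
ip local pool testpool 10.10.0.10-10.10.0.20

! 2. NAT exemption: inside -> VPN pool must not be PATed to the outside address.
!    Only inside_to_DMZ is bound to "nat (inside) 0" in the posted config,
!    so the exemption goes into that list.
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list inside_to_DMZ

! 3. Split tunnelling: only the inside subnet is sent through the tunnel
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

! 4. Group policy (the part the posted config lacks)
group-policy testgroup internal
group-policy testgroup attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 dns-server value 192.168.1.5
 default-domain value mydomain.com
 vpn-idle-timeout 30

! 5. Tunnel group. Its name is what the VPN client enters as the group name,
!    and the pre-shared key is the group password. Users then authenticate
!    (XAUTH) against the local "username" entries, the 7.0 default.
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key CHANGE-ME-to-a-long-random-key

! 6. Phase 1 / Phase 2 as already posted, plus NAT-T so clients behind
!    home routers can connect (7.0 syntax; later releases use
!    "crypto isakmp nat-traversal")
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal 20
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside

! 7. Let decrypted VPN traffic bypass the outside interface ACL (acl-out)
sysopt connection permit-ipsec
```

Once a client connects, `show crypto isakmp sa` should list the peer in state QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters increasing; `show vpn-sessiondb remote` shows the assigned pool address. The 3DES/MD5/group 2 proposals are kept only because they are what the posted config already uses; on anything newer than 7.0 prefer AES and SHA, and treat the group pre-shared key as a shared secret that every client in the group knows.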
 

Expert Comment

by: egyptco
ID: 24353014
You have to allow RDP on the outside interface instead:

access-list acl-out extended permit tcp any host 213.x.x.162 eq 3389

In my opinion you should get rid of the entire DMZ_access_in. It is pointless in your configuration since it allows all IP traffic to everywhere.

 

Author Comment

by: gakhan
ID: 24353818
Hi, thanks for your quick reply.
For the VPN, I think I have solved it; it's OK now, but I still can't RDP to PCs or servers inside my network.
I think it needs some access lists to do that; am I right? If you can provide them so I can compare them with what I am trying to do, it will be appreciated.
For DMZ_access_in, you are right, it's pointless since it allows everything to everywhere, but is it secure to keep it like this? Because I did it for the Edge Exchange server on the DMZ. Can you help with how it should be to meet the requirements of the Edge server?
Thanks again
 

Assisted Solution

by: egyptco (earned 500 total points)
ID: 24354201
Oh, the example given above is to allow RDP from outside to your DMZ server. Because the DMZ has a higher security level than outside, you need to explicitly allow this flow on the outside ACL. And the static NAT would be needed only if you want to access your server from outside.

1. In your case you want to connect from the inside network. I bet a dime that if RDP is configured correctly on your server, you should be able to reach the server from your inside 192.168.1.0 network. The base concept here is that inside has a higher security level than the DMZ, so you don't need to specify any security rule to allow connections from inside to the DMZ. That's why your access-list inside_access_in is now rather duplicating that default behaviour.

It might be a problem, however, if you want RDP from another inside network, e.g. 192.168.100.0. The reason is NAT. You should add, in a similar way, a NAT-exemption rule to your inside_to_DMZ ACL:

access-list inside_to_DMZ extended permit ip 192.168.100.0 255.255.255.0 172.x.x.0 255.255.255.0

2. The only reason you need DMZ_access_in is if servers in the DMZ need access into inside. The same concept applies here: since inside has a higher security level than the DMZ, an explicit permitting ACL is required. But to make it secure and make any sense, you should permit only the traffic that is supposed to bypass the default security-level concept. In other words, only if your Exchange server needs to initiate connections to some inside servers (e.g. AD, database etc.) should you permit that specific flow, and only that.
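The ACL and NAT changes discussed in the two expert comments above (RDP from the Internet to the DMZ host, NAT exemption for a second inside subnet, and a DMZ list that permits only the flows the Edge server initiates), as an added example that is not from the original post or the answers. It keeps the page's redacted addresses and assumes, because the page does not say, that 172.x.x.10 is the Edge Transport server, 172.x.x.11 the DMZ host you want to RDP to, 192.168.1.6 the inside Hub Transport server, and 192.168.1.5 an inside DNS server. EdgeSync (TCP 50389/50636) is initiated by the Hub toward the Edge, so it already passes inside to DMZ under the default higher-to-lower rule and needs no entry in the DMZ list; the 50389/50636 entries in the posted DMZ_access_in point at the public address and the wrong direction.

```cisco
! Added example (not from the original post). Addresses keep the page's redaction.
! ASSUMPTIONS: 172.x.x.10 = Edge Transport (DMZ), 172.x.x.11 = DMZ RDP host,
!              192.168.1.6 = inside Hub Transport, 192.168.1.5 = inside DNS.

! --- RDP from the Internet to the DMZ host ---
! The static maps 213.x.x.162 -> 172.x.x.11. Traffic from outside (security 0)
! to DMZ (security 50) is checked by the ACL on the OUTSIDE interface, against
! the translated (public) address. The 3389 entry in DMZ_access_in never matches
! because that list only sees packets entering the DMZ interface.
! Narrow "any" to the administrator's source address as soon as it is known.
static (DMZ,outside) 213.x.x.162 172.x.x.11 netmask 255.255.255.255
access-list acl-out extended permit tcp any host 213.x.x.162 eq 3389
access-group acl-out in interface outside

! --- NAT exemption for a second inside subnet reaching the DMZ ---
access-list inside_to_DMZ extended permit ip 192.168.100.0 255.255.255.0 172.x.x.0 255.255.255.0
nat (inside) 0 access-list inside_to_DMZ

! --- Replace "permit ip any any" on the DMZ with what the Edge server needs ---
! Drop the old list, then rebuild it: specific permits into inside, an explicit
! deny into all private space, then the outbound Internet flows.
clear configure access-list DMZ_access_in
! Edge -> Hub: inbound mail delivery
access-list DMZ_access_in extended permit tcp host 172.x.x.10 host 192.168.1.6 eq smtp
! Edge -> inside DNS (internal and external name resolution)
access-list DMZ_access_in extended permit udp host 172.x.x.10 host 192.168.1.5 eq domain
access-list DMZ_access_in extended permit tcp host 172.x.x.10 host 192.168.1.5 eq domain
! Nothing else from the DMZ may initiate connections into private address space
access-list DMZ_access_in extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ_access_in extended deny ip any 172.16.0.0 255.240.0.0
! Outbound mail and HTTP(S) (updates, anti-spam feeds) to the Internet
access-list DMZ_access_in extended permit tcp host 172.x.x.10 any eq smtp
access-list DMZ_access_in extended permit tcp host 172.x.x.10 any eq www
access-list DMZ_access_in extended permit tcp host 172.x.x.10 any eq https
access-group DMZ_access_in in interface DMZ
```

The order matters: the ASA evaluates an ACL top-down with an implicit deny at the end, so the specific permits to the Hub and DNS server must precede the deny into 192.168.0.0/16. After applying it, `show access-list DMZ_access_in` shows a hit count per entry, which is the quickest way to confirm that the Edge-to-Hub SMTP line is matching and that nothing else from the DMZ is being dropped that should not be. Return traffic for connections the inside initiates (EdgeSync, RDP from 192.168.1.0) is handled by the connection table and never consults this list.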
