Solved

how to configure VPN on ASA5520

Posted on 2009-05-10
Last Modified: 2012-05-06
Recently we configured a VPN on our firewall ASA5520 to allow some users to access our network from outside, but it doesn't work.
This is the configuration below; I think I missed something!
Also, as you can see, I configured RDP on one of our servers located in the DMZ with these commands:
static (DMZ,outside) 213.x.x.162 172.x.x.11 netmask 255.255.255.255
access-list DMZ_access_in extended permit tcp any host 213.x.x.162 eq 3389
and that also doesn't work! Any help will be appreciated.

ASA5520# sho run
: Saved
:
ASA Version 7.0(7)
!
hostname ASA5520
domain-name mydomain.com
enable password QfuqYHdfatTt3AazcyR encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 213.x.x.109 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.110 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.x.x.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.100.50 255.255.255.0
 management-only
!
passwd bWynhNAxeuWqXNuM encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.xx.19
dns name-server 212x.x.20
dns name-server 208.67.222.222
dns name-server 208.67.220.220
access-list inside_access_in extended permit ip any any
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any host 213.x.x.163 eq 995
access-list acl-out extended permit tcp any host 213.x.x.163 eq 587
access-list acl-out extended permit tcp any host 213.x.x.163 eq www
access-list acl-out extended permit tcp any host 213.x.x.163 eq citrix-ica
access-list acl-out extended permit tcp any host 213.x.x.163 eq 2598
access-list acl-out extended permit tcp any host 213.x.x.163 eq https
access-list acl-out extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50389
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50636
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit tcp any host 213.x.x.162 eq 3389
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 172.x.x.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging class ids buffered alerts
logging class session buffered alerts
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool testpool 10.10.0.10-10.10.0.20
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_to_DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) 213.x.x.163 192.168.1.6 netmask 255.255.255.255
static (DMZ,outside) 213.x.x.163 172.x.x.10 netmask 255.255.255.255
static (DMZ,outside) 213.x.x.162 172.x.x.11 netmask 255.255.255.255
access-group acl-out in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 213.x.x.161 1
route inside 192.168.100.0 255.255.255.0 192.168.1.100 1
route inside 192.168.6.0 255.255.255.0 213.x.x.161 1
route inside 192.168.0.0 255.255.255.0 192.168.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username testuser password IqY6lTColo8VIF24 encrypted
username support password KkVKaDRNAom0ONXd encrypted
username yassin password ZVE6/cqQY.NQNaTX encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy
 class inspection_default
!
service-policy global_policy global
Cryptochecksum:b22539fefdbd84a5c07c42dcdb89e3fe
: end

Question by:gakhan
5 Comments
 

Accepted Solution

by:
egyptco earned 500 total points
ID: 24352907
Hi,

My guess is you are missing the group-policy definition. There should be a default one, but even the wizard configures a new one with every remote-access configuration. Do you use the Cisco VPN client? It needs a group name. http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

I would also add:

sysopt connection permit-ipsec  <-- permit all decrypted IPsec packets to pass through the ASA
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0

I shall check your RDP issue after lunch :)


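Putting the three suggestions above together, here is an added example (written for this page, not taken from the original poster or from Cisco's configuration guide) of the remaining remote-access pieces for this ASA 7.0(7) configuration. Two details in the posted config matter. First, the `nonat` access-list is defined but never referenced: `nat (inside) 0` is bound to `inside_to_DMZ`, and only one list can be bound, so an exemption added to `nonat` has no effect unless `nonat` is bound in its place. Second, without an exemption, replies from 192.168.1.0/24 to the 10.10.0.x pool match `nat (inside) 1` and are PAT'd to the outside interface address, so the client never sees them. The policy name `ra-policy` and the ACL name `split-tunnel` are assumptions; if no policy is named, the built-in `DfltGrpPolicy` applies, so the explicit policy is what gives you split tunnelling rather than a bare fix.

```cisco
! Added example for ASA 7.0(7); the names "ra-policy" and "split-tunnel" are assumed.
!
! 1. NAT exemption for the VPN pool. Only one access-list can be bound with
!    nat (inside) 0, and in this config that is inside_to_DMZ, so the entry goes
!    there (or move every exemption into nonat and bind nonat instead).
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0
!
! 2. Let decrypted IPsec traffic bypass the outside interface ACL
!    (7.0 keyword; 7.2 and later spell it "sysopt connection permit-vpn").
sysopt connection permit-ipsec
!
! 3. Clients behind home routers need NAT traversal; keepalive every 20 seconds.
isakmp nat-traversal 20
!
! 4. Explicit group policy: only 192.168.1.0/24 is sent through the tunnel.
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
group-policy ra-policy internal
group-policy ra-policy attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
!
! 5. Bind it to the tunnel group; "testgroup" is what the client's Group Name
!    field must contain, together with the pre-shared key already configured.
tunnel-group testgroup general-attributes
 address-pool testpool
 default-group-policy ra-policy
!
! Verify after a client connects:
! show isakmp sa         -> one active Phase 1 SA per connected client
! show crypto ipsec sa   -> encaps and decaps counters rising in both directions
```

If the encaps counter rises but decaps stays at zero, the tunnel is up and the return path is the problem, which on this config points at the NAT exemption. The posted `esp-3des esp-md5-hmac` transform set and `group 2` were typical in 2009; if the client supports it, `esp-aes-256 esp-sha-hmac` is available on 7.0 and is the better choice.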

Expert Comment

by:egyptco
ID: 24353014
You have to allow RDP on the outside interface instead:

access-list acl-out extended permit tcp any host 213.x.x.162 eq 3389

In my opinion you should get rid of the entire DMZ_access_in. It is pointless in your configuration, since it allows all IP traffic everywhere.

 

Author Comment

by:gakhan
ID: 24353818
Hi, thanks for your quick reply.
For the VPN, I think I solved it; now it's OK, but I still can't RDP to PCs or servers inside my network.
I think it needs some access lists to do that, am I right? If you can provide them so I can compare them with what I am trying to do, it will be appreciated.
For DMZ_access_in you are right, it's pointless since it allows everything everywhere, but is it secure to keep it like this? Because I did it for the Edge Exchange server in the DMZ. Can you help with how it should be to meet the requirements of the Edge server?
Thanks again

Assisted Solution

by:egyptco
egyptco earned 500 total points
ID: 24354201
Oh, the above example is to allow RDP from outside to your DMZ server. Because the DMZ has a higher security level than outside, you need to explicitly allow this flow on the outside ACL, and static NAT would be needed only if you want to access your server from outside.

1. In your case you want to connect from the inside network. I'd bet a dime that if RDP is configured correctly on your server, you should be able to reach the server from your inside 192.168.1.0 network. The basic concept here is that inside has a higher security level than the DMZ, so you don't need to specify any security rule to allow connections from inside to the DMZ. That's why your access-list inside_access_in is now rather duplicating that default behaviour.

It might be a problem, however, if you want RDP from another inside network, e.g. 192.168.100.0. The reason is NAT. You should add a NAT-exemption rule to your inside_to_DMZ ACL in a similar way:

access-list inside_to_DMZ extended permit ip 192.168.100.0 255.255.255.0 172.x.x.0 255.255.255.0

2. The only reason you need DMZ_access_in is if servers in the DMZ need access into inside. The same concept applies here: since inside has a higher security level than the DMZ, an explicit permitting ACL is required. But to make it secure and make any sense, you should permit only the traffic that is supposed to bypass the default security-level concept. In other words, only if your Exchange server needs to initiate connections to some inside servers (e.g. AD, database, etc.) should you permit that specific flow, and nothing else.
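As an added example that is not part of the original thread, the following applies the two points above to the posted config. The RDP permit belongs on `acl-out`, because on pre-8.3 ASA the outside ACL is matched against the mapped address 213.x.x.162, not the DMZ host's real address. `DMZ_access_in` is then rebuilt to carry only what the Edge Transport server (172.x.x.10) has to initiate itself: SMTP to the internal Hub Transport server and to the internet, plus DNS to the resolvers already listed under `dns name-server`. EdgeSync (TCP 50389/50636) and Hub-to-Edge SMTP are initiated from inside, so they are already allowed by the security levels and need no DMZ-side permit. Two assumptions: the admin source 198.51.100.7 is a placeholder for wherever RDP should be allowed from, and 192.168.1.6 is taken to be the Hub Transport server because it is the inside host exposed on 213.x.x.163 with SMTP in the posted config.

```cisco
! Added example. Inbound RDP must be permitted on the outside interface ACL,
! against the mapped address. Prefer a specific admin source (198.51.100.7 is a
! placeholder) over "any": 3389 open to the whole internet invites brute-forcing,
! and with the VPN working, RDP over the tunnel needs no outside permit at all.
access-list acl-out extended permit tcp host 198.51.100.7 host 213.x.x.162 eq 3389
!
! Rebuild DMZ_access_in. Unbind it first so the old "permit ip any any" cannot be
! matched while the list is half-built. While unbound, DMZ->inside is denied by
! the security levels, so Edge->Hub mail pauses for these few seconds.
no access-group DMZ_access_in in interface DMZ
clear configure access-list DMZ_access_in
!
! Edge Transport (172.x.x.10) -> Hub Transport (192.168.1.6, assumed): SMTP only.
access-list DMZ_access_in extended permit tcp host 172.x.x.10 host 192.168.1.6 eq smtp
! Edge -> the resolvers this ASA itself uses (from the posted dns name-server lines).
access-list DMZ_access_in extended permit udp host 172.x.x.10 host 208.67.222.222 eq domain
access-list DMZ_access_in extended permit udp host 172.x.x.10 host 208.67.220.220 eq domain
! Anything else from the DMZ toward private space is denied and logged, so a
! compromised DMZ host cannot pivot to the inside LAN or the VPN pool.
access-list DMZ_access_in extended deny ip any 192.168.0.0 255.255.0.0 log
access-list DMZ_access_in extended deny ip any 10.0.0.0 255.0.0.0 log
! Outbound internet mail from the Edge, then deny (and log) the rest.
access-list DMZ_access_in extended permit tcp host 172.x.x.10 any eq smtp
access-list DMZ_access_in extended deny ip any any log
access-group DMZ_access_in in interface DMZ
!
! Verify:
! show access-list DMZ_access_in   -> hitcnt on the Edge->Hub SMTP line rises as mail flows
! show access-list acl-out         -> hitcnt on the 3389 line rises when you connect
```

Order matters: the two `deny ... log` lines for private space sit before the `permit tcp ... any eq smtp` line, otherwise the Edge could open SMTP to any inside host rather than only the Hub. The RDP host 172.x.x.11 needs no DMZ-side entry for inbound RDP, since return traffic is handled statefully; if it needs outbound access for updates, add specific lines for it above the final deny rather than reintroducing a broad permit.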
