Solved

Configure Remote Client VPN on ASA 5520

Posted on 2009-05-14
3,983 Views
Last Modified: 2013-11-16
I am trying to configure my ASA for remote client VPN usage through the CLI. I am having trouble figuring out where I am going wrong. Here is what I did. Am I missing an entry somewhere? Not sure, as the ASDM seems to junk up my config when I do anything from it. I am not sure if my NATs and ACLs are correct either.
1- First configure the ASA interface
   Interface name
   Security level
   IP address
   Enable crypto isakmp on ASA

2- Configure IP pool
   Pool name
   Range of IP addresses to be used in pool

3- Configure user accounts
   Username
   Password

4- First define the ISAKMP Policy.
   Authentication
   Hash
   Encryption
   Group

5- Establish IPsec transform set.
   Esp-des
   Esp-md5-hmac
   Esp-aes
   Esp-sha-hmac

6- Configure tunnel group
   Group name
   Group policies

: Saved
:
ASA Version 7.2(2)
!
hostname WATER-FW
domain-name WATER.local
enable password XXXXXXXXXXXXX encrypted
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 69.30.30.69 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 nameif DMZ1
 security-level 75
 no ip address
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 10.110.5.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif DMZ2
 security-level 50
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 10
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd XXXXXXXXXXXXXXX encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup DMZ1
dns domain-lookup INSIDE
dns domain-lookup DMZ2
dns server-group DefaultDNS
 name-server 4.2.2.2
 domain-name WATER.local
access-list WATER_Split_TunnelACL remark WATER LAN for Split Tunnel
access-list WATER_Split_TunnelACL standard permit 10.110.5.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host INSIDE 192.168.1.10
mtu outside 1500
mtu DMZ1 1500
mtu INSIDE 1500
mtu DMZ2 1500
mtu management 1500
ip local pool Users 10.110.5.226-10.110.5.250 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface DMZ1
monitor-interface INSIDE
monitor-interface DMZ2
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any DMZ1
icmp permit any echo-reply DMZ1
icmp permit any INSIDE
icmp permit any echo-reply INSIDE
icmp permit any DMZ2
icmp permit any echo-reply DMZ2
icmp permit any management
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (INSIDE) 1 interface
global (DMZ2) 1 interface
nat (DMZ1) 1 0.0.0.0 0.0.0.0
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 69.30.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy WATERVPN internal
group-policy WATERVPN attributes
 wins-server value 10.110.5.50
 dns-server value 10.110.5.50
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WATER_Split_TunnelACL
 default-domain value WATER.local
username admin password XXXXXXXXXXXXXXXXXX encrypted privilege 15
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 DMZ1
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  21
tunnel-group WATER type ipsec-ra
tunnel-group WATER general-attributes
 address-pool Users
tunnel-group WATER ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 DMZ1
telnet 0.0.0.0 0.0.0.0 INSIDE
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh timeout 60
console timeout 0
management-access INSIDE
dhcpd address 10.110.5.200-10.110.5.225 INSIDE
dhcpd dns 10.110.5.50 interface INSIDE
dhcpd wins 10.110.5.50 interface INSIDE
dhcpd enable INSIDE
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b6f081d6af6a818f2c574fcb012af48f
: end


Question by: ssimmons1
5 Comments

Accepted Solution
by: bignewf (earned 500 total points)
Here is one problem:

This is your inside interface:
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 10.110.5.1 255.255.255.0

Your IP pool for remote VPN users is on the same network as your internal LAN:
ip local pool Users 10.110.5.226-10.110.5.250 mask 255.255.255.0
THIS NEEDS TO BE ON A DIFFERENT NETWORK - I.E. 10.10.10.0/24

Also, I don't see nat 0 statements, i.e.
access-list nonat extended permit ip 10.110.5.0 255.255.255.0 10.10.10.0 255.255.255.0

then
nat (inside) 0 access-list nonat
(the above example uses 10.10.10.0/24 as your VPN client IP pool, as an example)

Also add:

sysopt connection permit-ipsec (or permit-vpn depending on IOS version)

Try these to start. Enclosed are PDFs from Cisco with a sample CLI config and ASDM.

Experience has shown that the CLI is better to use for VPN configs; the ASDM often produces errors.

vpnrmote.pdf
remvpn-b.pdf
asa-remotevpn-asdm.pdf
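As an added example (not code from the thread, from Cisco, or from either participant), here is a small Python checker that reads an ASA 7.x-style running config and reports the three points raised in the accepted answer: whether a VPN address pool overlaps a directly connected interface subnet, whether each NATed interface has a `nat (if) 0 access-list` exemption covering LAN-to-pool traffic, and whether `sysopt connection permit-ipsec` / `permit-vpn` is set or explicitly disabled. The two embedded configs are constructed excerpts: one of the config posted in the question, one with the answer's fixes applied. The 10.10.10.0/24 pool network and the ACL name `nonat` come from the answer; the client range 10.10.10.1-10.10.10.50 and the decision to parse only `A MASK`, `host A` and `any` address forms in extended `permit ip` entries are assumptions of this example.

```python
# Added example (not from the thread): checks an ASA 7.x-style config for the three
# points the accepted answer raises (pool overlap, missing nat 0 exemption, sysopt).
import re
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
IPADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) ([^-\s]+)-(\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\s*(.*)")
SYSOPT_RE = re.compile(r"^(no )?sysopt connection permit-(ipsec|vpn)\b")

# Constructed excerpt of the config posted in the question (relevant lines only).
POSTED_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 69.30.30.69 255.255.255.0
interface GigabitEthernet0/2
 nameif INSIDE
 ip address 10.110.5.1 255.255.255.0
ip local pool Users 10.110.5.226-10.110.5.250 mask 255.255.255.0
nat (INSIDE) 1 0.0.0.0 0.0.0.0
"""

# Same excerpt with the answer's fixes; the exact client range 10.10.10.1-.50 is assumed.
FIXED_CONFIG = """\
interface GigabitEthernet0/2
 nameif INSIDE
 ip address 10.110.5.1 255.255.255.0
ip local pool Users 10.10.10.1-10.10.10.50 mask 255.255.255.0
access-list nonat extended permit ip 10.110.5.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
"""

def _take_net(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A MASK') and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    return IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_config(cfg):
    """Return (interfaces, pools, acls, nat_exempt, natted, sysopt) parsed from cfg."""
    interfaces, pools, acls, nat_exempt, natted = {}, {}, {}, {}, set()
    sysopt = None  # None = not shown, True = enabled, False = explicitly disabled
    cur = None     # nameif of the interface block currently being read
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = None
        elif m := NAMEIF_RE.match(line):
            cur = m.group(1)
        elif (m := IPADDR_RE.match(line)) and cur:
            interfaces[cur] = IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (IPv4Address(m.group(2)), IPv4Address(m.group(3)))
        elif m := ACL_RE.match(line):
            tokens = m.group(2).split()
            acls.setdefault(m.group(1), []).append((_take_net(tokens), _take_net(tokens)))
        elif m := NAT_RE.match(line):
            ifname, nat_id, rest = m.groups()
            if nat_id == "0" and rest.startswith("access-list "):
                nat_exempt[ifname] = rest.split()[1]  # NAT exemption (identity NAT) ACL
            else:
                natted.add(ifname)                     # dynamic NAT/PAT applies here
        elif m := SYSOPT_RE.match(line):
            sysopt = m.group(1) is None
    return interfaces, pools, acls, nat_exempt, natted, sysopt

def check_config(cfg):
    """Return a list of findings; an empty list means all three checks passed."""
    interfaces, pools, acls, nat_exempt, natted, sysopt = parse_config(cfg)
    findings = []
    for pname, (first, last) in pools.items():
        # 1. The pool must not sit inside any directly connected interface subnet.
        for ifname, iface in interfaces.items():
            if first in iface.network or last in iface.network:
                findings.append(f"pool {pname} overlaps {ifname} subnet {iface.network}")
        # 2. Each NATed interface with an address needs a nat 0 exemption whose source
        #    overlaps that interface's subnet and whose destination holds the whole pool.
        for ifname in sorted(natted):
            iface = interfaces.get(ifname)
            if iface is None:
                continue  # e.g. a shut-down DMZ with 'no ip address'
            entries = acls.get(nat_exempt.get(ifname, ""), [])
            if not any(iface.network.overlaps(src) and first in dst and last in dst
                       for src, dst in entries):
                findings.append(f"no nat ({ifname}) 0 exemption covering pool {pname}")
    # 3. sysopt permit-ipsec/vpn lets decrypted VPN traffic bypass the interface ACL. On many
    #    ASA releases it is on by default and hidden from 'show run', so 'not set' is advisory.
    if sysopt is False:
        findings.append("sysopt connection permit-ipsec/permit-vpn is explicitly disabled")
    elif sysopt is None:
        findings.append("sysopt connection permit-ipsec (or permit-vpn) not set in config")
    return findings
```

Feed `check_config` the text of a `show running-config` dump: the posted excerpt yields three findings (pool overlap on INSIDE, no nat 0 exemption for INSIDE, sysopt not set) and the fixed excerpt yields none. The nat 0 check only considers extended `permit ip` entries, which is the form the answer uses; standard ACLs and port-specific entries are ignored.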
Author Comment
by: ssimmons1
I just reset to factory defaults and I am starting from scratch. I inherited this box, so I suppose this is the best course. My first goal is to access the internet and PAT my internal users. Then I am going to try the VPN. Bear with me for a couple; these are great resources and I will let you know my results.

By any chance, do you have any initial config docs handy?
I have this:
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/aclrules.html
However your ASDM guide is much better.
Author Comment
by: ssimmons1
Quick Q: when you reset to factory default, do you wipe the VPN license? I had a 750 license.
Author Closing Comment
by: ssimmons1
I had to put this down for a bit, but bignewf addressed both of the issues correctly. I had to do some follow-up reading, but that was due to my lack of understanding. Thanks!
One being the NAT and the other the DHCP scope. Thanks, and sorry for the delay in grading.
Author Comment
by: ssimmons1
And to answer my other Q: no, it doesn't wipe the license info.