Solved

Need to allow VPN thru a Cisco ASA 5510

Posted on 2010-08-18
24
592 Views
Last Modified: 2012-05-10
I have a Cisco ASA 5510 setting between 2 CIsco 2800's. I need to open up a vpn connection from some of our Technicians to VPN into client sites.

{Internet}-------[CISCO 2800]---------<CISCO ASA 5510> -----[Cisco 2800]-------(switch)---Users

Please be detailed in your explanation as I inherited this position from the network admin who left... I am more of a break fix guy
0
Comment
Question by:HB-IT
  • 14
  • 10
24 Comments
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33468126
0
 

Author Comment

by:HB-IT
ID: 33468488
All that just to allow a user inside our network to vpn to a client outside our network.

AARGH - Was hoping it was just a port or setting I needed to change...

Will give it a shot tomorrow
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33468604
in that case u need to allow some port on asa
0
 

Author Comment

by:HB-IT
ID: 33474142
I had guessed as much... Anyone know what port or setting?
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33474221

try

allow any request comming from the user to outside internet on port udp port 500
allow any request comming from the user to outside internet on port udp port 4500
allow any request comming from the user to outside internet on port udp port 10000 UDP
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33474254
for example

access-list acl-in permit udp host <user ip> any eq 500
 access-list acl-in permit udp host <user ip> any eq 4500
access-list acl-in permit udp host <user ip>  eq 4500 any
access-list acl-in permit udp host <user ip> any eq 10000
access-list acl-in permit udp host <user ip>  eq 10000 any
0
 

Author Comment

by:HB-IT
ID: 33477252
and I would find this where exactly...
Told you I was more of a break fix kinda guy
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33477361
sorry man , i didn't get u ?
0
 

Author Comment

by:HB-IT
ID: 33477899
where do i look on the ASA5510 to make these changes
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33477919
just login to ASA  

type
enable

once prompted type the password

then

type
show access-list
show access-group

please provide me the output, so that I can tell u
0
 

Author Comment

by:HB-IT
ID: 33478969
here you go
when I do Access-Group it errors
Access-List.docx
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33479133
can u paste the out put in notepad and upload

if u can type  

show run

it will give all the informatons
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:HB-IT
ID: 33484033
Here you go:



User Access Verification

Password:
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: *************
ciscoasa# show run
: Saved
:
ASA Version 7.1(2)
!
hostname ciscoasa
domain-name hbmcclure.local
enable password BQhulxZLvuLN.tza encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 66.216.163.146 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.11 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd /iZ5xDvy1Zd6jqaE encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name hbmcclure.local
dns server-group HBDNS
 domain-name hbmcclure.local
object-group service MOM tcp-udp
 description Microsoft Operations Manager
 port-object range 1270 1270
object-group service NAT-T udp
 description NAT-T
 port-object range 4500 4500
object-group service IPSec_UDP udp
 description IPSec over UDP for Remote Access VPN
 port-object range 10000 10000
access-list in0 extended permit tcp any host 66.216.163.149 eq smtp
access-list in0 extended permit tcp any host 66.216.163.149 eq https
access-list cscin extended permit ip 10.1.1.0 255.255.255.0 any
access-list cscin extended permit ip 10.2.1.0 255.255.255.0 any
access-list hbmcclurevpn_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list natvpn extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.2
55.0
access-list OUT extended deny tcp any any eq rtsp inactive
access-list OUT extended deny tcp any any eq pop3 inactive
access-list OUT extended permit ip any any
access-list TEST standard permit host 10.1.1.72
pager lines 24
logging enable
logging buffer-size 8192
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool hbmcclurevpn 10.1.10.2-10.1.10.100 mask 255.255.255.0
ip verify reverse-path interface outside
icmp permit any outside
icmp deny any outside
icmp permit any inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list natvpn
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.2.1.0 255.255.255.0
static (inside,outside) tcp 66.216.163.149 https 10.1.1.17 https netmask 255.255
.255.255
static (inside,outside) tcp 66.216.163.149 smtp 10.1.1.14 smtp netmask 255.255.2
55.255
access-group in0 in interface outside
access-group OUT in interface inside
route outside 0.0.0.0 0.0.0.0 66.216.163.145 1
route inside 10.2.1.0 255.255.255.0 10.1.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server hbmcclure protocol radius
aaa-server hbmcclure host 10.1.1.16
 key cisco123
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 70
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry file-access
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not
 been met or due to some specific group policy, you do not have permission to us
e any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy hbmcclurevpn internal
group-policy hbmcclurevpn attributes
 wins-server value 10.1.1.20
 dns-server value 10.1.1.20 10.1.1.16
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value hbmcclurevpn_splitTunnelAcl
 default-domain value hbdomain.local
username gdcllcmin password P2K..irgPV0wbZX0 encrypted
http server enable
http 64.8.50.160 255.255.255.255 outside
http 10.2.1.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group hbmcclurevpn type ipsec-ra
tunnel-group hbmcclurevpn general-attributes
 address-pool hbmcclurevpn
 authentication-server-group hbmcclure
 default-group-policy hbmcclurevpn
tunnel-group hbmcclurevpn ipsec-attributes
 pre-shared-key *
telnet 10.2.1.0 255.255.255.0 outside
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.2.1.0 255.255.255.0 inside
telnet timeout 5
ssh 64.8.50.160 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map cscmapin
 match access-list cscin
!
!
policy-map cscpolin
 class cscmapin
  csc fail-open
policy-map global-policy
 description CSC SSM Filter
 class class-default
  csc fail-open
!
service-policy global-policy global
service-policy cscpolin interface inside
webvpn
 svc enable
Cryptochecksum:36aa5e0525e1280b2ad37fe7ddf127cb
: end
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33484100
can u tell me the user IP:

i can see FW is already allowed for all the IP traffic .

still the user can't connect ?  
0
 

Author Comment

by:HB-IT
ID: 33484202
I cannot even VPN out to the site
The site we need to connect to is: 208.253.121.146
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33484245
u r trying from which ip ? 10.1.1.0 or 10.2.1.0 ?

how u are accessing the VPN server at 208.x.x. , I mean any vpn client ?

did u diable the firewall client on the PC
0
 

Author Comment

by:HB-IT
ID: 33487346
10.1.1.*
From Windows 7 VPN
yes
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33487734
kindly show me the error that u r getting at PC side ? try to enable the log on the client and give me the output .
0
 

Author Comment

by:HB-IT
ID: 33513503
the txt is attached its a long file
PIX-OUTPUT.txt
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33513740
i will check the config of asa, meanwhile please give me the answer to below question

kindly show me the error that u r getting at PC side ? try to enable the log on the client and give me the output .
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33513775
ur asa config is fine
0
 

Author Comment

by:HB-IT
ID: 33521578
Here is what I do...

Start-Here.docx
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33522222
ur firewall is passing the traffic corectly , thats what u r getting authentication propmpt .

need to check whether ur VPN client config is matching with other end ( vpn server)

.
0
 
LVL 14

Accepted Solution

by:
anoopkmr earned 500 total points
ID: 33522230
cross check ur client config with vpn server > it should match.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now