HB-IT
asked on
Need to allow VPN thru a Cisco ASA 5510
I have a Cisco ASA 5510 sitting between 2 Cisco 2800s. I need to open up a VPN connection from some of our technicians to VPN into client sites.
{Internet}-------[CISCO 2800]---------<CISCO ASA 5510> -----[Cisco 2800]-------(switch)---Users
Please be detailed in your explanation as I inherited this position from the network admin who left... I am more of a break fix guy
ASKER
All that just to allow a user inside our network to vpn to a client outside our network.
AARGH - Was hoping it was just a port or setting I needed to change...
Will give it a shot tomorrow
In that case you need to allow some ports on the ASA.
ASKER
I had guessed as much... Anyone know what port or setting?
Try:
Allow any request coming from the user to the outside internet on UDP port 500.
Allow any request coming from the user to the outside internet on UDP port 4500.
Allow any request coming from the user to the outside internet on UDP port 10000.
For example:
access-list acl-in remark IKE / ISAKMP negotiation
access-list acl-in permit udp host <user ip> any eq 500
access-list acl-in remark NAT-T (IPsec encapsulated in UDP 4500)
access-list acl-in permit udp host <user ip> any eq 4500
access-list acl-in permit udp host <user ip> eq 4500 any
access-list acl-in remark Cisco IPsec over UDP 10000
access-list acl-in permit udp host <user ip> any eq 10000
access-list acl-in permit udp host <user ip> eq 10000 any
ASKER
and I would find this where exactly...
Told you I was more of a break fix kinda guy
Sorry man, I didn't get you?
ASKER
Where do I look on the ASA 5510 to make these changes?
Just log in to the ASA and type:
enable
Once prompted, type the password, then type:
show access-list
show access-group
Please provide me the output so that I can tell you.
ASKER
Can you paste the output in Notepad and upload it?
If you can, type:
show run
It will give all the information.
ASKER
Here you go:
User Access Verification
Password:
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: *************
ciscoasa# show run
: Saved
:
ASA Version 7.1(2)
!
hostname ciscoasa
domain-name hbmcclure.local
enable password BQhulxZLvuLN.tza encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 66.216.163.146 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd /iZ5xDvy1Zd6jqaE encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name hbmcclure.local
dns server-group HBDNS
domain-name hbmcclure.local
object-group service MOM tcp-udp
description Microsoft Operations Manager
port-object range 1270 1270
object-group service NAT-T udp
description NAT-T
port-object range 4500 4500
object-group service IPSec_UDP udp
description IPSec over UDP for Remote Access VPN
port-object range 10000 10000
access-list in0 extended permit tcp any host 66.216.163.149 eq smtp
access-list in0 extended permit tcp any host 66.216.163.149 eq https
access-list cscin extended permit ip 10.1.1.0 255.255.255.0 any
access-list cscin extended permit ip 10.2.1.0 255.255.255.0 any
access-list hbmcclurevpn_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list natvpn extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list OUT extended deny tcp any any eq rtsp inactive
access-list OUT extended deny tcp any any eq pop3 inactive
access-list OUT extended permit ip any any
access-list TEST standard permit host 10.1.1.72
pager lines 24
logging enable
logging buffer-size 8192
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool hbmcclurevpn 10.1.10.2-10.1.10.100 mask 255.255.255.0
ip verify reverse-path interface outside
icmp permit any outside
icmp deny any outside
icmp permit any inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list natvpn
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.2.1.0 255.255.255.0
static (inside,outside) tcp 66.216.163.149 https 10.1.1.17 https netmask 255.255.255.255
static (inside,outside) tcp 66.216.163.149 smtp 10.1.1.14 smtp netmask 255.255.255.255
access-group in0 in interface outside
access-group OUT in interface inside
route outside 0.0.0.0 0.0.0.0 66.216.163.145 1
route inside 10.2.1.0 255.255.255.0 10.1.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server hbmcclure protocol radius
aaa-server hbmcclure host 10.1.1.16
key cisco123
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 70
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry file-access
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy hbmcclurevpn internal
group-policy hbmcclurevpn attributes
wins-server value 10.1.1.20
dns-server value 10.1.1.20 10.1.1.16
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hbmcclurevpn_splitTunnelAcl
default-domain value hbdomain.local
username gdcllcmin password P2K..irgPV0wbZX0 encrypted
http server enable
http 64.8.50.160 255.255.255.255 outside
http 10.2.1.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal 20
tunnel-group hbmcclurevpn type ipsec-ra
tunnel-group hbmcclurevpn general-attributes
address-pool hbmcclurevpn
authentication-server-group hbmcclure
default-group-policy hbmcclurevpn
tunnel-group hbmcclurevpn ipsec-attributes
pre-shared-key *
telnet 10.2.1.0 255.255.255.0 outside
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.2.1.0 255.255.255.0 inside
telnet timeout 5
ssh 64.8.50.160 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map cscmapin
match access-list cscin
!
!
policy-map cscpolin
class cscmapin
csc fail-open
policy-map global-policy
description CSC SSM Filter
class class-default
csc fail-open
!
service-policy global-policy global
service-policy cscpolin interface inside
webvpn
svc enable
Cryptochecksum:36aa5e0525e1280b2ad37fe7ddf127cb
: end
Can you tell me the user IP?
I can see the FW already allows all the IP traffic.
Still the user can't connect?
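Added example (Python; not code from this thread or from Cisco): a small first-match evaluator for the "access-list NAME extended ..." syntax seen in the posted show run. It parses the OUT access-list that the config applies "in interface inside", and the port-only acl-in list suggested earlier in the thread with <user ip> filled in with a constructed address (10.1.1.50), then asks, for each flow a client VPN might originate (IKE UDP 500, NAT-T UDP 4500, Cisco IPsec over UDP 10000, L2TP UDP 1701, ESP, PPTP TCP 1723, GRE), whether the ACL permits it from that host toward 208.253.121.146. The flow table, the service-name map and the client address are assumptions for illustration. It confirms the point made above: "permit ip any any" on the inside interface already lets everything out, so no port needs opening; it also shows which flows the narrower suggested list would leave to the implicit deny.

```python
"""Added example: first-match evaluator for ASA extended ACL lines.
Not Cisco code; flow table and sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL text copied from the posted config (OUT is applied 'in interface inside').
POSTED_OUT_ACL = """\
access-list OUT extended deny tcp any any eq rtsp inactive
access-list OUT extended deny tcp any any eq pop3 inactive
access-list OUT extended permit ip any any
"""

# The port-only ACL suggested earlier in the thread, with <user ip> replaced by
# a constructed client address (10.1.1.50) so it can be evaluated.
SUGGESTED_ACL = """\
access-list acl-in extended permit udp host 10.1.1.50 any eq 500
access-list acl-in extended permit udp host 10.1.1.50 any eq 4500
access-list acl-in extended permit udp host 10.1.1.50 eq 4500 any
access-list acl-in extended permit udp host 10.1.1.50 any eq 10000
access-list acl-in extended permit udp host 10.1.1.50 eq 10000 any
"""

# Service names used in the posted config, resolved to port numbers (assumed map).
PORT_NAMES = {"rtsp": 554, "pop3": 110, "smtp": 25, "https": 443, "isakmp": 500}

# Flows a Windows or Cisco client VPN may originate: (IP protocol, dst port).
VPN_FLOWS = {
    "IKE (UDP 500)": ("udp", 500),
    "NAT-T (UDP 4500)": ("udp", 4500),
    "IPsec over UDP (UDP 10000)": ("udp", 10000),
    "L2TP (UDP 1701)": ("udp", 1701),
    "ESP (IP proto 50)": ("esp", None),
    "PPTP control (TCP 1723)": ("tcp", 1723),
    "GRE (IP proto 47)": ("gre", None),
}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    inactive: bool


def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)


def _port(tok):
    """Consume an optional 'eq PORT'; other operators are not needed for this config."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text, name):
    """Return the ACEs of access-list `name` in the order the ASA evaluates them."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", name, "extended"]:
            continue  # other ACLs, remarks, blank lines
        tok = tok[3:]
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        aces.append(Ace(action, proto, src, sport, dst, dport, "inactive" in tok))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, sport=None, dport=None):
    """First matching active ACE wins; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a.inactive or a.proto not in ("ip", proto):
            continue
        if src not in a.src or dst not in a.dst:
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"


def check_client_vpn(aces, client_ip, server_ip):
    """Map each VPN flow name to 'permit' or 'deny' for client -> server."""
    return {name: evaluate(aces, proto, client_ip, server_ip, dport=port)
            for name, (proto, port) in VPN_FLOWS.items()}


if __name__ == "__main__":
    for label, text, acl in (("posted OUT", POSTED_OUT_ACL, "OUT"),
                             ("suggested acl-in", SUGGESTED_ACL, "acl-in")):
        print(label)
        verdicts = check_client_vpn(parse_acl(text, acl), "10.1.1.50", "208.253.121.146")
        for flow, verdict in verdicts.items():
            print(f"  {verdict:6} {flow}")
```

Two practitioner notes on reading the result. First, the ASA is stateful, so the inside ACL only has to permit the outbound first packet; the "eq 4500 any" style return rules in the suggested list are not what makes the reply traffic work. Hit counts in "show access-list OUT" on the box itself will show whether the permit line is being matched while the client tries to connect. Second, if the Windows 7 built-in client is negotiating PPTP, a "permit" verdict for GRE is not the end of the story: GRE carries no ports, so getting it back through the "global (outside) 1 interface" PAT relies on the PPTP inspection engine ("inspect pptp" in a policy-map), and the posted global-policy contains only the CSC class and no inspect statements. That is a caveat to verify against the client's chosen tunnel type, not something the thread establishes.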
ASKER
I cannot even VPN out to the site
The site we need to connect to is: 208.253.121.146
You are trying from which IP? 10.1.1.0 or 10.2.1.0?
How are you accessing the VPN server at 208.x.x.x, I mean with which VPN client?
Did you disable the firewall client on the PC?
ASKER
10.1.1.*
From Windows 7 VPN
yes
Kindly show me the error that you are getting at the PC side? Try to enable the log on the client and give me the output.
ASKER
The txt is attached; it's a long file.
PIX-OUTPUT.txt
I will check the config of the ASA; meanwhile please give me the answer to the question below:
Kindly show me the error that you are getting at the PC side? Try to enable the log on the client and give me the output.
Your ASA config is fine.
ASKER
Your firewall is passing the traffic correctly; that's why you are getting the authentication prompt.
Need to check whether your VPN client config matches the other end (VPN server).
ASKER CERTIFIED SOLUTION
http://blogs.techrepublic.com.com/networking/?p=1201