Solved

Cisco ASA SSL VPN not able to reach my network

Posted on 2011-02-16
24
1,319 Views
Last Modified: 2012-05-11
I currently have a Cisco router and a Cisco ASA. The ASA is used for SSL VPN only, nothing more. I have only 1 static IP to work with, and so far I have configured the ASA so I can log in from the outside using the SSL VPN; however, after I log in I cannot access anything on the remote network I am trying to connect to. Attached is my config, please let me know if I am missing something.

Thanks
ciscoasa# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa

names
!
interface Ethernet0/0
 switchport access vlan 50
!
interface Ethernet0/1
 switchport access vlan 50
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan50
 nameif inside
 security-level 100
 ip address 50.0.0.100 255.255.255.0
!
ftp mode passive
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 70.0.0.0 255.255.255.0
access-list split-tunnel standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu inside 1500
ip local pool WebVPNPool 70.0.0.50-70.0.0.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
 dns-server value 50.0.0.1 4.2.2.2
 vpn-tunnel-protocol svc
 group-lock value WebVPNAccessProfile
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

 address-pools value WebVPNPool
 webvpn
  svc ask none default svc
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable

username aaaaa attributes
 service-type remote-access
tunnel-group WebVPNAccessProfile type remote-access
tunnel-group WebVPNAccessProfile general-attributes
 default-group-policy WebVPNPolicy
tunnel-group WebVPNAccessProfile webvpn-attributes
 group-alias WebVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:73bed0bc5d7f5219a105ea5d7034be00
: end
ciscoasa#


0
Question by:mmercaldi
24 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
Well, it looks like you defined the outside as being the inside (public address).

AND

I don't see an inside network... (the real inside private network).
0
 

Author Comment

by:mmercaldi
What is the best way to do this? Again, do not forget this is VPN only; there is not really any NATting going on on this ASA.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Well, you still need an outside and an inside interface. How else do you want to connect to your internal network?

Here is an example of an ASA with webvpn (also have a look at how the interfaces are set up):

ASA Version 7.2(1)
hostname ciscoasa
domain-name cisco.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names
dns-guard
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.22.1.160 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ1
 security-level 50
 no ip address
interface Management0/0
 description For Mgt only
 shutdown
 nameif Mgt
 security-level 0
 ip address 10.10.10.1 255.255.255.0
 management-only
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.com
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu Mgt 1500
icmp permit any outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.22.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!

!--- group policy configurations
!

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter
   http-proxy auto-download citrix
username cisco password 53QNetqK.Kqqfshe encrypted
!

!--- asdm configurations
!

http server enable
http 10.2.2.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!

!--- tunnel group configurations
!

tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 10.2.2.2 master timeout 2 retry 2
!
telnet timeout 5
ssh 172.22.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
!

!--- webvpn configurations
!

webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
!
prompt hostname context
!
end


For the complete story, go to: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
0
 
LVL 35

Expert Comment

by:Ernie Beek
Wait a sec.

I've been thinking (I sometimes do ;).

You have one public IP? So your router holds that IP and the ASA is behind it (and behind NAT)?
0
 

Author Comment

by:mmercaldi
When I do that I get this message:
ciscoasa(config)# int e0/3
ciscoasa(config-if)# nameif outside
ERROR: This command can only be configured on VLAN interfaces
0
 
LVL 57

Expert Comment

by:Pete Long
0
 

Author Comment

by:mmercaldi
erniebeek: yes, I only have 1 static IP; the client is too cheap to buy a second for whatever reason.
0
 
LVL 35

Expert Comment

by:Ernie Beek
My mistake, the 5505 works with VLANs; something like this:


ASA Version 7.2(2)
!
hostname yourASA
domain-name yourdomain.com
enable password yourpassword
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.111.111.111 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd yourpassword
ftp mode passive
dns server-group DefaultDNS
 domain-name yourdomain.com
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 111.111.111.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
0
 

Author Comment

by:mmercaldi
Right, but my router is controlling all VLANs, so I could get a VLAN mismatch, and if I have 2 VLAN 50s wouldn't that cause a bunch of errors?
0
 

Author Comment

by:mmercaldi
PeteLong:
I attempted to do this; however, again I do not have an outside interface.
0
 
LVL 35

Expert Comment

by:Ernie Beek
So, how is your router set up?

Perhaps it's an idea to change the router so it bridges; that way the ASA gets the public IP and you would be able to set up everything from there.
0
 
LVL 1

Accepted Solution

by:
alex_firewall_guy earned 250 total points
Here is a working config that hits a Microsoft AD server via LDAP for user authentication and pushes down the IP address to the VPN client from AD as well.

It uses the VPN-on-a-stick model that you were initially looking at. You aren't required to have two interfaces on the ASA to get it to allow VPN. Try this out and hit me up with any questions you have, and I will do what I can to assist.

Hope it helps.

ASA Version 8.3(2)4
!
terminal width 200
hostname <yourhostname>
domain-name <yourdomain>
enable password <yourenablepassword>
passwd <yourtelnetpassword>
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 description vlan xxxx single interface (vpn on a stick)
 nameif <yourinterfacename>
 security-level 100
 ip address 10.10.10.205 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa832-4-k8.bin
boot system disk1:/asa832-4-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup <yourinterfacename>
dns server-group DefaultDNS
 retries 3
 timeout 5
 name-server <yourdnsserverip>
 domain-name <yourdnssuffix>
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list <yourinterfacename>ACL extended permit icmp any any
access-list <yourinterfacename>ACL extended permit ip any any
access-list http-list2 extended permit ip any any
!
tcp-map mss-map
!
pager lines 20
logging enable
logging timestamp
logging buffer-size 1048576
logging asdm-buffer-size 512
logging console errors
logging monitor errors
logging buffered informational
logging trap informational
logging history errors
logging asdm errors
logging facility 16
logging queue 0
logging device-id hostname
logging host <yourinterfacename> 10.10.10.196
logging permit-hostdown
mtu <yourinterfacename> 1500
ipv6 access-list denyipv6ACL deny ip any any
ipv6 access-list ipv6captureACL permit ip any any
no failover
failover lan unit primary
failover replication http
icmp unreachable rate-limit 1 burst-size 1
icmp permit any <yourinterfacename>
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group <yourinterfacename>ACL in interface <yourinterfacename>
access-group denyipv6ACL in interface <yourinterfacename>
route <yourinterfacename> 0.0.0.0 0.0.0.0 10.10.10.193 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:45:00 udp 0:10:00 icmp 0:00:05
timeout sunrpc 0:10:00 h323 5:00:00 h225 5:00:00 mgcp 0:10:00 mgcp-pat 0:10:00
timeout sip 0:30:00 sip_media 0:10:00 sip-invite 0:10:00 sip-disconnect 0:10:00
timeout sip-provisional-media 0:02:00 uauth 0:10:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map aaa-assign-Map
  map-name  msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
  port-forward disable
  file-browsing disable
  file-entry disable
  http-proxy disable
  url-entry disable
  svc ask none default svc
aaa-server LDAP-SRVR-GRP protocol ldap
 reactivation-mode depletion deadtime 1
 max-failed-attempts 2
aaa-server LDAP-SRVR-GRP (<yourinterfacename>) host 10.10.10.11
 server-port 636
 ldap-base-dn dc=<domain>, dc=<domain>, dc=<domain>
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password <passwordforldapaccount>
 ldap-login-dn CN=<ldapaccount>,OU=<yourOU>,OU=<yourOU>,OU=<yourOU>,OU=<yourOU>,ou=<yourOU>,DC=<yourdomain>,DC=<yourdomain>,DC=<yourdomain>
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map aaa-assign-Map
eou allow none
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
service resetinbound
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 <insert certificates here>
crypto ca trustpoint ASDM_TrustPoint1
 <insert certificates here>
crypto ca trustpoint ASDM_TrustPoint2
 <insert certificates here>
crypto ca certificate chain ASDM_TrustPoint0
 <insert certificates here>
crypto ca certificate chain ASDM_TrustPoint1
 <insert certificates here>
crypto ca certificate chain ASDM_TrustPoint2
 <insert certificates here>
crypto isakmp identity address
no crypto isakmp nat-traversal
no vpn-addr-assign dhcp
no vpn-addr-assign local
vpn-sessiondb max-session-limit 5000
vpn-sessiondb max-webvpn-session-limit 500
!
tls-proxy maximum-session 1000
!
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 <yourinterfacename>
webvpn
 enable <yourinterfacename>
 default-idle-timeout 1200
 csd image disk0:/csd_3.5.841-k9.pkg
 svc image disk0:/anyconnect-win-2.5.2006-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.5.2006-k9.pkg 2
 svc image disk0:/anyconnect-linux-64-2.5.2006-k9.pkg 3
 svc image disk0:/anyconnect-macosx-i386-2.5.2006-k9.pkg 4
 svc image disk0:/anyconnect-macosx-powerpc-2.5.2006-k9.pkg 5
 svc image disk0:/anyconnect-wince-ARMv4I-2.5.2006-k9.pkg 6
 svc image disk0:/anyconnect-dart-win-2.5.2006-k9.pkg 7
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.10.10.10 10.10.10.11
 vpn-simultaneous-logins 2
 vpn-idle-timeout 20
 vpn-session-timeout 1080
 vpn-tunnel-protocol svc
 ip-comp enable
 re-xauth enable extended
 default-domain value <domain.com>
 user-authentication-idle-timeout 20
 nem enable
 webvpn
  svc keepalive none
  svc rekey time 20
  svc rekey method ssl
  svc dpd-interval client 600
  svc dpd-interval gateway 600
  svc compression deflate
  svc ask none default svc
  keep-alive-ignore 10
  activex-relay disable
  file-entry disable
  file-browsing disable
  url-entry disable
  svc df-bit-ignore enable
  svc routing-filtering-ignore enable
tunnel-group OurWebVpnGrp type remote-access
tunnel-group OurWebVpnGrp general-attributes
 authentication-server-group LDAP-SRVR-GRP
tunnel-group OurWebVpnGrp webvpn-attributes
 group-alias <DOMAIN TAG Here> enable
!
class-map inspection_default
 match default-inspection-traffic
class-map http-map1
 match access-list http-list2
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect sqlnet
 class http-map1
  set connection advanced-options mss-map
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context

0
 

Author Comment

by:mmercaldi
Thanks, I will be able to try this tonight.
0
 

Author Comment

by:mmercaldi
Here is what I have now, and I am still getting the same issue:

hostname ciscoasa                                                                              
enable password 8Ry2YjIyt7RRXU24 encrypted                                                      
passwd 2KFQnbNIdI.2KYOU encrypted                                                              
names                                                                                          
!                                                                                              
interface Ethernet0/0                                                                          
 switchport access vlan 50                                                                      
!                                                                                              
interface Ethernet0/1                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/2                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/3                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/4                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/5                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/6                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/7                                                                          
 shutdown                                                                                      
!                                                                                              
interface Vlan1                                                                                
 no nameif                                                                                      
 no security-level                                                                              
 no ip address                                                                                  
!                                                                                              
interface Vlan50                                                                                
 nameif outside                                                                                
 security-level 0                                                                              
 ip address 50.0.0.200 255.255.255.0                                                            
!                                                                                              
ftp mode passive                                                                                
access-list outsideACL extended permit icmp any any                                            
access-list outsideACL extended permit ip any any                                              
access-list http-list2 extended permit ip any any                                              
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0                            
pager lines 24                                                                                  
mtu outside 1500                                                                                
ip local pool SSLClientPool 70.0.0.10-70.0.0.20 mask 255.255.255.0                              
icmp unreachable rate-limit 1 burst-size 1                                                      
no asdm history enable                                                                          
arp timeout 14400                                                                              
access-group outsideACL in interface outside                                                    
route outside 0.0.0.0 0.0.0.0 50.0.0.1 1                                                        
timeout xlate 3:00:00                                                                          
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                              
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                    
timeout tcp-proxy-reassembly 0:01:00                                                            
dynamic-access-policy-record DfltAccessPolicy                                                  
no snmp-server location                                                                        
no snmp-server contact                                                                          
snmp-server enable traps snmp authentication linkup linkdown coldstart                          
crypto ipsec security-association lifetime seconds 28800                                        
crypto ipsec security-association lifetime kilobytes 4608000                                    
telnet timeout 5                                                                                
ssh timeout 5                                                                                  
console timeout 0                                                                              
                                                                                               
threat-detection basic-threat                                                                  
threat-detection statistics access-list                                                        
no threat-detection statistics tcp-intercept                                                    
webvpn                                                                                          
 enable outside                                                                                
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1                                        
 svc enable                                                                                    
 tunnel-group-list enable                                                                      
group-policy DfltGrpPolicy attributes                                                          
 dns-server value 50.0.0.1 4.2.2.2                                                              
 vpn-tunnel-protocol svc                                                                        
 split-tunnel-policy tunnelspecified                                                            
 split-tunnel-network-list value Split_Tunnel_List                                              
 address-pools value SSLClientPool                                                              
username mercxi password o0zmZzwk0jklo95r encrypted                                            
username mercxi attributes                                                                      
 service-type remote-access                                                                    
tunnel-group SSLClientProfile type remote-access                                                
tunnel-group SSLClientProfile webvpn-attributes                                                
 group-alias SSLVPNCLIENT enable                                                                
!                                                                                              
class-map inspection_default                                                                    
 match default-inspection-traffic                                                              
!                                                                                              
!                                                                                              
policy-map type inspect dns preset_dns_map                                                      
 parameters                                                                                    
  message-length maximum client auto                                                            
  message-length maximum 512                                                                    
policy-map global_policy                                                                        
 class inspection_default                                                                      
  inspect dns preset_dns_map                                                                    
  inspect ftp                                                                                  
  inspect h323 h225                                                                            
  inspect h323 ras                                                                              
  inspect ip-options                                                                            
  inspect netbios                                                                              
  inspect rsh                                                                                  
  inspect rtsp                                                                                  
  inspect skinny                                                                                
  inspect esmtp                                                                                
  inspect sqlnet                                                                                
  inspect sunrpc                                                                                
  inspect tftp                                                                                  
  inspect sip                                                                                  
  inspect xdmcp                                                                                
  inspect icmp                                                                                  
!                                                                                              
service-policy global_policy global                                                            
prompt hostname context                                                                        
call-home                                                                                      
 profile CiscoTAC-1                                                                            
  no active                                                                                    
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService      
  destination address email callhome@cisco.com                                                  
  destination transport-method http                                                            
  subscribe-to-alert-group diagnostic                                                          
  subscribe-to-alert-group environment                                                          
  subscribe-to-alert-group inventory periodic monthly                                          
  subscribe-to-alert-group configuration periodic monthly                                      
  subscribe-to-alert-group telemetry periodic daily                                            
Cryptochecksum:3ba021f51e11b7e3d2bb3267f071035f                                                
: end            
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
Finally got what you want to do (duh). Looks like I need some practice on my English again.

The VPN is terminated on the ASA's interface and then routed out again. In that case you at least need "same-security-traffic permit intra-interface" in your config.

Also, the clients in your network need to know where to find the 70.0.0.10-70.0.0.20 network, so they need a route to that network via 50.0.0.200.

This might also interest you: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
0
 
LVL 1

Expert Comment

by:alex_firewall_guy
I agree with erniebeek on this one. These two commands should be added to your config:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

I also agree that your network will need a route propagated through it directing traffic destined for your vpn pool address range back to your ASA.

If those two tidbits don't help any, maybe you can get us a little more info on the error you get when you attempt to connect to a device after connecting to your vpn.  Debug log info from the ASA might be helpful too.
Author Comment

by:mmercaldi
Thanks, Ernie and Alex. I will be able to try this tonight after the client office move.
LVL 35

Expert Comment

by:Ernie Beek
Good luck. If you need any more assistance, let us know.
LVL 1

Expert Comment

by:alex_firewall_guy
I'll be logged on again later this evening and through the weekend too so if you need more assistance over the weekend, post up and I'll see what I can do.
Author Comment

by:mmercaldi
I added the 2 lines. I can ping the ASA, which is 50.0.0.200, but I cannot ping anything else on the network. Am I doing something else wrong? Below is my router config:
mercrouter#sh run
Building configuration...

Current configuration : 6444 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mercrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login MYVPN local
aaa authorization network myvpnnetwork local
!
!
aaa session-id common
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1180740580
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1180740580
 revocation-check none
 rsakeypair TP-self-signed-1180740580
!
!
crypto pki certificate chain TP-self-signed-1180740580
 certificate self-signed 01
  quit
ip source-route
!
!
!
ip dhcp pool mypool
   network 50.0.0.0 255.255.255.0
   default-router 50.0.0.1
   dns-server 50.0.0.1 4.2.2.2
!
ip dhcp pool tvpool
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1 4.2.2.2
!
ip dhcp pool vlan80pool
   network 80.0.0.0 255.255.255.0
   default-router 80.0.0.1
   dns-server 80.0.0.1 4.2.2.2
!
!
ip cef
ip name-server 4.2.2.1
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license boot module c880-data level advipservices
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXXXX
 key merc84
 dns 50.0.0.1
 domain xxxxxxxxxxx
 pool myvpnpool
 acl myvpnacl
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map DYN_MAP 1
 set transform-set myset
!
!
crypto map mymap client authentication list MYVPN
crypto map mymap isakmp authorization list myvpnnetwork
crypto map mymap client configuration address respond
crypto map mymap 65535 ipsec-isakmp dynamic DYN_MAP
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 50
 switchport trunk allowed vlan 1,2,10,50,80,1002-1005
 switchport mode trunk
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 50
!
interface FastEthernet3
 switchport access vlan 80
!
interface FastEthernet4
 ip address xxx
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 51.0.0.1 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport access vlan 50
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan50
 ip address 50.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan80
 ip address 80.0.0.1 255.255.255.0
 ip access-group 112 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool myvpnpool 65.0.0.10 65.0.0.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http authentication local
no ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 50.0.0.200 1000 interface FastEthernet4 1000
ip nat inside source static tcp 50.0.0.200 443 interface FastEthernet4 443
ip nat inside source route-map ISP1 interface FastEthernet4 overload
!
ip access-list extended aclblock1
 deny   ip 50.0.0.0 0.0.0.255 80.0.0.0 0.0.0.255
 deny   ip 80.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
 permit ip any any
ip access-list extended myvpnacl
 permit ip 50.0.0.0 0.0.0.255 65.0.0.0 0.0.0.255
!
access-list 101 deny   ip 80.0.0.0 0.0.0.255 65.0.0.0 0.0.0.255
access-list 101 deny   ip 10.10.10.0 0.0.0.255 65.0.0.0 0.0.0.255
access-list 101 deny   ip 50.0.0.0 0.0.0.255 65.0.0.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 50.0.0.0 0.0.0.255 any
access-list 101 permit ip 80.0.0.0 0.0.0.255 any
access-list 110 permit ip 80.0.0.0 0.0.0.255 host 50.0.0.1
access-list 110 deny   ip 80.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
access-list 110 permit ip any any
access-list 111 deny   ip 50.0.0.0 0.0.0.255 80.0.0.0 0.0.0.255
access-list 111 permit ip any any
access-list 112 deny   ip 80.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
access-list 112 permit ip any any
!
!
!
!
route-map ISP1 permit 10
 match ip address 101
 match interface FastEthernet4
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 privilege level 15
!
scheduler max-task-time 5000
end

Author Comment

by:mmercaldi
It finally worked. I had to add the 2 lines:
global (outside) 10 interface
nat (outside) 10 70.0.0.0 255.255.255.0
Author Comment

by:mmercaldi
For anyone's knowledge, below is the working config:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 50
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan50
 nameif outside
 security-level 0
 ip address 50.0.0.200 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outsideACL extended permit icmp any any
access-list outsideACL extended permit ip any any
access-list http-list2 extended permit ip any any
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
ip local pool SSLClientPool 70.0.0.10-70.0.0.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (outside) 10 70.0.0.0 255.255.255.0
access-group outsideACL in interface outside
route outside 0.0.0.0 0.0.0.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 50.0.0.1 4.2.2.2
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value SSLClientPool
username mercxi password o0zmZzwk0jklo95r encrypted
username mercxi attributes
 service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNCLIENT enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ac438d718f03c06d7b590baa7c0fbe52
: end
ciscoasa#
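The thread boils down to two conditions for a one-armed SSL VPN on ASA 8.2: the hairpin permit Ernie and Alex asked for, and a return path for the pool (either a LAN route pointing at the ASA, or the nat/global pair the author ended up adding). The check below is an added example, not code from the thread or from Cisco; it runs over a constructed sample trimmed from the working config above and assumes a single pool and a single default route.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the working ASA 8.2(3) config posted above.
WORKING_CFG = """\
same-security-traffic permit intra-interface
ip local pool SSLClientPool 70.0.0.10-70.0.0.20 mask 255.255.255.0
global (outside) 10 interface
nat (outside) 10 70.0.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 50.0.0.1 1
webvpn
 enable outside
"""


def check_one_armed_vpn(cfg):
    """Return findings for an ASA 8.2 SSL VPN config; an empty list means the
    one-armed return path is handled. Assumes one pool and one default route."""
    findings = []
    # "enable <if>" is only indented under webvpn, so it names the VPN interface.
    vpn_if = re.search(r"^ enable (\S+)$", cfg, re.M)
    pool = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", cfg, re.M)
    route = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+", cfg, re.M)
    if not (vpn_if and pool and route):
        return ["config is missing a webvpn interface, address pool or default route"]
    vpn_if = vpn_if.group(1)
    pool_net = ipaddress.ip_network(f"{pool.group(1)}/{pool.group(3)}", strict=False)
    # One-armed: clients arrive on the same interface the ASA routes the LAN through.
    if route.group(1) != vpn_if:
        return findings
    if not re.search(r"^same-security-traffic permit intra-interface$", cfg, re.M):
        findings.append("missing 'same-security-traffic permit intra-interface': "
                        f"VPN traffic enters and leaves {vpn_if} and is dropped")
    # Pool PATed to the interface address (nat/global pair sharing an id) means LAN
    # hosts reply to the ASA itself; otherwise they need a route for the pool.
    nat_ok = False
    for nat_if, nat_id, net, mask in re.findall(
            r"^nat \((\S+)\) (\d+) (\S+) (\S+)", cfg, re.M):
        nat_net = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        has_global = re.search(rf"^global \({nat_if}\) {nat_id} interface$", cfg, re.M)
        if nat_if == vpn_if and has_global and pool_net.subnet_of(nat_net):
            nat_ok = True
    if not nat_ok:
        findings.append(f"pool {pool_net} is not translated to the {vpn_if} address: "
                        f"LAN hosts need a route for {pool_net} via the ASA")
    return findings
```

Running it against the working config returns no findings; strip the intra-interface line or the nat statement and it reports which of the two return-path conditions is gone.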

LVL 35

Expert Comment

by:Ernie Beek
Good job! Glad you got it working. And also great you posted the complete solution here. And last but not least: thanks for the points.
LVL 1

Expert Comment

by:alex_firewall_guy
Sweet.  Glad we were able to help.