Solved

ASA IPSec VPN from Windows to ASA 5510

Posted on 2011-03-07
4
1,090 Views
Last Modified: 2012-05-11
Hi,

Today I set up an IPSec VPN on an ASA 5510. I was able to set up the DHCP for the client and get the client (Windows XP) to connect via the Cisco VPN software. I'm having two general problems and was wondering if you could point me in the right direction. Unfortunately, I don't have the configuration with me and left work with this problem on my mind.

1) Every time I establish a VPN connection from the client and do an 'ipconfig' I see that my default gateway is the DHCP address assigned. So, I manually changed the default gateway on the laptop to what should be the proper gateway.

2) I can ping the VPN client via the assigned DHCP address from my internal LAN but my client VPN PC can't ping anything internally.

I did try to set up a default tunneled gateway, but that didn't help. I know for a fact I didn't get to setting up any NAT or anything else. I had no other directions and time was running short.

Do you have any suggestions or step-by-step configuration settings I could follow for setting up an IPSec VPN that will allow for internal DNS to be used, proper routing to the internal LAN, general setup, etc.?

Thanks. I can't wait to get back to work tomorrow and get back to the grind.
Question by:First Last
4 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35068280
Hi,

It seems that you need to configure split-tunnel on cisco:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
 
LVL 1

Author Comment

by:First Last
ID: 35070671
I tried to enable split-tunnel, but I'm still having no luck with accessing the internet via the tunnel or local resources across the VPN. When I do a route print from the command line of the XP client using the VPN, all the routes for the VPN network point back to the IP of the XP client.

172.20.2.x range is my private range on the LAN side of my firewall.

I'm uploading my 'route print' display from my client PC when the VPN is connected. Also, I'm uploading my ASA configuration.

All my ACLs are set to ANY ANY for testing purposes.
: Saved
:
ASA Version 8.3(2) 
!
hostname ASA
domain-name 1234
names
dns-guard
!
interface Ethernet0/0
 nameif dmz
 security-level 100
 ip address 172.20.0.10 255.255.255.0 standby 172.20.0.11 
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.101
 vlan 101
 nameif FIOS
 security-level 100
 ip address 173.71.x.x 255.255.255.0 standby 173.71.x.x
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 172.20.2.10 255.255.255.0 standby 172.20.2.11 
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11 
 management-only
!
banner exec This is a private network.
banner exec Access beyond this point is for authorized personell only.
banner exec Unauthorized access will be prosecuted to the full extent of the law.
banner exec We thank you for respecting our privacy.
banner login This is a private network.
banner login Access beyond this point is for authorized personell only.
banner login Unauthorized access will be prosecuted to the full extent of the law.
banner login We thank you for respecting our privacy.
banner asdm This is a private network.
banner asdm Access beyond this point is for authorized personell only.
banner asdm Unauthorized access will be prosecuted to the full extent of the law.
banner asdm We thank you for respecting our privacy.
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 4.2.2.2
 domain-name xxxx
same-security-traffic permit inter-interface
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network Inside 
 subnet 172.20.2.0 255.255.255.0
object network NETWORK_OBJ_172.20.2.192_27 
 subnet 172.20.2.192 255.255.255.224
access-list inside_access_in extended permit ip 10.35.208.0 255.255.240.0 10.35.208.0 255.255.240.0 
access-list inside_access_in extended permit ip 172.20.0.0 255.255.255.0 172.20.0.0 255.255.255.0 
access-list inside_access_in extended permit ip 172.20.2.0 255.255.255.0 172.20.2.0 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit ip interface FIOS interface inside 
access-list global_access extended permit ip any any 
access-list outside_access_in extended permit ip any any 
access-list test extended permit ip host 172.30.0.8 host 172.30.0.9 
access-list test extended permit ip host 172.30.0.9 host 172.30.0.8 
access-list FIOS_access_in extended permit ip any any 
access-list cap1 extended permit ip host 10.35.209.70 any 
access-list cap1 extended permit ip any host 10.35.209.70 
pager lines 24
logging enable
logging monitor warnings
logging buffered critical
logging asdm informational
mtu dmz 1500
mtu FIOS 1500
mtu inside 1500
mtu management 1500
ip local pool Inside-VPN-IP 172.20.2.200-172.20.2.220 mask 255.255.255.0
ip verify reverse-path interface dmz
ip verify reverse-path interface FIOS
ip verify reverse-path interface management
ip audit name ATTACK attack action alarm drop reset
ip audit name INFO info action alarm drop reset
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover polltime unit msec 200 holdtime 15
failover polltime interface msec 500 holdtime 25
failover key *****
failover replication http
failover link failover Ethernet0/3
failover interface ip failover 172.20.3.11 255.255.255.0 standby 172.20.3.10
monitor-interface FIOS
icmp unreachable rate-limit 1 burst-size 1
icmp permit any FIOS
icmp permit any inside
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (inside,FIOS) source dynamic obj_any interface
nat (FIOS,FIOS) source static any any destination static NETWORK_OBJ_172.20.2.192_27 NETWORK_OBJ_172.20.2.192_27
!
nat (inside,FIOS) after-auto source dynamic any interface
access-group FIOS_access_in in interface FIOS
access-group inside_access_in in interface inside
access-group global_access global
route FIOS 0.0.0.0 0.0.0.0 173.71.64.1 1
route inside 10.35.208.0 255.255.240.0 172.20.2.1 1
route FIOS 0.0.0.0 0.0.0.0 172.20.2.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DC protocol ldap
aaa-server DC (inside) host 10.35.208.9
 timeout 5
 server-type auto-detect
url-server (inside) vendor websense host 10.35.209.190 timeout 10 protocol TCP version 4 connections 100
url-cache dst 128
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication telnet console LOCAL 
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate 
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow 
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
auth-prompt prompt Hello. 
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map FIOS_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map FIOS_map interface FIOS
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable FIOS
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
vpn-addr-assign local reuse-delay 5
telnet timeout 1440
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 2
url-block url-size 2
url-block block 1
ntp authenticate
ntp server 10.35.208.5 source inside prefer
webvpn
 enable FIOS
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  url-list value Bookmark
group-policy NEW internal
group-policy NEW attributes
 dns-server value 10.35.208.9 10.35.208.8
 vpn-tunnel-protocol svc 
 default-domain value new.local
group-policy IPSecVPN internal
group-policy IPSecVPN attributes
 dns-server value 10.35.208.9 10.35.208.8
 vpn-idle-timeout 30
 vpn-filter value FIOS_access_in
 ipv6-vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
 split-tunnel-network-list value outside_access_in
 default-domain value new.local
 split-dns value 10.35.208.9 10.35.208.8 
 msie-proxy method no-proxy
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 authentication-server-group DC
tunnel-group NEW type remote-access
tunnel-group NEW general-attributes
 address-pool Inside-VPN-IP
 default-group-policy NEW
tunnel-group NEW ipsec-attributes
 pre-shared-key *****
tunnel-group IPSecVPN type remote-access
tunnel-group IPSecVPN general-attributes
 address-pool Inside-VPN-IP
 default-group-policy IPSecVPN
tunnel-group IPSecVPN ipsec-attributes
 pre-shared-key *****
!
class-map FIOS-class
 match default-inspection-traffic
!
!
policy-map type inspect im IM-Inspect-Map
 parameters
 match protocol msn-im yahoo-im 
  drop-connection log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map FIOS-policy
 class FIOS-class
  inspect dns 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect icmp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect sip  
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
!
service-policy FIOS-policy interface FIOS
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:106e6d0260f4f6cc66cd3c33134ce7e8
: end


C:\Documents and Settings\Administrator>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 14 22 f7 8b 55 ...... Broadcom NetXtreme 57xx Gigabit Controller - Pac
ket Scheduler Miniport
0x100003 ...00 16 ce 45 59 c9 ...... Dell Wireless 1390 WLAN Mini-Card - Packet
Scheduler Miniport
0x130005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Schedule
r Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.20.2.213    172.20.2.213       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.20.2.0    255.255.255.0     172.20.2.213    172.20.2.213       25
     172.20.2.213  255.255.255.255        127.0.0.1       127.0.0.1       25
   172.20.255.255  255.255.255.255     172.20.2.213    172.20.2.213       25
    173.71.64.133  255.255.255.255      192.168.1.1     192.168.1.7       1
      192.168.1.0    255.255.255.0      192.168.1.7     192.168.1.7       25
      192.168.1.0    255.255.255.0     172.20.2.213    172.20.2.213       25
      192.168.1.1  255.255.255.255      192.168.1.7     192.168.1.7       1
      192.168.1.7  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.1.255  255.255.255.255      192.168.1.7     192.168.1.7       25
        224.0.0.0        240.0.0.0     172.20.2.213    172.20.2.213       25
        224.0.0.0        240.0.0.0      192.168.1.7     192.168.1.7       25
  255.255.255.255  255.255.255.255     172.20.2.213    172.20.2.213       1
  255.255.255.255  255.255.255.255      192.168.1.7               2       1
  255.255.255.255  255.255.255.255      192.168.1.7     192.168.1.7       1
Default Gateway:      172.20.2.213
===========================================================================


 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
ID: 35071198
Hi,

There is a problem with the IP pool; you need to create an individual subnet for VPN users:

no ip local pool Inside-VPN-IP 172.20.2.200-172.20.2.220 mask 255.255.255.0
ip local pool Inside-VPN-IP 172.20.4.200-172.20.4.220 mask 255.255.255.0

You need to create an ACL for the VPN:

access-list VPN_ACL standard permit 172.20.0.0 255.255.255.0
access-list VPN_ACL standard permit 172.20.2.0 255.255.255.0


group-policy NEW attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_ACL
group-policy IPSecVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_ACL

After that you need to create a nonat statement:

object network obj-172.20.0.0
   subnet 172.20.0.10 255.255.255.0
object network obj-172.20.2.0
   subnet 172.20.2.10 255.255.255.0
object network obj-172.20.4.0
   subnet 172.20.4.10 255.255.255.0


nat (inside,any) source static obj-172.20.2.0 obj-172.20.2.0 destination static obj-172.20.4.0 obj-172.20.4.0
nat (dmz,any) source static obj-172.20.0.0 obj-172.20.0.0 destination static obj-172.20.4.0 obj-172.20.4.0

 
LVL 1

Author Comment

by:First Last
ID: 35073635
Thank you! I did notice a few minor problems, but I was able to fix them.

1) With the "objects" you had a .10 for the third octet. It should be a .0.
2) By default the NAT was added to the end of my NAT list. In the ASDM I moved those two NAT commands to the top.

Thankfully now I can ping across in both directions! I do have some issues regarding why I can only PING and HTTP, but not RDP or File Share. I'll figure those out on my own. Thank you again.
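The accepted answer and the asker's two follow-up corrections together describe three things to verify in an ASA 8.3 remote-access VPN config: the address pool must be a subnet of its own rather than a slice of the inside interface's subnet, a split-tunnel-network-list does nothing while the policy is tunnelall, and the identity (nonat) rule for the pool must exist on the LAN interface and sit above the dynamic PAT rule because manual NAT is evaluated first-match. The following linter is an added example, not Cisco's code or anything from this thread; it parses only the handful of statements those checks need, and the sample configs at the bottom are constructed from the thread's excerpts (the masked FIOS interface is left out). It covers both the accepted answer and the asker's ordering remark in the last comment.

```python
"""Lint an ASA 8.3-style config for the remote-access VPN mistakes in this thread:
a pool carved out of an interface subnet, a split-tunnel policy that ignores its
network list, and a missing or mis-ordered NAT exemption. Added example, not
Cisco's code; the sample configs at the bottom are constructed."""
import ipaddress
import re

def parse_asa(text):
    """Collect interfaces, network objects, pools, group policies and NAT lines."""
    cfg = {"ifaces": {}, "objects": {}, "pools": {}, "policies": {}, "nat": []}
    blk = {}  # attributes of the indented block currently being read
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)|object network (\S+)|group-policy (\S+) attributes", line):
            table = cfg["ifaces"] if m[1] else cfg["objects"] if m[2] else cfg["policies"]
            blk = table.setdefault(m[1] or m[2] or m[3], {})
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif line.startswith("nat "):
            cfg["nat"].append(line.rstrip())
        elif m := re.match(r" +(nameif|ip address|subnet|split-tunnel-policy|"
                           r"split-tunnel-network-list value) (\S+) ?(\S*)", line):
            # an address+mask pair becomes a network; a single token stays a string
            blk[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False) if m[3] else m[2]
        elif not line.startswith(" "):
            blk = {}  # any other top-level statement ends the current block
    return cfg

def check_pool_overlap(cfg):
    """The pool must be its own subnet, not a slice of an interface subnet."""
    return [f"pool {p} overlaps {i.get('nameif')} subnet {i['ip address']}"
            for p, (lo, hi) in cfg["pools"].items() for i in cfg["ifaces"].values()
            if "ip address" in i and (lo in i["ip address"] or hi in i["ip address"])]

def check_split_tunnel(cfg):
    """With tunnelall the ASA ignores the network list, so a list on such a policy
    is a sign that tunnelspecified was intended."""
    return [f"group-policy {n}: tunnelall ignores network list {p['split-tunnel-network-list value']}"
            for n, p in cfg["policies"].items()
            if p.get("split-tunnel-policy") == "tunnelall" and "split-tunnel-network-list value" in p]

IDENTITY = re.compile(r"nat \((\S+),\S+\) source static (\S+) \2 destination static (\S+) \3$")
DYNAMIC = re.compile(r"nat \((\S+),\S+\) (?!after-auto)source dynamic")

def check_nat_exemption(cfg, lan_ifaces=("inside",)):
    """Each LAN interface needs an identity (nonat) rule that covers the pool, placed
    above that interface's dynamic PAT rule because 8.3 manual NAT is first-match."""
    out = []
    for pool, (lo, hi) in cfg["pools"].items():
        for lan in lan_ifaces:
            exempt = dyn = None
            for i, line in enumerate(cfg["nat"]):
                if (m := IDENTITY.match(line)) and m[1] == lan and exempt is None:
                    dnet = cfg["objects"].get(m[3], {}).get("subnet")
                    if dnet and lo in dnet and hi in dnet:
                        exempt = i
                elif (m := DYNAMIC.match(line)) and m[1] == lan and dyn is None:
                    dyn = i
            if exempt is None:
                out.append(f"no identity NAT from {lan} to pool {pool}")
            elif dyn is not None and dyn < exempt:
                out.append(f"identity NAT from {lan} to pool {pool} sits below the PAT rule")
    return out

def lint(text):
    cfg = parse_asa(text)
    return check_pool_overlap(cfg) + check_split_tunnel(cfg) + check_nat_exemption(cfg)

IFACES = """\
interface Ethernet0/2
 nameif inside
 ip address 172.20.2.10 255.255.255.0 standby 172.20.2.11
"""
# Constructed from the asker's config: pool inside the LAN, tunnelall, and the only
# identity NAT on the (FIOS,FIOS) pair, which never sees inside-to-client traffic.
BROKEN_CFG = IFACES + """\
object network NETWORK_OBJ_172.20.2.192_27
 subnet 172.20.2.192 255.255.255.224
ip local pool Inside-VPN-IP 172.20.2.200-172.20.2.220 mask 255.255.255.0
nat (inside,FIOS) source dynamic obj_any interface
nat (FIOS,FIOS) source static any any destination static NETWORK_OBJ_172.20.2.192_27 NETWORK_OBJ_172.20.2.192_27
group-policy IPSecVPN attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list value outside_access_in
"""
# Constructed from the accepted answer plus the asker's two corrections.
FIXED_BASE = IFACES + """\
object network obj-172.20.2.0
 subnet 172.20.2.0 255.255.255.0
object network obj-172.20.4.0
 subnet 172.20.4.0 255.255.255.0
ip local pool Inside-VPN-IP 172.20.4.200-172.20.4.220 mask 255.255.255.0
group-policy IPSecVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_ACL
"""
NONAT = "nat (inside,any) source static obj-172.20.2.0 obj-172.20.2.0 destination static obj-172.20.4.0 obj-172.20.4.0\n"
PAT = "nat (inside,FIOS) source dynamic obj_any interface\n"
FIXED_CFG = FIXED_BASE + NONAT + PAT       # nonat above the PAT rule
MISORDERED_CFG = FIXED_BASE + PAT + NONAT  # where ASDM appends a new rule by default
```

Running `lint(BROKEN_CFG)` reports all three problems from the original post, `lint(FIXED_CFG)` reports nothing, and `lint(MISORDERED_CFG)` reports only the ordering problem the asker hit when the ASDM appended the nonat rule below the existing PAT rule. The checker is deliberately narrow: it understands only twice-NAT lines of the `source static X X destination static Y Y` form and ignores object groups, so a real config with exemptions written differently would need the regexes extended.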