With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!
Course Of The Month
7 days, 23 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
ASA IPSec VPN from Windows to ASA 5510
Posted on 2011-03-07
Hi,
Today I setup a IPSec VPN on a ASA 5510. I was able to setup the DHCP for the client and get the client (Windows XP) to connect via the Cisco VPN Software. I'm having two general problems and was wondering if you could point me in the right direction. Unfortunately, I don't have the configure and left work with this problem on my mind.
1) Everytime I establish a VPN connection from the client and do an 'ipconfig' I see that my default gateway is the dhcp address assigned. So, I manually changed the default gatewa on the laptop to what should be the proper gateway.
2) I can ping the VPN client via the assigned DHCP address from my internal LAN but my client VPN PC can't ping anything internally.
I did try to setup a default tunneled gateway, but that didn't help. I know for a fact I didn't get to setting up any NAT or anything else. I had no other directions and time was running short.
Do you have any suggestions or step by step configuration settings I could follow for setting up IPSEC VPN that will allow for internal DNS to be used, proper routing to internal LAN, general setup,etc?
Thanks. I can't wait to get back to work tomorrow and get back to the grind.
Today I setup a IPSec VPN on a ASA 5510. I was able to setup the DHCP for the client and get the client (Windows XP) to connect via the Cisco VPN Software. I'm having two general problems and was wondering if you could point me in the right direction. Unfortunately, I don't have the configure and left work with this problem on my mind.
1) Everytime I establish a VPN connection from the client and do an 'ipconfig' I see that my default gateway is the dhcp address assigned. So, I manually changed the default gatewa on the laptop to what should be the proper gateway.
2) I can ping the VPN client via the assigned DHCP address from my internal LAN but my client VPN PC can't ping anything internally.
I did try to setup a default tunneled gateway, but that didn't help. I know for a fact I didn't get to setting up any NAT or anything else. I had no other directions and time was running short.
Do you have any suggestions or step by step configuration settings I could follow for setting up IPSEC VPN that will allow for internal DNS to be used, proper routing to internal LAN, general setup,etc?
Thanks. I can't wait to get back to work tomorrow and get back to the grind.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2-
2
4 Comments
Active 2 days ago
Hi,
It seems that you need to configure split-tunnel on cisco:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
It seems that you need to configure split-tunnel on cisco:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
I tried to enable split-tunnel, but i'm still having no luck with accessing the internet via the tunnel or local resources across the VPN. When I do a route print from the command line of the XP client using the VPN all the routes for the VPN network point back to the IP of the XP client.
172.20.2.x range is my private range on the LAN side of my firewall.
I'm uploading a my 'route print' display from my client PC when the VPN is connected. Also, i'm uploading my ASA configuration.
All my ACL are set to ANY ANY for testing purposes.
172.20.2.x range is my private range on the LAN side of my firewall.
I'm uploading a my 'route print' display from my client PC when the VPN is connected. Also, i'm uploading my ASA configuration.
All my ACL are set to ANY ANY for testing purposes.
: Saved
:
ASA Version 8.3(2)
!
hostname ASA
domain-name 1234
names
dns-guard
!
interface Ethernet0/0
nameif dmz
security-level 100
ip address 172.20.0.10 255.255.255.0 standby 172.20.0.11
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.101
vlan 101
nameif FIOS
security-level 100
ip address 173.71.x.x 255.255.255.0 standby 173.71.x.x
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 172.20.2.10 255.255.255.0 standby 172.20.2.11
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
management-only
!
banner exec This is a private network.
banner exec Access beyond this point is for authorized personell only.
banner exec Unauthorized access will be prosecuted to the full extent of the law.
banner exec We thank you for respecting our privacy.
banner login This is a private network.
banner login Access beyond this point is for authorized personell only.
banner login Unauthorized access will be prosecuted to the full extent of the law.
banner login We thank you for respecting our privacy.
banner asdm This is a private network.
banner asdm Access beyond this point is for authorized personell only.
banner asdm Unauthorized access will be prosecuted to the full extent of the law.
banner asdm We thank you for respecting our privacy.
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name xxxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside
subnet 172.20.2.0 255.255.255.0
object network NETWORK_OBJ_172.20.2.192_27
subnet 172.20.2.192 255.255.255.224
access-list inside_access_in extended permit ip 10.35.208.0 255.255.240.0 10.35.208.0 255.255.240.0
access-list inside_access_in extended permit ip 172.20.0.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list inside_access_in extended permit ip 172.20.2.0 255.255.255.0 172.20.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip interface FIOS interface inside
access-list global_access extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list test extended permit ip host 172.30.0.8 host 172.30.0.9
access-list test extended permit ip host 172.30.0.9 host 172.30.0.8
access-list FIOS_access_in extended permit ip any any
access-list cap1 extended permit ip host 10.35.209.70 any
access-list cap1 extended permit ip any host 10.35.209.70
pager lines 24
logging enable
logging monitor warnings
logging buffered critical
logging asdm informational
mtu dmz 1500
mtu FIOS 1500
mtu inside 1500
mtu management 1500
ip local pool Inside-VPN-IP 172.20.2.200-172.20.2.220 mask 255.255.255.0
ip verify reverse-path interface dmz
ip verify reverse-path interface FIOS
ip verify reverse-path interface management
ip audit name ATTACK attack action alarm drop reset
ip audit name INFO info action alarm drop reset
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover polltime unit msec 200 holdtime 15
failover polltime interface msec 500 holdtime 25
failover key *****
failover replication http
failover link failover Ethernet0/3
failover interface ip failover 172.20.3.11 255.255.255.0 standby 172.20.3.10
monitor-interface FIOS
icmp unreachable rate-limit 1 burst-size 1
icmp permit any FIOS
icmp permit any inside
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (inside,FIOS) source dynamic obj_any interface
nat (FIOS,FIOS) source static any any destination static NETWORK_OBJ_172.20.2.192_27 NETWORK_OBJ_172.20.2.192_27
!
nat (inside,FIOS) after-auto source dynamic any interface
access-group FIOS_access_in in interface FIOS
access-group inside_access_in in interface inside
access-group global_access global
route FIOS 0.0.0.0 0.0.0.0 173.71.64.1 1
route inside 10.35.208.0 255.255.240.0 172.20.2.1 1
route FIOS 0.0.0.0 0.0.0.0 172.20.2.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DC protocol ldap
aaa-server DC (inside) host 10.35.208.9
timeout 5
server-type auto-detect
url-server (inside) vendor websense host 10.35.209.190 timeout 10 protocol TCP version 4 connections 100
url-cache dst 128
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
auth-prompt prompt Hello.
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map FIOS_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map FIOS_map interface FIOS
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable FIOS
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
vpn-addr-assign local reuse-delay 5
telnet timeout 1440
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 2
url-block url-size 2
url-block block 1
ntp authenticate
ntp server 10.35.208.5 source inside prefer
webvpn
enable FIOS
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
url-list value Bookmark
group-policy NEW internal
group-policy NEW attributes
dns-server value 10.35.208.9 10.35.208.8
vpn-tunnel-protocol svc
default-domain value new.local
group-policy IPSecVPN internal
group-policy IPSecVPN attributes
dns-server value 10.35.208.9 10.35.208.8
vpn-idle-timeout 30
vpn-filter value FIOS_access_in
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelall
split-tunnel-network-list value outside_access_in
default-domain value new.local
split-dns value 10.35.208.9 10.35.208.8
msie-proxy method no-proxy
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group DC
tunnel-group NEW type remote-access
tunnel-group NEW general-attributes
address-pool Inside-VPN-IP
default-group-policy NEW
tunnel-group NEW ipsec-attributes
pre-shared-key *****
tunnel-group IPSecVPN type remote-access
tunnel-group IPSecVPN general-attributes
address-pool Inside-VPN-IP
default-group-policy IPSecVPN
tunnel-group IPSecVPN ipsec-attributes
pre-shared-key *****
!
class-map FIOS-class
match default-inspection-traffic
!
!
policy-map type inspect im IM-Inspect-Map
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map FIOS-policy
class FIOS-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy FIOS-policy interface FIOS
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:106e6d0260f4f6cc66cd3c33134ce7e8
: end
asdm image disk0:/asdm-635.bin
no asdm history enable
C:\Documents and Settings\Administrator>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 14 22 f7 8b 55 ...... Broadcom NetXtreme 57xx Gigabit Controller - Pac
ket Scheduler Miniport
0x100003 ...00 16 ce 45 59 c9 ...... Dell Wireless 1390 WLAN Mini-Card - Packet
Scheduler Miniport
0x130005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Schedule
r Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.20.2.213 172.20.2.213 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.20.2.0 255.255.255.0 172.20.2.213 172.20.2.213 25
172.20.2.213 255.255.255.255 127.0.0.1 127.0.0.1 25
172.20.255.255 255.255.255.255 172.20.2.213 172.20.2.213 25
173.71.64.133 255.255.255.255 192.168.1.1 192.168.1.7 1
192.168.1.0 255.255.255.0 192.168.1.7 192.168.1.7 25
192.168.1.0 255.255.255.0 172.20.2.213 172.20.2.213 25
192.168.1.1 255.255.255.255 192.168.1.7 192.168.1.7 1
192.168.1.7 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.7 192.168.1.7 25
224.0.0.0 240.0.0.0 172.20.2.213 172.20.2.213 25
224.0.0.0 240.0.0.0 192.168.1.7 192.168.1.7 25
255.255.255.255 255.255.255.255 172.20.2.213 172.20.2.213 1
255.255.255.255 255.255.255.255 192.168.1.7 2 1
255.255.255.255 255.255.255.255 192.168.1.7 192.168.1.7 1
Default Gateway: 172.20.2.213
===========================================================================
Active 2 days ago
Hi,
there is a problem with ip pool, you need to create individual subnet for VPN users:
no ip local pool Inside-VPN-IP 172.20.2.200-172.20.2.220 mask 255.255.255.0
ip local pool Inside-VPN-IP 172.20.4.200-172.20.4.220 mask 255.255.255.0
you need to create acl for vpn
access-list VPN_ACL standard permit 172.20.0.0 255.255.255.0
access-list VPN_ACL standard permit 172.20.2.0 255.255.255.0
group-policy NEW attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ACL
group-policy IPSecVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ACL
after that you need to create nonat statatement:
object network obj-172.20.0.0
subnet 172.20.0.10 255.255.255.0
object network obj-172.20.2.0
subnet 172.20.2.10 255.255.255.0
object network obj-172.20.4.0
subnet 172.20.4.10 255.255.255.0
nat (inside,any) source static obj-172.20.2.0 obj-172.20.2.0 destination static obj-172.20.4.0 obj-172.20.4.0
nat (dmz,any) source static obj-172.20.0.0 obj-172.20.0.0 destination static obj-172.20.4.0 obj-172.20.4.0
there is a problem with ip pool, you need to create individual subnet for VPN users:
no ip local pool Inside-VPN-IP 172.20.2.200-172.20.2.220 mask 255.255.255.0
ip local pool Inside-VPN-IP 172.20.4.200-172.20.4.220 mask 255.255.255.0
you need to create acl for vpn
access-list VPN_ACL standard permit 172.20.0.0 255.255.255.0
access-list VPN_ACL standard permit 172.20.2.0 255.255.255.0
group-policy NEW attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ACL
group-policy IPSecVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ACL
after that you need to create nonat statatement:
object network obj-172.20.0.0
subnet 172.20.0.10 255.255.255.0
object network obj-172.20.2.0
subnet 172.20.2.10 255.255.255.0
object network obj-172.20.4.0
subnet 172.20.4.10 255.255.255.0
nat (inside,any) source static obj-172.20.2.0 obj-172.20.2.0 destination static obj-172.20.4.0 obj-172.20.4.0
nat (dmz,any) source static obj-172.20.0.0 obj-172.20.0.0 destination static obj-172.20.4.0 obj-172.20.4.0
Thank you! I did notice a few minor problems, but I was able to fix them.
1) With the "objects" you had a .10 for the third octet. It should be a .0
2) By default the nat was added to the end of my nat list. In the ASDM i moved those two NAT commands to the top.
Thankfully now I can ping across in both directions! I do have some issues regarding why I can only PING and HTTP, but not RDP or File Share. I'll figure those out on my own. Thank you again.
1) With the "objects" you had a .10 for the third octet. It should be a .0
2) By default the nat was added to the end of my nat list. In the ASDM i moved those two NAT commands to the top.
Thankfully now I can ping across in both directions! I do have some issues regarding why I can only PING and HTTP, but not RDP or File Share. I'll figure those out on my own. Thank you again.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty.
Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Powerful tools can do wonders, but only in the right hands. Nowhere is this more obvious than with the cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month7 days, 23 hours left to enroll
Earn Certification
Cisco CCNA R&S: ICND2 v3
$197.00$177.30
Earn Certification
Cisco CCNA Collaboration: CIVND2
$197.00$177.30
728 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.