Solved

ASA 5505 VPN/Routing setup

Posted on 2011-03-14
Last Modified: 2012-05-11
Attached is a quickly thrown together Visio Diagram of my Network/Lab environment I am trying to setup.

What I can do-

Connect to the VPN and get a 10.10.10.10-.15 address with a subnet mask of 255.0.0.0

What I want to do-

Connect to the VPN and be able to connect to the 10.10.10.0/25 subnet via the router address 10.10.10.1 (connected to a switch that would allow access to other hardware on the 10. subnet).

What I don't know-

Can I have an inside address space of 10.10.10.x, have VPN users assigned a part of that space, and still route to the 10.10.10.1 router from the ASA?

Should I have the VPN subnet be different from the 10.10.10.0 network and route the VPN subnet to the 10.?

I am new to the ASA and routing/vpn to begin with but I am not a total moron.

My Running Config:
ciscoasa# show run
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.x.x.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list nonat extended permit ip host 10.10.10.0 255.255.255.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.10.10-10.10.10.15
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.x.x.0 255.255.255.192 outside
ssh 65.x.x.2 255.255.255.255 outside
ssh 173.x.x.77 255.255.255.255 outside
ssh 98.x.x.210 255.255.255.255 outside
ssh 69.x.x.214 255.255.255.255 outside
ssh 98.x.x.30 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Mike password mf8ElptroezNx3bK encrypted
username Jonathan password UM/CkdFwlaWoMPMZ encrypted
username Steve password 4gTDvFtw2Ug04PWk encrypted
username Lawrence password UqxtX.iTNtwfRyZn encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:df59d22cc546a072ca4a8f9804be856c
: end



Attachment: Visio-VTC-Lab.vsd

Question by:agruber85

14 Comments
Expert Comment

by:MikeKane
ID: 35133272
I don't think the diagram matches the config. Your ASA inside interface is on a 192.168. subnet. This is not reflected in the Visio.

If your network looks like the Visio, then this placement would work ok.

If your network looks like the ASA config above, this will not work, since any traffic in the ASA that matches the ip local pool pattern would not get routed, but encapsulated for the tunnel.

I always try to make the ip local pools different than internal subnets for my own sanity... others might debate me on that. Usually, there is no harm in reusing IPs from a connected interface as part of the local pool.

Assisted Solution

by:gavving
gavving earned 500 total points
ID: 35133353
It's always a good idea to specify the netmask when allocating your local pools.  

ip local pool vtcpool 10.10.10.10-10.10.10.15 mask 255.255.255.128

I'm not sure if you can add the mask to an existing pool, or if you'll have to delete it and re-add it. If you delete it, make sure you put it back in your tunnel-group.

Yes you can allocate VPN users into the same IP block as the internal network interface.   Just make sure not to duplicate IPs with something else on your network.

Author Comment

by:agruber85
ID: 35133896
MikeKane,

You are correct! Let's change the VPN IP address scheme to 192.168.1.10-.15, and using "mask" allowed me to put in a subnet mask of 255.255.255.128.

Now how do I route the VPN users to 10.10.10.1?
Route inside 192.168.1.0 255.255.255.0 10.10.10.1, tells me the route already exists.

I also took out..
Access-list nonat extended permit ip host 10.10.10.0 255.255.255.0 255.255.255.192 and can still connect to the VPN.

Author Comment

by:agruber85
ID: 35133924
Actually I need to change that entirely. Hold on for a min and I will change the ASA inside address to the 10. subnet as well as the VPN group.

How do I turn off the inside DHCP? The asa guide code doesn't work.

Assisted Solution

by:gavving
gavving earned 500 total points
ID: 35134074
no dhcpd address 192.168.1.5-192.168.1.36 inside
no dhcpd enable inside
no dhcpd auto_config outside



Author Comment

by:agruber85
ID: 35134129
no dhcpd address 192.168.1.5-192.168.1.36 inside did the trick.

Back to working on the VPN setup... I will post the running config when I'm done.



Author Comment

by:agruber85
ID: 35134305
Gavving,

Question, what is the best way to connect my VPN group to the 10.10.10.0 network running on the 2900?

My thought was to make the VPN users part of that 10.10.10.0 subnet and route them to the 10.10.10.1 gateway. What I don't understand is how do I route the VPN group to the 10.10.10.1 2900 router?

Do I even need to configure the inside interface IP address?

Assisted Solution

by:gavving
gavving earned 500 total points
ID: 35134318
Assuming that your 2900 is on the same LAN that your inside interface is connected to, then yes you want your inside interface to be on the 10.10.10.0/25 network.  Pick an available number and configure your inside interface on that IP network.  

If the ASA is going to function as the Internet firewall for the network, then you'll want your default gateway on the network to be the inside IP of the ASA.  

Author Comment

by:agruber85
ID: 35134355
So make Vlan 2 on the ASA 10.10.10.1
Make the 2900 10.10.10.2 (instead of 10.10.10.1)
My VPN group IP 10.10.10.3-.x

Do I then make my Ethernet int 0/2 switchport access vlan 2? (0/0 being outside, 0/1 being inside, and 0/2 being the link to the 2900)?

Author Comment

by:agruber85
ID: 35134374
substitute vlan 1 for vlan 2 ( 1 is inside and 2 is outside)

Accepted Solution

by:gavving
gavving earned 500 total points
ID: 35134391
I'm not completely sure what the end goal here is.  Do you need to have 192.168.1.0/24?  If not then make vlan1 10.10.10.1, and move the 2900 to 10.10.10.2.  We could configure a vlan2 and put it on there, but unless you have the Security Plus license you can't get full communications between all 3 vlans.  

Author Comment

by:agruber85
ID: 35134511
Right now I am using over 10 external IPs by NATing out my voice lab.

I want to setup VPN on the ASA and put it in place to access the 10. subnet by either routing all data through the 2900 or by connecting the asa to the switch with all of the 10. hardware.

my asa is now 10.10.10.1 (inside)
the 2900 is 10.10.10.2
The vpn group is still .10-.15

The asa port 0/2 is hooked up to a switch which has my voice gear attached. Each lab component is running the high end 10.

so hopefully the asa can route my vpn users to the switch so I can access all of the voice hardware.

Author Comment

by:agruber85
ID: 35134649
I can establish a VPN connection and ping the ASA Gateway (10.10.10.1) But I cannot ping or connect to any other 10.10.10.X ip address (AKA my Lab Gear).

My link to the other hardware at the moment is a cisco switch. The ASA Ethernet port 0/2 is directly connected to the switch along with all the lab gear.

Thanks

Author Comment

by:agruber85
ID: 35134799
Good news! I added this with my IP scheme of course, not sure if it is needed, but I'm able to connect and browse to my lab gear.

ip local pool vpnippool 192.168.15.200-192.168.15.250 mask 255.255.255.0
access-list inside_nat0_outbound permit ip any 192.168.15.0 255.255.255.0
crypto isakmp nat-traversal
nat (inside) 0 access-list inside_nat0_outbound
group-policy GroupPolicy attributes
 address-pools value vpnippool

Thanks for the help, I was a mess and you lead me to my end goal.

Off to split tunneling now. Hope that is easier.
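Editor's note: the thread converges on three things (inside interface moved onto 10.10.10.0/25, a VPN pool kept outside any inside subnet with an explicit mask, and a NAT exemption so inside-to-pool traffic is not rewritten by the PAT rule). The fragment below collects that end state into one ASA 8.2 configuration. It is an added example, not the poster's running config or the experts' posts: the pool range, the `GroupPolicy` and `inside_nat0_outbound` names are the ones the poster used in the last comment, the `vtc_split` access-list and the split-tunnel settings are assumptions that go one step past what the thread configured, and the 2900 route at the end is only needed if some lab gear still uses the 2900 as its default gateway. The crypto map, transform set and ISAKMP policy from the posted config are unchanged and not repeated here.

```cisco
! Added example, not from the thread. ASA 5505, 8.2(4) NAT syntax.
! Inside LAN is 10.10.10.0/25: ASA at .1, 2900 at .2, lab gear on the
! switch behind Ethernet0/2 (VLAN 1 = inside by default on the 5505).
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.128
!
! VPN pool on its own subnet, with an explicit mask, so no pool address
! can collide with a host on 10.10.10.0/25 (the original /8 mask and
! in-subnet pool were the source of the confusion above).
ip local pool vpnippool 192.168.15.200-192.168.15.250 mask 255.255.255.0
!
! NAT exemption (nat 0): traffic from the inside LAN to the pool must skip
! the interface PAT rule, otherwise replies to VPN clients are translated
! to the outside address and only the ASA itself answers pings.
! Scoped to the inside subnet rather than "any" so the exemption does not
! silently cover other sources later added to the ASA.
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.128 192.168.15.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Assumed split-tunnel list: only the lab subnet is sent through the tunnel;
! the client's Internet traffic stays local.
access-list vtc_split standard permit 10.10.10.0 255.255.255.128
!
group-policy GroupPolicy internal
group-policy GroupPolicy attributes
 address-pools value vpnippool
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vtc_split
!
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vpnippool
 default-group-policy GroupPolicy
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
! Lets clients behind a home NAT router bring the tunnel up (UDP 4500).
crypto isakmp nat-traversal 20
!
! On the 2900 only, and only if lab gear still points its default gateway
! at the 2900 instead of the ASA (assumed IOS syntax):
!   ip route 192.168.15.0 255.255.255.0 10.10.10.1
```

To confirm the exemption is actually hit before testing from a client, run `packet-tracer input inside icmp 10.10.10.2 8 0 192.168.15.200` on the ASA and check that the NAT phase reports the nat 0 rule rather than the interface PAT; `show xlate` should show no translation for the pool addresses. One caveat that the thread's 2011 defaults do not raise: the posted transform set (esp-3des/esp-md5-hmac) and ISAKMP policy (3DES, DH group 2) are weak by current standards, so on any image that supports it prefer AES with SHA and a larger DH group, and treat the shared pre-shared key plus per-user local passwords as lab-only authentication.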