Wibble_

asked on

Cisco ASA 5510 VPN configuration


I have an ASA5510 in production with 4 active VPN tunnels.

I am looking to add a couple of roadwarrior users using the Cisco VPN client - just the user bob is set up below

I did my cisco certs a long time ago :-(

I've gotten myself stuck, and I don't want to make a mistake and kill the current branch office sessions

This config is a mess (I know, my predecessor loved the ASDM)

Any help would really be appreciated!  

   
: Saved
: Written by enable_15 at 08:19:11.171 UTC Tue Apr 19 2011
!
ASA Version 7.2(1) 
!
hostname hola-01
domain-name bar1.foo.internal
enable password xxxx encrypted
names
!
interface Ethernet0/0
 description ISP 100mbps connection for Admin internet
 nameif Outside
 security-level 0
 ip address nnn.nnn.nnn.133 255.255.255.0 
!
interface Ethernet0/1
 description bar site 1 Administrative Network
 nameif bar1-admin
 security-level 50
 ip address 10.0.16.1 255.255.255.0 
!
interface Ethernet0/2
 description Testing purposes only
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.4 255.255.255.0 
 management-only
!
passwd xxxx encrypted
banner exec Temp Access, bob close soon.
banner exec bar ASA5510
ftp mode passive
dns server-group DefaultDNS
 domain-name bar1.foo.internal
same-security-traffic permit intra-interface
access-list Outside_access_in extended permit tcp any interface Outside eq smtp 
access-list Outside_access_in extended permit tcp any interface Outside eq www 
access-list Outside_access_in extended permit tcp any interface Outside eq https 
access-list Outside_access_in extended permit tcp any interface Outside eq 3389 
access-list Outside_access_in extended permit tcp any interface Outside eq 26120 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq www 
access-list Outside_access_in extended permit tcp any interface Outside eq 54600 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.70 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.69 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.66 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq ftp log 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq ftp-data log 
access-list Outside_access_in extended permit tcp any interface Outside eq ftp 
access-list Outside_access_in extended permit tcp any interface Outside eq ftp-data 
access-list Outside_access_in extended permit tcp any interface Outside eq domain 
access-list Outside_access_in extended permit udp any interface Outside eq domain 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.70 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.70 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.66 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.70 eq smtp 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq 5003 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq 5090 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq 5003 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq 5090 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq telnet 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq www 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq 3389 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq www 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq https 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq 5003 
access-list Outside_access_in extended permit udp any host ooo.ooo.ooo.71 eq 5003 
access-list Outside_access_in extended permit tcp any interface Outside eq imap4 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.70 eq https 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.70 eq www 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.65 eq www 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.65 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.68 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq 3389 
access-list Outside_access_in extended permit gre any host ooo.ooo.ooo.70 
access-list Outside_120_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.0.20.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.41.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.40.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.32.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.20.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.24.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.24.0 255.255.255.0 
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.0.24.0 255.255.255.0 
access-list management_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.32.0 255.255.255.0 
access-list management_nat0_outbound extended permit ip host 10.0.16.1 host 10.0.41.1 
access-list management_nat0_outbound extended permit ip host nnn.nnn.nnn.133 host 4.4.4.4 
access-list Outside_140_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.0.40.0 255.255.255.0 
access-list management_20_cryptomap extended permit ip host 10.0.16.1 host 10.0.41.1 
access-list Outside_140_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.0.41.0 255.255.255.0 
pager lines 24
logging enable
logging buffered errors
logging asdm errors
mtu Outside 1500
mtu bar1-admin 1500
mtu management 1500
no failover
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (bar1-admin) 0 access-list bar1-admin_nat0_outbound
nat (bar1-admin) 1 10.0.16.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (bar1-admin,Outside) tcp interface 26120 10.0.16.98 26120 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 www 10.0.16.22 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface 3389 10.0.16.98 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface 54600 10.0.16.232 54600 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.66 www 10.0.16.234 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.69 www 10.0.16.24 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 ftp 10.0.16.249 ftp netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 ftp-data 10.0.16.249 ftp-data netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface www 10.0.16.247 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface smtp 10.0.16.247 smtp netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface https 10.0.16.247 https netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface ftp 10.0.16.98 ftp netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface ftp-data 10.0.16.98 ftp-data netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface domain 10.0.16.231 domain netmask 255.255.255.255 
static (bar1-admin,Outside) udp interface domain 10.0.16.231 domain netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 3389 10.0.16.25 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 www 10.0.16.25 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.70 3389 10.0.16.27 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.70 www 10.0.16.27 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.66 3389 10.0.16.24 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.70 3389 10.0.16.201 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.70 smtp 10.0.16.27 smtp netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 5003 10.0.16.208 5003 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 5090 10.0.16.208 5090 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 5003 10.0.16.209 5003 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 5090 10.0.16.209 5090 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 5050 10.0.16.209 telnet netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 www 10.0.16.249 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 www 10.0.16.26 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 https 10.0.16.26 https netmask 255.255.255.255 
static (bar1-admin,Outside) udp ooo.ooo.ooo.71 5003 10.0.16.26 5003 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 5003 10.0.16.26 5003 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 3389 10.0.16.26 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.70 https 10.0.16.248 https netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.70 www 10.0.16.248 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.65 3389 10.0.16.235 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.65 www 10.0.16.235 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.68 www 10.0.16.28 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 3389 10.0.16.99 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.65 https 10.0.16.31 https netmask 255.255.255.255 
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 nnn.nnn.nnn.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy roadwarrior internal
group-policy roadwarrior attributes
 vpn-simultaneous-logins 3
 ip-comp enable
 default-domain value foo.internal
username root password xxxx encrypted privilege 15
username bob password xxxx encrypted
username bob attributes
 vpn-group-policy roadwarrior
aaa authentication ssh console LOCAL 
http 10.0.0.0 255.255.0.0 bar1-admin
http 10.0.24.0 255.255.255.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set roadwarrior esp-aes-256 esp-sha-hmac 
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer 1.1.1.1 
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 40 match address Outside_140_cryptomap
crypto map Outside_map 40 set peer 2.2.2.2 
crypto map Outside_map 40 set transform-set ESP-AES-128-SHA
crypto map Outside_map 120 match address Outside_120_cryptomap
crypto map Outside_map 120 set peer 3.3.3.3 
crypto map Outside_map 120 set transform-set ESP-AES-128-SHA
crypto map Outside_map 140 match address Outside_140_cryptomap_1
crypto map Outside_map 140 set peer 4.4.4.4 
crypto map Outside_map 140 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable management
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 7
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 99
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
 pre-shared-key key
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key key
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key key
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key key
tunnel-group roadwarrior type ipsec-ra
tunnel-group roadwarrior general-attributes
 dhcp-server 10.0.16.12
tunnel-group roadwarrior ipsec-attributes
 pre-shared-key key
telnet timeout 600
ssh 10.0.16.1 255.255.255.255 bar1-admin
ssh 10.0.16.0 255.255.255.0 bar1-admin
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 10.0.16.101-10.0.16.199 bar1-admin
dhcpd dns 10.0.16.12 10.0.32.11 interface bar1-admin
dhcpd wins 10.0.16.12 10.0.32.11 interface bar1-admin
dhcpd domain bar1.foo.internal interface bar1-admin
dhcpd enable bar1-admin
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:3b7dbe6dc64c23431eceacc91fe4abf4
: end

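The remote-access pieces the posted config does not yet have, written out as an added example; this is not part of the original post or of either member-only solution on this page. It assumes ASA 7.2 syntax, a hypothetical local pool named vpnpool on 10.0.17.0/24 (any unused range works, as long as it is not 10.0.16.0/24 or one of the L2L subnets), reuses the existing transform-set roadwarrior and ISAKMP policy 99, and leaves the four static crypto map entries (1, 40, 120, 140) and their tunnel-groups untouched:

```cisco
! Added example, not from the original post. Pool name and 10.0.17.0/24 are assumptions.
!
! 1. Addresses for connected clients. Hands out from a local pool instead of
!    relaying to the internal DHCP server the tunnel-group currently points at.
ip local pool vpnpool 10.0.17.10-10.0.17.50 mask 255.255.255.0
!
! 2. NAT exemption: traffic from bar1-admin to the client pool must not be
!    PAT'd out of Outside. Same mechanism the existing L2L entries use.
access-list bar1-admin_nat0_outbound extended permit ip 10.0.16.0 255.255.255.0 10.0.17.0 255.255.255.0
!
! 3. Split tunnel: only 10.0.0.0/16 (the admin LAN and the branch networks
!    reachable over the L2L tunnels) goes through the VPN; client Internet
!    traffic stays local.
access-list roadwarrior_splittunnel standard permit 10.0.0.0 255.255.0.0
!
group-policy roadwarrior attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value roadwarrior_splittunnel
 dns-server value 10.0.16.12
 vpn-idle-timeout 30
!
tunnel-group roadwarrior general-attributes
 no dhcp-server 10.0.16.12
 address-pool vpnpool
 default-group-policy roadwarrior
!
! 4. Dynamic crypto map for peers with unknown source addresses, attached to
!    the existing static map at a sequence number above every L2L entry so the
!    static entries are always matched first and are not renegotiated.
crypto dynamic-map Outside_dyn_map 10 set transform-set roadwarrior
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
!
! 5. NAT traversal so clients behind home routers can bring up ESP over UDP 4500.
!    The Cisco client negotiates IKEv1 with group 2; policy 99 (aes-256, sha,
!    group 2) already matches transform-set roadwarrior.
crypto isakmp nat-traversal 20
```

Apply it from configure mode and then check, without touching the branch tunnels, that `show crypto isakmp sa` still lists 1.1.1.1 through 4.4.4.4 in QM_IDLE, that `show crypto map interface Outside` shows the dynamic entry last, and that `show vpn-sessiondb remote` lists bob once connected. Decrypted VPN traffic bypasses Outside_access_in because `sysopt connection permit-vpn` is on by default in 7.2, so no outside ACL change is needed. This matches the Cisco VPN client only; the Windows built-in client speaks L2TP/IPsec and would need a separate configuration with `vpn-tunnel-protocol l2tp-ipsec` in its group-policy, which is not covered here.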

ASKER CERTIFIED SOLUTION
Ken Boone
This solution is only available to members.

SOLUTION
This solution is only available to members.
Wibble_

ASKER

That's great, thanks guys.

Can I use the normal Windows (7) IPsec VPN client with this config? I have a copy of the Cisco VPN client, but can't see where to put the PSK...
Do I point it at eth0/0's address? (nnn.nnn.nnn.133)

I guess I should start another question for these questions really. I won't ask any more, I promise :-)
I would use the Cisco client. Less of a headache. Yes your destination will be the address of your outside interface.


ASKER

Thank you!