
Cisco ASA 5510 VPN configuration


I have an ASA5510 in production with 4 active VPN tunnels.

I am looking to add a couple of roadwarrior users using the Cisco VPN client - just the user bob is set up below

I did my cisco certs a long time ago :-(

I've gotten myself stuck, and I don't want to make a mistake and kill the current branch office sessions

This config is a mess (I know, my predecessor loved the ASDM)

Any help would really be appreciated!

: Saved
: Written by enable_15 at 08:19:11.171 UTC Tue Apr 19 2011
!
ASA Version 7.2(1) 
!
hostname hola-01
domain-name bar1.foo.internal
enable password xxxx encrypted
names
!
interface Ethernet0/0
 description ISP 100mbps connection for Admin internet
 nameif Outside
 security-level 0
 ip address nnn.nnn.nnn.133 255.255.255.0 
!
interface Ethernet0/1
 description bar site 1 Administrative Network
 nameif bar1-admin
 security-level 50
 ip address 10.0.16.1 255.255.255.0 
!
interface Ethernet0/2
 description Testing purposes only
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.4 255.255.255.0 
 management-only
!
passwd xxxx encrypted
banner exec Temp Access, bob close soon.
banner exec bar ASA5510
ftp mode passive
dns server-group DefaultDNS
 domain-name bar1.foo.internal
same-security-traffic permit intra-interface
access-list Outside_access_in extended permit tcp any interface Outside eq smtp 
access-list Outside_access_in extended permit tcp any interface Outside eq www 
access-list Outside_access_in extended permit tcp any interface Outside eq https 
access-list Outside_access_in extended permit tcp any interface Outside eq 3389 
access-list Outside_access_in extended permit tcp any interface Outside eq 26120 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq www 
access-list Outside_access_in extended permit tcp any interface Outside eq 54600 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.70 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.69 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.66 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq ftp log 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq ftp-data log 
access-list Outside_access_in extended permit tcp any interface Outside eq ftp 
access-list Outside_access_in extended permit tcp any interface Outside eq ftp-data 
access-list Outside_access_in extended permit tcp any interface Outside eq domain 
access-list Outside_access_in extended permit udp any interface Outside eq domain 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.70 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.70 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.66 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.70 eq smtp 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq 5003 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq 5090 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq 5003 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq 5090 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq telnet 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq www 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq 3389 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq www 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq https 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq 5003 
access-list Outside_access_in extended permit udp any host ooo.ooo.ooo.71 eq 5003 
access-list Outside_access_in extended permit tcp any interface Outside eq imap4 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.70 eq https 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.70 eq www 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.65 eq www 
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.65 eq 3389 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.68 eq www 
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq 3389 
access-list Outside_access_in extended permit gre any host ooo.ooo.ooo.70 
access-list Outside_120_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.0.20.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.41.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.40.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.32.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.20.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.24.0 255.255.255.0 
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.24.0 255.255.255.0 
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.0.24.0 255.255.255.0 
access-list management_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.32.0 255.255.255.0 
access-list management_nat0_outbound extended permit ip host 10.0.16.1 host 10.0.41.1 
access-list management_nat0_outbound extended permit ip host nnn.nnn.nnn.133 host 4.4.4.4 
access-list Outside_140_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.0.40.0 255.255.255.0 
access-list management_20_cryptomap extended permit ip host 10.0.16.1 host 10.0.41.1 
access-list Outside_140_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.0.41.0 255.255.255.0 
pager lines 24
logging enable
logging buffered errors
logging asdm errors
mtu Outside 1500
mtu bar1-admin 1500
mtu management 1500
no failover
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (bar1-admin) 0 access-list bar1-admin_nat0_outbound
nat (bar1-admin) 1 10.0.16.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (bar1-admin,Outside) tcp interface 26120 10.0.16.98 26120 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 www 10.0.16.22 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface 3389 10.0.16.98 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface 54600 10.0.16.232 54600 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.66 www 10.0.16.234 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.69 www 10.0.16.24 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 ftp 10.0.16.249 ftp netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 ftp-data 10.0.16.249 ftp-data netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface www 10.0.16.247 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface smtp 10.0.16.247 smtp netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface https 10.0.16.247 https netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface ftp 10.0.16.98 ftp netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface ftp-data 10.0.16.98 ftp-data netmask 255.255.255.255 
static (bar1-admin,Outside) tcp interface domain 10.0.16.231 domain netmask 255.255.255.255 
static (bar1-admin,Outside) udp interface domain 10.0.16.231 domain netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 3389 10.0.16.25 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 www 10.0.16.25 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.70 3389 10.0.16.27 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.70 www 10.0.16.27 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.66 3389 10.0.16.24 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.70 3389 10.0.16.201 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.70 smtp 10.0.16.27 smtp netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 5003 10.0.16.208 5003 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 5090 10.0.16.208 5090 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 5003 10.0.16.209 5003 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 5090 10.0.16.209 5090 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 5050 10.0.16.209 telnet netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 www 10.0.16.249 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 www 10.0.16.26 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 https 10.0.16.26 https netmask 255.255.255.255 
static (bar1-admin,Outside) udp ooo.ooo.ooo.71 5003 10.0.16.26 5003 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 5003 10.0.16.26 5003 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 3389 10.0.16.26 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.70 https 10.0.16.248 https netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.70 www 10.0.16.248 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.65 3389 10.0.16.235 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.65 www 10.0.16.235 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.68 www 10.0.16.28 www netmask 255.255.255.255 
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 3389 10.0.16.99 3389 netmask 255.255.255.255 
static (bar1-admin,Outside) tcp ooo.ooo.ooo.65 https 10.0.16.31 https netmask 255.255.255.255 
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 nnn.nnn.nnn.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy roadwarrior internal
group-policy roadwarrior attributes
 vpn-simultaneous-logins 3
 ip-comp enable
 default-domain value foo.internal
username root password xxxx encrypted privilege 15
username bob password xxxx encrypted
username bob attributes
 vpn-group-policy roadwarrior
aaa authentication ssh console LOCAL 
http 10.0.0.0 255.255.0.0 bar1-admin
http 10.0.24.0 255.255.255.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set roadwarrior esp-aes-256 esp-sha-hmac 
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer 1.1.1.1 
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 40 match address Outside_140_cryptomap
crypto map Outside_map 40 set peer 2.2.2.2 
crypto map Outside_map 40 set transform-set ESP-AES-128-SHA
crypto map Outside_map 120 match address Outside_120_cryptomap
crypto map Outside_map 120 set peer 3.3.3.3 
crypto map Outside_map 120 set transform-set ESP-AES-128-SHA
crypto map Outside_map 140 match address Outside_140_cryptomap_1
crypto map Outside_map 140 set peer 4.4.4.4 
crypto map Outside_map 140 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable management
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 7
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 99
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
 pre-shared-key key
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key key
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key key
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key key
tunnel-group roadwarrior type ipsec-ra
tunnel-group roadwarrior general-attributes
 dhcp-server 10.0.16.12
tunnel-group roadwarrior ipsec-attributes
 pre-shared-key key
telnet timeout 600
ssh 10.0.16.1 255.255.255.255 bar1-admin
ssh 10.0.16.0 255.255.255.0 bar1-admin
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 10.0.16.101-10.0.16.199 bar1-admin
dhcpd dns 10.0.16.12 10.0.32.11 interface bar1-admin
dhcpd wins 10.0.16.12 10.0.32.11 interface bar1-admin
dhcpd domain bar1.foo.internal interface bar1-admin
dhcpd enable bar1-admin
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:3b7dbe6dc64c23431eceacc91fe4abf4
: end

Asked by Wibble_

2 Solutions

Ken Boone (Network Consultant) commented:
First you need to set up a local pool of IP addresses for the VPN users:

ip local pool VPN-Pool 172.16.1.10-172.16.1.20

Then you need to set up a no-NAT rule so that devices on the inside can reach the VPN pool:

access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 172.16.1.0 255.255.255.0


Then add these crypto statements to enable the ipsec components of the vpn tunnel:

crypto dynamic-map outside_dyn_map 5 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Outside_map interface Outside


Update your group policy to include DNS

group-policy roadwarrior attributes
  dns-server value x.x.x.x x.x.x.x

Update your tunnel group to include the following:

tunnel-group roadwarrior type ipsec-ra
tunnel-group roadwarrior general-attributes
 address-pool VPN-Pool
 authentication-server-group LOCAL
 default-group-policy roadwarrior
tunnel-group roadwarrior ipsec-attributes
 pre-shared-key key

fritz5150 commented:
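As an added check that is not part of the thread: a small Python script that reads a pasted ASA 7.2 config and reports whether each remote-access piece Ken lists is present (the pool, a NAT-exemption ACL entry that actually covers the pool and is referenced by a `nat (...) 0`, a dynamic map attached to the static crypto map, ISAKMP enabled on the interface the map is bound to, and an ipsec-ra tunnel-group handing out that pool). The sample config is constructed from the question plus the answer's lines; the function names are mine, not Cisco's.

```python
import ipaddress
import re
# Constructed sample (not the poster's full running-config): the lines from the
# question that matter for remote access plus the lines the answer says to add.
SAMPLE_CONFIG = """\
ip local pool VPN-Pool 172.16.1.10-172.16.1.20
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 172.16.1.0 255.255.255.0
nat (bar1-admin) 0 access-list bar1-admin_nat0_outbound
crypto dynamic-map outside_dyn_map 5 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
tunnel-group roadwarrior type ipsec-ra
tunnel-group roadwarrior general-attributes
 address-pool VPN-Pool
"""

def check_ra_vpn(cfg):
    """Map each remote-access prerequisite to True/False for this config text."""
    pool = re.search(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)
    if pool is None:
        return {"pool_defined": False}
    r = {"pool_defined": True}
    name = pool.group(1)
    lo, hi = ipaddress.ip_address(pool.group(2)), ipaddress.ip_address(pool.group(3))
    # NAT exemption: an entry of an ACL referenced by "nat (...) 0" must cover the
    # whole pool, otherwise inside hosts get PATed towards the VPN clients.
    r["pool_nat_exempt"] = False
    acl_re = r"^access-list (\S+) extended permit ip \S+ \S+ ([\d.]+) ([\d.]+)\s*$"
    for acl, dst, mask in re.findall(acl_re, cfg, re.M):
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        if lo in net and hi in net and re.search(rf"^nat \(\S+\) 0 access-list {re.escape(acl)}", cfg, re.M):
            r["pool_nat_exempt"] = True
    # Dynamic crypto map (peers with unknown addresses) hooked into the static map
    dyn = re.search(r"^crypto dynamic-map (\S+) \d+ set transform-set \S+", cfg, re.M)
    r["dynamic_map_attached"] = bool(dyn) and bool(re.search(
        rf"^crypto map \S+ \d+ ipsec-isakmp dynamic {re.escape(dyn.group(1))}", cfg, re.M))
    # The crypto map must be bound to an interface on which ISAKMP is enabled
    bind = re.search(r"^crypto map \S+ interface (\S+)", cfg, re.M)
    r["isakmp_on_bound_interface"] = bool(bind) and bool(re.search(
        rf"^crypto isakmp enable {re.escape(bind.group(1))}", cfg, re.M | re.I))
    # An ipsec-ra tunnel-group whose general-attributes hand out this pool
    r["tunnel_group_uses_pool"] = any(
        f" address-pool {name}\n" in body
        and re.search(rf"^tunnel-group {re.escape(tg)} type ipsec-ra", cfg, re.M)
        for tg, body in re.findall(r"^tunnel-group (\S+) general-attributes\n((?: .*\n)*)", cfg, re.M))
    return r

def vpn_ready(cfg):
    return all(check_ra_vpn(cfg).values())
```

Run it against `show running-config` output before and after pasting the new lines; a False in the dictionary names the piece that is still missing, which is what bites when the client connects but cannot reach anything inside.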
...and you almost forgot

username bob password xxxx encrypted
username bob attributes
 vpn-group-policy roadwarrior

Set each user up as above, changing the username and password as required for each user.

Wibble_ (Author) commented:
That's great, thanks guys.

Can I use the normal Windows (7) IPsec VPN client with this config? I have a copy of the Cisco VPN client, but can't see where to put the PSK...
Do I point it at eth0/0's address? (nnn.nnn.nnn.133)

I guess I should start another question for these questions really. I won't ask any more, I promise :-)

fritz5150 commented:
I would use the Cisco client. Less of a headache. Yes your destination will be the address of your outside interface.

Wibble_ (Author) commented:
Thank you!