Wibble_
asked on
Cisco ASA 5510 VPN configuration
I have an ASA5510 in production with 4 active VPN tunnels.
I am looking to add a couple of roadwarrior users using the Cisco VPN client - just the user bob is set up below
I did my Cisco certs a long time ago :-(
I've gotten myself stuck, and I don't want to make a mistake and kill the current branch office sessions.
This config is a mess (I know, my predecessor loved the ASDM)
Any help would really be appreciated!
: Saved
: Written by enable_15 at 08:19:11.171 UTC Tue Apr 19 2011
!
ASA Version 7.2(1)
!
hostname hola-01
domain-name bar1.foo.internal
enable password xxxx encrypted
names
!
interface Ethernet0/0
description ISP 100mbps connection for Admin internet
nameif Outside
security-level 0
ip address nnn.nnn.nnn.133 255.255.255.0
!
interface Ethernet0/1
description bar site 1 Administrative Network
nameif bar1-admin
security-level 50
ip address 10.0.16.1 255.255.255.0
!
interface Ethernet0/2
description Testing purposes only
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.4 255.255.255.0
management-only
!
passwd xxxx encrypted
banner exec Temp Access, bob close soon.
banner exec bar ASA5510
ftp mode passive
dns server-group DefaultDNS
domain-name bar1.foo.internal
same-security-traffic permit intra-interface
access-list Outside_access_in extended permit tcp any interface Outside eq smtp
access-list Outside_access_in extended permit tcp any interface Outside eq www
access-list Outside_access_in extended permit tcp any interface Outside eq https
access-list Outside_access_in extended permit tcp any interface Outside eq 3389
access-list Outside_access_in extended permit tcp any interface Outside eq 26120
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq www
access-list Outside_access_in extended permit tcp any interface Outside eq 54600
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.70 eq 3389
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq 3389
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.69 eq www
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.66 eq www
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq ftp log
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq ftp-data log
access-list Outside_access_in extended permit tcp any interface Outside eq ftp
access-list Outside_access_in extended permit tcp any interface Outside eq ftp-data
access-list Outside_access_in extended permit tcp any interface Outside eq domain
access-list Outside_access_in extended permit udp any interface Outside eq domain
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq www
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq 3389
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.70 eq 3389
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.70 eq www
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.66 eq 3389
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.70 eq smtp
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq 5003
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.64 eq 5090
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq 5003
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq 5090
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq telnet
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.65 eq www
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq 3389
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq www
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq https
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.71 eq 5003
access-list Outside_access_in extended permit udp any host ooo.ooo.ooo.71 eq 5003
access-list Outside_access_in extended permit tcp any interface Outside eq imap4
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.70 eq https
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.70 eq www
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.65 eq www
access-list Outside_access_in extended permit tcp any host ooo.ooo.ooo.65 eq 3389
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.68 eq www
access-list Outside_access_in extended permit tcp any host nnn.nnn.nnn.67 eq 3389
access-list Outside_access_in extended permit gre any host ooo.ooo.ooo.70
access-list Outside_120_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.0.20.0 255.255.255.0
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.41.0 255.255.255.0
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.40.0 255.255.255.0
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.32.0 255.255.255.0
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.20.0 255.255.255.0
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.24.0 255.255.255.0
access-list bar1-admin_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.24.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.0.24.0 255.255.255.0
access-list management_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.32.0 255.255.255.0
access-list management_nat0_outbound extended permit ip host 10.0.16.1 host 10.0.41.1
access-list management_nat0_outbound extended permit ip host nnn.nnn.nnn.133 host 4.4.4.4
access-list Outside_140_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.0.40.0 255.255.255.0
access-list management_20_cryptomap extended permit ip host 10.0.16.1 host 10.0.41.1
access-list Outside_140_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.0.41.0 255.255.255.0
pager lines 24
logging enable
logging buffered errors
logging asdm errors
mtu Outside 1500
mtu bar1-admin 1500
mtu management 1500
no failover
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (bar1-admin) 0 access-list bar1-admin_nat0_outbound
nat (bar1-admin) 1 10.0.16.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (bar1-admin,Outside) tcp interface 26120 10.0.16.98 26120 netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 www 10.0.16.22 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp interface 3389 10.0.16.98 3389 netmask 255.255.255.255
static (bar1-admin,Outside) tcp interface 54600 10.0.16.232 54600 netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.66 www 10.0.16.234 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.69 www 10.0.16.24 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 ftp 10.0.16.249 ftp netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 ftp-data 10.0.16.249 ftp-data netmask 255.255.255.255
static (bar1-admin,Outside) tcp interface www 10.0.16.247 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp interface smtp 10.0.16.247 smtp netmask 255.255.255.255
static (bar1-admin,Outside) tcp interface https 10.0.16.247 https netmask 255.255.255.255
static (bar1-admin,Outside) tcp interface ftp 10.0.16.98 ftp netmask 255.255.255.255
static (bar1-admin,Outside) tcp interface ftp-data 10.0.16.98 ftp-data netmask 255.255.255.255
static (bar1-admin,Outside) tcp interface domain 10.0.16.231 domain netmask 255.255.255.255
static (bar1-admin,Outside) udp interface domain 10.0.16.231 domain netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 3389 10.0.16.25 3389 netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 www 10.0.16.25 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.70 3389 10.0.16.27 3389 netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.70 www 10.0.16.27 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.66 3389 10.0.16.24 3389 netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.70 3389 10.0.16.201 3389 netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.70 smtp 10.0.16.27 smtp netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 5003 10.0.16.208 5003 netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.64 5090 10.0.16.208 5090 netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 5003 10.0.16.209 5003 netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 5090 10.0.16.209 5090 netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 5050 10.0.16.209 telnet netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.65 www 10.0.16.249 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 www 10.0.16.26 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 https 10.0.16.26 https netmask 255.255.255.255
static (bar1-admin,Outside) udp ooo.ooo.ooo.71 5003 10.0.16.26 5003 netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 5003 10.0.16.26 5003 netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.71 3389 10.0.16.26 3389 netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.70 https 10.0.16.248 https netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.70 www 10.0.16.248 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.65 3389 10.0.16.235 3389 netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.65 www 10.0.16.235 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.68 www 10.0.16.28 www netmask 255.255.255.255
static (bar1-admin,Outside) tcp nnn.nnn.nnn.67 3389 10.0.16.99 3389 netmask 255.255.255.255
static (bar1-admin,Outside) tcp ooo.ooo.ooo.65 https 10.0.16.31 https netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 nnn.nnn.nnn.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy roadwarrior internal
group-policy roadwarrior attributes
vpn-simultaneous-logins 3
ip-comp enable
default-domain value foo.internal
username root password xxxx encrypted privilege 15
username bob password xxxx encrypted
username bob attributes
vpn-group-policy roadwarrior
aaa authentication ssh console LOCAL
http 10.0.0.0 255.255.0.0 bar1-admin
http 10.0.24.0 255.255.255.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set roadwarrior esp-aes-256 esp-sha-hmac
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer 1.1.1.1
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 40 match address Outside_140_cryptomap
crypto map Outside_map 40 set peer 2.2.2.2
crypto map Outside_map 40 set transform-set ESP-AES-128-SHA
crypto map Outside_map 120 match address Outside_120_cryptomap
crypto map Outside_map 120 set peer 3.3.3.3
crypto map Outside_map 120 set transform-set ESP-AES-128-SHA
crypto map Outside_map 140 match address Outside_140_cryptomap_1
crypto map Outside_map 140 set peer 4.4.4.4
crypto map Outside_map 140 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable management
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 7
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 99
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
pre-shared-key key
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key key
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key key
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key key
tunnel-group roadwarrior type ipsec-ra
tunnel-group roadwarrior general-attributes
dhcp-server 10.0.16.12
tunnel-group roadwarrior ipsec-attributes
pre-shared-key key
telnet timeout 600
ssh 10.0.16.1 255.255.255.255 bar1-admin
ssh 10.0.16.0 255.255.255.0 bar1-admin
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 10.0.16.101-10.0.16.199 bar1-admin
dhcpd dns 10.0.16.12 10.0.32.11 interface bar1-admin
dhcpd wins 10.0.16.12 10.0.32.11 interface bar1-admin
dhcpd domain bar1.foo.internal interface bar1-admin
dhcpd enable bar1-admin
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3b7dbe6dc64c23431eceacc91fe4abf4
: end
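The posted config defines the roadwarrior group-policy, the user and the ipsec-ra tunnel-group, but it never binds a dynamic crypto map to Outside_map, so a client arriving from an unknown address has nothing to negotiate against, and the unused transform-set roadwarrior hints at the missing step. The delta below is an added example, not part of the original question or any answer; it assumes a constructed client pool 10.0.50.0/24, a split-tunnel list named roadwarrior_splitTunnelAcl, and a dynamic-map name Outside_dyn_map, and it leaves the four existing site-to-site entries untouched.

```cisco
! Client address pool (constructed example range, kept outside the 10.0.16.0/24 LAN)
ip local pool roadwarrior-pool 10.0.50.10-10.0.50.50 mask 255.255.255.0
!
! Exempt LAN-to-client traffic from PAT; this ACL is already applied by
! "nat (bar1-admin) 0 access-list bar1-admin_nat0_outbound" in the posted config
access-list bar1-admin_nat0_outbound extended permit ip 10.0.16.0 255.255.255.0 10.0.50.0 255.255.255.0
!
! Split tunnel: only 10.0.0.0/16 is sent through the tunnel, so the client's
! ordinary internet traffic is not hairpinned through the ASA
access-list roadwarrior_splitTunnelAcl standard permit 10.0.0.0 255.255.0.0
!
group-policy roadwarrior attributes
 vpn-tunnel-protocol IPSec
 dns-server value 10.0.16.12
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value roadwarrior_splitTunnelAcl
!
tunnel-group roadwarrior general-attributes
 address-pool roadwarrior-pool
 default-group-policy roadwarrior
 ! assumption: the local pool is the only address source, so drop the DHCP hand-off
 no dhcp-server 10.0.16.12
!
! The posted config has no dynamic crypto map, so a client connecting from an
! unknown address has nothing to negotiate against. Bind one at the lowest
! priority so the four static l2l entries (1, 40, 120, 140) are still matched first.
crypto dynamic-map Outside_dyn_map 20 set transform-set roadwarrior
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
!
! Road warriors are usually behind home or hotel NAT: encapsulate ESP in UDP/4500
! and send a NAT-T keepalive every 20 seconds
crypto isakmp nat-traversal 20
!
! In the Cisco VPN client, the Group Authentication name is "roadwarrior" and its
! password is the pre-shared-key under "tunnel-group roadwarrior ipsec-attributes";
! the user then logs in with the "username bob" credentials (XAUTH against LOCAL)
```

The existing ISAKMP policy 99 (aes-256, sha, group 2) already matches the transform-set roadwarrior, so no new policy is needed; the lines above only add to the running config and do not modify any l2l crypto map entry.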
I would use the Cisco client. Less of a headache. Yes, your destination will be the address of your outside interface.
ASKER
Thank you!
ASKER
Can I use the normal Windows (7) IPsec VPN client with this config? I have a copy of the Cisco VPN client, but can't see where to put the PSK...
Do I point it at eth0/0's address? (nnn.nnn.nnn.133)
I guess I should start another question for these questions really. I won't ask any more, I promise :-)