Link to home
Start Free TrialLog in
Avatar of smccurnin
smccurninFlag for United States of America

asked on

RRAS behind Cisco AS505 ASA V8.2(5)

Can anyone explain setting this up through the ASA interface? I'm trying to tunnel through this router to my RRAS box for VPN connections. I'm not a Cisco command line expert so I haven't tried to use the one's out there. A step by step through the ASA setup steps would be greatly appreciated.

I'm aware I need to forward GRE and IP port 1723 to my RRAS box. Seems like I keep losing internet connectivity when I do this.

Thanks in advance....
Avatar of ArneLovius
Flag of United Kingdom of Great Britain and Northern Ireland image

Avatar of smccurnin


Found that pretty early on, was looking for instructions on using the web interface. Thanks though.
It is simpler to go through the steps on the command line than it is to do it in ASDM.

There is no "web interface" for the ASA firewall.

It would be easier to help you if you posted a suitably sanitised copy of your config

this might be of help in sanitising your config
I'll run some stuff I've found already through the CLI and if it doesn't work I'll post the config output if needed. I was hoping to avoid the command line.

take a backup first, either  tools | backup in ASDM

or in a console "copy run backup<date/time/otheridentifier>"

or to copy it off the ASA "copy run tftp"
Ok here's the output of show running-config. Hopefully it's sanitized properly.
Thanks in advance :)

ASA Version 8.2(5)
hostname ciscoasa
domain-name EXAMPLE.local
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
name Gateway description Public Gateway
name InternalGateway
name XXXHosting
name Internal_Network_XXXHosting
name EXAMPLE-Ras-Norfolk description Ras VPN Server
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address InternalGateway
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name EXAMPLE.local
object-group service L2TP tcp
 port-object eq 1701

object-group service PPTP tcp
 port-object eq 47
access-list outside_1_cryptomap extended permit ip Internal_Network_XXXHosting
access-list outside_1_cryptomap extended permit ip Internal_Network_XXXHosting
access-list inside_nat0_outbound extended permit ip Internal_Network_XXXHosting
access-list inside_nat0_outbound extended permit ip Internal_Network_XXXHosting
access-list outside_access_in extended permit tcp any interface outside eq 1701
access-list outside_access_in extended permit udp any interface outside eq isakmp
access-list outside_access_in extended permit gre any host EXAMPLE-Ras-Norfolk
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group outside_access_in in interface outside
route outside Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XX.140.60.100 <XX redacted>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

dhcpd address inside
dhcpd dns interface inside
dhcpd lease 86400 interface inside
dhcpd domain EXAMPLE.Local interface inside
dhcpd option 3 ip interface inside
dhcpd option 6 ip interface inside
dhcpd option 15 ascii EXAMPLE.Local interface inside
dhcprelay server inside
dhcprelay enable outside
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server source inside prefer
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 null-sha1
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
username USER password  XXXXXXXX encrypted privilege 15
username USER password XXXXXXX  encrypted privilege 15
tunnel-group XX.140.60.100 type ipsec-l2l <XX redacted>
tunnel-group XX.140.60.100 ipsec-attributes <"XX"redacted>
 pre-shared-key *****
class-map global-class
 match any
policy-map global-policy
 class global-class
  inspect pptp
  set connection random-sequence-number disable
service-policy global-policy global
prompt hostname context
call-home reporting anonymous
 contact-name Isis
 phone-number 804-762-4200
 sender from
 street-address 2727 Enterprise Parkway, Suite 100 Richmond VA 23294
 mail-server priority 1
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
Avatar of ArneLovius
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thanks! That was fast. I'll try this later after hours and report back.
Great clear explanation! Thanks again. We're up and running. :)