Solved

Allow outgoing VPN connections

Posted on 2013-02-05
490 Views
Last Modified: 2013-05-14
Hello,

I have a Cisco ASA 5520 and I need to allow users from within my network to vpn out to another company network but I believe by default the ASA won't allow any outgoing vpn connections.

Is there a particular command or port that I need to configure on the ASA to allow this outbound VPN access?
Question by:dcirona86
3 Comments

Expert Comment

by:ArneLovius
ID: 38870147
I would presume that you are only allowing specific outbound traffic.

Can you please post a suitably sanitized copy of your config.

Author Comment

by:dcirona86
ID: 38924349
ASA Version 8.0(5)
!
hostname acasa01
domain-name domain.local
enable password p0Zyg0wBQq3w4L55 encrypted
passwd p0Zyg0wBQq3w4L55 encrypted
names

name 10.20.0.101 acmgt02 description Management Server
name 10.20.1.2 DVR_1
name 10.20.1.3 DVR_2
name 10.10.0.25 mdm description MacMini Server
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 10
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 nameif sonar
 security-level 80
 ip address x.x.x.x 255.255.255.0
!            
interface GigabitEthernet0/2
 nameif servers
 security-level 90
 ip address x.x.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name gilson.vic.edu.au
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
access-list servers_pnat_outbound extended permit ip 10.20.0.0 255.255.254.0 any
access-list servers_pnat_outbound extended permit tcp any any eq pop3
access-list servers_pnat_outbound extended permit tcp any any eq imap4
access-list servers_pnat_outbound extended permit tcp any any eq 993
access-list servers_pnat_outbound extended permit udp any any eq 3478
access-list servers_pnat_outbound extended permit udp any any eq 3479
access-list servers_pnat_outbound extended permit udp any any eq 3480
access-list servers_pnat_outbound extended permit udp any any eq 3481
access-list servers_pnat_outbound extended permit udp any any eq 3482
access-list servers_pnat_outbound extended permit udp any any eq 3483
access-list servers_pnat_outbound extended permit udp any any eq 3484
access-list servers_pnat_outbound extended permit udp any any eq 3485
access-list servers_pnat_outbound extended permit udp any any eq 3486
access-list servers_pnat_outbound extended permit udp any any eq 3487
access-list servers_pnat_outbound extended permit udp any any eq 3488
access-list servers_pnat_outbound extended permit udp any any eq 3489
access-list servers_pnat_outbound extended permit udp any any eq 3490
access-list servers_pnat_outbound extended permit udp any any eq 3491
access-list servers_pnat_outbound extended permit udp any any eq 3492
access-list servers_pnat_outbound extended permit udp any any eq 3493
access-list servers_pnat_outbound extended permit udp any any eq 3494
access-list servers_pnat_outbound extended permit udp any any eq 3495
access-list servers_pnat_outbound extended permit udp any any eq 3496
access-list servers_pnat_outbound extended permit udp any any eq 3497
access-list servers_pnat_outbound extended permit udp any any eq 16384
access-list servers_pnat_outbound extended permit udp any any eq 16385
access-list servers_pnat_outbound extended permit udp any any eq 16386
access-list servers_pnat_outbound extended permit udp any any eq 16387
access-list servers_pnat_outbound extended permit udp any any eq 16393
access-list servers_pnat_outbound extended permit udp any any eq 16394
access-list servers_pnat_outbound extended permit udp any any eq 16395
access-list servers_pnat_outbound extended permit udp any any eq 16396
access-list servers_pnat_outbound extended permit udp any any eq 16397
access-list servers_pnat_outbound extended permit udp any any eq 16398
access-list servers_pnat_outbound extended permit udp any any eq 16399
access-list servers_pnat_outbound extended permit udp any any eq 16400
access-list servers_pnat_outbound extended permit udp any any eq 16401
access-list servers_pnat_outbound extended permit udp any any eq 16402
access-list servers_pnat_outbound extended permit ip host 10.10.1.23 any
access-list servers_pnat_outbound extended permit ip host 10.10.0.20 any
access-list servers_pnat_outbound extended permit ip host 10.10.0.11 any
access-list servers_pnat_outbound extended permit ip host 10.10.0.23 any
access-list servers_pnat_outbound extended permit ip host 10.10.0.147 any
access-list servers_pnat_outbound extended permit ip host 10.10.1.141 any
access-list servers_pnat_outbound extended permit ip host 10.10.1.143 any
access-list servers_pnat_outbound extended permit ip 10.50.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list servers_pnat_outbound extended permit ip host 10.10.0.21 any
access-list servers_pnat_outbound extended permit ip host mdm any
access-list servers_pnat_outbound extended permit tcp any any eq 2195
access-list servers_pnat_outbound extended permit ip host 10.10.0.40 any
access-list servers_pnat_outbound extended permit ip host 10.10.1.21 any
access-list servers_pnat_outbound extended permit ip host 10.10.1.145 any
access-list servers_pnat_outbound extended permit ip host 10.10.1.22 any
access-list servers_pnat_outbound extended permit ip host 10.10.0.150 any
access-list servers_pnat_outbound extended permit ip host 10.40.16.52 any
access-list servers_pnat_outbound extended permit ip 10.60.0.0 255.255.255.0 any
access-list servers_pnat_outbound extended permit tcp any any eq 2196
access-list servers_pnat_outbound extended permit ip host 10.10.0.146 any
access-list servers_pnat_outbound extended permit ip host 10.10.1.146 any
access-list servers_pnat_outbound extended permit ip host 10.10.1.33 any
access-list servers_pnat_outbound extended permit ip host 10.10.0.33 any
access-list servers_pnat_outbound extended permit ip host 10.10.0.145 any
access-list servers_pnat_outbound extended permit tcp any any eq 587
access-list servers_pnat_outbound extended permit tcp 10.60.0.0 255.255.255.0 any eq smtp
access-list servers_pnat_outbound extended permit tcp 10.60.0.0 255.255.255.0 any eq telnet
access-list servers_pnat_outbound extended permit tcp 10.60.0.0 255.255.255.0 any eq 587
access-list servers_pnat_outbound extended permit ip 172.16.0.0 255.255.255.0 any
access-list servers_pnat_outbound extended permit ip 172.16.1.0 255.255.255.0 any
access-list servers_pnat_outbound extended permit ip host 10.10.1.24 any
access-list servers_pnat_outbound extended permit tcp 10.20.0.0 255.255.0.0 any eq smtp
access-list servers_pnat_outbound extended permit gre 10.0.0.0 255.0.0.0 any
access-list servers_pnat_outbound extended permit tcp 10.10.0.0 255.255.255.0 any eq smtp
access-list servers_pnat_outbound extended permit tcp 10.0.0.0 255.0.0.0 any eq pptp
access-list servers_pnat_outbound extended permit ip 10.10.1.0 255.255.255.0 any
access-list servers_pnat_outbound extended permit ip host 10.40.16.10 any
access-list servers_pnat_outbound extended permit tcp 10.40.16.0 255.255.248.0 any eq smtp
access-list sonar_access_in extended permit ip 192.168.223.0 255.255.255.0 any
access-list outside_access_in_V1 extended permit tcp any eq 3389 interface outside eq 3389
access-list outside_access_in_V1 extended permit tcp any gt 1023 interface outside eq smtp
access-list outside_access_in_V1 extended permit tcp any gt 1023 interface outside eq ssh
access-list outside_access_in_V1 extended permit tcp any gt 1023 interface outside eq https
access-list outside_access_in_V1 extended permit icmp any any echo-reply
access-list outside_access_in_V1 extended permit icmp any any time-exceeded
access-list outside_access_in_V1 extended permit tcp object-group XciteLogic-Support interface outside eq ssh
access-list outside_access_in_V1 extended permit tcp any host mdm eq 2195
access-list outside_access_in_V1 extended permit tcp any host mdm eq 8443
access-list outside_access_in_V1 extended permit tcp object-group BlueReef-Support interface outside eq 222
access-list outside_access_in_V1 extended permit tcp any host 58.27.86.121
access-list outside_access_in_V1 extended permit tcp any host mdm eq 5223
access-list outside_access_in_V1 extended permit tcp host 218.185.233.66 host 10.10.0.33 eq pptp
access-list outside_access_in_V1 extended permit gre host 218.185.233.66 host 10.10.0.33
access-list server_access_in extended permit ip any any
access-list server_access_in extended permit tcp host gcex01 any eq smtp
access-list server_access_in extended permit tcp host gcex01 host x.x.x.x eq https
access-list management_nat0_outbound extended permit ip any 10.50.0.0 255.255.255.240
access-list management_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list VpnTraffic extended permit ip 10.20.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list VpnTraffic extended permit ip 10.0.0.0 255.0.0.0 192.168.69.0 255.255.255.0
access-list VpnTraffic extended permit ip 10.50.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list VpnTraffic extended permit ip 192.168.69.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VpnTraffic extended permit ip 10.10.1.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list VPN_to_HTTP remark Enables VPN connections to access internal resources
access-list VPN_to_HTTP standard permit 10.50.0.0 255.255.255.0
access-list VPN_to_HTTP standard permit 10.10.0.0 255.255.255.0
access-list VPN_to_HTTP standard permit 10.20.0.0 255.255.255.0
access-list outside_access_in_v1 extended permit tcp any host x.x.x.x eq 8443
access-list outside_access_in_v1 extended permit tcp any host 10.10.1.16 eq 993
access-list outside_access_in_v1 extended permit tcp any host 10.10.1.16 eq 587
access-list outside_access_in_v1 extended permit tcp any host 10.10.1.16 eq smtp
access-list outside_access_in_v1 extended permit tcp any eq pptp 10.10.0.0 255.255.0.0 eq pptp
access-list outside_access_in_v1 extended permit udp any eq isakmp 10.10.0.0 255.255.0.0 eq isakmp
access-list outside_access_in_v1 extended permit gre any 10.10.0.0 255.255.0.0
access-list outside_access_in_v1 extended permit esp any 10.10.0.0 255.255.0.0
access-list gilson extended permit ip 172.16.1.0 255.255.255.0 any
access-list servers_pant_outbound extended permit tcp host 10.10.1.11 any eq smtp
access-list servers_pant_outbound extended permit ip host 10.10.1.11 any
access-list REMVPN_ACL remark for rem managment
access-list REMVPN_AC standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging asdm warnings
logging device-id hostname
mtu outside 1500
mtu sonar 1500
mtu servers 1500
mtu management 1500
ip local pool VPNpool 10.50.0.2-10.50.0.12 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any servers
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (sonar) 0 access-list sonar_nat0_outbound
nat (sonar) 10 192.168.223.0 255.255.255.0
nat (servers) 0 access-list VpnTraffic
nat (servers) 10 access-list servers_pnat_outbound
nat (servers) 10 10.20.0.0 255.255.254.0
nat (management) 0 access-list management_nat0_outbound
nat (management) 10 0.0.0.0 0.0.0.0
static (servers,outside) tcp interface 3389 acmgt02 3389 netmask 255.255.255.255
static (servers,outside) tcp x.x.x.x ssh 10.20.0.31 ssh netmask 255.255.255.255
static (servers,outside) tcp x.x.x.x 56789 10.20.0.31 56789 netmask 255.255.255.255
static (servers,outside) tcp x.x.x.x www 10.20.0.31 www netmask 255.255.255.255
static (servers,outside) tcp x.x.x.x https 10.20.0.31 https netmask 255.255.255.255
static (servers,outside) tcp interface 37777 DVR_1 37777 netmask 255.255.255.255
static (servers,outside) tcp interface 37778 DVR_2 37778 netmask 255.255.255.255
static (servers,outside) tcp interface 8443 mdm 8443 netmask 255.255.255.255
static (sonar,outside) tcp interface 222 sonar-svr ssh netmask 255.255.255.255
static (servers,outside) tcp interface smtp gcex01 smtp netmask 255.255.255.255
static (servers,outside) tcp interface https gcex01 https netmask 255.255.255.255
access-group outside_access_in_V1 in interface outside
access-group sonar_access_in in interface sonar
route outside 0.0.0.0 0.0.0.0 sonar-svr 1
route servers 10.0.0.0 255.0.0.0 10.20.0.1 1
route servers 172.16.0.0 255.255.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 http server enable
http 10.20.0.0 255.255.254.0 servers
http 10.10.1.0 255.255.255.0 servers
http 10.10.1.10 255.255.255.255 servers
http 10.0.0.0 255.0.0.0 servers
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 servers
telnet 10.0.0.0 255.0.0.0 servers
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.20 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
policy-map global_policy
 class class-default
  inspect pptp
!
prompt hostname context
Cryptochecksum:25ccee6bcb314129ae83ce52a18b45b3
: end

Accepted Solution

by: ArneLovius (earned 500 total points)
ID: 38925568
In what subnet are the "clients" that need outbound access?

You could try adding
policy-map global_policy
  class inspection_default
    inspect ipsec-pass-thru


But I suspect that you will need to add

access-list servers_pnat_outbound extended permit udp <client subnet> any eq 500
access-list servers_pnat_outbound extended permit udp <client subnet> any eq 4500
access-list servers_pnat_outbound extended permit udp <client subnet> any eq 10000
access-list servers_pnat_outbound extended permit tcp <client subnet> any eq 10000
access-list servers_pnat_outbound extended permit ike <client subnet> any

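The accepted answer turns on two questions: which subnet the clients sit in, and whether their IPsec flows are matched by the servers_pnat_outbound list that the policy NAT statement references. The following is an added example, not code from this thread or from Cisco, that checks both on a constructed subset of the configuration posted above. It parses extended ACEs in the simple forms used there (any / host X / X MASK, optional eq or gt port operators, ASA "name" aliases), evaluates udp/500, udp/4500 and ESP flows first-match against the list before and after appending entries like those the answer suggests, and cross-checks every ACL name that nat and access-group lines reference against the lists actually defined, reporting referenced-but-undefined names and unused lists whose names nearly match a used one. Assumptions: 10.10.0.0/16 stands in for the answer's <client subnet>, the esp keyword (which the posted outside ACL already uses) stands in for the answer's "ike" line, and 203.0.113.10 is a placeholder peer address.

```python
import difflib
import ipaddress

# Subset of the ASA's named-port table, enough for the lines parsed here.
PORT_NAMES = {"smtp": 25, "pptp": 1723, "isakmp": 500, "ssh": 22, "https": 443}

# Constructed subset of the configuration posted in the thread.
SAMPLE_CONFIG = """\
name 10.10.0.25 mdm description MacMini Server
access-list servers_pnat_outbound extended permit ip 10.20.0.0 255.255.254.0 any
access-list servers_pnat_outbound extended permit ip host mdm any
access-list servers_pnat_outbound extended permit tcp 10.0.0.0 255.0.0.0 any eq pptp
access-list servers_pnat_outbound extended permit ip 10.10.1.0 255.255.255.0 any
access-list outside_access_in_V1 extended permit icmp any any echo-reply
access-list outside_access_in_v1 extended permit udp any eq isakmp 10.10.0.0 255.255.0.0 eq isakmp
access-list servers_pant_outbound extended permit ip host 10.10.1.11 any
nat (sonar) 0 access-list sonar_nat0_outbound
nat (servers) 10 access-list servers_pnat_outbound
access-group outside_access_in_V1 in interface outside
"""
# ACEs in the spirit of the accepted answer. 10.10.0.0/16 is an ASSUMED client
# subnet standing in for <client subnet>; 'esp' carries the ESP protocol itself.
PROPOSED_ACES = """\
access-list servers_pnat_outbound extended permit udp 10.10.0.0 255.255.0.0 any eq 500
access-list servers_pnat_outbound extended permit udp 10.10.0.0 255.255.0.0 any eq 4500
access-list servers_pnat_outbound extended permit esp 10.10.0.0 255.255.0.0 any
"""
PEER = "203.0.113.10"  # constructed placeholder for the remote VPN gateway

def _addr(t, i, names):
    """'any', 'host X' or 'X MASK' at t[i]; X may be an ASA 'name' alias."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(names.get(t[i + 1], t[i + 1]) + "/32"), i + 2
    return ipaddress.ip_network(f"{names.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):
    """Optional 'eq PORT' / 'gt PORT' operator at t[i]; None when absent."""
    if i < len(t) and t[i] in ("eq", "gt"):
        return (t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def parse_acls(config_text):
    """{acl_name: [ace, ...]} for extended ACEs in configured order. Remarks,
    standard ACLs and trailing tokens (ICMP types, 'log') are ignored."""
    names, acls = {}, {}
    for line in config_text.splitlines():
        t = line.split()
        if t[:1] == ["name"]:
            names[t[2]] = t[1]
        elif t[:1] == ["access-list"] and t[2:3] == ["extended"]:
            src, i = _addr(t, 5, names)
            sport, i = _port(t, i)
            dst, i = _addr(t, i, names)
            dport, i = _port(t, i)
            acls.setdefault(t[1], []).append({"action": t[3], "proto": t[4], "src": src,
                                              "sport": sport, "dst": dst, "dport": dport})
    return acls

def _port_ok(spec, port):
    """True when port satisfies an 'eq'/'gt' spec, or when the ACE has no port spec."""
    return spec is None or (port == spec[1] if spec[0] == "eq"
                            else port is not None and port > spec[1])

def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """First-match verdict for one flow; no match is the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]
                and _port_ok(ace["sport"], sport) and _port_ok(ace["dport"], dport)):
            return ace["action"]
    return "deny"

def policy_nat_verdicts(client_ip, extra_aces=""):
    """Verdicts for IKE (udp/500), NAT-T (udp/4500) and ESP from client_ip to PEER
    against servers_pnat_outbound, optionally with extra ACEs appended."""
    aces = parse_acls(SAMPLE_CONFIG + extra_aces)["servers_pnat_outbound"]
    flows = [("udp", 500, 500), ("udp", 4500, 4500), ("esp", None, None)]
    return [evaluate(aces, p, client_ip, PEER, sp, dp) for p, sp, dp in flows]

def acl_name_check(config_text):
    """Names referenced by nat/access-group lines but never defined, plus unused
    lists whose names nearly match a referenced one (likely typos; case-sensitive)."""
    defined, referenced = set(), set()
    for line in config_text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            defined.add(t[1])
        elif t[:1] == ["access-group"]:
            referenced.add(t[1])
        elif t[:1] == ["nat"] and "access-list" in t:
            referenced.add(t[t.index("access-list") + 1])
    lookalike = [(name, near[0]) for name in sorted(defined - referenced)
                 if (near := difflib.get_close_matches(name, sorted(referenced), n=1, cutoff=0.8))]
    return sorted(referenced - defined), lookalike

if __name__ == "__main__":
    for client in ("10.10.0.50", "10.10.1.50"):
        print(client, "before:", policy_nat_verdicts(client),
              "after:", policy_nat_verdicts(client, PROPOSED_ACES))
    print("ACL name check:", acl_name_check(SAMPLE_CONFIG))
```

Run as a script, it shows why the answer asks about the client subnet first: a client in 10.10.1.0/24 is already covered by the existing permit ip 10.10.1.0 255.255.255.0 any entry, while a client in 10.10.0.0/24 is denied for all three flows until the new entries are appended. The name check on the same lines reports sonar_nat0_outbound as referenced by a nat statement but never defined, and flags servers_pant_outbound and outside_access_in_v1 as unused lists that differ from in-use lists by a transposition or by case only; both patterns also appear in the full configuration posted above and are worth confirming on the device before adding more entries.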
