cameljoe121
asked on
Cisco ASA 5505 unable to authenticate against RADIUS, NT or other remote server
I have an ASA 5505. I recently upgraded our other server system; I am not a Cisco guy. I set up the VPN to authenticate against a remote server. I have tried RADIUS and NT, and when you test them the network credentials work. However, the only way I can give users access is to add them as a local user. Secondly, the remote users cannot access the internet via browsers on their laptops, where they could before; they can access internal resources (mail, files, etc.). So if someone can help, point me to activating remote authentication and being able to give users internet access when connected to the VPN.
ASKER
I'll have to get the config on Monday. But I configured both a RADIUS and an NT server per Cisco, and in ASDM you can test authentication against both servers successfully; but when you log in, the ASA will only authenticate against the AAA local users. Now I am not sure what step I am missing. Previously there was a group name along with the username and password when you logged in; now it's just the username and password fields. The previous server was 2003 SBS, whereas we are on Server 2012. I will post the config as soon as I can.
Did your VPN require xauth, i.e. after the two-phase VPN connection was established, does it prompt the user for additional credentials, and is that group configured to use tacacs+?
Look at the example configuration in the link to see whether your configuration is similar.
aaa authentication login xauth_list group radius|tacacs+
ASKER
I am able to authenticate via RADIUS now, but I cannot access any resources (file server, mail, or outside internet) via the VPN. Below is the running config; I am sure I screwed something up.
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name mi.local
enable password DJfn1p/lab/RLlCL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.10.10.0 MWAVE_VPN_SUBNET
name 192.168.100.141 VMServer01 description VMserver01
name 192.168.100.125 Chris
name 192.168.100.54 MIEX1
name 192.168.100.5 SERVER01
name 192.168.100.52 MIDC1.mi.local description MIDC1
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.94.51.31 255.255.255.0
!
regex domainlist1 ".\pameganslaw\.state.pa.us"
regex denied_http_domains "pameganslaw.state.pa\.us"
regex applicationheader "application/.*"
regex contenttype "content-type"
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server MIDC1.mi.local
name-server 192.168.100.53
domain-name mi.local
object-group service Server01-Services
service-object tcp eq www
service-object tcp eq smtp
service-object tcp eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit object-group Server01-Services any interface outside
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 MWAVE_VPN_SUBNET 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.100.128 255.255.255.128
access-list inside-network\24 standard permit MWAVE_VPN_SUBNET 255.255.255.0
access-list inside-network\24 standard permit any
access-list inside_access_in extended deny ip host 192.168.100.113 any inactive
access-list inside_access_in extended deny ip host Chris any inactive
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 any
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list Inside standard permit any
access-list Inside standard permit 192.168.100.0 255.255.255.0
access-list Inside standard permit MWAVE_VPN_SUBNET 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool MWAVE-VPN-IP-Assignment 10.10.10.10-10.10.10.30 mask 255.255.255.0
ip local pool MIPOOL 192.168.254.1-192.168.254.10 mask 255.255.255.0
ip local pool MWAVE_VPN_POOL 192.168.100.190-192.168.100.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp MIEX1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www MIEX1 www netmask 255.255.255.255
static (inside,outside) tcp interface https MIEX1 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.94.51.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
file-browsing enable
file-entry enable
http-proxy enable
url-entry enable
svc ask enable default svc
aaa-server MIVPN protocol radius
aaa-server MIVPN (inside) host 192.168.100.53
key *****
radius-common-pw *****
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable 8080
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign dhcp
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd domain mi.local
dhcpd update dns both
!
dhcpd address 192.168.100.190-192.168.100.200 inside
dhcpd domain mi.local interface inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
port 444
enable inside
enable outside
dtls port 444
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc profiles MIProfile disk0:/miprofile.xml
svc enable
tunnel-group-list enable
tunnel-group-preference group-url
certificate-group-map DefaultCertificateMap 10 MIVPN2
group-policy DfltGrpPolicy attributes
wins-server value 192.168.100.52 192.168.100.53
dns-server value 192.168.100.52 192.168.100.53
dhcp-network-scope 192.168.100.1
vpn-simultaneous-logins 5
vpn-filter value inside-network\24
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
re-xauth enable extended
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside-network\24
default-domain value mi.local
split-dns value 192.168.100.52
address-pools value MWAVE_VPN_POOL
webvpn
svc rekey method ssl
svc ask enable default webvpn
group-policy NEWGROUP internal
group-policy NEWGROUP attributes
wins-server value 192.168.100.52 192.168.100.53
dns-server value 192.168.100.52 192.168.100.53
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value MIVPN2
split-tunnel-policy tunnelall
split-tunnel-network-list value Inside
default-domain value mi.local
split-dns value mi.local
split-tunnel-all-dns disable
nac-settings none
address-pools value MWAVE_VPN_POOL
webvpn
url-list none
svc ask enable
username miadmin password 15
username miadmin attributes
vpn-group-policy DfltGrpPolicy
username d.whitenack password
username d.whitenack attributes
vpn-group-policy DfltGrpPolicy
username r.siegal password
username r.siegal attributes
vpn-group-policy DfltGrpPolicy
username c.vilfort password
username c.vilfort attributes
vpn-group-policy DfltGrpPolicy
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultL2LGroup general-attributes
default-group-policy NEWGROUP
tunnel-group DefaultRAGroup general-attributes
address-pool MWAVE-VPN-IP-Assignment
authentication-server-group MIVPN
dhcp-server MIDC1.mi.local
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (inside) MWAVE_VPN_POOL
address-pool MWAVE-VPN-IP-Assignment
authentication-server-group MIVPN LOCAL
authentication-server-group (inside) MIVPN LOCAL
authorization-server-group MIVPN
authorization-server-group (inside) MIVPN
dhcp-server MIDC1.mi.local
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication ms-chap-v2
tunnel-group MIVPN2 type remote-access
tunnel-group MIVPN2 general-attributes
address-pool (inside) MWAVE-VPN-IP-Assignment
address-pool MWAVE_VPN_POOL
authentication-server-group MIVPN LOCAL
authentication-server-group (inside) MIVPN LOCAL
authorization-server-group MIVPN
authorization-server-group (inside) MIVPN
default-group-policy NEWGROUP
dhcp-server MIDC1.mi.local
tunnel-group MIVPN2 webvpn-attributes
group-alias MIVPN1 enable
group-url enable
!
class-map type regex match-any Domianblocklist
match regex domainlist1
class-map type regex match-any URLBlockList
match regex domainlist1
class-map type inspect http match-all BlockUrlClass
match request header regex contenttype regex applicationheader
match request uri regex class URLBlockList
match request header host regex class Domianblocklist
class-map type regex match-any DomainDenyList
match regex denied_http_domains
class-map type inspect http match-all DenyDomainClass
match request header host regex class DomainDenyList
class-map inside-class
match access-list inside_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
description DenyDomainClass
parameters
protocol-violation action drop-connection
class DenyDomainClass
reset log
class BlockUrlClass
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map inside-policy
description httptraffic
class inside-class
inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fc7492a7a72a699a4db0ec5af172da28
: end
asdm image disk0:/asdm-649-103.bin
asdm location MWAVE_VPN_SUBNET 255.255.255.0 inside
asdm location VMServer01 255.255.255.255 inside
asdm location Chris 255.255.255.255 inside
asdm location MIEX1 255.255.255.255 inside
asdm location SERVER01 255.255.255.255 inside
asdm location MIDC1.mi.local 255.255.255.255 inside
no asdm history enable
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0
Look at the client-side network mapping; see what it has for interesting traffic and what is allowed.
I think your nat0 and your inside-network/24 is where.
Do you want to exclude all IPsec/VPN traffic from going through ACL rules?
If yes, add the networks to the nat0 rule.
If you want to control what VPN users can and cannot access, make sure to set up the ACL rules for VPN IPs to the various locations.
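The advice above comes down to one check: every address pool handed to VPN clients must be covered as a destination by the nat0 exemption ACL, or inside hosts will be NATed when they answer the client. The script below is an added example written for this thread, not code from the asker or the expert; it parses only the ASA 8.2 line shapes that appear in the posted running config (`name`, `ip local pool`, `access-list ... extended permit ip`, `nat (inside) 0 access-list`, `nameif`/`ip address`, `dhcpd address`), and the function names `parse_config` and `audit` are hypothetical. The embedded excerpt is constructed from the config posted above with the wrapped tokens rejoined. Beyond the nat0 check the thread asks for, it also flags a pool that sits inside the inside-LAN subnet or the DHCP scope, which the thread does not raise but which the posted config exhibits.

```python
# Audit an ASA 8.2-style config excerpt for VPN address-pool problems.
# Hypothetical helper for this thread; handles only the line shapes shown in the posted config.
import ipaddress
from dataclasses import dataclass

# Constructed sample: pool, NAT-exemption, interface and DHCP lines from the posted config.
SAMPLE_CONFIG = """\
name 10.10.10.0 MWAVE_VPN_SUBNET
interface Vlan1
 nameif inside
 ip address 192.168.100.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 MWAVE_VPN_SUBNET 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.100.128 255.255.255.128
ip local pool MWAVE-VPN-IP-Assignment 10.10.10.10-10.10.10.30 mask 255.255.255.0
ip local pool MIPOOL 192.168.254.1-192.168.254.10 mask 255.255.255.0
ip local pool MWAVE_VPN_POOL 192.168.100.190-192.168.100.200 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
dhcpd address 192.168.100.190-192.168.100.200 inside
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Pool:
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address


def _operand(tokens, names):
    """Consume one ACE address operand (any / host X / addr mask); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(names.get(tokens[1], tokens[1])), tokens[2:]
    addr = names.get(tokens[0], tokens[0])  # resolve "name" objects to addresses
    return ipaddress.IPv4Network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    names, pools, acls, dhcp_ranges = {}, [], {}, []
    nat0_acl, inside, cur_if = None, None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[:3] == ["ip", "local", "pool"]:
            start, end = t[4].split("-")
            pools.append(Pool(t[3], ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _operand(t[5:], names)
            dst, _ = _operand(rest, names)
            acls.setdefault(t[1], []).append(Ace(src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = t[4]
        elif t[0] == "interface":
            cur_if = None
        elif t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"] and cur_if == "inside":
            inside = ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["dhcpd", "address"]:
            s, e = t[2].split("-")
            dhcp_ranges.append((ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)))
    return pools, acls.get(nat0_acl, []), inside, dhcp_ranges


def audit(text):
    """Return {pool name: {check: bool}} for every 'ip local pool' in the excerpt."""
    pools, nat0, inside, dhcp = parse_config(text)
    findings = {}
    for p in pools:
        # NAT-exempt only if one nat0 ACE covers the whole pool as destination and
        # its source overlaps the inside LAN (the networks the expert says to add).
        exempt = any(
            p.start in a.dst and p.end in a.dst and inside is not None and a.src.overlaps(inside)
            for a in nat0
        )
        on_lan = inside is not None and p.start in inside and p.end in inside
        dhcp_clash = any(s <= p.end and p.start <= e for s, e in dhcp)
        findings[p.name] = {
            "nat0_exempt": exempt,
            "overlaps_inside_lan": on_lan,
            "overlaps_dhcp_scope": dhcp_clash,
        }
    return findings


if __name__ == "__main__":
    for name, checks in audit(SAMPLE_CONFIG).items():
        # a problem is "not nat0_exempt" or any overlap being True
        flags = [k for k, v in checks.items() if (k == "nat0_exempt") != v]
        print(f"{name}: {'OK' if not flags else ', '.join(flags)}")
```

Run against the excerpt, the 10.10.10.0/24 pool passes, MIPOOL is not covered by any nat0 ACE, and MWAVE_VPN_POOL (the pool the NEWGROUP policy actually hands out) is NAT-exempt only because of the broad `any` to 192.168.100.128/25 entry, while also overlapping both the inside LAN and the inside DHCP scope. Fixing the pool choice first makes the nat0 and vpn-filter questions much easier to reason about.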
ASKER
There are only a few VPN users, and they will have access to all of the network resources, so should I just leave the ACL blank?
ASKER CERTIFIED SOLUTION
Check whether the RADIUS servers are configured to respond to the VPN-type request.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094848.shtml