Solved

Cisco ASA Remote Access VPN to DMZ

Posted on 2013-11-25
Last Modified: 2013-12-02
Hello,

I have a 5520 with 3 physical interfaces - outside, inside, dmz.

The dmz interface has been sub-ed out into 3 other interfaces.

Everything else is working fine,

I would like to know how to configure a remote access vpn to one of the sub-dmz segments from a windows 7 laptop.

Thanks.
Question by:netcmh
LVL 35

Expert Comment

by:Ernie Beek
ID: 39676876
Simply put, you just configure it like you would using the physical interface. Only now you use the subinterface instead of the real interface.
LVL 20

Author Comment

by:netcmh
ID: 39677393
A step by step would be appreciated.
LVL 35

Expert Comment

by:Ernie Beek
ID: 39677427
Ok, let's see:

ip local pool VPN-pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_28
 subnet 192.168.100.0 255.255.255.240
object network NETWORK_OBJ_192.168.200.0_24
 subnet 192.168.200.0 255.255.255.0
username ra-user password rauserpass privilege 0
username ra-user attributes
 vpn-group-policy RA-VPN
exit
group-policy RA-VPN internal
group-policy RA-VPN attributes
 vpn-tunnel-protocol ikev1
 dns-server value 192.168.1.1
 default-domain value default.domain.invalid
exit
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy RA-VPN
 address-pool VPN-pool
tunnel-group RA-VPN ipsec-attributes
 ikev1 pre-shared-key mypresharedkey
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
nat (inside,outside) 3 source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.168.100.0_28 NETWORK_OBJ_192.168.100.0_28 no-proxy-arp route-lookup



Of course you'll need to make some changes to fit this to your own situation.

192.168.100.1-192.168.100.10: ip pool for RA clients
username ra-user password rauserpass privilege 0: using a local user for authentication
ikev1 pre-shared-key mypresharedkey: preshared key for the RA-VPN group
nat (inside,outside) etc. : NAT exempt for VPN traffic (replace the interface names with the names of your interfaces, I used default names here).

This is the setup for an RA VPN using the cisco secure VPN client. I created this one for a 9.x ASA. Commands may vary a bit depending on what version your ASA is.

You can also use the wizard in the ASDM to create a similar setup.
LVL 20

Author Comment

by:netcmh
ID: 39677503
Sorry, but can you give me the steps in 8.2? Thanks
LVL 35

Expert Comment

by:Ernie Beek
ID: 39677650
That should be something like:

access-list splitvpn standard permit 10.254.254.0 255.255.255.0
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool VPNPool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy remotevpn internal
group-policy remotevpn attributes
 dns-server value 10.254.254.10
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 split-dns value petenetlive.com
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
 vpn-group-policy remotevpn
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool VPNPool
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key thisisthepresharedkey


Of course you have to make some adjustments to reflect your own setup.

I got this from the site of my esteemed expert colleague PeteLong: http://www.petenetlive.com/KB/Article/0000070.htm
Have a look at it, lots of nice examples to be found there.
LVL 20

Author Comment

by:netcmh
ID: 39677653
So, the question is how do I get a remote access VPN session initiated from the outside to only talk with the DMZ segment, and not the inside?

Thanks
LVL 35

Expert Comment

by:Ernie Beek
ID: 39677663
Ah, we crossed each other.

You'll need to replace the interface names, so dmz instead of inside.
LVL 20

Author Comment

by:netcmh
ID: 39677802
I tried that, and it still will not allow the external laptop to connect to the DMZ server. The Cisco VPN client does get connected, but beyond that it does not allow the connection through.
LVL 35

Expert Comment

by:Ernie Beek
ID: 39677858
Could you show us a sanitized copy of your config as it is now?
LVL 20

Author Comment

by:netcmh
ID: 39677935
ip local pool EXT_Pool_Split 10.100.6.1-10.100.6.15 mask 255.255.255.248

access-list EXT_Remote_Split standard permit host 172.16.14.11
access-list EXT_DMZINT_2_NoNAT extended permit ip host 172.16.14.11 10.100.6.0 255.255.255.248

nat (DMZINT_2) 0 access-list EXT_DMZINT_2_NoNAT

group-policy EXT_Remote_Policy internal
group-policy EXT_Remote_Policy attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value EXT_Remote_Split
exit

tunnel-group EXT_Tunnel_Remote_Split type remote-access
tunnel-group EXT_Tunnel_Remote_Split general-attributes
  default-group-policy EXT_Remote_Policy
  address-pool EXT_Pool_Split
tunnel-group EXT_Tunnel_Remote_Split ipsec-attributes
  pre-shared-key *********
exit

username remoteuser password ********* priv 1

crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map IPSec_Map 500 ipsec-isakmp dynamic dynmap
crypto map IPSec_Map interface outside

crypto isakmp policy 40
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 3600
exit
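The two 8.2 configurations in this thread (the PeteNetLive-derived one and the asker's sanitized one) can be checked mechanically for the mismatches that leave an IPsec client connected but unable to pass traffic: a pool name that does not resolve, a NAT-exempt access-list that does not cover the whole pool, a split-tunnel list that does not exist. The Python below is an added example written for this thread, not Cisco tooling and not something either participant posted. It embeds the relevant lines of both configs and reports that the expert's `address-pool vpnpool` does not match the pool defined as `VPNPool` (ASA object and pool names are case-sensitive), and that the asker's pool range 10.100.6.1-10.100.6.15 runs past the 10.100.6.0/29 that the NoNAT access-list exempts, so a client handed .8-.15 would still be NATed towards the DMZ host.

```python
"""ASA 8.2 remote-access VPN consistency checks. Added example for this thread
(not Cisco tooling, not posted by the participants): finds mismatches that
leave the IPsec client connected but unable to reach the DMZ host."""
import ipaddress
import re

# Lines excerpted from the two 8.2 configurations posted in the thread.
EXPERT_CFG = """
access-list splitvpn standard permit 10.254.254.0 255.255.255.0
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool VPNPool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy remotevpn attributes
 split-tunnel-network-list value splitvpn
tunnel-group remotevpn general-attributes
 address-pool vpnpool
"""
ASKER_CFG = """
ip local pool EXT_Pool_Split 10.100.6.1-10.100.6.15 mask 255.255.255.248
access-list EXT_Remote_Split standard permit host 172.16.14.11
access-list EXT_DMZINT_2_NoNAT extended permit ip host 172.16.14.11 10.100.6.0 255.255.255.248
nat (DMZINT_2) 0 access-list EXT_DMZINT_2_NoNAT
group-policy EXT_Remote_Policy attributes
  split-tunnel-network-list value EXT_Remote_Split
tunnel-group EXT_Tunnel_Remote_Split general-attributes
  address-pool EXT_Pool_Split
"""


def _operand(tokens, i):
    """Read one ACE address operand ('host A', 'any' or 'A MASK') at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_asa(config):
    """Collect pools, ACL entries, nat 0 bindings and the pool / split-list
    names referenced from tunnel-groups and group-policies."""
    cfg = {"pools": {}, "acls": {}, "nat0": {}, "tg_pool": {}, "split_lists": {}}
    section = None  # tunnel-group / group-policy whose sub-commands follow
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"access-list (\S+) (extended|standard) permit (.+)", line):
            tokens = m[3].split()
            if m[2] == "extended":
                tokens = tokens[1:]  # drop the protocol keyword
            cfg["acls"].setdefault(m[1], []).append(tokens)
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"][m[1]] = m[2]
        elif m := re.match(r"(?:tunnel-group|group-policy) (\S+) ", line):
            section = m[1]
        elif m := re.match(r"address-pool (\S+)", line):
            cfg["tg_pool"][section] = m[1]
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            cfg["split_lists"][section] = m[1]
    return cfg


def check(cfg):
    """Return human-readable findings; an empty list means the pieces agree."""
    findings = []
    # 1. ASA names are case-sensitive: 'vpnpool' does not resolve to 'VPNPool'.
    for tg, pool in cfg["tg_pool"].items():
        if pool not in cfg["pools"]:
            findings.append(f"tunnel-group {tg}: address-pool '{pool}' is not defined "
                            f"(defined: {sorted(cfg['pools'])})")
    # 2. Every address the pool can hand out must be NAT-exempt. In a nat 0 ACL
    #    the source is the local network and the destination is the VPN pool.
    for iface, acl in cfg["nat0"].items():
        dsts = []
        for tokens in cfg["acls"].get(acl, []):
            _src, i = _operand(tokens, 0)
            dsts.append(_operand(tokens, i)[0])
        for name, (first, last) in cfg["pools"].items():
            gap = [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)
                   if not any(ipaddress.IPv4Address(n) in d for d in dsts)]
            if gap:
                findings.append(f"nat ({iface}) 0 {acl}: pool {name} addresses "
                                f"{gap[0]}-{gap[-1]} are not NAT-exempt")
    # 3. A split-tunnel list that does not exist pushes no route to the client.
    for gp, lst in cfg["split_lists"].items():
        if lst not in cfg["acls"]:
            findings.append(f"group-policy {gp}: split-tunnel list '{lst}' is not defined")
    return findings


if __name__ == "__main__":
    for label, text in ("expert", EXPERT_CFG), ("asker", ASKER_CFG):
        print(f"== {label} ==", *(check(parse_asa(text)) or ["consistent"]), sep="\n  ")
```

Neither finding would stop the IKE negotiation, which is why the Cisco VPN client reports "connected" in both cases; the breakage only shows up once the client tries to send traffic, which is the symptom described in the thread.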
LVL 35

Expert Comment

by:Ernie Beek
ID: 39678015
Hehehe, that's a bit too sanitized :)

If possible I would like to see a more complete config.
LVL 20

Author Comment

by:netcmh
ID: 39678108
Since it's huge, I can't sanitize it enough. What are you looking for? I can get those pieces out comparatively faster.
LVL 20

Author Comment

by:netcmh
ID: 39678573
Hello?
LVL 35

Expert Comment

by:Ernie Beek
ID: 39678731
Different timezone?
Time for dinner and putting my son to bed ;)

I'll try to check later this evening.
LVL 20

Author Comment

by:netcmh
ID: 39679253
So, I'm attaching an oversimplified picture of my setup. Hoping that someone can give me the entire commands to get this to work.

I have a L3 switch, which has routing configuration for the various segments. I have an ASA 5520 with 8.2 IOS. I have a DMZ segment which has been subinterfaced into 5 different segments and none of them should be able to talk to each other. And, I have the company LAN on the inside.

I was able to, with the config pasted above, get the Cisco VPN client connected. But, I still can't get the VPN-ed in client to talk with the DMZ server.

Thanks
Drawing1.jpg
LVL 35

Accepted Solution

by:Ernie Beek (earned 500 total points)
ID: 39682968
Did you have a look at the (ASDM) logs to see if something shows up there what might give you a clue?
LVL 20

Author Comment

by:netcmh
ID: 39689643
Got it figured out. Had a route missing on the switch back to the VPN IP pool.

Thanks for your help. I'll grant you points for helping, but this was the solution.
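The asker's final diagnosis, a route missing on the L3 switch back to the VPN pool, is the classic asymmetric-return failure: the ASA delivers the decrypted client packet out the DMZ subinterface, the server replies to its gateway on the switch, and the switch, knowing nothing about 10.100.6.0/29, follows its default route towards a different ASA interface, where the ASA drops the reply because it arrives on an interface other than the one the connection was built on. The Python below is an added example written for this thread, not part of any post: it models both forwarding decisions and checks that they agree. Transit addresses, interface names and VLAN names are constructed; only the pool (10.100.6.0/29), the server (172.16.14.11) and the interface name DMZINT_2 come from the question.

```python
"""Return-path check for a remote-access VPN pool behind an ASA DMZ subinterface.

Added example, not from the thread. Transit addresses and VLAN names below are
constructed; the pool, the server and the DMZINT_2 name come from the question.
"""
import ipaddress
import re

# ASA side: interface addresses (constructed) and static routes in ASA syntax.
ASA_IF_ADDR = {"inside": "10.100.1.1", "DMZINT_2": "10.100.2.1"}
ASA_ROUTES = """
route DMZINT_2 172.16.14.0 255.255.255.0 10.100.2.2
route inside 192.168.0.0 255.255.0.0 10.100.1.2
"""

# L3 switch before the fix. Connected subnets are written as interface routes
# for the model; everything unknown follows the default towards the ASA inside.
SWITCH_BEFORE = """
ip route 172.16.14.0 255.255.255.0 Vlan14
ip route 10.100.1.0 255.255.255.252 Vlan11
ip route 10.100.2.0 255.255.255.252 Vlan12
ip route 0.0.0.0 0.0.0.0 10.100.1.1
"""
# After the fix: one static for the VPN pool pointing at the ASA DMZINT_2 address.
SWITCH_AFTER = SWITCH_BEFORE + "ip route 10.100.6.0 255.255.255.248 10.100.2.1\n"


def parse_ios(text):
    """'ip route NET MASK NEXTHOP' -> [(network, nexthop)]."""
    return [(ipaddress.IPv4Network(f"{m[1]}/{m[2]}"), m[3])
            for m in re.finditer(r"^\s*ip route (\S+) (\S+) (\S+)", text, re.M)]


def parse_asa_routes(text):
    """'route IFACE NET MASK GW' -> [(network, (iface, gw))]."""
    return [(ipaddress.IPv4Network(f"{m[2]}/{m[3]}"), (m[1], m[4]))
            for m in re.finditer(r"^\s*route (\S+) (\S+) (\S+) (\S+)", text, re.M)]


def lookup(table, dst):
    """Longest-prefix match; returns the matching route's next-hop value or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, nh in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def return_path_ok(asa_routes, asa_if_addr, switch_routes, client_ip, server_ip):
    """Forward: the ASA interface that carries client traffic to the server.
    Reverse: the switch must hand the server's reply to that interface's address.
    Returns (ok, detail)."""
    fwd = lookup(asa_routes, server_ip)
    if fwd is None:
        return False, f"ASA has no route to {server_ip}"
    egress_if, _gw = fwd
    rev = lookup(switch_routes, client_ip)
    if rev is None:
        return False, f"switch has no route to {client_ip}"
    expected = asa_if_addr[egress_if]
    if rev != expected:
        return False, (f"switch forwards replies for {client_ip} to {rev}, but the ASA "
                       f"delivered the client via {egress_if} ({expected}): asymmetric, dropped")
    return True, f"symmetric via {egress_if} ({expected})"


if __name__ == "__main__":
    asa = parse_asa_routes(ASA_ROUTES)
    for label, text in ("before fix", SWITCH_BEFORE), ("after fix", SWITCH_AFTER):
        ok, detail = return_path_ok(asa, ASA_IF_ADDR, parse_ios(text), "10.100.6.3", "172.16.14.11")
        print(f"{label}: {'OK' if ok else 'BROKEN'} - {detail}")
```

The check is the same one to run by hand with `show route` on the ASA and `show ip route 10.100.6.3` on the switch: the switch's next hop for a pool address must be the ASA address on the interface the VPN traffic left from, not the default gateway.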