  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1849

Cisco ASA Remote Access VPN to DMZ

Hello,

I have a 5520 with 3 physical interfaces - outside, inside, dmz.

The dmz interface has been sub-ed out into 3 other interfaces.

Everything else is working fine,

I would like to know how to configure a remote access vpn to one of the sub-dmz segments from a windows 7 laptop.

Thanks.
0
Asked by netcmh
1 Solution
 
Ernie BeekCommented:
Simply put, you just configure it like you would using the physical interface. Only now you use the subinterface instead of the real interface.
0
 
netcmhAuthor Commented:
A step by step would be appreciated.
0
 
Ernie BeekCommented:
Ok, let's see:

ip local pool VPN-pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_28
 subnet 192.168.100.0 255.255.255.240
username ra-user password rauserpass privilege 0
username ra-user attributes
 vpn-group-policy RA-VPN
exit
group-policy RA-VPN internal
group-policy RA-VPN attributes
 vpn-tunnel-protocol ikev1
 dns-server value 192.168.1.1
 default-domain value default.domain.invalid
exit
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy RA-VPN
 address-pool  VPN-pool
tunnel-group RA-VPN ipsec-attributes
 ikev1 pre-shared-key mypresharedkey
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  ikev1 transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
nat (inside,outside) 3 source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.168.100.0_28 NETWORK_OBJ_192.168.100.0_28 no-proxy-arp route-lookup



Of course you'll need to make some changes to fit this to your own situation.

192.168.100.1-192.168.100.10: IP pool for RA clients
username ra-user password rauserpass privilege 0: using a local user for authentication
ikev1 pre-shared-key mypresharedkey: pre-shared key for the RA-VPN group
nat (inside,outside) etc.: NAT exemption for VPN traffic (replace the interface names with the names of your interfaces; I used default names here).

This is the setup for an RA VPN using the Cisco secure VPN client. I created this one for a 9.x ASA. Commands may vary a bit depending on what version your ASA is.

You can also use the wizard in the ASDM to create a similar setup.
0
netcmhAuthor Commented:
Sorry, but can you give me the steps in 8.2? Thanks
0
 
Ernie BeekCommented:
That should be something like:

access-list splitvpn standard permit 10.254.254.0 255.255.255.0
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool VPNPool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.254.254.10
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitvpn
split-dns value petenetlive.com
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
vpn-group-policy remotevpn
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool VPNPool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey


Of course you have to make some adjustments to reflect your own setup.

I got this from the site of my esteemed expert colleague PeteLong: http://www.petenetlive.com/KB/Article/0000070.htm
Have a look at it, lots of nice examples to be found there.
0
 
netcmhAuthor Commented:
So, the question is how do I get a remote access VPN session initiated from the outside to only talk with the DMZ segment, and not the inside?

Thanks
0
 
Ernie BeekCommented:
Ah, we crossed each other.

You'll need to replace the interface names, so dmz instead of inside.
0
 
netcmhAuthor Commented:
I tried that, and it still will not allow the external laptop to connect to the DMZ server. The Cisco VPN client does get connected, but beyond that it does not allow the connection through.
0
 
Ernie BeekCommented:
Could you show us a sanitized copy of your config as it is now?
0
 
netcmhAuthor Commented:
ip local pool EXT_Pool_Split 10.100.6.1-10.100.6.15 mask 255.255.255.248

access-list EXT_Remote_Split standard permit host 172.16.14.11
access-list EXT_DMZINT_2_NoNAT extended permit ip host 172.16.14.11 10.100.6.0 255.255.255.248

nat (DMZINT_2) 0 access-list EXT_DMZINT_2_NoNAT

group-policy EXT_Remote_Policy internal
group-policy EXT_Remote_Policy attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value EXT_Remote_Split
exit

tunnel-group EXT_Tunnel_Remote_Split type remote-access
tunnel-group EXT_Tunnel_Remote_Split general-attributes
  default-group-policy EXT_Remote_Policy
  address-pool EXT_Pool_Split
tunnel-group EXT_Tunnel_Remote_Split ipsec-attributes
  pre-shared-key *********
exit

username remoteuser password ********* priv 1

crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map IPSec_Map 500 ipsec-isakmp dynamic dynmap
crypto map IPSec_Map interface outside

crypto isakmp policy 40
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 3600
exit
0
 
Ernie BeekCommented:
Hehehe, that's a bit too sanitized :)

If possible I would like to see a more complete config.
0
 
netcmhAuthor Commented:
Since it's huge, I can't sanitize it enough. What are you looking for, I can get those pieces out comparatively faster.
0
 
netcmhAuthor Commented:
Hello?
0
 
Ernie BeekCommented:
Different timezone?
Time for dinner and putting my son to bed ;)

I'll try to check later this evening.
0
 
netcmhAuthor Commented:
So, I'm attaching an oversimplified picture of my setup. Hoping that someone can give me the entire commands to get this to work.

I have a L3 switch, which has routing configuration for the various segments. I have an ASA 5520 with 8.2 IOS. I have a DMZ segment which has been subinterfaced into 5 different segments and none of them should be able to talk to each other. And, I have the company LAN on the inside.

I was able to, with the config pasted above, get the Cisco VPN client connected. But, I still can't get the VPN-ed in client to talk with the DMZ server.

Thanks
Drawing1.jpg
0
 
Ernie BeekCommented:
Did you have a look at the (ASDM) logs to see if something shows up there what might give you a clue?
0
 
netcmhAuthor Commented:
Got it figured out. Had a route missing on the switch back to the VPN IP pool.

Thanks for your help. I'll grant you points for helping, but this was the solution.
0
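The thread ends with "client connects, but cannot reach the DMZ host", and the three usual causes on an 8.2 ASA are all visible in the snippets above: the nat (ifc) 0 exemption not covering the whole client pool, the split-tunnel ACL not including the host, and (the fix netcmh found) the L3 switch having no route for the pool back to the ASA's DMZ subinterface. The script below is an added example written for this page, not code posted in the thread; it parses the sanitized 8.2 snippet netcmh posted and runs those three checks against it. The switch routing table, the ASA DMZINT_2 subinterface address 172.16.14.2 and the core gateway 172.16.14.1 are constructed for the example and are not from the thread, and only the "extended permit ip SRC DST" ACL form is handled.

```python
"""Consistency checks for an ASA 8.2 remote-access VPN that lands on a DMZ subinterface.

Added example for this thread, not code posted in it. It models the three things that
give the symptom "Cisco VPN Client connects, but the DMZ host is unreachable":
  1. the 'nat (dmz_ifc) 0 access-list' NAT exemption does not cover the whole client pool;
  2. the split-tunnel ACL does not include the DMZ host, so the client never tunnels to it;
  3. the L3 switch behind the DMZ has no route for the pool pointing back at the ASA.
Only the 'access-list NAME extended permit ip SRC DST' form is parsed; port clauses are not.
"""
import ipaddress

# Sanitised 8.2 snippet from the thread, used here as sample input.
ASA_CONFIG = """
ip local pool EXT_Pool_Split 10.100.6.1-10.100.6.15 mask 255.255.255.248
access-list EXT_Remote_Split standard permit host 172.16.14.11
access-list EXT_DMZINT_2_NoNAT extended permit ip host 172.16.14.11 10.100.6.0 255.255.255.248
nat (DMZINT_2) 0 access-list EXT_DMZINT_2_NoNAT
group-policy EXT_Remote_Policy attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value EXT_Remote_Split
"""

# Assumed addressing (not in the thread): the ASA's DMZINT_2 subinterface IP and the
# L3 switch's default gateway.
ASA_DMZ_IP = "172.16.14.2"
CORE_GATEWAY = "172.16.14.1"


def _addr_clause(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull pools, ACLs, NAT exemptions and the split-tunnel list out of an 8.2 config."""
    cfg = {"pools": {}, "acls": {}, "nat_exempt": {}, "split_acl": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            first, last = (int(ipaddress.ip_address(a)) for a in t[4].split("-"))
            cfg["pools"][t[3]] = [ipaddress.ip_address(n) for n in range(first, last + 1)]
        elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            net, _ = _addr_clause(t, 4)
            cfg["acls"].setdefault(t[1], []).append((ipaddress.ip_network("0.0.0.0/0"), net))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr_clause(t, 5)
            dst, _ = _addr_clause(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat_exempt"][t[1].strip("()")] = t[4]  # interface -> exemption ACL
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acl"] = t[2]
    return cfg


def pool_not_nat_exempt(cfg, pool, dmz_host):
    """Pool addresses that no NAT-exempt ACL matches for traffic from dmz_host.

    On 8.2 the reply from the DMZ host to the client is translated unless a
    'nat (ifc) 0' ACL entry matches host -> client, so every address listed here
    is a client that never gets an answer back."""
    host = ipaddress.ip_address(dmz_host)
    rules = [r for acl in cfg["nat_exempt"].values() for r in cfg["acls"].get(acl, [])]
    return [str(a) for a in cfg["pools"][pool]
            if not any(host in src and a in dst for src, dst in rules)]


def split_tunnel_includes(cfg, dmz_host):
    """True if the split-tunnel ACL sends traffic for dmz_host into the tunnel."""
    host = ipaddress.ip_address(dmz_host)
    return any(host in dst for _, dst in cfg["acls"].get(cfg["split_acl"], []))


def pool_without_return_route(cfg, pool, switch_routes, asa_dmz_ip):
    """Pool addresses the L3 switch would not send back to the ASA.

    switch_routes is a list of (prefix, next_hop); longest prefix wins as in a RIB.
    A pool address that resolves to any other next hop (usually the default route)
    is the 'route missing on the switch back to the VPN IP pool' case."""
    rib = sorted(((ipaddress.ip_network(p), nh) for p, nh in switch_routes),
                 key=lambda r: r[0].prefixlen, reverse=True)
    bad = []
    for a in cfg["pools"][pool]:
        nh = next((nh for net, nh in rib if a in net), None)
        if nh != asa_dmz_ip:
            bad.append(str(a))
    return bad


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    print("pool addresses not NAT-exempt:", pool_not_nat_exempt(cfg, "EXT_Pool_Split", "172.16.14.11"))
    print("split tunnel covers 172.16.14.11:", split_tunnel_includes(cfg, "172.16.14.11"))
    before = [("0.0.0.0/0", CORE_GATEWAY)]              # constructed: switch with only a default route
    after = before + [("10.100.6.0/28", ASA_DMZ_IP)]   # constructed: the route the thread ended on
    print("no return route (before):", len(pool_without_return_route(cfg, "EXT_Pool_Split", before, ASA_DMZ_IP)))
    print("no return route (after):", pool_without_return_route(cfg, "EXT_Pool_Split", after, ASA_DMZ_IP))
```

Run against the posted snippet, the first check flags 10.100.6.8 through 10.100.6.15: the NoNAT ACL uses a 255.255.255.248 (/29) destination while the pool runs to .15, so clients handed an address in the top half of the pool would be translated on the way back even with the switch route in place. The third check reproduces the fix netcmh found: with only a default route the switch sends every pool address to the core gateway, and a 10.100.6.0/28 route via the ASA's DMZ subinterface address clears the list. The 9.x config earlier in the thread uses object-based twice NAT instead of nat (ifc) 0, so this parser does not apply to it.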
