Solved

Cisco ASA Remote Access VPN to DMZ

Posted on 2013-11-25
17
1,659 Views
Last Modified: 2013-12-02
Hello,

I have a 5520 with 3 physical interfaces - outside, inside, dmz.

The dmz interface has been sub-ed out into 3 other interfaces.

Everything else is working fine,

I would like to know how to configure a remote access vpn to one of the sub-dmz segments from a windows 7 laptop.

Thanks.
0
Comment
Question by:netcmh
17 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39676876
Simply put, you just configure it like you would using the physical interface. Only now you use the subinterface instead of the real interface.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39677393
a step by step would be appreciated.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39677427
Ok, let's see:

ip local pool VPN-pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_28
 subnet 192.168.100.0 255.255.255.240
username ra-user password rauserpass privilege 0
username ra-user attributes
 vpn-group-policy RA-VPN
exit
group-policy RA-VPN internal
group-policy RA-VPN attributes
 vpn-tunnel-protocol ikev1
 dns-server value 192.168.1.1
 default-domain value default.domain.invalid
exit
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy RA-VPN
 address-pool  VPN-pool
tunnel-group RA-VPN ipsec-attributes
 ikev1 pre-shared-key mypresharedkey
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  ikev1 transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
nat (inside,outside) 3 source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.168.100.0_28 NETWORK_OBJ_192.168.100.0_28 no-proxy-arp route-lookup



Of course you'll need to make some changes to fit this to your own situation.

192.168.100.1-192.168.100.10: ip pool for RA clients
username ra-user password rauserpass privilege 0: using a local user for authentication
ikev1 pre-shared-key mypresharedkey: preshared key for RA-PVPN group
nat (inside,outside) etc. : NAT exempt for VPN traffic (replace the interface names with the names of your interfaces, I used default names here).

This is the setup for an RA VPN using the cisco secure VPN client. I created this one for a 9.x ASA. Commands may vary a bit depending on what version your ASA is.

You can also use the wizard in the ASDM to create a similar setup.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39677503
Sorry, but can you give me the steps in 8.2? Thanks
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39677650
That should be something like:

access-list splitvpn standard permit 10.254.254.0 255.255.255.0
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool VPNPool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.254.254.10
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitvpn
split-dns value petenetlive.com
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
vpn-group-policy remotevpn
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool VPNPool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey


Of course you have to make some adjustments to reflect your own setup.

I got this from the site of my esteemed expert colleague PeteLong: http://www.petenetlive.com/KB/Article/0000070.htm
Have a look at it, lots of nice examples to be found there.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39677653
So, the question is how do I get a remote access vpn session initiated from the outside to only talk with the DMZ segment, and not the inside?

Thanks
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39677663
Ah, we crossed each other.

You'll need to replace the interface names, so dmz instead of inside.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39677802
I tried that, and it still will not allow the external laptop to connect to the DMZ server. The Cisco VPN client does get connected, but beyond that it does not allow the connection through.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39677858
Could you show us a sanitized copy of your config as it is now?
0
 
LVL 20

Author Comment

by:netcmh
ID: 39677935
ip local pool EXT_Pool_Split 10.100.6.1-10.100.6.15 mask 255.255.255.248

access-list EXT_Remote_Split standard permit host 172.16.14.11
access-list EXT_DMZINT_2_NoNAT extended permit ip host 172.16.14.11 10.100.6.0 255.255.255.248

nat (DMZINT_2) 0 access-list EXT_DMZINT_2_NoNAT

group-policy EXT_Remote_Policy internal
group-policy EXT_Remote_Policy attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value EXT_Remote_Split
exit

tunnel-group EXT_Tunnel_Remote_Split type remote-access
tunnel-group EXT_Tunnel_Remote_Split general-attributes
  default-group-policy EXT_Remote_Policy
  address-pool EXT_Pool_Split
tunnel-group EXT_Tunnel_Remote_Split ipsec-attributes
  pre-shared-key *********
exit

username remoteuser password ********* priv 1

crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map IPSec_Map 500 ipsec-isakmp dynamic dynmap
crypto map IPSec_Map interface outside

crypto isakmp policy 40
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 3600
exit
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39678015
Hehehe, that's a bit too sanitized :)

If possible I would like to see a more complete config.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39678108
Since it's huge, I can't sanitize it enough. What are you looking for, I can get those pieces out comparatively faster.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39678573
Hello?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39678731
Different timezone?
Time for dinner and putting my son to bed ;)

I'll try to check later this evening.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39679253
So, I'm attaching an oversimplified picture of my setup. Hoping that someone can give me the entire commands to get this to work.

I have a L3 switch, which has routing configuration for the various segments. I have an ASA 5520 with 8.2 IOS. I have a DMZ segment which has been subinterfaced into 5 different segments and none of them should be able to talk to each other. And, I have the company LAN on the inside.

I was able to, with the config pasted above, get the Cisco VPN client connected. But, I still can't get the VPN-ed in client to talk with the DMZ server.

Thanks
Drawing1.jpg
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 39682968
Did you have a look at the (ASDM) logs to see if something shows up there what might give you a clue?
0
 
LVL 20

Author Comment

by:netcmh
ID: 39689643
Got it figured out. Had a route missing on the switch back to the VPN IP pool.

Thanks for your help. I'll grant you points for helping, but this was the solution.
0
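The fix the thread arrives at (a return route for the VPN pool on the L3 switch), written out together with the checks that expose the symptom; this is an added example, not configuration from the thread or from the author's ASA. It assumes 172.16.14.0/24 is the DMZINT_2 segment, with the ASA subinterface at 172.16.14.1, the switch SVI at 172.16.14.2 as the server's default gateway, and the server at 172.16.14.11 (the first two addresses are placeholders; the thread does not give them).

```cisco
! --- L3 switch (Catalyst IOS), assumed default gateway of 172.16.14.11 ---
! Without this route, the server's replies to VPN clients follow the switch's
! default route toward the inside/core instead of returning via DMZINT_2,
! so the client "connects" but nothing answers.
ip route 10.100.6.0 255.255.255.240 172.16.14.1
! Confirm the longest match for a pool address now points at the ASA:
show ip route 10.100.6.1

! --- ASA 8.2 ---
! The thread's pool hands out 10.100.6.1-15 but its mask and NoNAT ACL are a
! /29 (255.255.255.248), which only covers .0-.7; clients given .8-.15 would
! miss the exemption. Pool, mask and ACL are kept consistent as a /28 here.
ip local pool EXT_Pool_Split 10.100.6.1-10.100.6.14 mask 255.255.255.240
access-list EXT_DMZINT_2_NoNAT extended permit ip host 172.16.14.11 10.100.6.0 255.255.255.240
nat (DMZINT_2) 0 access-list EXT_DMZINT_2_NoNAT
! Split tunnel list stays limited to the one DMZ host, so the client is never
! offered a path to the inside LAN or the other DMZ subinterfaces.
access-list EXT_Remote_Split standard permit host 172.16.14.11

! --- Checks once the Cisco VPN client reports connected ---
show vpn-sessiondb remote          ! client holds an address from EXT_Pool_Split
show crypto ipsec sa               ! both "#pkts decaps" and "#pkts encaps" rising
! Missing return route looks like: decaps increments (client traffic arrives and
! is decrypted), encaps stays at 0 (no replies ever come back to be encrypted).
packet-tracer input outside icmp 10.100.6.1 8 0 172.16.14.11 detailed
! The ROUTE-LOOKUP phase must resolve the destination to DMZINT_2 and the
! result end in "Action: allow"; anything else is an ASA-side problem, not the switch.
```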
