8.3 ASA VPN access rules

Hi, I recently bought an ASA 5520 to use as a VPN gateway for several tunnells site to site VPN. I've upgraded to version 8.3, and set up a lab environment. I implemented a simple VPN with a rule of intellectual property general permit to stert with and everything works fine. I'm having trouble tightenign access now, if I change the access on the SAA for ICMP I can ping both directions, if I add tcp I can telnet from a computer at the other end of the VPN, but if I change the tcp protocol to telnet, I can't connect. the other end on the VPN is a cisco 2620XM and I match the lists of access for each of the changes. I also do not understand the meaning of the ASA access list, it seems that if I want to allow the remote tcp host behind the ASA access I have the host behind the ASA as the source, it appears backward? Anyone can shed some light on this? very much appreciated.

Yes, you are supposed to only configure 'IP' to your ACL (ACL applied to your crypto card) crypto and crypto ACL supposed to mirror image on each peer, so when you change to specific TCP/UDP ports, is not mirror image of the other side/peer more.

I thought that you use ACL applied to "vpn-filter".

But in the previous post, actually configure you ACL on each interface.

The above is 3 different ACL you have applied differently (crypto ACL--> apply to the card crypto, vpn ACL--> apply to vpn-filter and your normal ACL interface).

Tags: Cisco Security

Similar Questions

Only way ASA Vpn access

Hello:

I have configured ASA 5505 to acept Cisco VPN Clients on IP-SEC and access internal subnet of tuneling (added a rule exempt NAT too) and the VPN Clients can connect and work without problems.

But no internal network or the ASA I can ping or conect to the VPN Clients.

My configuration:

Internal network: 172.26.1.0 255.255.255.0

The VPN Clients network 172.26.2.0 255.255.255.0

Can you help me?

Here is my configuration:

: Saved : ASA Version 7.2(4) ! hostname ciscoasa domain-name ftf.es enable password xxxxxxx encrypted passwd xxxxx encrypted names name 217.125.44.23 IP_publica name 172.26.1.100 Servidor name 192.168.1.3 IP_externa name 192.168.2.3 IP_Externa2 name 172.26.2.0 VPN_Clients ! interface Vlan1 nameif inside security-level 100 ip address 172.26.1.89 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address IP_externa 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 switchport access vlan 12 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 13 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name ftf.es same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group service terminal-server tcp port-object eq 3389 object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list FTFVPN_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list FTFVPN_Group_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list outside_access_in extended permit tcp any host IP_externa eq 3389 access-list outside_access_in extended permit object-group TCPUDP any host IP_externa eq www access-list FTF_ADSL2_splitTunnelAcl standard permit any access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 VPN_Clients 255.255.255.0 access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 host 172.26.1.199 access-list outside_nat0_outbound extended permit ip VPN_Clients 255.255.255.0 172.26.1.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool vpn 172.26.1.180-172.26.1.200 mask 255.255.255.0 ip local pool vpn2 172.26.2.100-172.26.2.200 mask 255.255.255.0 ip local pool vpn3 172.26.3.100-172.26.4.150 mask 255.255.255.0 ip local pool vpn4 172.26.1.240-172.26.1.250 mask 255.255.255.0 ip local pool FTFVPN_Pool 176.26.1.150-176.26.1.170 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface 3389 Servidor 3389 netmask 255.255.255.255 static (inside,outside) tcp interface www Servidor www netmask 255.255.255.255 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute http server enable http 172.26.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs group1 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 40 set pfs group1 crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 60 set pfs group1 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 80 set pfs group1 crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 100 set pfs group1 crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 120 set pfs group1 crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp nat-traversal  20 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside ! dhcpd address 172.26.1.90-172.26.1.217 inside ! webvpn enable outside url-list FTFVLC "DYNAMICS" cifs://172.26.1.100 1 port-forward TEST 3389 172.26.1.100 3389 Terminal Server group-policy DefaultRAGroup internal group-policy DefaultRAGroup attributes banner value Bienvenido a la red de FTF dns-server value 172.26.1.100 80.58.32.97 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn split-tunnel-policy tunnelall default-domain value ftf.es group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools value vpn2 smartcard-removal-disconnect enable client-firewall none client-access-rule none webvpn   functions url-entry   html-content-filter none   homepage none   keep-alive-ignore 4   http-comp gzip   filter none   url-list none   customization value DfltCustomization   port-forward value TEST   port-forward-name value Acceso a aplicaciones   sso-server none   deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information   svc none   svc keep-installer installed   svc keepalive none   svc rekey time none   svc rekey method none   svc dpd-interval client none   svc dpd-interval gateway none   svc compression deflate group-policy FTFVPN_Group internal group-policy FTFVPN_Group attributes dns-server value 172.26.1.100 vpn-tunnel-protocol IPSec l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value FTFVPN_Group_splitTunnelAcl default-domain value ftf.es address-pools value vpn2 group-policy VPNSSL internal group-policy VPNSSL attributes vpn-tunnel-protocol IPSec l2tp-ipsec webvpn webvpn   functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix username raul password xxxxxx encrypted privilege 0 username raul attributes vpn-group-policy FTFVPN_Group tunnel-group DefaultRAGroup general-attributes address-pool vpn2 default-group-policy DefaultRAGroup tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group DefaultWEBVPNGroup general-attributes default-group-policy VPNSSL tunnel-group DefaultWEBVPNGroup webvpn-attributes nbns-server Servidor master timeout 5 retry 3 tunnel-group FTFVPN_Group type ipsec-ra tunnel-group FTFVPN_Group general-attributes address-pool vpn2 default-group-policy FTFVPN_Group tunnel-group FTFVPN_Group ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny   inspect sunrpc   inspect xdmcp   inspect sip   inspect netbios   inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:f5e713652d4a2e2623248d7e49086105 : end asdm image disk0:/asdm-524.bin asdm location Servidor 255.255.255.255 inside asdm location IP_publica 255.255.255.255 inside asdm location IP_externa 255.255.255.255 inside asdm location IP_Externa2 255.255.255.255 inside asdm location VPN_Clients 255.255.255.0 inside no asdm history enable

Raul,

I don't see to apply ACLs inside the interface or as vpn-filter that will prevent the PING of the SAA within the intellectual property to the VPN client.

Are you sure that the VPN client does not have the Windows Firewall on or antivirus software that prevents to respond to PING?

Federico.

ASDM conc (ASA) VPN access

I have the script like this:

an ASA, which is the FW, TR making static NAT from the public to the private IP and private IP address add is add conc (another ASA) VPN. I am accessing these devices via the VPN client and I get the address IP of VPN pool set on VPN conc. VPN conc. is in a DMZ VLAN, but it also has connection to the local network segment. Purposes of mgmt, I connect to this VPN through SSH conc via a switch in the local network segment. To use the http access, I have to be on one of the servers that are in the local network segment. Since then, when I set up the VPN connection, I'm sure VPN conc., what can do to access http directly from my PC?

This sets up on the conc VPN:
```
management-access inside
After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside ip address.
hth

    Herbert

    (note, I assume the name of the interface connected to the LAN is named "inside", if not adapt at will )
```

Unable to connect to other remote access (ASA) VPN clients

Hello

I have a cisco ASA 5510 appliance configured with remote VPN access

I can connect all hosts on the INSIDE and DMZ network, but not able to access other clients connected to the same VPN.

For example, if I have 2 clients connected to the VPN, customer and CustomerB, with a pool of vpn IP addresses such as 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.

Any help is welcome.

Thanks in advance.

Hello

I'm a little rusty on the old format NAT, but would be what I would personally try to configure NAT0 on the 'outer' interface.

It seems to me that you currently have dynamic PAT configured for the VPN users you have this

NAT (outside) 1 10.40.170.0 255.255.255.0

If your traffic is probably corresponding to it.

The only thing I can think of at the moment would be to configure

Note of VPN-CLIENT-NAT0-access-list NAT0 for traffic between VPN Clients

list of access VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0

NAT (outside) 0-list of access VPN-CLIENT-NAT0

I don't know if it works. I did not really have to configure it on any ASAs running older software. There was some similar questions here on the forums for the new format.

-Jouni

Remote RDP client VPN access on ASA 5510

Hello.

We have configured the VPN tunnel from site of offshore to the location of the customer using ASA5510 and access to RDP to the location of the customer. Also been configured remote VPN access in offshore location. But using the remote VPN client, we are able to get the RDP of officeshore location but not able to access to the location of the RDP client. Are there any additional changes required?

Thank you

Hi Salsrinivas,

so to summarize:

the VPN client connects to the ASA offshore

the VPN client can successfully RDP on a server at the offshore location

the VPN client cannot NOT RDP on a server at the location of the customer

offshore and the location of the customer are connected by a tunnel L2L

(and between the 2 sites RDP works very well)

is that correct?

Things to check:

-the vpn in the ACL crypto pool?

-you're exemption nat for traffic between the vpn pool and 'customer' LAN? is the exemption outside (vpn clients are coming from the outside)?

-you have "same-security-traffic permitted intra-interface" enabled (traffic will appear outside and go back outside)?

If you need help more could you put a config (sterilized) Please?

HTH
Herbert

RV042 VPN group & access rules

I have install a GroupVPN and connect to the RV042 with the client VPN Shrewsoft, works like a charm as opposed to QuickVPN ;-)

The firewall is configured with an explicit deny for RDP access rule to an internal server, can also be used to explicitly a rule is created for certain numbers of IP as a source. I noticed that I need to create an explicit allow rule for the subnet of the client Shrewsoft is using the virtual adapter or I won't be able to access the internal server via RDP through the tunnel of GroupVPN.

Is it normal? I think that establishing a tunnel defies the rules created for a direct access to the WAN port.

Peter

Sorry, I got my signals crossed with my previous suggestion. Your answer has cleared up my misunderstanding. My rule was for a different purpose and it does not work for your situation, I thought it would be.

redirect port (UPnP or redirection) replaced the firewall rules, but does not completely bypass their. He must work around the default rules for work, but don't not past rules customized. The trick is to know the translation of transfer goes first, then when it is processed by the firewall, the destination is the IP and the port internal. In addition, it would seem that VPN works the same way - allows to bypass default firewall but not custom rules.

Since you want to double your security and have a non-standard port MORE limit access to specific IPs through the rules of firewall, then you are set up correctly.

The VPN to bypass the firewall completely? Maybe, but then you wouldn't have the opportunity to clients VPN filter with custom (without a separate section in Firewall VPN) rules. Given that you have created a custom block rule, you must add an allow rule for everything that comes through the WAN (same VPN) port. I agree it's annoying, but that's just the way the program is written.

I didn't test the VPN rules, but I think you can handle this - the only variable would be you allow the public IP address of the remote network or remote LAN subnet range? I expect the LAN subnet.

----------------------

Other thoughts - I personally just use the non-standard port and leave the RDP Security to take care of himself. My clients are very small, so the exposure and risk are fairly low. For a client of profile higher or more secure, I would either put everything inside a VPN connection, or configure as you. Of course, if the security is so important, maybe you should be on a more expensive (and capable) device?

Remote access ASA, VPN and NAT

Hello

I try to get access to remote VPN work using a Cisco VPN client and ASA with no split tunneling. The VPN works a little, I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the log ASA except these:

1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/54918 dst outsidexx.xxx.xxx.xxx/53

There is only one address public IP that is assigned to the external interface of DHCP. The Interior is 192.168.1.0/24 network which is PAT'ed to the external interface and the VPN network is 192.168.47.X.

I think my problem is that the net.47 is not NAT'ed out properly and I don't know how to put in place exactly. I can't understand how this is supposed to work since the net VPN technically provenance from the outside already.

Here are all the relevant config:

list of vpn access extended permits all ip 192.168.47.0 255.255.255.0
Within 1500 MTU
Outside 1500 MTU
IP local pool vpnpool 192.168.47.200 - 192.168.47.220 mask 255.255.255.0
IP verify reverse path to the outside interface
IP audit info alarm drop action
IP audit attack alarm drop action
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
Global interface (2 inside)
Global 1 interface (outside)
NAT (inside) 0-list of access vpn
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 2 192.168.47.0 255.255.255.0 outside
static (inside, outside) tcp 3074 XBOX360 3074 netmask 255.255.255.255 interface
static (inside, outside) udp 3074 XBOX360 3074 netmask 255.255.255.255 interface
public static (inside, outside) udp interface 88 88 XBOX360 netmask 255.255.255.255
public static tcp (indoor, outdoor) https someids netmask 255.255.255.255 https interface

I can post more of the configuration if necessary.

Change ' nat (outside) 2 192.168.47.0 255.255.255.0 apart ' "NAT (2-list of vpn access outdoors outside)" gives these:

1 Jul 06:18:35 % gatekeeper ASA-3-305005: no group of translation not found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

So, how I do right NAT VPN traffic so it can access the Internet?

A few things that needs to be changed:

(1) NAT exemption what ACL must be modified to be more specific while the traffic between the internal subnets and subnet pool vpn is not coordinated. NAT exemption takes precedence over all other statements of NAT, so your internet traffic from the vpn does not work.

This ACL:

list of vpn access extended permits all ip 192.168.47.0 255.255.255.0

Should be changed to:

extensive list of access vpn ip 192.168.47.0 255.255.255.0 allow

(2) you don't need statement "overall (inside) 2. Here's what to be configured:

no nat (outside) 2 192.168.47.0 255.255.255.0 outside

no global interface (2 inside)

NAT (outside) 1 192.168.47.0 255.255.255.0

(3) and finally, you must activate the following allow traffic back on the external interface:

permit same-security-traffic intra-interface

And don't forget to clear xlate after the changes described above and connect to your VPN.

Hope that helps.

ASA 5505: VPN access to different subnets

Hi All-

I'm trying to understand how to configure our ASA so that remote users can have VPN access to two different subnets (Office LAN and LAN phone). Currently I have 3 VLAN configuration - VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users must be able to access their PC (192.168.1.0/24) and also have access to the office phone system (192.168.254.0/24). Is it still possible? Here are the configurations on our ASA,

Thanks in advance:

ASA Version 8.2 (5)

!

names of

name 10.0.1.0 Net-10

name 20.0.1.0 Net-20

name phone 192.168.254.0

name 192.168.254.250 PBX

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 13

!

interface Vlan1

nameif inside

security-level 100

192.168.1.98 IP address 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

address IP X.X.139.79 255.255.255.224

!

interface Vlan3

No nameif

security-level 50

192.168.5.1 IP address 255.255.255.0

!

interface Vlan13

nameif phones

security-level 100

192.168.254.200 IP address 255.255.255.0

!

passive FTP mode

object-group service RDP - tcp

EQ port 3389 object

object-group service DM_INLINE_SERVICE_1

the purpose of the ip service

EQ-ssh tcp service object

vpn_nat_inside of access list extensive ip Net-10 255.255.255.224 allow 192.168.1.0 255.255.255.0

access-list extended vpn_nat_inside allowed ip Net-10 255.255.255.224 phones 255.255.255.0

inside_nat0_outbound list extended access permits all ip Net-10 255.255.255.224

inside_access_in of access allowed any ip an extended list

Split_Tunnel_List list standard access allowed Net-10 255.255.255.224

phones_nat0_outbound list extended access permits all ip Net-10 255.255.255.224

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 Mac host everything

pager lines 24

Enable logging

timestamp of the record

record monitor errors

record of the mistakes of history

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

MTU 1500 phones

mask IP local pool SSLClientPool-10 10.0.1.1 - 10.0.1.20 255.255.255.128

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global interface (10 Interior)

Global 1 interface (outside)

global interface (phones) 20

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (10 vpn_nat_inside list of outdoor outdoor access)

NAT (phones) 0-list of access phones_nat0_outbound

NAT (phones) 1 0.0.0.0 0.0.0.0

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 X.X.139.65 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication enable LOCAL console

the ssh LOCAL console AAA authentication

LOCAL AAA authorization command

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint ASDM_TrustPoint0

registration auto

name of the object CN = not - asa .null

pasvpnkey key pair

Configure CRL

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

lifetime 28800

VPN-sessiondb max-session-limit 10

Telnet timeout 5

SSH 192.168.1.100 255.255.255.255 inside

SSH 192.168.1.0 255.255.255.0 inside

SSH Mac 255.255.255.255 outside

SSH timeout 60

Console timeout 0

dhcpd auto_config inside

!

dhcpd address 192.168.1.222 - 192.168.1.223 inside

dhcpd dns 64.238.96.12 66.180.96.12 interface inside

!

a basic threat threat detection

host of statistical threat detection

Statistics-list of access threat detection

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

SSL-trust outside ASDM_TrustPoint0 point

WebVPN

allow outside

AnyConnect essentials

SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image

enable SVC

tunnel-group-list activate

internal SSLClientPolicy group strategy

attributes of Group Policy SSLClientPolicy

WINS server no

value of 64.238.96.12 DNS server 66.180.96.12

VPN-access-hour no

VPN - connections 3

VPN-idle-timeout no

VPN-session-timeout no

IPv6-vpn-filter no

VPN-tunnel-Protocol svc

group-lock value NO-SSL-VPN

by default no

VLAN no

NAC settings no

WebVPN

SVC mtu 1200

SVC keepalive 60

client of dpd-interval SVC no

dpd-interval SVC bridge no

SVC compression no

attributes of Group Policy DfltGrpPolicy

value of 64.238.96.12 DNS server 66.180.96.12

Protocol-tunnel-VPN IPSec svc webvpn

attributes global-tunnel-group DefaultRAGroup

address-pool SSLClientPool-10

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared key *.

NO-SSL-VPN Tunnel-group type remote access

General-attributes of the NO-SSL-VPN Tunnel-group

address-pool SSLClientPool-10

Group Policy - by default-SSLClientPolicy

NO-SSL-VPN Tunnel - webvpn-attributes group

enable PAS_VPN group-alias

allow group-url https://X.X.139.79/PAS_VPN

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

privilege level 3 mode exec cmd command perfmon

privilege level 3 mode exec cmd ping command

mode privileged exec command cmd level 3

logging of the privilege level 3 mode exec cmd commands

privilege level 3 exec command failover mode cmd

privilege level 3 mode exec command packet cmd - draw

privilege show import at the level 5 exec mode command

privilege level 5 see fashion exec running-config command

order of privilege show level 3 exec mode reload

privilege level 3 exec mode control fashion show

privilege see the level 3 exec firewall command mode

privilege see the level 3 exec mode command ASP.

processor mode privileged exec command to see the level 3

privilege command shell see the level 3 exec mode

privilege show level 3 exec command clock mode

privilege exec mode level 3 dns-hosts command show

privilege see the level 3 exec command access-list mode

logging of orders privilege see the level 3 exec mode

privilege, level 3 see the exec command mode vlan

privilege show level 3 exec command ip mode

privilege, level 3 see fashion exec command ipv6

privilege, level 3 see the exec command failover mode

privilege, level 3 see fashion exec command asdm

exec mode privilege see the level 3 command arp

command routing privilege see the level 3 exec mode

privilege, level 3 see fashion exec command ospf

privilege, level 3 see the exec command in aaa-server mode

AAA mode privileged exec command to see the level 3

privilege, level 3 see fashion exec command eigrp

privilege see the level 3 exec mode command crypto

privilege, level 3 see fashion exec command vpn-sessiondb

privilege level 3 exec mode command ssh show

privilege, level 3 see fashion exec command dhcpd

privilege, level 3 see the vpnclient command exec mode

privilege, level 3 see fashion exec command vpn

privilege level see the 3 blocks from exec mode command

privilege, level 3 see fashion exec command wccp

privilege see the level 3 exec command mode dynamic filters

privilege, level 3 see the exec command in webvpn mode

privilege control module see the level 3 exec mode

privilege, level 3 see fashion exec command uauth

privilege see the level 3 exec command compression mode

level 3 for the show privilege mode configure the command interface

level 3 for the show privilege mode set clock command

level 3 for the show privilege mode configure the access-list command

level 3 for the show privilege mode set up the registration of the order

level 3 for the show privilege mode configure ip command

level 3 for the show privilege mode configure command failover

level 5 mode see the privilege set up command asdm

level 3 for the show privilege mode configure arp command

level 3 for the show privilege mode configure the command routing

level 3 for the show privilege mode configure aaa-order server

level mode 3 privilege see the command configure aaa

level 3 for the show privilege mode configure command crypto

level 3 for the show privilege mode configure ssh command

level 3 for the show privilege mode configure command dhcpd

level 5 mode see the privilege set privilege to command

privilege level clear 3 mode exec command dns host

logging of the privilege clear level 3 exec mode commands

clear level 3 arp command mode privileged exec

AAA-server of privilege clear level 3 exec mode command

privilege clear level 3 exec mode command crypto

privilege clear level 3 exec command mode dynamic filters

level 3 for the privilege cmd mode configure command failover

clear level 3 privilege mode set the logging of command

privilege mode clear level 3 Configure arp command

clear level 3 privilege mode configure command crypto

clear level 3 privilege mode configure aaa-order server

context of prompt hostname

no remote anonymous reporting call

Hello

Loss of connectivity to the LAN is not really supposed all remove this command UNLESS your network is using another device as their gateway to the Internet. In this case configuration dynamic PAT or political dynamics PAT (as you) would make sense because the LAN hosts would see your VPN connection from the same directly connected network users and would be know to traffic before the ASA rather than their default gateway.

So is this just for VPN usage and NOT the gateway on the LAN?

If it is just the VPN device I'd adding this

global interface (phones) 10

He would do the same translation for 'phones' as he does on 'inside' (of course with different PAT IP)

-Jouni

Wacky VPN access problem of ASA

Hi people,

I am currenty a situation, and I am in real need of advice...

The situation is that, if ASA helps my remote branches to access my home network and its allowing people to visit Internet inside, its not allowing the remote VPN client VPN access... R V to aid VPN client version of Cisco 4.6...

See a presentation of basic network that illustrates our network and configuration of the ASA...

Advice to solve this problem will be greatly appreciated...

Kind regards

Noman Bari

I see what rou are... Please see my attchement...

Please rate if it helps!

asa himself through site to site vpn access server

Hello

I have problem with access to the servers through site to site vpn to ASA that makes this vpn site-to-site and Clientless VPN enablerd.

Reason why I need it / what I do:

ASA 5510 enabled Clientless VPN and on this Portal allows users to access internal servers through bookmars URL. We use it when someone wouldn't access IPSec VPN or in an internet café. If this user connects to clientless vpn and click on the bookmark to access for example mail server. But there is problem, asa cannot access this server through VPN site-to-site.

Network:

Here's a quick design of my network.

I don't have server access to the problem in the VLAN 159 of VLAN 10, or 100. But I need to be able to access the server in Vlan 159 of ASA 5510, who owns the IP 192.168.1.4.

I have this subnet ASA owned by FRONT-NAT object in the same place that VLAN 10 to 100 are and vpn Site-to-Site profile.

What I makeover or how can I solve it?

Thank you

Clientless VPN when accessing internal servers, it will use the closest to the source of the connection interface and if you connect to via clientless SSL VPN ASA5510 and need access ASA5505 LAN via the site to site VPN, the interface closest to the ASA5510 to ASA5505 LAN is ASA5510 outside interface, therefore, the vpn of site-to-site crypto ACL must match on ASA5510 outside the ip address of the interface.

Here's what you need on each ASA:

ASA5510:

permit same-security-traffic intra-interface

ip 192.168.159.0 external interface allowed access list 255.255.255.0

ASA5505:

ip 192.168.159.0 access list allow 255.255.255.0 host

In addition, also need to add the same ACL for access-list of exemptions on ASA5505 NAT:

ip 192.168.159.0 access list allow 255.255.255.0 host

Hope that helps.

Device behind a Firewall other, ASA VPN

I have a client who wants to put their VPN / behind the ASA ASA main connected to the Internet. Both devices have an inside leg for the internal network, but the ASA VPN connects directly to the Internet ASA.

Topology:

Outisde FW: Internet transfer Procedure > ASA/FW > leg DMZ to ASA/VPN

ASA VPN: Outside the L3 Interface interface DMZ of ASA/FW link

On the outside NAT FW I would be the external address of the VPN / ASA outside the public IP address is available and I have a rule that allows all IP from outside to outside the private IP VPN. Inside = 192.168.254.1 outside = public IP address.

Configured on the VPN / ASA, ASA standard SSL Remote Access.

When I hit the NAT public IP address, nothing happens. I've run packet - trace on the FW outside, and everything seems good.

Someone at - it a sampling plan / config for a similar topology? Internet > ASA/FW > dmz-leg > ASA/VPN

Thanks in advance,
Bob

Can share you your NAT and routing configuration? Of these two ASAs

ASA vpn client

Hello world

I would like to ask for help in order to correct a customer vpn tunnel. I'm not familiar with the AAS, so please do not laugh if I write something stupid

So I inherit one asa, which has two interface used physical and vlan more. Outdoors, office, management and management. I use my computer on the vlan management, and I can reach the computers on the desktop (192.168.12.0/24) and the branch (192.168.10.0/24). I would realize that I connect to thrught houses a vpn, and I should reach the 12.x and 10.x network as I was in these networks (due to the microsoft allowed wirewall to the local network traffic).

I inherited a vpn configuration which I added my user.

I'm trying to cite only the relevant portion of config:

SSH 192.168.99.0 255.255.255.0 management

access extensive list ip 192.168.99.0 nonat_management allow 255.255.255.0 192.168.99.0 255.255.255.0

access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0

IP local pool ippool 192.168.99.100 - 192.168.99.200

NAT-control
Global 1 interface (outside)

NAT (management) - access list 0 nonat_management
nat_management_office list of access 5 NAT (management)
nat_management_branch list of Access 10 NAT (management)

192.168.99.50 management - dhcpd addresses 192.168.99.79
enable dhcpd management

L2TP strategy of Group internal
monty password username * == encrypted nt
monty username attributes
Protocol-tunnel-VPN l2tp ipsec
VPN-framed-ip-address 192.168.99.99 255.255.255.0
attributes global-tunnel-group DefaultRAGroup
ippool address pool
Group Policy - by default-l2tp
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication

I quote the encryption settings, because I can connect to asa, I think that I have problems with the nat or access rules.

I have an ip local pool 192.168.99.100 - 192.168.99.200, but I have the fixed ip with the vpn-framed-ip-address 192.168.99.99 255.255.255.0

Happened when I connect and try to reach the following computers:

I can reach only a freenas 192.168.12.2, and I see in his journal that I have connected with 192.168.99.99 (vpn-framed-ip-address)

I can't reach the computers on networks, however I have two nat rules, working when I'm in the office network 99.0

access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0

It seems that these two nat rules do not work with my vpn client.

And it is very important to arrive at the asa with ssh through the tunnel, but I can't.

I don't know if that is the ip address of the vpn client is in the management network, perhaps one should change to another network:

for example 192.168.95.0/24

A vpn asa for Dummies or any help is appreciated.

Thank you very much

Hi Chris,

The following should help:

access-list allowed 192.168.12.0 nonat_office 255.255.255.0 192.168.90.0 255.255.255.0

In this way, returning office subnet pool VPN traffic is exempt from nat. And so you will not get the failure of RPF checking.

In addition, you must change this:

nat_vpn_office to access extended list ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0

(incoming traffic on the VPN remote access would come from the VPN pool.) Not your home network.)

You must have:

No nat_vpn_office access list extended ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0

access extensive list ip 192.168.90.0 nat_vpn_office allow 255.255.255.0 192.168.12.0 255.255.255.0

NAT (outside) 5 nat_vpn_office list of outdoor access

Hope this helps, and sorry for the delay.

-Shrikant

P.S.: Please check the question as answered if it was resolved. Do rates all useful messages. Thank you.

ASA VPN

Hello

I have a question concerning the VPN, is it possible to configure the two IPsec VPN site-to-site and remote access vpn on the same ASA and working at the same time, does require one or two different public ip addresses?

I have cisco ASA 5540 - version 9.1

Best regards

Hello

Yes, you can with 1 single public ip address. You need to activate the same-security-traffic allow intra-interface functionality to allow a customer vpn site-to-site vpn access if you need.

Take a look at the Cisco documentation;

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Thank you

PS: Please do not forget to rate and score as good response if this solves your problem

ASA VPN - allow user based on LDAP Group

Hello friends

I have create a configuration to allow connection based on LDAP Group.

I m not specialize in the firewall and I tried to follow the links above, but both seem old, commanded several is not available.

http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Anyone know how I can do?

Thank you

Marcio

I like to use the Protocol DAP (dynamic access policies) to control this. Follow this guide:

https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

Problems to make the access rule for a NAT device work

I am new to Cisco routers so light easy on me.

Our company has just purchased a RV042G so that we can start using VPN for some of our sales representatives. There is always a need to access the RDC to configure our WAN1 port access rule to the internal server. However, it does not work.

I have install this type of rule on Sonicwalls before, but I don't have much experience with Cisco. I'm a bit confused as to why it doesn't work anymore. Any advice would be great.

Service = DRC (3389)

Source port = WAN1

Source IP = our static IP address

Destination IP = 192.168.0.250.

What I am doing wrong?

Hello Eric,

Looks like you got the first step made so fare. How access lists works on this devices is actually just control/allow certain traffic but does not in fact of NAT/port forwarding. What you need to do is then go into the setup and go under transfer. Next, you will create your port forwarding it. You click on service management again to set up which port you must sent (it may be already there for when you have configured your access list). Some of them should be similar on how you implemented in the access list, but if you want more information let me know and I can give more details.

Hope that helps out.

Thank you
Clayton Sill

8.3 ASA VPN access rules

Similar Questions

Maybe you are looking for