ASA5505 AD authentication
Hello
I'm trying to get the domain users to authenticate to my network via Active Directory, but I can't get this working. Local user accounts on the ASA authenticate properly.
I have a tunnel group with a group policy, but I'm struggling to get it to talk to AD.
This is the configuration I have for it:
aaa-server RADIUS protocol radius
 reactivation-mode timed
aaa-server RADIUS (inside) host winserver
 key *****
 radius-common-pw *****
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside
group-policy RemoteAccessVPN internal
group-policy RemoteAccessVPN attributes
 wins-server value 192.168.16.1
 dns-server value 192.168.16.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccessVPN-splitTunnelACL
 default-domain value AMCs.local
 address-pools value asaVPNPool
tunnel-group DefaultRAGroup general-attributes
 address-pool asaVPNPool
 authentication-server-group RADIUS LOCAL
 authorization-server-group RADIUS
 accounting-server-group RADIUS
 default-group-policy RemoteAccessVPN
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
Do you use the RADIUS protocol to communicate with your AD? Do you use an IAS server on your AD for authentication, or do you want to authenticate natively via AD?
If you use native AD, then I suggest you use aaa-server with the LDAP protocol.
Here is an example configuration for LDAP AD authentication:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml
However, if you are using RADIUS authentication against the IAS server on your AD, then you can check whether the IAS server has any policy that could block authentication from the ASA.
I also notice that you have authorization and accounting configured. Do you use these two? If not, then you can remove the following lines:
 authorization-server-group RADIUS
 accounting-server-group RADIUS
Finally, I also noticed that you have not set which remote access VPN protocol you actually use, and that it has not been activated. You need to configure "vpn-tunnel-protocol" under the group policy "RemoteAccessVPN". You must enable "ipsec" or "svc", or both if you plan to use both.
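The answer above raises three configuration checks: every server group a tunnel-group names must exist as an aaa-server group, the default-group-policy must exist, and that group policy should set vpn-tunnel-protocol. The script below is an added example (not code from the thread or from Cisco) that parses an ASA running-config into top-level commands with their indented sub-commands and reports those three points. The sample config is constructed from the one posted in the question; the parser only understands the few commands it looks for.

```python
"""Audit ASA remote-access tunnel-groups for the issues raised in the answer.

Per tunnel-group:
  * every *-server-group it references must be a defined aaa-server group
    (LOCAL is built in);
  * its default-group-policy must be defined;
  * that group-policy should set vpn-tunnel-protocol explicitly
    (otherwise the value is inherited from DfltGrpPolicy).
Added example; the config below is constructed from the posted one.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
aaa-server RADIUS protocol radius
 reactivation-mode timed
aaa-server RADIUS (inside) host winserver
 key *****
group-policy RemoteAccessVPN internal
group-policy RemoteAccessVPN attributes
 dns-server value 192.168.16.1
 split-tunnel-policy tunnelspecified
 address-pools value asaVPNPool
tunnel-group DefaultRAGroup general-attributes
 address-pool asaVPNPool
 authentication-server-group RADIUS LOCAL
 authorization-server-group RADIUS
 accounting-server-group RADIUS
 default-group-policy RemoteAccessVPN
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
"""


def parse_blocks(config):
    """Return [(top-level command, [indented sub-commands])] in config order."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of human-readable findings (empty list = nothing found)."""
    aaa_groups = {"LOCAL"}
    group_policies = defaultdict(list)   # name -> attribute lines
    tunnel_groups = defaultdict(list)    # name -> general-attribute lines
    for header, subs in parse_blocks(config):
        m = re.match(r"aaa-server (\S+) protocol ", header)
        if m:
            aaa_groups.add(m.group(1))
        m = re.match(r"group-policy (\S+) (?:internal|external|attributes)", header)
        if m:
            group_policies[m.group(1)].extend(subs)
        m = re.match(r"tunnel-group (\S+) general-attributes", header)
        if m:
            tunnel_groups[m.group(1)].extend(subs)

    findings = []
    for tg, attrs in tunnel_groups.items():
        for line in attrs:
            # optional "(interface)" token before the group list
            m = re.match(r"(authentication|authorization|accounting)-server-group"
                         r" (?:\(\S+\) )?(.+)", line)
            if m:
                for grp in m.group(2).split():
                    if grp not in aaa_groups:
                        findings.append(f"{tg}: {m.group(1)}-server-group references "
                                        f"undefined aaa-server group {grp}")
            m = re.match(r"default-group-policy (\S+)", line)
            if m:
                gp = m.group(1)
                if gp not in group_policies:
                    findings.append(f"{tg}: default-group-policy {gp} is not defined")
                elif not any(a.startswith("vpn-tunnel-protocol") for a in group_policies[gp]):
                    findings.append(f"{tg}: group-policy {gp} does not set vpn-tunnel-protocol "
                                    "(inherits from DfltGrpPolicy); add ipsec and/or svc")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; on the posted config it reports only the missing vpn-tunnel-protocol, and changing the server-group name to one that is not defined makes the first check fire as well.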
Similar Questions
-
Try to set up authentication RADIUS on ASA5505 8.3
I set up my firewall with local authentication for a regular dynamic VPN setup, but I need to change it to authenticate with the server. The server is configured and ready to go, but I want to make sure that the firewall will be too.
Here is my config:
ASA# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe_group
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
 subnet 192.168.101.0 255.255.255.0
object network SERVER01
 host 192.168.*.*
object network obj-internal-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network SERVER02
 host 192.168.*.*
object network SERVER03
 host 192.168.*.*
object network obj-OutsideIP
 host 74.164.148.6
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.*.* eq www
access-list outside_in extended permit tcp any host 192.168.*.* eq https
access-list outside_in extended permit tcp any host 192.168.*.* eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.101.50-192.168.101.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-internal-192.168.1.0 obj-internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool
!
object network obj_any
 nat (inside,outside) dynamic interface
object network SERVER01
 nat (inside,outside) static interface service tcp smtp smtp
object network SERVER02
 nat (inside,outside) static interface service tcp www www
object network SERVER03
 nat (inside,outside) static interface service tcp https https
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *****
dhcpd dns 192.168.*.* 4.2.2.2
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy examplevpn internal
group-policy examplevpn attributes
 dns-server value 192.168.*.* 4.2.2.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value mydomain.local
username vicky password 9fO.vlLc77pAFoHp encrypted privilege 15
username otherusers password hhckff6QokyoRdar encrypted privilege 10
username examplevpn password IKg0RMHfprF6Ya3u encrypted
username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
username admin attributes
 vpn-group-policy examplevpn
tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
 address-pool vpnpool
 authorization-server-group (outside) LOCAL
 default-group-policy examplevpn
tunnel-group examplevpn ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect amp-ipsec
  inspect ip-options
 class class_sip_tcp
  inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3edb25d4a550f0394e8c1936ab3326ad
Did I add everything I need to / is this correct?
aaa-server RADIUSvpn protocol radius
 max-failed-attempts 5
aaa-server RADIUSvpn (DMZ) host 172.16.1.1
 retry-interval 1
 timeout 30
 key cisco123
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool vpnpool
 authentication-server-group RADIUSvpn
I'm still relatively new to firewalls and sometimes find the online help overwhelming. Help, please.
Vicky
Can you compare the config with the doc and see if something may be missing?
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml
Use the troubleshooting section in the doc to find the DN; I think that you are missing part of the DN string. Sorry for the late response.
-
AnyConnect VPN client authentication using certificates
Guys, I'm trying to configure my ASA5505 to authenticate AnyConnect VPN clients using certificates. I have 'Certificates' defined as my method of authentication in my AnyConnect connection profile (see screenshot), but I get 'Certificate Validation failure' whenever I try to connect. The certificate I want to use is a computer certificate issued by my company's root CA (Windows Server 2008 running Active Directory Certificate Services). A screenshot of the certificate is attached. I added the root certificate on the ASA, and I tried all kinds of combinations using the corresponding certificate in the AnyConnect client profile. Each attempt failed, and I'm having no luck finding documentation on how to proceed. Any help would be greatly appreciated!
Hello Shaun,
The problem you're describing, not being able to authenticate with a certificate through Microsoft Internet Explorer, is the fact that the certificate is in the computer store. I have not confirmed this with Microsoft, but as I understand it Internet Explorer only uses the user store, so this certificate is not available to present to the ASA via the browser.
-Craig
-
Problem of static-dynamic ASA5505 L2L
Two ASA5505s running version 9.2.3; I tried IKEv1 and IKEv2. It worked before, but I don't know what the problem is now...
I can bring the tunnel up from the dynamic-end ASA (default behavior), meaning that I have to ping from the ASA itself (DynASA(config)# ping inside 172.22.82.5).
When I try to ping resources or access anything from clients behind DynamicASA to StaticASA, this appears in the log:
6 Jun 25 2015 21:40:50 302020 192.168.11.7 1 172.22.22.21 0 Built outbound ICMP connection for faddr 172.22.82.21/0 gaddr 88.114.6.163/1 laddr 192.168.11.7/1
After the tunnel is up I can connect from clients behind StaticASA to resources behind DynamicASA, but not the other way around (clients behind DynamicASA to behind StaticASA); a bit of a one-way fix, isn't it?
I tried with the DefaultL2L and DYNL2L policies and both work in one direction...
StaticASA config
interface Vlan1
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 172.22.22.1 255.255.255.0
!
object network ASA2_LAN
 subnet 192.168.11.0 255.255.255.0
object network ASA1_LAN
 subnet 172.22.22.0 255.255.255.0
access-list tunneli-ASA2 extended permit ip object ASA1_LAN object ASA2_LAN
nat (inside,outside) source static ASA1_LAN ASA1_LAN destination static ASA2_LAN ASA2_LAN no-proxy-arp route-lookup
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA trans1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map DYNL2L-ASA2 4 match address tunneli-ASA2
crypto dynamic-map DYNL2L-ASA2 4 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNL2L-ASA2 4 set ikev2 ipsec-proposal DYNL2L-VPN
crypto dynamic-map DYNL2L-ASA2 4 set reverse-route
crypto map OUTSIDE_MAP 65534 ipsec-isakmp dynamic DYNL2L-ASA2
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
group-policy GroupPolicy_ASA2 internal
group-policy GroupPolicy_ASA2 attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group DYNL2L-ASA2 type ipsec-l2l
tunnel-group DYNL2L-ASA2 general-attributes
 default-group-policy GroupPolicy_ASA2
tunnel-group DYNL2L-ASA2 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
DynamicASA config
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
object network ASA1_LAN
 subnet 172.22.22.0 255.255.255.0
object network ASA2_LAN
 subnet 192.168.11.0 255.255.255.0
access-list tunneli-ASA1 extended permit ip object ASA2_LAN object ASA1_LAN
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
crypto map mymap 10 match address tunneli-ASA1
crypto map mymap 10 set peer 1.2.3.4
crypto map mymap 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 10 set ikev2 ipsec-proposal AES256 AES192 AES DES DYNL2L-VPN 3DES
crypto map mymap 10 set reverse-route
group-policy GroupPolicy_1.2.3.4 internal
group-policy GroupPolicy_1.2.3.4 attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy GroupPolicy_1.2.3.4
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
WBR,
Mr.O
Hello
It looks like you have the dynamic NAT above the static NAT exemption on the dynamic-IP ASA side:
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
Change the order to move the static NAT above the dynamic NAT:
no nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
nat (inside,outside) 1 source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup
HTH
Averroès.
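The answer above comes down to rule order: manual (twice) NAT rules are evaluated top-down and the first match wins, and since ASA 8.3 the crypto ACL is checked against the post-NAT addresses. The model below is an added example, not code from the thread; it walks the two orderings for a constructed flow from 192.168.11.7 to 172.22.22.21 and shows why the posted 302020 log line carries a gaddr of 88.114.6.163 (the DHCP outside address from that log line) instead of the client's own address, which is exactly the packet the tunneli-ASA1 ACL no longer matches.

```python
"""Model of ASA manual NAT ordering versus the crypto ACL.

Added example (not the thread's or Cisco's code). Rules are evaluated in
order, first match wins; the crypto ACL is then matched on the
translated (gaddr) source. 88.114.6.163 is the outside address seen in
the posted log line; the flow itself is constructed.
"""
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")
ASA1_LAN = ipaddress.ip_network("172.22.22.0/24")   # behind StaticASA
ASA2_LAN = ipaddress.ip_network("192.168.11.0/24")  # behind DynamicASA


@dataclass(frozen=True)
class NatRule:
    real_src: IPv4Network
    mapped_src: str                 # "interface" = PAT to outside IP, "identity" = unchanged
    real_dst: IPv4Network = ANY     # twice NAT can also key on the destination

    def matches(self, src, dst):
        return src in self.real_src and dst in self.real_dst


# The two rules from the DynamicASA config, as NatRule objects.
DYNAMIC_PAT = NatRule(ANY, "interface")                 # source dynamic any interface
NAT_EXEMPT = NatRule(ASA2_LAN, "identity", ASA1_LAN)    # source static ... destination static ...
AS_POSTED = [DYNAMIC_PAT, NAT_EXEMPT]                   # PAT listed first
AS_FIXED = [NAT_EXEMPT, DYNAMIC_PAT]                    # exemption moved to position 1

CRYPTO_ACL = [(ASA2_LAN, ASA1_LAN)]                     # tunneli-ASA1


def apply_nat(rules, src, dst, outside_ip):
    """Return the mapped source (the gaddr in the 302020 message)."""
    for rule in rules:
        if rule.matches(src, dst):
            return outside_ip if rule.mapped_src == "interface" else src
    return src  # no manual rule matched: untranslated


def crypto_acl_matches(acl, src, dst):
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def evaluate(rules, outside_ip="88.114.6.163"):
    """Translate one constructed ICMP flow and report whether it would be encrypted."""
    src = ipaddress.ip_address("192.168.11.7")
    dst = ipaddress.ip_address("172.22.22.21")
    gaddr = apply_nat(rules, src, dst, ipaddress.ip_address(outside_ip))
    return {
        "gaddr": str(gaddr),
        "encrypted": crypto_acl_matches(CRYPTO_ACL, gaddr, dst),
        "log": f"Built outbound ICMP connection for faddr {dst}/0 gaddr {gaddr}/1 laddr {src}/1",
    }


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("exemption first", AS_FIXED)):
        r = evaluate(rules)
        print(f"{name}: encrypted={r['encrypted']}  {r['log']}")
```

The quick field check is the same one the model encodes: in a 302020 line for VPN-bound traffic, gaddr must equal laddr; if it shows the outside interface address, a NAT rule above the exemption is catching the traffic.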
-
I currently have VPN clients on an ASA5505 authenticating via the local database (which I consider a simple stopgap :)
I am obliged to have users change their passwords to conform to complexity and minimum length rules, which, to my knowledge, cannot be done directly on the ASA.
I installed an IAS that uses standard RADIUS for the ASA5505 client.
Now I have 2 groups of users using the same tunnel with the local database:
users who are also domain users -> for these users, I guess IAS will solve the synchronization problem with AD
users who are NOT domain users -> how do I apply these rules to these users?
How do I configure the aaa-server on the ASA and what should I change in the tunnel group to make all this work?
Your AAA server should be of type RADIUS with, of course, the correct settings, IP, key and so on. After this change is done, you should enter the tunnel-group general-attributes mode and call your AAA server for authentication: authentication-server-group RADIUS LOCAL
LOCAL will be there only as a fallback.
After this change is made, and your IAS connects to AD correctly, you should be able to authenticate. NOTE: making this change on the config will force all users to have a valid username in the IAS/AD schema; the local database will be used only when RADIUS fails.
Now, to enable the ability to change the password via the VPN clients, you need to go ahead and enable "ms-chap-v2" under the tunnel-group ppp-attributes, and once that's done the domain field will be displayed on the XAUTH prompt of the VPN client. In addition, the "password-management" keyword must be enabled under the general-attributes.
-
I have 2 tunnel-groups:
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool VPN_Pool
 authentication-server-group LOCAL
 authorization-server-group (inside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy test
 authorization-required
tunnel-group test ipsec-attributes
 pre-shared-key *****
and
tunnel-group users type ipsec-ra
tunnel-group users general-attributes
 address-pool VPN_Pool
 default-group-policy users
tunnel-group users ipsec-attributes
 pre-shared-key *****
users is the production VPN access group; it uses the LOCAL authentication database and, most importantly, it works well.
test, as you can guess, is a test group that was created when I configured the ASA5505 for the first time. It also works.
Both groups use the same LOCAL database, BUT as you can see the users group has nothing to show for it.
I need to change the authentication from LOCAL to RADIUS (I tested this on the ASA and it works very well). I want to start by testing the test group and, if it's all good, apply it to the users group.
How can I do this?
How can I make RADIUS the primary authentication source with fallback to LOCAL if RADIUS is down?
You'd go into your tunnel-group settings and change them like this:
tunnel-group test general-attributes
 authentication-server-group RADIUS LOCAL
This will cause the tunnel group to use RADIUS first and LOCAL if RADIUS fails. Note: you can remove the authorization part of your configuration.
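Both of the answers above (this one and the one recommending "authentication-server-group RADIUS LOCAL" with LOCAL as a fallback) rest on one detail worth seeing spelled out: the ASA falls back to LOCAL only when the RADIUS server group is unreachable (every server timed out or was deactivated), not when a reachable server returns Access-Reject. The model below is an added example, not code from the thread; the RADIUS server, its user table and the local database are constructed stand-ins.

```python
"""Fallback semantics of 'authentication-server-group RADIUS LOCAL'.

Added example, not from the thread. A reachable RADIUS server that
rejects the user is final; LOCAL is consulted only when the whole group
is unreachable. Servers and credentials below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


class RadiusTimeout(Exception):
    """The server did not answer within the aaa-server 'timeout'."""


@dataclass
class RadiusServer:
    host: str
    backend_users: dict          # constructed stand-in for the IAS/AD user store
    reachable: bool = True
    failed_attempts: int = 0

    def access_request(self, user, password):
        if not self.reachable:
            raise RadiusTimeout(self.host)
        if self.backend_users.get(user) == password:
            return "Access-Accept"
        return "Access-Reject"


@dataclass
class AaaServerGroup:
    name: str
    servers: list
    max_failed_attempts: int = 3   # aaa-server <name> protocol radius / max-failed-attempts

    def authenticate(self, user, password):
        """Walk the servers in order; 'Unreachable' only if no active server answered."""
        for srv in self.servers:
            if srv.failed_attempts >= self.max_failed_attempts:
                continue                 # deactivated until reactivation-mode brings it back
            try:
                return srv.access_request(user, password)
            except RadiusTimeout:
                srv.failed_attempts += 1
        return "Unreachable"


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed local database (the real ASA stores hashes, not clear text).
LOCAL_DB = {"admin": _digest("LocalOnly!23"), "vicky": _digest("StaleLocalPw")}


def local_authenticate(user, password):
    stored = LOCAL_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, _digest(password))


def tunnel_group_authenticate(server_groups, user, password):
    """server_groups mirrors the order on the authentication-server-group line."""
    for group in server_groups:
        if group == "LOCAL":
            return "accept" if local_authenticate(user, password) else "reject"
        result = group.authenticate(user, password)
        if result == "Access-Accept":
            return "accept"
        if result == "Access-Reject":
            return "reject"              # final: the local database is NOT tried
        # "Unreachable": fall through to the next entry in the list
    return "reject"


def run_scenario(radius_reachable):
    """Three users against 'authentication-server-group RADIUS LOCAL'."""
    ias = RadiusServer("winserver", {"vicky": "DomainPw!1"}, reachable=radius_reachable)
    chain = [AaaServerGroup("RADIUS", [ias]), "LOCAL"]
    return {
        "vicky_domain_pw": tunnel_group_authenticate(chain, "vicky", "DomainPw!1"),
        "vicky_stale_local_pw": tunnel_group_authenticate(chain, "vicky", "StaleLocalPw"),
        "admin_local_only": tunnel_group_authenticate(chain, "admin", "LocalOnly!23"),
    }


if __name__ == "__main__":
    print("RADIUS up:  ", run_scenario(True))
    print("RADIUS down:", run_scenario(False))
```

With RADIUS up, the local-only admin account is rejected even though its local password is correct, which is the "all users need a valid username on IAS/AD" consequence the earlier answer notes; with RADIUS down, the stale local passwords become the only ones that work.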
-
Configuration VPN from Site to Site on two ASA5505
I have two ASA5505s, ver 8.4(6) and ver 9.0(2), configured for a lab site-to-site VPN, but without success. I can ping the outside address from both ASAs, but cannot ping the LAN on the other end of the ASA. Here is the output when trying to check whether the VPN tunnel is established. For reference, the configurations are provided below. Any help is very much appreciated.
ASA1# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA1# show crypto ipsec sa
There are no ipsec sas
ASA1:
crypto isakmp enable outside
object network local-net
 subnet 192.168.1.0 255.255.255.0
object network remote-net
 subnet 192.168.2.0 255.255.255.0
!
access-list outside_1_cryptomap extended permit ip object local-net object remote-net
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key pass1234
 isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static local-net local-net destination static remote-net remote-net
exit
ASA2:
crypto isakmp enable outside
object network local-net
 subnet 192.168.2.0 255.255.255.0
object network remote-net
 subnet 192.168.1.0 255.255.255.0
!
access-list outside_1_cryptomap extended permit ip object local-net object remote-net
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key pass1234
 isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 100.100.100.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static local-net local-net destination static remote-net remote-net
exit
ASA1# sh run int
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
ASA1#
ASA1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA1# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.46.71, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/10/20 ms
ASA1#
ASA2# sh run int
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
ASA2# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
!
ASA2# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.46.64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/10/20 ms
ASA2#
If you look at any debugs on the ASA, there are no crypto negotiations of any kind.
The problem may be that you need to generate interesting traffic matching the ACL. I don't know if you are on a physical lab or on GNS3. If you use a physical lab, attach a laptop to the inside interface and configure an IP address in that subnet. You may need to do this for the other ASA. Then initiate a ping to the other network.
-
ASA5505 with 2 VPN tunnels failing to implement the 2nd tunnel
Hello
I have an ASA5505 that currently connects a remote office for VoIP and data. I added a 2nd site-to-site VPN tunnel to a vendor site. It's this 2nd VPN tunnel that I have problems with. It seems that Phase 1 negotiates fine. However, I'm not a VPN expert! So any help would be greatly appreciated. I have attached the running-config of my box, debug (ipsec & isakmp) output and the information the vendor gave me today. They use an ASA5510.
My existing VPN tunnel (which works) is labeled 'outside_1_cryptomap'. It has the following as interesting traffic:
192.168.1.0/24 -> 192.168.3.0/24
192.168.2.0/24 -> 192.168.3.0/24
10.1.1.0/24 -> 192.168.3.0/24
10.1.2.0/24 -> 192.168.3.0/24
10.1.10.0/24 -> 192.168.3.0/24
10.2.10.0/24 -> 192.168.3.0/24
The new VPN tunnel (which does not work) is labeled "eInfomatics_1_cryptomap". It has the following as interesting traffic:
192.168.1.25/32 -> 10.10.10.83/32
192.168.1.25/32 -> 10.10.10.47/32
192.168.1.26/32 -> 10.10.10.83/32
192.168.1.26/32 -> 10.10.10.47/32
Here's the info for the other VPN (copied & pasted from the config):
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.83
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.83
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.47
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.47
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 24.180.14.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address eInfomatics_1_cryptomap
crypto map outside_map 2 set peer 66.193.183.170
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 24.180.14.50 type ipsec-l2l
tunnel-group 24.180.14.50 ipsec-attributes
 pre-shared-key *****
tunnel-group 66.193.183.170 type ipsec-l2l
tunnel-group 66.193.183.170 ipsec-attributes
 pre-shared-key *****
Thanks in advance
-Matt
Hello
The vendor has PFS (Perfect Forward Secrecy) group2 set for Phase 2, and you don't have it.
So you can probably try adding the following:
crypto map outside_map 2 set pfs group2
I think it will simply be entered as
crypto map outside_map 2 set pfs
given that 'group2' is the default.
-Jouni
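Phase 1 completing while Phase 2 fails is the classic symptom of a Phase 2 proposal mismatch, which is what Jouni diagnoses above. The script below is an added example, not code from the thread or from Cisco: it pulls the transform set and PFS setting of one crypto map entry out of the posted config lines and compares them with what the peer states, treating a bare "set pfs" as group2 the way the ASA does. The vendor's parameters are constructed from Jouni's statement (PFS group2, and the 3DES/SHA transform set assumed to match since it was not flagged); lifetimes are left out of the comparison because peers settle on the shorter value.

```python
"""Compare one crypto map entry's Phase 2 parameters with the peer's.

Added example, not the thread's or Cisco's code. Parses only
'crypto ipsec transform-set' and 'crypto map <name> <seq> set ...' lines.
"""
import re

# Lines for entry 2 as posted in the question (local side).
LOCAL_CONFIG = [
    "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac",
    "crypto map outside_map 2 match address eInfomatics_1_cryptomap",
    "crypto map outside_map 2 set peer 66.193.183.170",
    "crypto map outside_map 2 set transform-set ESP-3DES-SHA",
]

# Constructed from the vendor information summarised in the answer.
VENDOR_PHASE2 = {"algorithms": frozenset({"esp-3des", "esp-sha-hmac"}), "pfs": "group2"}


def parse_phase2(config_lines, map_name, seq):
    """Return {'peer', 'transform_set', 'algorithms', 'pfs'} for one map entry."""
    transform_sets = {}
    entry = {"peer": None, "transform_set": None, "pfs": None}
    set_re = re.compile(rf"crypto map {re.escape(map_name)} {seq} set (.+)")
    for line in config_lines:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m.group(1)] = frozenset(m.group(2).split())
            continue
        m = set_re.match(line)
        if not m:
            continue
        args = m.group(1).split()
        if args[0] == "transform-set":
            entry["transform_set"] = args[1]
        elif args[0] == "peer":
            entry["peer"] = args[1]
        elif args[0] == "pfs":
            # "set pfs" with no group keyword means group2 on the ASA
            entry["pfs"] = args[1] if len(args) > 1 else "group2"
    entry["algorithms"] = transform_sets.get(entry["transform_set"])
    return entry


def phase2_mismatches(local, peer):
    """List the Phase 2 parameters that differ between the two sides."""
    problems = []
    if local["algorithms"] != peer["algorithms"]:
        problems.append(f"transform set: local {sorted(local['algorithms'] or [])} "
                        f"vs peer {sorted(peer['algorithms'])}")
    if local["pfs"] != peer["pfs"]:
        problems.append(f"pfs: local {local['pfs']} vs peer {peer['pfs']}")
    return problems


def check(config_lines, map_name="outside_map", seq=2, peer=VENDOR_PHASE2):
    return phase2_mismatches(parse_phase2(config_lines, map_name, seq), peer)


if __name__ == "__main__":
    print("as posted:", check(LOCAL_CONFIG))
    print("with 'set pfs':", check(LOCAL_CONFIG + ["crypto map outside_map 2 set pfs"]))
```

Feeding it the whole running-config works too, since every line it does not recognise is ignored; the useful output is the list of parameters to correct on one side before touching anything else.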
-
Site to site VPN router-ASA5505
Hello
I have a problem with the VPN between an ASA5505 and a 3825 router.
Behind the ASA we have a server that serves a specific port. If for any reason the link is disconnected, the VPN will not come up again if we do not generate traffic to this server. After generating even a ping, the VPN immediately becomes active and communication starts. Another case is when you reboot the ASA: the VPN is not created without a ping from the server behind this ASA.
How could we solve this problem without sending traffic from the server?
How about remote access to this ASA; can I access the internal interface? If I open access on port 443 on the external interface of the ASA, could I access it? Or must I also exclude this traffic from the VPN?
I used the VPN Wizard to configure the ASA and the CLI on the router.
Some troubleshooting and configuration commands follow; if this is not enough please let me know what else you need.
Thanks in advance for your help
ciscoasa# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.10.10.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : AM_ACTIVE
Configuration of the ASA:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.10.10.1
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
The main router configuration:
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 6 _JQfe[BeRGNBCGfbGxxxxxxxxx address 10.10.10.10
!
crypto ipsec transform-set xxxxx esp-des esp-md5-hmac
!
crypto map ETH0 2696 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set xxxxx
 match address 2001
!
access-list 2001 permit ip any 192.168.26.96 0.0.0.7
Post edited by: adriatikb
I just read somewhere that changing the VPN connection type from 'bidirectional' to 'originate-only' or 'answer-only' could help me, but I tested it with no results.
I had the same problem last week, and the TAC engineer on our service ticket told us to downgrade from 8.2(3) to 8.2(1). Since then, it works fine.
-
Hello everyone,
I'm having problems getting IPsec remote access VPN to work.
The goal is to be able to connect to our internal network from home or elsewhere.
When I try to connect to my home VPN, I get no further than Phase 1.
My architecture is a Cisco ASA5505 behind a modem-router from the ISP. The IP address of the modem on the ASA's outside network is 192.168.1.1.
The IP address of the ASA is 192.168.1.254 on the outside and 10.0.0.1 on the inside. I put the ASA in the DMZ of the ISP modem to be able to reach it through the Internet (I wanted to use the ISP modem-router in bridge mode just as a simple gateway and handle everything else with the ASA).
So my problem is that I can't seem to connect to the VPN through the public IP address.
Here is my config:
: Saved
:
ASA Version 8.2(5)
!
hostname Cisco-ASA-5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
clock timezone GMT 1
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 81.253.149.9 80.10.246.1 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
webvpn
username admin password 4RdDnLO1w2ilihWc encrypted
username test password zGOnThs6HPdiZhqs encrypted
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
address-pool VPNpool
tunnel-group testvpn ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c
: end
My client config is attached.
When I look at what happened during the connection with Wireshark, I see 'Port Unreachable'. Do I have to do something on my ISP router? Because I read that it is not necessary to use NAT if the device is in the DMZ.
Can you help me please?
Because of the address you have on your outside interface, you will need to tell your router to forward traffic to the ASA. So you can do NAT or port forwarding to the ASA.
I guess you don't have a single public IP address assigned by your ISP.
Kind regards
Jan
-
Site-to-site VPN does not work between PIX515e and ASA5505
Hello
I was hoping that someone could help me get this VPN to work. The IPsec tunnel is not coming up and I noticed this error:
3 Aug 09 2011 05:13:26 IP = 39.188.41.188, Error processing payload: Payload ID: 1
Reading up on this, it seems that this could be an IKE problem, but I am struggling to find the cause (not helped by the new 8.4 commands).
The configuration is as follows:
Head office
PIX515e v6.3(4)
LAN IP 10.0.160.254/24
Branch
ASA5505 v8.4(1)
LAN IP 192.168.47.254/24
I have attached the configs - can someone help me with this?
Cheers,
Huw
Huw,
1. You do not have an ISAKMP policy that matches the remote site (BTW, you have a lot of policies that serve no purpose; you may want to consider cleaning up your config before adding a new policy).
On the HQ you have this:
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
You need this on the remote site:
crypto ikev1 policy xx
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
2. Your interesting traffic does not match:
At the remote site you have:
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.160.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.47.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
On the HQ:
name 10.0.160.0 ENO_LAN
name 192.168.47.0 EASTMOORS_LAN
access-list outside_cryptomap_20 permit ip ENO_LAN 255.255.255.0 EASTMOORS_LAN 255.255.255.0
You need to add this:
access-list inside_outbound_nat0_acl permit ip ENO_DMZ 255.255.255.0 EASTMOORS_LAN 255.255.255.0
Once you have applied these changes, try to ping through the tunnel. If this still does not work, please post a 'show crypto isakmp sa' and 'show crypto ipsec sa' from both sites.
Thank you.
Raga
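The two things Raga checks by eye (a phase 1 policy both peers can agree on, and crypto ACLs that mirror each other) can be scripted. The following Python is an added example and is not part of the thread: it parses the PIX 6.3 one-line `isakmp policy` form and the ASA 8.4 `crypto ikev1 policy` block form, walks the policies the way an IKEv1 responder does, and expands both crypto ACLs (resolving `name` aliases and network object-groups) to report pairs the other side does not mirror. The two configs embedded in it are constructed to resemble the head office and the branch above; the branch gets an extra, non-matching policy 10 to show the selection, and its object-group carries the 192.168.1.0/24 entry the head office ACL lacks.

```python
"""Phase-1 policy and crypto-ACL mirror check for an IPsec L2L pair.
Added example, not code from the thread. CONFIG_HQ and CONFIG_BRANCH are
constructed to resemble the PIX 6.3 head office and ASA 8.4 branch above;
the addresses are the thread's, the extra branch policy is invented."""
import ipaddress
import re

P1_MATCH = ("authentication", "encryption", "hash", "group")  # lifetime is negotiated down
CONFIG_HQ = """\
name 10.0.160.0 ENO_LAN
name 192.168.47.0 EASTMOORS_LAN
access-list outside_cryptomap_20 permit ip ENO_LAN 255.255.255.0 EASTMOORS_LAN 255.255.255.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""
CONFIG_BRANCH = """\
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.160.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.47.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
"""


def parse_isakmp_policies(config):
    """{priority: {attr: value}} from the PIX 6.x one-line form ('isakmp policy
    20 hash md5') or the ASA block form ('crypto ikev1 policy 10' + indented lines)."""
    policies, block = {}, None
    for raw in config.splitlines():
        m = re.match(r"(?:crypto )?(?:isakmp|ikev1) policy (\d+)(?: (\w+) (\S+))?$", raw.strip())
        if m:
            block = policies.setdefault(int(m.group(1)), {})
            if m.group(2):                     # one-line form carries its attribute
                block[m.group(2)] = m.group(3)
                block = None
        elif block is not None and raw.startswith(" "):
            parts = raw.split()
            if len(parts) == 2 and parts[0] in P1_MATCH + ("lifetime",):
                block[parts[0]] = parts[1]
        else:
            block = None
    return policies


def phase1_match(initiator, responder):
    """Mimic IKEv1 main mode: offers go out in priority order and the responder
    takes the first one equal to one of its own policies in P1_MATCH; lifetime
    settles to the shorter value. Unset attributes (platform defaults) never
    match here. Returns (initiator_prio, responder_prio, agreed) or None."""
    for ip, ipol in sorted(initiator.items()):
        for rp, rpol in sorted(responder.items()):
            if all(ipol.get(k) is not None and ipol.get(k) == rpol.get(k) for k in P1_MATCH):
                life = min(int(ipol.get("lifetime", 86400)), int(rpol.get("lifetime", 86400)))
                return ip, rp, dict(ipol, lifetime=str(life))
    return None


def parse_crypto_acl(config, acl_name):
    """Expand one crypto ACL into a set of (src, dst) IPv4Network pairs, resolving
    'name' aliases and network object-groups (any / host / subnet forms)."""
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)$", config, re.M)}
    groups, grp = {}, None
    for raw in config.splitlines():
        m = re.match(r"object-group network (\S+)$", raw)
        if m:
            grp = groups.setdefault(m.group(1), [])
        elif grp is not None and raw.startswith(" network-object "):
            grp.append(raw.split()[1:])
        elif not raw.startswith(" "):
            grp = None

    def net(tokens):                           # consume one address spec
        t = tokens.pop(0)
        if t == "any":
            return [ipaddress.ip_network("0.0.0.0/0")]
        if t == "object-group":
            return [n for spec in groups[tokens.pop(0)] for n in net(list(spec))]
        addr = tokens.pop(0) if t == "host" else t
        mask = "255.255.255.255" if t == "host" else tokens.pop(0)
        return [ipaddress.ip_network((names.get(addr, addr), mask), strict=False)]

    pairs = set()
    for raw in config.splitlines():
        m = re.match(r"access-list %s (?:extended )?permit ip (.+)$" % re.escape(acl_name), raw)
        if m:
            tokens = m.group(1).split()
            srcs, dsts = net(tokens), net(tokens)   # source spec first, then destination
            pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror_gaps(local_pairs, remote_pairs):
    """Crypto ACLs must mirror: each local (src, dst) needs a remote (dst, src).
    Returns (local pairs the remote lacks, remote pairs the local lacks)."""
    return ({p for p in local_pairs if (p[1], p[0]) not in remote_pairs},
            {p for p in remote_pairs if (p[1], p[0]) not in local_pairs})
```

With the constructed configs, `phase1_match(parse_isakmp_policies(CONFIG_BRANCH), parse_isakmp_policies(CONFIG_HQ))` skips branch policy 10 and pairs branch policy 30 with HQ policy 20 at the shorter 28800 second lifetime, and `mirror_gaps` reports the branch entry 192.168.47.0/24 to 192.168.1.0/24 that the HQ ACL does not mirror, which is the second problem Raga points at. On a real pair, paste `show run crypto` and `show run access-list` from each box into the two strings.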
-
I have invested more than 60 hours trying to figure this out.
I have an ASA5505 which does not connect to my 3825.
Its 'sister', running the same config (except for the inside subnets and outside IP addresses), connects fine.
Here is the config on the ASA:
ZAKASA# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ZAKASA
domain-name *
enable password * encrypted
passwd * encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.64.254 255.255.240.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address * *.9 255.255.255.0
!
interface Vlan5
 nameif VLAN5
 security-level 100
 ip address 192.168.12.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport trunk allowed vlan 1-2,5,1002-1005
 switchport trunk native vlan 1
!
interface Ethernet0/3
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport trunk allowed vlan 1-2,5,1002-1005
 switchport trunk native vlan 1
 switchport mode trunk
!
ftp mode passive
clock timezone EST -5
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.18.10
 name-server 172.16.18.11
 name-server 4.2.2.2
 domain-name *
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.32.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.48.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.96.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.3.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.4.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.12.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.13.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.14.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.80.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.5.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.7.7.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.2.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.3.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.4.4.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.5.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.7.7.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.12.12.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.13.13.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.32.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.48.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.80.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.96.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.112.0 255.255.240.0
access-list capout extended permit ip host * *.162 host * *.9
access-list capout extended permit ip host * *.9 host * *.162
access-list capout extended permit udp host * *.9 eq 4500 host * *.162
access-list capout extended permit udp host * *.9 eq isakmp host * *.162
access-list capout extended permit udp host * *.162 host * *.9 eq isakmp
access-list capout extended permit udp host * *.162 host * *.9 eq 4500
access-list VoIP-Traffic_out extended permit ip 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0
access-list VoIP-Traffic_out extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
access-list VoIP-Traffic_IN extended permit tcp 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0 eq h323
access-list VoIP-Traffic_IN extended permit tcp 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0 eq sip
access-list VoIP-Traffic_IN extended permit tcp 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0 eq 2000
access-list vl5_nat extended permit ip 192.168.12.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu VLAN5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (VLAN5) 1 192.168.12.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 * *.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Myset1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer * *.162
crypto map outside_map 1 set transform-set Myset1
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 VLAN5
ssh timeout 60
console timeout 0
management-access inside
dhcpd lease 14400
dhcpd domain *
!
dhcpd address 172.16.64.101-172.16.64.200 inside
dhcpd dns 172.16.18.11 4.2.2.2 interface inside
dhcpd lease 14400 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain * interface inside
dhcpd enable inside
!
dhcpd address 192.168.12.101-192.168.12.200 VLAN5
dhcpd dns 172.16.18.11 4.2.2.2 interface VLAN5
dhcpd lease 14400 interface VLAN5
dhcpd ping_timeout 750 interface VLAN5
dhcpd domain * interface VLAN5
dhcpd enable VLAN5
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username * password * encrypted privilege 15
tunnel-group * *.162 type ipsec-l2l
tunnel-group * *.162 ipsec-attributes
 pre-shared-key *
!
class-map Voice_OUT
 match dscp ef
class-map Voice_IN
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
policy-map VoicePolicy
 class Voice_OUT
  priority
 class Voice_IN
  priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*
: end
ZAKASA#
The 3825 is set up the same way for the other 5505, 891, 3825 and 2621 that do connect.
Any help would be most appreciated.
Hello
Glad to hear it's up and running.
Please mark the question as answered so future users can learn from your answer.
Regards
-
Cisco ASA5505 to Cisco 800 VPN configuration
I have 2 office buildings using Cisco 800 series routers with a L2L VPN between the two. I'm upgrading the router to an ASA5505 at one of the offices but cannot figure out the L2L VPN on the ASA. Specifically, I can't work out how to set the pre-shared key. On the Cisco 800 there is:
crypto isakmp key ***** address *****
This doesn't seem to work on the ASA. Can anyone help with this? Here is my current config on the Cisco 800...
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***** address *****
!
!
crypto ipsec transform-set DUMAC3 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map MYmap 10 ipsec-isakmp
 set peer 75.148.153.217
 set security-association lifetime seconds 36000
 set transform-set DUMAC3
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
In your crypto maps, the '10' and '65535' are the sequence numbers. A complete crypto map might look like this:
crypto map primaryisp_map 10 match address 101
crypto map primaryisp_map 10 set peer 99.119.80.165
crypto map primaryisp_map 10 set ikev1 transform-set DUMAC3
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
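The reply above shows the crypto map; the pre-shared key itself is the part that moves to a different place on an ASA. There is no `crypto isakmp key ... address ...` on the ASA: the key lives under `tunnel-group <peer-ip> ipsec-attributes` (`ikev1 pre-shared-key` on 8.4, `pre-shared-key` on earlier releases), in the same shape as the tunnel-group blocks posted elsewhere on this page. The script below is an added example, not from the thread. It takes an IOS-style router config, converts ACL wildcard masks to the netmasks the ASA expects, adds the `ikev1` keywords 8.4 requires, and emits the tunnel-group. The input is a constructed Cisco 800 snippet modelled on the one posted; the key `S3cretKey` and the ASA interface name `outside` are made up, and the IOS defaults used for unset policy attributes (rsa-sig, des, sha, group 1, 86400 s) are noted in the code.

```python
"""Translate an IOS site-to-site IPsec config into ASA 8.4 syntax.
Added example, not code from the thread. IOS_800 is a constructed snippet
modelled on the router config above; the key 'S3cretKey' and the ASA
interface name 'outside' are made up."""
import ipaddress
import re

IOS_800 = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key S3cretKey address 75.148.153.217
!
crypto ipsec transform-set DUMAC3 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map MYmap 10 ipsec-isakmp
 set peer 75.148.153.217
 set security-association lifetime seconds 36000
 set transform-set DUMAC3
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
"""
# IOS 'encr' spellings -> ASA 'encryption' keywords
ENCR = {"des": "des", "3des": "3des", "aes": "aes", "aes 192": "aes-192", "aes 256": "aes-256"}


def wildcard_to_mask(wildcard):
    """IOS ACL wildcard (0.0.0.255) -> ASA netmask (255.255.255.0)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF))


def parse_ios(config):
    """Collect the pieces that change on an ASA: policies, keys, transform-sets, maps, ACLs."""
    ios = {"policies": {}, "keys": [], "tsets": {}, "maps": {}, "acls": {}}
    patterns = [
        (r"crypto isakmp policy (\d+)$", lambda m: ios["policies"].setdefault(int(m[1]), {})),
        (r"crypto isakmp key (\S+) address (\S+)$", lambda m: ios["keys"].append((m[2], m[1]))),
        (r"crypto ipsec transform-set (\S+) (.+)$", lambda m: ios["tsets"].__setitem__(m[1], m[2])),
        (r"crypto map (\S+) (\d+) ipsec-isakmp$", lambda m: ios["maps"].setdefault((m[1], int(m[2])), {})),
        (r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$",
         lambda m: ios["acls"].setdefault(m[1], []).append(m.groups()[1:])),
    ]
    block = None                                     # dict of the open policy/map block
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and block is not None:
            words = line.split()
            n = 2 if words[0] == "set" else 1        # 'set peer X' vs 'hash md5'
            block[" ".join(words[:n])] = " ".join(words[n:])
            continue
        block = None
        for pat, handler in patterns:
            m = re.match(pat, line)
            if m:
                result = handler(m)
                block = result if isinstance(result, dict) else None
                break
    return ios


def to_asa(ios, outside="outside"):
    """Render ASA 8.4 lines: key into a tunnel-group, wildcards into netmasks,
    'ikev1' on transform-sets and crypto map entries."""
    out = []
    for prio, pol in sorted(ios["policies"].items()):      # IOS defaults when unset
        out += [f"crypto ikev1 policy {prio}",
                f" authentication {pol.get('authentication', 'rsa-sig')}",
                f" encryption {ENCR[pol.get('encr', 'des')]}",
                f" hash {pol.get('hash', 'sha')}",
                f" group {pol.get('group', '1')}",
                f" lifetime {pol.get('lifetime', '86400')}"]
    for name, algs in ios["tsets"].items():
        out.append(f"crypto ipsec ikev1 transform-set {name} {algs}")
    for number, entries in ios["acls"].items():
        for src, swc, dst, dwc in entries:
            out.append(f"access-list {number} extended permit ip {src} {wildcard_to_mask(swc)} "
                       f"{dst} {wildcard_to_mask(dwc)}")
    for (name, seq), e in sorted(ios["maps"].items()):
        out += [f"crypto map {name} {seq} match address {e['match'].split()[-1]}",
                f"crypto map {name} {seq} set peer {e['set peer']}",
                f"crypto map {name} {seq} set ikev1 transform-set {e['set transform-set']}"]
        if "set security-association" in e:
            out.append(f"crypto map {name} {seq} set security-association {e['set security-association']}")
    for name in sorted({n for n, _ in ios["maps"]}):
        out.append(f"crypto map {name} interface {outside}")
    if ios["maps"]:
        out.append(f"crypto ikev1 enable {outside}")
    for peer, key in ios["keys"]:                    # the part the question asked about
        out += [f"tunnel-group {peer} type ipsec-l2l",
                f"tunnel-group {peer} ipsec-attributes",
                f" ikev1 pre-shared-key {key}"]
    return out


if __name__ == "__main__":
    print("\n".join(to_asa(parse_ios(IOS_800))))
```

The NAT exemption for the 192.168.1.0/24 to 192.168.7.0/24 traffic is deliberately not generated here, since its form depends on the ASA release (pre-8.3 `nat 0 access-list` versus 8.3+ twice NAT); that is the one other piece to add by hand after pasting the output.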
-
ASA5505 - Site-to-Site & RA on the same device
Howdy all,
I am trying to set one up for both a site-to-site and a remote access VPN. Site-to-site works fine; however when I connect using the Cisco client, after the password and the initial connection prompts I get a "not connected" state. The log shows that a crypto map policy match is not found. I had successfully set the unit up for remote access without any site-to-site and faced another set of issues when adding the site-to-site to the working remote access configuration, so I started over, setting up site-to-site first. I tried this through ASDM (which I hate) - the current configuration is from the CLI. Any thoughts would be appreciated; I am sure that I'm just missing a piece or two.
ASA Version 8.2(5)
!
hostname ASA5505
enable password XXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
names
name 192.168.0.0 MainOffice
name 192.168.251.0 RAAddresses
name 10.10.10.0 MainSiteIP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.250.147 255.255.255.0
!
ftp mode passive
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.255.0
access-list 101 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit ip any any
access-list 102 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip RAAddresses 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip 192.168.1.0 255.255.255.0 RAAddresses 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAPool 192.168.251.100-192.168.251.120
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 0 access-list 103
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.250.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http MainOffice 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set CryptoSet esp-aes-256 esp-sha-hmac
crypto ipsec transform-set RA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set RA
crypto map outsidemap0 1 match address 101
crypto map outsidemap0 1 set peer MainSiteIP
crypto map outsidemap0 1 set transform-set CryptoSet
crypto map outsidemap0 interface outside
crypto map mymap 100 ipsec-isakmp dynamic dyn1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
vpn-addr-assign local reuse-delay 5
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-filter value 101
username user1 password IQM/O64OATR4zXx7 encrypted
tunnel-group MainSiteIP type ipsec-l2l
tunnel-group MainSiteIP ipsec-attributes
 pre-shared-key *
tunnel-group RAGroup type remote-access
tunnel-group RAGroup general-attributes
 address-pool RAPool
tunnel-group RAGroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:07120668869a94278df931162ae4d7a5
: end
Hello Robert,
ip local pool RAPool 192.168.251.100-192.168.251.120
access-list No_NAT_RA permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0
no nat (inside) 0 access-list 103
nat (inside) 0 access-list No_NAT_RA
group-policy DfltGrpPolicy attributes
 no vpn-filter value 101
access-list Split standard permit 192.168.1.0 255.255.255.0
group-policy R_A internal
group-policy R_A attributes
 group-lock value RAGroup
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
Kind regards
Julio
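Julio's changes address the NAT exemption and the group policy. The posted config also shows a condition that is consistent with the "crypto map policy not found" message Robert reports: the dynamic map `dyn1` is attached to `crypto map mymap`, but only `outsidemap0` is bound to the outside interface, and a crypto map entry is never consulted until its map is applied with `crypto map NAME interface IF`. The script below is an added example, not from the thread. It lints an ASA config for that condition and for a related silent drop: with `no sysopt connection permit-vpn`, decrypted VPN traffic is checked against the access-group of the interface it arrives on, so a VPN-terminating interface with no inbound access-group drops it. The sample config is constructed to mirror the posted one, using its map and ACL names; the peer address is made up.

```python
"""Lint an ASA config for crypto map entries that can never be used.
Added example, not code from the thread. SAMPLE is constructed to mirror the
posted 8.2 config (map and ACL names from the thread, peer address made up)."""
import re

SAMPLE = """\
access-list 102 extended permit ip any any
access-group 102 in interface inside
crypto ipsec transform-set RA esp-3des esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set RA
crypto map outsidemap0 1 match address 101
crypto map outsidemap0 1 set peer 10.10.10.1
crypto map outsidemap0 1 set transform-set CryptoSet
crypto map outsidemap0 interface outside
crypto map mymap 100 ipsec-isakmp dynamic dyn1
crypto isakmp enable outside
"""
# Same config with the dynamic entry moved onto the map that is actually bound.
FIXED = SAMPLE.replace("crypto map mymap 100", "crypto map outsidemap0 100")


def lint_vpn(config):
    """Return 'CODE: detail' findings for two ASA facts:
    UNBOUND-MAP: a crypto map (static or dynamic entries) is inert until it is
      bound with 'crypto map NAME interface IF'; one map binds per interface.
    VPN-NO-ACL: with 'no sysopt connection permit-vpn' decrypted VPN traffic
      must be permitted by the access-group of the interface it arrives on."""
    maps, bound, dynamic, acl_ifaces = {}, {}, {}, set()
    permit_vpn = True                                   # ASA default
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = re.match(r"crypto map (\S+) (\d+) (ipsec-isakmp dynamic (\S+)|\S.*)$", line)
        if m:
            maps.setdefault(m.group(1), set()).add(int(m.group(2)))
            if m.group(4):
                dynamic.setdefault(m.group(1), []).append(m.group(4))
            continue
        m = re.match(r"access-group \S+ in interface (\S+)$", line)
        if m:
            acl_ifaces.add(m.group(1))
        elif line == "no sysopt connection permit-vpn":
            permit_vpn = False

    findings = []
    for name, seqs in maps.items():
        if name in bound:
            continue
        detail = f"UNBOUND-MAP: crypto map {name} (entries {sorted(seqs)}) is not applied to any interface"
        if name in dynamic and len(bound) == 1:        # suggest the concrete fix
            target, iface = next(iter(bound.items()))
            seq = max(maps.get(target, {0})) + 1        # after the static entries
            detail += (f"; remote-access clients on {iface} get 'crypto map policy not found'."
                       f" Fix: crypto map {target} {seq} ipsec-isakmp dynamic {dynamic[name][0]}")
        findings.append(detail)
    if not permit_vpn:
        for name, iface in bound.items():
            if iface not in acl_ifaces:
                findings.append(f"VPN-NO-ACL: 'no sysopt connection permit-vpn' is set but {iface} "
                                f"(crypto map {name}) has no inbound access-group, so decrypted VPN traffic is dropped")
    return findings


if __name__ == "__main__":
    for finding in lint_vpn(SAMPLE) + lint_vpn(FIXED + "no sysopt connection permit-vpn\n"):
        print(finding)
```

Run against `show run`, the first finding names the map to move the dynamic entry onto and the sequence number to use; the dynamic entry is placed after the static ones so that the configured L2L peer is still matched first.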
-
Need help accessing the internal network via VPN on ASA5505 8.4(1)
Recently I upgraded my ASA5505 from 8.0(2) to 8.4, and since I updated to the new version I can no longer access my home network through the VPN. I can connect to the VPN with no problems, however I can no longer ping or connect to my 10.0 network. Would someone be kind enough to look at my config and tell me what needs to be added to make it work? In my old config I had a NAT statement for the VPN that is no longer there.
I also wanted to configure WebVPN to work as well, and this is something that I've never been able to figure out. Is it also possible for me to be on my 20.0 network, connect to the VPN and access 10.0 as well? When connected to my 20.0 network I don't get prompted for credentials to connect to the VPN. I would be grateful if someone can help me out. The major part of this is the first part of this question.
My configuration:
ASA Version 8.4(1)
!
hostname ASA5505
domain-name xxxxxxxx.dyndns.org
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
name 192.168.10.2 server
name 192.168.10.3 desktop
name 192.168.10.5 canon
name 192.168.10.6 mvix
name 192.168.10.7 xbox
name 192.168.10.8 dvr
name 192.168.10.9 bluray
name 192.168.10.10 lcd
name 192.168.10.11 mp620
name 192.168.10.12 kayla
name 192.168.1.1 asa5505
name 192.168.1.2 ap1
name 192.168.10.4 mvix2
name 192.168.10.13 lcd2
name 192.168.10.14 dvr2
!
interface Vlan1
 nameif management
 security-level 100
 ip address asa5505 255.255.255.248
 management-only
!
interface Vlan2
 mac-address 0050.8db6.8287
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 nameif private
 security-level 100
 ip address 192.168.10.1 255.255.255.224
!
interface Vlan20
 nameif Public
 security-level 100
 ip address 192.168.20.1 255.255.255.224
!
interface Ethernet0/0
 description pointing to WAN
 switchport access vlan 2
!
interface Ethernet0/1
 description Uplink Linksys port 12
 switchport access vlan 10
!
interface Ethernet0/2
 description Server 192.168.10.2/27
 switchport access vlan 10
!
interface Ethernet0/3
 description Uplink Eth1 management
!
interface Ethernet0/4
 switchport access vlan 30
!
interface Ethernet0/5
 switchport access vlan 30
!
interface Ethernet0/6
 switchport access vlan 30
!
interface Ethernet0/7
 description Cisco 1200 Access Point
 switchport trunk allowed vlan 1,10,20
 switchport trunk native vlan 1
 switchport mode trunk
!
banner motd users only, all others must disconnect now!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxx.dyndns.org
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
object network server
 host 192.168.10.2
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.224
object network obj-192.168.20.0
 subnet 192.168.20.0 255.255.255.224
object network server-01
 host 192.168.10.2
object network server-02
 host 192.168.10.2
object network xbox
 host 192.168.10.7
object network xbox-01
 host 192.168.10.7
object network xbox-02
 host 192.168.10.7
object network xbox-03
 host 192.168.10.7
object network xbox-04
 host 192.168.10.7
object network server-03
 host 192.168.10.2
object network server-04
 host 192.168.10.2
object network server-05
 host 192.168.10.2
object network desktop
 host 192.168.10.3
object network kayla
 host 192.168.10.12
access-list Home_VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.224
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 2325
access-list outside_access_in extended permit tcp any object server eq ftp
access-list outside_access_in extended permit tcp any any eq 5851
access-list outside_access_in extended permit udp any any eq 5850
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit udp any any eq syslog
access-list outside_access_in extended permit udp any any eq 88
access-list outside_access_in extended permit udp any any eq 3074
access-list outside_access_in extended permit tcp any any eq 3074
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any object server eq ssh
access-list outside_access_in extended permit tcp any any eq 2322
access-list outside_access_in extended permit tcp any any eq 5900
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit udp any any eq 5852
access-list KaileY_splitTunnelAcl standard permit 192.168.10.0 255.255.255.224
pager lines 24
logging enable
logging timestamp
logging buffer-size 36000
logging buffered warnings
logging trap debugging
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging host management server
mtu management 1500
mtu outside 1500
mtu private 1500
mtu Public 1500
ip local pool IPPOOL 192.168.50.2-192.168.50.10 mask 255.255.255.0
ip local pool VPN_POOL 192.168.100.2-192.168.100.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network server
 nat (private,outside) static interface service tcp ftp 5851
object network obj-192.168.10.0
 nat (private,outside) dynamic interface
object network obj-192.168.20.0
 nat (Public,outside) dynamic interface
object network server-01
 nat (private,outside) static interface service tcp 2325 2325
object network server-02
 nat (private,outside) static interface service udp syslog syslog
object network xbox
 nat (private,outside) static interface service udp 88 88
object network xbox-01
 nat (private,outside) static interface service udp 3074 3074
object network xbox-02
 nat (private,outside) static interface service tcp 3074 3074
object network xbox-03
 nat (private,outside) static interface service tcp domain domain
object network xbox-04
 nat (private,outside) static interface service udp domain domain
object network server-03
 nat (private,outside) static interface service tcp https https
object network server-04
 nat (private,outside) static interface service tcp ssh 2322
object network server-05
 nat (private,outside) static interface service tcp 5900 5900
object network desktop
 nat (private,outside) static interface service tcp 3389 3389
object network kayla
 nat (private,outside) static interface service udp 5852 5852
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.248 management
http redirect outside 80
snmp-server location Office floor
snmp-server contact [email protected]
snmp-server community *
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.248 management
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 30
management-access management
dhcpd dns 24.205.1.14 66.215.64.14
dhcpd ping_timeout 750
dhcpd domain xxxxxxxx.dyndns.org
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.5 management
dhcpd enable management
!
dhcpd address 192.168.10.20-192.168.10.30 private
dhcpd enable private
!
dhcpd address 192.168.20.2-192.168.20.30 Public
dhcpd enable Public
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18
ntp server 129.6.15.28
webvpn
group-policy Home_VPN internal
group-policy Home_VPN attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol ikev1 ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Home_VPN_splitTunnelAcl
 default-domain value www.xxxxxx.com
 address-pools value IPPOOL
 webvpn
  url-list value ClientlessBookmark
group-policy kikou internal
group-policy kikou attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value KaileY_splitTunnelAcl
 default-domain value xxxxxxx.dyndns.org
username scottrog password xxxxxxxxxxxxxx encrypted privilege 0
username john password xxxxxxxxxxxxxxx encrypted privilege 0
username joek password xxxxxxxxxxxx encrypted privilege 0
username eostrike password xxxxxxxxxxxx encrypted privilege 15
username almostsi password xxxxxxxxxxxxxx encrypted privilege 0
username ezdelarosa password xxxxxxxxxxxxxx encrypted privilege 0
tunnel-group Home_VPN type remote-access
tunnel-group Home_VPN general-attributes
 address-pool IPPOOL
 authentication-server-group LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy Home_VPN
 authorization-required
tunnel-group Home_VPN ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group ClientLESS type remote-access
tunnel-group KaileY type remote-access
tunnel-group KaileY general-attributes
 address-pool VPN_POOL
 default-group-policy kikou
tunnel-group KaileY ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group-map default-group Home_VPN
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:438ed6084bb3dc956574b1ce83f52b86
: end
ASA5505#
Here are the NAT statements for your first question:
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
nat (private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.50.0 obj-192.168.50.0
nat (private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0
Then 'clear xlate' after the above, and that should fix your first question.
I will check your second question and get back to you shortly.
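The two `nat ... source static` lines above are the 8.3+ replacement for the `nat (inside) 0 access-list` exemption the poster remembers from 8.0. The script below is an added example, not from the thread: it reads a pre-8.3 exemption ACL and generates the identity twice NAT rules together with the network objects they need. Because manual NAT rules (section 1) are evaluated before object NAT rules (section 2), the identity rules take precedence over `nat (private,outside) dynamic interface`, so VPN return traffic towards the pool is no longer PATed to the outside address. The input is a constructed pre-8.3 fragment written in the poster's style, with the poster's `private` interface and the two VPN pools; only the `A MASK B MASK` ACL form is handled.

```python
"""Rewrite pre-8.3 'nat (if) 0 access-list' exemptions as 8.3+ twice NAT.
Added example, not code from the thread. OLD_CONFIG is a constructed pre-8.3
fragment in the poster's style (interface 'private', VPN pools
192.168.50.0/24 and 192.168.100.0/24). Only the 'A MASK B MASK' ACL form
is handled; 'host' and 'any' entries would need the usual special cases."""
import ipaddress
import re

OLD_CONFIG = """\
access-list private_nat0_outbound extended permit ip 192.168.10.0 255.255.255.224 192.168.50.0 255.255.255.0
access-list private_nat0_outbound extended permit ip 192.168.10.0 255.255.255.224 192.168.100.0 255.255.255.0
nat (private) 0 access-list private_nat0_outbound
nat (private) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""


def obj_name(net):
    """Object name in the style the 8.3 upgrade and ASDM use (obj-<network>)."""
    return f"obj-{net.network_address}"


def parse_nat0(config):
    """Return {inside_if: [(src_net, dst_net), ...]} for every 'nat (if) 0 access-list'."""
    acls = {}
    pat = r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$"
    for name, s, sm, d, dm in re.findall(pat, config, re.M):
        acls.setdefault(name, []).append((ipaddress.ip_network((s, sm), strict=False),
                                          ipaddress.ip_network((d, dm), strict=False)))
    exemptions = {}
    for iface, name in re.findall(r"^nat \((\S+)\) 0 access-list (\S+)$", config, re.M):
        exemptions.setdefault(iface, []).extend(acls.get(name, []))
    return exemptions


def to_twice_nat(exemptions, outside="outside"):
    """Emit the network objects, then one identity twice-NAT rule per ACL entry.
    Manual NAT (section 1) is evaluated before object NAT (section 2), so these
    rules win over 'nat (if,outside) dynamic interface' for the VPN destinations."""
    objects, lines = {}, []
    for pairs in exemptions.values():
        for net in (n for pair in pairs for n in pair):
            if obj_name(net) not in objects:                # define each object once
                objects[obj_name(net)] = net
                lines += [f"object network {obj_name(net)}",
                          f" subnet {net.network_address} {net.netmask}"]
    for iface, pairs in exemptions.items():
        for src, dst in pairs:
            s, d = obj_name(src), obj_name(dst)
            lines.append(f"nat ({iface},{outside}) source static {s} {s} destination static {d} {d}")
    return lines


def convert(config, outside="outside"):
    """Pre-8.3 config text -> list of 8.3+ lines (follow with 'clear xlate')."""
    return to_twice_nat(parse_nat0(config), outside)


if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG)))
```

For the constructed input the output is the object for 192.168.10.0/27 plus the two pool objects, followed by the two `nat (private,outside) source static ... destination static ...` lines, which is the same shape as the answer above; run `clear xlate` afterwards so existing translations are rebuilt under the new rules.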