ASDM conc (ASA) VPN access

I have the script like this:

an ASA, which is the FW, TR making static NAT from the public to the private IP and private IP address add is add conc (another ASA) VPN. I am accessing these devices via the VPN client and I get the address IP of VPN pool set on VPN conc. VPN conc. is in a DMZ VLAN, but it also has connection to the local network segment. Purposes of mgmt, I connect to this VPN through SSH conc via a switch in the local network segment. To use the http access, I have to be on one of the servers that are in the local network segment. Since then, when I set up the VPN connection, I'm sure VPN conc., what can do to access http directly from my PC?

This sets up on the conc VPN:

management-access inside

After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside ip address.

hth
Herbert
(note, I assume the name of the interface connected to the LAN is named "inside", if not adapt at will )

Tags: Cisco Security

Similar Questions

Only way ASA Vpn access

Hello:

I have configured ASA 5505 to acept Cisco VPN Clients on IP-SEC and access internal subnet of tuneling (added a rule exempt NAT too) and the VPN Clients can connect and work without problems.

But no internal network or the ASA I can ping or conect to the VPN Clients.

My configuration:

Internal network: 172.26.1.0 255.255.255.0

The VPN Clients network 172.26.2.0 255.255.255.0

Can you help me?

Here is my configuration:

: Saved : ASA Version 7.2(4) ! hostname ciscoasa domain-name ftf.es enable password xxxxxxx encrypted passwd xxxxx encrypted names name 217.125.44.23 IP_publica name 172.26.1.100 Servidor name 192.168.1.3 IP_externa name 192.168.2.3 IP_Externa2 name 172.26.2.0 VPN_Clients ! interface Vlan1 nameif inside security-level 100 ip address 172.26.1.89 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address IP_externa 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 switchport access vlan 12 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 13 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name ftf.es same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group service terminal-server tcp port-object eq 3389 object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list FTFVPN_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list FTFVPN_Group_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list outside_access_in extended permit tcp any host IP_externa eq 3389 access-list outside_access_in extended permit object-group TCPUDP any host IP_externa eq www access-list FTF_ADSL2_splitTunnelAcl standard permit any access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 VPN_Clients 255.255.255.0 access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 host 172.26.1.199 access-list outside_nat0_outbound extended permit ip VPN_Clients 255.255.255.0 172.26.1.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool vpn 172.26.1.180-172.26.1.200 mask 255.255.255.0 ip local pool vpn2 172.26.2.100-172.26.2.200 mask 255.255.255.0 ip local pool vpn3 172.26.3.100-172.26.4.150 mask 255.255.255.0 ip local pool vpn4 172.26.1.240-172.26.1.250 mask 255.255.255.0 ip local pool FTFVPN_Pool 176.26.1.150-176.26.1.170 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface 3389 Servidor 3389 netmask 255.255.255.255 static (inside,outside) tcp interface www Servidor www netmask 255.255.255.255 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute http server enable http 172.26.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs group1 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 40 set pfs group1 crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 60 set pfs group1 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 80 set pfs group1 crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 100 set pfs group1 crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 120 set pfs group1 crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp nat-traversal  20 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside ! dhcpd address 172.26.1.90-172.26.1.217 inside ! webvpn enable outside url-list FTFVLC "DYNAMICS" cifs://172.26.1.100 1 port-forward TEST 3389 172.26.1.100 3389 Terminal Server group-policy DefaultRAGroup internal group-policy DefaultRAGroup attributes banner value Bienvenido a la red de FTF dns-server value 172.26.1.100 80.58.32.97 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn split-tunnel-policy tunnelall default-domain value ftf.es group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools value vpn2 smartcard-removal-disconnect enable client-firewall none client-access-rule none webvpn   functions url-entry   html-content-filter none   homepage none   keep-alive-ignore 4   http-comp gzip   filter none   url-list none   customization value DfltCustomization   port-forward value TEST   port-forward-name value Acceso a aplicaciones   sso-server none   deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information   svc none   svc keep-installer installed   svc keepalive none   svc rekey time none   svc rekey method none   svc dpd-interval client none   svc dpd-interval gateway none   svc compression deflate group-policy FTFVPN_Group internal group-policy FTFVPN_Group attributes dns-server value 172.26.1.100 vpn-tunnel-protocol IPSec l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value FTFVPN_Group_splitTunnelAcl default-domain value ftf.es address-pools value vpn2 group-policy VPNSSL internal group-policy VPNSSL attributes vpn-tunnel-protocol IPSec l2tp-ipsec webvpn webvpn   functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix username raul password xxxxxx encrypted privilege 0 username raul attributes vpn-group-policy FTFVPN_Group tunnel-group DefaultRAGroup general-attributes address-pool vpn2 default-group-policy DefaultRAGroup tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group DefaultWEBVPNGroup general-attributes default-group-policy VPNSSL tunnel-group DefaultWEBVPNGroup webvpn-attributes nbns-server Servidor master timeout 5 retry 3 tunnel-group FTFVPN_Group type ipsec-ra tunnel-group FTFVPN_Group general-attributes address-pool vpn2 default-group-policy FTFVPN_Group tunnel-group FTFVPN_Group ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny   inspect sunrpc   inspect xdmcp   inspect sip   inspect netbios   inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:f5e713652d4a2e2623248d7e49086105 : end asdm image disk0:/asdm-524.bin asdm location Servidor 255.255.255.255 inside asdm location IP_publica 255.255.255.255 inside asdm location IP_externa 255.255.255.255 inside asdm location IP_Externa2 255.255.255.255 inside asdm location VPN_Clients 255.255.255.0 inside no asdm history enable

Raul,

I don't see to apply ACLs inside the interface or as vpn-filter that will prevent the PING of the SAA within the intellectual property to the VPN client.

Are you sure that the VPN client does not have the Windows Firewall on or antivirus software that prevents to respond to PING?

Federico.

8.3 ASA VPN access rules

Hi, I recently bought an ASA 5520 to use as a VPN gateway for several tunnells site to site VPN. I've upgraded to version 8.3, and set up a lab environment. I implemented a simple VPN with a rule of intellectual property general permit to stert with and everything works fine. I'm having trouble tightenign access now, if I change the access on the SAA for ICMP I can ping both directions, if I add tcp I can telnet from a computer at the other end of the VPN, but if I change the tcp protocol to telnet, I can't connect. the other end on the VPN is a cisco 2620XM and I match the lists of access for each of the changes. I also do not understand the meaning of the ASA access list, it seems that if I want to allow the remote tcp host behind the ASA access I have the host behind the ASA as the source, it appears backward? Anyone can shed some light on this? very much appreciated.

Yes, you are supposed to only configure 'IP' to your ACL (ACL applied to your crypto card) crypto and crypto ACL supposed to mirror image on each peer, so when you change to specific TCP/UDP ports, is not mirror image of the other side/peer more.

I thought that you use ACL applied to "vpn-filter".

But in the previous post, actually configure you ACL on each interface.

The above is 3 different ACL you have applied differently (crypto ACL--> apply to the card crypto, vpn ACL--> apply to vpn-filter and your normal ACL interface).

ASA 5505: VPN access to different subnets

Hi All-

I'm trying to understand how to configure our ASA so that remote users can have VPN access to two different subnets (Office LAN and LAN phone). Currently I have 3 VLAN configuration - VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users must be able to access their PC (192.168.1.0/24) and also have access to the office phone system (192.168.254.0/24). Is it still possible? Here are the configurations on our ASA,

Thanks in advance:

ASA Version 8.2 (5)

!

names of

name 10.0.1.0 Net-10

name 20.0.1.0 Net-20

name phone 192.168.254.0

name 192.168.254.250 PBX

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 13

!

interface Vlan1

nameif inside

security-level 100

192.168.1.98 IP address 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

address IP X.X.139.79 255.255.255.224

!

interface Vlan3

No nameif

security-level 50

192.168.5.1 IP address 255.255.255.0

!

interface Vlan13

nameif phones

security-level 100

192.168.254.200 IP address 255.255.255.0

!

passive FTP mode

object-group service RDP - tcp

EQ port 3389 object

object-group service DM_INLINE_SERVICE_1

the purpose of the ip service

EQ-ssh tcp service object

vpn_nat_inside of access list extensive ip Net-10 255.255.255.224 allow 192.168.1.0 255.255.255.0

access-list extended vpn_nat_inside allowed ip Net-10 255.255.255.224 phones 255.255.255.0

inside_nat0_outbound list extended access permits all ip Net-10 255.255.255.224

inside_access_in of access allowed any ip an extended list

Split_Tunnel_List list standard access allowed Net-10 255.255.255.224

phones_nat0_outbound list extended access permits all ip Net-10 255.255.255.224

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 Mac host everything

pager lines 24

Enable logging

timestamp of the record

record monitor errors

record of the mistakes of history

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

MTU 1500 phones

mask IP local pool SSLClientPool-10 10.0.1.1 - 10.0.1.20 255.255.255.128

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global interface (10 Interior)

Global 1 interface (outside)

global interface (phones) 20

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (10 vpn_nat_inside list of outdoor outdoor access)

NAT (phones) 0-list of access phones_nat0_outbound

NAT (phones) 1 0.0.0.0 0.0.0.0

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 X.X.139.65 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication enable LOCAL console

the ssh LOCAL console AAA authentication

LOCAL AAA authorization command

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint ASDM_TrustPoint0

registration auto

name of the object CN = not - asa .null

pasvpnkey key pair

Configure CRL

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

lifetime 28800

VPN-sessiondb max-session-limit 10

Telnet timeout 5

SSH 192.168.1.100 255.255.255.255 inside

SSH 192.168.1.0 255.255.255.0 inside

SSH Mac 255.255.255.255 outside

SSH timeout 60

Console timeout 0

dhcpd auto_config inside

!

dhcpd address 192.168.1.222 - 192.168.1.223 inside

dhcpd dns 64.238.96.12 66.180.96.12 interface inside

!

a basic threat threat detection

host of statistical threat detection

Statistics-list of access threat detection

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

SSL-trust outside ASDM_TrustPoint0 point

WebVPN

allow outside

AnyConnect essentials

SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image

enable SVC

tunnel-group-list activate

internal SSLClientPolicy group strategy

attributes of Group Policy SSLClientPolicy

WINS server no

value of 64.238.96.12 DNS server 66.180.96.12

VPN-access-hour no

VPN - connections 3

VPN-idle-timeout no

VPN-session-timeout no

IPv6-vpn-filter no

VPN-tunnel-Protocol svc

group-lock value NO-SSL-VPN

by default no

VLAN no

NAC settings no

WebVPN

SVC mtu 1200

SVC keepalive 60

client of dpd-interval SVC no

dpd-interval SVC bridge no

SVC compression no

attributes of Group Policy DfltGrpPolicy

value of 64.238.96.12 DNS server 66.180.96.12

Protocol-tunnel-VPN IPSec svc webvpn

attributes global-tunnel-group DefaultRAGroup

address-pool SSLClientPool-10

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared key *.

NO-SSL-VPN Tunnel-group type remote access

General-attributes of the NO-SSL-VPN Tunnel-group

address-pool SSLClientPool-10

Group Policy - by default-SSLClientPolicy

NO-SSL-VPN Tunnel - webvpn-attributes group

enable PAS_VPN group-alias

allow group-url https://X.X.139.79/PAS_VPN

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

privilege level 3 mode exec cmd command perfmon

privilege level 3 mode exec cmd ping command

mode privileged exec command cmd level 3

logging of the privilege level 3 mode exec cmd commands

privilege level 3 exec command failover mode cmd

privilege level 3 mode exec command packet cmd - draw

privilege show import at the level 5 exec mode command

privilege level 5 see fashion exec running-config command

order of privilege show level 3 exec mode reload

privilege level 3 exec mode control fashion show

privilege see the level 3 exec firewall command mode

privilege see the level 3 exec mode command ASP.

processor mode privileged exec command to see the level 3

privilege command shell see the level 3 exec mode

privilege show level 3 exec command clock mode

privilege exec mode level 3 dns-hosts command show

privilege see the level 3 exec command access-list mode

logging of orders privilege see the level 3 exec mode

privilege, level 3 see the exec command mode vlan

privilege show level 3 exec command ip mode

privilege, level 3 see fashion exec command ipv6

privilege, level 3 see the exec command failover mode

privilege, level 3 see fashion exec command asdm

exec mode privilege see the level 3 command arp

command routing privilege see the level 3 exec mode

privilege, level 3 see fashion exec command ospf

privilege, level 3 see the exec command in aaa-server mode

AAA mode privileged exec command to see the level 3

privilege, level 3 see fashion exec command eigrp

privilege see the level 3 exec mode command crypto

privilege, level 3 see fashion exec command vpn-sessiondb

privilege level 3 exec mode command ssh show

privilege, level 3 see fashion exec command dhcpd

privilege, level 3 see the vpnclient command exec mode

privilege, level 3 see fashion exec command vpn

privilege level see the 3 blocks from exec mode command

privilege, level 3 see fashion exec command wccp

privilege see the level 3 exec command mode dynamic filters

privilege, level 3 see the exec command in webvpn mode

privilege control module see the level 3 exec mode

privilege, level 3 see fashion exec command uauth

privilege see the level 3 exec command compression mode

level 3 for the show privilege mode configure the command interface

level 3 for the show privilege mode set clock command

level 3 for the show privilege mode configure the access-list command

level 3 for the show privilege mode set up the registration of the order

level 3 for the show privilege mode configure ip command

level 3 for the show privilege mode configure command failover

level 5 mode see the privilege set up command asdm

level 3 for the show privilege mode configure arp command

level 3 for the show privilege mode configure the command routing

level 3 for the show privilege mode configure aaa-order server

level mode 3 privilege see the command configure aaa

level 3 for the show privilege mode configure command crypto

level 3 for the show privilege mode configure ssh command

level 3 for the show privilege mode configure command dhcpd

level 5 mode see the privilege set privilege to command

privilege level clear 3 mode exec command dns host

logging of the privilege clear level 3 exec mode commands

clear level 3 arp command mode privileged exec

AAA-server of privilege clear level 3 exec mode command

privilege clear level 3 exec mode command crypto

privilege clear level 3 exec command mode dynamic filters

level 3 for the privilege cmd mode configure command failover

clear level 3 privilege mode set the logging of command

privilege mode clear level 3 Configure arp command

clear level 3 privilege mode configure command crypto

clear level 3 privilege mode configure aaa-order server

context of prompt hostname

no remote anonymous reporting call

Hello

Loss of connectivity to the LAN is not really supposed all remove this command UNLESS your network is using another device as their gateway to the Internet. In this case configuration dynamic PAT or political dynamics PAT (as you) would make sense because the LAN hosts would see your VPN connection from the same directly connected network users and would be know to traffic before the ASA rather than their default gateway.

So is this just for VPN usage and NOT the gateway on the LAN?

If it is just the VPN device I'd adding this

global interface (phones) 10

He would do the same translation for 'phones' as he does on 'inside' (of course with different PAT IP)

-Jouni

Unable to connect to other remote access (ASA) VPN clients

Hello

I have a cisco ASA 5510 appliance configured with remote VPN access

I can connect all hosts on the INSIDE and DMZ network, but not able to access other clients connected to the same VPN.

For example, if I have 2 clients connected to the VPN, customer and CustomerB, with a pool of vpn IP addresses such as 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.

Any help is welcome.

Thanks in advance.

Hello

I'm a little rusty on the old format NAT, but would be what I would personally try to configure NAT0 on the 'outer' interface.

It seems to me that you currently have dynamic PAT configured for the VPN users you have this

NAT (outside) 1 10.40.170.0 255.255.255.0

If your traffic is probably corresponding to it.

The only thing I can think of at the moment would be to configure

Note of VPN-CLIENT-NAT0-access-list NAT0 for traffic between VPN Clients

list of access VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0

NAT (outside) 0-list of access VPN-CLIENT-NAT0

I don't know if it works. I did not really have to configure it on any ASAs running older software. There was some similar questions here on the forums for the new format.

-Jouni

Remote RDP client VPN access on ASA 5510

Hello.

We have configured the VPN tunnel from site of offshore to the location of the customer using ASA5510 and access to RDP to the location of the customer. Also been configured remote VPN access in offshore location. But using the remote VPN client, we are able to get the RDP of officeshore location but not able to access to the location of the RDP client. Are there any additional changes required?

Thank you

Hi Salsrinivas,

so to summarize:

the VPN client connects to the ASA offshore

the VPN client can successfully RDP on a server at the offshore location

the VPN client cannot NOT RDP on a server at the location of the customer

offshore and the location of the customer are connected by a tunnel L2L

(and between the 2 sites RDP works very well)

is that correct?

Things to check:

-the vpn in the ACL crypto pool?

-you're exemption nat for traffic between the vpn pool and 'customer' LAN? is the exemption outside (vpn clients are coming from the outside)?

-you have "same-security-traffic permitted intra-interface" enabled (traffic will appear outside and go back outside)?

If you need help more could you put a config (sterilized) Please?

HTH
Herbert

Remote access ASA, VPN and NAT

Hello

I try to get access to remote VPN work using a Cisco VPN client and ASA with no split tunneling. The VPN works a little, I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the log ASA except these:

1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/54918 dst outsidexx.xxx.xxx.xxx/53

There is only one address public IP that is assigned to the external interface of DHCP. The Interior is 192.168.1.0/24 network which is PAT'ed to the external interface and the VPN network is 192.168.47.X.

I think my problem is that the net.47 is not NAT'ed out properly and I don't know how to put in place exactly. I can't understand how this is supposed to work since the net VPN technically provenance from the outside already.

Here are all the relevant config:

list of vpn access extended permits all ip 192.168.47.0 255.255.255.0
Within 1500 MTU
Outside 1500 MTU
IP local pool vpnpool 192.168.47.200 - 192.168.47.220 mask 255.255.255.0
IP verify reverse path to the outside interface
IP audit info alarm drop action
IP audit attack alarm drop action
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
Global interface (2 inside)
Global 1 interface (outside)
NAT (inside) 0-list of access vpn
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 2 192.168.47.0 255.255.255.0 outside
static (inside, outside) tcp 3074 XBOX360 3074 netmask 255.255.255.255 interface
static (inside, outside) udp 3074 XBOX360 3074 netmask 255.255.255.255 interface
public static (inside, outside) udp interface 88 88 XBOX360 netmask 255.255.255.255
public static tcp (indoor, outdoor) https someids netmask 255.255.255.255 https interface

I can post more of the configuration if necessary.

Change ' nat (outside) 2 192.168.47.0 255.255.255.0 apart ' "NAT (2-list of vpn access outdoors outside)" gives these:

1 Jul 06:18:35 % gatekeeper ASA-3-305005: no group of translation not found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

So, how I do right NAT VPN traffic so it can access the Internet?

A few things that needs to be changed:

(1) NAT exemption what ACL must be modified to be more specific while the traffic between the internal subnets and subnet pool vpn is not coordinated. NAT exemption takes precedence over all other statements of NAT, so your internet traffic from the vpn does not work.

This ACL:

list of vpn access extended permits all ip 192.168.47.0 255.255.255.0

Should be changed to:

extensive list of access vpn ip 192.168.47.0 255.255.255.0 allow

(2) you don't need statement "overall (inside) 2. Here's what to be configured:

no nat (outside) 2 192.168.47.0 255.255.255.0 outside

no global interface (2 inside)

NAT (outside) 1 192.168.47.0 255.255.255.0

(3) and finally, you must activate the following allow traffic back on the external interface:

permit same-security-traffic intra-interface

And don't forget to clear xlate after the changes described above and connect to your VPN.

Hope that helps.

Wacky VPN access problem of ASA

Hi people,

I am currenty a situation, and I am in real need of advice...

The situation is that, if ASA helps my remote branches to access my home network and its allowing people to visit Internet inside, its not allowing the remote VPN client VPN access... R V to aid VPN client version of Cisco 4.6...

See a presentation of basic network that illustrates our network and configuration of the ASA...

Advice to solve this problem will be greatly appreciated...

Kind regards

Noman Bari

I see what rou are... Please see my attchement...

Please rate if it helps!

asa himself through site to site vpn access server

Hello

I have problem with access to the servers through site to site vpn to ASA that makes this vpn site-to-site and Clientless VPN enablerd.

Reason why I need it / what I do:

ASA 5510 enabled Clientless VPN and on this Portal allows users to access internal servers through bookmars URL. We use it when someone wouldn't access IPSec VPN or in an internet café. If this user connects to clientless vpn and click on the bookmark to access for example mail server. But there is problem, asa cannot access this server through VPN site-to-site.

Network:

Here's a quick design of my network.

I don't have server access to the problem in the VLAN 159 of VLAN 10, or 100. But I need to be able to access the server in Vlan 159 of ASA 5510, who owns the IP 192.168.1.4.

I have this subnet ASA owned by FRONT-NAT object in the same place that VLAN 10 to 100 are and vpn Site-to-Site profile.

What I makeover or how can I solve it?

Thank you

Clientless VPN when accessing internal servers, it will use the closest to the source of the connection interface and if you connect to via clientless SSL VPN ASA5510 and need access ASA5505 LAN via the site to site VPN, the interface closest to the ASA5510 to ASA5505 LAN is ASA5510 outside interface, therefore, the vpn of site-to-site crypto ACL must match on ASA5510 outside the ip address of the interface.

Here's what you need on each ASA:

ASA5510:

permit same-security-traffic intra-interface

ip 192.168.159.0 external interface allowed access list 255.255.255.0

ASA5505:

ip 192.168.159.0 access list allow 255.255.255.0 host

In addition, also need to add the same ACL for access-list of exemptions on ASA5505 NAT:

ip 192.168.159.0 access list allow 255.255.255.0 host

Hope that helps.

VPN access to the not directly connected networks

Hello

I have a 5510 which is used for Client VPN access and there is something simple that I can't work.

The VPN part works very well with AAA on a CBS.

But what does not is access to networks that are not directly connected to the inside interface.

That is to say the VPN users can connect to the network within the Interface (say 192.168.0.0/24) but not a 10.0.0.0/8 network which is connected through 192.168.0.1 router.

I have the static routes in Routing and firewall all showing the way back to the firewall on all the other networks, but I don't get more far the 192.168.0.1 router...

I use split tunneling and pass all of the private over the VPN - internet networks is used through the own local access to clients.

Can someone help me out here?

Thank you.

Fraser

PS: have the same type of access on a 7206VXR and soft, everything can be consulted and which is necessary - but I would like to move this service to the ASA.

Fraser

I don't understand the ASDM parts as you suggest. The code would be great.

I would also recommend control ACL applied to the inside interface (if any) that it allows traffic as

inside_access_in list of permitted access 10.0.0.0 255.0.0.0 vpnsubnet vpnnetmask

If still no joy, attach your config sanitized, would be useful for me to diagnose.

Concerning

VPN access to several local networks virtual asa8.3

you are looking for assistance. This one goes batty.

I have ASA 5510 8.3 running

It serves as a router, firewall and vpn.

the underlying network works fine.

When I connect via VPN, I can only access my reseau.41 and not on the reseau.42. When I try to do a ping.42 I get this error:

5 October 18, 2010 00:33:13 192.168.42.11 3389 rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src Outside:192.168.43.200/2916 dst servers:192.168.42.11/3389 refused due to path failure reverse that of NAT

If I flip through these rules in order to config then I can acceder.42 through the vpn but pas.41

NAT (servers, all) static source any any destination static obj-vpnpool obj-vpnpool
NAT (iscsimgmt, any) static source any any destination static obj-vpnpool obj-vpnpool

I'm confused because it's all a new config and I used the wizard in asdm and couldn't access squat (perhaps he does not know how to manage the VLAN)?

the ASA may well ping of all networks.

devices on the network can ping each other fine

just via ipsec vpn, I can't access both networks.

thoughts?

Please configure a more specific NAT statements as follows:

object obj-iscsimgmt network
192.168.42.0 subnet 255.255.255.0

NAT (servers, Outside) source static obj-servers obj-servers destination static obj-vpnpool obj-vpnpool
NAT (iscsimgmt, Outside) source static obj-iscsimgmt obj-iscsimgmt destination static obj-vpnpool obj-vpnpool

And pls Remove the following:

NAT (servers, all) static source any any destination static obj-vpnpool obj-vpnpool
NAT (iscsimgmt, any) static source any any destination static obj-vpnpool obj-vpnpool

Then "clear xlate" after the changes described above.

Hope that helps.

ASA VPN

Hello

I have a question concerning the VPN, is it possible to configure the two IPsec VPN site-to-site and remote access vpn on the same ASA and working at the same time, does require one or two different public ip addresses?

I have cisco ASA 5540 - version 9.1

Best regards

Hello

Yes, you can with 1 single public ip address. You need to activate the same-security-traffic allow intra-interface functionality to allow a customer vpn site-to-site vpn access if you need.

Take a look at the Cisco documentation;

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Thank you

PS: Please do not forget to rate and score as good response if this solves your problem

ASA VPN - allow user based on LDAP Group

Hello friends

I have create a configuration to allow connection based on LDAP Group.

I m not specialize in the firewall and I tried to follow the links above, but both seem old, commanded several is not available.

http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Anyone know how I can do?

Thank you

Marcio

I like to use the Protocol DAP (dynamic access policies) to control this. Follow this guide:

https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

Data capture ASA VPN

Hello

We have an asa 5585 on the network and it is configured for remote access VPN with RSA.

When a VPN user connects to their VPN, he is invited for a PIN followed their secure ID token code.

We want to simplify our VPN configuration if we starting from a perspective of support and management, users use a hard chips. Currently, many lose their chips or have a connection problem, so I would like to know what simple VPN solution, we have in place.

Then is it possible on the ASA when I check my VPN traffic to determine what users are using the VPN for, since the purpose is if they only use it for email, so we can advise them to use webmail rather and can disable VPN access.

With respect to the VPN, I see only two options; you either empty tokens to make life easier or you keep them and put up with it.

Assign the static IP address by ISE, ASA VPN clients

We will integrate the remote access ASA VPN service with a new 1.2 ISE.

Authentication is performed in Active directory. After authentication, can address assigned to a specific user of VPN by ISE IP?

This means that the same VPN user will always get the same IP address. Thank you.

Daniel,

You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.

However if I may make a suggestion:

Unless you have only a handful of users to do so, it may be appropriate to assign the address of ISE pool or perform the mapping of LDAP attributes on ASA itself.

In the latter case, the IP addresses are kept on the server as LDAP attributes and ASA will map the IP address. You don't want to keep address IP DB in several places.

M.

ASDM conc (ASA) VPN access

Similar Questions

Maybe you are looking for