Cisco ASA tunnel access list question
We have created a site-to-site IPsec tunnel. Initially, only two IP addresses were allowed access to the tunnel. They are now asking for more addresses. My question is: if I use access-list inside_access_in extended permit ip any host 10.60.55.10, do I also have to make a NAT statement that allows this?
And when we change the site-to-site VPN connection profile, I have to allow all through this tunnel as well, correct?
Thank you, and I hope this makes sense. We were originally thinking of policy-based routing on the core nearest the source.
Dwane
Hi Sylvie,
If you use NAT then I say yes, you must take it into account... Normally, in a private LAN in an L2L scenario, you would have used no-NAT... If you have identical LANs at both ends, then you might be using NAT to different subnets at both ends... If you use NAT to the public IP then the L2L will be based on the public IP address... So it depends on your current configuration.
If you use any to 10.60.55.10, then any subnet on your site which flows through the VPN firewall to 10.60.55.10 is allowed... here you may need to modify the NAT for the source...
But the problem comes from the other end... for them the source will be 10.60.55.10 and the destination would be... then all traffic from host 10.60.55.10 is taken through the tunnel...
So instead of making a statement with any, use its respective larger nets, 172.16.0.0/16 for example...
Regards
Knockaert
Tags: Cisco Security
Similar Questions
-
A possible bug related to the Cisco ASA "show access-list"?
We had a strange problem in our ASA configuration.
In the "show running-config":
access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in extended permit ip object 172.31.254.2 any log
access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in extended permit ip object windowsusageVM any log
access-list inside_access_in extended permit ip any object testCSM
access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in extended permit ip host 172.31.254.2 any log
access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
In the "show access-list":
access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a3bacc1
access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x0685254a
access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0x7e7ca5a7
access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcnt=0) 0x02a111af
access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt=0) 0x19244261
access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcnt=0) 0x0dbff051
access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7b798b0e
access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log interval 300 (hitcnt=0) 0xb6c1be37
access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 29 extended permit ip any object testCSM (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log interval 300 (hitcnt=0) 0xe361b6ed
access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
There is a remark in the running configuration (line 26):
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
This remark is missing in "show access-list". In the access list, for all lines after this remark, the line number is no longer correct. This causes problems when trying to use the line number to insert a new rule.
Has anyone seen this problem before? Is this a known issue? I am happy to provide more information if necessary.
Thanks in advance.
Here is the version:
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.1(3)
Compiled on Fri 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fmciscoasa up 1 hour 56 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
Could be related to the following bug:
CSCtq12090: ACL remark line is missing when an object range is used in the ACL
Fixed in 8.4(6), so upgrade to a newer version and check again.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
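A check for the mismatch described in this thread, added here as an example; it is not code from the thread or from Cisco. It parses a constructed slice of both outputs (modelled on the lines above), keeps the first of the repeated object-expansion lines for each line number, and reports which remark the "show access-list" output dropped and which entries are therefore displayed at a different number than their running-config position implies. The ACL name, the slices and the line numbers are constructed for the example.

```python
import re

# Constructed sample, modelled on the thread above (not copied from a device):
# a slice of "show running-config" and the matching slice of "show access-list".
RUNNING_CONFIG = """\
access-list inside_access_in remark CM0000012 EXP:1/16/2014 JST:FTP
access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
access-list inside_access_in remark CM0000088 EXP:1/16/2014 JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
access-list inside_access_in remark CM0000014 EXP:1/16/2014 JST:DropIP
access-list inside_access_in extended permit ip object windowsusageVM any log
"""

SHOW_ACCESS_LIST = """\
access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 JST:FTP
access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 JST:DropIP
access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
"""


def normalize(body):
    """Strip what only "show access-list" adds (log options, hit count, hash) and
    the trailing 'log' keyword, so entries from both outputs compare equal."""
    body = re.sub(r" log informational interval \d+.*$", "", body)
    body = re.sub(r" \(hitcnt=\d+\).*$", "", body)
    body = re.sub(r" log$", "", body)
    return body.strip()


def parse_running(text, acl):
    """Return the ACL's entries (remarks and ACEs) in running-config order."""
    prefix = "access-list %s " % acl
    return [normalize(line[len(prefix):]) for line in text.splitlines()
            if line.startswith(prefix)]


def parse_show(text, acl):
    """Map each displayed line number to its first body. Object-based ACEs are
    shown twice (object form, then expanded form) under one number, so the
    first occurrence is the one kept."""
    pat = re.compile(r"^access-list %s line (\d+) (.*)$" % re.escape(acl))
    shown = {}
    for line in text.splitlines():
        m = pat.match(line)
        if m and int(m.group(1)) not in shown:
            shown[int(m.group(1))] = normalize(m.group(2))
    return shown


def reconcile(running, shown):
    """Walk the running-config in order; each entry should sit at the line number
    its position implies. Returns (entries missing from the show output,
    {entry: (expected_line, displayed_line)} for entries whose number drifted)."""
    body_to_line = {body: n for n, body in shown.items()}
    start = min(shown)
    missing, drift = [], {}
    for offset, body in enumerate(running):
        expected = start + offset
        actual = body_to_line.get(body)
        if actual is None:
            missing.append(body)
        elif actual != expected:
            drift[body] = (expected, actual)
    return missing, drift


def check(acl="inside_access_in"):
    return reconcile(parse_running(RUNNING_CONFIG, acl),
                     parse_show(SHOW_ACCESS_LIST, acl))


if __name__ == "__main__":
    missing, drift = check()
    for body in missing:
        print("not shown by 'show access-list':", body)
    for body, (expected, actual) in drift.items():
        print("expected line %d, displayed as line %d: %s" % (expected, actual, body))
```

Run a check like this before inserting with a line number, and afterwards confirm with "show access-list" that the new rule landed next to the ACE you intended rather than one position off.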
I have a main router, a Cisco 871, and 5 remote sites using the Cisco 850. The tunnel comes up fine and I can ping back from the 850 to the 871. However, I think I have an access list problem, because I can't open the main database, which is on the main site, from any of the 5 locations, nor can I get on the internet through the proxy server, nor get to the other sites. I can ping these remote sites, but cannot actually use them. These rules are very different from the PIX.
192.168.1.x
* THE REMOTE SITE
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 101
192.168.0.x
* MAIN ROUTER
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map nonat permit 10
 match ip address 101
!
ip tcp mss <68-10000>
Hope this helps,
Gilbert
-
Hi all
Sorry if my question sounds stupid, but I have had a lot of problems with the access list syntax, especially removing a line from an access list. For example:
Here is my access list
access-list 120 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 192.168.6.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 120 permit ip 192.168.6.0 0.0.0.255 172.17.0.0 0.0.255.255
If I want to delete only this line
access-list 120 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255
I do not know how; if I do:
no access-list 120 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255
the whole access-list 120 is removed!
Help, please!
Olivier
Hi, this is the usual behavior: if you delete a statement from a numbered access list, the entire access list is deleted.
You can create a named extended access-list and have a sequence number for each statement.
!
ip access-list standard remark
 permit 172.10.0.0 0.0.255.255
 permit 10.1.1.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny any
!
And if you want to delete something in between, or any particular line, you can run the command like this, which will remove that line instead of the entire ACL:
(config)# ip access-list standard remark
(config-std-nacl)# no 3
These configuration lines will remove the third line only (which is the permit 192.168.1.0 0.0.0.255), leaving the other statements.
Regards
-
PIX 501 ICMP access list Question
According to the book I have on the PIX firewall, and from what I know of dealing with access lists on routers and switches, access lists define what traffic is allowed out of the network. With the PIX, access lists can only be applied one way, to the interface the traffic enters, not the one it leaves. That's my understanding, but when I do an ICMP command:
PIX1(config)# access-list ethernet1 permit icmp any any echo-reply
PIX1(config)# access-list ethernet1 permit icmp any any unreachable
PIX1(config)# access-group ethernet1 in interface inside
This does not work, but if I apply the access-group to the outside interface it works. I understand why it is like that.
Thank you
This works because the PIX is not aware of session state for ICMP traffic the way it is for TCP and UDP.
By default, access from a higher-security interface to a lower-security one is allowed, unless you have an ACL applied to the higher-security interface; then only what the ACL permits will be allowed. So you can send outbound ICMP echo requests. However, for the response to be returned, you must allow that explicitly in an ACL applied on the outside interface, because the PIX won't allow any outside traffic by default.
The same goes for ICMP unreachable, although I would be careful about putting that in the config. Allow only the unreachable due to TTL expired, to facilitate path MTU discovery, not all unreachables.
Let me know if it helps.
-
Restrictions of ASA Anyconnect for Split Tunneling network list
Hello
I have a question. We use a Cisco ASA 5520 with firmware version 9.1.1, configured for SSL VPN AnyConnect (AnyConnect client version 2.5.605).
We use a big split-tunneling access-list with 200 ACEs.
If I add more than 200 entries to the access list and then connect to the VPN, we see that only 200 entries have been added to the routing table.
So my question is: is there a limit for the split-tunneling ACL when you use the AnyConnect client?
Thank you
Hello
This is documented in an internal bug at Cisco. Unfortunately, as it is internal, I will not be able to share it with you. The only workaround available as of now is to combine your networks and make the list as small as possible, covering all the required networks with 200 entries or fewer.
Thank you
Jeet Kumar
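A way to apply the workaround in this answer (combine the networks until the list fits under 200 entries), added here as an example and not code from Cisco or from the thread. It uses Python's ipaddress module; the 200 limit is the figure reported in the thread, the two network lists are constructed, and the point it makes visible is that summarizing scattered prefixes widens the set of destinations sent through the tunnel, which is the part to review before pushing the shorter list.

```python
import ipaddress

MAX_ACES = 200  # the split-tunnel entry count the thread reports as the ceiling


def collapse(nets):
    """Merge overlapping and adjacent prefixes, e.g. 10.1.0.0/24 + 10.1.1.0/24 ->
    10.1.0.0/23. This loses nothing: exactly the same addresses are covered."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))


def fit_to_limit(nets, limit=MAX_ACES):
    """Shrink a split-tunnel network list to at most `limit` entries.

    First collapse exact neighbours; if the list is still too long, shorten the
    longest prefixes one bit at a time (supernetting) until it fits. Returns the
    reduced list and the number of addresses now sent through the tunnel that
    were not in the original list (the widening a reviewer should look at)."""
    exact = collapse(nets)
    current = list(exact)
    prefix = max(n.prefixlen for n in current)
    while len(current) > limit and prefix > 0:
        prefix -= 1
        current = list(ipaddress.collapse_addresses(
            n.supernet(new_prefix=prefix) if n.prefixlen > prefix else n
            for n in current))
    extra = (sum(n.num_addresses for n in current)
             - sum(n.num_addresses for n in exact))
    return current, extra


def still_covered(original, reduced):
    """Every original network must lie inside some entry of the reduced list."""
    reduced = [ipaddress.ip_network(str(r)) for r in reduced]
    return all(any(o.subnet_of(r) for r in reduced)
               for o in map(ipaddress.ip_network, original))


# Constructed inputs: 250 /24s that are contiguous, and 250 /24s spread one per /16.
CONTIGUOUS = ["10.0.%d.0/24" % i for i in range(250)]
SCATTERED = ["10.%d.0.0/24" % i for i in range(250)]

if __name__ == "__main__":
    for name, nets in (("contiguous", CONTIGUOUS), ("scattered", SCATTERED)):
        reduced, extra = fit_to_limit(nets)
        print("%s: %d entries -> %d, %d extra addresses tunneled, covered=%s"
              % (name, len(nets), len(reduced), extra, still_covered(nets, reduced)))
```

The contiguous list collapses to six entries with no widening at all; the scattered list only fits once whole /16s are merged, which pulls over sixteen million addresses into the tunnel that were never in the original list. When the second outcome is what you get, a shorter list of the networks that actually need the tunnel is the better fix than supernetting.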
-
Question of access list for Cisco 1710 performing the 3DES VPN tunnel
I have a question about the use of access lists in the configuration of a Cisco 1710 router that uses access lists to control traffic through the VPN tunnel.
For example, take the following lines in a configuration on the remote router. My question is whether traffic that matches the definition of access-list 130 (anything other than 192.168.100.0/24) crosses the VPN tunnel or goes directly out the Ethernet0 interface.
My understanding is that traffic matching access list 120 would be encrypted and sent through the IPSec tunnel. If there were "deny" statements in access-list 120, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the crypto map definition only references "match address 120", any traffic matching access list 130 would be sent out Ethernet0 but not associated with the crypto map, and thus not sent through the IPSec tunnel.
Any input or assistance would be greatly appreciated.
crypto map Test 11 ipsec-isakmp
 ..
 match address 120
interface Ethernet0
 ..
 crypto map Test
ip nat inside source route-map nonat interface Ethernet0 overload
access-list 120 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 permit ip 192.168.100.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 130
It would go out interface e0 to the Internet in clear text, without going over the tunnel.
Jean Marc
-
Cisco ASA VPN tunnel question - DMZ interface
I am trying to build a tunnel to a customer with NAT and I'm able to get 3 of the 4 networks to communicate. The one that is not responding is a DMZ network. Excerpts from the config are below. What am I doing wrong with the 10.0.87.0/24 network? The error in the log is "routing cannot locate the next hop".
interface Ethernet0/1
 speed 100
 duplex half
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
 rip send version 1
!
interface Ethernet0/2
 nameif DMZ
 security-level 4
 ip address 172.16.1.1 255.255.255.0
 ospf cost 10
!
object network obj-172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network comm-10.240.0.0
 subnet 10.240.0.0 255.255.0.0
object network obj-10.0.12.0
 subnet 10.0.12.0 255.255.255.0
object network obj-10.0.14.0
 subnet 10.0.14.0 255.255.255.0
object network DNI-NAT1
 subnet 10.0.84.0 255.255.255.0
object network DNI-NAT2
 subnet 10.0.85.0 255.255.255.0
object network DNI-NAT3
 subnet 10.0.86.0 255.255.255.0
object network DNI-NAT4
 subnet 10.0.87.0 255.255.255.0
object-group network DNI_NAT
 network-object object DNI-NAT1
 network-object object DNI-NAT2
 network-object object DNI-NAT3
 network-object object DNI-NAT4
access-list DNI_VPN_NAT1 extended permit ip 10.0.0.0 255.255.255.0 object comm-10.240.0.0
access-list DNI_VPN_NAT2 extended permit ip 10.0.12.0 255.255.255.0 object comm-10.240.0.0
access-list DNI_VPN_NAT3 extended permit ip 10.0.14.0 255.255.255.0 object comm-10.240.0.0
access-list DNI_VPN_NAT4 extended permit ip 172.16.1.0 255.255.255.0 object comm-10.240.0.0
access-list DNI-VPN-traffic extended permit ip object-group DNI_NAT object comm-10.240.0.0
nat (inside,outside) source static obj-10.0.12.0 DNI-NAT2 destination static comm-10.240.0.0 comm-10.240.0.0 no-proxy-arp
nat (inside,outside) source static obj-10.0.14.0 DNI-NAT3 destination static comm-10.240.0.0 comm-10.240.0.0 no-proxy-arp
nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 no-proxy-arp
Hello
I see that the issue here is the NAT statement:
nat (inside,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 no-proxy-arp
The correct statement would be:
nat (DMZ,outside) source static obj-172.16.1.0 DNI-NAT4 destination static comm-10.240.0.0 comm-10.240.0.0 no-proxy-arp
Go ahead and run a packet tracer:
packet-tracer input DMZ tcp 172.16.1.15 443 10.240.X.X 443 detailed
Then you will see that the NAT exemption works now.
Let me know how it goes!
Please don't forget to rate and mark the helpful post as correct!
Kind regards,
David Castro
-
NAT before going on a VPN Tunnel Cisco ASA or SA520
I have a friend who asked me to try to help. We are establishing a site-to-site VPN with a customer. Our side is a Cisco SA520 and their side is a Check Point. The tunnel is up; we checked that phase 1 and 2 are good. The question is about traffic through the tunnel: our LAN IP addresses are private addresses, 10.10.1.0/24, but the client says we must have a public IP address for our local network in order to access the server on their local network. In all the forums I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses on the Comcast router, on the WAN side of the SA520 firewall. So we were wondering whether there was a way we could use the WAN interface on the SA520, or use another of the 6 assigned addresses, to NAT the traffic that passes through the tunnel. Does that sound confusing? Sorry, but it's rare that I have a customer say I must have a public IP address on my side of the LAN. Now, I said this is a SA520 firewall, but if it is not possible to do with it, is there a way to do it with an ASA5505?
Help or direction would be very useful.
Hello
I guess I could quickly write a basic configuration. I can't be sure I remember everything correctly, but it should be the biggest part of it.
Some of the settings may of course be different depending on the type of L2L VPN connection settings you have chosen.
Naturally, there is also a lot of basic configuration which is not mentioned below.
For example
- Management and AAA configurations
- DHCP for LAN
- Logging
- Interface "nonstop."
- etc.
Information for the parameters below
- x.x.x.x = ASA "outside" interface public IP
- y.y.y.y = ASA "outside" network mask
- z.z.z.z = ASA "outside" default gateway IP address
- a.a.a.a = remote site L2L VPN network address
- b.b.b.b = remote site L2L VPN network mask
- c.c.c.c = public IP address of the remote site L2L VPN peer device
- PSK = the Pre-Shared Key for the L2L VPN connection
Interfaces - Default Route - Access-list
interface Vlan2
 description WAN
 nameif outside
 security-level 0
 ip address x.x.x.x y.y.y.y
route outside 0.0.0.0 0.0.0.0 z.z.z.z
interface Ethernet0
 description WAN access
 switchport access vlan 2
- All other interfaces are on the default Vlan1, so their "switchport access vlan x" will not need to be configured
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 10.10.1.0 255.255.255.0
access-list INSIDE-IN remark Allow all LAN traffic
access-list INSIDE-IN extended permit ip 10.10.1.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
NAT and L2L VPN configuration - ASA 8.2 software and earlier
global (outside) 1 interface
nat (inside) 1 10.10.1.0 255.255.255.0
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
access-list L2L-VPN-CRYPTOMAP extended permit ip host x.x.x.x a.a.a.a b.b.b.b
crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP
crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c
crypto map WAN-CRYPTOMAP 10 set transform-set AES-256
crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600
crypto map WAN-CRYPTOMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
 pre-shared-key PSK
NAT and L2L VPN configuration - ASA 8.3 software and later
nat (inside,outside) after-auto source dynamic any interface
crypto ipsec ikev1 transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
access-list L2L-VPN-CRYPTOMAP extended permit ip host x.x.x.x a.a.a.a b.b.b.b
crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP
crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c
crypto map WAN-CRYPTOMAP 10 set ikev1 transform-set AES-256
crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600
crypto map WAN-CRYPTOMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
 ikev1 pre-shared-key PSK
I hope the above information was useful. Please rate if you found it useful.
If it comes down to configuring the connection on the ASA5505 and the above configuration doesn't cut it, feel free to ask for more.
-Jouni
-
Newbie question route-map/access-list
I am quite new to the whole Cisco thing here. I'm very hesitant to make changes as I am not 200% sure that I won't take down the entire network. (We are a very small company)
We have a Cisco 1811 router (yes, I know it's old).
We now have a route map and I'm trying to understand it to make it work the way we want. Basically, we have a few servers and we do not want some servers to use our cable internet connection; we want them to use our T1. Our T1 uses an ASA5505 as a router. I don't know why; I know it's not best practice, but I was just hired and that's all I have to say on this subject. What I'm seeing is the following. Web traffic currently goes out our cable interface; everything else, including the transfer speed test on speedtest.net, goes out our T1. This makes for bad, bad VoIP phone calls. We also have a point-to-point tunnel to one of our other offices, as well as our Exchange 2010 server, using the T1. If our cable goes down, everything goes to the T1 (by design). We have a long access list defined in our route map, using match ip. I want to change the access list to not permit local network IP addresses. I know that if I put in a permit ip any any it will break our network: nothing will go out the T1 line, and no one will be able to get to our mail server anymore. So I was thinking of adding some statements, but I was wondering if someone could help me with the logic, so I know whether I will break the network. I'd rather not have to pull the rollover cable and use the console. (I really need to get a USB serial interface.) Now that you understand a little more about my situation, here are all the numbers, etc.
Internal networks: 90.0.0.0/24, 192.168.0.0/24, 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses; why they chose /16 is beyond me, stupid really)
PTP VPN: 192.168.116.0/24 comes and goes out our T1.
1811 router: 90.0.0.254/192.168.30.254/192.168.0.254
ASA: 90.0.0.50
!
track 40 ip sla 40 reachability
 delay down 90 up 60
!
interface Vlan1
 description *INTERFACE LAN 90.0.0.x network*$FW_INSIDE$
 ip address 90.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map WEBPBR
!
interface Vlan10
 description *INTERFACE LAN NET 192.168.0.x*$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip helper-address 90.0.0.2
 ip virtual-reassembly
 ip policy route-map WEBPBR
!
! Static routes
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 90.0.0.50 track 20
ip route 0.0.0.0 0.0.0.0 197.164.245.109 200
ip route 8.8.8.8 255.255.255.255 197.164.245.109 permanent
ip route 10.250.10.0 255.255.255.0 90.0.0.50 permanent
ip route 172.20.0.0 255.255.0.0 90.0.0.50 permanent
ip route 208.67.220.220 255.255.255.255 197.164.245.109 permanent
ip access-list extended WEBTRAFFIC
 deny ip any host 208.67.222.222
 deny ip any 172.20.0.0 0.0.255.255
 deny tcp host 90.0.0.2 any eq www
 deny tcp host 90.0.0.14 any eq www
 deny tcp host 90.0.0.235 any eq www
 deny ip host 192.168.0.40 any
 deny ip any host 192.168.0.40
 deny ip host 192.168.0.41 any
 deny ip any host 192.168.0.41
 deny ip any host 192.168.0.221
 deny ip host 192.168.0.221 any
 deny ip host 192.168.0.225 any
 deny tcp host 90.0.0.10 any eq www
 deny ip any host 192.168.0.225
 deny tcp host 90.0.0.11 any eq www
 deny tcp host 90.0.0.9 any eq www
 deny tcp host 90.0.0.8 any eq www
 deny tcp host 90.0.0.7 any eq www
 deny tcp host 90.0.0.6 any eq www
 deny tcp host 90.0.0.1 any eq www
 deny tcp host 90.0.0.13 any eq www
 deny tcp host 90.0.0.200 any eq www
 permit tcp any any eq www
 permit ip host 192.168.0.131 any
 permit ip host 192.168.0.130 any
 permit ip host 192.168.0.132 any
 permit ip host 192.168.0.133 any
 permit ip host 192.168.0.134 any
 permit ip host 192.168.0.135 any
 permit ip host 192.168.0.136 any
 permit ip host 192.168.0.137 any
 permit ip host 192.168.0.138 any
 permit ip host 192.168.0.139 any
 permit ip host 192.168.0.140 any
 permit ip host 192.168.0.141 any
 permit ip host 192.168.0.142 any
 permit ip host 192.168.0.143 any
 permit ip host 192.168.0.144 any
 permit ip host 192.168.0.145 any
 permit ip host 192.168.0.146 any
 permit ip host 192.168.0.147 any
 permit ip host 192.168.0.148 any
 permit ip host 192.168.0.149 any
 permit ip host 192.168.0.150 any
 permit ip host 90.0.0.80 any
 permit ip host 90.0.0.81 any
 permit ip host 90.0.0.82 any
 permit ip host 90.0.0.83 any
 permit ip host 90.0.0.84 any
 permit ip host 90.0.0.85 any
 permit ip host 90.0.0.86 any
 permit ip host 90.0.0.87 any
 permit ip host 90.0.0.88 any
 permit ip host 90.0.0.89 any
 permit ip host 90.0.0.90 any
 permit ip host 90.0.0.91 any
 permit ip host 90.0.0.92 any
 permit ip host 90.0.0.93 any
 permit ip host 90.0.0.94 any
 permit ip host 90.0.0.95 any
 deny tcp host 90.0.0.3 any eq www
ip sla 40
 icmp-echo 208.67.220.220 source-interface Vlan1
 timeout 6000
 frequency 20
ip sla schedule 40 life forever start-time now
route-map WEBPBR permit 2
 match ip address WEBTRAFFIC
 set ip next-hop verify-availability 197.164.245.109 1 track 40
That is how we have it set up right now. If I put a few lines at the top of WEBTRAFFIC with:
deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
! etc. with all internal networks
* And then put at the bottom:
permit ip any any
will that break EVERYTHING so we can't communicate with anything? Or is that what I need to do so we get internal routing etc.? Also, I guess I'd need to put in the 15 IP addresses that are coming in on the ASA as well? (We have 14 public IPs, one for the T1 gateway; would those go in as well?) I don't want to try to put those in at the top and find that no one can do anything. I hope I made clear what I'm doing...
Post edited by: Ryan Young
I have not read this thread carefully enough to speak to the intricacies of whether this access list will do what you want. But I can answer the specific question you are asking. Yes - the access list is processed top-down, and if an earlier line in the access list matches, then processing for that packet will never reach the permit at the bottom of the access list.
HTH
Rick
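To see the top-down behaviour Rick describes applied to Ryan's proposed list, here is an added Python example (not from the thread and not Cisco code). It parses an IOS extended ACL constructed to mirror Ryan's proposal (internal networks denied first, the existing host permits next, permit ip any any last), finds the first matching entry for a packet, and reports whether a PBR route-map with match ip address WEBTRAFFIC would policy-route it. One point the thread leaves open: in a route-map, a deny (or the implicit deny) only means the sequence does not match, so the packet is forwarded by the normal routing table rather than dropped. The destination 93.184.216.34, the PORT_NAMES table and the sample packets are my own choices.

```python
"""First-match evaluation of a Cisco IOS extended ACL used by a PBR route-map.

Added example (not from the thread). SAMPLE_ACL is constructed to mirror
Ryan's proposal; 93.184.216.34 is an arbitrary Internet destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ssh": 22}

SAMPLE_ACL = """\
ip access-list extended WEBTRAFFIC
 deny ip any 192.168.0.0 0.0.0.255
 deny ip any 90.0.0.0 0.0.0.255
 deny ip any 192.168.116.0 0.0.0.255
 permit ip host 192.168.0.136 any
 deny tcp host 90.0.0.3 any eq www
 permit ip any any
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq", if any
    raw: str                     # original line, for reporting


def _wildcard_to_network(addr: str, wild: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks; only contiguous ones are supported."""
    w = int(ipaddress.IPv4Address(wild))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wild} is not supported")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _parse_addr(tokens: List[str], i: int):
    """Parse one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens: List[str], i: int):
    """Parse an optional 'eq PORT' operator following an address."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse the permit/deny entries of an 'ip access-list extended' block, in order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # header, remarks, blank lines
        src, i = _parse_addr(t, 2)
        _, i = _parse_port(t, i)          # source-port operator, ignored here
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, dst, dport, line.strip()))
    return aces


def first_match(aces: List[Ace], src_ip: str, dst_ip: str,
                proto: str = "ip", dport: Optional[int] = None) -> Optional[Ace]:
    """Return the first ACE that matches the packet, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if s in ace.src and d in ace.dst:
            return ace
    return None


def policy_routed(aces: List[Ace], src_ip: str, dst_ip: str,
                  proto: str = "ip", dport: Optional[int] = None) -> bool:
    """Under 'match ip address', only a permit selects the route-map entry.

    A deny or no match means the entry does not apply: the packet is forwarded
    by the normal routing table, not dropped.
    """
    m = first_match(aces, src_ip, dst_ip, proto, dport)
    return m is not None and m.action == "permit"


ACES = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for pkt in [("192.168.0.136", "192.168.0.50", "ip", None),
                ("192.168.0.136", "93.184.216.34", "ip", None),
                ("90.0.0.3", "93.184.216.34", "tcp", 80),
                ("90.0.0.3", "93.184.216.34", "tcp", 443)]:
        m = first_match(ACES, *pkt)
        print(pkt, "->", m.raw if m else "implicit deny",
              "| policy-routed:", policy_routed(ACES, *pkt))
```

Running it shows the ordering point: 192.168.0.136 talking to 192.168.0.50 hits the first deny and is never policy-routed, even though a permit for that host appears lower in the list, while the same host talking to the Internet reaches its permit and is sent to the tracked next hop.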
-
Cisco ASA 5505 - able to connect to VPN - no access to inside
Hello
I have been trying to set up a VPN for weeks. I can connect to the public IP address of the ASA, but I can't reach anything behind the Cisco.
Here is my config:
ASA Version 8.2(5)
!
hostname asa
domain-name sarg*.net
enable password Z4K16OvBr0J5Dj/2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name sargicisco.net
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.240
access-list Remote_Sargi_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list sheep-in extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool SAVPN_Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd domain *.net interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Remote_Sargi internal
group-policy Remote_Sargi attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote_Sargi_splitTunnelAcl
 default-domain value sargicisco.net
username kevin password mz6JxJib/sQqvsw9 encrypted privilege 0
username kevin attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group SAVPN type remote-access
tunnel-group SAVPN general-attributes
 address-pool SAVPN_Pool
tunnel-group SAVPN webvpn-attributes
 group-alias SAVPN enable
 group-url https://82.228.XXX.XXX/SAVPN enable
tunnel-group Remote_Sargi type remote-access
tunnel-group Remote_Sargi general-attributes
 address-pool SAVPN_Pool
 default-group-policy Remote_Sargi
tunnel-group Remote_Sargi ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:387a6e260247a545f4df0d3f28ba58c5
: end
Thank you
Hello
Could you remove this statement and add the following one:
no nat (inside) 0 access-list inside_nat0_outbound
ADD: nat (inside) 0 access-list sheep-in
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Cisco ASA, connecting to an IP address on the OUTSIDE from remote-access VPN
Hello
I tried to find resources on the net but could not find a solution, so I am posting it here. Maybe someone can help.
So the problem is that I'm trying to access a server in the cloud from remote-access VPN (Cisco ASA 5510).
The server in the cloud (54.54.54.54) is only accessible from the outside interface (192.168.11.2) of the NY firewall (Cisco ASA 5510).
I added an ACE for this in the split-tunnel ACL of the VPN.
NY-fw# access-list vpn_remote-client standard permit host 54.54.54.54
And I see the route added on my client machine after the VPN connection, but it still cannot connect to this server.
From the INSIDE network, I can connect to the server.
Thanks in advance.
Hello
This is most likely a hairpin/U-turn NAT problem.
We would need to see the configuration, or you would need to check it yourself.
I don't know what your ASA software version is, as that determines the format of the NAT configuration.
So far, you have confirmed that the ASA VPN configuration provides the VPN client with the route to the remote server. So the traffic should be tunnelled to the ASA.
Next, you will need to check the output of this command:
show run same-security-traffic
You should see the command below in the output:
same-security-traffic permit intra-interface
If you do not, you will need to add it. The effect of this command is to allow traffic to enter an interface and exit through the same interface. In your case this applies to the VPN client traffic to the remote server, as it enters through 'outside' and exits through 'outside'.
Then we should make sure that dynamic PAT is configured for the VPN clients.
Software 8.2 (and below)
You most likely have a dynamic PAT configuration like this on the firewall, if you are running the above software levels:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
In this situation, if we wanted to add dynamic PAT for a VPN pool, we would add:
nat (outside) 1
This would let the VPN users use the same public IP address as the LAN users when accessing the remote server.
Software 8.3 (and above)
Because the NAT configuration format is completely different in the newer software, you could probably just add a completely new NAT configuration without adding a
object network VPN-PAT
 subnet
 nat (outside,outside) dynamic interface
Of course, it's possible that there is some existing NAT configuration on the device which could cause problems for this configuration. If this does not work, then we would have to look at the actual configuration on the ASA.
Hope this helps
Let me know how it goes
- Jouni
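Both answers in the two threads above come down to checks a practitioner can make against the running configuration of an 8.2 ASA: does the nat 0 ACL exempt traffic from the inside subnet to every address in the VPN pool (Aditya's change to the 5505 config), and are intra-interface traffic and an outside PAT rule present for VPN clients going back out to the Internet (Jouni's answer). The Python below is an added example, not code from the thread or from Cisco. SAMPLE_CFG is a constructed 8.2 fragment using the pool and ACL names of the 5505 configuration; HAIRPIN_CFG appends the two lines Jouni describes, with the nat (outside) line completed with the pool address, which is my assumption, since his line is truncated in the post.

```python
"""Checks for an ASA 8.2 remote-access VPN: NAT exemption and hairpinning.

Added example, not from the thread. SAMPLE_CFG is a constructed 8.2 fragment
built from the pool and ACL names in the 5505 configuration above.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

SAMPLE_CFG = """\
ip local pool SAVPN_Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Same config after the pool has grown past the /28 that the exemption ACL covers.
GROWN_POOL_CFG = SAMPLE_CFG.replace("192.168.254.10", "192.168.254.20")

# Same config plus the two lines VPN clients need to go back out through 'outside'
# (constructed; the pool in the nat (outside) line is an assumption).
HAIRPIN_CFG = SAMPLE_CFG + (
    "same-security-traffic permit intra-interface\n"
    "nat (outside) 1 192.168.254.0 255.255.255.0\n"
)


def _asa_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse an ASA address spec (any | host A | A NETMASK); ASA uses real netmasks."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def pool_addresses(cfg: str, name: str) -> List[ipaddress.IPv4Address]:
    """Expand 'ip local pool NAME FIRST-LAST mask M' into its individual addresses."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+)", cfg, re.M)
    if not m:
        raise ValueError(f"pool {name} not found")
    first, last = (int(ipaddress.IPv4Address(a)) for a in m.groups())
    return [ipaddress.IPv4Address(n) for n in range(first, last + 1)]


def nat0_aces(cfg: str, iface: str = "inside") -> List[Tuple[Net, Net]]:
    """(source, destination) pairs of the ACL bound by 'nat (IFACE) 0 access-list NAME'."""
    m = re.search(rf"^nat \({iface}\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return []
    acl, pairs = m.group(1), []
    for line in cfg.splitlines():
        t = line.split()
        if t[:5] != ["access-list", acl, "extended", "permit", "ip"]:
            continue
        src, i = _asa_addr(t, 5)
        dst, _ = _asa_addr(t, i)
        pairs.append((src, dst))
    return pairs


def pool_not_exempt(cfg: str, inside_net: str, pool: str) -> List[str]:
    """Pool addresses that traffic from inside_net would still reach through dynamic NAT.

    An empty list means the nat 0 ACL exempts inside -> every pool address.
    """
    inside = ipaddress.ip_network(inside_net)
    aces = nat0_aces(cfg)
    return [str(a) for a in pool_addresses(cfg, pool)
            if not any(src.supernet_of(inside) and a in dst for src, dst in aces)]


def hairpin_checks(cfg: str) -> Dict[str, bool]:
    """Preconditions for VPN-client traffic that enters and leaves via 'outside'."""
    return {
        "intra_interface": bool(re.search(r"^same-security-traffic permit intra-interface$", cfg, re.M)),
        "outside_pat": bool(re.search(r"^nat \(outside\) \d+ \S+ \S+", cfg, re.M)),
    }


if __name__ == "__main__":
    for label, cfg in [("sample", SAMPLE_CFG), ("grown pool", GROWN_POOL_CFG), ("hairpin", HAIRPIN_CFG)]:
        print(label, "| not exempt:", pool_not_exempt(cfg, "192.168.1.0/24", "SAVPN_Pool"),
              "| hairpin:", hairpin_checks(cfg))
```

On the sample the /28 in the exemption ACL still covers the ten-address pool; widening the pool to .20 without touching the ACL leaves .16 to .20 subject to the dynamic NAT, which is the kind of mismatch a looser nat 0 ACL avoids. The hairpin check only reports whether the lines exist; it does not verify that the nat (outside) pool matches the VPN pool.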
-
I have problems accessing resources on the internal network when connecting with the Cisco VPN client to a Cisco ASA 5510 running version 8.4(3). I have tried all the new 8.4 NAT commands but cannot access the internal network. I can see traffic in the logs when I ping. I can only assume I have the NAT wrong, or is it because the inside interface of the ASA is on the same /24 subnet as the internal network? Please see the config below; any suggestion would be appreciated. I have configured a site-to-site VPN on this same 5510 and it works well.
Thank you
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.88.10.254 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PAT_to_Outside_ClassA
 subnet 10.88.0.0 255.255.0.0
object network PAT_to_Outside_ClassB
 subnet 172.16.0.0 255.240.0.0
object network PAT_to_Outside_ClassC
 subnet 192.168.0.0 255.255.240.0
object network LocalNetwork
 subnet 10.88.0.0 255.255.0.0
object network RemoteNetwork1
 subnet 192.168.0.0 255.255.0.0
object network RemoteNetwork2
 subnet 172.16.10.0 255.255.255.0
object network RemoteNetwork3
 subnet 10.86.0.0 255.255.0.0
object network RemoteNetwork4
 subnet 10.250.1.0 255.255.255.0
object network NatExempt
 subnet 10.88.10.0 255.255.255.0
object-group network Site_to_SiteVPN1
 network-object 192.168.4.0 255.255.254.0
 network-object 172.16.10.0 255.255.255.0
 network-object 10.0.0.0 255.0.0.0
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any
access-list 11 extended permit ip 10.250.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 10.88.0.0 255.255.0.0 object-group Site_to_SiteVPN1
ip local pool Admin_Pool 10.250.1.1-10.250.1.254 mask 255.255.255.0
nat (inside,outside) source static NatExempt NatExempt
nat (inside,outside) source static any any destination static RemoteNetwork4 RemoteNetwork4 route-lookup
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork1 RemoteNetwork1
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork2 RemoteNetwork2
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork3 RemoteNetwork3
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork4 RemoteNetwork4 route-lookup
!
object network PAT_to_Outside_ClassA
 nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassB
 nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassC
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
dynamic-access-policy-record DfltAccessPolicy
sysopt connection timewait
service resetoutside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set bh-set esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set ikev1 transform-set bh-set
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer x.x.x.x
crypto map mymap 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 1 set security-association lifetime seconds 86400
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto map mymap 100 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy BACKDOORVPN internal
group-policy BACKDOORVPN attributes
 vpn-filter value 11
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 default-domain value BH.UK
tunnel-group BACKDOORVPN type remote-access
tunnel-group BACKDOORVPN general-attributes
 address-pool Admin_Pool
 default-group-policy BACKDOORVPN
tunnel-group BACKDOORVPN ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
Excellent.
Please rate the helpful posts.
Thank you
Rizwan James
-
ASA 9.1 problems with tunnel-group-list enable
Hello!
I am trying to get a working configuration where the Cisco VPN phones (DTLS) connect, while also allowing remote access from PCs via the AnyConnect client. I have two tunnel groups and group policies configured for this purpose and use group-url.
The phones connect very well, but I don't get the drop-down menu to choose between the two tunnel groups when connecting from a remote computer.
An excerpt of the config is below.
Moreover, I had the menu working previously when I used group-aliases instead of group-url. However, the phones seem to require the group-url. Now that I have those configured, the menu does not work. If I enter the full URL in the AnyConnect window, both URLs work and I can connect.
Thank you in advance for any suggestions you may have!
Deb
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy ABC internal
group-policy ABC attributes
 wins-server value 10.10.16.17 10.10.16.12
 dns-server value 10.10.16.17 10.10.16.12
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none
group-policy ABC-STG internal
group-policy ABC-STG attributes
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-encrypt-ACL
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none
tunnel-group Split-Tunnel-Group type remote-access
tunnel-group Split-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 default-group-policy ABC-STG
tunnel-group Split-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC-STG enable
tunnel-group ABC-Tunnel-Group type remote-access
tunnel-group ABC-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 authentication-server-group ACTIVE-DIRECTORY
 default-group-policy ABC
 password-management
tunnel-group ABC-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC enable
Hello
You can have both group-alias and group-url in the configuration at the same time, so that the phones can connect with the group-url and users can click the drop-down menu to select the right connection profile.
tunnel-group
 webvpn-attributes
  group-alias enable
  group-url enable
Kind regards,
Dinesh Moudgil
PS: Please rate helpful messages.
-
Cisco ASA site-to-site VPN with Internet access, error
Hello
I have two offices, central and remote, with external IP addresses. They are connected by site-to-site VPN. The LAN works fine when NAT is disabled, but then there is no Internet access; when I enable NAT, the Internet works well, but then there is no access to the remote LAN.
Where would the problem be? Here is the config:
ASA Version 8.4(4)1
!
hostname SalSK-ASA
domain-name ld.lt
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 81.X.X.X 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.204.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
domain-name lietuvosdujos.lt
object network LAN
subnet 192.168.204.0 255.255.255.0
description Local Area Network
object network LD_Lanai
subnet 192.168.0.0 255.255.0.0
description LD lanai
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
access-list outside_cryptomap_1 extended permit ip object LAN any
access-list outside extended permit ip any any
pager lines 24
logging enable
logging list VPN_events level informational class auth
logging list VPN_events level informational class vpdn
logging list VPN_events level informational class vpn
logging list VPN_events level informational class vpnc
logging list VPN_events_ID message 713120
logging list VPN_events_ID message 713167
logging list VPN_events_ID message 602303
logging list VPN_events_ID message 713228
logging list VPN_events_ID message 113012
logging list VPN_events_ID message 113015
logging list VPN_events_ID message 713184
logging list VPN_events_ID message 713119
logging list VPN_events_ID message 602304
logging monitor debugging
logging buffered debugging
logging trap VPN_events_ID
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN interface inactive
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.200.48
key *****
user-identity default-domain LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa authentication ssh console ISE LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 213.X.X.X
crypto map outside_map 1 set ikev1 transform-set tripledes
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.201.200 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SalGP internal
group-policy SalGP attributes
vpn-filter value vpn
vpn-tunnel-protocol ikev1 l2tp-ipsec
username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
tunnel-group 213.X.X.X type ipsec-l2l
tunnel-group 213.X.X.X general-attributes
default-group-policy SalGP
tunnel-group 213.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
class class-default
user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
: end
Two things here, depending on your needs.
First, you are encrypting all traffic from the 192.168.204.0/24 network... do you intend to send all traffic from that subnet through the VPN? If not, specify the remote subnet instead of using any in the crypto ACL.
object network LAN
 subnet 192.168.204.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object LAN any
Second, you do not have a NAT exemption statement so that the encrypted traffic is not translated. That statement would look like the following:
object network LAN
 subnet 192.168.204.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
--
Please do not forget to choose a good response and the rate
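The two points in the answer above (a crypto ACL whose remote side is any, and a missing identity twice-NAT for the VPN traffic) can be checked mechanically on any 8.3+ configuration, including the 8.4(3) configuration posted earlier on this page. The Python below is an added example, not code from the thread or from Cisco. BEFORE_CFG is a constructed fragment of the 8.4(4) configuration above; AFTER_CFG applies both suggested changes, using the existing LD_Lanai object as the remote LAN (my assumption; the answer uses a hypothetical REMOTE-LAN 192.168.100.0/24) and the no-proxy-arp route-lookup options that identity NAT rules commonly carry. It also adds a check the answer does not mention: manual (section 1) NAT rules are evaluated top-down, so the exemption is only effective if it precedes the dynamic PAT rule for the same source.

```python
"""Checks for an ASA 8.3+ site-to-site VPN: crypto ACL scope and NAT exemption order.

Added example, not from the thread. BEFORE_CFG is constructed from the 8.4(4)
configuration above; AFTER_CFG applies the answer's two changes.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

BEFORE_CFG = """\
object network LAN
 subnet 192.168.204.0 255.255.255.0
 description Local Area Network
object network LD_Lanai
 subnet 192.168.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip object LAN any
nat (inside,outside) source dynamic LAN interface
crypto map outside_map 1 match address outside_cryptomap_1
"""

AFTER_CFG = """\
object network LAN
 subnet 192.168.204.0 255.255.255.0
object network LD_Lanai
 subnet 192.168.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip object LAN object LD_Lanai
nat (inside,outside) source static LAN LAN destination static LD_Lanai LD_Lanai no-proxy-arp route-lookup
nat (inside,outside) source dynamic LAN interface
crypto map outside_map 1 match address outside_cryptomap_1
"""

# Same two NAT rules in the wrong order: the dynamic PAT has no destination
# condition, so it wins for VPN traffic when it comes first in section 1.
WRONG_ORDER_CFG = AFTER_CFG.replace(
    "nat (inside,outside) source static LAN LAN destination static LD_Lanai LD_Lanai no-proxy-arp route-lookup\n"
    "nat (inside,outside) source dynamic LAN interface\n",
    "nat (inside,outside) source dynamic LAN interface\n"
    "nat (inside,outside) source static LAN LAN destination static LD_Lanai LD_Lanai no-proxy-arp route-lookup\n")


def network_objects(cfg: str) -> Dict[str, Net]:
    """Resolve 'object network NAME' blocks that carry a subnet or host line."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["object", "network"]:
            cur = t[2]
        elif cur and t[:1] == ["subnet"]:
            objs[cur] = ipaddress.ip_network((t[1], t[2]), strict=False)
        elif cur and t[:1] == ["host"]:
            objs[cur] = ipaddress.ip_network(f"{t[1]}/32")
        elif line and not line.startswith(" "):
            cur = None  # left the object block
    return objs


def _addr(tokens: List[str], i: int, objs: Dict[str, Net]) -> Tuple[Net, int]:
    """Parse any | any4 | host A | object NAME | A NETMASK (object-groups are not expanded)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tok == "object":
        return objs[tokens[i + 1]], i + 2
    if tok == "object-group":
        raise NotImplementedError("object-group expansion is out of scope for this example")
    return ipaddress.ip_network((tok, tokens[i + 1]), strict=False), i + 2


def crypto_acl_entries(cfg: str) -> Dict[str, List[Tuple[Net, Net]]]:
    """ACL name -> (local, remote) pairs for every ACL referenced by a crypto map."""
    objs = network_objects(cfg)
    names = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M))
    out = {n: [] for n in names}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) > 5 and t[0] == "access-list" and t[1] in names and t[3] == "permit":
            src, i = _addr(t, 5, objs)
            dst, _ = _addr(t, i, objs)
            out[t[1]].append((src, dst))
    return out


def broad_crypto_acls(cfg: str) -> List[str]:
    """Crypto ACLs whose remote side is 'any': every packet from the local net gets tunnelled."""
    return sorted(name for name, pairs in crypto_acl_entries(cfg).items()
                  if any(dst.prefixlen == 0 for _, dst in pairs))


def vpn_exempt_status(cfg: str, local: str, remote: str) -> str:
    """'ok', 'missing' or 'after-pat' for the identity twice-NAT of local <-> remote."""
    exempt = re.compile(rf"^nat \(\S+\) source static {re.escape(local)} {re.escape(local)} "
                        rf"destination static {re.escape(remote)} {re.escape(remote)}(\s|$)")
    pat = re.compile(rf"^nat \(\S+\) source dynamic {re.escape(local)} ")
    rules = [l.strip() for l in cfg.splitlines() if l.startswith("nat (")]  # section 1 only
    ex = next((i for i, r in enumerate(rules) if exempt.match(r)), None)
    pt = next((i for i, r in enumerate(rules) if pat.match(r)), None)
    if ex is None:
        return "missing"
    if pt is not None and pt < ex:
        return "after-pat"
    return "ok"


if __name__ == "__main__":
    for label, cfg in [("before", BEFORE_CFG), ("after", AFTER_CFG), ("wrong order", WRONG_ORDER_CFG)]:
        print(label, "| broad crypto ACLs:", broad_crypto_acls(cfg),
              "| exemption:", vpn_exempt_status(cfg, "LAN", "LD_Lanai"))
```

Only top-level nat lines are considered, so object NAT (section 2, indented under an object) is ignored; that is correct for this check because the manual rule in section 1 is always consulted first. An ACL that uses object-group on either side raises rather than silently returning a partial answer.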