Cisco ASA tunnel access list question

We have created a site to IPSec tunnel. Initially, only two IP address were allowed access to the tunnel. They ask now addresses. My question is, if I use access-list extended inside_access_in permit ip any host 10.60.55.10, I also have to make a statement of NAT that allows this?

And when we change the VPN Site to Site connection profile, I have to allow all through this tunnel as well, correct?

I thank you and I hope this makes sense. We were originally political thought based routing on the nearest core of the source.

Dwane

Hi Sylvie,.

If you use NAT so I say yes you must consider from... Normally, in a private LAN on L2L scenario, you might have used no. - NAT... If you have LAN identical at both ends, then you might have using a NAT to a diff of subnets at both ends... If you use the NAT public IP then it will be on the public IP based L2L address... So it depends on your current configuration.

If you use one to 10.60.55.10 (then your site any subnet which flows through the VPN Firewall to 10.60.55.10 is allowed... here you may need to modify NAT as a source...)

But the problem comes from the other end... for them the source will be 10.60.55.10 and destination would... then all traffic from host 10.60.55.10 is taken through the tunnel...

So instead of making a statement as any visit its respective great nets 172.16.0/16 for example...

Concerning

Knockaert

Tags: Cisco Security

Similar Questions

A possible bug related to the Cisco ASA "show access-list"?

We had a strange problem in our configuration of ASA.

In the "show running-config:

Inside_access_in access-list CM000067 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:http_access

Inside_access_in access-list CM000458 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:https_access

Note to inside_access_in to access test 11111111111111111111111111 EXP:1/16/2014 OWN list: IT_Security BZU:Network_Security

access-list extended inside_access_in permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 Journal

access-list inside_access_in note CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - dgm

access-list inside_access_in note CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ns

access-list inside_access_in note CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ssn

access-list inside_access_in note CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp / 445

inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq www log

inside_access_in allowed extended access list tcp 172.31.254.0 255.255.255.0 any https eq connect

inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log

inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 connect any eq netbios-ns

inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log

inside_access_in list extended access permitted tcp 172.31.254.0 connect any EQ 445 255.255.255.0

Inside_access_in access-list CM000280 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:domain

inside_access_in list extended access permitted tcp object 172.31.254.2 any newspaper domain eq

inside_access_in list extended access permitted udp object 172.31.254.2 any newspaper domain eq

Inside_access_in access-list CM000220 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:catch_all

inside_access_in list extended access permitted ip object 172.31.254.2 any newspaper

Inside_access_in access-list CM0000086 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:SSH_internal

inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 interface inside the eq ssh log

Inside_access_in access-list CM0000011 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

inside_access_in list extended access allow object TCPPortRange 172.31.254.0 255.255.255.0 host log 192.168.20.91

Inside_access_in access-list CM0000012 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:FTP

access-list extended inside_access_in permitted tcp object inside_range 1024 45000 192.168.20.91 host range eq ftp log

Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

inside_access_in access list extended ip 192.168.20.0 255.255.255.0 allow no matter what paper

Inside_access_in access-list CM0000014 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:DropIP

inside_access_in list extended access permitted ip object windowsusageVM any newspaper

inside_access_in list of allowed ip extended access any object testCSM

inside_access_in access list extended ip 172.31.254.0 255.255.255.0 allow no matter what paper

Inside_access_in access-list CM0000065 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:IP

inside_access_in list extended access permit ip host 172.31.254.2 any log

Inside_access_in access-list CM0000658 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security

inside_access_in list extended access permit tcp host 192.168.20.95 any log eq www

In the "show access-list":

access-list inside_access_in line 1 comment CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access

access-list inside_access_in line 2 Note CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access

Line note 3 access-list inside_access_in test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

4 extended access-list inside_access_in line allowed tcp host 1.1.1.1 host 192.168.20.86 eq newsletter interval 300 (hitcnt = 0) 81 0x0a 3bacc1

line access list 5 Note CM000260 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - dgm

line access list 6 Note CM006598 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ns

line access list 7 Note CM000220 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ssn

line access list 8 Note CM000223 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:tcp / 445

allowed to Access-list inside_access_in line 9 extended tcp 172.31.254.0 255.255.255.0 any interval information eq www journal 300 (hitcnt = 0) 0 x 06 85254 has

allowed to Access-list inside_access_in 10 line extended tcp 172.31.254.0 255.255.255.0 any https eq log of information interval 300 (hitcnt = 0) 0 x7e7ca5a7

allowed for line access list 11 extended udp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-dgm eq log of information interval 300 (hitcn t = 0) 0x02a111af

allowed to Access-list inside_access_in line 12 extended udp 172.31.254.0 255.255.255.0 any netbios-ns eq log of information interval 300 (hitcnt = 0) 0 x 19244261

allowed for line access list 13 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-ssn eq log of information interval 300 (hitcn t = 0) 0x0dbff051

allowed to Access-list inside_access_in line 14 extended tcp 172.31.254.0 255.255.255.0 no matter what eq 445 300 (hitcnt = 0) registration information interval 0 x 7 b798b0e

access-list inside_access_in 15 Note CM000280 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:domain

allowed to Access-list inside_access_in line 16 extended tcp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

allowed to Access-list inside_access_in line 16 extended host tcp 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

allowed to Access-list inside_access_in line 17 extended udp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

allowed to Access-list inside_access_in line 17 extended udp host 172.31.254.2 all interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

access-list inside_access_in 18 Note CM000220 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:catch_all

allowed to Access-list inside_access_in line 19 scope ip object 172.31.254.2 no matter what information recording interval 300 (hitcnt = 0) 0xd063707c

allowed to Access-list inside_access_in line 19 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xd063707c

access-list inside_access_in line 20 note CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal

permit for line access list extended 21 tcp 172.31.254.0 inside_access_in 255.255.255.0 interface inside the eq ssh information recording interval 300 (hitcnt = 0) 0x4951b794

access-list inside_access_in line 22 NOTE CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange

permit for access list 23 inside_access_in line scope object TCPPortRange 172.31.254.0 255.255.255.0 192.168.20.91 host registration information interval 300 (hitcnt = 0) 0x441e6d68

allowed for line access list 23 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 192.168.20.91 host range ftp smtp log information interval 300 (hitcnt = 0) 0x441e6d68

access-list inside_access_in line 24 Note CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP

25 extended access-list inside_access_in line allowed tcp object inside_range Beach 1024 45000 host 192.168.20.91 eq ftp interval 300 0xe848acd5 newsletter

allowed for access list 25 extended range tcp 12.89.235.2 inside_access_in line 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp interval 300 (hitcnt = 0) newsletter 0xe848acd5

permit for access list 26 inside_access_in line scope ip 192.168.20.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xb6c1be37

access-list inside_access_in line 27 Note CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP

allowed to Access-list inside_access_in line 28 scope ip object windowsusageVM no matter what information recording interval 300 (hitcnt = 0) 0 x 22170368

allowed to Access-list inside_access_in line 28 scope ip host 172.31.254.250 any which information recording interval 300 (hitcnt = 0) 0 x 22170368

allowed to Access-list inside_access_in line 29 scope ip testCSM any object (hitcnt = 0) 0xa3fcb334

allowed to Access-list inside_access_in line 29 scope ip any host 255.255.255.255 (hitcnt = 0) 0xa3fcb334

permit for access list 30 inside_access_in line scope ip 172.31.254.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xe361b6ed

access-list inside_access_in line 31 Note CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP

allowed to Access-list inside_access_in line 32 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xed7670e1

access-list inside_access_in line 33 note CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

allowed to Access-list inside_access_in line 34 extended host tcp 192.168.20.95 any interval information eq www 300 newspapers (hitcnt = 0) 0x8d07d70b

There is a comment in the running configuration: (line 26)

Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

This comment is missing in 'display the access-list '. In the access list, for all lines after this comment, the line number is more correct. This poses problems when trying to use the line number to insert a new rule.

Everyone knows about this problem before? Is this a known issue? I am happy to provide more information if necessary.

Thanks in advance.

See the version:

Cisco Adaptive Security Appliance Software Version 4,0000 1

Version 7.1 Device Manager (3)

Updated Friday, June 14, 12 and 11:20 by manufacturers

System image file is "disk0: / asa844-1 - k8.bin.

The configuration file to the startup was "startup-config '.

fmciscoasa up to 1 hour 56 minutes

Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

Internal ATA Compact Flash, 128 MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

Start firmware: CN1000-MC-BOOT - 2.00

SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

Number of Accelerators: 1

Could be linked to the following bug:

CSCtq12090: ACL note line is missing when the object range is set to ACL

The 8.4 fixed (6), so update to a newer version and observe again.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

ACCESS LIST QUESTIONS?

I have a hand router Cisco 871 and 5 remote sites using the Cisco 850. The tunnel comes up fine and can ping back from the 850 to the 871. However, I think that I have a problem of access list because I can't open the main database which is on the main site of any of the 5 locations nor do I get on the internet that the proxy server get no not at other sites. I can ping these remote sites, but cannot use them in fact. These rules are very different, and then the PIX.

192.168.1x

* THE REMOTE SITE

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

not run cdp

sheep allowed 10 route map

corresponds to the IP 101

192.168.0.X

HAND ROUTER

recording of debug trap

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 103 allow ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 104. allow ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

not run cdp

sheep allowed 10 route map

corresponds to the IP 101

!

IP tcp mss<68-10000>

Hope this helps,

Gilbert

Cisco 837 and access list

Hi all

Sorry if my question sounds stupid, but I had a lot of problems with the syntax of the access list, especially to remove a line in an access list, for example:

Here is my list of access

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.20.0.0 0.0.255.255

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.17.0.0 0.0.255.255

If I want to delete only this line

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

I do not know how, I if do:

no access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

all the access-list 120 is removed!

Help, please!

Olivier

Hi, this is the usual behavior, if you delete the access list of the entire statement with sequence number is deleted.

You can create a named extended access-list and have the sequence number for each statements.

!

Standard IP access list note

permit 172.10.0.0 0.0.255.255

10.1.1.0 permit 0.0.0.255

permit 192.168.1.0 0.0.0.255

deny all

!

and if you want to delete something in between, or any particular line, you can run the command like this that will remove this line instead of the entire ACL itself...

Standard note of access-list (config) #ip

(config-std-nacl) #no 3

This configuration lines will remove the third line only (which is to allow the 192.168.1.0 0.0.0.255, leaving the other statements)

regds

PIX 501 ICMP access list Question

According to the book, I have the pix and firewall that I know of dealing with routers and switches access lists define what traffic is allowed outside the network. With pix access lists can only be applied one way, to the interface they enter, not leaving. It's my understanding, but when I do an ICMP command:

PIX1 (config) # access - list ethernet1 permit icmp any any echo response

PIX1 (config) # access - list icmp permitted ethernet1 everything all inaccessible

Access-group ethernet1 PIX1 (config) # interface inside

This does not work, but if I apply the access group to the external interface it works. I understand why it is like that.

Thank you

This works because the pix is not aware of session state for the way icmp traffic that it does for tcp and udp.

By default, less access to a high to an interface is allowed, unless you have an acl applies to the interface of higer - then only what the acl permits will be allowed. So you can send outbound icmp echo request. However, for the response to be returned, you must allow that explicitly in an acl that is applied on the external interface, because the pix won't allow any outside traffic by default.

Even for icmp unreachable, although I want to put in custody to be part of the config. Allow only the unattainable due to the ttl expired to facilitate detection of mtu path, not all unachievable.

Let me know if it helps.

Restrictions of ASA Anyconnect for Split Tunneling network list

Hello

I have a question. We use Cisco ASA 5520 9.1.1 firmware version with configure SSL VPN Anyconnect(Anyconnect client version 2.5.605).)

We use the big Split Tunneling access-list with 200 ACEs.

If I add more than 200 entries in the list of access and then I connect to the VPN, and after that, we will see that only 200 entries have been added to the routing table.

So my question is... There is a limit for Split Tunneling ACL when you use the Anyconnect client?

Thank you

Hello
```
This is very well document in one of internal bug at Cisco . Unfortunately, as it is internal I will not be able to share the same with you. The only workaround available as of now is to combine your networks and make the list as small as possible covering all the required network you need which is less than or equal to 200
```
Thank you

Jeet Kumar

Question of access list for Cisco 1710 performing the 3DES VPN tunnel

I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

For example the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of list access-130 (something other than 192.168.100.0/24), cross the VPN tunnel or go directly to the Ethernet0 interface.

My understanding is that traffic that matches the access list 120 would be encrypted and sent through the IPSec tunnel. If there was "ban" set out in the statements of 120 access-list, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the definition of crypto card reference only "adapt to 120", any traffic that matches 130 access list would be sent Ethernet0 but not associated with the card encryption and thus not sent through the IPSec tunnel. "

Any input or assistance would be greatly appreciated.

Map Test 11 ipsec-isakmp crypto

..

match address 120

Interface Ethernet0

..

card crypto Test

IP nat inside source overload map route sheep interface Ethernet0

access-list 120 allow ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 130 refuse ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 130 allow ip 192.168.100.0 0.0.0.255 any

sheep allowed 10 route map

corresponds to the IP 130

He would go through the interface e0 to the Internet in clear text without going above the tunnel

Jean Marc

Cisco ASA VPN tunnel question - DMZ interface

I am trying to build a tunnel to a customer with NAT and I'm able to get 3 of the 4 networks to communicate. The 1 that is not responding is a DMZ network. Excerpts from config below. What am I doing wrong with the 10.0.87.0/24 network? The error in the log is "routing cannot locate the next hop.

interface Ethernet0/1
Speed 100
half duplex
nameif inside
security-level 100
the IP 10.0.0.1 255.255.255.0
OSPF cost 10
send RIP 1 version
!
interface Ethernet0/2
nameif DMZ
security-level 4
IP 172.16.1.1 255.255.255.0
OSPF cost 10

network object obj - 172.16.1.0
subnet 172.16.1.0 255.255.255.0

object network comm - 10.240.0.0
10.240.0.0 subnet 255.255.0.0
network object obj - 10.0.12.0
10.0.12.0 subnet 255.255.255.0
network object obj - 10.0.14.0
10.0.14.0 subnet 255.255.255.0
network of the DNI-NAT1 object
10.0.84.0 subnet 255.255.255.0
network of the DNI-NAT2 object
10.0.85.0 subnet 255.255.255.0
network of the DNI-VIH3 object
10.0.86.0 subnet 255.255.255.0
network of the DNI-NAT4 object
10.0.87.0 subnet 255.255.255.0

the DNI_NAT object-group network
network-object DNI-NAT1
network-object DNI-NAT2
network-object ID-VIH3
network-object NAT4 DNI

DNI_VPN_NAT1 to access ip 10.0.0.0 scope list allow 255.255.255.0 object comm - 10.240.0.0
Access extensive list ip 10.0.12.0 DNI_VPN_NAT2 allow 255.255.255.0 object comm - 10.240.0.0
Access extensive list ip 10.0.14.0 DNI_VPN_NAT3 allow 255.255.255.0 object comm - 10.240.0.0
Access extensive list ip 172.16.1.0 DNI_VPN_NAT4 allow 255.255.255.0 object comm - 10.240.0.0
access-list extended DNI-VPN-traffic permit ip object-group, object DNI_NAT comm - 10.240.0.0

NAT (inside, outside) source static obj - 10.0.12.0 DNI-NAT2 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
NAT (inside, outside) source static obj - 10.0.14.0 DNI-VIH3 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
NAT (inside, outside) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp

Hello

I see that the issue here is the declaration of NAT:

NAT (inside, outside) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp

The correct statement would be:

NAT (DMZ, external) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp

Go ahead and do a tracer of packages:

Packet-trace entry DMZ 172.16.1.15 tcp 443 detailed 10.240.X.X

Thus, you will see the exempt NAT works now.

I would like to know how it works!

Please don't forget to rate and score as correct the helpful post!

Kind regards

David Castro,

NAT before going on a VPN Tunnel Cisco ASA or SA520

I have a friend who asked me to try to help. We are established VPN site to site with a customer. Our camp is a Cisco sa520 and side there is a control point. The tunnel is up, we checked the phase 1 and 2 are good. The question is through the tunnel to traffic, our LAN ip address are private addresses 10.10.1.0/24 but the client says must have a public IP address for our local network in order to access that server on local network there. So, in all forums, I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses and the comcast router, on the side of the firewall SA520 WAN. So we were wondering was there a way we can use the WAN on the SA520 interface or use another available 6 who were assigned to the NAT traffic and passes through the tunnel. That sounds confusing to you? Sorry, but it's rarely have I a customer say that I must have a public IP address on my side of the LAN. Now, I say this is a SA520 firewall, but if it is not possible to do with who he is a way were able with an ASA5505?

Help or direction would be very useful.

Hello

I guess I could quickly write a basic configuration. Can't be sure I remember all correctly. But should be the biggest part of it.

Some of the course settings may be different depending on the type of VPN L2L connection settings, you have chosen.

Naturally, there are also a lot of the basic configuration which is not mentioned below.

For example
- Configurations management and AAA
- DHCP for LAN
- Logging
- Interface "nonstop."
- etc.
Information for parameters below
- x.x.x.x = ASA 'outside' of the public IP interface
- y.y.y.y = ASA "outside" network mask
- z.z.z.z = ASA "outside" IP address of the default gateway
- a.a.a.a = the address of the remote site VPN L2L network
- b.b.b.b = mask of network to the remote site VPN L2L
- c.c.c.c = IP address of the public peer device VPN VPN L2L remote site
- PSK = The Pre Shared Key to connect VPN L2L
Interfaces - Default - Access-list Route

interface Vlan2

WAN description

nameif outside

security-level 0

Add IP x.x.x.x y.y.y.y

Route outside 0.0.0.0 0.0.0.0 z.z.z.z

interface Ethernet0

Description WAN access

switchport access vlan 2
- All interfaces are on default Vlan1 so their ' switchport access vlan x "will not need to be configured
interface Vlan1

LAN description

nameif inside

security-level 100

10.10.1.0 add IP 255.255.255.0

Note to access the INSIDE-IN list allow all local network traffic

access to the INTERIOR-IN ip 10.10.1.0 list allow 255.255.255.0 any

group-access INTERIOR-IN in the interface inside

Configuring NAT and VPN L2L - ASA 8.2 software and versions prior

Global 1 interface (outside)

NAT (inside) 1 10.10.1.0 255.255.255.0

Crypto ipsec transform-set AES-256 aes-256-esp esp-sha-hmac

crypto ISAKMP policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

card crypto WAN-CRYPTOMAP 10 the value transform-set AES-256

card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

CRYPTOMAP WAN interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

pre-shared key, PSK

NAT and VPN L2L - ASA 8.3 software configuration and after

NAT source auto after (indoor, outdoor) dynamic one interface

Crypto ipsec transform-set ikev1 AES-256 aes-256-esp esp-sha-hmac

IKEv1 crypto policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

card crypto WAN-CRYPTOMAP 10 set transform-set AES-256 ikev1

card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

CRYPTOMAP WAN interface card crypto outside

crypto isakmp identity address

Crypto ikev1 allow outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

IKEv1 pre-shared key, PSK

I hope that the above information was useful please note if you found it useful

If it boils down to the configuration of the connection with the ASA5505 and does not cut the above configuration, feel free to ask for more

-Jouni

Newbie question route-map/access-list

I am quite new to the thing whole cisco here. I'm very hesitant to make changes as I am not sure that I take down the entire network of 200%. (We are a very small company)

We have a router cisco 1811 (yes I know its old)

We now have a road map and I'm trying to understand it to make it work the way we want. Basically, we have a few servers and we do not want some servers to use our cable internet connection, we want to use our T1. Our T1 uses an ASA5505 as a router. I don't know why, I know its not the best practice but I was just hired and that's all I have to say on this subject. I am doing as a result. Web traffic currently out our interface cable, everything, including the speed of transfer on speedtest.net out our T1. This makes the bad, bad VoIP phone calls. We also have a tunnel punch in Q1 of our other offices as well as our server Exchange2010 using T1. If our cable goes down, everything for the T1 (by design). We have a long list of defined access our route map - use corresponding ip. I want to change the access list to not allow local network IP addresses. I know that if I put in a whole ip allow it break our network and nothing comes out of the T1 line, and no one can get to our mail server more. So, I was thinking of adding some statements, but I was wondering if someone could help me with logic, so I know not if I will break the network. I wouldn't pull the laminated cord and use the console. (I really need get a USB serial interface). Now, you understand a little more about my situation now for all numbers, etc.

Network internal 90.0.0.0/24, 192.168.0.0/24 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses, why they chose 16 is beyond me, stupid really)

PTP VPN: 192.168.116.0/24 comes and goes out our T1.

1811 router: 90.0.0.254/192.168.30.254/192.168.0.254

ASA: 90.0.0.50

!

follow the accessibility of ALS 40 ip 40

delay the decline 90 60

!

interface Vlan1

Description * INTERFACE LAN 90.0.0.x network * $FW_INSIDE$

IP 90.0.0.254 255.255.255.0

IP nat inside

IP virtual-reassembly

IP tcp adjust-mss 1452

route WEBPBR card intellectual property policy

!

interface Vlan10

Description * INTERFACE LAN NET 192.168.0.x * $FW_INSIDE$

IP 192.168.0.254 255.255.255.0

IP nat inside

IP helper 90.0.0.2

IP virtual-reassembly

route WEBPBR card intellectual property policy

!

! Static routes

IP forward-Protocol ND

IP route 0.0.0.0 0.0.0.0 90.0.0.50 track 20

IP route 0.0.0.0 0.0.0.0 197.164.245.109 200

IP route 8.8.8.8 255.255.255.255 197.164.245.109 permanent

IP route 10.250.10.0 255.255.255.0 90.0.0.50 permanent

IP route 172.20.0.0 255.255.0.0 90.0.0.50 permanent

IP route 208.67.220.220 255.255.255.255 197.164.245.109 permanent

WEBTRAFFIC extended IP access list
deny ip any host 208.67.222.222
deny ip any 172.20.0.0 0.0.255.255
refuse the host tcp 90.0.0.2 any eq www
refuse 90.0.0.14 tcp host any eq www
refuse 90.0.0.235 tcp host any eq www
refuse the host ip 192.168.0.40 everything
deny ip any host 192.168.0.40
refuse the host ip 192.168.0.41 all
deny ip any host 192.168.0.41
deny ip any host 192.168.0.221
refuse the host ip 192.168.0.221 all
refuse the host ip 192.168.0.225 all
refuse 90.0.0.10 tcp host any eq www
deny ip any host 192.168.0.225
refuse 90.0.0.11 tcp host any eq www
refuse 90.0.0.9 tcp host any eq www
refuse 90.0.0.8 tcp host any eq www
refuse 90.0.0.7 tcp host any eq www
refuse 90.0.0.6 tcp host any eq www
refuse the 90.0.0.1 tcp host any eq www
refuse 90.0.0.13 tcp host any eq www
refuse 90.0.0.200 tcp host any eq www
permit tcp any any eq www
allow the host ip 192.168.0.131 one
allow the host ip 192.168.0.130 one
allow the host ip 192.168.0.132 one
allow the host ip 192.168.0.133 one
allow the host ip 192.168.0.134 one
allow the host ip 192.168.0.135 one
allow the host ip 192.168.0.136 one
allow the host ip 192.168.0.137 one
allow the host ip 192.168.0.138 one
allow the host ip 192.168.0.139 one
allow the host ip 192.168.0.140 one
allow the host ip 192.168.0.141 one
allow the host ip 192.168.0.142 one
allow the host ip 192.168.0.143 one
allow the host ip 192.168.0.144 a
allow the host ip 192.168.0.145 one
allow the host ip 192.168.0.146 one
allow the host ip 192.168.0.147 one
allow the host ip 192.168.0.148 one
allow the host ip 192.168.0.149 one
allow the host ip 192.168.0.150 one
allow the host ip 90.0.0.80 one
allow the host ip 90.0.0.81 one
allow the host ip 90.0.0.82 one
allow the host ip 90.0.0.83 one
allow the host ip 90.0.0.84 one
allow the host ip 90.0.0.85 one
allow the host ip 90.0.0.86 one
allow the host ip 90.0.0.87 one
allow the host ip 90.0.0.88 one
allow the host ip 90.0.0.89 one
allow the host ip 90.0.0.90 one
allow the host ip 90.0.0.91 one
allow the host ip 90.0.0.92 one
allow the host ip 90.0.0.93 one
allow the host ip 90.0.0.94 one
allow the host ip 90.0.0.95 one
refuse the host tcp 90.0.0.3 any eq www

ALS IP 40

208.67.220.220 ICMP echo source interface Vlan1

Timeout 6000

frequency 20

ALS annex IP 40 life never start-time now

allowed WEBPBR 2 route map

corresponds to the IP WEBTRAFFIC

set ip next-hop to check the availability of the 197.164.245.109 1 track 40

That is how we have it set up right now. If I put in a few lines above WEBTRAFFIC with:

deny ip any 192.168.0.0 0.0.0.255

deny ip any 90.0.0.0 0.0.0.255

deny ip any 192.168.116.0 0.0.0.255

! Etc with all internal networks

* And then put at the bottom:

allow an ip

who will ALL break so we can not communicate with anything? Or is that what I did to do this, we get internal routing etc.? Also, I guess I'd put in 15 IP addresses that are coming in the SAA as well? (We have public IPS 14 (one for the T1 gateway) that would go as well?) I don't want to try to put in those at the top and make sure no one can do anything. I hope I made clear what I'm doing...

Post edited by: Ryan Young

I have not read this thread well enough to be able to talk to the intricacies of the issue whether this access will make what you want. But I can answer the specific question you are asking. Yes - the access list is top-down, transformed and if a few more top line in the access list matches, then treatment for this package will not get the license at the bottom of the access list.

HTH

Rick

Cisco ASA 5505 - capable to connect to VPN - access forbidden inside

Hello

I tried to set up a virtual private network for weeks, I can connect to the public IP address of the ASA, but I can't reach anything behind Cisco.

I give you my config:

ASA Version 8.2 (5)
!
host name asa
sarg domain name * .net
activate the encrypted password of Z4K16OvBr0J5Dj/2
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
passive FTP mode
DNS server-group DefaultDNS
domain sargicisco.net
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.1.0 255.255.255.0
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.254.0 255.255.255.240
Remote_Sargi_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
sheep - in extended access-list permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
mask 192.168.254.1 - 192.168.254.10 255.255.255.0 IP local pool SAVPN_Pool
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
crypto ISAKMP allow outside
crypto ISAKMP allow inside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
VPN-addr-assign local reuse / time 5
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
Wis field dhcpd * .net interface inside
dhcpd allow inside
!

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
allow inside
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
enable SVC
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal Remote_Sargi group strategy
attributes of Group Policy Remote_Sargi
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Remote_Sargi_splitTunnelAcl
sargicisco.NET value by default-field
username kevin mz6JxJib/sQqvsw9 password encrypted privilege 0
username kevin attributes
VPN-group-policy DfltGrpPolicy
type tunnel-group SAVPN remote access
attributes global-tunnel-group SAVPN
address pool SAVPN_Pool
tunnel-group SAVPN webvpn-attributes
enable SAVPN group-alias
allow group-url https://82.228.XXX.XXX/SAVPN
type tunnel-group Remote_Sargi remote access
attributes global-tunnel-group Remote_Sargi
address pool SAVPN_Pool
Group Policy - by default-Remote_Sargi
IPSec-attributes tunnel-group Remote_Sargi
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:387a6e260247a545f4df0d3f28ba58c5
: end

Thank you

Hello

Could you remove this statement and add the last:

no nat (inside) 0-list of access inside_nat0_outbound

ADD: nat (inside) 0 access-list sheep - in

Kind regards

Aditya

Please evaluate the useful messages and mark the correct answers.

Cisco ASA, connect an IP address on the OUTSIDE of the VPN remote access

Hello

I tried to find resources on the net but could not find a solution, then post it here. Maybe someone can help.

So the problem is that I'm trying to access a server on the cloud for remote VPN access (cisco asa 5510).

The server on the cloud (54.54.54.54) is only accessible from the outside interface (192.168.11.2) NY Firewall (cisco asa 5510)

I added some ACE for this in the ACL of VPN tunnel to divide.

NY-standard host allowed fw # access - list vpn_remote-customer 54.54.54.54

And I see the road added to my cliet machine after the VPN connection, but still it cannot connect to this server.

The network INTERIOR, I can connect to the server.

Thanks in advance.

Hello

This is most likely a problem with NAT hair/U-turn hairpin.

Will need to see the configurations or you would need to check yourself

I don't know what your version of the Software ASA is to be like who determines what is the format of NAT configuration.

So far, you have confirmed that the ASA VPN configuration provides the VPN Client with the route to the remote server. Then in circulation should be tunnel to the ASA.

Then, you will need to check the output of this command

See the race same-security-traffic

You should see the command in the output below

permit same-security-traffic intra-interface

If you do not, you will need to add it. This effect of controls is to allow traffic to enter an interface and exit through the same interface. In your case this applies to Internet VPN Client traffic to the remote server as it between ' outside ' and spell through the 'outside'.

Then, should ensure that dynamic PAT is configured for the VPN Clients.

8.2 software (and below)

You most likely have a dynamic configuration PAT like that on the firewall, if levels of above running software version

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0

In this situation if we wanted to add dynamic PAT for a pool of VPN, we would add

NAT (outside) 1

This would allow users to use the same public IP address as LAN users, when accessing the remote VPN server

Software 8.3 (and above)

Because the NAT configuration format is completely different in the latest software, you could probably just add a new configuration of NAT completely without adding a

network of the VPN-PAT object

subnet

dynamic NAT interface (outdoors, outdoor)

Of course, its possible that there could be some configuration NAT already on the device which could cause problems for this configuration. If this does not work then that we would have to look at the actual configurations on the ASA.

Hope this helps

Let me know how it goes

-Jouni

Cisco ASA 8.4 (3) remote access VPN - client connects but cannot access inside the network

I have problems to access the resources within the network when connecting with the Cisco VPN client for a version of 8.4 (3) operation of the IOS Cisco ASA 5510. I tried all new NAT 8.4 orders but cannot access the network interior. I can see traffic in newspapers when ping. I can only assume I have NAT evil or it's because the inside interface of the ASA is on the 24th of the same subnet as the network interior? Please see config below, any suggestion would be appreciated. I configured a VPN site to another in this same 5510 and it works well

Thank you

interface Ethernet0/0

Speed 100

full duplex

nameif outside

security-level 0

IP x.x.x.x 255.255.255.240

!

interface Ethernet0/1

Speed 100

full duplex

nameif inside

security-level 100

IP 10.88.10.254 255.255.255.0

!

interface Management0/0

Shutdown

nameif management

security-level 0

no ip address

!

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

network of the PAT_to_Outside_ClassA object

10.88.0.0 subnet 255.255.0.0

network of the PAT_to_Outside_ClassB object

subnet 172.16.0.0 255.240.0.0

network of the PAT_to_Outside_ClassC object

Subnet 192.168.0.0 255.255.240.0

network of the LocalNetwork object

10.88.0.0 subnet 255.255.0.0

network of the RemoteNetwork1 object

Subnet 192.168.0.0 255.255.0.0

network of the RemoteNetwork2 object

172.16.10.0 subnet 255.255.255.0

network of the RemoteNetwork3 object

10.86.0.0 subnet 255.255.0.0

network of the RemoteNetwork4 object

10.250.1.0 subnet 255.255.255.0

network of the NatExempt object

10.88.10.0 subnet 255.255.255.0

the Site_to_SiteVPN1 object-group network

object-network 192.168.4.0 255.255.254.0

object-network 172.16.10.0 255.255.255.0

object-network 10.0.0.0 255.0.0.0

outside_access_in deny ip extended access list a whole

inside_access_in of access allowed any ip an extended list

11 extended access-list allow ip 10.250.1.0 255.255.255.0 any

outside_1_cryptomap to access extended list ip 10.88.0.0 255.255.0.0 allow object-group Site_to_SiteVPN1

mask 10.250.1.1 - 10.250.1.254 255.255.255.0 IP local pool Admin_Pool

NAT static NatExempt NatExempt of the source (indoor, outdoor)

NAT (inside, outside) static source any any static destination RemoteNetwork4 RemoteNetwork4-route search

NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork1 RemoteNetwork1

NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork2 RemoteNetwork2

NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork3 RemoteNetwork3

NAT (inside, outside) static source LocalNetwork LocalNetwork static destination RemoteNetwork4 RemoteNetwork4-route search

!

network of the PAT_to_Outside_ClassA object

NAT dynamic interface (indoor, outdoor)

network of the PAT_to_Outside_ClassB object

NAT dynamic interface (indoor, outdoor)

network of the PAT_to_Outside_ClassC object

NAT dynamic interface (indoor, outdoor)

Access-group outside_access_in in interface outside

inside_access_in access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

dynamic-access-policy-registration DfltAccessPolicy

Sysopt connection timewait

Service resetoutside

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-ikev1 esp-md5-hmac bh-series

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto-map dynamic dynmap 10 set pfs

Crypto-map dynamic dynmap 10 set transform-set bh - set ikev1

life together - the association of security crypto dynamic-map dynmap 10 28800 seconds

Crypto-map dynamic dynmap 10 kilobytes of life together - the association of safety 4608000

Crypto-map dynamic dynmap 10 the value reverse-road

card crypto mymap 1 match address outside_1_cryptomap

card crypto mymap 1 set counterpart x.x.x.x

card crypto mymap 1 set transform-set ESP-AES-256-SHA ikev1

card crypto mymap 86400 seconds, 1 lifetime of security association set

map mymap 1 set security-association life crypto kilobytes 4608000

map mymap 100-isakmp ipsec crypto dynamic dynmap

mymap outside crypto map interface

crypto isakmp identity address

Crypto isakmp nat-traversal 30

Crypto ikev1 allow outside

IKEv1 crypto ipsec-over-tcp port 10000

IKEv1 crypto policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 10

preshared authentication

3des encryption

sha hash

Group 1

life 86400

IKEv1 crypto policy 50

preshared authentication

the Encryption

md5 hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

preshared authentication

aes-256 encryption

sha hash

Group 1

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

Telnet timeout 5

Console timeout 0

management-access inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal BACKDOORVPN group policy

BACKDOORVPN group policy attributes

value of VPN-filter 11

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelall

BH.UK value by default-field

type tunnel-group BACKDOORVPN remote access

attributes global-tunnel-group BACKDOORVPN

address pool Admin_Pool

Group Policy - by default-BACKDOORVPN

IPSec-attributes tunnel-group BACKDOORVPN

IKEv1 pre-shared-key *.

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group ipsec-attributes x.x.x.x

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

Excellent.

Evaluate the useful ticket.

Thank you

Rizwan James

Enable ASA 9.1 problems with tunnel-group-list

Hello!

I try to get a working configuration where the Cisco VPN / DTLS phones VPN connect, while allowing access remotely via client AnyConnect of PCs. I have two groups of tunnel and configured for this purpose of group policy and use Group-URL.

Phones are connect very well, but I don't get the drop down menu to choose between the two groups of tunnel when connecting to a remote computer.

An excerpt from the config.

Moreover, I had the menu work previously when I used group instead of group-URL aliases. However, the phones seem to require the URL group. Now that I have those configured, the menu does not work. If I get the full URL in the AnyConnect window, both URLs work, and I can connect.

Thank you in advance for any suggestions you may have!

Deb

WebVPN

allow outside

AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

AnyConnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

AnyConnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3

AnyConnect enable

tunnel-group-list activate

ABC Group-Policy internal

ABC Group Policy attributes

value of server WINS 10.10.16.17 10.10.16.12

value of 10.10.16.17 DNS server 10.10.16.12

VPN - connections 3

SSL VPN-tunnel-Protocol l2tp ipsec client ssl clientless

Split-tunnel-policy tunnelall

field default value abc.com

the address value AnyConnectPool pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

time to generate a new key ssl AnyConnect 1440

AnyConnect ssl generate a new method ssl key

AnyConnect client of dpd-interval 5

dpd-interval gateway AnyConnect 30

AnyConnect ask none

internal strategy of group ABC - STG

ABC - STG group policy attributes

value of server DNS 8.8.8.8

VPN - connections 3

SSL VPN-tunnel-Protocol l2tp ipsec client ssl clientless

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value Split-Tunnel-encrypt-ACL

field default value abc.com

the address value AnyConnectPool pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

time to generate a new key ssl AnyConnect 1440

AnyConnect ssl generate a new method ssl key

AnyConnect client of dpd-interval 5

dpd-interval gateway AnyConnect 30

AnyConnect ask none

type tunnel-group Split-Tunnel-Group remote access

attributes global-tunnel-group Split-Tunnel-Group

address pool AnyConnectPool

Group Policy - by default-ABC-STG

tunnel-group Split-Tunnel-Group webvpn-attributes

allow group-url https://asa.abc.com/ABC-STG

tunnel-group ABC - Tunnel - type remote access Group

attributes global-tunnel-group ABC - Tunnel - Group

address pool AnyConnectPool

Group-ACTIVE DIRECTORY authentication server

Group Policy - by default-ABC

password-management

ABC - Tunnel tunnel-group - webvpn-attributes Group

allow group-url https://asa.abc.com/ABC

Hello

You can have group-alias and group-url at the same time in the configuration so that the phones can connnect with Group-url and users can click on the drop down menu to select the right connection profile.

tunnel-group webvpn-attributes
Group-alias enable
Group-url help

Ref:- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Cisco ASA vpn site to site with access internet, error

Hello

I have two offises, Central and removed, with the external IP addresses. They are connected to the site to site vpn, LAN works fine, then NAT is disable, but then there is no internet access, then I Internet in NAT is working well, but then there is no access to the local network.
Where would be the problem?

There's config:

ASA Version 8.4(4)1 ! hostname SalSK-ASA domain-name ld.lt enable password xxx encrypted passwd xxx encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address 81.X.X.X 255.255.255.0 ! interface Ethernet0/1 nameif inside security-level 100 ip address 192.168.204.254 255.255.255.0 ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown no nameif no security-level no ip address ! ftp mode passive clock timezone EET 2 dns server-group DefaultDNS domain-name lietuvosdujos.lt object network LAN subnet 192.168.204.0 255.255.255.0 description Local Area Network object network LD_Lanai subnet 192.168.0.0 255.255.0.0 description LD lanai access-list inside_access_in extended permit ip any any access-list outside_access_in extended permit ip any any access-list vpn extended permit ip any 192.168.204.0 255.255.255.0 access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0 access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai access-list outside_cryptomap_1 extended permit ip object LAN any access-list outside extended permit ip any any pager lines 24 logging enable logging list VPN_events level informational class auth logging list VPN_events level informational class vpdn logging list VPN_events level informational class vpn logging list VPN_events level informational class vpnc logging list VPN_events_ID message 713120 logging list VPN_events_ID message 713167 logging list VPN_events_ID message 602303 logging list VPN_events_ID message 713228 logging list VPN_events_ID message 113012 logging list VPN_events_ID message 113015 logging list VPN_events_ID message 713184 logging list VPN_events_ID message 713119 logging list VPN_events_ID message 602304 logging monitor debugging logging buffered debugging logging trap VPN_events_ID logging asdm informational mtu outside 1500 mtu inside 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 nat (inside,outside) source dynamic LAN interface inactive access-group outside in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 81.7.77.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server ISE protocol radius aaa-server ISE (inside) host 192.168.200.48 key ***** user-identity default-domain LOCAL aaa authentication enable console ISE LOCAL aaa authentication http console ISE LOCAL aaa authentication serial console ISE LOCAL aaa authentication ssh console ISE LOCAL http server enable http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac crypto map outside_map 1 match address outside_cryptomap_1 crypto map outside_map 1 set peer 213.X.X.X crypto map outside_map 1 set ikev1 transform-set tripledes crypto map outside_map interface outside crypto isakmp identity address crypto ikev1 enable outside crypto ikev1 policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 management-access inside threat-detection basic-threat threat-detection statistics host threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 192.168.201.200 source inside prefer webvpn group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 l2tp-ipsec group-policy SalGP internal group-policy SalGP attributes vpn-filter value vpn vpn-tunnel-protocol ikev1 l2tp-ipsec username Admin password LVPpyc4ATztEAWtq encrypted privilege 15 tunnel-group 213.X.X.X type ipsec-l2l tunnel-group 213.X.X.X general-attributes default-group-policy SalGP tunnel-group 213.X.X.X ipsec-attributes ikev1 pre-shared-key ***** ! class-map global-class match default-inspection-traffic ! ! policy-map global-policy class global-class inspect dns inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect sip inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect xdmcp inspect icmp class class-default user-statistics accounting ! service-policy global-policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email [email protected]/* */ destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5 : end

Two things are here according to you needs.

First you encrypt all the traffic on the network 192.168.204.0/24... do you intend to send all traffic on that subnet via the VPN? If this isn't the case, specify the remote subnet instead of using all the crypto ACL.

object network LAN subnet 192.168.204.0 255.255.255.0access-list outside_cryptomap_1 extended permit ip object LAN any

Second, you have not an exempt statement NAT so that encrypted traffic should not be translated. This statement would look like the following:
the object of the LAN network
192.168.204.0 subnet 255.255.255.0

being REMOTE-LAN network
255.255.255.0 subnet 192.168.100.0

Static NAT LAN LAN (inside, outside) destination static REMOTE - LAN LAN

--

Please do not forget to choose a good response and the rate

Cisco ASA tunnel access list question

Similar Questions

Maybe you are looking for