Client IPsec VPN on ASA 9.0(2)
Hi all
I have a problem with the Client VPN configuration on my ASA 5512 running ASA 9.0(2). I tried several configurations but none of them work, not even the one produced by the VPN Wizard in ASDM.
Please let us know if I missed something.
There is no response when I try to connect using VPN Client 5.0.07.0410.
VERSION OF THE ASA
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)102
###############################################################################################################
Config 1
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
!
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set VPNU
!
crypto map IPSec_map 1 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GETUVPN_POLICY internal
group-policy GETUVPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN_POOL
 authentication-server-group LOCAL
 default-group-policy GETUVPN_POLICY
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key cisco123
!
###############################################################################################################
Config 2
ip local pool vpnpool 192.168.200.1-192.168.200.254
!
access-list sheep remark ACL for NAT exemption
access-list sheep extended permit ip 10.10.100.0 255.255.255.192 192.168.200.0 255.255.255.0
!
access-list vpn_SplitTunnel remark ACL for VPN split tunnel
access-list vpn_SplitTunnel standard permit 10.10.100.0 255.255.255.192
!
!
nat (inside) 0 access-list sheep
!
!
group-policy IPSec_map internal
group-policy IPSec_map attributes
 vpn-idle-timeout 120
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set high esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set high
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group GETUVPN type ipsec-ra
tunnel-group GETUVPN general-attributes
 address-pool vpnpool
 default-group-policy IPSec_map
!
!
tunnel-group GETUVPN ipsec-attributes
 pre-shared-key Cisco123
!
###############################################################################################################
Config 3
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 identity address
crypto ikev1 enable outside
crypto ikev1 policy 11
!
ip local pool vpnpool 192.168.200.1-192.168.200.254
!
crypto ipsec ikev1 transform-set CLIENTVPN esp-3des esp-md5-hmac
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN-pool
!
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key Cisco123
crypto dynamic-map dyn1 1 set ikev1 transform-set VPNU
crypto dynamic-map dyn1 1 set reverse-route
crypto map IPSec_map 1 ipsec-isakmp dynamic dyn1
crypto map IPSec_map interface outside
!
Hello
Try the first config with a minor change (the changed lines are marked):
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
!
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 65535 set ikev1 transform-set VPNU    <-- changed
!
crypto map IPSec_map 65535 ipsec-isakmp dynamic DYN_MAP          <-- changed
crypto map IPSec_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GETUVPN_POLICY internal
group-policy GETUVPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN_POOL
 authentication-server-group LOCAL
 default-group-policy GETUVPN_POLICY
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key cisco123
Also add a NAT0 configuration in the new NAT format:
object network LAN
 subnet 10.10.100.0 255.255.255.192
object network VPN-POOL
 subnet 192.168.200.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
Hope this helps
-Jouni
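As an added check (not from the thread, and not Cisco's tooling), this script audits an ASA running-config for the two things Jouni changes above: the dynamic crypto-map entry carrying the highest sequence number, and an identity NAT (NAT0) rule covering the VPN pool. It assumes ASA 8.3+ NAT syntax; the sample configs, the object names and the site-to-site entry at seq 10 are constructed.

```python
import ipaddress
import re

# Constructed sample: the thread's first config in ASA CLI syntax, with the
# dynamic map moved to seq 65535 and the NAT0 lines added as in the reply.
# The static site-to-site entry at seq 10 is made up to show why the dynamic
# entry must carry the highest sequence number.
ASA_FIXED = """\
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
crypto dynamic-map DYN_MAP 65535 set ikev1 transform-set VPNU
crypto map IPSec_map 10 match address L2L_ACL
crypto map IPSec_map 10 set peer 203.0.113.10
crypto map IPSec_map 65535 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map interface outside
object network LAN
 subnet 10.10.100.0 255.255.255.192
object network VPN-POOL
 subnet 192.168.200.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
"""

# Same config as posted in the question: dynamic entry at seq 1 (below the
# static entry) and no identity NAT covering the pool.
ASA_BROKEN = """\
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set VPNU
crypto map IPSec_map 1 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map 10 match address L2L_ACL
crypto map IPSec_map 10 set peer 203.0.113.10
crypto map IPSec_map interface outside
object network LAN
 subnet 10.10.100.0 255.255.255.192
"""

POOL_RE = re.compile(r"ip local pool (\S+) ([\d.]+)-([\d.]+)")
OBJECT_RE = re.compile(r"object network (\S+)")
SUBNET_RE = re.compile(r"\s+subnet ([\d.]+) ([\d.]+)")
CRYPTO_MAP_RE = re.compile(r"crypto map (\S+) (\d+) (.+)")
NAT_RE = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")


def parse(text):
    """Collect pools, network objects, crypto-map entries and identity NAT
    rules from a running-config (only the parts these two checks need)."""
    pools, objects, maps, identity_nat = {}, {}, {}, []
    current = None  # network object whose sub-mode we are inside
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := OBJECT_RE.match(line):
            current = m[1]
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := CRYPTO_MAP_RE.match(line):
            # value is True for a dynamic entry, False for a static (peer) entry
            maps.setdefault(m[1], {})[int(m[2])] = m[3].startswith("ipsec-isakmp dynamic")
        elif m := NAT_RE.match(line):
            if m[1] == m[2] and m[3] == m[4]:  # objects mapped to themselves
                identity_nat.append((m[1], m[3]))
    return pools, objects, maps, identity_nat


def check_dynamic_last(maps):
    """A dynamic entry is evaluated in sequence order like any other entry, so
    it must have the highest sequence number to be tried after the static ones."""
    findings = []
    for name, entries in maps.items():
        static = [seq for seq, dyn in entries.items() if not dyn]
        for seq, dyn in entries.items():
            if dyn and static and seq < max(static):
                findings.append(f"crypto map {name}: dynamic entry seq {seq} "
                                f"is below static entry seq {max(static)}")
    return findings


def check_pool_exempt(pools, objects, identity_nat):
    """Each pool must fall inside the destination object of an identity NAT rule."""
    findings = []
    for name, (first, last) in pools.items():
        covered = any(dst in objects and first in objects[dst] and last in objects[dst]
                      for _, dst in identity_nat)
        if not covered:
            findings.append(f"pool {name} ({first}-{last}): no identity NAT "
                            "exempts LAN<->pool traffic from translation")
    return findings


def audit(text):
    pools, objects, maps, identity_nat = parse(text)
    return check_dynamic_last(maps) + check_pool_exempt(pools, objects, identity_nat)


if __name__ == "__main__":
    for label, cfg in (("fixed", ASA_FIXED), ("broken", ASA_BROKEN)):
        print(label, audit(cfg) or "ok")
```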
Similar Questions
-
Client IPsec VPN and NAT on a Cisco router = FAIL
I have a Cisco 3825 router that I have set up for the Cisco IPsec VPN client. The same router does NAT.
IPsec connects, but clients cannot reach the internal network unless NAT is disabled on the inside interface. But I need both at the same time.
Suggestions?
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group myclient
 key password!
 dns 1.1.1.1
 domain name
 pool myVPN
 acl 111
!
!
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 reverse-route
!
!
crypto map clientmap client authentication list VPN-AAA
crypto map clientmap isakmp authorization list AAA-VPN
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 10.88.0.1 255.255.255.0
!
interface GigabitEthernet0/0
 ! external interface
 ip address 192.168.168.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 crypto map clientmap
!
interface GigabitEthernet0/1
 ! inside interface
 ip address 10.0.1.10 255.255.255.0
 ip nat inside    <==== IPsec client connects, but cannot reach the internal network unless this is removed
 ip virtual-reassembly
 ip route-cache same-interface
 duplex auto
 speed auto
 media-type rj45
!
ip local pool myVPN 10.88.0.2 10.88.0.10
ip route 0.0.0.0 0.0.0.0 192.168.168.1
ip route 10.0.0.0 255.255.0.0 10.0.1.4
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 111 permit ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 111 permit ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255
Hello
I think you need to configure the default PAT ACL so that its first statements "deny" the traffic that is NOT supposed to be translated, i.e. traffic between the local network and the VPN pool.
For example, the ACL and NAT configuration could look like this:
access-list 100 remark NAT0 for VPN clients
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
access-list 100 remark Default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
EDIT: it seems you could actually have more than 10 networks behind the router. Then you could modify the ACL like this:
access-list 100 remark NAT0 for VPN clients
access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 100 remark Default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.255.255 any
Don't forget to mark correct replies and/or rate helpful answers.
-Jouni
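Added example, not from the thread: a first-match evaluator for the ACL referenced by "ip nat inside source list", run over the router's original permit-only ACL and over the deny-first ACL from the reply, to show which one keeps LAN-to-pool traffic out of PAT. The LAN host 10.0.1.20 and the Internet address 198.51.100.7 are constructed; only "ip" ACEs with contiguous wildcards are handled.

```python
import ipaddress
import re

# Constructed samples: the router's original NAT ACL (permit only) and the
# deny-first ACL from the reply, each with the VPN pool from the question.
IOS_ORIGINAL = """\
ip local pool myVPN 10.88.0.2 10.88.0.10
access-list 1 permit 10.0.0.0 0.0.255.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
"""

IOS_FIXED = """\
ip local pool myVPN 10.88.0.2 10.88.0.10
access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 100 permit ip 10.0.1.0 0.0.255.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
"""

ACE_RE = re.compile(r"access-list (\d+) (permit|deny) (.+)")
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_spec(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD | A) and
    return (network, remaining tokens). Contiguous wildcards only."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) == 1:  # bare address in a standard ACL means a host
        return ipaddress.ip_network(tokens[0] + "/32"), []
    # Turn the wildcard into a netmask ourselves so 0.0.0.0 and
    # 255.255.255.255 are not misread by ipaddress' hostmask guessing.
    wild = int(ipaddress.ip_address(tokens[1]))
    netmask = str(ipaddress.ip_address(0xFFFFFFFF ^ wild))
    net = ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False)
    return net, tokens[2:]


def parse(text):
    """Return ({acl number: [(action, src_net, dst_net), ...]},
    {pool name: (first, last)}, [acl numbers used for inside-source NAT])."""
    acls, pools, nat_lists = {}, {}, []
    for line in text.splitlines():
        toks = line.split()
        if line.startswith("ip local pool "):
            pools[toks[3]] = (ipaddress.ip_address(toks[4]),
                              ipaddress.ip_address(toks[5]))
        elif m := ACE_RE.match(line):
            rest = m[3].split()
            if rest[0] == "ip":            # extended ACE: ip SRC DST
                src, rest = parse_spec(rest[1:])
                dst, _ = parse_spec(rest)
            else:                          # standard ACE: source only
                src, _ = parse_spec(rest)
                dst = ANY
            acls.setdefault(int(m[1]), []).append((m[2], src, dst))
        elif line.startswith("ip nat inside source list "):
            nat_lists.append(int(toks[5]))
    return acls, pools, nat_lists


def acl_action(aces, src, dst):
    """IOS evaluates ACEs top-down; first match wins; implicit deny at the end."""
    for action, src_net, dst_net in aces:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def evaluate(text, acl_number, src, dst):
    acls = parse(text)[0]
    return acl_action(acls.get(acl_number, []),
                      ipaddress.ip_address(src), ipaddress.ip_address(dst))


def pools_hit_by_pat(text, lan_host):
    """Names of VPN pools whose traffic from lan_host would be translated,
    i.e. the NAT ACL permits LAN->pool instead of denying it first."""
    acls, pools, nat_lists = parse(text)
    src = ipaddress.ip_address(lan_host)
    hit = []
    for name, (first, last) in pools.items():
        for number in nat_lists:
            aces = acls.get(number, [])
            if "permit" in (acl_action(aces, src, first), acl_action(aces, src, last)):
                hit.append(name)
                break
    return hit


if __name__ == "__main__":
    print("original:", pools_hit_by_pat(IOS_ORIGINAL, "10.0.1.20"))  # ['myVPN']
    print("fixed:   ", pools_hit_by_pat(IOS_FIXED, "10.0.1.20"))     # []
```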
-
DPD on site-to-client IPsec VPN
Hello
I configured IPsec client-to-site and site-to-site tunnels on my ASR routers.
Although keepalive is enabled on the router, the client-to-site tunnels are not torn down when the client loses connectivity to the router.
At the same time, the site-to-site tunnels are torn down by DPD.
DPD is configured as follows:
"crypto isakmp keepalive 60 10 periodic"
Can someone help me with this problem?
Thanks in advance
Regards
Lukasz
Hi Lukasz,
We had two common culprits recently:
This COULD explain what you see. Check them out; if you are on something more recent, we might as well have a TAC case opened so that we can pull debugs and have a look.
M.
-
Shared IP space between the IPsec VPN client and a site-to-site VPN
Hello
We have a scenario where a Cisco ASA 5505 will be one end of a site-to-site VPN. The same ASA 5505 also accepts VPN Client connections. The issue is around the IP pool.
If I assign a pool of IP addresses (192.168.1.20 - 192.168.1.30) for VPN Client connections, do I need to make sure that these same IPs are not used across the site-to-site VPN?
There may be PCs / servers running in 192.168.1.0/24 on the other side of the site-to-site VPN. Would this lead to an address conflict?
I have attached a diagram of the scenario. I would like to know if the "orange" PCs would cause an IP conflict if they got the same IP as the "blue" PC, even though one of them is the VPN client and the other is behind the site-to-site VPN.
Thank you.
Absolutely. The VPN Client pool must be a unique subnet that is not used anywhere within your network.
-
IPsec VPN client IP address not redistributed via EIGRP
We use an ASA for remote-access VPN. It is running EIGRP and redistributes static routes. When an AnyConnect SSL client connects, the ASA creates a static route for that client, and it gets redistributed via EIGRP. When an IPsec VPN client connects, the ASA creates a static route for that client, but it isn't redistributed via EIGRP, so the client cannot reach anything. Why wouldn't it redistribute a static route created by an IPsec client?
Thank you
Have you configured RRI (reverse route injection) on the dynamic crypto map?
-
Auto-update feature for the IPsec VPN Client
Hello.
Has anyone ever tried the PIX / ASA IPsec VPN Client auto-update feature?
(see also Document ID: 105606).
I want to make sure that I understand this right.
The user will receive an information popup telling him to download the latest version of the client? And then the update starts on its own?
If so, this would mean that the user must have full administrative rights on the laptop.
From my point of view, full administrator rights on a laptop are prohibited, 100%, and therefore the feature would be totally useless.
Can anyone tell me whether I am right or wrong?
Best
Frank
Frank,
You are right: if the desktop or laptop computer is completely locked down regarding software installation, the user won't be able to install it. They may be able to download it from the link you configured on the ASA once they connect to your ASA RA server, but for the installation the user's machine needs an appropriate rights profile to be able to install it.
HTH
-Jorge
-
Cisco VPN Client and Windows XP IPsec VPN client to ASA
I configured the ASA for IPsec VPN communication via both the Cisco VPN Client and the XP VPN client. I can connect successfully with the Cisco VPN Client, but I get an error when connecting with the XP client. Debugging says "misconfigured groups and transport/tunnel mode". I know they use different transport and tunnel modes, and I think I have configured both. Take a look at the config.
PS, a funny thing: when I connect with the VPN client on Windows Server 2003, I get no error. The only difference is that the XP client is behind an ADSL router and the server client is directly connected to the Internet on one of its public interface IPs. Could NAT in the XP case be causing problems?
Config is:
!
interface GigabitEthernet0/2.30
 description remote access
 vlan 30
 nameif remote-access
 security-level 0
 ip address 85.*.*.1 255.255.255.0
!
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list sheep extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list sheep-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
nat (inside-Bct) 0 access-list sheep-vpn
nat (inside-Bct) 1 access-list nat
nat (inside-Bct) 2 access-list nat-ganja
access-group rdp in interface outside-Ganja
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.1 2
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto isakmp identity address
crypto isakmp enable vpntest
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Baku
ssh 10.254.17.18 255.255.255.255 outside-Baku
ssh 10.254.17.10 255.255.255.255 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Ganja
ssh 10.254.17.18 255.255.255.255 outside-Ganja
ssh 10.254.17.10 255.255.255.255 outside-Ganja
ssh 192.168.1.0 255.255.255.192 inside-Bct
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.3
 vpn-tunnel-protocol ipsec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value BCT.AZ
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group RADIUS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
Hello
For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.
Please see the configuration below:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
or
please see the tunnel-group section of the ASA config.
There is a tunnel-group called "rtptacvpn" with a pre-shared key associated with it. This group name is what the VPN Client uses as its Group Name.
So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.
Secondly, because you are behind an ADSL router, I'm sure it's configured for NAT. Can you please enable NAT-T on your ASA:
"crypto isakmp nat-traversal"
Thirdly, change the transform-set value:
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
Let me know the result.
Thank you
Gilbert
-
UC500 and IPsec VPN client - disconnects
Just throwing a question out there.
I have a UC560 running uc500-advipservicesk9-mz.151-2.T2 at the HQ site. Remote users, about 8 of them, attempt to connect to HQ via the IPsec VPN client (v5.0.07.0440) to access files, etc. The behavior I see is that 5 users connect successfully, but only 5. As soon as more users try to connect, they either:
- connect successfully for a minute, then drop
- get a 412, remote peer is not responding
- connect, but kick off someone else's session.
Users use the same VPN profile, but with individual user names and passwords.
Here are some of the router configs for the VPN clients:
crypto isakmp client configuration group USER01
 key *
 dns 192.168.0.110
 pool USER01_POOL
 acl USER01_ACL
aaa authentication login RAUTHEN local
aaa authorization network RAUTHOR local if-authenticated
crypto isakmp profile USER01_PROF
 match identity group USER01
 client authentication list RAUTHEN
 isakmp authorization list RAUTHOR
 client configuration address respond
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 1000
 encr 3des
 authentication pre-share
 group 2
I enabled debugging:
debug crypto isakmp
debug crypto ipsec
Here are some of the things that I see in the debugs:
604899: Aug 21 16:41:13.333: ISAKMP:(2073): processing HASH payload. message ID = 284724149
604900: Aug 21 16:41:13.333: ISAKMP:(2073): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 284724149, sa = 0x8E7C6E68
604901: Aug 21 16:41:13.333: ISAKMP:(2073):deleting node 284724149 error FALSE reason "Informational (in) state 1"
604902: Aug 21 16:41:13.333: ISAKMP:(2073):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
604903: Aug 21 16:41:13.333: ISAKMP:(2073):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
581504: Aug 20 16:59:12.805: ISAKMP:(2147):purging node -1455244451
581505: Aug 20 16:59:12.805: ISAKMP:(2147):purging node 840814618
581506: Aug 20 16:59:13.933: ISAKMP (2147): received packet from 201.195.231.162 dport 4500 sport 37897 Global (R) QM_IDLE
581507: Aug 20 16:59:13.933: ISAKMP: set new node 801982813 to QM_IDLE
581508: Aug 20 16:59:13.933: ISAKMP:(2147): processing HASH payload. message ID = 801982813
581509: Aug 20 16:59:13.933: ISAKMP: received payload type 18
581510: Aug 20 16:59:13.933: ISAKMP:(2147): processing delete with reason payload
581511: Aug 20 16:59:13.933: ISAKMP:(2147): delete doi = 0
581512: Aug 20 16:59:13.933: ISAKMP:(2147): delete protocol id = 1
581513: Aug 20 16:59:13.933: ISAKMP:(2147): delete spi_size = 16
581514: Aug 20 16:59:13.933: ISAKMP:(2147): delete num spis = 1
581515: Aug 20 16:59:13.933: ISAKMP:(2147): delete_reason = 2
581516: Aug 20 16:59:13.933: ISAKMP:(2147): processing DELETE_WITH_REASON payload, message ID = 801982813, reason: DELETE_BY_USER_COMMAND
581517: Aug 20 16:59:13.933: ISAKMP:(2147):peer does not do paranoid keepalives.
581518: Aug 20 16:59:13.933: ISAKMP:(2147):peer does not do paranoid keepalives.
581519: Aug 20 16:59:13.933: ISAKMP:(2147):deleting SA reason "User command" state (R) QM_IDLE (peer 201.195.231.162)
581520: Aug 20 16:59:13.933: ISAKMP:(2147):deleting node 801982813 error FALSE reason "Informational (in) state 1"
581521: Aug 20 16:59:13.933: ISAKMP: set new node -878597687 to QM_IDLE
581522: Aug 20 16:59:13.937: ISAKMP:(2147): sending packet to 201.195.231.162 my_port 4500 peer_port 37897 (R) QM_IDLE
581523: Aug 20 16:59:13.937: ISAKMP:(2147):Sending an IKE IPv4 Packet.
581524: Aug 20 16:59:13.937: ISAKMP:(2147):purging node -878597687
581525: Aug 20 16:59:13.937: ISAKMP:(2147):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
581526: Aug 20 16:59:13.937: ISAKMP:(2147):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
I opened a case with TAC on this and they do not understand what the cause is. To them, it looks like an undocumented bug. Their recommendation is to reboot, upgrade, or try configuring L2TP for the remote users.
Thank you
JP
JP,
An IOS upgrade is worth it, even if the debugs seem to indicate that there is a problem with the client. If possible, I always suggest testing with another client to see if it is unique to the Cisco VPN Client on Win7. Regarding the 20-tunnel limit, it is very probably the number of IPsec security associations. If you issue "show crypto eli", it displays the number of IPsec sessions that are currently active.
HTH,
Frank
-
IOS router VPN Client (Easy VPN) IPsec with AnyConnect
Hello
I would like to set up my IOS router for the IPsec VPN Client and connect with AnyConnect.
Is it possible to configure both IPsec and SSL VPN client access on an IOS router? I use, for example, an 1841. It would be perfect to give the user the choice of SSL or IPsec, with the user needing only the AnyConnect client.
I think it's possible with a Cisco ASA. But can I also do this with an IOS router?
Please let me know how, if this is possible.
Also, is it true that IOS routers are not affected by the Heartbleed bug? Are the SSL VPN and the AnyConnect SSL VPN page also safe?
http://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/CIS...
But I am in any case interested in using IPsec and SSL VPN on an IOS router...
It's true - CCP does not yet offer the options to configure an IPsec VPN with IKEv2.
The configuration guide (here) offers detailed advice and includes configuration examples.
-
AAA IPsec VPN clients: how to see the connection history on ASDM or an ASA 5510
Hello all, I would like to know how to see the connection history of IPsec VPN client users; they authenticate against the local AAA, not Active Directory. I am able to see the current logon sessions: go to Monitoring\VPN\VPN Statistics\Sessions, which shows me the sessions in progress, but I would like to see, for example, the VPN client connections for the last month. I did some research and saw the info about an AAA server? I checked that article and did not see what I was looking for.
It's actually a Microsoft RADIUS server called Network Policy Server (NPS).
The one I used (ACS 5 and ACS 5) was just an example.
You can review the doc listed below:
http://fixingitpro.com/2009/09/08/using-Windows-Server-2008-as-a-RADIUS-server-for-a-Cisco-ASA/
Jatin
-Rate helpful posts-
-
Hello
I would like to ask a few questions about and raise some concerns with our existing VPN configuration.
1. What is the recommended Cisco VPN client for Windows 7 and 8 users? Is there official Cisco documentation for this? We currently use Cisco VPN Client 5.0.7.
2. We are running IPsec VPN with only one gateway and only local authentication (no ACS) for our client. Recently, they have raised concerns that the VPN connection drops. Whereas if I'm the one connected to the VPN, my connection is stable. Is there anything we must consider in the network? Is there a better configuration or solution that we could recommend to the customer, such as SSL VPN?
3. If we want to use SSL VPN with AnyConnect Secure Mobility and implement redundancy on the firewalls, how will the licensing work?
Thank you!
An AnyConnect-based VPN is the recommended replacement for IPsec remote-access VPN. (source)
AnyConnect can use SSL or IPsec (IKEv2) for transport.
For redundant ASA firewalls (running 8.3(1) or later), any AnyConnect licenses required are shared between them, i.e. you only buy licenses for one member of the HA pair. (source)
-
Cisco router configuration for IPsec VPN with the Windows 7 built-in VPN client
Where can I find an example config for an IPsec VPN where the Windows 7 native client connects to Cisco routers? I use the Cisco 881W in this case.
Thomas McLeod
The Windows native client supports only L2TP over IPsec. The example at the end of this doc may be enough for you:
I've not personally configured L2TP/IPsec on IOS, only on ASA, so I cannot be 100% sure that the config in the link works, but the general idea should be OK.
-
IPsec VPN Client - aggressive mode
Hi all
I just got off the phone with a customer who underwent a security scan by a third-party vendor. One of the vulnerabilities mentioned in the report is this:
I know that only the IPsec VPN client uses aggressive mode to negotiate Phase 1. So my question is how to convince my customer to keep using the IPsec VPN? Is there anything I can do to reduce the risk of using this type of remote access? In addition, would I see the same problem if I used an SSL-based VPN client?
Kind regards
Marty
Hello
An IKEv1 hub in aggressive mode sends its PSK hash in the second packet, along with its public DH value.
It is indeed a weakness of the protocol.
To make use of it, one would need to be on the path to capture this exchange and then brute-force the hash [which is not trivial, but not impossible].
This issue is seriously mitigated by enabling XAUTH [user authentication].
XAUTH happens after the DH exchange, so under encryption.
Assuming a strong password policy is in use, it is then very, very difficult to find the right username/password combination.
IKEv2 is much safer in this respect and is the right way to go.
Cheers,
Olivier
-
Need urgent help configuring Client-to-Site IPsec VPN with hairpinning on a Cisco ASA 5510 - 8.2(1).
Here is the layout:
There are two leased lines for Internet access, routed via 1.1.1.1 and 2.2.2.2, the latter being the default and the former the backup.
I was able to configure the Client-to-Site IPsec VPN
(1) with access from the outside to the internal network (172.16.0.0/24) behind the ASA
(2) with split tunnel, with simultaneous access to the internal LAN and to the Internet on the outside.
But I was not able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made on this subject in many discussion threads but still no luck. Can someone help me here please?
Here is the running-config with the normal Client-to-Site IPsec VPN configured, without hairpinning:
LIMITATION: cannot boot into any other image for unavoidable reasons; must use 8.2(1)
running-config - normal Client-to-Site VPN working without Internet access/split tunnel
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 nameif internet1-outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240
!
interface GigabitEthernet0/1
 nameif internet2-outside
 security-level 0
 ip address 2.2.2.2 255.255.255.224
!
interface GigabitEthernet0/2
 nameif interface-dmz
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif campus-lan
 security-level 0
 ip address 172.16.0.1 255.255.0.0
!
interface Management0/0
 nameif CSC-MGMT
 security-level 100
 ip address 10.0.0.4 255.255.255.0
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network CSC-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list CSC-acl remark scan web and mail traffic
access-list CSC-acl extended permit tcp any any eq smtp
access-list CSC-acl extended permit tcp any any eq pop3
access-list CSC-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list sheep extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu interface-dmz 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface interface-dmz
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
 quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
 vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
 address-pool vpnpool1
 default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
 pre-shared-key *
!
class-map cmap-DNS
 match access-list DNS-inspect
class-map CSC-class
 match access-list CSC-acl
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class CSC-class
  csc ... ! (the fail-open/fail-close keyword is garbled in the original post)
 class cmap-DNS
  inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Adding dynamic NAT for 192.168.150.0/24 on the outside interface works, or works with sysopt connection permit-vpn.
Please tell me what to do here to get all of the Internet traffic from the VPN clients out.
That is, I need clients connected via the VPN tunnel, when they access the Internet, to have their IP addresses NAT'ted to the internet2-outside interface address 2.2.2.2, as happens for the Campus clients (172.16.0.0/16).
I am well aware of everything involved here, so please be elaborate in your answers. Please let me know if you need more information about this configuration to respond to my request.
Thank you & best regards
MAXS
Hello
If possible, I'd like to see what a TCP connection attempt (e.g. to http://www.google.com) from the VPN Client shows in the ASDM logging when you have also set up the dynamic NAT for the VPN pool.
I'd also try the "packet-tracer" command on the ASA while the VPN Client is connected to the ASA.
The command format is
packet-tracer input tcp
That should tell what the ASA does with this kind of packet entering its "input" interface.
I still can't see anything wrong with the configuration (other than the missing dynamic PAT "nat" statement).
-Jouni
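For readers following this thread, the configuration below is an added illustration of the dynamic PAT Jouni refers to; it is not the poster's configuration or a confirmed resolution from the thread. It assumes the posted config is pre-8.3 (nat/global) syntax, as the existing nat and global lines suggest, that the group policy VPN_TG_1 keeps its default tunnel-all behaviour (no split-tunnel list is configured), and that the constructed destination 203.0.113.10 stands in for any Internet host.

```cisco
! VPN client traffic arrives on internet2-outside and must leave through
! that same interface (hairpin); the ASA drops intra-interface flows
! unless this is explicitly permitted.
same-security-traffic permit intra-interface
!
! Dynamic PAT for the VPN pool. For remote-access clients the "inside"
! interface of the flow is the outside interface the tunnel terminates on,
! so the nat statement is keyed to internet2-outside. Global id 1 is the
! same id already mapped to the internet2-outside interface address 2.2.2.2.
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
global (internet2-outside) 1 interface
!
! Verification (assumed test flow, not from the thread): a client in the pool
! opening TCP/80 to a constructed Internet address 203.0.113.10.
! packet-tracer should end with "Action: allow" and show a NAT phase.
packet-tracer input internet2-outside tcp 192.168.150.2 40000 203.0.113.10 80
!
! After a real client connects, the translation should appear here.
show xlate | include 192.168.150
```

The `same-security-traffic permit intra-interface` line is the piece most often missed: without it the packet-tracer output shows the flow dropped before NAT is ever consulted, which looks like a NAT problem but is not one. Campus clients (172.16.0.0/16) do not need it because their traffic enters on campus-lan and exits on a different interface.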
-
Hello
I would like to know if it is possible to make the IPsec VPN connection as a client.
ISP router (VDSL connection)
<---> Cisco 887 <----> PCs, with conditional redirection to a
VPN router (such as strongVPN)
Thank you for your help.
Best regards
Hi Bruno.
Yes, the IOS router can be a VPN client; it is called Easy VPN:
How to configure Easy VPN Cisco IOS (server and client)
* The server must be a Cisco device such as another router or an ASA.
Keep me posted.
Thank you.
Portu.
Please rate all helpful posts.