Remote VPN access - add new internal IP address

Hello

I have an existing Cisco VPN client (remote access) configuration on an ASA 5510.

-------------------------------------

Name of the Group: ISETANLOT10

Group password: xxxx
 
IP pool: lot10ippool, 172.27.17.240 - 172.27.17.245
 
encryption: 3DES
authentication: SHA
------------------------------------
The connection was successful, and I was able to ping the internal server 172.47.1.10.
Now there is a demand for the same remote access VPN to also be able to ping two new servers within the LAN, 172.57.1.10 & 172.57.1.20.
But with the same VPN access, I was unable to ping the two new IPs.
How can I add both IPs so that they can be pinged using the same remote access VPN configuration?
I have attached the existing config below (edited version).
 
===

: Saved
:
ASA Version 8.0(4)
!
hostname asalot10
names
name 172.17.100.22 NAVNew
name 172.27.17.215 NECUser
name 172.47.1.10 NarayaServer description Naraya Server
name 62.80.122.172 NarayaTelco1
name 62.80.122.178 NarayaTelco2
name 172.57.1.10 IPVSSvr description IPVSSvr
name 122.152.181.147 Japan01
name 122.152.181.0 Japan02
name 175.139.156.174 Outside_Int
name 178.248.228.121 NarayaTelco3
name 172.67.1.0 VCGroup
name 172.57.1.20 IPVSSvr2
!
object-group service NECareService
 description NECareService remote
 service-object tcp eq https
 service-object tcp eq ssh
 service-object icmp echo-reply
access-list inside_access_in extended deny ip any Japan02 255.255.255.0
access-list inside_access_in extended permit ip VCGroup 255.255.255.0 any
access-list inside_access_in extended deny tcp object-group PermitInternet any object-group torrent1
access-list inside_access_in extended permit ip object-group PermitInternet any log disable
access-list inside_access_in extended permit ip host NarayaServer any log disable
access-list inside_access_in extended permit ip host IPVSSvr any
access-list inside_access_in extended permit ip host NAVNew any log disable
access-list inside_access_in extended permit ip host 172.17.100.30 any
access-list outside_access_in extended permit object-group NECareService object-group NECare any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host NarayaServer
access-list outsidein extended permit tcp any host Outside_Int eq https
access-list outsidein extended permit object-group rdp any host Outside_Int log debugging
access-list outsidein extended permit tcp object-group DM_INLINE_NETWORK_2 host Outside_Int eq 8080
access-list outsidein extended permit ip object-group DM_INLINE_NETWORK_3 host IPVSSvr
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_mpc extended permit tcp any any eq www
access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248
access-list inside_nat0_outbound extended permit ip host NarayaServer object-group Nry_Png
access-list inside_nat0_outbound extended permit ip host IPVSSvr2 172.27.17.240 255.255.255.248
access-list outside_cryptomap extended permit ip object-group Naraya_Png object-group Nry_Png

global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 NAVNew 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh IPVSSvr2 ssh netmask 255.255.255.255
access-group outsidein in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 175.139.156.173 1
route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
route inside NAVNew 255.255.255.255 172.27.17.100 1
route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
route inside NarayaServer 255.255.255.255 172.27.17.100 1
route inside 172.47.1.11 255.255.255.255 172.27.17.100 1
route inside VCGroup 255.255.255.0 172.27.17.100 1

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 218.x.x.105
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

group-policy ISETANLOT10 internal
group-policy ISETANLOT10 attributes
 dns-server value 172.27.17.100
 vpn-tunnel-protocol IPSec l2tp-ipsec
username nectier3 password dPFBFnrViJi/LGbT encrypted privilege 0
username nectier3 attributes
 vpn-group-policy ISETANLOT10
username necare password BkPn6VQ0VwTy7MY7 encrypted privilege 0
username necare attributes
 vpn-group-policy ISETANLOT10
username naraya password pcGKDau9jtKgFWSc encrypted
username naraya attributes
 vpn-group-policy ISETANLOT10
 service-type nas-prompt
tunnel-group ISETANLOT10 type remote-access
tunnel-group ISETANLOT10 general-attributes
 address-pool lot10ippool
 default-group-policy ISETANLOT10
tunnel-group ISETANLOT10 ipsec-attributes
 pre-shared-key *
tunnel-group 218.x.x.105 type ipsec-l2l
tunnel-group 218.x.x.105 ipsec-attributes
 pre-shared-key *
tunnel-group ivmstunnel type remote-access
tunnel-group ivmstunnel general-attributes
 address-pool lot10ippool
tunnel-group ivmstunnel ipsec-attributes
 pre-shared-key *
!

=====

Remote VPN access must be allowing the connection, but I'm guessing that your ASA does not know how to get to the two new destinations.

You have a name and a static route for the working server 172.47.1.10:

name 172.47.1.10 NarayaServer description Naraya Server

route inside NarayaServer 255.255.255.255 172.27.17.100 1

... but no equivalent for the two new hosts. As a result, all traffic from the ASA destined for them will attempt to use the default route (via the outside interface).

If you add:

route inside 172.57.1.10 255.255.255.255 172.27.17.100

route inside 172.57.1.20 255.255.255.255 172.27.17.100

(assuming this is the correct entry), it should work.
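The diagnosis above (the two new hosts falling through to the default route) can be checked against the posted route table with a small longest-prefix-match simulation. This is an added example, not code from the thread; it resolves the `name` entries to their addresses and assumes the inside interface sits in 172.27.17.0/24 (its next hop is 172.27.17.100).

```python
import ipaddress

# Route table constructed from the posted config ("name" entries resolved to
# their addresses). Added example, not the thread's own code.
ASA_ROUTES = [
    # (egress interface, destination, next hop)
    ("outside", "0.0.0.0/0",        "175.139.156.173"),
    ("inside",  "172.17.100.20/32", "172.27.17.100"),
    ("inside",  "172.17.100.22/32", "172.27.17.100"),  # NAVNew
    ("inside",  "172.17.100.30/32", "172.27.17.100"),
    ("inside",  "172.47.1.10/32",   "172.27.17.100"),  # NarayaServer
    ("inside",  "172.47.1.11/32",   "172.27.17.100"),
    ("inside",  "172.67.1.0/24",    "172.27.17.100"),  # VCGroup
]

# Assumption: the inside interface sits in 172.27.17.0/24 (its next hop is
# 172.27.17.100), so that subnet is directly connected.
CONNECTED = [("inside", "172.27.17.0/24", None)]

INSIDE_NEXT_HOP = "172.27.17.100"


def build_table(static_routes, connected=CONNECTED):
    """Parse the textual routes into (interface, IPv4Network, next hop)."""
    return [(iface, ipaddress.ip_network(net), nh)
            for iface, net, nh in list(connected) + list(static_routes)]


def lookup(table, dst):
    """Longest-prefix match: the most specific route wins, the default last."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net, nh in table:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nh)
    return best


def egress_interface(table, dst):
    match = lookup(table, dst)
    return match[0] if match else None


def misrouted_inside_hosts(table, hosts):
    """Inside hosts whose traffic would leave via a non-inside interface."""
    return [h for h in hosts if egress_interface(table, h) != "inside"]


def add_host_routes(static_routes, hosts, next_hop=INSIDE_NEXT_HOP):
    """Equivalent of 'route inside <host> 255.255.255.255 <next_hop>'."""
    return list(static_routes) + [("inside", f"{h}/32", next_hop) for h in hosts]


if __name__ == "__main__":
    new_hosts = ["172.57.1.10", "172.57.1.20"]
    before = build_table(ASA_ROUTES)
    print("172.47.1.10 leaves via:", egress_interface(before, "172.47.1.10"))
    print("hit default route     :", misrouted_inside_hosts(before, new_hosts))
    after = build_table(add_host_routes(ASA_ROUTES, new_hosts))
    print("after adding routes   :", misrouted_inside_hosts(after, new_hosts))
```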

Tags: Cisco Security

Similar Questions

  • Can an ASA5505 transfer remote access VPN clients to the local network?

    I currently have an ASA 5505 and a 2911 router and I am trying to configure the VPN topology.

    Can the ASA5505 transmit remote access VPN clients into a LAN operated by another router?

    Are these two cases possible?

    (1) The ASA 5505 and the 2911 router have separate WAN interfaces, each connected directly to the ISP. Can I then connect another LAN interface of the ASA 5505 to a switch managed by the 2911 router, so that remote SSL VPN clients are injected into the local network managed by the router?
    (2) The ASA 5505 is behind the 2911 router. Can the 2911 router's public IP address be used so that VPN access attempts are sent directly to the ASA 5505 when only a single public IP address is available?
    Long story short, can the ASA 5505 inject its remote access VPN clients as hosts on the local network managed by the 2911 router?
    Thank you.

    I could help you more if you explain the purpose of this configuration and the connectivity between the router and the ASA.

    You can enable reverse route injection on the dynamic crypto map on the ASA. The ASA will then install a static route to the client in its routing table. You can use a routing protocol to redistribute static routes to your switch on the LAN side of the ASA.

  • WebVPN and remote VPN access

    Hello

    Is there a difference between WebVPN and remote access VPN, or are they the same?

    Thank you.

    Remote access VPN consists of:

    - IPSec remote access VPN. It is part of the ASA, no license required; it requires the Cisco IPSec VPN client to be pre-installed on the PC.

    - SSL remote access VPN with AnyConnect. It requires an SSL VPN license on the ASA. The AnyConnect client can be installed automatically on the PC via web launch.

    - SSL remote access VPN with AnyConnect Essentials. Starting with ASA 8.2(1), almost a $0 license. It is the same AnyConnect client as in the previous item, but it cannot be installed automatically via web launch. It must be pre-installed, like the Cisco IPSec VPN client.

    - WebVPN, aka clientless VPN. It is an HTTPS portal that gives access to HTTP, file sharing, telnet, RDP and much more (with smart tunnels) without having to install a real client on the PC. It requires an SSL VPN license on the ASA. It cannot be used if the "AnyConnect Essentials" license is activated on the ASA after 8.2(1).

    Kind regards

    Roman

  • Is this possible with remote VPN access?

    Hello

    I access my corporate network through the Cisco VPN client (software), which goes through the IPsec remote access VPN configuration on an ASA 5510. Everything works fine.

    But now the users who connect to the corporate network also need access to remote site networks connected by site-to-site VPN tunnels: IPSec tunnels between the mentioned ASA5510 and remote ASA5510s and ASA5505s in the branches.

    Is this possible?

    If so, what should I consider to make it work?

    My setup looks like this:

    Corporate network: 10.1.1.0/24

    Remote VPN clients receive IP addresses from: 10.0.5.0/28

    Remote site 1 network: 10.1.10.0/24

    Remote site 2 network: 10.1.20.0/24

    Remote site 3 network: 10.1.30.0/24

    There is a NAT exemption rule which exempts the networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24.

    All hosts on the local network 10.1.1.0/24 have full IP connectivity with all branch networks. The PROBLEM is that the remote VPN clients can reach only the local network 10.1.1.0/24, but not the remote networks.

    The ASAs in the remote sites have NAT exemptions for both the local network 10.1.1.0/24 and the remote access client network 10.0.5.0/28, but as I said, it doesn't work. Help, please!

    Thanks in advance!

    Zoran

    Yes, you can...

    Let's take 1 remote site as an example: branch 1 network (10.1.10.0/24):

    Corporate ASA:

    - If you have split tunneling configured for the VPN client, you must also add the remote site network (10.1.10.0/24) to the split tunnel list.

    - The crypto ACL between the corporate ASA and the remote site 1 ASA must have the following added:

    access-list <crypto_acl> extended permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0

    - 'same-security-traffic permit intra-interface' must be configured.

    On the remote branch 1 ASA:

    - The crypto ACL between the remote branch 1 ASA and the corporate ASA must have the following added:

    access-list <crypto_acl> extended permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240

    - NAT exemption rule to exempt the traffic:

    access-list <nat0_acl> extended permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240

    Clear the tunnels at both ends and test the connectivity.

    I hope this helps.

  • Cisco ASA 5505 remote VPN access to the local network

    I have installed two ASA 5505s with a site-to-site VPN that works perfectly. Now I also need to have 1 site with remote access VPN using the Cisco VPN dialer. I can get the VPN dialer to connect the VPN and get a VPN IP address, but I do not have access to the remote network. Can someone take a look and see what I'm missing? I have attached the ASA running config.

    Apologies for the misunderstanding.

    For the remote vpn client to access the 10.10.100.x subnet, the vpn-filter ACL is the other way round.

    Please change the following ACL:

    FROM:

    access-list outside_cryptomapVPN extended permit ip any 10.10.20.0 255.255.255.224

    TO:

    access-list outside_cryptomapVPN extended permit ip 10.10.20.0 255.255.255.224 any

    Hope that helps.

  • IPsec over UDP - remote VPN access

    Hello everyone

    On the user's VPN client PC, the IPSEC over UDP option is checked under Transport.

    When I check the IKE phase 1 details in ASDM for the user's login, it shows only UDP port 500, not port 4500.

    Does this mean that there is no device doing NAT between the user's PC and the ASA?

    What happens if we check the same IPSEC over UDP option in the VPN client and now see UDP port 4500 under the IKE phase 1 connection details?

    Does this mean that there is now a NAT device between the ASA and the VPN client PC, and that it allows the IKE phase 1 connection?

    Regards

    Mahesh

    Hello Manu,

    I suggest using the following commands on your ASA to have a look at these ports while testing VPN connections. The command you use depends on your software level, as there are minor changes in the command format.

    show vpn-sessiondb remote detail

    show vpn-sessiondb remote detail filter p-ipaddress <public-ip>

    Or

    show vpn-sessiondb detail ra-ikev1-ipsec

    show vpn-sessiondb detail ra-ikev1-ipsec filter p-ipaddress <public-ip>

    These will provide information on the type of VPN Client connection.

    Here are a few outputs from different situations when connecting with the VPN Client.

    Dynamic PAT - no Transparent Tunneling on the VPN Client

    • Connections through the VPN do not work when the client connects via PAT without Transparent Tunneling

    Username     :                        Index        : 22
    Assigned IP  : 10.0.1.2               Public IP    :
    Protocol     : IKEv1 IPsec

    IKEv1:
      Tunnel ID    : 22.1
      UDP Src Port : 18451                  UDP Dst Port : 500
      IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
      Encryption   : AES256                 Hashing      : SHA1
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds
      D/H Group    : 2
      Filter Name  :
      Client OS    : Windows NT             Client OS Ver: 5.0.07.0290

    IPsec:
      Tunnel ID    : 22.2
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 10.0.1.2/255.255.255.255/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds
      Idle Time Out: 30 Minutes             Idle TO Left : 25 Minutes
      Bytes Tx     : 0                      Bytes Rx     : 0
      Pkts Tx      : 0                      Pkts Rx      : 0

    Dynamic PAT - Transparent Tunneling (NAT/PAT) on the VPN Client

    • Connections through the VPN work when we use Transparent Tunneling while forming the VPN Client connection through dynamic PAT

    Username     :                        Index        : 28
    Assigned IP  : 10.0.1.2               Public IP    :
    Protocol     : IKEv1 IPsecOverNatT

    IKEv1:
      Tunnel ID    : 28.1
      UDP Src Port : 52825                  UDP Dst Port : 4500
      IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
      Encryption   : AES256                 Hashing      : SHA1
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds
      D/H Group    : 2
      Filter Name  :
      Client OS    : Windows NT             Client OS Ver: 5.0.07.0290

    IPsecOverNatT:
      Tunnel ID    : 28.2
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 10.0.1.2/255.255.255.255/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds
      Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
      Bytes Tx     : 360                    Bytes Rx     : 360
      Pkts Tx      : 6                      Pkts Rx      : 6

    Dynamic PAT - Transparent Tunneling (IPsec over TCP) on the VPN Client

    • Connections through the VPN work when we use Transparent Tunneling while forming the VPN Client connection through dynamic PAT

    Username     :                        Index        : 24
    Assigned IP  : 10.0.1.2               Public IP    :
    Protocol     : IKEv1 IPsecOverTCP

    IKEv1:
      Tunnel ID    : 24.1
      UDP Src Port : 20343                  UDP Dst Port : 500
      IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
      Encryption   : AES256                 Hashing      : SHA1
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds
      D/H Group    : 2
      Filter Name  :
      Client OS    : Windows NT             Client OS Ver: 5.0.07.0290

    IPsecOverTCP:
      Tunnel ID    : 24.2
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 10.0.1.2/255.255.255.255/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel                 TCP Src Port : 20343
      TCP Dst Port : 10000
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds
      Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
      Bytes Tx     : 180                    Bytes Rx     : 180
      Pkts Tx      : 3                      Pkts Rx      : 3

    Static NAT - no Transparent Tunneling on the VPN Client

    • VPN Client connections to the LAN work because our VPN Client has a static NAT configured for its local IP address. This allows ESP through the device doing the static NAT without encapsulation. You must allow the ESP traffic through the NAT device to the VPN device, or configure VPN connection inspection if there is an ASA acting as the NAT device.

    Username     :                        Index        : 25
    Assigned IP  : 10.0.1.2               Public IP    :
    Protocol     : IKEv1 IPsec

    IKEv1:
      Tunnel ID    : 25.1
      UDP Src Port : 50136                  UDP Dst Port : 500
      IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
      Encryption   : AES256                 Hashing      : SHA1
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds
      D/H Group    : 2
      Filter Name  :
      Client OS    : Windows NT             Client OS Ver: 5.0.07.0290

    IPsec:
      Tunnel ID    : 25.2
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 10.0.1.2/255.255.255.255/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds
      Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
      Bytes Tx     : 120                    Bytes Rx     : 120
      Pkts Tx      : 2                      Pkts Rx      : 2

    Static NAT - Transparent Tunneling (NAT/PAT) on the VPN Client

    • VPN Client connections work normally. Even though a statically NATed host using the VPN Client does not need UDP encapsulation, it is still used if your VPN Client connection profile is configured to use it (Transport tab in the client software)

    Username     :                        Index        : 26
    Assigned IP  : 10.0.1.2               Public IP    :
    Protocol     : IKEv1 IPsecOverNatT

    IKEv1:
      Tunnel ID    : 26.1
      UDP Src Port : 60159                  UDP Dst Port : 4500
      IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
      Encryption   : AES256                 Hashing      : SHA1
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds
      D/H Group    : 2
      Filter Name  :
      Client OS    : Windows NT             Client OS Ver: 5.0.07.0290

    IPsecOverNatT:
      Tunnel ID    : 26.2
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 10.0.1.2/255.255.255.255/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds
      Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
      Bytes Tx     : 1200                   Bytes Rx     : 1200
      Pkts Tx      : 20                     Pkts Rx      : 20

    Static NAT - Transparent Tunneling (IPsec over TCP) on the VPN Client

    • VPN Client connections work normally. Even though a statically NATed host using the VPN Client does not need TCP encapsulation, it is still used if your VPN Client connection profile is configured to use it (Transport tab in the client software)

    Username     :                        Index        : 27
    Assigned IP  : 10.0.1.2               Public IP    :
    Protocol     : IKEv1 IPsecOverTCP

    IKEv1:
      Tunnel ID    : 27.1
      UDP Src Port : 61575                  UDP Dst Port : 500
      IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
      Encryption   : AES256                 Hashing      : SHA1
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds
      D/H Group    : 2
      Filter Name  :
      Client OS    : Windows NT             Client OS Ver: 5.0.07.0290

    IPsecOverTCP:
      Tunnel ID    : 27.2
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 10.0.1.2/255.255.255.255/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel                 TCP Src Port : 61575
      TCP Dst Port : 10000
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds
      Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
      Bytes Tx     : 120                    Bytes Rx     : 120
      Pkts Tx      : 2                      Pkts Rx      : 2

    VPN device with a public IP address directly connected (as a VPN client) to an ASA

    Username     :                        Index        : 491
    Assigned IP  : 172.31.1.239           Public IP    :
    Protocol     : IKE IPsec

    IKE:
      Tunnel ID    : 491.1
      UDP Src Port : 500                    UDP Dst Port : 500
      IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
      Encryption   : 3DES                   Hashing      : SHA1
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 71016 Seconds
      D/H Group    : 2
      Filter Name  :

    IPsec:
      Tunnel ID    : 491.2
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 172.31.1.239/255.255.255.255/0/0
      Encryption   : AES128                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 12123 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607460 K-Bytes
      Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
      Bytes Tx     : 3767854                Bytes Rx     : 7788633
      Pkts Tx      : 56355                  Pkts Rx      : 102824

    The above are some examples for your reference. I must also say that I am absolutely not an expert when it comes to VPNs in general. I basically had to learn firewalls/VPN on my own, as during my studies we had no classes related to them (which was quite strange).

    While I learned how to set up VPNs and troubleshoot them, I think I missed out on the basic theory. I had plans to get the CCNA/CCNP Associate certifications, but at the moment anything is possible. I don't have the time for it.

    I guess that you are already going for the CCNP Security VPN exam?

    Hope this helps, and I hope that I didn't get anything wrong above.

    -Jouni
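    As an added example (not code from the thread), a small parser for output in the layout shown above that reports, per session, which encapsulation the client negotiated and therefore which ports the NAT/firewall path between the client and the ASA must pass. The sample text is constructed for the example; its user names and public addresses are made up.

```python
import re

# Constructed sample in the layout of `show vpn-sessiondb remote detail`;
# values echo the NAT-T, IPsec-over-TCP and plain-ESP cases above but are made up.
SAMPLE_OUTPUT = """\
Username     : alice                  Index        : 28
Assigned IP  : 10.0.1.2               Public IP    : 203.0.113.7
Protocol     : IKEv1 IPsecOverNatT

IKEv1:
  Tunnel ID    : 28.1
  UDP Src Port : 52825                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds

IPsecOverNatT:
  Tunnel ID    : 28.2
  Encapsulation: Tunnel
  Bytes Tx     : 360                    Bytes Rx     : 360

Username     : bob                    Index        : 24
Assigned IP  : 10.0.1.3               Public IP    : 198.51.100.9
Protocol     : IKEv1 IPsecOverTCP

IKEv1:
  Tunnel ID    : 24.1
  UDP Src Port : 20343                  UDP Dst Port : 500

IPsecOverTCP:
  Tunnel ID    : 24.2
  Encapsulation: Tunnel                 TCP Src Port : 20343
  TCP Dst Port : 10000

Username     : carol                  Index        : 25
Assigned IP  : 10.0.1.4               Public IP    : 192.0.2.44
Protocol     : IKEv1 IPsec

IKEv1:
  Tunnel ID    : 25.1
  UDP Src Port : 50136                  UDP Dst Port : 500

IPsec:
  Tunnel ID    : 25.2
  Encapsulation: Tunnel
"""

# "Label : value" pairs, two per line at most. A label is words separated by
# single spaces; a value runs until two or more spaces or end of line, so a
# blank value (e.g. an empty Public IP) does not swallow the next label.
FIELD = re.compile(
    r"([A-Za-z][A-Za-z/()]*(?: [A-Za-z/()]+)*)\s*:\s?([^:]*?)(?=\s{2,}|\s*$)")


def split_sessions(text):
    """Each session in the output starts with an unindented 'Username' line."""
    sessions, current = [], []
    for line in text.splitlines():
        if line.startswith("Username") and current:
            sessions.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        sessions.append("\n".join(current))
    return sessions


def parse_session(block):
    """Flatten one session into {label: value}; later duplicates overwrite."""
    fields = {}
    for line in block.splitlines():
        for label, value in FIELD.findall(line):
            fields[label.strip()] = value.strip()
    return fields


def transport(fields):
    """Return (encapsulation name, what the path client->ASA must let through)."""
    proto = fields.get("Protocol", "")
    ike = "UDP/" + fields.get("UDP Dst Port", "500")
    if "IPsecOverTCP" in proto:
        return "ipsec-over-tcp", [ike, "TCP/" + fields.get("TCP Dst Port", "10000")]
    if "IPsecOverNatT" in proto:
        # UDP 4500 means NAT-T was negotiated: NAT was detected on the path,
        # or the client profile forces Transparent Tunneling (see the static NAT cases).
        return "nat-t", ["UDP/500", "UDP/4500"]
    # Plain ESP needs IP protocol 50 forwarded end to end, which PAT devices cannot do.
    return "native-esp", [ike, "ESP (IP protocol 50)"]


def summarize(text):
    out = []
    for block in split_sessions(text):
        f = parse_session(block)
        name, needs = transport(f)
        out.append({"user": f.get("Username", ""), "index": f.get("Index", ""),
                    "assigned": f.get("Assigned IP", ""), "public": f.get("Public IP", ""),
                    "transport": name, "path_must_allow": needs})
    return out


if __name__ == "__main__":
    for session in summarize(SAMPLE_OUTPUT):
        print(session)
```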

  • Remote VPN on ASA5510 - static IP address from the ASA

    Hi all

    I have configured a remote VPN on a Cisco ASA 5520 and everything seems to work very well... DHCP IPs have been leased to users who connect to the VPN. But the question now is that our customers want a static IP address to be given to a particular user when he connects via VPN.

    Is this possible?

    Hello

    You can configure a static IP address in the "username" configuration of the user on the ASA. Of course, I mean that you need to do LOCAL authentication on the ASA itself for VPN users to use this command.

    For example

    username testuser password testpassword privilege 0

    username testuser attributes

     vpn-framed-ip-address 10.10.10.2 255.255.255.0

    This should make the user always get the same IP address.

    Hope this helps

    -Jouni

  • Remote VPN access without end

    Hi all. I have a 5510 I use for ipsec l2l tunneling as well as remote access. I've been looking at this thing so long that I'm going goofy.

    My l2l tunnel is up and happy. Hosts can talk to each other.

    My RA is happy in that I can connect with a vpn client. Unfortunately, I can't access anything other than the ASA itself when I am connected. I can't ping the inside host.

    I need to be able to access the host 10.0.5.10/26 on the inside interface, which is 10.0.5.1/26. I have attached the config.

    Can anyone see some glaring problems? I think it's likely an ACL problem; I'm kinda new to this kind of thing and I don't know if I'm doing things right.

    One thing I noticed is that when I check my ipconfig after connecting to the vpn, I get this...

    IP address: 10.0.5.20

    Subnet mask: 255.255.255.192

    Default gateway: 10.0.5.20

    This seems like a strange gateway...

    Thank you!

    Add...

    isakmp nat-traversal

    In addition, change your vpn client pool to another subnet. It should not be on the same subnet as your inside.

    ip local pool gsa 10.0.6.0-10.0.6.254 mask 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 10.0.5.0 255.255.255.192 10.0.6.0 255.255.255.0

    Please rate helpful posts.

  • INTERNET VIA REMOTE VPN ACCESS

    We have a customer who wants to route all internet traffic from their remote sites through the internet connection at Headquarters. In other words, when users connect to corporate headquarters using the Cisco VPN client on their PC, we need to route all their internet traffic through the headquarters firewall. Head office is running an ASA that holds all the VPN configuration. We have a number of VPNs set up for this customer but would welcome suggestions as to the best way to configure this particular step.

    Thank you very much.

    Hello

    This looks like U-turn or hairpinning for VPN clients, so they can access the Internet through the tunnel.

    In case it is an ASA 8.2 or earlier:

    same-security-traffic permit intra-interface

    nat (outside) 1 192.168.1.0 255.255.255.0 ---> range of IP addresses assigned to VPN clients.

    global (outside) 1 interface

    In case it is an ASA 8.3 or later:

    same-security-traffic permit intra-interface

    object network vpn-pool

     subnet 192.168.1.0 255.255.255.0

     nat (outside,outside) dynamic interface

    !

    In the VPN configuration:

    group-policy mypolicy attributes

     split-tunnel-policy tunnelall

    !
    tunnel-group mytunnel general-attributes

     default-group-policy mypolicy

    !

    Benefits:

    1- Internet access is controlled by the ASA.

    Disadvantages:

    1- The ASA's Internet connection is severely affected, as it will be used by the VPN clients to access the Internet.

    Alternative solution:

    Send all traffic to an internal Layer 3 device or a server that has an external Internet connection, so the ASA forwards all traffic to this device; if this device is able to perform advanced web filtering, like the Microsoft IIS unit, then you would have a powerful way to control your users and what they access, thus preventing undesirable sites such as adult and animation sites.

    To do this, all you need is:

    route inside 0 0 192.168.10.1 tunneled ---> where 192.168.10.1 corresponds to the internal device responsible for providing Internet.

    * Remember that this device must have an external connection for Internet access, not through the ASA.

    Let me know.

    Portu.

    Please rate any post that was useful.

    Post edited by: Javier Portuguez

  • Cannot reach any host via remote VPN access

    Hello guys,

    I have an ASA 5505 with two tunnels, a Site to Site (between two ASA 5505s), and also a remote access VPN that I added using the Cisco VPN client. The thing I discovered is that through the Site to Site connection I can reach the hosts on the LAN, but using the VPN Client I can only reach the inside interface of the ASA, not the hosts.

    Something is perhaps missing from my ACL, but I was not able to determine what it is. Can you give me a hand on this?

    My config file is attached; the LAN behind the ASA consists of a couple of VLANs in the 192.168.0.0/24 segment, and the VPN Client receives an IP in the 10.10.10.X segment.

    Thanks in advance,

    Hi David,

    You are missing a NAT exemption statement.

    You need to add this:

    access-list sheep extended permit ip any 10.10.10.0 255.255.255.0

  • Cannot TFTP over remote VPN access

    I am accessing a remote site with a VPN client. I am trying to download the router's config to this laptop remotely, with a tftp server running on it.

    This does not work, and I think it is because the router is sourcing from the external interface. Is this correct? If so, how do I fix it?

    Thanks for the help.

    Antony

    To fix this problem, configure the router with ip tftp source-interface

    This will get the router to use the address of the specified interface as the source for TFTP.

    HTH

    Rick

  • Remote VPN access

    I'm trying to migrate some remote access VPN for some directors of the company from a router to an ASA 5500. The profile I'm using is vpnclient. When I add the access lists to reach the inside networks (10.200 and 10.25), what appears in the route print command is only the 10.200 network. I can ping a server or a client, but cannot ping any network device. I can't ping any device in the 10.25 subnet. Any help with this would be greatly appreciated. Here is the config.

    Hi Mitch,

    Ensure that subnet 10.25.x.x passes through nat (inside) 0, for example access-list 102

    HTH

    Mike

  • Configuration of the default PORT for ASA AnyConnect remote VPN access.

    Hello!!! Now I need to configure AnyConnect remote access VPN, and I have a question.

    The default AnyConnect port is 443, but that port is occupied on the ASA. We use this port for another application.

    How do I change the port used to connect? Is this possible? Thank you!!!

    Hi, please add the following configuration:

    1. Enable the WebVPN feature on the ASA:

      ASA(config)#webvpn
    2. Enable WebVPN services on the outside interface of the ASA:
      ASA(config-webvpn)#enable outside
    3. Allow the ASA to listen for WebVPN traffic on the custom port number:
      ASA(config-webvpn)#port <1-65535>

  • IPSec VPN (remote VPN access) - dynamic NAT

    Hello dear group

    I have an ASA 5510 configured for remote access VPN; the ASA authenticates remote clients with a Radius server (accounting software) and they are assigned an IP address from the VPN pool (172.16.20.0/24). The whole process, including authentication with the radius server, is successful, but there is no Internet browsing on the client side. I've set up a dynamic NAT rule on the outside interface of the ASA, which I wrote as follows:

    Interface: outside

    Source: VPN-users object (address pool 172.16.20.0/24)

    Translation: the outside interface.

    The NAT rule above does not work. (I think that the traffic from the VPN POOL addresses is not being translated via the outside interface)

    Note: these VPN users access the INTERNET only. (Because of this, the pool address range is different from the inside network interface)

    I'd appreciate it if you could help me with how to NAT this.

    Thank you

    Best regards

    Hello

    I would really need to see your current NAT configuration in CLI format to determine the problem.

    Naturally, the problem could be as simple as the following command missing on the ASA

    same-security-traffic permit intra-interface

    This command is required on the ASA for traffic to enter through an interface and leave through the same interface. In your case this interface would be "outside": the VPN client traffic arrives at the ASA via this interface and leaves through the same interface to the Internet.

    -Jouni

  • Remote VPN access: authenticate the client by (real IP)?

    Hi all

    I need to authenticate the remote access VPN user, in addition to the username & password I will give him, by the real IP that he will use to connect to the ASA. Is this possible?

    Thanks in advance...

    Hello

    Unfortunately, this is not possible, because the request will relay just the username and password for authentication and not the real IP address.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the useful posts.
