Remote VPN on ASA5510 - get static IP address of ASA

Hi all

Please, I have configured a remote VPN on a Cisco ASA 5520 and everything seems to work very well... DHCP IPs have been leased to users who connect to the VPN. But the question now is that our customers want a static IP address to give to a particular user when they connect via VPN.

Is this possible?

Hello

You can configure a static IP address in the "username" configuration of users on the ASA. Of course, I have to say that you need to use LOCAL authentication on the ASA itself for VPN users in order to use this command.

For example

username testuser password testpassword privilege 0

username testuser attributes

 vpn-framed-ip-address 10.10.10.2 255.255.255.0

This should always give the user the same IP address.

Hope this helps

-Jouni
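One way to check the result of this approach on a saved running-config, as an added example that is not part of the original thread: the script below parses the `username ... attributes` blocks and `ip local pool` lines of an ASA config and reports framed addresses that are duplicated between users or that also fall inside an address pool (where the pool could lease the same address to another client). The config text, user names and pool name are constructed for the example.

```python
"""Audit vpn-framed-ip-address assignments in an ASA running-config.

Added example (not from the original thread). The sample config below is
constructed for this example; user names, passwords and the pool are invented.
"""
import ipaddress
import re

# Constructed sample: three users with framed addresses; 'bob' reuses the
# address of 'testuser' and 'alice' sits inside the pool handed to the group.
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.10.10.100-10.10.10.150 mask 255.255.255.0
username testuser password testpassword privilege 0
username testuser attributes
 vpn-framed-ip-address 10.10.10.2 255.255.255.0
username alice password secret privilege 0
username alice attributes
 vpn-framed-ip-address 10.10.10.120 255.255.255.0
username bob password secret privilege 0
username bob attributes
 vpn-framed-ip-address 10.10.10.2 255.255.255.0
tunnel-group RA-GROUP general-attributes
 address-pool vpnpool
"""

_POOL_RE = re.compile(
    r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
_USER_ATTR_RE = re.compile(r"^username (\S+) attributes$")
_FRAMED_RE = re.compile(
    r"^\s+vpn-framed-ip-address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = _POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def parse_framed_addresses(config):
    """Return {username: (address, mask)} for users carrying a framed address.

    The attribute line only has meaning inside a 'username X attributes'
    block, so the parser tracks which block it is currently in.
    """
    framed = {}
    current = None
    for line in config.splitlines():
        m = _USER_ATTR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None          # any top-level command ends the block
            continue
        m = _FRAMED_RE.match(line)
        if m and current:
            framed[current] = (ipaddress.IPv4Address(m.group(1)), m.group(2))
    return framed


def audit(config):
    """Return a list of (kind, detail) findings, users in sorted order."""
    pools = parse_pools(config)
    framed = parse_framed_addresses(config)
    findings = []
    seen = {}
    for user, (addr, _mask) in sorted(framed.items()):
        if addr in seen:
            findings.append(("duplicate",
                             f"{user} and {seen[addr]} both use {addr}"))
        else:
            seen[addr] = user
        for name, (first, last) in pools.items():
            if first <= addr <= last:
                findings.append(("in-pool",
                                 f"{user} address {addr} lies inside pool {name}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind:10} {detail}")
```

Run it against the output of `show running-config` saved to a file instead of `SAMPLE_CONFIG` to audit a real box.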

Tags: Cisco Security

Similar Questions

  • Remote VPN access - add new internal IP address

    Hello

    I have an existing configuration of Cisco VPN client in ASA 5510 for remote access.

    -------------------------------------

    Name of the Group: ISETANLOT10

    Group password: xxxx
     
    IP pool: lot10ippool, 172.27.17.240 - 172.27.17.245
     
    encryption: 3DES
    authentication: SHA
    ------------------------------------
    The connection was successful, and I was able to ping the internal server 172.47.1.10.
    Now there is a demand for the remote access VPN to also be able to ping and access two new servers within the LAN, 172.57.1.10 & 172.57.1.20.
    But with the same VPN access, I was unable to ping the two new IPs.
    How can I add both IPs so they can be pinged using the same remote access VPN configuration?
    I have attached the existing config below (edited version)
     
    ===

    : Saved
    :
    ASA Version 8.0(4)
    !
    hostname asalot10
    names
    name 172.17.100.22 NAVNew
    name 172.27.17.215 NECUser
    name 172.47.1.10 NarayaServer description Naraya Server
    name 62.80.122.172 NarayaTelco1
    name 62.80.122.178 NarayaTelco2
    name 172.57.1.10 IPVSSvr description IPVSSvr
    name 122.152.181.147 Japan01
    name 122.152.181.0 Japan02
    name 175.139.156.174 Outside_Int
    name 178.248.228.121 NarayaTelco3
    name 172.67.1.0 VCGroup
    name 172.57.1.20 IPVSSvr2
    !
    object-group service NECareService
     description NECareService remote
     service-object tcp eq https
     service-object tcp eq ssh
     service-object icmp echo-reply
    access-list inside_access_in extended deny ip any Japan02 255.255.255.0
    access-list inside_access_in extended permit ip VCGroup 255.255.255.0 any
    access-list inside_access_in extended deny tcp object-group PermitInternet any object-group torrent1
    access-list inside_access_in extended permit ip object-group PermitInternet any log disable
    access-list inside_access_in extended permit ip host NarayaServer any log disable
    access-list inside_access_in extended permit ip host IPVSSvr any
    access-list inside_access_in extended permit ip host NAVNew any log disable
    access-list inside_access_in extended permit ip host 172.17.100.30 any
    access-list outside_access_in extended permit object-group NECareService object-group NECare any
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host NarayaServer
    access-list outsidein extended permit tcp any host Outside_Int eq https
    access-list outsidein extended permit object-group rdp any host Outside_Int log debugging
    access-list outsidein extended permit tcp object-group DM_INLINE_NETWORK_2 host Outside_Int eq 8080
    access-list outsidein extended permit ip object-group DM_INLINE_NETWORK_3 host IPVSSvr
    access-list inside_mpc extended permit object-group TCPUDP any any eq www
    access-list inside_mpc extended permit tcp any any eq www
    access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248
    access-list inside_nat0_outbound extended permit ip host NarayaServer object-group Nry_Png
    access-list inside_nat0_outbound extended permit ip host IPVSSvr2 172.27.17.240 255.255.255.248
    access-list outside_cryptomap extended permit ip object-group Naraya_Png object-group Nry_Png

    global (outside) 10 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 NAVNew 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface ssh IPVSSvr2 ssh netmask 255.255.255.255
    access-group outsidein in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 175.139.156.173 1
    route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
    route inside NAVNew 255.255.255.255 172.27.17.100 1
    route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
    route inside NarayaServer 255.255.255.255 172.27.17.100 1
    route inside 172.47.1.11 255.255.255.255 172.27.17.100 1
    route inside VCGroup 255.255.255.0 172.27.17.100 1

    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 218.x.x.105
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    group-policy ISETANLOT10 internal
    group-policy ISETANLOT10 attributes
     dns-server value 172.27.17.100
     vpn-tunnel-protocol IPSec l2tp-ipsec
    username nectier3 password dPFBFnrViJi/LGbT encrypted privilege 0
    username nectier3 attributes
     vpn-group-policy ISETANLOT10
    username necare password BkPn6VQ0VwTy7MY7 encrypted privilege 0
    username necare attributes
     vpn-group-policy ISETANLOT10
    username naraya password pcGKDau9jtKgFWSc encrypted
    username naraya attributes
     vpn-group-policy ISETANLOT10
     service-type nas-prompt
    tunnel-group ISETANLOT10 type remote-access
    tunnel-group ISETANLOT10 general-attributes
     address-pool lot10ippool
     default-group-policy ISETANLOT10
    tunnel-group ISETANLOT10 ipsec-attributes
     pre-shared-key *
    tunnel-group 218.x.x.105 type ipsec-l2l
    tunnel-group 218.x.x.105 ipsec-attributes
     pre-shared-key *
    tunnel-group ivmstunnel type remote-access
    tunnel-group ivmstunnel general-attributes
     address-pool lot10ippool
    tunnel-group ivmstunnel ipsec-attributes
     pre-shared-key *
    !

    =====

    The remote access VPN should allow the connection, but I'm guessing that your ASA does not know how to get to the two new destinations.

    You have a name and a static route for the working 172.47.1.10 server:

    name 172.47.1.10 NarayaServer description Naraya Server

    route inside NarayaServer 255.255.255.255 172.27.17.100 1

    .. but no equivalent for the two new hosts. As a result, all ASA traffic destined for them will attempt to use the default route (via the outside interface).

    If you add:

    route inside 172.57.1.10 255.255.255.255 172.27.17.100

    route inside 172.57.1.20 255.255.255.255 172.27.17.100

    (assuming that is the correct entry), it should work.

  • Can VPN site-to-site with just 1 static IP address in PIX?

    Hi all

    Can I use pix for VPN with just 1 static IP address as follows:

    LAN-A---PIX1---INTERNET---PIX2---LAN-B

    Only PIX1 has a static IP; PIX2 uses DHCP from the ISP. I have configured this type of VPN with another brand of equipment. But with PIX, I have only configured VPNs where both ends have a static IP, and I can't find any information on the web site, because when configuring a site-to-site VPN I have to use the 'set peer' command.

    Can someone tell me how can I do with PIX? Thank you!

    Best regards

    Teru Lei

    You just need to set up a dynamic crypto map on PIX1 and a standard crypto map with a 'set peer' on PIX2. Here is an example configuration:

    http://www.Cisco.com/warp/public/110/dynamicpix.html

    Note that it also has VPN client connections on PIX1 (Lion), so ignore all the "vpngroup" commands that you see in its configuration, because they are not necessary for your scenario.

  • Tunnel VPN remote Internet and VPN remote VPN from Site to Site traffic?

    Hello

    We are trying to tunnel the traffic of our remote VPN users through our ASA 5510, and also to allow remote VPN user traffic only to the far end of all our site-to-site VPNs connected to the same ASA. Basically, we want whoever VPNs into the network to be able to access all of our business networks. We are trying to get away with this without using split tunneling.

    I can currently get internal traffic from the remote VPN user to reach all the other site-to-site VPN tunnels without tunneling the internet. The problem is when I add the following NAT statement:

    nat (outside) 1 10.10.19.0 255.255.255.0 * 10.10.19.0 is the address range of the remote VPN clients

    Internet traffic for the remote VPN starts going through the tunnel, but I lose the ability to reach any of the other site-to-site tunnels through the remote VPN tunnel.

    I also begin to receive the following errors in the ASA log:

    3 Jul 01 2009 12:34:18 305005 10.10.19.255 137 No translation group found for udp src outside:10.10.19.3/137 dst outside:10.10.19.255/137

    Any help with how NAT statements must be defined for this work would be appreciated.

    Thank you

    Will

    Will,

    The link in this post, for a VPN hub & spoke scenario, is for your reference; your problem may be in the NAT exempt rules.

    Have a second look at your NAT exempt rules.

    Be sure to remove the RA tunnel-related rules as appropriate so they do not get in the way of the split.

    http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=security&topic=firewalling&TopicId=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4

    If it still fails, describe the topology for the L2Ls and the RA, the logic, and a sanitized hub ASA config... but I think if you look at the thread above, you should be able to solve it.

    Regards

  • Routing of a VPN from Site to site to remote VPN users

    Hello

    We have a site-to-site and a remote access VPN configured on the same interface of an ASA 5520 (software version 8.3). When the remote VPN users try to connect to the computers located at the far end of the site-to-site VPN, their requests fail. I tried a no-NAT between the remote VPN private IPs and the private IP addresses of the remote site, and also added the same to split tunneling. I can't even get a tracert; ping has also timed out.

    Is there any solution to make this thing work?

    Shankar.

    There are a few things that need to be added to make it work:

    (1) on the ASA where the remote VPN users connect, you must add "same-security-traffic permit intra-interface"

    (2) you mention that you have added the LAN of the remote site-to-site to the split tunnel list, so that's good.

    (3) on the ASA terminating the remote access VPN, you must also add the following:

    - The crypto ACL for the site-to-site VPN must include the following:

    access-list permit ip

    (4) on the ASA at the remote site of the site-to-site, you must add:

    - The crypto ACL for the site-to-site VPN must include the following:

    access-list permit ip

    - No-NAT: access-list permit ip

  • A remote VPN (link source and destination ip peer)

    Hi all

    I can access my office network through RAS VPN. I have a static IP address on my home modem, and now I want to create an access list so that I can access my office network through this static IP address only. I tried the ACL given below on my office firewall, but it did not work for me.

    Example: access-list 101 permit udp host 10.0.0.1 interface outside eq 500

    access-list 101 permit esp host 10.0.0.1 interface outside

    access-group 101 in interface outside

    Any idea,

    Thanks in advance

    Regards

    Tash

    Hello guys,

    Tash, so you say you have purchased a static IP address for your home, and now you want your ASA to accept only that IP. You are using the Cisco VPN Client, right?

    Amatahen, you are right that sysopt connection permit-vpn will allow encrypted traffic to bypass the access-group, but the negotiation traffic is not encrypted, because we are going to use 3 packets (UDP 500, but if either side is behind NAT, packets #2 and #3 will move to UDP 4500 instead of 500).

    The access-group filters through-the-box traffic, NOT to-the-box traffic, so to achieve this you need to create an access-group for your home IP; but the thing is that your access-group must be configured with the control-plane keyword at the end. You'll also need to allow ssh, https, etc., depending on the services you run on this device.

    Kind regards

  • How to use ACS 5.2 to create a static ip address user for remote access VPN

    Hi all

    I have the problem. Please help me.

    Initially I used ACS 4.2 to create the static IP address for the remote access VPN user; it's easy, simply configure User Setup > Client IP Address Assignment > Assign static IP address. But with ACS 5.2 I don't know how to do it.

    I tried to add the IPv4 address attribute to the user after reading "How to use ACS 5.2", which says this:

    Step 1: Add a static IP attribute to the internal user attribute dictionary:

    Step 2: Select System Administration > Configuration > Dictionaries > Identity > Internal Users.

    Step 3: Click Create.

    Step 4: Add the static IP attribute.

    Step 5: Select Users and Identity Stores > Internal Identity Stores > Users.

    Step 6: Click Create.

    Step 7: Edit the static IP attribute of the user.

    I just did that, but it isn't working. When I use the EasyVPN client to connect to the ASA 5520, the user authenticates successfully but does not get the static IP I set on the internal user, so the tunnel setup fails. I tried configuring an IP pool on the ASA for the ACS users to get an IP; the EasyVPN client connects to the ASA, everything is OK, and the user authentication succeeds. But when I remove the IP pool configuration and use the "add a static IP address to the user" configuration, EzVPN fails.

    So, what should I do? If anybody knows how to use ACS 5.2 to create a static IP address user for remote access VPN, please say.

    Waiting for your answer; right or not, please answer, thank you.

    There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instructions in the two attached slides.

  • ASA static IP Addressing for IPSec VPN Client

    Hello guys.

    I use a Cisco ASA 5540 with version 8.4.
    I need to assign a static IP address to a VPN client. I saw in the Cisco documentation that this can be done by validating the user against the local ASA user database and, in the user account, assigning a dedicated IP address using the vpn-framed-ip-address CLI command.
    The problem is that the client never gets this address; it always gets one from the pool in the group policy. If I delete this pool, the client can't get any address.
    Any idea how to fix this, or how I can give this static IP address to a specific VPN client?
    Thank you.

    You're welcome. Please check the response and mark it as correct.

    See you soon

  • static ip address to the remote client asa 5500

    Hi all

    I am trying to configure a static IP on the remote client side for a user. I used the following doc as an example, but I don't get the IP address which I am setting for the user.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080a7afb2.shtml

    My ASA version is 8.2(1)

    Thank you

    Cyril

    Great to hear. Please kindly mark the post as answered so that others may learn from your post. Thank you...

  • Static IP address with VPN

    I'm doing research on using vSphere in our organization and can't find the answer to an important question:

    If you have 2 VMs using Hot Standby, how do you deal with the fact that the active VM must have the same static IP address, since it is the only address our VPN router will allow our remote users to access?

    For clarity:

    VMServer1 @ 1.1.1.1 (where 1.1.1.1 is the only address the VPN will allow a user to reach) switches to a Hot Standby server, VMServer2

    After switching, VMServer2 needs to be 1.1.1.1 so that the VPN will continue to let the remote users work with the machine.

    Sorry if it's a simple question, but it's at the top of the "should be able to" list!

    Thanks for any answers

    See:

    http://ITKnowledgeExchange.TechTarget.com/virtualization-Pro/masters-Guide-to-VMware-fault-tolerance/

    also

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=1013428

    FT is great, but it also imposes constraints on the virtual machine. I wouldn't think that all virtual machines will be decent candidates for it... Make sure that you understand the use cases and limitations before implementing FT.

  • Computers with static IP address, get addresses (169.254) APIPA

    There are several PCs on my network configured with static IP addresses. On going to sleep or on a warm restart, they get an APIPA 169.254.x.x address. I found that there are three ways to solve this temporarily:

    1. Shut the computer down (cold) and back on the power.
    2. Disable and re-enable the adapter.
    3. Disconnect and reconnect the network cable.

    I had some success setting the NIC to 100 Mbit/s Full Duplex AND the switch port to match. This seems like a kludgy solution. Updating the NIC drivers to newer versions does not help. The problem exists on many adapter brands, including Intel, Broadcom and Marvell. Nothing useful is in the event logs. Our switching infrastructure is all Cisco, if it matters.

    Can anyone help?

    This issue is beyond the scope of this site and should be posted on TechNet or MSDN

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home

  • Cannot get internet static IP address

    Hi, I put several new Win7 PCs in an office to replace Win XP PCs. I need to use static IP addresses on all of the PCs, as that is required to access the Unix server. The new PCs start out with internet access just fine, but when I assign static IP addresses, they no longer have internet. My IP address, DNS server, gateway, etc. are all correct and identical to what is configured on the XP PCs (except the IP address, of course). Even though the new PCs do not have internet access, they can connect to the Unix server and to other PCs in the workgroup. When I diagnose the problem I get the answer: "your computer seems to be configured correctly, but the device or resource (DNS server) is not responding." All the XP computers use static IP addresses and have internet just fine. Yes, I already tried clearing the DNS cache.

    Hello

    As you are working on a domain network, the question would be better suited to the TechNet support forum.

    I suggest you to check with TechNet support for more information.

    http://social.technet.Microsoft.com/forums/en-us/newThread?category=&Forum

  • "Error: failed to get the IP address of the destination virtual machine running the converter to assistance server." with a static IP address

    Hi all

    I'm trying to P2V a Linux 6.4 machine. It fails with the following message:

    Error: Cannot get the IP address of the destination virtual machine running the converter helper server.

    I have seen discussions on this message, but they all refer to a dynamic IP address taken from DHCP, whereas in my case I use a static IP address.

    During the P2V (which then fails...) I opened the helper machine console and saw a message:

    eth0 is not a recognized interface.

    Can someone tell me what is happening?

    Hello

    I assume you are using Converter 5.5. There is a new feature that allows selection of the network card. However, it works well in the case of Linux P2V. If you have changed the adapter type, use 'e1000' or 'auto' and try again.

    HTH

    Plamen

  • Weird, NIC is not getting an IP address from the DHCP server, but when you set a static IP address it works...

    Has anyone run into this before? Of course it is in a LAB environment, but this Win 2012R2 VM simply won't cooperate... lol

    I tried to vMotion it to another host, but nothing. Other virtual machines, 2008 R2, can obtain a static IP address fine and work fine. It is the only 2012R2 VM in the LAB.

    No 'ghost' NICs or anything like that. It's a brand new Windows virtual machine.

    Thank you

    EDIT:

    I use the VMXNET3 card.

    Figured it out. Someone added an "out for delivery" rule to the DHCP address range and it used the whole range... lol

  • VPN on ASA5510

    We have 2 sites with ASA5510s and want to configure a VPN tunnel for data. At the moment we have MPLS, which we would love to get rid of.

    I see in our configuration that there are already VPN tunnels configured, but they do not work, because when we stopped MPLS the data between both parties ceased to flow.

    Here is the config of one of the ASA5510s; please let me know if you see a VPN configured... I'm new to firewalls...

    Help, please...

    ASA Version 8.0(3)
    !
    hostname House
    domain-name none.com
    names

    name 10.10.10.10 Exchange2010
    name 1.1.1.1.1 Exchange2010outside
    dns-guard
    !
    interface Ethernet0/0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address Exchange2010outside 255.255.255.248
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 10.10.10.2 255.255.255.0
    !
    interface Ethernet0/2
     nameif mpls
     security-level 100
     ip address 10.10.10.2 255.255.255.240
    !
    interface Ethernet0/3
     nameif temp
     security-level 0
     no ip address
    !
    interface Management0/0
     shutdown
     nameif management
     security-level 100
     no ip address
     management-only
    !

    ftp mode passive
    dns server-group DefaultDNS
     domain-name none.com
    same-security-traffic permit inter-interface
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    access-list 101 extended permit tcp any interface outside eq 3390
    access-list 101 extended permit tcp any interface outside eq 3391
    access-list 101 extended permit tcp any interface outside eq 3392
    access-list 101 extended permit tcp any interface outside eq 3393
    access-list 101 extended permit tcp any interface outside eq 3394
    access-list 101 extended permit tcp any interface outside eq 3395
    access-list 101 extended permit tcp any interface outside eq 3396
    access-list 101 extended permit tcp any interface outside eq 3397
    access-list 101 extended permit tcp any interface outside eq 3398
    access-list 101 extended permit tcp any interface outside eq 3399
    access-list 101 remark OWA 2010
    access-list 101 extended permit tcp any host Exchange2010outside eq 3389
    access-list 101 extended permit tcp any host Exchange2010outside eq www
    access-list 101 extended permit tcp host 64.92.220.155 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.156 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.157 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.158 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.159 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.160 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.161 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.162 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.163 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.164 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.165 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.166 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.85 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.86 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.87 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.88 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.89 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.90 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.91 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.92 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.245 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.246 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.247 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.248 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.249 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.250 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.251 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.252 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp 64.18.0.0 255.255.240.0 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp any host Exchange2010outside eq https
    access-list 101 extended permit object-group TCPUDP any host Exchange2010 eq www

    access-list home-remote extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
    access-list home-remote extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
    access-list home-remote extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
    access-list home-remote extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 255.255.255.0
    access-list course extended permit tcp any eq 3391 any
    access-list course extended permit tcp any eq 3394 any
    access-list home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
    access-list home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
    access-list home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
    access-list home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 255.255.255.0
    access-list plastique1 extended permit tcp any any eq smtp
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu mpls 1500
    mtu temp 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list home-RemoteNONAT
    nat (inside) 1 10.10.1.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.2.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.3.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.4.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.5.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.6.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.7.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.8.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.9.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.10.0 255.255.255.0 tcp 50 20

    static (inside,outside) tcp interface smtp Exchange2010 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https Exchange2010 https netmask 255.255.255.255

    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 111.111.11.111 1 (note: 111.111.11.111 seems to be the ISP gateway)
    route inside 10.10.4.0 255.255.255.0 10.10.4.1 1
    route inside 10.10.5.0 255.255.255.0 10.10.5.1 1
    route inside 10.10.6.0 255.255.255.0 10.10.6.1 1
    route inside 10.10.7.0 255.255.255.0 10.10.7.1 1
    route inside 10.10.8.0 255.255.255.0 10.10.8.1 1
    route inside 10.10.9.0 255.255.255.0 10.10.9.1 1
    route mpls 10.10.11.0 255.255.255.0 10.10.20.1 1
    route mpls 10.10.12.0 255.255.255.0 10.10.20.1 1
    route mpls 10.10.13.0 255.255.255.0 10.10.20.1 1
    route mpls 10.10.14.0 255.255.255.0 10.10.20.1 1
    route mpls 10.10.21.0 255.255.255.0 10.10.20.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 10.10.11.0 255.255.255.0 inside
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac
    crypto map maptoREMOTE 10 match address home-remote
    crypto map maptoREMOTE 10 set transform-set Home_Tunnel
    crypto map maptoREMOTE interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 11
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800
    crypto isakmp policy 30
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 30
    telnet 10.10.10.0 255.255.255.0 inside
    telnet 10.10.11.0 255.255.255.0 inside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics
    username admin password id6XqXzHqVdjWpuR encrypted privilege 15
    tunnel-group 38.1.1.1 type ipsec-l2l (note: 38.1.1.1 is the remote ASA's IP address)
    tunnel-group 38.1.1.1 ipsec-attributes (note: 38.1.1.1 is the remote ASA's IP address)
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    class-map pptp-port
     match port tcp eq pptp
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    policy-map pptp_policy
     class pptp-port
      inspect pptp
    policy-map pptp-policy
     class pptp-port
      inspect pptp
    !
    service-policy global_policy global
    service-policy pptp_policy interface outside
    prompt hostname context

    Hi Gurpreet,

    Yes, the VPN configuration below will work:

    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 64.1.1.1

    tunnel-group 64.1.1.1 type ipsec-l2l
    tunnel-group 64.1.1.1 ipsec-attributes
     pre-shared-key *

    - Now, in the above configuration we are missing the remote VPN access list that defines the interesting traffic; for this you need to identify the interesting traffic (probably by checking the configuration of the remote endpoint) and apply it here. We must also apply the crypto map to the interface. So the complete VPN config should look like this:

    crypto map outside_map 20 match address

    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 64.1.1.1

    tunnel-group 64.1.1.1 type ipsec-l2l

    tunnel-group 64.1.1.1 ipsec-attributes

     pre-shared-key *

    crypto map outside_map interface outside

    See you soon,

    Christian V
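The reply above lists the pieces a site-to-site crypto map entry needs before a tunnel can come up: a `match address` ACL for the interesting traffic, a `set peer`, a transform set, a matching `tunnel-group ... type ipsec-l2l`, and the map bound to an interface. The following is an added example (not code from this thread or from Cisco) of a small audit script that reads an ASA 8.x style running-config and reports which of those pieces each crypto map entry is missing. The sample config, the ACL name `home_remote` and the peer addresses are constructed placeholders that mirror the shape of the config posted in the thread.

```python
"""Audit an ASA-style running-config for incomplete site-to-site crypto map entries.

Added example, not part of the original thread. Checks each 'crypto map NAME SEQ ...'
entry for the elements the reply above says a working L2L tunnel needs.
"""
import re
from collections import defaultdict

# Constructed sample config (placeholder names and addresses), shaped like the
# thread's config: maptoREMOTE 10 lacks a peer; outside_map 20 lacks the ACL,
# the transform set and the interface binding.
SAMPLE_CONFIG = """\
crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac
crypto map maptoREMOTE 10 match address home_remote
crypto map maptoREMOTE 10 set transform-set Home_Tunnel
crypto map maptoREMOTE interface outside
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
 pre-shared-key *
"""

# crypto map <name> <seq> <attribute> [<value>]
CRYPTO_ENTRY = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs)\s*(\S*)"
)
# crypto map <name> interface <ifname>
CRYPTO_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)")
# tunnel-group <peer> type ipsec-l2l
TG_L2L = re.compile(r"^tunnel-group (\S+) type ipsec-l2l")


def parse(config: str):
    """Collect crypto map entries, interface bindings and L2L tunnel-groups."""
    entries = defaultdict(dict)  # (map name, seq) -> {attribute: value}
    bound = {}                   # map name -> interface it is applied to
    l2l_groups = set()           # peers that have an ipsec-l2l tunnel-group
    for raw in config.splitlines():
        line = raw.strip()
        m = CRYPTO_ENTRY.match(line)
        if m:
            name, seq, attr, value = m.groups()
            entries[(name, int(seq))][attr] = value
            continue
        m = CRYPTO_IFACE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = TG_L2L.match(line)
        if m:
            l2l_groups.add(m.group(1))
    return entries, bound, l2l_groups


def audit(config: str) -> list:
    """Return one finding string per missing element, empty list if all entries are complete."""
    entries, bound, l2l_groups = parse(config)
    findings = []
    for (name, seq), attrs in sorted(entries.items()):
        where = f"crypto map {name} {seq}"
        if "match address" not in attrs:
            findings.append(f"{where}: no 'match address' (interesting-traffic ACL), tunnel will never trigger")
        if "set peer" not in attrs:
            findings.append(f"{where}: no 'set peer'")
        elif attrs["set peer"] not in l2l_groups:
            findings.append(f"{where}: peer {attrs['set peer']} has no 'tunnel-group ... type ipsec-l2l'")
        if "set transform-set" not in attrs:
            findings.append(f"{where}: no 'set transform-set'")
        if name not in bound:
            findings.append(f"{where}: map {name} is not applied to any interface ('crypto map {name} interface ...')")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved `show running-config`, the script gives a quick pre-flight list before you try to bring the tunnel up; on the sample it reports the missing peer on maptoREMOTE and the missing ACL, transform set and interface binding on outside_map. It only checks presence, not that the ACL's contents actually describe the remote endpoint's networks, which still has to be verified by hand as the reply says.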
