Static ip address linking to remote Cisco ASA vpn users

Similar Questions

• static ip address to the remote client asa 5500

  Hi all

  I am trying to configure static ip on the remote client side of the user, I use the following as an example doc, but I don't get the ip address which I am mentiong the user.

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080a7afb2.shtml

  my version of the asa is 8.2 (1)

  Thank you

  Cyril

  Great to hear. Pls kindly marks the message as answered while others may learn from your post. Thank you...

• Cisco ASA vpn site to site with access internet, error

  Hello

  I have two offises, Central and removed, with the external IP addresses. They are connected to the site to site vpn, LAN works fine, then NAT is disable, but then there is no internet access, then I Internet in NAT is working well, but then there is no access to the local network.
  Where would be the problem?

  There's config:

  ASA Version 8.4(4)1
!
hostname SalSK-ASA
domain-name ld.lt
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 81.X.X.X 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.204.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
 domain-name lietuvosdujos.lt
object network LAN
 subnet 192.168.204.0 255.255.255.0
 description Local Area Network
object network LD_Lanai
 subnet 192.168.0.0 255.255.0.0
 description LD lanai
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
access-list outside_cryptomap_1 extended permit ip object LAN any
access-list outside extended permit ip any any
pager lines 24
logging enable
logging list VPN_events level informational class auth
logging list VPN_events level informational class vpdn
logging list VPN_events level informational class vpn
logging list VPN_events level informational class vpnc
logging list VPN_events_ID message 713120
logging list VPN_events_ID message 713167
logging list VPN_events_ID message 602303
logging list VPN_events_ID message 713228
logging list VPN_events_ID message 113012
logging list VPN_events_ID message 113015
logging list VPN_events_ID message 713184
logging list VPN_events_ID message 713119
logging list VPN_events_ID message 602304
logging monitor debugging
logging buffered debugging
logging trap VPN_events_ID
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN interface inactive
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.200.48
 key *****
user-identity default-domain LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa authentication ssh console ISE LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 213.X.X.X
crypto map outside_map 1 set ikev1 transform-set tripledes
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.201.200 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SalGP internal
group-policy SalGP attributes
 vpn-filter value vpn
 vpn-tunnel-protocol ikev1 l2tp-ipsec
username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
tunnel-group 213.X.X.X type ipsec-l2l
tunnel-group 213.X.X.X general-attributes
 default-group-policy SalGP
tunnel-group 213.X.X.X ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]/* */
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
: end

  Two things are here according to you needs.

  First you encrypt all the traffic on the network 192.168.204.0/24... do you intend to send all traffic on that subnet via the VPN? If this isn't the case, specify the remote subnet instead of using all the crypto ACL.

  object network LAN
 subnet 192.168.204.0 255.255.255.0access-list outside_cryptomap_1 extended permit ip object LAN any

  Second, you have not an exempt statement NAT so that encrypted traffic should not be translated.  This statement would look like the following:
  the object of the LAN network
  192.168.204.0 subnet 255.255.255.0

  being REMOTE-LAN network
  255.255.255.0 subnet 192.168.100.0

  Static NAT LAN LAN (inside, outside) destination static REMOTE - LAN LAN

  --

  Please do not forget to choose a good response and the rate

• Unable to connect to other remote access (ASA) VPN clients

  Hello

  I have a cisco ASA 5510 appliance configured with remote VPN access

  I can connect all hosts on the INSIDE and DMZ network, but not able to access other clients connected to the same VPN.

  For example, if I have 2 clients connected to the VPN, customer and CustomerB, with a pool of vpn IP addresses such as 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.

  Any help is welcome.

  Thanks in advance.

  Hello

  I'm a little rusty on the old format NAT, but would be what I would personally try to configure NAT0 on the 'outer' interface.

  It seems to me that you currently have dynamic PAT configured for the VPN users you have this

  NAT (outside) 1 10.40.170.0 255.255.255.0

  If your traffic is probably corresponding to it.

  The only thing I can think of at the moment would be to configure

  Note of VPN-CLIENT-NAT0-access-list NAT0 for traffic between VPN Clients

  list of access VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0

  NAT (outside) 0-list of access VPN-CLIENT-NAT0

  I don't know if it works. I did not really have to configure it on any ASAs running older software. There was some similar questions here on the forums for the new format.

  -Jouni

• Between Cisco ASA VPN tunnels with VLAN + hairpin.

  I have two Cisco ASA (5520 and 5505) both with version 9.1 (7) with Over VPN and Security Plus licenses. I try to understand all the internet a traffic tunnel strategy VLAN especially on the 5520 above the 5505 for further routing to the internet (such as a hair/u-turn hairpin). A few warnings:

  1. The 5505 has a dynamically assigned internet address.
  2. The 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).
  3. The 5520 cannot be a client of ezvpn due to its current role as a server of webvpn (anyconnect).

  Let me know if I need to post my current config. Basically, I'm starting from scratch after several attempts.

  Thank you!

  1. The 5505 has a dynamically assigned internet address.

  You can use the following doc to set up the VPN and then this document to configure Hairping/U tuning

  2. the 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).

  Make sure that the interface is connected to a switch so that it remains all the TIME.

  3. 5520 the may not be a ezvpn customer due to she has current as one role anyconnect webvpn ()) server.

  You can use dynamic VPN with normal static rather EZVPN tunnel.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Cisco ASA VPN session reflect a public IP of different source

  Hi all

  I tested and managed to successfully establish the vpn on my cisco asa 5520.

  On my syslog, I can see "parent anyconnect session has begun" during my setting up vpn and "webvpn session is over" at the end of my vpn session

  where public ip used to establish the vpn address is reflected. However after the line "webvpn session is over", I can see other lines in my syslog example "group = vpngroup, username = test, ip = x.x.x.x, disconnected session, session type: anyconnect parent, duration 0 h: 00m23s, xmt bytes: 0, rcv:0 bytes, reason: requested user" where x.x.x.x is not the ip address used to establish my vpn for remote access, it is not related to my vpn ip address below. I am very sure that the x.x.x.x ip failed any vpn for my cisco asa5520. So why it is reflected in my logs to asa cisco? Pls advise, TIA!

  Hello

  Think I remember some display on a similar question in the past. Did some research on google and the next BugID was mentioned in the discussion.

  113019 syslog reports an invalid address when the VPN client disconnects.
  CSCub72545
   

  Description

• the Cisco asa vpn processing error payload: payload ID: 1

  Hello

  I set up vpn L2TP by using ASDM and now I am not able to connect my Cisco ASA 5505.

  It is showing the error message

  3

  July 7, 2011

  18:57:38

  IP = *. *. *. *, payload processing error: ID payload: 1

  Please suggest me how to solve this problem (by using ASDM)

  Thank you

  Hi Nikhil,

  Your config seems incomplete, command 'IPSec l2tp ipsec vpn-tunnel-Protocol' is missing, what is needed to connect L2tp try to reconfigure your firewall using the link:-

  http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html

  Hope this helps,

  Parminder Sian

• Configure Cisco ASA VPN client

  I did some research and the answers it was supposed to be possible, but no info on how to do it.  I wonder if it is possible to configure a Cisco ASA 5505/10/20 to be a customer to an existing (in this case) cisco vpn client.  The reasons why are complicated (and irrelevant IMO), but basically, I need to be able to make a small network that may be on this vpn rather than on individual computers.

  The vpn client is a Basic IPSec over UDP Cisco VPN to an ASA5505.

  So, how to set up an another ASA to connect to it as if it were a client?

  Hello

  Here is a document from Cisco on the configuration, the easy ASA of VPN server and Client

  Although in this case, they use a PIX firewall as a client.

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

  Here's another site with instructions related to this installation program

  http://www.petenetlive.com/kb/article/0000337.htm

  I imagine that the site of Cisco ASA Configuration Guide documents will also give instructions how to configure it.

  -Jouni

• Remote access ASA, VPN and NAT

  Hello

  I try to get access to remote VPN work using a Cisco VPN client and ASA with no split tunneling. The VPN works a little, I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the log ASA except these:

  1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
  1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/54918 dst outsidexx.xxx.xxx.xxx/53

  There is only one address public IP that is assigned to the external interface of DHCP. The Interior is 192.168.1.0/24 network which is PAT'ed to the external interface and the VPN network is 192.168.47.X.

  I think my problem is that the net.47 is not NAT'ed out properly and I don't know how to put in place exactly. I can't understand how this is supposed to work since the net VPN technically provenance from the outside already.

  Here are all the relevant config:

  list of vpn access extended permits all ip 192.168.47.0 255.255.255.0
  Within 1500 MTU
  Outside 1500 MTU
  IP local pool vpnpool 192.168.47.200 - 192.168.47.220 mask 255.255.255.0
  IP verify reverse path to the outside interface
  IP audit info alarm drop action
  IP audit attack alarm drop action
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow all outside
  Global interface (2 inside)
  Global 1 interface (outside)
  NAT (inside) 0-list of access vpn
  NAT (inside) 1 0.0.0.0 0.0.0.0
  NAT (outside) 2 192.168.47.0 255.255.255.0 outside
  static (inside, outside) tcp 3074 XBOX360 3074 netmask 255.255.255.255 interface
  static (inside, outside) udp 3074 XBOX360 3074 netmask 255.255.255.255 interface
  public static (inside, outside) udp interface 88 88 XBOX360 netmask 255.255.255.255
  public static tcp (indoor, outdoor) https someids netmask 255.255.255.255 https interface

  I can post more of the configuration if necessary.

  Change ' nat (outside) 2 192.168.47.0 255.255.255.0 apart ' "NAT (2-list of vpn access outdoors outside)" gives these:

  1 Jul 06:18:35 % gatekeeper ASA-3-305005: no group of translation not found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

  So, how I do right NAT VPN traffic so it can access the Internet?

  A few things that needs to be changed:

  (1) NAT exemption what ACL must be modified to be more specific while the traffic between the internal subnets and subnet pool vpn is not coordinated. NAT exemption takes precedence over all other statements of NAT, so your internet traffic from the vpn does not work.

  This ACL:

  list of vpn access extended permits all ip 192.168.47.0 255.255.255.0

  Should be changed to:

  extensive list of access vpn ip 192.168.47.0 255.255.255.0 allow

  (2) you don't need statement "overall (inside) 2. Here's what to be configured:

  no nat (outside) 2 192.168.47.0 255.255.255.0 outside

  no global interface (2 inside)

  NAT (outside) 1 192.168.47.0 255.255.255.0

  (3) and finally, you must activate the following allow traffic back on the external interface:

  permit same-security-traffic intra-interface

  And don't forget to clear xlate after the changes described above and connect to your VPN.

  Hope that helps.

• Cisco ASA VPN Site to Site WITH NAT inside

  Hello!

  I have 2 ASA 5505 related to IPSEC Tunnel VPN Site to Site.

  A 192.168.1.0/24 'remotely' inside the network and a local "192.168.200.0/24' inside the network (you can see the diagram)

  The local host have 192.168.200.254 as default gateway.

  I can't add static route to all army and I can't add static route to 192.168.200.254.

  NAT the VPN entering as 192.168.200.1 or a 192.168.200.x free to connect my host correcly?

  If my host sends packet to exit to the default gateway.

  Thank you for your support

  Best regards

  Marco

  The configuration must be applied on the SAA with the 192.168.200.0 subnet it is inside, there must be something like this:

  permit 192.168.1.0 ip access list VPN_NAT 255.255.255.0 192.168.200.0 255.255.255.0

  NAT (outside) X VPN_NAT outside access list

  Global (inside) X Y.Y.Y.Y (where the Y.Y.Y.Y) is the ip address

  If you have other traffic on the vpn through the tunnel that requires no nat, then you must add external nat exemption rules since these lines above obliges all traffic through the asa to have a nat statement.

  See if it works for you, else post your config nat here.

• Cisco ASA: Vpn SiteToSote with a backup VPN

  Hi all

  A partner have two VPN gateway. We have a connection on one of them, but we want to set up another tunnel for backup (if the first gateway goes down).

  How can I configure my ASA to only create a tunnel with a counterpart if approves it first failure?

  Thanks for the reply

  You can use multiple addresses peer in your map of cryto for example.

  card crypto mymap 10 set by peer

  Your ASA will use try in the order that they are entered, check out this link for more details.

  http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/c5_72.html#wp2066090

  Jon

• Problem Cisco ASA VPN/ACL

  All,

  The situation is that I'm trying to initiates a connection outside a Firewall ASA, to a destination IP address that is on the remote end of a VPN tunnel looked SAA even on the external interface. So logically slow traffic is outside to outside.

  The SAA is to deny the traffic that the conversation shows the source as the destination and the outside outside.

  Is there something smart, that I can do on the SAA to solve this problem?

  Thank you

  D

  Hello

  Use the following command on the ASA:

  permit same-security-traffic intra-interface

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• Transfer between Cisco ASA VPN Tunnels

  Hi Experts,

  I have a situation where I need to set up the transfer between two VPN Tunnels completed in the same box ASA. A VPN Tunnel will incoming traffic and that traffic should be sent to the bottom of the other VPN Tunnel to the ASA. The two VPN Tunnels are from the Internet and speak with the same IP address of the ASA peers.

  Retail

  Tunnel A

  Source: 192.168.1.0/25

  Destination: 10.1.1.0/25

  Local counterpart: 170.252.100.20 (ASA in question)

  Remote peer: 144.36.255.254

  Tunnel B

  Source: 192.168.1.0/25

  Destination: 10.1.1.0/25

  Local peer IP: 170.252.100.20 (box of ASA in question)

  Distance from peer IP: 195.75.75.1

  Can this be achieved? what configurations are needed in the ASA apart cryptographic ACL entries?

  Thanks in advance for your time.

  Believed that, in this case your config is good, and you can avoid using routes on your asa since it must route based on its default gateway, make sure you have good sheep in place rules and the inter-to interface same-security-interface allowed return you will need.

• 8.3 Cisco ASA VPN problem

  Hi all

  I have some problems with the implementation of a VPN using IPSEC to establish a connection from Site to Site.

  What I'm trying to Setup is the following, his IP address of a site can reach the beaches on site B and visa versa.

  Site A                                                       Site B

  192.168.10.0 172.16.0.0

  192.168.20.0 IPSEC tunnel - 172.17.0.0 -.

  192.168.30.0 172.18.0.0

  I tested with one subnet to another subnet that works. However, when I try to group the objects it fails.

  As an example I can set up a VPN of 192.168.20.0 to 172.18.0.0 that I can pass the traffic through but its unable to reach other subnets.

  Excerpts from the config.

  crypto ISAKMP allow outside

  ACL

  list of allowed outside_1_cryptomap ip access dmz LAN object dmz-network-remote

  Tunnel group

  tunnel-group type ipsec-l2l

  IPSec-attributes tunnel-group

  pre-shared key

  ISAKMP retry threshold 10 keepalive 2

  Phase 1

  part of pre authentication isakmp crypto policy 10

  crypto ISAKMP policy 10 3des encryption

  crypto ISAKMP policy hash 10 sah

  10 crypto isakmp policy group 2

  crypto ISAKMP policy life 10 86400

  Phase 2

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs Group1

  map 1 set outside_map crypto peer

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  NAT

  NAT (inside, outside) 1 static source local-network-dmz dmz LAN destination static remote-network-dmz dmz-network distance

  Any advice would be greatly appreciated.

  Thank you.

  Andrew,

  Accroding to your config, each network is behind a different interface of the SAA, so you will need to change the NAT rule for each of them, for example:

  NAT (DMZ_Zone, outside) 1 static source ad-network-local ad-network-local destination static obj obj-remote control-remote control

  NAT (DB_Zone, outside) 1 static source local-network-db db-network-local destination static obj obj-remote control-remote control

  NAT (AD_Zone, outside) 1 static source local-network-dmz dmz LAN destination static obj obj-remote-distance

  Please review and give it a try.

  I hope hear from you soon.

• Problem with the Cisco ASA vpn redundancy?

  Hi all

  I have a series ASA 5500 firewall and need to set a different peer ip for the connection of site2sitevpn. In fact, my goal is, ASA tent first pair ip of the site2site tunnel, when ASA may not reach this ip, try to reach another ip I set before. I can configure this scenerio on Cisco router with this command;

  
  
      crypto map tohub 1 ipsec-isakmp 

   set peer 10.1.1.1 default 

   set peer 10.2.2.2
  
      

  but I wonder what can I do about ASA?

  Thank you.

  Best regards.

  Shane,

  You can configure multiple IP addresses, under the same entry of homologous set on ASA, but it works the same on IOS with preferred peer, it passes between defined peer.

  Marcin