From: David Kerber on 8 Apr 2010 10:26

I'm having trouble setting up a remote access vpn on my ASA 5505. Right now, we're using a windows pptp vpn and remote desktop to connect to office machines from home, and it works fine (so I know my firewalls aren't an issue). I want to migrate to a Cisco vpn so I can retire the MS vpn server, which is quite old.

I can get the cisco vpn client 5.05 to connect from windows, and the open-source vpnc client from Debian Linux, but in both cases, even though the client is fully connected, I cannot see or do anything on the office network. No pings, Remote Desktop times out, etc. These both work with the MS vpn. I suspect a routing issue, but it's also possible that there may be ACL issues.

Here is my current attempt in the 5505, which gives me a client connect, but no data flow. Suggestions for cleaning up or improving the config are also welcome.

A few notes about the config: The series of 10.96.96.* addresses in the config are a way of making a lan-to-lan vpn with a customer whose network addresses overlap with our internal addresses. It looks funky, but it works and I don't dare touch it.

Also, note the vpn ip pool:

ip local pool CiscoVpnPool 172.17.47.96-172.17.47.127 mask 255.255.255.240

I have tried putting the pool in a separate subnet with the same non-working result:

ip local pool CiscoVpnPool 172.31.1.1-172.31.1.254 mask 255.255.255.255

I know the word wrap will make things tough to decipher, but here's what I have:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name <my domain>
enable password <password> encrypted
passwd <password> encrypted
names
name 192.168.3.3 web-ftp-email_server description in-house web, ftp, e-mail server
name 172.17.47.6 realtime-osp-server description RealTime OSP data collection server
name 172.17.47.50 vpn-server description internal VPN server
name 172.17.47.71 websira-server description WebSIRA server
name 172.17.47.90 exchange-server description internal Exchange server
name 192.168.3.4 wraenviro-email description Second IP address on web-ftp-email_server
name 12.129.242.22 WorldOfWarcraft description WOW website
name 172.17.47.80 XAMPP-server description XAMPP server
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.47.49 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan10
 description Connected to <Customer>'s Juniper VPN appliance
 nameif <Customer>
 security-level 50
 ip address 10.96.96.20 255.255.255.0
!
interface Vlan20
 nameif Monitoring
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 20
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name <my domain>
same-security-traffic permit inter-interface
object-group service E-MAIL_SERVICES tcp
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service WOW tcp
 description World of Warcraft ports
 port-object eq 3724
 port-object eq 6112
access-list outside_access_in remark RealTime OSP data for <customer 6>
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 1024
access-list outside_access_in remark RealTime OSP for <customer 7>
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 55003
access-list outside_access_in remark VPN server
access-list outside_access_in extended permit gre any 192.168.2.0 255.255.255.0
access-list outside_access_in remark VPN server
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq pptp
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 object-group E-MAIL_SERVICES
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list outside_access_in remark WebSIRA - <customer 2>
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 81
access-list outside_access_in remark WebSIRA - <customer 3>
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8085
access-list outside_access_in remark WebSIRA - <customer 4>
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8081
access-list outside_access_in remark Exchange OWA
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 1443
access-list outside_access_in remark Exchange OWA
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8088
access-list outside_access_in remark RealTime OSP for <customer 5>
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 55005
access-list outside_access_in remark XAMPP server
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8090
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8021
access-list outside_access_in extended deny tcp any any object-group WOW
access-list DMZ_access_in extended permit tcp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit tcp host wraenviro-email 172.17.47.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit tcp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit tcp host wraenviro-email 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit udp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit udp host wraenviro-email 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in remark Deny all from DMZ to inside, part of allowing outside-world browsing from DMZ
access-list DMZ_access_in extended deny ip 192.168.3.0 255.255.255.0 172.17.47.0 255.255.255.0
access-list DMZ_access_in remark Allow all traffic from DMZ to outside, allows browsing from DMZ
access-list DMZ_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list <Customer>_access_in extended permit ip any any
access-list outside_access_out extended deny tcp any any object-group WOW
access-list outside_access_out extended deny ip any host WorldOfWarcraft
access-list outside_access_out extended permit ip any any
access-list WraUsers_splitTunnelAcl standard permit 172.17.47.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.47.0 255.255.255.0 172.31.1.0 255.255.255.0
pager lines 24
logging trap warnings
logging asdm informational
logging host inside 172.17.47.94
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu <Customer> 1500
mtu Monitoring 1500
ip local pool CiscoVpnPool 172.17.47.96-172.17.47.127 mask 255.255.255.240
no failover
monitor-interface inside
monitor-interface outside
monitor-interface DMZ
monitor-interface <Customer>
monitor-interface Monitoring
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ
icmp permit any <Customer>
icmp permit any Monitoring
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (DMZ) 1 0.0.0.0 0.0.0.0 dns
static (DMZ,outside) tcp interface ftp web-ftp-email_server ftp netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface www web-ftp-email_server www netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface smtp web-ftp-email_server smtp netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface pop3 web-ftp-email_server pop3 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1024 realtime-osp-server 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 55003 realtime-osp-server 55003 netmask 255.255.255.255
static (DMZ,outside) tcp interface https web-ftp-email_server https netmask 255.255.255.255 dns
static (inside,outside) tcp interface 55005 realtime-osp-server 55005 netmask 255.255.255.255
static (inside,outside) tcp interface pptp vpn-server pptp netmask 255.255.255.255
static (inside,outside) tcp interface 81 XAMPP-server 81 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8085 XAMPP-server 8085 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8081 XAMPP-server 8081 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1443 exchange-server 1443 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8088 exchange-server 8088 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8090 XAMPP-server 8090 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8021 XAMPP-server ftp netmask 255.255.255.255
static (DMZ,<Customer>) 10.96.96.3 web-ftp-email_server netmask 255.255.255.255
static (inside,DMZ) 172.17.47.0 172.17.47.0 netmask 255.255.255.0
static (inside,<Customer>) 10.96.96.16 172.17.47.16 netmask 255.255.255.240
static (inside,<Customer>) 10.96.96.32 172.17.47.32 netmask 255.255.255.224
static (inside,<Customer>) 10.96.96.64 172.17.47.64 netmask 255.255.255.192
static (inside,<Customer>) 10.96.96.128 172.17.47.128 netmask 255.255.255.128
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group DMZ_access_in in interface DMZ
access-group <Customer>_access_in in interface <Customer>
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route <Customer> 172.16.0.0 255.255.0.0 10.96.96.1 1
route <Customer> 172.19.0.0 255.255.0.0 10.96.96.1 1
route <Customer> 172.20.0.0 255.255.0.0 10.96.96.1 1
route <Customer> 172.18.0.0 255.255.0.0 10.96.96.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.17.47.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 172.17.47.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0

ntp server 172.17.47.1 source inside prefer
group-policy WraUsers internal
group-policy WraUsers attributes
 wins-server value 172.17.47.90 172.17.47.1
 dns-server value 172.17.47.90 172.17.47.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WraUsers_splitTunnelAcl
 default-domain value <my domain>
 address-pools value CiscoVpnPool
username davek password <my encrypted password> encrypted privilege 15
tunnel-group WraUsers type ipsec-ra
tunnel-group WraUsers general-attributes
 address-pool CiscoVpnPool
 default-group-policy WraUsers
tunnel-group WraUsers ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group WraUsers ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group-map default-group WraUsers
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e721e22b08ee2878d6f15ecd592c870
: end
From: David Kerber on 8 Apr 2010 14:45

Got it going. I was missing the settings to turn off NAT for my vpn clients. Here's what I ended up with; I'm still open to suggestions for cleaning it up or improving it:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name <my domain>
enable password <deleted> encrypted
passwd <deleted> encrypted
names
name 192.168.3.3 web-ftp-email_server description WRA in-house web, ftp, e-mail server
name 172.17.47.6 realtime-osp-server description RealTime OSP data collection server
name 172.17.47.50 vpn-server description WRA internal VPN server
name 172.17.47.71 websira-server description WebSIRA server
name 172.17.47.90 exchange-server description WRA internal Exchange server
name 192.168.3.4 email description Second IP address on web-ftp-email_server
name 12.129.242.22 WorldOfWarcraft description WOW website
name 172.17.47.80 XAMPP-server description XAMPP server
name 172.31.1.0 CiscoVPNpool
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.47.49 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan10
 description Connected to <Customer>'s Juniper VPN appliance
 nameif <Customer>
 security-level 50
 ip address 10.96.96.20 255.255.255.0
!
interface Vlan20
 nameif Monitoring
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 20
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name <my domain>
same-security-traffic permit inter-interface
object-group service E-MAIL_SERVICES tcp
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service WOW tcp
 description World of Warcraft ports
 port-object eq 3724
 port-object eq 6112
access-list outside_access_in remark RealTime OSP data for customer2
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 1024
access-list outside_access_in remark RealTime OSP for customer3
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 55003
access-list outside_access_in remark VPN server
access-list outside_access_in extended permit gre any 192.168.2.0 255.255.255.0
access-list outside_access_in remark VPN server
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq pptp
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 object-group E-MAIL_SERVICES
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list outside_access_in remark WebSIRA - customer4
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 81
access-list outside_access_in remark WebSIRA - customer5
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8085
access-list outside_access_in remark WebSIRA - customer6
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8081
access-list outside_access_in remark Exchange OWA
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 1443
access-list outside_access_in remark Exchange OWA
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8088
access-list outside_access_in remark RealTime OSP for customer7
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 55005
access-list outside_access_in remark XAMPP server
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8090
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8021
access-list outside_access_in extended deny tcp any any object-group WOW
access-list DMZ_access_in extended permit tcp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit tcp host email 172.17.47.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit tcp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit tcp host email 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit udp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit udp host email 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in remark Deny all from DMZ to inside, part of allowing outside-world browsing from DMZ
access-list DMZ_access_in extended deny ip 192.168.3.0 255.255.255.0 172.17.47.0 255.255.255.0
access-list DMZ_access_in remark Allow all traffic from DMZ to outside, allows browsing from DMZ
access-list DMZ_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list <Customer>_access_in extended permit ip any any
access-list outside_access_out extended deny tcp any any object-group WOW
access-list outside_access_out extended deny ip any host WorldOfWarcraft
access-list outside_access_out extended permit ip any any
access-list WraUsers_splitTunnelAcl standard permit 172.17.47.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.47.0 255.255.255.0 CiscoVPNpool 255.255.255.0
access-list vpnclients extended permit ip 172.17.47.0 255.255.255.0 CiscoVPNpool 255.255.255.0
pager lines 24
logging trap warnings
logging asdm informational
logging host inside 172.17.47.94
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu <Customer> 1500
mtu Monitoring 1500
ip local pool CiscoVpnPool 172.31.1.1-172.31.1.254 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface DMZ
monitor-interface <Customer>
monitor-interface Monitoring
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ
icmp permit any <Customer>
icmp permit any Monitoring
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list vpnclients
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (DMZ) 1 0.0.0.0 0.0.0.0 dns
static (DMZ,outside) tcp interface ftp web-ftp-email_server ftp netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface www web-ftp-email_server www netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface smtp web-ftp-email_server smtp netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface pop3 web-ftp-email_server pop3 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1024 realtime-osp-server 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 55003 realtime-osp-server 55003 netmask 255.255.255.255
static (DMZ,outside) tcp interface https web-ftp-email_server https netmask 255.255.255.255 dns
static (inside,outside) tcp interface 55005 realtime-osp-server 55005 netmask 255.255.255.255
static (inside,outside) tcp interface pptp vpn-server pptp netmask 255.255.255.255
static (inside,outside) tcp interface 81 XAMPP-server 81 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8085 XAMPP-server 8085 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8081 XAMPP-server 8081 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1443 exchange-server 1443 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8088 exchange-server 8088 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8090 XAMPP-server 8090 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8021 XAMPP-server ftp netmask 255.255.255.255
static (DMZ,<Customer>) 10.96.96.3 web-ftp-email_server netmask 255.255.255.255
static (inside,DMZ) 172.17.47.0 172.17.47.0 netmask 255.255.255.0
static (inside,<Customer>) 10.96.96.16 172.17.47.16 netmask 255.255.255.240
static (inside,<Customer>) 10.96.96.32 172.17.47.32 netmask 255.255.255.224
static (inside,<Customer>) 10.96.96.64 172.17.47.64 netmask 255.255.255.192
static (inside,<Customer>) 10.96.96.128 172.17.47.128 netmask 255.255.255.128
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group DMZ_access_in in interface DMZ
access-group <Customer>_access_in in interface <Customer>
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route <Customer> 172.16.0.0 255.255.0.0 10.96.96.1 1
route <Customer> 172.19.0.0 255.255.0.0 10.96.96.1 1
route <Customer> 172.20.0.0 255.255.0.0 10.96.96.1 1
route <Customer> 172.18.0.0 255.255.0.0 10.96.96.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.17.47.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 172.17.47.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0

ntp server 172.17.47.1 source inside prefer
group-policy WraUsers internal
group-policy WraUsers attributes
 wins-server value 172.17.47.90 172.17.47.1
 dns-server value 172.17.47.90 172.17.47.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WraUsers_splitTunnelAcl
 default-domain value <my domain>
 address-pools value CiscoVpnPool
username davek password <deleted> encrypted privilege 15
tunnel-group WraUsers type ipsec-ra
tunnel-group WraUsers general-attributes
 address-pool CiscoVpnPool
 default-group-policy WraUsers
tunnel-group WraUsers ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group WraUsers ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group-map default-group WraUsers
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:blah
: end
From: David Kerber on 9 Apr 2010 10:34
I should have said that I got it *partially* going. Can anybody help me figure out how to get the vpn clients to be able to connect to machines on the dmz (192.168.3.3), and to the <Customer> vpn?

Thanks!!
D

In article <MPG.2627ee0918a4e4f69896ea(a)news.onecommunications.net>, ns_dkerber(a)ns_warrenrogersassociates.com says...
> Got it going. I was missing the settings to turn off NAT for my vpn
> clients. Here's what I ended up with; I'm still open to suggestions for
> cleaning it up or improving it:
> policy-map type inspect dns preset_dns_map > parameters > message-length maximum 512 > policy-map global_policy > class inspection_default > inspect dns preset_dns_map > inspect ftp > inspect h323 h225 > inspect h323 ras > inspect rsh > inspect rtsp > inspect esmtp > inspect sqlnet > inspect skinny > inspect sunrpc > inspect xdmcp > inspect sip > inspect netbios > inspect tftp > inspect icmp > inspect icmp error > inspect pptp > ! > service-policy global_policy global > prompt hostname context > Cryptochecksum:blah > : end |