Skip to main content

ASA 5505 VPN Remote Access

More
14 years 5 months ago #32451 by Xenomes
Hi all,

First of all, i had a create help on the site for configuring the asa5505.
the article "HowTo: Basic ASA 5505 configuration" and "Port config on ASA 5505".
Now i want to setup a VPN Remote Access for extern login on the network. I have configure the ASA 5505 so that the vpn clients can login, using LDAP from our server. The clients get a ip-addres from the pool i have create. but if do a ping to a server in the network, there is no response.

running-config
[code:1]
: Saved
: Written by enable_15 at 07:16:34.176 UTC Wed Oct 21 2009
!
ASA Version 7.2(4)
!
hostname firewall
domain-name default.domain.invalid
enable password *****encrypted
passwd *****encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.8 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 195.1.2.3 255.255.255.248 *Change for privies*
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list 101 extended permit tcp any host 192.168.100.2 eq smtp
access-list 101 extended permit tcp any host 192.168.100.2 eq www
access-list 101 extended permit tcp any host 192.168.100.2 eq https
access-list 101 extended permit tcp any host 192.168.100.2 eq 3000
access-list 101 extended permit ip any any
access-list NAT0_Outbound extended permit ip 192.168.122.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list REMOTEVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool Remote_IP 192.168.122.1-192.168.122.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.100.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.100.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.2 https netmask 255.255.255.255
static (inside,outside) tcp interface 3000 192.168.100.2 3000 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 195.1.2.2 1 *Change for privies*
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server Domain protocol ldap
aaa-server Domain (inside) host 192.168.100.2
timeout 5
ldap-base-dn OU=Users, OU=Manntech, DC=Manntech, DC=local
ldap-scope subtree
ldap-login-password none *Change for privies*
ldap-login-dn login *Change for privies*
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 20 set pfs group1
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 40 set pfs group1
crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

group-policy Manntech internal
group-policy Manntech attributes
dns-server value 192.168.100.2 192.168.100.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NAT0_Outbound
default-domain value manntech.local
username admin password ***** encrypted privilege 15 *Change for privies*
tunnel-group Manntech type ipsec-ra
tunnel-group Manntech general-attributes
address-pool Remote_IP
authentication-server-group Domain
default-group-policy Manntech
tunnel-group Manntech ipsec-attributes
pre-shared-key ***** *Change for privies*
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: ***** *Change for privies*
: end
[/code:1]
More
14 years 5 months ago #32452 by r0nni3
Hi Xenomes,

You forgot to configure the no-NAT rules.
Try the following:

[code:1]access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0
!
nat (inside) 0 access-list nonat[/code:1]

Let me know if this fixed your problem ^^

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
More
14 years 5 months ago #32453 by Xenomes
At first it was not working!
but when I set the
[code:1]split-tunnel-network-list value REMOTEVPN_splitTunnelAcl[/code:1]
It was working and the internet was local.

Thanks for the fast help.
More
12 years 11 months ago #36765 by beatricedns
Secure Remote Access, powered by the Cisco ASA 5500 Series SSL/IPsec VPN Edition enables organizations to deeply and seamlessly accommodate assets admission to a ample arrangement of users, contractors, and business ally on the better array of adaptable and anchored endpoints.ASA 5500 Series delivers best amount to your alignment with the a lot of absolute set of Secure Socket Layer and IP aegis VPN features, performance, and scalability in the industry.
Time to create page: 0.150 seconds