Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Basic ASA config with VPN. (updated)

Basic ASA config with VPN. (updated) 7 years 7 months ago #29724

  • haddock
  • haddock's Avatar
  • Offline
  • New Member
  • Posts: 5
  • Karma: 0
Hey, Im going edit this post because I understand now that I wasnt that clear in my question. What Im wondering about is 2 things and I think both of them comes down to my access-list's. I cant seem to make a simple port forward on any port from my ASA to my servers on the inside network. second Im also having some problems with my VPN I can connect so that seems fine, but I cant reach anything on the inside network. Here is my basic configuration. If someone has the time please look over it and point out what I have done wrong.

: Saved
: Written by enable_15 at 00:29:04.082 UTC Mon Mar 23 2009
ASA Version 8.0(2)
hostname ciscokontor
enable password "something private" encrypted
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address *.*.*.157
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd "something private" encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
dns server-group swipnet
object-group network group-inside-vpnclient
description All inside accessible networks
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip
access-list vpnclient_splitTunnelAcl standard permit
access-list outside_access_in extended permit tcp any host *.*.*.157 eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host *.*.*.157 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool-vpnclient mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp *.*.*.157 3389 3389 netmask
static (inside,outside) tcp *.*.*.157 www www netmask
access-group outside_access_in in interface outside
route outside *.*.*.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside

threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
group-policy group-policy-default internal
group-policy group-policy-default attributes
dns-server value
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth disable
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
default-domain value etab.local
username haddock password "something private" encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool ippool-vpnclient
default-group-policy group-policy-default
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
prompt hostname context
The administrator has disabled public write access.

Re: Basic ASA config with VPN. (updated) 7 years 6 months ago #29806

Your confi looks ok. Can you run a show crypto isakmp and also show crypto ipsec and post the output here.
The administrator has disabled public write access.

Re: Basic ASA config with VPN. (updated) 7 years 6 months ago #29972

  • haddock
  • haddock's Avatar
  • Offline
  • New Member
  • Posts: 5
  • Karma: 0
Sorry forgot to say that I got it to work and thats the running config Im using atm. But now on to my next project try to get an site2site working between to ASA 5505. Wish me good luck.
The administrator has disabled public write access.
Time to create page: 0.086 seconds


Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V


  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup