Please check my VPN configuration in ASA 5510
17 years 6 months ago #21454
by mazen
Hi,
I configured VPN in ASA 5510 but it doesn't work. Can anyone check my configuration and tell me what the problem is?
________________________
[edited by smurf to remove passwords]
ciscoasa> en
Password:
ciscoasa# sh runn
: Saved
:
ASA Version 7.0(5)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ************ encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 88.84.*.* 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd **************** encrypted
ftp mode passive
access-list inside_nat0_outbound extended permit ip interface inside 192.168.2.16 255.255.255.240
access-list branchesvpn_splitTunnelAcl standard permit host 192.168.2.10
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool branchesvpn 192.168.2.20-192.168.2.30 mask 255.255.255.0
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy branchesvpn internal
group-policy branchesvpn attributes
dns-server value 192.168.2.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value branchesvpn_splitTunnelAcl
webvpn
username mazen password ************ encrypted privilege 0
username mazen attributes
vpn-group-policy branchesvpn
webvpn
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group branchesvpn type ipsec-ra
tunnel-group branchesvpn general-attributes
address-pool branchesvpn
default-group-policy branchesvpn
tunnel-group branchesvpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a9d9564ba81be08ff4e464bec8037f75
: end
ciscoasa#
17 years 6 months ago #21537
by anti-hack
hi mazen,
What you seem to have done wrong is that you created the VPN through the PDM's wizard. That, in my experience, is not a very guaranteed way of getting it right; to be frank with you, it never worked for me either. I use the CLI to get it done, works all the time.
The steps for configuring Remote-Access VPNs are easily available at www.cisco.com; you can follow them and get it right the first time.
17 years 4 months ago #22482
by Bikramjit
Hi,
Check the following config. You can copy and paste it.
tunnel-group branchesvpn general-attributes
no address-pool branchesvpn
exit
no access-list inside_nat0_outbound extended permit ip interface inside 192.168.2.16 255.255.255.240
no access-list branchesvpn_splitTunnelAcl standard permit host 192.168.2.10
no ip local pool branchesvpn 192.168.2.20-192.168.2.30 mask 255.255.255.0
ip local pool branchesvpn 192.168.3.20-192.168.3.30 mask 255.255.255.0
access-list branchesvpn_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.16 255.255.255.240
tunnel-group branchesvpn general-attributes
address-pool branchesvpn
- After the changes, disconnect and reconnect the VPN client.
- Cisco always suggests using a different IP pool subnet from the one on the internal interface, to avoid any possible routing conflicts.
Let me know about the status!!!!
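Added example, not part of the thread and not an ASA tool: a small Python check that reads the three config pieces the reply above changes (the inside interface subnet, the ip local pool and the destination of the nat0 ACL) and flags a pool that overlaps the inside subnet or that the NAT exemption does not fully cover. The two excerpts are constructed from the thread's values; the parser is my own and only handles these three statement types.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config: pool inside the inside /24,
# nat0 exemption covering 192.168.2.16/28 (so it does cover .20-.30).
POSTED = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.2.10 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface inside 192.168.2.16 255.255.255.240
ip local pool branchesvpn 192.168.2.20-192.168.2.30 mask 255.255.255.0
"""

# Constructed excerpt after the suggested fix: pool moved to 192.168.3.x and the
# nat0 ACL rewritten so its destination /28 actually contains .20-.30.
FIXED = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.2.10 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.16 255.255.255.240
ip local pool branchesvpn 192.168.3.20-192.168.3.30 mask 255.255.255.0
"""

def parse(config):
    """Extract the inside subnet, the pool (first, last) and the nat0 ACL destination."""
    inside = pool = nat0_dst = None
    nameif = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]          # remember which interface block we are in
        elif line.startswith("ip address ") and nameif == "inside":
            _, _, ip, mask = line.split()
            inside = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+) mask", line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"access-list \S*nat0\S* extended permit ip .* (\S+) (\S+)$", line):
            nat0_dst = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)  # last two tokens
    return inside, pool, nat0_dst

def check(config):
    """Return the findings a reviewer would raise; an empty list means the three pieces agree."""
    inside, (lo, hi), nat0_dst = parse(config)
    findings = []
    if lo in inside or hi in inside:
        findings.append("pool overlaps the inside subnet")
    if lo not in nat0_dst or hi not in nat0_dst:
        findings.append("pool not fully covered by the nat0 exemption")
    return findings

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, check(cfg) or "ok")
```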