
VPN ACL

17 years 5 months ago #21927 by skepticals
Replied by skepticals on topic Re: VPN ACL
Well, maybe you are right :D

How would I go about letting the VPN network communicate with another network. The first address in the VPN pool is 10.3.254.10 and I want to be able to access the 10.3.4.0 network.

This is what I entered:
[code:1]access-list inside_nat0_outbound extended permit ip 10.3.4.0 255.255.255.0 10.3.254.0 255.255.255.192[/code:1]

It is subnetted to 64 addresses because my VPN pool only allows .10-.60.

Am I going about this correctly? Is there something else I need?
17 years 5 months ago #22072 by naveenkollipara
Replied by naveenkollipara on topic Re: VPN ACL
Hi,

We need to add an access-list for excluding the VPN IPs from NAT while accessing the internal network.

Are you using split tunneling?

If you can paste the configuration with non-real public IPs, we can provide much better steps.

Thanks & Regards,
Naveen Kollipara.
17 years 5 months ago #22133 by anti-hack
Replied by anti-hack on topic Re: VPN ACL
Well, one thing I have tested previously is that nat0 doesn't work with tcp or udp; it only works with ip.
I am trying the same thing with a PIX 515E but with a little variety. I want to grant access to my remote users through a RADIUS server. For that I have a FreeRADIUS server on my network. I am having trouble configuring my PIX to use AAA to authenticate and authorize the users only for specific users and for specific ports. Accounting I have kept as a second phase.

Has anyone used a FreeRADIUS server in conjunction with a PIX? I am sure yes, someone must be using it here; I would be glad to get some more info. I have made no configuration changes on my PIX, because I haven't clearly understood what needs to be done.

Awaiting some response,
17 years 5 months ago #22145 by skepticals
Replied by skepticals on topic Re: VPN ACL
Here is my config. Any ideas on the VPN access?

[code:1]ASA Version 7.2(2)
!
hostname ASA
domain-name domain.local
enable password ************ encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif outside
security-level 0
ip address X.X.167.50 255.255.255.240
!
interface Ethernet0/1
description DMZ Interface
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
description Lan Interface
nameif inside
security-level 100
ip address 10.3.254.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface
nameif management
security-level 100
no ip address
management-only
!
passwd ************ encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name domain.local
access-list Static extended permit udp host X.X.161.20 host X.X.167.51 eq 1813
access-list Static extended permit tcp host X.X.161.20 host X.X.167.52 eq 1234
access-list Static extended permit tcp host X.X.161.20 host X.X.167.52 eq 1235
access-list Static extended permit tcp host X.X.161.20 host X.X.167.50 eq www
access-list Static extended permit tcp host X.X.203.3 host X.X.167.55 eq pcanywhere-data
access-list Static extended permit udp host X.X.203.3 host X.X.167.55 eq pcanywhere-status
access-list Static extended permit tcp host X.X.161.1 host X.X.167.55 eq ftp
access-list Static extended permit tcp 67.135.222.0 255.255.255.128 host X.X.167.56 eq 3389
access-list Static extended permit udp any any eq 4500
access-list Static extended permit udp any any eq isakmp
access-list Static extended permit udp any any
access-list Static extended permit icmp any any echo-reply
access-list Static extended permit icmp any any unreachable
access-list Static extended permit tcp any host X.X.167.57 eq www
access-list Static extended permit tcp any host X.X.167.60 eq www
access-list Static extended permit tcp any host X.X.167.58 eq www
access-list CPL_splitTunnelAcl standard permit 10.3.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 10.3.254.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.3.4.0 255.255.255.0 10.3.254.0 255.255.255.192
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
mtu management 1500
ip local pool Remote_Client_Pool 10.3.254.10-10.3.254.60 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.3.0.0 255.255.0.0
static (inside,outside) X.X.167.52 10.3.5.5 netmask 255.255.255.255
static (inside,outside) X.X.167.53 10.3.5.4 netmask 255.255.255.255
static (inside,outside) X.X.167.51 10.3.5.6 netmask 255.255.255.255
static (inside,outside) X.X.167.55 10.3.6.10 netmask 255.255.255.255
static (inside,outside) X.X.167.56 10.3.4.10 netmask 255.255.255.255
static (inside,outside) X.X.167.57 10.3.4.13 netmask 255.255.255.255
static (DMZ,outside) X.X.167.60 172.16.0.3 netmask 255.255.255.255
static (inside,outside) X.X.167.58 10.3.3.7 netmask 255.255.255.255
static (DMZ,inside) 10.3.4.250 172.16.0.3 netmask 255.255.255.255
access-group Static in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.167.49 1
route inside 10.3.4.0 255.255.255.0 10.3.254.2 1
route inside 10.3.6.0 255.255.255.0 10.3.254.2 1
route inside 10.3.7.0 255.255.255.0 10.3.254.2 1
route inside 10.3.5.0 255.255.255.0 10.3.254.2 1
route inside 10.3.3.0 255.255.255.0 10.3.254.2 1
route inside 10.3.2.0 255.255.255.0 10.3.254.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy CPL internal
group-policy CPL attributes
dns-server value 10.3.4.10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CPL_splitTunnelAcl
vpn-group-policy CPL
aaa authentication enable console LOCAL
http server enable
http 10.3.254.0 255.255.255.192 outside
http 10.3.2.0 255.255.255.0 inside
http 10.3.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group CPL type ipsec-ra
tunnel-group CPL general-attributes
address-pool Remote_Client_Pool
default-group-policy CPL
tunnel-group CPL ipsec-attributes
pre-shared-key *
telnet 10.3.254.0 255.255.255.0 outside
telnet 10.254.0.0 255.255.255.0 outside
telnet 10.3.253.0 255.255.255.0 outside
telnet 10.3.4.0 255.255.255.0 inside
telnet 10.3.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 192.5.41.41 source outside prefer
ntp server 192.5.41.40 source outside
ntp server 192.43.244.18 source outside
ntp server 18.145.0.30 source outside
prompt hostname context
Cryptochecksum:b51f159320381dab4a99fb8ea1d0ec90
: end
[/code:1]
17 years 5 months ago #22156 by naveenkollipara
Replied by naveenkollipara on topic Re: VPN ACL
Hi,

Generally it is not suggested to use the same network for the vpn clients without performing proper subnetting. I would recommend the following commands to make the vpn clients connect to the network and access the resources,

New Commands: (the below two command enables you to communicate with 10.3.4.0 network from vpn clients)
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.3.1.0 255.255.255.0 10.3.4.0 255.255.255.0

Edit Commands:
(Have a separate network for the vpn clients)
ip local pool Remote_Client_Pool 10.3.254.10-10.3.254.60 mask 255.255.255.0
ip local pool Remote_Client_Pool 10.3.1.0-10.3.1.254

(No nat for the inside clients trying to respond to the vpn client requests)
access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 10.3.254.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 10.3.1.0 255.255.255.0

(No nat for the inside clients trying to respond to the vpn client requests)
access-list inside_nat0_outbound extended permit ip 10.3.4.0 255.255.255.0 10.3.254.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.3.4.0 255.255.255.0 10.3.1.0 255.255.255.0

Let me know for any clarifications.

Thank You,
Naveen

Thanks & Regards,
Naveen Kollipara.
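To make the point of Naveen's advice concrete, here is an added example (written for this page, not taken from the thread or from Cisco) in Python: it reads the relevant lines of the posted config and reports whether the VPN pool is carved out of the inside interface's own subnet, and which internal networks still lack a nat 0 exemption covering the whole pool. It assumes the NAT-exemption ACL is named inside_nat0_outbound as in the config above and treats the inside subnet plus every `route inside` destination as an internal network; the config excerpt is constructed from the posted lines.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.2 config posted in this thread: only the lines the check reads.
SAMPLE_CONFIG = """\
interface Ethernet0/2
 nameif inside
 ip address 10.3.254.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 10.3.254.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.3.4.0 255.255.255.0 10.3.254.0 255.255.255.192
ip local pool Remote_Client_Pool 10.3.254.10-10.3.254.60 mask 255.255.255.0
route inside 10.3.4.0 255.255.255.0 10.3.254.2 1
route inside 10.3.5.0 255.255.255.0 10.3.254.2 1
"""
NAT0_RE = re.compile(r"access-list inside_nat0_outbound extended permit ip (\S+) (\S+) (\S+) (\S+)")
POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+)")
ROUTE_RE = re.compile(r"route inside (\S+) (\S+) ")

def net(addr, mask):
    """ASA writes 'address mask'; turn that into an IPv4Network (host bits masked off)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Return (inside subnet, (pool first, pool last), nat0 (src, dst) pairs, routed inside subnets)."""
    inside, pool, nat0, routes, in_inside = None, None, [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_inside = False                      # a new interface block starts
        elif line == "nameif inside":
            in_inside = True
        elif in_inside and line.startswith("ip address "):
            inside = net(*line.split()[2:4])       # address and mask tokens
        elif m := POOL_RE.match(line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := NAT0_RE.match(line):
            nat0.append((net(m[1], m[2]), net(m[3], m[4])))
        elif m := ROUTE_RE.match(line):
            routes.append(net(m[1], m[2]))
    return inside, pool, nat0, routes

def pool_overlaps_inside(inside, pool):
    """True when the VPN pool is taken from the inside interface's own subnet (the thread's situation)."""
    return pool[0] in inside or pool[1] in inside

def unexempted_networks(inside, pool, nat0, routes):
    """Internal networks with no nat0 entry whose source covers them and whose destination covers the whole pool."""
    return [n for n in [inside] + routes
            if not any(n.subnet_of(src) and pool[0] in dst and pool[1] in dst for src, dst in nat0)]
```

Run parse_config on a `show running-config` dump and feed the result to the two checks; on the posted excerpt the pool overlaps the inside subnet and 10.3.5.0/24 is still translated toward VPN clients because only 10.3.254.0/24 and 10.3.4.0/24 have exemptions.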
17 years 5 months ago #22170 by pothead
Replied by pothead on topic Re: VPN ACL
access-list Static extended permit tcp host 1.2.3.4 10.x.x.x 255.x.x.x eq 3389

(where x.x.x = the subnet of your internal network, the network that the VPN clients are trying to get to.)