- Posts: 5
- Thank you received: 0
Basic ASA config with VPN. (updated)
15 years 9 months ago #29724
by haddock
Basic ASA config with VPN. (updated) was created by haddock
Hey, Im going edit this post because I understand now that I wasnt that clear in my question. What Im wondering about is 2 things and I think both of them comes down to my access-list's. I cant seem to make a simple port forward on any port from my ASA to my servers on the inside network. second Im also having some problems with my VPN I can connect so that seems fine, but I cant reach anything on the inside network. Here is my basic configuration. If someone has the time please look over it and point out what I have done wrong.
: Saved
: Written by enable_15 at 00:29:04.082 UTC Mon Mar 23 2009
!
ASA Version 8.0(2)
!
hostname ciscokontor
domain-name engbergs.se
enable password "something private" encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.135.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address *.*.*.157 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd "something private" encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 195.198.219.6
domain-name engbergs.se
dns server-group swipnet
name-server 192.71.220.10
object-group network group-inside-vpnclient
description All inside accessible networks
network-object 192.168.135.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.135.0 255.255.255.0 192.168.134.0 255.255.255.224
access-list vpnclient_splitTunnelAcl standard permit 192.168.135.0 255.255.255.0
access-list outside_access_in extended permit tcp any host *.*.*.157 eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host *.*.*.157 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool-vpnclient 192.168.134.2-192.168.134.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.135.0 255.255.255.0
static (inside,outside) tcp *.*.*.157 3389 192.168.135.201 3389 netmask 255.255.255.255
static (inside,outside) tcp *.*.*.157 www 192.168.135.207 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.135.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.135.89 255.255.255.255 inside
telnet 192.168.135.201 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.135.2-192.168.135.33 inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy group-policy-default internal
group-policy group-policy-default attributes
dns-server value 192.168.135.201
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth disable
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
default-domain value etab.local
username haddock password "something private" encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool ippool-vpnclient
default-group-policy group-policy-default
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
prompt hostname context
: Saved
: Written by enable_15 at 00:29:04.082 UTC Mon Mar 23 2009
!
ASA Version 8.0(2)
!
hostname ciscokontor
domain-name engbergs.se
enable password "something private" encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.135.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address *.*.*.157 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd "something private" encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 195.198.219.6
domain-name engbergs.se
dns server-group swipnet
name-server 192.71.220.10
object-group network group-inside-vpnclient
description All inside accessible networks
network-object 192.168.135.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.135.0 255.255.255.0 192.168.134.0 255.255.255.224
access-list vpnclient_splitTunnelAcl standard permit 192.168.135.0 255.255.255.0
access-list outside_access_in extended permit tcp any host *.*.*.157 eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host *.*.*.157 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool-vpnclient 192.168.134.2-192.168.134.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.135.0 255.255.255.0
static (inside,outside) tcp *.*.*.157 3389 192.168.135.201 3389 netmask 255.255.255.255
static (inside,outside) tcp *.*.*.157 www 192.168.135.207 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.135.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.135.89 255.255.255.255 inside
telnet 192.168.135.201 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.135.2-192.168.135.33 inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy group-policy-default internal
group-policy group-policy-default attributes
dns-server value 192.168.135.201
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth disable
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
default-domain value etab.local
username haddock password "something private" encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool ippool-vpnclient
default-group-policy group-policy-default
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
prompt hostname context
- cisco-tips
- Offline
- New Member
Less
More
- Posts: 9
- Thank you received: 0
15 years 8 months ago #29806
by cisco-tips
Replied by cisco-tips on topic Re: Basic ASA config with VPN. (updated)
Your confi looks ok. Can you run a show crypto isakmp and also show crypto ipsec and post the output here.
15 years 8 months ago #29972
by haddock
Replied by haddock on topic Re: Basic ASA config with VPN. (updated)
Sorry forgot to say that I got it to work and thats the running config Im using atm. But now on to my next project try to get an site2site working between to ASA 5505. Wish me good luck.
Time to create page: 0.134 seconds