[c-nsp] ASA Remote site VPN

Daniel Hooper dhooper at emerge.net.au
Fri Jul 20 09:14:31 EDT 2007


Dear Mr Krishna,

Always a good idea to remove passwords (even encrypted ones) and
production IP addresses from configurations posted to a public mailing
list.
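
The point above is the one to act on before a config goes out. The script below is an added example, not code from any message in this thread: it sanitizes an ASA running config on the way to a public list by replacing the hashed enable, login and user passwords, pre-shared keys and the Cryptochecksum with a placeholder, and by rewriting every public IPv4 address into the 192.0.2.0/24 documentation range with a consistent mapping, so that two lines referring to the same host still visibly refer to the same host. Private addresses and netmasks are left alone. The sample input is a handful of lines from the config posted further down; the placeholder text, the pattern list and the mapping scheme are the example's own choices.

```python
"""Sanitize an ASA running config before it goes to a public list.

Added example, not from the thread. Replaces credential material with a
placeholder and maps public IPv4 addresses into 192.0.2.0/24 (RFC 5737)
consistently, so the posted config still shows which hosts are the same.
"""
import ipaddress
import re

# A few lines from the config posted in this thread, used as sample input.
SAMPLE = """\
enable password oxHHVUhvm1EJfZCj encrypted
interface Ethernet0/0
 nameif outside
 ip address 213.177.160.50 255.255.255.252
passwd 2KFQnbNIdI.2KYOU encrypted
global (outside) 100 213.177.160.49 netmask 255.255.255.252
 dns-server value 213.177.160.1 213.177.160.2
username telesec password mLUUBJZq1Q9OKOae encrypted privilege 15
 pre-shared-key *
route outside 0.0.0.0 0.0.0.0 213.177.160.49 1
Cryptochecksum:3c04c79e7b589375c3003c945a61f653
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# (pattern, replacement): the secret token is dropped, the statement itself
# is kept so the config still reads as ASA syntax for whoever looks at it.
SECRET_PATTERNS = [
    (re.compile(r"^(\s*enable password )\S+( encrypted)?"), r"\1<REDACTED>\2"),
    (re.compile(r"^(\s*passwd )\S+( encrypted)?"), r"\1<REDACTED>\2"),
    (re.compile(r"^(\s*username \S+ password )\S+( encrypted)?"), r"\1<REDACTED>\2"),
    (re.compile(r"^(\s*snmp-server community )\S+"), r"\1<REDACTED>"),
    (re.compile(r"^(\s*pre-shared-key )\S+"), r"\1<REDACTED>"),
    (re.compile(r"^(\s*Cryptochecksum:)\S+"), r"\1<REDACTED>"),
]


def _is_netmask(ip):
    """True for dotted masks such as 255.255.255.252 (contiguous high bits)."""
    inv = (~int(ip)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def _keep(ip):
    """Addresses that reveal nothing about the site: private, special, masks."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or _is_netmask(ip))


def redact_config(text):
    """Return (sanitized config, {real public address: placeholder})."""
    addr_map = {}

    def pseudonymize(match):
        try:
            ip = ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:  # four dotted numbers but not an IP
            return match.group(0)
        if _keep(ip):
            return match.group(0)
        if ip not in addr_map:  # first public address seen -> 192.0.2.1, then .2, ...
            addr_map[ip] = ipaddress.IPv4Address("192.0.2.0") + len(addr_map) + 1
        return str(addr_map[ip])

    out = []
    for line in text.splitlines():
        for pattern, repl in SECRET_PATTERNS:
            line = pattern.sub(repl, line)
        out.append(IPV4.sub(pseudonymize, line))
    return "\n".join(out) + "\n", {str(k): str(v) for k, v in addr_map.items()}


if __name__ == "__main__":
    clean, mapping = redact_config(SAMPLE)
    print(clean)
    print("address map (keep this private):", mapping)
```

The mapping is returned rather than discarded so the poster can translate answers back; it must stay off the list, since it is exactly the information the redaction removed.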

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
krishna at siticable.co.ug
Sent: Friday, 20 July 2007 3:00 PM
To: Amol Sapkal
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA Remote site VPN

Dear Mr. Amol,

Thanks for your reply. I tried to allow the traffic from outside to
inside but it still failed. I think I am making a small mistake in
diverting the traffic from outside to inside/internal.

sh run
: Saved
:
ASA Version 7.0(5) 
!
hostname ASA
domain-name xxxx.xx
enable password oxHHVUhvm1EJfZCj encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 213.177.160.50 255.255.255.252 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Ethernet0/2
 nameif internal
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.224 
access-list internal_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.224 
access-list ucom_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 
access-list out_acc_in extended permit tcp any any 
access-list in_acc_out extended permit tcp any any 
pager lines 24
mtu outside 1500
mtu inside 1500
mtu internal 1500
ip local pool VPNPOOL 172.16.1.1-172.16.1.16 mask 255.255.255.240
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 100 213.177.160.49 netmask 255.255.255.252
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.0.0 255.255.255.0
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 100 192.168.10.0 255.255.255.0
static (inside,outside) tcp 213.177.160.50 www 192.168.10.44 www netmask 255.255.255.255 
access-group out_acc_in in interface outside
access-group in_acc_out out interface inside
access-group in_acc_out out interface internal
route outside 0.0.0.0 0.0.0.0 213.177.160.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ucom internal
group-policy ucom attributes
 dns-server value 213.177.160.1 213.177.160.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ucom_splitTunnelAcl
 default-domain value xxxx.xx
 webvpn
username telesec password mLUUBJZq1Q9OKOae encrypted privilege 15
username gemalto password EAwYWfbDrtjzr5xI encrypted privilege 0
username gemalto attributes
 vpn-group-policy ucom
 webvpn
username sigvalue password CFqT082gDAsqzvn0 encrypted privilege 0
username sigvalue attributes
 vpn-group-policy ucom
 webvpn
http server enable
http 192.168.10.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group ucom type ipsec-ra
tunnel-group ucom general-attributes
 address-pool VPNPOOL
 default-group-policy ucom
tunnel-group ucom ipsec-attributes
 pre-shared-key *
telnet 192.168.10.0 255.255.255.0 internal
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:3c04c79e7b589375c3003c945a61f653
: end
ASA#


Any clue please. 

Thanks in Advance,

Kris.
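
Amol's question (how is incoming traffic allowed, and what does the log show) is the right starting point. Two things can also be checked mechanically from the config: whether every address in the VPN pool is NAT-exempt (nat 0) toward each LAN interface, and whether each LAN subnet is in the split-tunnel list, since with split-tunnel-policy tunnelspecified the client only routes the listed networks into the tunnel. The script below is an added example, not code from the thread. It parses the relevant lines of a trimmed copy of the config above (wrapped lines re-joined, the public address replaced by a 198.51.100.0/24 documentation address) and reports both checks. On that config the pool is exempt toward both LANs, and only 192.168.10.0/24 is in the split-tunnel list, which is what the access-list says; whether that is the cause of the problem is not settled in the thread.

```python
"""Reachability sanity checks for an ASA 7.x remote-access VPN.

Added example, not from the thread. Standard library only. Two checks:
  1. every address in the client pool is NAT-exempt (nat 0) toward each LAN;
  2. every LAN subnet appears in the split-tunnel list when the policy is
     'tunnelspecified', since the client only routes listed networks in.
"""
import ipaddress
import re

# Trimmed copy of the posted config: wrapped lines re-joined, the public
# address replaced with a documentation-range (198.51.100.0/24) address.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.50 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif internal
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list internal_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list ucom_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
ip local pool VPNPOOL 172.16.1.1-172.16.1.16 mask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (internal) 0 access-list internal_nat0_outbound
group-policy ucom attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ucom_splitTunnelAcl
"""


def _net(addr, mask):
    """ASA writes 'address mask'; turn that into the containing network."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa(config):
    """Pull interfaces, ACLs, pool, nat 0 bindings and split-tunnel settings
    out of `show run` text. Only the statements the checks need are read."""
    ifaces, acls, nat0 = {}, {}, {}
    pool = split_acl = split_policy = None
    cur = None  # nameif of the interface block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = None
        elif m := re.match(r"nameif (\S+)$", line):
            cur = m.group(1)
            ifaces[cur] = {"level": None, "net": None}
        elif (m := re.match(r"security-level (\d+)$", line)) and cur:
            ifaces[cur]["level"] = int(m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and cur:
            ifaces[cur]["net"] = _net(m.group(1), m.group(2))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m.group(1), []).append(
                (_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            acls.setdefault(m.group(1), []).append((None, _net(m.group(2), m.group(3))))
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+) mask \S+$", line):
            pool = (ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            nat0[m.group(1)] = m.group(2)
        elif m := re.match(r"split-tunnel-policy (\S+)$", line):
            split_policy = m.group(1)
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            split_acl = m.group(1)
    return {"ifaces": ifaces, "acls": acls, "nat0": nat0, "pool": pool,
            "split_acl": split_acl, "split_policy": split_policy}


def _lan_interfaces(parsed):
    """Interfaces other than the security-level 0 (outside) one."""
    return {n: i for n, i in parsed["ifaces"].items()
            if i["level"] != 0 and i["net"] is not None}


def check_nat_exemption(parsed):
    """Per LAN interface: is every pool address matched by a nat 0 ACL entry
    whose source overlaps that LAN? Unmatched addresses would be NATed."""
    first, last = parsed["pool"]
    addrs = [ipaddress.IPv4Address(a) for a in range(int(first), int(last) + 1)]
    result = {}
    for name, info in _lan_interfaces(parsed).items():
        entries = parsed["acls"].get(parsed["nat0"].get(name), [])
        result[name] = all(
            any(src.overlaps(info["net"]) and a in dst for src, dst in entries)
            for a in addrs)
    return result


def check_split_tunnel(parsed):
    """LAN subnets not covered by the split-tunnel list (empty if full tunnel)."""
    if parsed["split_policy"] != "tunnelspecified":
        return []
    listed = [dst for _, dst in parsed["acls"].get(parsed["split_acl"], [])]
    return [(name, str(info["net"])) for name, info in _lan_interfaces(parsed).items()
            if not any(info["net"].subnet_of(n) for n in listed)]


if __name__ == "__main__":
    parsed = parse_asa(SAMPLE_CONFIG)
    print("pool NAT-exempt toward each LAN:", check_nat_exemption(parsed))
    print("LANs missing from split-tunnel list:", check_split_tunnel(parsed))
```

Run it against a full `show run` after sanitizing the file; both checks only read the statements listed in the parser, so unrelated lines are ignored.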


Quoting Amol Sapkal <amolsapkal at gmail.com>:

> Kris,
> 
> In the below configuration, how are you allowing the incoming traffic? (from
> outside to inside/internal)
> 
> Can you share your logs, when you try to initiate an access to the inside?
> (output of 'show logging')
> 
> 
> Regards,
> Amol
> 
> PS: Hope the user/pass on the configs are not the actual ones!
> 
> 
> 
> On 7/20/07, krishna at siticable.co.ug <krishna at siticable.co.ug> wrote:
> >
> > Hi All,
> >
> > I am configuring remote site VPN on ASA 5510. I am using Cisco VPN client. I
> > am able to connect the VPN successfully; after connecting I cannot access
> > the LAN on the ASA side. The config is as follows:
> >
> >
> >
> > sh run
> > : Saved
> > :
> > ASA Version 7.0(5)
> > !
> > hostname ASA
> > domain-name xxxx.xx
> > enable password oxHHVUhvm1EJfZCj encrypted
> > names
> > dns-guard
> > !
> > interface Ethernet0/0
> > nameif outside
> > security-level 0
> > ip address 213.177.160.50 255.255.255.252
> > !
> > interface Ethernet0/1
> > nameif inside
> > security-level 100
> > ip address 192.168.0.1 255.255.255.0
> > !
> > interface Ethernet0/2
> > nameif internal
> > security-level 100
> > ip address 192.168.10.1 255.255.255.0
> > !
> > interface Management0/0
> > shutdown
> > no nameif
> > no security-level
> > no ip address
> > management-only
> > !
> > passwd 2KFQnbNIdI.2KYOU encrypted
> > ftp mode passive
> > access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.224
> > access-list internal_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.224
> > access-list ucom_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
> > pager lines 24
> > mtu outside 1500
> > mtu inside 1500
> > mtu internal 1500
> >
> > ip local pool VPNPOOL 172.16.1.1-172.16.1.16 mask 255.255.255.240
> > asdm image disk0:/asdm505.bin
> > no asdm history enable
> > arp timeout 14400
> >
> > global (outside) 1 interface
> > nat (inside) 0 access-list inside_nat0_outbound
> > nat (inside) 1 192.168.0.0 255.255.255.0
> > nat (internal) 0 access-list internal_nat0_outbound
> > nat (internal) 1 192.168.10.0 255.255.255.0
> > route outside 0.0.0.0 0.0.0.0 213.177.160.49 1
> >
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> > timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> >
> > group-policy ucom internal
> > group-policy ucom attributes
> > dns-server value 213.177.160.1 213.177.160.2
> > split-tunnel-policy tunnelspecified
> > split-tunnel-network-list value ucom_splitTunnelAcl
> > default-domain value xxxx.xx
> > webvpn
> > username telesec password mLUUBJZq1Q9OKOae encrypted privilege 15
> > username gemalto password EAwYWfbDrtjzr5xI encrypted privilege 0
> > username gemalto attributes
> > vpn-group-policy ucom
> > webvpn
> > username sigvalue password CFqT082gDAsqzvn0 encrypted privilege 0
> > username sigvalue attributes
> > vpn-group-policy ucom
> > webvpn
> > http server enable
> > http 192.168.10.0 255.255.255.0 internal
> > no snmp-server location
> > no snmp-server contact
> > snmp-server enable traps snmp authentication linkup linkdown coldstart
> > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> > crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> > crypto map outside_map interface outside
> > isakmp enable outside
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption 3des
> > isakmp policy 10 hash sha
> > isakmp policy 10 group 2
> > isakmp policy 10 lifetime 86400
> > tunnel-group ucom type ipsec-ra
> > tunnel-group ucom general-attributes
> > address-pool VPNPOOL
> > default-group-policy ucom
> > tunnel-group ucom ipsec-attributes
> > pre-shared-key *
> > telnet 192.168.10.0 255.255.255.0 internal
> > telnet timeout 5
> > ssh timeout 5
> > console timeout 0
> > !
> > class-map inspection_default
> > match default-inspection-traffic
> > !
> > !
> > policy-map global_policy
> > class inspection_default
> > inspect dns maximum-length 512
> > inspect ftp
> > inspect h323 h225
> > inspect h323 ras
> > inspect rsh
> > inspect rtsp
> > inspect esmtp
> > inspect sqlnet
> > inspect skinny
> > inspect sunrpc
> > inspect xdmcp
> > inspect sip
> > inspect netbios
> > inspect tftp
> > !
> > service-policy global_policy global
> > Cryptochecksum:94fb36e22bab9ae94dcdd91dcdb9f188
> > : end
> >
> >
> > As I am new to VPN configuration on ASA, I couldn't understand where I
> > am mistaken.
> > Has anyone else faced this problem before? Please share the solution.
> >
> > Thanks in Advance
> >
> > Kris.
> >
> >
> >
> > ----------------------------------------------------------------------
> > This mail sent through Toaster-Horde (http://qmailtoaster.clikka.com/)
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
> 
> 
> -- 
> Warm regards,
> 
> Amol Sapkal
> 
> -------------------------------------------------------------------
> "When I'm not in my right mind, my left mind
> gets pretty crowded"
> -------------------------------------------------------------------
> 



