[c-nsp] VPN clients on Cisco ASA

Randy randy_94108 at yahoo.com
Tue Jul 28 17:12:31 EDT 2009


Hello Kiran,
1) You are using upper-case and lower-case "o" in your crypto map - can't do that.
Relevant changes (within parentheses) below:
 
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map O(o)utside_dyn_map 10 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map O(o)utside_map 10 ipsec-isakmp dynamic O(o)utside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
 
2) The keyword "any" in the split-tunnel acl effectively disables split-tunneling. Instead, specify the subnets for which traffic needs to be encrypted.
 
3) crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2 (make sure the vpn client supports D-H group 2)
 lifetime 43200
 
4) Make sure isakmp identity is not 'hostname'; use 'address' instead. Also disable DPD (no isakmp keepalive). NAT-T should be enabled. If you are using udp/tcp wrappers, ensure udp/tcp ports match on both ends.
 
5) The outside acl is wide open (with permit ip any any). Recommend locking it down. For VPN, allow tcp 50 and udp 500 to the outside int from any unless sysopt conn ipsec permit is enabled.
 
6) Probably would be a good idea to replace IPs with x.x.x.x when posting configs on a public site.
 
regards,
./Randy
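An added example (mine, not from anyone in this thread) that checks a pasted ASA config for points 1, 2 and 5 above: crypto map and dynamic-map names that differ only in case, a split-tunnel ACL that permits any, and an inbound ACL on the outside interface with permit ip any any. The two configs embedded below are constructed to resemble Kiran's (his attachment is not in the archive); the outside address 203.0.113.10 is a placeholder. The corrected config narrows the split-tunnel ACL to the 192.168.0.0/24 range from the original post and admits only isakmp (udp/500), NAT-T (udp/4500) and ESP (IP protocol 50) to the outside interface.

```python
"""Lint an ASA config for three remote-access VPN mistakes: crypto map names
that differ only in case, a split-tunnel ACL that permits "any", and an
inbound ACL on the outside interface that permits ip any any."""
import re
from collections import defaultdict

# Constructed sample resembling the problem config (Kiran's attachment is not
# on the page). 203.0.113.10 is a placeholder outside address, not a real one.
BROKEN_CONFIG = """\
access-list split_tunnel_acl standard permit any
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
group-policy vpnclients attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
"""

# Same config with the three problems corrected (also constructed).
FIXED_CONFIG = """\
access-list split_tunnel_acl standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit udp any host 203.0.113.10 eq isakmp
access-list outside_access_in extended permit udp any host 203.0.113.10 eq 4500
access-list outside_access_in extended permit esp any host 203.0.113.10
access-group outside_access_in in interface outside
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
group-policy vpnclients attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
"""

def crypto_map_name_mismatches(cfg):
    """Map names are case-sensitive on the ASA: group every crypto map and
    dynamic-map name (defined or referenced) by its lower-cased form and
    report the groups that are spelled more than one way."""
    spellings = defaultdict(set)
    for line in cfg.splitlines():
        m = re.match(r"crypto (?:dynamic-map|map) (\S+)", line)
        if m:
            spellings[m.group(1).lower()].add(m.group(1))
        m = re.search(r"\bipsec-isakmp dynamic (\S+)", line)
        if m:
            spellings[m.group(1).lower()].add(m.group(1))
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}

def acl_entries(cfg, name):
    """Return the entries of access-list <name> with the prefix stripped."""
    entries = []
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0] == "access-list" and parts[1] == name:
            entries.append(" ".join(parts[2:]))
    return entries

def _permits_everything(entry):
    # "standard permit any" or "extended permit ip any any" (any4/any6 too)
    return re.match(r"(standard permit any|extended permit ip any\d? any\d?)(\s|$)",
                    entry) is not None

def split_tunnel_acls_permitting_any(cfg):
    """Split-tunnel lists that permit any: the client tunnels everything."""
    found = []
    for m in re.finditer(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M):
        acl = m.group(1)
        if acl not in found and any(_permits_everything(e) for e in acl_entries(cfg, acl)):
            found.append(acl)
    return found

def wide_open_inbound_acls(cfg):
    """(acl, interface) pairs where an inbound access-group permits ip any any."""
    found = []
    for m in re.finditer(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        acl, iface = m.groups()
        if any(_permits_everything(e) for e in acl_entries(cfg, acl)):
            found.append((acl, iface))
    return found

def lint(cfg):
    """Run all three checks; empty results mean the config passed."""
    return {
        "case_mismatches": crypto_map_name_mismatches(cfg),
        "split_tunnel_any": split_tunnel_acls_permitting_any(cfg),
        "wide_open_inbound": wide_open_inbound_acls(cfg),
    }

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg))
```

Run it against the output of `show running-config` (with addresses scrubbed, per point 6) before posting a config for help; the case check is the one that is easiest to miss by eye, since both spellings look like the same map in a long listing.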
 
--- On Tue, 7/28/09, Oddiraju, Kiran @ London SMC <Kiran.Oddiraju at cbre.com> wrote:


From: Oddiraju, Kiran @ London SMC <Kiran.Oddiraju at cbre.com>
Subject: Re: [c-nsp] VPN clients on Cisco ASA
To: "Ryan West" <rwest at zyedge.com>
Cc: cisco-nsp at puck.nether.net
Date: Tuesday, July 28, 2009, 7:01 AM


Hi Guys,

Appreciate your help on this. Have tried the VPN Wizard and the CLI
config from the below link but still no luck. The Cisco VPN client tries
to connect and after a few seconds shows Not Connected. I think it
is an ACL issue but I am not 100% sure. I have attached the running
config, could someone please take a look?

Many thanks,
Kiran

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: 27 July 2009 13:57
To: Oddiraju, Kiran @ London SMC; cisco-nsp at puck.nether.net
Subject: RE: VPN clients on Cisco ASA

Hello again Kiran,

I think you should take a quick read through the following link.  You
can use the ASDM Remote Access VPN wizard to configure most of the
settings and if you're interested in doing it via CLI, that's also an
option.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

In particular, the options you have asked are all covered in the doc
except for split-tunneling, at least the associated output in CLI.
You'll want to configure that inside the group policy you create from
the link above.  Here is an example:

group-policy mygrouppolicyname attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <ACL Here>

Let me know how it works out for you.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran
@ London SMC
Sent: Monday, July 27, 2009 8:33 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN clients on Cisco ASA

Hi List,

Cisco ASA 5505

Cisco VPN Client 5.0

ASA External IP: 80.90.100.117 /29

Internal range: 192.168.0.0 /24

I am new to Cisco ASA world and have been struggling to configure my
5505 to accept VPN connections from external hosts. I want to allocate
IP address dynamically, allow access to certain subnets and allow
internet access thru their local connection. Can someone please post me
a sample ASA config?

Thanks guys

Regards,

Kiran


CB Richard Ellis Limited, Registered Office: St Martin's Court, 10
Paternoster Row, London, EC4M 7HP, registered in England and Wales No.
3536032. 
Regulated by the RICS and an appointed representative of CB Richard
Ellis Indirect Investment Services Limited which is authorised and
regulated by the Financial Services Authority.

This communication is from CB Richard Ellis Limited or one of its
associated/subsidiary companies. This communication contains information
which is confidential and may be privileged. If you are not the intended
recipient, please contact the sender immediately. Any use of its
contents is strictly prohibited and you must not copy, send or disclose
it, or rely on its contents in any way whatsoever. 
Reasonable care has been taken to ensure that this communication (and
any attachments or hyperlinks contained within it) is free from computer
viruses. 
No responsibility is accepted by CB Richard Ellis Limited or its
associated/subsidiary companies and the recipient should carry out any
appropriate virus checks.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
