topic Re: VPN setup, SSL and IPsec in Network Security

VPN setup, SSL and IPsec

patrifick — Mon, 11 Mar 2019 17:44:23 GMT

Hi,

I wonder whether would anybody be able to help me setup VPN on our firewall.

What we try to achieve is to have 2 option IPsec, SSL with option to use Anyconnect cisco client.

I have ran a wizard and adder NAT exception but it doesn't seem to work.

Thanks

Patrick

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.186 email-outside-186
name 62.253.196.187 Logmein-outside-187
name 10.1.3.11 VPN1
name 10.1.3.12 VPN2
name 10.1.3.13 VPN3
name 10.1.3.14 VPN4
name 10.1.3.15 VPN5
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
same-security-traffic permit intra-interface
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
object-group network DM_INLINE_NETWORK_2
network-object host unicorn-outside-182
network-object host email-outside-186
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
object-group network VPN-IP
network-object host VPN1
network-object host VPN2
network-object host VPN3
network-object host VPN4
network-object host VPN5
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any host blbsvr eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit tcp host barracuda any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 object-group VPN-IP
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.1.3.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip local pool CH-VPN-IP 10.1.3.10-10.1.3.20 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255 dns
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255 dns
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
static (inside,inside) webmail-outside-180 exchsvr netmask 255.255.255.255
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc enable
group-policy CH-VPN internal
group-policy CH-VPN attributes
vpn-tunnel-protocol svc
group-policy CH-VPN-IP internal
group-policy CH-VPN-IP attributes
dns-server value 10.1.4.9 10.1.4.5
vpn-tunnel-protocol IPSec
default-domain value riia.local
username sdt.support password T2e5gsVDBxSeG5hI encrypted privilege 0
username sdt.support attributes
vpn-group-policy CH-VPN
username leet password 1HQqUS.HfJJHjs12 encrypted privilege 0
username leet attributes
vpn-group-policy CH-VPN
tunnel-group CH-VPN type remote-access
tunnel-group CH-VPN general-attributes
address-pool CH-VPN-IP
default-group-policy CH-VPN
tunnel-group CH-VPN-IP type remote-access
tunnel-group CH-VPN-IP general-attributes
address-pool CH-VPN-IP
default-group-policy CH-VPN-IP
tunnel-group CH-VPN-IP ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context

Re: VPN setup, SSL and IPsec

Jennifer Halim — Wed, 12 May 2010 12:26:49 GMT

1) Try to use a different subnet for your vpn pool, currently it's in the same subnet as your inside interface (/16 subnet).

Currently: ip local pool CH-VPN-IP 10.1.3.10-10.1.3.20 mask 255.255.0.0

Change it to the following eg: ip local pool CH-VPN-IP 10.3.3.10-10.3.3.20 mask 255.255.255.0

Then you would need to change the NAT exemption to:

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.3.3.0 255.255.255.0

2) IPSec client should work. Have you tried, where is it failing?

3) For SSL VPN Client (AnyConnect), you have to upload the AnyConnect software to the ASA, and install the software. From the configuration, it has not been installed yet.

Here is the sample configuration to setup AnyConnect (SSL VPN Client) for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Hope that helps.

Re: VPN setup, SSL and IPsec

patrifick — Wed, 12 May 2010 12:39:06 GMT

I am trying to change the CH-VPN-IP but I get the error:

"IP address pool cannot be edited beause is used by - connection profile CH-VPN and CH-VPN-IP"

regarding the error for IPsec from the log I get

1 13:37:47.294 05/12/10 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

2 13:37:47.300 05/12/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 62.253.196.178

3 13:37:47.349 05/12/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 62.253.196.178

4 13:37:47.355 05/12/10 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified

5 13:37:47.355 05/12/10 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

6 13:37:47.355 05/12/10 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

7 13:37:47.355 05/12/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 62.253.196.178

8 13:37:47.355 05/12/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 62.253.196.178

9 13:37:47.355 05/12/10 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

10 13:37:47.355 05/12/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=9D7AA76E5551780B R_Cookie=A0499047502140BF) reason = DEL_REASON_IKE_NEG_FAILED

11 13:37:48.359 05/12/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9D7AA76E5551780B R_Cookie=A0499047502140BF) reason = DEL_REASON_IKE_NEG_FAILED

12 13:37:48.379 05/12/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

any ideas?

thanks Patrick

Re: VPN setup, SSL and IPsec

Jennifer Halim — Wed, 12 May 2010 12:44:43 GMT

For IPSec, it seems that you have entered invalid group password as per the following errorr:

Hash verification failed... may be configured with invalid group password.

Please check that you use the pre-shared key as the group password for IPSec VPN.

To change the IP Pool, you would need to remove it first as follows:

tunnel-group CH-VPN general-attributes
no address-pool CH-VPN-IP

tunnel-group CH-VPN-IP general-attributes
no address-pool CH-VPN-IP

Make the changes, and reapply it:

tunnel-group CH-VPN general-attributes
address-pool CH-VPN-IP

tunnel-group CH-VPN-IP general-attributes
address-pool CH-VPN-IP

Re: VPN setup, SSL and IPsec

patrifick — Wed, 12 May 2010 13:14:42 GMT

Hi,

- sorry I cannot find the setting where I can change the password.

- I have uploaded a image the the firewall and the SLL client was installed correctly on my PC however it cannot connect either

error: AnyConnect was not able to establish a connecttion to the specified secure gateway. Please try connectin again.

thanks

Patrick

names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.186 email-outside-186
name 62.253.196.187 Logmein-outside-187
name 10.3.3.11 VPN1
name 10.3.3.12 VPN2
name 10.3.3.13 VPN3
name 10.3.3.14 VPN4
name 10.3.3.15 VPN5
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
same-security-traffic permit intra-interface
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
object-group network DM_INLINE_NETWORK_2
network-object host unicorn-outside-182
network-object host email-outside-186
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
object-group network VPN-IP
network-object host VPN1
network-object host VPN2
network-object host VPN3
network-object host VPN4
network-object host VPN5
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any host blbsvr eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit tcp host barracuda any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 object-group VPN-IP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip local pool CH-VPN-IP 10.3.3.10-10.3.3.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255 dns
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255 dns
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
static (inside,inside) webmail-outside-180 exchsvr netmask 255.255.255.255
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
svc enable
group-policy CH-VPN internal
group-policy CH-VPN attributes
vpn-tunnel-protocol svc
group-policy CH-VPN-IP internal
group-policy CH-VPN-IP attributes
dns-server value 10.1.4.9 10.1.4.5
vpn-tunnel-protocol IPSec
default-domain value riia.local
username sdt.support password T2e5gsVDBxSeG5hI encrypted privilege 0
username sdt.support attributes
vpn-group-policy CH-VPN
username leet password 1HQqUS.HfJJHjs12 encrypted privilege 0
username leet attributes
vpn-group-policy CH-VPN
tunnel-group CH-VPN type remote-access
tunnel-group CH-VPN general-attributes
address-pool CH-VPN-IP
default-group-policy CH-VPN
tunnel-group CH-VPN-IP type remote-access
tunnel-group CH-VPN-IP general-attributes
address-pool CH-VPN-IP
default-group-policy CH-VPN-IP
tunnel-group CH-VPN-IP ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context

: end

Re: VPN setup, SSL and IPsec

Jennifer Halim — Wed, 12 May 2010 13:28:42 GMT

It's the tunnel-group ipsec attributes:

tunnel-group CH-VPN-IP ipsec-attributes

pre-shared-key

Re: VPN setup, SSL and IPsec

patrifick — Wed, 12 May 2010 13:53:22 GMT

I have reset the password and tried again to connect but I get the same error. However when I was saving

the changes I also got another error: [ERROR] no isakmp ikev1-user-authentication (inside) xauth

thanks

Patrick

Re: VPN setup, SSL and IPsec

patrifick — Wed, 12 May 2010 14:15:42 GMT

well, I got a bit further, I have change the password to all lower case and I am now getting prompt for username and password

error: secure vpn connection terminated by peer, reason 433 - not specified by peer.

it seems that the same error comes from both SSL and IPsec

thanks

Patrick

Re: VPN setup, SSL and IPsec

patrifick — Wed, 12 May 2010 15:21:03 GMT

Hi,

I managed to get the IPsec working however when I connect I am getting an IP address on 10.3.3.x / 24 range rather the inside network range.

The SSL is stil not working. It prompts for username and password and after that it fails.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!

names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.186 email-outside-186
name 62.253.196.187 Logmein-outside-187
name 10.3.3.11 VPN1
name 10.3.3.12 VPN2
name 10.3.3.13 VPN3
name 10.3.3.14 VPN4
name 10.3.3.15 VPN5
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup outside
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
same-security-traffic permit intra-interface
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
object-group network DM_INLINE_NETWORK_2
network-object host unicorn-outside-182
network-object host email-outside-186
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
object-group network VPN-IP
network-object host VPN1
network-object host VPN2
network-object host VPN3
network-object host VPN4
network-object host VPN5
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any host blbsvr eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit tcp host barracuda any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 object-group VPN-IP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip local pool CH-VPN-IP 10.3.3.10-10.3.3.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255 dns
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255 dns
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
static (inside,inside) webmail-outside-180 exchsvr netmask 255.255.255.255
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
svc enable
group-policy CH-VPN internal
group-policy CH-VPN attributes
vpn-tunnel-protocol IPSec svc
group-policy CH-VPN-IP internal
group-policy CH-VPN-IP attributes
dns-server value 10.1.4.9 10.1.4.5
vpn-tunnel-protocol IPSec svc
default-domain value riia.local
username sdt.support password cdUOkKYGfsyZgwTx encrypted privilege 0
username sdt.support attributes
vpn-group-policy CH-VPN
username leet password 1fJc82CICO2zAFcfTW47KQ== nt-encrypted privilege 0
username leet attributes
vpn-group-policy CH-VPN
tunnel-group CH-VPN type remote-access
tunnel-group CH-VPN general-attributes
address-pool (inside) CH-VPN-IP
address-pool CH-VPN-IP
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy CH-VPN
tunnel-group CH-VPN-IP type remote-access
tunnel-group CH-VPN-IP general-attributes
address-pool CH-VPN-IP
default-group-policy CH-VPN-IP
tunnel-group CH-VPN-IP ipsec-attributes
pre-shared-key *****
radius-sdi-xauth
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context

: end

Re: VPN setup, SSL and IPsec

patrifick — Wed, 12 May 2010 15:52:12 GMT

Hi,

I managed to get the the IP address right on IPsec, however I cannot ping anything on internal network or to connect to it.

I don't have any progress on SSL anyconnect.

thanks

Patrick

Re: VPN setup, SSL and IPsec

Jennifer Halim — Thu, 13 May 2010 04:10:19 GMT

Add the following lines:

management-access inside

crypto isakmp nat-traversal 20

policy-map global_policy
class inspection_default

inspect icmp

and reconnect the VPN, and see if you can ping 10.1.5.1, or any other internal hosts now.

Re: VPN setup, SSL and IPsec

patrifick — Thu, 13 May 2010 08:03:45 GMT

Hi,

I can connect on IPsec and ping the 10.1.5.1 ( firewall ) but cannot ping or connect to anything else.

I have also tried to test the Anyconnect and cannot connect at all.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ch-asa

name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.186 email-outside-186
name 62.253.196.187 Logmein-outside-187
name 10.1.3.11 VPN1
name 10.1.3.12 VPN2
name 10.1.3.13 VPN3
name 10.1.3.14 VPN4
name 10.1.3.15 VPN5
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup outside
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
same-security-traffic permit intra-interface
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
object-group network DM_INLINE_NETWORK_2
network-object host unicorn-outside-182
network-object host email-outside-186
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
object-group network VPN-IP
network-object host VPN1
network-object host VPN2
network-object host VPN3
network-object host VPN4
network-object host VPN5
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any host blbsvr eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433 inactive
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit tcp host barracuda any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 object-group VPN-IP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip local pool CH-VPN-IP 10.1.3.10-10.1.3.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255 dns
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255 dns
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
static (inside,inside) webmail-outside-180 exchsvr netmask 255.255.255.255
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
group-policy CH-VPN internal
group-policy CH-VPN attributes
vpn-tunnel-protocol IPSec svc
group-policy CH-VPN-IP internal
group-policy CH-VPN-IP attributes
dns-server value 10.1.4.9 10.1.4.5
vpn-tunnel-protocol IPSec svc
default-domain value riia.local
username sdt.support password cdUOkKYGfsyZgwTx encrypted privilege 0
username sdt.support attributes
vpn-group-policy CH-VPN
username leet password 1fJc82CICO2zAFcfTW47KQ== nt-encrypted privilege 0
username leet attributes
vpn-group-policy CH-VPN
tunnel-group CH-VPN type remote-access
tunnel-group CH-VPN general-attributes
address-pool (inside) CH-VPN-IP
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy CH-VPN
tunnel-group CH-VPN-IP type remote-access
tunnel-group CH-VPN-IP general-attributes
address-pool CH-VPN-IP
default-group-policy CH-VPN-IP
tunnel-group CH-VPN-IP ipsec-attributes
pre-shared-key *****
radius-sdi-xauth
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context

: end

Re: VPN setup, SSL and IPsec

Jennifer Halim — Thu, 13 May 2010 10:19:03 GMT

Well, it looks like you have changed your IP Pool to what it was before again:

ip local pool CH-VPN-IP 10.1.3.10-10.1.3.20 mask 255.255.255.0

As advised earlier, the ip pool needs to be in different subnet than your internal network. I've seen that NAT exemption access-list has also changed to 10.1.3.x.

Please change all back to 10.3.3.0/24 subnet. Otherwise, because pool and internal subnet are in the same subnet, it will try to ARP for the ip instead of routing it towards their default gateway.

Re: VPN setup, SSL and IPsec

patrifick — Thu, 13 May 2010 15:22:33 GMT

Hi,

the IPsec now works I can connect to the network - many thanks for this, however is there a way that I can browse my local network as well. I have checked the option on the client but I cannot ping anything my side?

The SSL Anyconnect doesn't work and doesn't give me any informations where is it failing. It prompts me for username and password then it asks to confirm a certificate and then it tries to connect after about 10s it says that it cannot connect.

Thanks

Patrick

Re: VPN setup, SSL and IPsec

Jennifer Halim — Fri, 14 May 2010 09:25:21 GMT

1) Are you able to ping the ASA inside interface from VPN client? ping 10.1.5.1

2) You might also want to add the split tunnel policy:

access-list split-acl standard permit 10.1.0.0 255.255.0.0

group-policy CH-VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl

group-policy CH-VPN-IP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl

3) Can you also confirm that you have changed the NAT exemption access-list to the new ip pool (10.3.3.0/24)?

4) Lastly, for your internal subnets, is the ASA inside interface the default gateway? OR/ alternatively, can you add route for the pool subnet (10.3.3.0/24) on your internal router to point towards the ASA inside interface (10.1.5.1).

Re: VPN setup, SSL and IPsec

patrifick — Fri, 14 May 2010 09:35:05 GMT

Hi,

the IPsec now works exactly as we want, brilliant, thanks.

The SSL Anyconnect doesn't but I wouldn't worry about it, we can work on the IPsec without any issue.

Please take this as answered call

Patrick

Re: VPN setup, SSL and IPsec

Jennifer Halim — Fri, 14 May 2010 09:37:55 GMT

Great to hear, and thanks for the rating.