02-02-2011 06:17 AM - edited 03-11-2019 12:43 PM
Ok these are my needs:
I really need the ASA to fail over between 2 ISPs, but here's the hard part: I need the Exchange email (OWA) to also fail over with the ISP. Oh, and if possible, I need the VPN to fail over also.
I have drafted out a config in Notepad (not tested in the ASA yet as I don't have it, and I have to get this correct quickly when it does come in). I hope all the below info is more helpful than it is overwhelming for everyone. Thanks in advance.
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
hostname ASA
domain-name domain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
----------------------------------------------------------------
--------------------- INTERFACES ---------------------
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
interface Vlan2
nameif outside1
security-level 0
ip address <T1 Outside Static IP> 255.255.255.248
interface Vlan3
nameif outside2
security-level 0
ip address <Cable One Outside Static IP> 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
-------------------------------------------------------------------
------------------- OBJECT GROUPS --------------------
object network obj_any_T1
subnet 0.0.0.0 0.0.0.0
object network obj_any_CableOne
subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
subnet 10.100.0.0 255.255.255.0
object network obj-LANSubnet
subnet 192.168.101.0 255.255.255.0
object network SERVER01
host <Inside Server IP>
object network SERVER02
host <Inside Server IP>
object network SERVER03
host <Inside Server IP>
object network SERVER04
host <Inside Server IP>
object network SERVER05
host <Inside Server IP>
object network SERVER06
host <Inside Server IP>
----------------------------------------------------------------
------------------- ACCESS LISTS ---------------------
\\ SPLIT TUNNELING
access-list splittunnel extended permit ip 192.168.101.0 255.255.255.0
\\ STOP SMTP SPAMMERS INTERNALLY
access-list inside_access_out extended permit tcp host <server inside Static> any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
\\ OUTSIDE1
access-list 101_Outside1_access_in remark <Description>
access-list 101_Outside1_access_in extended permit tcp any host <Server static for T1 side> eq www
access-list 101_Outside1_access_in extended permit tcp any host <Server static for T1 side> eq smtp
access-list 101_Outside1_access_in extended permit tcp any host <Server static for T1 side> eq https
access-list 101_Outside1_access_in permit ip 10.100.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101_Outside1_access_in permit ip 192.168.101.0 255.255.255.0 10.100.0.0 255.255.255.0
\\ OUTSIDE2
access-list 101_Outside2_access_in remark <Description>
access-list 101_Outside2_access_in extended permit tcp any host <Server static for CableOne side> eq www
access-list 101_Outside2_access_in extended permit tcp any host <Server static for CableOne side> eq smtp
access-list 101_Outside2_access_in extended permit tcp any host <Server static for CableOne side> eq https
access-list 101_Outside2_access_in permit ip 10.100.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101_Outside2_access_in permit ip 192.168.101.0 255.255.255.0 10.100.0.0 255.255.255.0
------------------ Are the above access lists needed, or will the below cover it? ------------------
access-list outside_in extended permit tcp any host <server inside Static> eq www
access-list outside_in extended permit tcp any host <server inside Static> eq https
access-list outside_in extended permit tcp any host <server inside Static> eq smtp
-----------------------------------------------------------------------------------------------------
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside1 1500
mtu outside2 1500
----------------------------------------------------------------
-------------------- VPN POOL INFO -------------------
ip local pool vpnpool 10.100.0.50-10.100.0.100
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
----------------------------------------------------------------------------------------
----- APPLYING OBJECT GROUPS, NAT AND ACCESSLISTS -----
nat (inside,outside1) source static obj-LANSubnet obj-LANSubnet destination static obj-vpnPool obj-vpnPool
nat (inside,outside2) source static obj-LANSubnet obj-LANSubnet destination static obj-vpnPool obj-vpnPool
object network obj_any_T1
nat (inside,outside1) dynamic interface
object network obj_any_CableOne
nat (inside,outside2) dynamic interface
\\ OUTSIDE1 (T1)
object network SERVER01
nat (inside,outside1) static interface service tcp smtp smtp
object network SERVER02
nat (inside,outside1) static interface service tcp www www
object network SERVER03
nat (inside,outside1) static interface service tcp https https
\\ OUTSIDE2 (CableOne)
object network SERVER04
nat (inside,outside2) static interface service tcp smtp smtp
object network SERVER05
nat (inside,outside2) static interface service tcp www www
object network SERVER06
nat (inside,outside2) static interface service tcp https https
access-group outside_in in interface outside1 <------- ONLY USED IF USING OTHER ACCESS LIST MENTIONED ABOVE
access-group outside_in in interface outside2 <------- ONLY USED IF USING OTHER ACCESS LIST MENTIONED ABOVE
access-group inside_access_out in interface inside
access-group 101_Outside1_access_in in interface Outside1
access-group 101_Outside2_access_in in interface Outside2
-------------------------------------------------------------
---------------------- ROUTES ------------------------
route outside1 0.0.0.0 0.0.0.0 <T1 Gateway IP> 1 track 1
route outside2 0.0.0.0 0.0.0.0 <CableOne Gateway IP> 255
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
---------------------------------------------------------------
--------------------- AAA SERVER ---------------------
aaa-server TACACS+ protocol tacacs+
aaa-server RA_SERVER_GROUP protocol radius
aaa-server LDAP_SERV_GROUP protocol ldap
aaa-server LDAP_SERV_GROUP (inside) host <server inside Static>
ldap-base-dn dc=domain, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password <server password>
ldap-login-dn cn=Administrator, cn=Users, dc=domain, dc=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside1
http 0.0.0.0 0.0.0.0 outside2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
--------------------------------------------------------
------------ SLA MONITOR FOR ISP FAILOVER ------------
sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.2 interface outside1
num-packets 4
frequency 10
sla monitor schedule 1 life forever start-time now
service resetoutside
-----------------------------------------------------------------
--------------------- CRYPTO MAPS --------------------
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside1
crypto map RA-VPN interface outside2
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside1
crypto isakmp enable outside2
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000
-------------------------------------------------------------
---------------------- FAILOVER ----------------------
track 1 rtr 1 reachability
-----------------------------------------------------------------------
----------------- TELNET/SSH/CONSOLE -----------------
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside1
ssh 0.0.0.0 0.0.0.0 outside2
ssh timeout 60
console timeout 0
management-access inside
---------------------------------------------------------------
---------------------- DHCP/DNS ----------------------
dhcpd dns <server inside Static> 8.8.8.8
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain domain.local
dhcpd auto_config outside1
dhcpd auto_config outside2
dhcpd address 192.168.101.100-192.168.101.200 inside
dhcpd enable inside
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
priority-queue inside
priority-queue outside1
priority-queue outside2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
------------------------------------------------------------------
--------------------- ANYCONNECT ---------------------
webvpn
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value <server inside Static> 8.8.8.8
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.local
------------------------------------------------------------------
------------------- GROUP POLICIES -------------------
group-policy ldapvpn internal
group-policy ldapvpn attributes
dns-server value <server inside Static> 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.local
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value <server inside Static> 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.local
-----------------------------------------------------------------
--------------------- USERNAMES ----------------------
username administrator password <Password> encrypted privilege 15
username UserExample password <Password> encrypted privilege 7
--------------------------------------------------------------------
-------------------- TUNNEL GROUPS -------------------
tunnel-group RA-VPN type remote-access
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key <Key>
tunnel-group ldapvpn type remote-access
tunnel-group ldapvpn general-attributes
address-pool vpnpool
authentication-server-group LDAP_SERV_GROUP
default-group-policy ldapvpn
tunnel-group ldapvpn ipsec-attributes
pre-shared-key <Key>
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f6e35e4741bf944d8f3d7fb5d2794655
: end
02-03-2011 10:16 PM
Hi,
I took like 20 minutes to write a nice post, but, the session kicked me out and all that I wrote went to... you know. You can accomplish that doing the following
1-MX record for SMTP should be able to resolve to 2 IPs, one for the primary Link and the other one for the secondary.
2-VPN information will failover if the stateful link is configured (In case of IPsec Tunnels) ISAKMP tables are replicated.
3-Internet is going to failover if SLA is correctly configured.
Hope it helps.
Mike
SLA monitor
02-04-2011 07:59 AM
I hate that, I had to write my post three times because it kept timing out. Anyway, in regards to your answer, thank you for the post; I quickly went through it, and that is the information I found in the past to originally set this config up. The only issue I am facing is that whenever the connection does switch, any traffic headed out the backup link is not binding to the new address (let me explain better):
So let's say you have a web server at 192.168.1.3 that is statically NATed to a static IP (let's call it static1). That allows traffic to know that when it hits the T1 connection, the outside sees static1. Well, when it switches to the DSL link, 192.168.1.3 then needs to be statically NATed to the DSL static IP (let's call this one static2), so now that it's switched to the DSL, the outside users will only see the IP static2. That is the main issue I am having; I just want to see if my config is really performing this correctly. I have tried to implement this with the ACLs as shown here:
object network obj_any_T1
nat (inside,outside1) dynamic interface
object network obj_any_CableOne
nat (inside,outside2) dynamic interface
access-group 101_Outside1_access_in in interface Outside1
access-group 101_Outside2_access_in in interface Outside2
The same goes for the VPN, if you look down the config you will see several areas where I tried to force information to carry over to the backup link:
Under DHCP/DNS:
dhcpd auto_config outside1 <-------------------
dhcpd auto_config outside2 <-------------------
Under Crypto Maps:
crypto map RA-VPN interface outside1 <-------------------
crypto map RA-VPN interface outside2 <-------------------
crypto isakmp enable outside1 <-------------------
crypto isakmp enable outside2 <-------------------
What do you think? I know you mentioned in points 1 and 2 that it will work, but is that because it automatically will, or is it because of the commands I mentioned above? (Looking for reassurance more than anything here, if you can't tell.)
02-05-2011 09:47 AM
Hi,
Well, both, the statics are needed in order to access the servers on both links and the crypto map is needed when it does failover to the other one. And you know what? I am starting to have second thoughts on the VPN. Once the ASA goes to the other link, clients may need to reconnect. I think there is an option on the VPN client where you can configure backup servers, but I am not quite sure.
The other stuff will work fine.
Cheers
Mike
02-07-2011 06:33 AM
Awesome, thank you. I am going to be configuring this today on the ASA, I will let you know how it goes.
02-08-2011 02:43 PM
Waiting on the Security Plus licensing currently, I will update you when I get that and can finish the config.
02-12-2011 08:44 AM
Excellent Vicky, I will stand by.
Mike
02-14-2011 09:40 AM
Well still waiting on the Security Plus licensing stuff but just an update to the situation:
I went ahead and set the company up with their primary link and kept the backup line turned off while I wait for the Security Plus licensing. Also, a change had to be made to the config; I had some issues and had to work around them. Also, they wanted to have Cable One as the primary link. I will link the config with the changes made:
Changes to note:
Explanation:
Cable One:
IP Address range: 101.XXX.XXX.100 - XX.XXX.XXX.105
Subnet Mask: 255.255.255.248
Gateway: 101.XXX.XXX.1
T1:
IP Address range: 202.XXX.XXX.100 - XX.XXX.XXX.105
Subnet Mask: 255.255.255.248
Gateway: 202.XXX.XXX.1
I had the firewall (outside1) as, let's say, 101.XXX.XXX.101 and the server as 101.XXX.XXX.102 for the primary link, then 202.XXX.XXX.101 for outside2 and 202.XXX.XXX.102 for the server on the secondary link. This did not work, so I had to use the firewall IP address and turn off all management on the outside (no management-access inside, no http 0.0.0.0 outside1, no http 0.0.0.0 outside2) so OWA (mail) would work on HTTP/HTTPS.
I was not able to troubleshoot why this would not work before having to change it though in the future I would really prefer to NOT use the external IP of the ASA as the server. How do I do this? Which is best practice?
4. Obviously, due to the above, I had to take ASDM off the external interface.
5. The final issue I have is that if you get two A records for this model (one for the server on the Cable One side and one for the T1 side), DNS would then have to round-robin, meaning 50% of the time you would have timeout issues. So, long story short, I had to tell the client we would not do this and that we would make it so you can send but not receive when on the secondary link. I think an ASA 5510 will be better for this implementation, but I am halfway in, so let's carry on anyway.
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
hostname ASA
domain-name domain.local
enable password
passwd
names
----------------------------------------------------------------
--------------------- INTERFACES ---------------------
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
interface Vlan2
nameif outside1
security-level 0
ip address 101.XXX.XXX.102 255.255.255.248
interface Vlan3
nameif outside2
security-level 0
ip address 202.XXX.XXX.102 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
-------------------------------------------------------------------
------------------- OBJECT GROUPS --------------------
object network obj_any_T1
subnet 0.0.0.0 0.0.0.0
object network obj_any_CableOne
subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
subnet 10.100.0.0 255.255.255.0
object network obj-LANSubnet
subnet 192.168.101.0 255.255.255.0
object network SERVER01
host
object network SERVER02
host
object network SERVER03
host
object network SERVER04
host
object network SERVER05
host
object network SERVER06
host
----------------------------------------------------------------
------------------- ACCESS LISTS ---------------------
\\ SPLIT TUNNELING
access-list splittunnel extended permit ip 192.168.101.0 255.255.255.0
\\ STOP SMTP SPAMMERS INTERNALLY
access-list inside_access_out extended permit tcp host
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
\\ OUTSIDE1
NOTE: Ended up having to refer to the server via its internal IP due to the 8.2(3) IOS changes
access-list 101_Outside1_access_in remark
access-list 101_Outside1_access_in extended permit tcp any host
access-list 101_Outside1_access_in extended permit tcp any host
access-list 101_Outside1_access_in extended permit tcp any host
access-list 101_Outside1_access_in permit ip 10.100.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101_Outside1_access_in permit ip 192.168.101.0 255.255.255.0 10.100.0.0 255.255.255.0
\\ OUTSIDE2
NOTE: Ended up having to refer to the server via its internal IP due to the 8.2(3) IOS changes
access-list 101_Outside2_access_in remark
access-list 101_Outside2_access_in extended permit tcp any host
access-list 101_Outside2_access_in extended permit tcp any host
access-list 101_Outside2_access_in extended permit tcp any host
access-list 101_Outside2_access_in permit ip 10.100.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101_Outside2_access_in permit ip 192.168.101.0 255.255.255.0 10.100.0.0 255.255.255.0
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside1 1500
mtu outside2 1500
----------------------------------------------------------------
-------------------- VPN POOL INFO -------------------
ip local pool vpnpool 10.100.0.50-10.100.0.100
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
----------------------------------------------------------------------------------------
----- APPLYING OBJECT GROUPS, NAT AND ACCESSLISTS -----
nat (inside,outside1) source static obj-LANSubnet obj-LANSubnet destination static obj-vpnPool obj-vpnPool
nat (inside,outside2) source static obj-LANSubnet obj-LANSubnet destination static obj-vpnPool obj-vpnPool
object network obj_any_T1
nat (inside,outside1) dynamic interface
object network obj_any_CableOne
nat (inside,outside2) dynamic interface
\\ OUTSIDE1 (T1)
object network SERVER01
nat (inside,outside1) static interface service tcp smtp smtp
object network SERVER02
nat (inside,outside1) static interface service tcp www www
object network SERVER03
nat (inside,outside1) static interface service tcp https https
\\ OUTSIDE2 (CableOne)
object network SERVER04
nat (inside,outside2) static interface service tcp smtp smtp
object network SERVER05
nat (inside,outside2) static interface service tcp www www
object network SERVER06
nat (inside,outside2) static interface service tcp https https
access-group inside_access_out in interface inside
access-group 101_Outside1_access_in in interface Outside1
access-group 101_Outside2_access_in in interface Outside2
-------------------------------------------------------------
---------------------- ROUTES ------------------------
route outside1 0.0.0.0 0.0.0.0 101.XXX.XXX.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 202.XXX.XXX.1 255
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
---------------------------------------------------------------
--------------------- AAA SERVER ---------------------
aaa-server TACACS+ protocol tacacs+
aaa-server RA_SERVER_GROUP protocol radius
aaa-server LDAP_SERV_GROUP protocol ldap
aaa-server LDAP_SERV_GROUP (inside) host
ldap-base-dn dc=domain, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password
ldap-login-dn cn=Administrator, cn=Users, dc=domain, dc=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside1
http 0.0.0.0 0.0.0.0 outside2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
--------------------------------------------------------
------------ SLA MONITOR FOR ISP FAILOVER ------------
sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.2 interface outside1
num-packets 4
frequency 10
sla monitor schedule 1 life forever start-time now
service resetoutside
-----------------------------------------------------------------
--------------------- CRYPTO MAPS --------------------
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside1
crypto map RA-VPN interface outside2
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside1
crypto isakmp enable outside2
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000
-------------------------------------------------------------
---------------------- FAILOVER ----------------------
track 1 rtr 1 reachability
-----------------------------------------------------------------------
----------------- TELNET/SSH/CONSOLE -----------------
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside1
ssh 0.0.0.0 0.0.0.0 outside2
ssh timeout 60
console timeout 0
management-access inside <---------------- Had to take this out as server now uses firewall external IP
---------------------------------------------------------------
---------------------- DHCP/DNS ----------------------
dhcpd dns
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain domain.local
dhcpd auto_config outside1
dhcpd auto_config outside2
dhcpd address 192.168.101.100-192.168.101.200 inside
dhcpd enable inside
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
priority-queue inside
priority-queue outside1
priority-queue outside2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
------------------------------------------------------------------
--------------------- ANYCONNECT ---------------------
webvpn
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.local
------------------------------------------------------------------
------------------- GROUP POLICIES -------------------
group-policy ldapvpn internal
group-policy ldapvpn attributes
dns-server value
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.local
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.local
-----------------------------------------------------------------
--------------------- USERNAMES ----------------------
username administrator password
username UserExample password
--------------------------------------------------------------------
-------------------- TUNNEL GROUPS -------------------
tunnel-group RA-VPN type remote-access
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key
tunnel-group ldapvpn type remote-access
tunnel-group ldapvpn general-attributes
address-pool vpnpool
authentication-server-group LDAP_SERV_GROUP
default-group-policy ldapvpn
tunnel-group ldapvpn ipsec-attributes
pre-shared-key
-------------------------------------------------------------
--------------------- BASIC INFO ---------------------
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f6e35e4741bf944d8f3d7fb5d2794655
: end
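Added example, not the poster's config and not tested by anyone in this thread: it answers the two open questions above (whether the mapped-address ACLs or the real-address `outside_in` ACL is needed on 8.3+, and how to avoid using the ASA's own interface address for the server). It assumes the server is 192.168.101.10, that one spare public address from each /29 listed above is used for the server (placeholders below), and that outside1 is Cable One and outside2 is T1 as in the final config.

```cisco
! Real (inside) address of the Exchange/OWA server; 192.168.101.10 is an assumed value
object network OWA-SERVER
 host 192.168.101.10
! One spare public address per ISP block, NOT the firewall's interface address
object network OWA-PUBLIC-CABLEONE
 host <CableOne spare public IP from the /29>
object network OWA-PUBLIC-T1
 host <T1 spare public IP from the /29>
! The three published services, grouped once instead of one object per port
object-group service OWA-PORTS tcp
 port-object eq smtp
 port-object eq www
 port-object eq https

! Twice (manual) NAT: one-to-one mapping per egress interface, so the same server is
! reachable on its Cable One address via outside1 and on its T1 address via outside2.
! Replaces the six SERVER0x objects that each pointed at the interface address.
nat (inside,outside1) source static OWA-SERVER OWA-PUBLIC-CABLEONE
nat (inside,outside2) source static OWA-SERVER OWA-PUBLIC-T1
! VPN pool to LAN exemption, kept per outside interface (same as the thread's config)
nat (inside,outside1) source static obj-LANSubnet obj-LANSubnet destination static obj-vpnPool obj-vpnPool
nat (inside,outside2) source static obj-LANSubnet obj-LANSubnet destination static obj-vpnPool obj-vpnPool

! On 8.3+ interface ACLs match the REAL (inside) address, so one ACL with the real
! address serves both links; the 101_Outside1/2 ACLs with mapped addresses are not needed.
access-list outside_in extended permit tcp any object OWA-SERVER object-group OWA-PORTS
access-list outside_in extended permit ip 10.100.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-group outside_in in interface outside1
access-group outside_in in interface outside2

! Default route tracked by the SLA monitor already defined in the thread (track 1);
! the backup route only becomes active when the primary probe fails.
route outside1 0.0.0.0 0.0.0.0 <CableOne Gateway IP> 1 track 1
route outside2 0.0.0.0 0.0.0.0 <T1 Gateway IP> 255

! Because the server no longer borrows the interface address, management can stay on
! the inside only. Remove the any-source entries on the outside interfaces and telnet.
no http 0.0.0.0 0.0.0.0 outside1
no http 0.0.0.0 0.0.0.0 outside2
no ssh 0.0.0.0 0.0.0.0 outside1
no ssh 0.0.0.0 0.0.0.0 outside2
no telnet 0.0.0.0 0.0.0.0 inside
http 192.168.101.0 255.255.255.0 inside
ssh 192.168.101.0 255.255.255.0 inside
ssh version 2
management-access inside
```

Check it from the outside with a connection to each public address while the other link is shut; `show xlate` and `show conn` on the ASA show which interface and mapped address the session was built on. The DNS point raised in item 5 (two A records) is unchanged by this: the NAT only makes the server reachable on both addresses, it does not decide which one clients try first.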