08-15-2013 03:45 AM - edited 03-11-2019 07:26 PM
Hello,
I apologize if this has already been asked. If you see a thread asking this same question, please link.
I am currently overseas and wish to set up my home (US) ASA 5505 with two VPN profiles; one full tunnel, one split tunnel. This would enable me to connect from either my PC or iPad and access my things at home (split-tunnel), or reach websites sourcing from my US address (full-tunnel).
I would prefer to go about this configuration via CLI as I am not too familiar with the GUI.
My first question is just a basic: What am I going for? Remote Access VPN with multiple groups? AnyConnect? Easy VPN? I'm not sharp on the ASA platform, so any help would be appreciated. I would very much like to use the iPad's built-in IPSEC VPN option (labeled "Cisco").
Thanks for any help
-Scott
ASA 5505 9.1(1)
08-17-2013 08:03 AM
I've been messing with the configuration and this is what I have. I am able to successfully authenticate via my iPad and obtain an IP from the vpnPool. However, I can only ping the inside interface IP (192.168.0.250), nothing else.
Right now I'm focusing on the Full Tunnel (hairpin) configuration. I know I'm missing something with NAT, but I'm not sure what...
ip local pool vpnPool 192.168.0.210-192.168.0.220 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.250 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
no pim
!
boot system disk0:/asa911-k8.bin
!
access-list outsideIN extended permit icmp any4 any4 object-group DM_INLINE_ICMP_1
!
asdm image disk0:/asdm-711-52.bin
!
nat (inside,outside) source static VPN-SOURCE VPN-SOURCE destination static VPN-DESTINATION-1 VPN-DESTINATION-1
nat (inside,outside) source static VPN-SOURCE VPN-SOURCE destination static VPN-DESTINATION-2 VPN-DESTINATION-2
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outsideIN in interface outside
!
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
!
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 4.2.2.6 4.2.2.2 interface inside
dhcpd domain local.lan interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
webvpn
anyconnect-essentials
group-policy Full_Tunnel internal
group-policy Full_Tunnel attributes
vpn-tunnel-protocol ssl-clientless
group-policy Split_Tunnel internal
group-policy Split_Tunnel attributes
vpn-tunnel-protocol ssl-clientless
webvpn
smart-tunnel tunnel-policy tunnelspecified homeNetwork
username scott password .. encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpnPool
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group groupFullTunnel type remote-access
tunnel-group groupFullTunnel general-attributes
address-pool vpnPool
default-group-policy Full_Tunnel
tunnel-group groupFullTunnel ipsec-attributes
ikev1 pre-shared-key *****
!
Excuse all the random config. I made the mistake of trying the wizard. I prefer CLI.
Side note, can I remove those 'crypto ikev policy' statements?
Thanks for any help
08-17-2013 09:03 AM
One thing is that you will have connection issues because the VPN pool is on the same subnet as the inside network. The inside network will think it is directly connected and never send the traffic to the ASA to be routed to the VPN. To get around this you could either subnet the current IP allocation or assign a completely separate subnet to the VPN (192.168.1.0/24 for example).
As for the NAT I am uncertain what you mean by VPN-SOURCE and VPN-DESTINATION. If the VPN-SOURCE is the VPN IP and VPN-DESTINATION is the LAN then the NAT statement is backwards and should read something like this:
nat (inside,outside) source static VPN-DESTINATION-1 VPN-DESTINATION-1 destination static VPN-SOURCE VPN-SOURCE
08-17-2013 09:07 AM
You need to exempt the VPN clients from NAT. Try adding:
object network lan-subnet
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static lan-subnet lan-subnet destination static lan-subnet lan-subnet
If that doesn't work have a look at this pdf guide -
http://www.vpntracker.com/cms_components/media/vpnt/VPNT_Interop_Howtos/1101/CiscoASA.pdf
It's for a Mac IPsec client but I've found that the configuration works perfectly well with the iPhone/iPad built-in Cisco IPsec client connecting to an ASA5505. The CLI commands are at the end of the document.
08-17-2013 11:28 AM
Thank you for the replies.
You're right in that I should have a different subnet for the vpnPool. I changed it to this:
ip local pool vpnPool 192.168.1.200-192.168.1.220 mask 255.255.255.0
I also added the following lines based on second reply:
object network vpn-subnet
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static vpn-subnet vpn-subnet destination static vpn-subnet vpn-subnet
When I connect, I now obtain the new pool of IPs, but I'm in the same spot as before. I can ping the inside interface IP, but that's it.
Marius, those VPN-SOURCE objects are defined for a site-to-site VPN I've been playing with. I shouldn't have included that in this effort, my apologies.
I now get the following log message when I connect to the VPN and try to ping:
5 | Aug 17 2013 | 14:10:03 | 305013 | 192.168.1.200 | LOCAL | 192.168.0.252 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.200(LOCAL\scott) dst inside:192.168.0.252 (type 8, code 0) denied due to NAT reverse path failure |
It's obviously a NAT issue, I'm just unsure of the solution...
Thanks again for the help
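The 305013 message quoted above is the ASA's way of saying the forward and reverse NAT lookups for one flow disagree. The following is an added example (not code from the thread or from Cisco) that parses that message in its standard syslog form and groups the denied flows by interface pair and source address, so a missing or reversed exemption shows up as a cluster of hits from the VPN pool rather than as one stray line. The sample log lines are constructed; the first one mirrors the event the poster quoted.

```python
"""Parse ASA syslog message 305013 ('NAT reverse path failure') and group the
denied flows by interface pair and source address. Added illustration, not
Cisco code."""
import re
from collections import Counter

# Constructed sample lines in the standard syslog form; the first mirrors the
# event quoted in the thread (ASDM shows the same fields as a table row).
SAMPLE_LOG = """\
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.200(LOCAL\\scott) dst inside:192.168.0.252 (type 8, code 0) denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.200/51234(LOCAL\\scott) dst inside:192.168.0.10/445 denied due to NAT reverse path failure
%ASA-6-302013: Built inbound TCP connection 4711 for outside:192.168.1.200/51235 (192.168.1.200/51235)(LOCAL\\scott) to inside:192.168.0.10/80 (192.168.0.10/80) (scott)
"""

# Fields of 305013: protocol, src interface:address[/port][(user)], dst interface:address[/port].
MSG_305013 = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?(?:\((?P<user>[^)]*)\))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_305013(line):
    """Return the flow fields of a 305013 line, or None for any other message."""
    m = MSG_305013.search(line)
    return m.groupdict() if m else None


def summarize(log):
    """Count reverse-path failures per (src interface, dst interface, source address)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_305013(line)
        if rec:
            counts[(rec["src_if"], rec["dst_if"], rec["src"])] += 1
    return counts


def explain(key):
    """Turn a summary key into the NAT pair an operator should inspect."""
    src_if, dst_if, src = key
    return (f"flows from {src} entering {src_if} toward {dst_if} are dropped: "
            f"check the nat ({dst_if},{src_if}) exemption covering {src}")


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, explain(key))
```

Run against a syslog export after a VPN change; a single key with many hits whose source falls inside the VPN pool points at the exemption between the two named interfaces, which is exactly the situation in this thread.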
08-17-2013 11:36 AM
It is not necessary to have a different subnet but if you do then I think the statement should be:
nat (inside,outside) source static lan-subnet lan-subnet destination static vpn-subnet vpn-subnet
Look at the linked document I sent - it breaks down the process into steps that I think are easy to follow.
08-17-2013 11:55 AM
Thank you. Very helpful PDF and it really outlines it for you. I like that only the subject configuration is shown.
I can now connect with my iPad and ping internal IPs, which is a lot further than where I was.
Now I just need to figure out the hairpin part. Allowing my iPad to use my Firewall's connection as its source.
Is this also a simple NAT config?
08-17-2013 12:07 PM
Do you mean to give your VPN users internet access while using full tunneling? Then yes, you would need to do a NAT and also allow the ASA to send traffic out the same interface it was received on.
object network VPN
subnet 192.168.1.0 255.255.255.0
nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
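The thread fixes three separate things in turn: a VPN pool overlapping the inside subnet, a NAT exemption that must be written LAN-as-source / pool-as-destination, and the two statements needed to hairpin full-tunnel clients back out of the outside interface. The following is an added example (not code from the thread or from Cisco) that audits an ASA running-config excerpt for all three. The two embedded excerpts are constructed, modelled on the poster's initial and final configurations and indented the way show running-config prints sub-commands; the object and pool names are the thread's. It parses only the statements the checks need, so it is a linter for this scenario, not a general ASA config parser.

```python
"""Audit an ASA running-config excerpt for the three remote-access VPN NAT
problems raised in the thread. Added illustration, not Cisco code."""
import ipaddress
import re

# Constructed excerpt modelled on the poster's first configuration.
BEFORE = """\
ip local pool vpnPool 192.168.0.210-192.168.0.220 mask 255.255.255.0
interface Vlan1
 nameif inside
 ip address 192.168.0.250 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
"""

# Constructed excerpt modelled on the working configuration at the end of the thread.
AFTER = """\
ip local pool vpnPool 192.168.1.200-192.168.1.220 mask 255.255.255.0
same-security-traffic permit intra-interface
interface Vlan1
 nameif inside
 ip address 192.168.0.250 255.255.255.0
object network lan-subnet
 subnet 192.168.0.0 255.255.255.0
object network vpn-subnet
 subnet 192.168.1.0 255.255.255.0
object network VPN
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
nat (inside,outside) source static lan-subnet lan-subnet destination static vpn-subnet vpn-subnet
"""

TWICE_NAT = re.compile(r"nat \(([\w-]+),([\w-]+)\) source static (\S+) (\S+) "
                       r"destination static (\S+) (\S+)$")
OBJECT_NAT = re.compile(r"nat \(([\w-]+),([\w-]+)\) dynamic interface$")


def parse(text):
    """Pull out only the statements the audit needs."""
    cfg = {"pools": {}, "ifaces": {}, "objects": {}, "twice_nat": [],
           "object_nat": [], "intra_interface": False}
    ctx = None  # ["iface", nameif] or ["object", name] while inside a sub-block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():      # a top-level command ends any sub-block
            ctx = None
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask \S+$", line)
        if m:
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif line.startswith("interface "):
            ctx = ["iface", None]
        elif line.startswith("object network "):
            ctx = ["object", line.split()[2]]
        elif ctx and ctx[0] == "iface":
            if line.startswith("nameif "):
                ctx[1] = line.split()[1]
            m = re.match(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+)$", line)
            if m and ctx[1]:          # 'ip address dhcp setroute' is skipped
                cfg["ifaces"][ctx[1]] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
        elif ctx and ctx[0] == "object":
            m = re.match(r"subnet (\S+) (\S+)$", line)
            if m:
                cfg["objects"][ctx[1]] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            m = OBJECT_NAT.match(line)
            if m:
                cfg["object_nat"].append((ctx[1], m.group(1), m.group(2)))
        else:
            m = TWICE_NAT.match(line)
            if m:
                cfg["twice_nat"].append({"ifaces": (m.group(1), m.group(2)),
                                         "src": (m.group(3), m.group(4)),
                                         "dst": (m.group(5), m.group(6))})
    return cfg


def covers(net, pool):
    return pool[0] in net and pool[1] in net


def audit(cfg, pool_name="vpnPool"):
    """Return the problems found; an empty list means all three checks pass."""
    findings = []
    pool = cfg["pools"][pool_name]
    inside = cfg["ifaces"].get("inside")
    objs = cfg["objects"]
    # 1. Pool inside the LAN subnet: hosts treat clients as on-link instead of routing to the ASA.
    if inside and (pool[0] in inside or pool[1] in inside):
        findings.append("pool-overlaps-inside")
    # 2. Identity twice NAT with the LAN as source and the pool as destination,
    #    so the obj_any dynamic PAT never rewrites LAN-to-client traffic.
    exempt = any(
        n["ifaces"] == ("inside", "outside")
        and n["src"][0] == n["src"][1] and n["dst"][0] == n["dst"][1]
        and inside is not None and n["src"][0] in objs and n["dst"][0] in objs
        and inside.subnet_of(objs[n["src"][0]]) and covers(objs[n["dst"][0]], pool)
        for n in cfg["twice_nat"])
    if not exempt:
        findings.append("missing-nat-exemption")
    # 3. Hairpin: traffic may re-enter and leave 'outside', and the pool is PATed to its address.
    hairpin = cfg["intra_interface"] and any(
        (a, b) == ("outside", "outside") and name in objs and covers(objs[name], pool)
        for name, a, b in cfg["object_nat"])
    if not hairpin:
        findings.append("no-hairpin-nat")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(parse(text)) or "OK")
```

The reversed exemption the poster tried earlier (pool as both source and destination) is also caught by the second check, because its source object does not contain the inside subnet.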
08-17-2013 12:29 PM
Sweet! That was it. I can now browse from my iPad with my home ASA as the source.
Thanks to both of you for the help! I really need to read up on NAT; it's always been my weak point. The syntax is boggling.
Thanks again