12-11-2008 03:29 AM - edited 03-11-2019 07:24 AM
I have a Cisco ASA 5505 with a base license. Can it be used for site-to-site and remote access VPN connections at the same time? I seem to be having problems using both options. The site-to-site is OK, but when client machines connect via remote access they are restricted from accessing resources on the inside interface. Please advise.
Thanks.
12-11-2008 03:38 AM
Yes, you can. On the VPN group policy, you need to permit access to the internal network. I believe the default ACL is any, any applied to the VPN policy group.
Look at this link for split tunnelling: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
12-11-2008 04:04 AM
Done all that, but clients still can't access network resources. Here is my config:
!
access-list basvpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.0.0.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.0.0 Wxxx 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.0.0 192.0.0.224 255.255.255.224
access-list outside_1_cryptomap extended permit ip 192.0.0.0 255.255.0.0 Wxxx 255.255.0.0
access-list civpn_splitTunnelAcl standard permit 192.0.0.0 255.255.0.0
ip local pool basvpnpool 192.0.0.230-192.0.0.250 mask 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 62.xx.xxx.xx 1
http server enable
http 192.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 62.xx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group-list enable
group-policy basvpn internal
group-policy basvpn attributes
wins-server value 192.0.0.22 192.0.0.21
dns-server value 192.0.0.23 192.0.0.22
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value basvpn_splitTunnelAcl
default-domain value centerprise.co.uk
group-policy civpn internal
group-policy civpn attributes
wins-server value 192.0.0.22 192.0.0.21
dns-server value 192.0.0.23 192.0.0.22
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value civpn_splitTunnelAcl
default-domain value centerprise.co.uk
tunnel-group basvpn type remote-access
tunnel-group basvpn general-attributes
address-pool basvpnpool
authentication-server-group ciscobox
default-group-policy basvpn
tunnel-group basvpn ipsec-attributes
pre-shared-key *
tunnel-group 62.xxx.xx.xxx type ipsec-l2l
tunnel-group 62.xxx.xx.xxx ipsec-attributes
pre-shared-key *
tunnel-group civpn type remote-access
tunnel-group civpn general-attributes
address-pool basvpnpool
authentication-server-group ciscobox
default-group-policy civpn
tunnel-group civpn webvpn-attributes
group-alias centerprise enable
tunnel-group civpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
12-11-2008 04:56 AM
Hello Samuel,
Try the following changes:
ip local pool VPN_pool 172.16.5.1-172.16.5.254 mask 255.255.255.0
tunnel-group basvpn general-attributes
address-pool VPN_pool
no address-pool basvpnpool
tunnel-group civpn general-attributes
address-pool VPN_pool
no address-pool basvpnpool
no ip local pool basvpnpool 192.0.0.230-192.0.0.250 mask 255.255.0.0
access-list basvpn_splitTunnelAcl standard permit 192.0.0.0 255.255.0.0
no access-list basvpn_splitTunnelAcl standard permit any
crypto isakmp nat-traversal 20
no crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
no crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
no crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
no crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
no crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
no crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
no crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
no crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
no crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
no access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.0.0 192.0.0.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.0.0 172.16.5.0 255.255.255.240
no access-list inside_nat0_outbound extended permit ip any 192.0.0.224 255.255.255.224
Regards
12-11-2008 07:01 AM
I have made the changes, but no luck. I also discovered that when I apply the same configuration to a new ASA 5505 box without a site-to-site config it works, but both site-to-site and remote access cannot work on the same box. Is this a license-related issue, as I currently have a base license?
Thanks.
12-11-2008 08:06 AM
Are you saying that both the basvpn and civpn VPN groups cannot access anything on the inside?
How is the ASA connected to the inside network? Is it connected to a layer 3 switch?
After making the config changes Huseyin asked you to do, can you post the current config on the ASA?
Francisco.
12-11-2008 09:12 AM
Yes, both groups cannot access the inside network, and I am connected to a layer 3 HP switch with all ports in VLAN 1.
I have another Cisco ASA 5505 box, and I configured it for remote access only, and all remote clients can access the inside network. If I decide to add site-to-site service on the same box, the remote clients will be denied access to the inside interface. So I am currently using two Cisco ASA 5505s: one for site-to-site VPN to my branch office and the second for remote access clients only.
12-11-2008 09:15 AM
Post your current config from the ASA that is not working.
12-11-2008 09:26 AM
!
hostname Basvpn
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.1.0.0 Wxxx description Wxxx Remote LAN
!
interface Vlan1
nameif inside
security-level 100
ip address 192.0.0.7 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xx.xx4.84 255.255.255.240
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Split_Tunnel_List remark The cooperate Network behind the ASA
access-list Split_Tunnel_List standard permit 172.16.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.0.0 Wales 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 172.16.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.0.0.0 255.255.0.0 Wales 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool basvpnpool 172.16.5.1-172.16.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.x4.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ciscobox protocol radius
aaa-server ciscobox host 192.0.0.23
timeout 5
key xxxxxxx
http server enable
http 192.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xxx.xxx.x3.1xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
webvpn
tunnel-group-list enable
group-policy basvpn internal
group-policy basvpn attributes
wins-server value 192.0.0.21 192.0.0.22
dns-server value 192.0.0.23 192.0.0.22
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value centxxxxx.com
tunnel-group basvpn type remote-access
tunnel-group basvpn general-attributes
address-pool basvpnpool
authentication-server-group ciscobox
default-group-policy basvpn
tunnel-group basvpn ipsec-attributes
pre-shared-key *
tunnel-group 6xx.xxxx.xxxx type ipsec-l2l
tunnel-group 6xx.xxxx.xxxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ff2de0ced4fd3b6d966d5e79683dfefb
12-11-2008 08:27 AM
Samuel,
After the users are connected and you do a show crypto ipsec sa, do you see packets making it to the ASA?
Also, is it a requirement to assign the pool of IP addresses for the VPN client from your internal subnet? While technically this should work, I have seen more issues when configuring the VPN pool from the internal subnet.
Can you change the VPN pool of IP addresses to something totally different from your inside subnet and then do the testing? You also need to change the split tunnel and NAT 0 ACLs to reflect the new pool of IP addresses.
Regards,
Arul
*Pls rate if it helps*
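The three things Huseyin's and Arul's replies tell Samuel to keep in step (the address pool, the nat 0 exemption and the split-tunnel list) can be checked mechanically against a pasted config. The script below is an added example, not anything posted in this thread or Cisco tooling; it parses only the line shapes that appear in the configs above, and the two sample configs embedded in it are constructed: the broken one mirrors the second posted config plus the /28 nat 0 line suggested earlier (which covers only 172.16.5.0-15 of a /24 pool), the fixed one applies the advice in the thread.

```python
"""Lint an ASA 8.0 remote-access VPN config for three mistakes this thread circles around:
a pool carved out of the inside subnet, a nat-0 ACL whose mask does not cover the whole
pool, and a split-tunnel list naming the wrong network.  Added example, thread-shaped input."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class AsaVpnConfig:
    inside: Optional[ipaddress.IPv4Network] = None  # subnet of the "nameif inside" interface
    pools: dict = field(default_factory=dict)       # pool name -> (first, last)
    acls: dict = field(default_factory=dict)        # ACL name -> [(src, dst)]
    nat0_acl: Optional[str] = None                  # ACL bound by "nat (inside) 0"
    split_acls: list = field(default_factory=list)  # split-tunnel-network-list names
    pool_names: list = field(default_factory=list)  # address-pool names in tunnel-groups

def _addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse(text: str) -> AsaVpnConfig:
    cfg, is_inside = AsaVpnConfig(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            is_inside = False
        elif line == "nameif inside":
            is_inside = True
        elif is_inside and line.startswith("ip address "):
            cfg.inside, _ = _addr(line.split()[2:], 0)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg.pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            toks = m[2].split()
            src, i = _addr(toks, 0)
            cfg.acls.setdefault(m[1], []).append((src, _addr(toks, i)[0]))
        elif m := re.match(r"access-list (\S+) standard permit (.+)", line):
            cfg.acls.setdefault(m[1], []).append((ANY, _addr(m[2].split(), 0)[0]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg.nat0_acl = m[1]
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            cfg.split_acls.append(m[1])
        elif m := re.match(r"address-pool (\S+)", line):
            cfg.pool_names.append(m[1])
    return cfg

def lint(cfg: AsaVpnConfig) -> list:
    """Return [(code, message)] per problem; an empty list means all three checks pass."""
    if cfg.inside is None:
        return [("no-inside", "no interface with nameif inside")]
    pool = []
    for name in cfg.pool_names:
        first, last = cfg.pools[name]
        pool += [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    findings = []
    # 1. Pool drawn from the inside subnet: the setup Arul advises against.
    overlap = [a for a in pool if a in cfg.inside]
    if overlap:
        findings.append(("pool-overlap", f"{len(overlap)} pool address(es) fall inside {cfg.inside}"))
    # 2. Every inside -> pool flow must hit a nat-0 ACE, otherwise the reply is PATed to the
    #    outside interface (nat (inside) 1 / global (outside) 1 interface) instead of the tunnel.
    aces = cfg.acls.get(cfg.nat0_acl, [])
    gap = [a for a in pool if not any(cfg.inside.subnet_of(s) and a in d for s, d in aces)]
    if gap:
        findings.append(("nat0-gap", f"{len(gap)} pool address(es) not NAT-exempt, first {gap[0]}"))
    # 3. tunnelspecified sends only the listed networks down the tunnel, so the list must
    #    carry the inside network, not the pool itself.
    for name in cfg.split_acls:
        if not any(cfg.inside.subnet_of(d) for _, d in cfg.acls.get(name, [])):
            findings.append(("split-tunnel-gap", f"{name} does not include {cfg.inside}"))
    return findings

# Constructed sample: second posted config plus the suggested /28 nat-0 line.  The
# split-tunnel list names the pool, and the nat-0 mask covers only 172.16.5.0-15.
BROKEN = """\
interface Vlan1
 nameif inside
 ip address 192.0.0.7 255.255.0.0
!
access-list Split_Tunnel_List standard permit 172.16.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.0.0 172.16.5.0 255.255.255.240
ip local pool basvpnpool 172.16.5.1-172.16.5.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
 split-tunnel-network-list value Split_Tunnel_List
 address-pool basvpnpool
"""
# Constructed fix: pool off the inside subnet, nat-0 mask covering the whole pool,
# split-tunnel list naming the inside network.
FIXED = (BROKEN
         .replace("standard permit 172.16.5.0 255.255.255.0", "standard permit 192.0.0.0 255.255.0.0")
         .replace("172.16.5.0 255.255.255.240", "10.0.1.0 255.255.255.192")
         .replace("172.16.5.1-172.16.5.254", "10.0.1.1-10.0.1.50"))

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(parse(text)) or "OK")
```

Run it against a full "show running-config" paste; it ignores every line it does not recognise. It does not check the crypto ACL or the vpn-filter, and it cannot tell you whether a licence is the problem, but it will catch the mask and list mistakes that produce exactly the "connected but nothing on the inside is reachable" symptom discussed here.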
12-11-2008 09:17 AM
I changed the VPN pool IP to the 172.16.5.0 network but am still having the same problem. I had to use a spare ASA 5505 box for remote access VPN only, and it is all working OK. The question is: why can't I have both site-to-site and remote access working on one box?
12-11-2008 10:11 AM
What is your ASA software version?
See below for new changes:
no access-list Split_Tunnel_List remark The cooperate Network behind the ASA (OLD)
no access-list Split_Tunnel_List standard permit 172.16.5.0 255.255.255.0 (OLD)
access-list basvpnsplit remark internal_access_standard (NEW)
access-list basvpnsplit standard permit 192.0.0.0 255.0.0.0 (NEW)
!
access-list basvpn_vpn_acl remark permit_any_extended (NEW)
access-list basvpn_vpn_acl extended permit ip any any (NEW)
group-policy basvpn internal
group-policy basvpn attributes
split-tunnel-network-list value basvpnsplit (NEW)
vpn-filter value basvpn_vpn_acl (NEW)
split-tunnel-policy tunnelspecified
no split-tunnel-network-list value Split_Tunnel_List (OLD)
If this doesn't work, because you have made a few changes, it's better to delete the existing remote access VPN config in the ASDM. Then run the VPN wizard again, but this time do not enable split tunneling in the wizard; configure split tunneling with the CLI. See the link I sent you before for split tunneling.
Francisco
12-12-2008 02:47 AM
Francisco,
Still not working after all changes:
sh run
: Saved
:
ASA Version 8.0(3)
!
hostname Basvpn
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.1.0.0 Wxxx description Wxxxx Remote LAN
!
interface Vlan1
nameif inside
security-level 100
ip address 192.0.0.7 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 62x.xx.xxx.xx 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/7
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.0.0 10.0.1.0 255.255.255.192
access-list outside_1_cryptomap extended permit ip 192.0.0.0 255.255.0.0 Wxxx 255.255.0.0
ip local pool basvpnpool 10.0.1.1-10.0.1.50 mask 255.255.255.0
asdm image disk0:/asdm-611.bin
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 6xx.xx.xxx.xxx 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server ciscobox protocol radius
aaa-server ciscobox host 192.0.0.23
timeout 5
http server enable
http 192.0.0.0 255.255.0.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 6xx.xx.xx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
webvpn
tunnel-group-list enable
group-policy basvpn internal
group-policy basvpn attributes
wins-server value 192.0.0.21 192.0.0.22
dns-server value 192.0.0.23 192.0.0.22
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value cenxxxxx.cm
tunnel-group basvpn type remote-access
tunnel-group basvpn general-attributes
address-pool basvpnpool
authentication-server-group ciscobox
default-group-policy basvpn
tunnel-group basvpn ipsec-attributes
pre-shared-key *
tunnel-group 6xx.xx.xx.xxx type ipsec-l2l
tunnel-group 6xx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
!
parameters
message-length maximum 512
policy-map global_policy
service-policy global_policy global