10-21-2010 10:19 AM - edited 03-12-2019 06:01 PM
Hello Dears,
Please find the attached configs for 7.2 and 8.2.
I'm trying to configure remote VPN on version 7.2 as well as on 8.2.
On version 7.2 I get an error 412; when I enabled debug for crypto isakmp and crypto ipsec, there were no logs to be seen.
On version 8.2 it prompts for username and password, but they are not accepted even though the username and password are correct. Authentication is done through a Windows AD server. Do we have to specify any key between AD and ASA, the same as with ACS?
Thanks
10-21-2010 11:08 AM
So we are using Version 8 on the ASA and we use split tunneling for our Remote VPN (Cisco VPN Client) users when they are on the road, so only interesting traffic is sent through the tunnel and regular internet traffic is sent over their ISP default route. Here is the sample config from our ASA firewall used for remote VPN. We use the Microsoft IAS service on a domain controller and set up RADIUS for the authentication to Active Directory. Works perfectly. If you need help with the IAS service setup I may be able to assist with that as well.
When you set up the VPN client software, in this example you would put REMOTEVPN in the group authentication section. The password is what you entered in the section:
tunnel-group RemoteVPN ipsec-attributes
pre-shared-key *
Example begin ------
! Split-tunnel ACL: only these destinations are sent through the tunnel
access-list RH_splitunnel standard permit 192.168.x.0 255.255.254.0
access-list RH_splitunnel standard permit 172.x.x.0 255.255.254.0
access-list RH_splitunnel standard permit 172.x.x.0 255.255.255.0
access-list RH_splitunnel standard permit 10.1.x.0 255.255.0.0
! RADIUS server group pointing at the IAS domain controller
aaa-server vpn protocol radius
aaa-server vpn host 172.x.x.x
 key some_key_you_like
aaa local authentication attempts max-fail 5
! IPsec transform set and dynamic crypto map for remote-access peers
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
! IKE phase 1 policies (pre-shared key, tried in priority order)
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 14400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Group policy: split tunneling limited to the ACL above
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 dns-server value 4.4.4.4
 vpn-idle-timeout 180
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RH_splitunnel
! Tunnel group: the group name/password entered in the VPN client,
! user authentication handed to the RADIUS group "vpn"
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 address-pool RemoteVPN
 authentication-server-group vpn
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
Example end -----
Hope this helps..
Frank
10-21-2010 11:43 AM
Dear,
What you have posted is all OK according to my configs. I want to know what can be the cause that in 7.2 I'm not able to get a username prompt, and in 8.2, after the username prompt, I'm not able to authenticate.
Thanks
10-21-2010 03:09 PM
Dears,
In version 7.2 I'm able to connect, but I'm not able to ping the directly connected core switch on the inside interface.
There is a static route in the ASA for the remote VPN client, but it is still not pinging. I have used the NAT0 command for inside users to access the tunnel, bypassing NAT.
Am I missing any command?
FOR EXTERNAL AUTHENTICATION:
If I want to specify external authentication to Windows AD, do I need to specify a KEY in Windows AD? If so, then where???
Thanks.
10-21-2010 04:14 PM
For version 7.2, you might be missing the icmp inspection, please kindly add "inspect icmp" in your global policy.
For external authentication to Active Directory, you would need to have a domain member account for binding. Here is the sample configuration to authenticate to Active Directory:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
Hope that helps.
10-22-2010 06:28 AM
Hello Jennifer,
I have seen one of the ASA configs, but I didn't find any LDAP command as you have specified in your mail. Only the configs are such as below; I hope these commands can be seen not in a normal "sh run" but in "sh config all".
Can you clear my doubt?
It is authenticating through Kerberos:
aaa-server ABC protocol kerberos
aaa-server ABC (inside) host 192.168.10.10
 kerberos-realm XYZ.COM
Thanks
10-22-2010 02:40 PM
LDAP is the protocol to authenticate; the AAA server would be Active Directory (NT).
Are you saying that you are authenticating to Kerberos instead? Here is the sample configuration for Kerberos if you are authenticating to a Kerberos server:
PS: just check out the authentication section on kerberos (don't worry about the authorization to ldap if you are not performing authorization).
BTW, I don't see Kerberos in any of your configuration (7.2 or 8.2) posted.
10-22-2010 03:02 PM
Hello Jennifer,
I mean to say I have seen 2 ASA configurations in which VPN users are authenticated through AD.
I have only seen the configuration below for authentication. Apart from this, do I have to do anything else to make it work???? It is not working for me with version 8.2.
Customer-1 -- Windows 2003 server
aaa-server AD protocol nt
aaa-server AD (inside) host 10.10.10.10
 timeout 5
 nt-auth-domain-controller AD01
Customer-2 -- Windows 2008 server
aaa-server Kerb protocol kerberos
aaa-server Kerb (inside) host 172.16.10.10
 kerberos-realm SMC.COM
Are the above the only commands for AD authentication, or am I missing something? If these are the only ones, then I'm not able to authenticate my VPN users.
Any hint? The username and password are correct but not accepted when the prompt comes.
10-22-2010 03:53 PM
Well, customer-2 seems to be authenticating through Kerberos based on the configuration. Is this correct? Are they supposed to be authenticating through Kerberos OR LDAP?
For kerberos authentication, the aaa-server protocol will be kerberos (aaa-server Kerb protocol kerberos)
For ldap authentication, the aaa-server protocol will be nt (aaa-server AD protocol nt)
So you would need to check with your customer whether they are using kerberos or ldap authentication and configured it accordingly on the ASA.
10-22-2010 04:07 PM
Hello Jennifer,
For ldap authentication, the aaa-server protocol will be nt (aaa-server AD protocol nt)
I have configured aaa-server AD protocol nt and I'm not able to authenticate through VPN.
What can be the causes??? Is there some configuration to be done on AD for the ASA?
Thanks
10-25-2010 04:00 AM
Here is a sample configuration on LDAP authentication:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
Please only look through the authentication section.
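The two failure modes in this thread (a tunnel-group that points at the wrong or incomplete AAA server group, and a group-policy whose split-tunnel list does not match any access-list) are reference errors the ASA accepts silently at configuration time. The script below is an added example, not code from the thread or from Cisco: it reads "show run" style text such as Frank's RADIUS config or the nt/kerberos snippets above and reports dangling references plus the protocol-specific sub-commands each aaa-server group still needs. On the ASA, `protocol nt` is NT Domain (NTLM) authentication to a domain controller and needs `nt-auth-domain-controller`; `protocol kerberos` needs `kerberos-realm`; `protocol radius` needs `key`; LDAP authentication is `protocol ldap` and, against Active Directory, needs a bind DN and password because AD rejects anonymous bind. The sample config inside the script is constructed for this example; its tags, realm and addresses are assumptions.

```python
"""Added example, not code from the thread or from Cisco: a small lint for ASA
remote-access VPN configuration text. It checks the references a tunnel-group
makes (AAA server group, address pool, group-policy, split-tunnel ACL) and, for
each aaa-server group, the protocol-specific sub-commands the ASA needs before
it can talk to the server at all. The sample config below is constructed for
this example; its names, realm and addresses are assumptions."""
from collections import defaultdict

# Sub-commands an "aaa-server <tag> (<if>) host <ip>" entry needs per protocol.
# "nt" is NT Domain (NTLM) authentication to a domain controller, not LDAP; for
# LDAP against AD the bind DN and password are needed because AD refuses an
# anonymous bind. LOCAL is a built-in group with no server entries.
REQUIRED_PER_PROTOCOL = {
    "radius": {"key"},
    "kerberos": {"kerberos-realm"},
    "nt": {"nt-auth-domain-controller"},
    "ldap": {"ldap-base-dn", "ldap-login-dn", "ldap-login-password"},
}
SPLIT_POLICIES_NEEDING_ACL = {"tunnelspecified", "excludespecified"}


def parse_asa(text):
    """Collect the objects the lint needs from 'show run' style text. The ASA
    indents sub-commands with a single space; an unindented line closes the
    previous sub-command context."""
    cfg = {
        "aaa_proto": {},                 # tag -> protocol
        "aaa_hosts": defaultdict(list),  # tag -> [host, ...]
        "aaa_attrs": defaultdict(set),   # tag -> sub-commands seen under host entries
        "acls": set(), "pools": set(),
        "policies": {},                  # group-policy -> {attribute: last token}
        "tunnel_groups": defaultdict(dict),
    }
    ctx = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        w = raw.split()
        third = w[2] if len(w) > 2 else ""
        if not raw.startswith(" "):
            ctx = None
            if w[0] == "aaa-server" and third == "protocol":
                cfg["aaa_proto"][w[1]] = w[3].lower()
            elif w[0] == "aaa-server" and "host" in w:
                cfg["aaa_hosts"][w[1]].append(w[w.index("host") + 1])
                ctx = ("aaa", w[1])
            elif w[0] == "access-list":
                cfg["acls"].add(w[1])
            elif w[:3] == ["ip", "local", "pool"] and len(w) > 3:
                cfg["pools"].add(w[3])
            elif w[0] == "group-policy" and third == "internal":
                cfg["policies"].setdefault(w[1], {})
            elif w[0] == "group-policy" and third == "attributes":
                ctx = ("gp", w[1])
            elif w[0] == "tunnel-group" and third == "general-attributes":
                ctx = ("tg", w[1])
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "aaa":
            cfg["aaa_attrs"][name].add(w[0])
        elif kind == "gp":
            cfg["policies"].setdefault(name, {})[w[0]] = w[-1]
        elif kind == "tg":
            # "authentication-server-group (inside) AD LOCAL": drop the interface
            # token and keep the primary group.
            args = [t for t in w[1:] if not t.startswith("(")]
            cfg["tunnel_groups"][name][w[0]] = args[0] if args else ""
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means every reference resolves."""
    out = []
    for tg, a in cfg["tunnel_groups"].items():
        grp = a.get("authentication-server-group")
        if grp is None:
            out.append(f"tunnel-group {tg}: no authentication-server-group, so only LOCAL users can log in")
        elif grp != "LOCAL":
            if grp not in cfg["aaa_proto"]:
                out.append(f"tunnel-group {tg}: aaa-server group '{grp}' is not defined")
            elif not cfg["aaa_hosts"][grp]:
                out.append(f"tunnel-group {tg}: aaa-server group '{grp}' has no host entry")
        pool = a.get("address-pool")
        if pool and pool not in cfg["pools"]:
            out.append(f"tunnel-group {tg}: address-pool '{pool}' has no 'ip local pool'")
        gp = a.get("default-group-policy")
        if gp and gp not in cfg["policies"]:
            out.append(f"tunnel-group {tg}: default-group-policy '{gp}' is not defined")
    for gp, a in cfg["policies"].items():
        acl = a.get("split-tunnel-network-list")
        if a.get("split-tunnel-policy") in SPLIT_POLICIES_NEEDING_ACL and acl is None:
            out.append(f"group-policy {gp}: split-tunnel-policy set but no split-tunnel-network-list")
        if acl and acl not in cfg["acls"]:
            out.append(f"group-policy {gp}: split-tunnel ACL '{acl}' is not defined")
    for tag, proto in cfg["aaa_proto"].items():
        missing = REQUIRED_PER_PROTOCOL.get(proto, set()) - cfg["aaa_attrs"][tag]
        if missing:
            out.append(f"aaa-server {tag} ({proto}): missing {sorted(missing)}")
    return out


# Constructed sample: the nt group lacks its domain controller and the
# group-policy names a misspelled ACL, both of which the ASA accepts silently.
SAMPLE_CONFIG = """\
access-list RH_splitunnel standard permit 192.168.10.0 255.255.254.0
ip local pool RemoteVPN 10.99.0.10-10.99.0.100 mask 255.255.255.0
aaa-server AD protocol nt
aaa-server AD (inside) host 10.10.10.10
 timeout 5
aaa-server Kerb protocol kerberos
aaa-server Kerb (inside) host 172.16.10.10
 kerberos-realm EXAMPLE.COM
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RH_splittunnel
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 address-pool RemoteVPN
 authentication-server-group AD
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
"""

if __name__ == "__main__":
    for finding in lint(parse_asa(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a pasted "show run" to catch the two classes of mistake before touching debugs; a clean lint does not prove the server accepts the credentials, but a finding from it explains exactly the "correct password, not accepted" symptom reported above. The check on `split-tunnel-network-list` is equally useful for Frank's split-tunnel config, where a typo in the ACL name silently sends all traffic through the tunnel.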