Configure Cisco ASA 5505

sagarshaha
Level 1

Hi,

We have a Cisco ASA 5505 pix firewall, and I have done the basic configuration and enabled DHCP on the firewall.

What I would like to know is: is there a way to test whether the DHCP and internet from this firewall are working fine by connecting it into our existing network, without taking any downtime?

This is to test that the firewall works fine with current setup and ready to go in production.

Any help is highly appreciated

Thanks,

Sagar

2 Accepted Solutions

"ip name-server" allows the ASA to do DNS lookups.  Not likely to be very important.

To enable the ASA to give out the DNS servers of the ISP via DHCP use:

dhcpd dns <isp name server 1> <isp name server 2>


I can't generate any config for you because there isn't enough information.

You need to extend outside_cryptomap_2 to include the pool used for VPN users, on both ends of the VPN.

You then need to create a rule saying not to NAT traffic between the two VPNs, and an access rule to allow it. 


31 Replies

Philip D'Ath
VIP Alumni

You could configure the outside interface to use DHCP, and then plug it into the inside of your current network, and then your machine into the back of the 5505.

Hi Philip,

Thanks, this works.

Now, if I want to put it into production, I will need to enter the ISP IP details and DNS. Can you please share the commands for the same?

Thanks for your help

Cheers

The commands are pretty much the same as IOS:

config t

interface gi0/0

ip address 192.69.69.1 255.255.255.252

ip name-server 10.10.10.1

And don't forget the default route.

route outside 0.0.0.0 0.0.0.0 a.b.c.d

Thanks Philip. This helped, and I appreciate your help with the same. My firewall is set up and working fine in the network.

Now, I need to configure users who can connect to this firewall using Cisco VPN client or Any VPN client. Do you have the steps for same?

Also, I have configured site-to-site vpn from this firewall to my servers located in cloud.

So, I need to make sure, when my user connects using vpn client, they get access to those servers located in cloud.

Please help

Thanks,

Sagar

The ASA comes with a "demo" licence that enables two concurrent AnyConnect users.  Otherwise you have to buy an "AnyConnect Essentials" licence (it has a new name now, can't remember what it is).  That licence is not very expensive.

It does use a public SSL certificate on the ASA though which is also an extra cost.  You can use a private certificate if you don't mind users getting a warning that the certificate is not trusted.

You also need a Cisco SmartNet contract (or similar Cisco maintenance contract) to download the Cisco AnyConnect client, or the older IPSec client.

AnyConnect is the best way to go.   There is a Wizard in the ASDM for configuring AnyConnect.  I would start by using that.

The other option is to use the older Cisco IPSec client.  It is no longer developed.  It does not play nicely with Windows 10.  However you don't need any extra licencing on the 5505 or a public SSL certificate.

The ASDM has a wizard for configuring it as well.

Also note there will be some extra pain giving the users access to the servers in the cloud.

You'll need to extend the site to site VPN encryption domain to include the IP addresses of your VPN users.

Thanks Philip. Do you have any guide or video on AnyConnect VPN? I tried using wizard and configured the same using old Cisco VPN Client but it fails.

Also, is it possible to use Windows/Mac in-built VPN service to configure VPN and use it instead of any VPN clients?

The main purpose of configuring VPN is allowing users to access to the servers located in cloud.

Let me know

Thanks

Best you post your whole config as it stands now then.

So, the thing is, after using the wizard and changing a couple of settings, I'm able to connect to the AnyConnect VPN using my WAN IP.

So, once the VPN is successfully connected, I'm unable to use a couple of things:

1. Internet doesn't work once the VPN is connected.

2. I cannot ping or connect to the firewall using my internal IP.

3. As I said, I have a site-to-site VPN configured to my servers in the cloud, and I need to connect to those servers. I need to enable that network too once the users are connected.

Below is the config for your reference...

Thanks for all your help...

Config:

ciscoasa# show conf
: Saved
:
: Serial Number: XXXXXXX
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_15 at 03:12:37.896 UTC Mon Jan 25 2016
!
ASA Version 9.1(6)
!
hostname ciscoasa
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
names
ip local pool ADKVPN 192.168.XXX.1-192.168.XXX.10 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!             
interface Ethernet0/6
!             
interface Ethernet0/7
!             
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.XXX.254 255.255.255.0
!             
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.252
!

ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_XXX.XXX.XXX.XXX_24
 subnet XXX.XXX.XXX.XXX 255.255.255.0
object network NETWORK_OBJ_XXX.XXX.XXX.XXX_24
 subnet XXX.XXX.XXX.XXX 255.255.255.0
object network NETWORK_OBJ_XXX.XXX.XXX.XXX_16
 subnet XXX.XXX.XXX.XXX 255.255.0.0
object network NETWORK_OBJ_XXX.XXX.XXX.XXX_28
 subnet XXX.XXX.XXX.XXX 255.255.255.240
access-list outside_cryptomap_1 extended permit ip 192.168.XXX.0 255.255.255.0 192.168.XXX.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.XXX.0 255.255.255.0 10.XXX.0.0 255.255.0.0
access-list adk-vpn_splitTunnelAcl standard permit 192.168.XXX.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.XXX.0_24 NETWORK_OBJ_192.168.XXX.0_24 destination static NETWORK_OBJ_192.168.XXX.0_24 NETWORK_OBJ_192.168.XXX.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.XXX.0_24 NETWORK_OBJ_192.168.XXX.0_24 destination static NETWORK_OBJ_10.XXX.0.0_16 NETWORK_OBJ_10.XXX.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.XXX.0_24 NETWORK_OBJ_192.168.XXX.0_24 destination static NETWORK_OBJ_192.168.XXX.0_28 NETWORK_OBJ_192.168.XXX.0_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.XXX.0_28 NETWORK_OBJ_192.168.XXX.0_28 no-proxy-arp route-lookup

!                         
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.XXX.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 subject-name CN=192.168.XXX.XXX,CN=ciscoasa
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 crl configure
crypto ca trustpoint advpn
 enrollment self
 subject-name CN=adkvpn.adknowledgeasia.com
 keypair adkvpn
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 7e4ea356
    30820203 3082016c a0030201 0202047e 4ea35630 0d06092a 864886f7 0d010105
    05003046 3111300f 06035504 03130863 6973636f 61736131 18301606 03550403
    130f3139 322e3136 382e3130 342e3235 34311730 1506092a 864886f7 0d010902
    16086369 73636f61 7361301e 170d3136 30313235 30313432 31305a17 0d323630
    31323230 31343231 305a3046 3111300f 06035504 03130863 6973636f 61736131
    18301606 03550403 130f3139 322e3136 382e3130 342e3235 34311730 1506092a
    864886f7 0d010902 16086369 73636f61 73613081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 818100c3 11d89fbf 8956a8c7 fd4e775f 410a66cf
    bdfaa675 54d86a37 cf7aad65 3a34608a fc36c23e 125638bc 986c917c 18827662
    c6bf6541 9a273c10 86be490b acdfd39e 2dd3e12c 887446e9 c3ff4d9e a58d6fc3
    4b266a77 ca1a33d2 a4d914f9 ea79babe 4b25c0a7 f14e5f0e 8167f872 803ec0eb
    20770f37 07068ddb 4df3293a a73f2b02 03010001 300d0609 2a864886 f70d0101
    05050003 81810030 efbbd462 0daf5515 cd72e678 f99afd73 88585af3 472f67b7
    3f72d00b 0f6523cb 3bbe9d2c 4edeef86 d652c459 d4886b36 3d2053c9 4b8f0fb4
    054a03d7 2ba6ebc1 100f5ab7 3d3a31c3 bfbcee92 9d2d0876 a71cfb81 7aa74622
    2f856fdb 2019c72f d1df417b db7acede 5031fe06 7538c639 a6ca817f 18cc0bf2
    4fa890e0 bd33c0
  quit        
crypto ca certificate chain advpn
 certificate 7f4ea356
    308201f3 3082015c a0030201 0202047f 4ea35630 0d06092a 864886f7 0d010105
    0500303e 31233021 06035504 03131a61 646b7670 6e2e6164 6b6e6f77 6c656467
    65617369 612e636f 6d311730 1506092a 864886f7 0d010902 16086369 73636f61
    7361301e 170d3136 30313235 30323132 30315a17 0d323630 31323230 32313230
    315a303e 31233021 06035504 03131a61 646b7670 6e2e6164 6b6e6f77 6c656467
    65617369 612e636f 6d311730 1506092a 864886f7 0d010902 16086369 73636f61
    73613081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c5
    a0482d37 3d34ff9c e525d2c1 f3a185ab e070366a 8b0e49a2 e97c80a6 5658baa1
    ba64810c d5c71dda 904d78cb be755655 e4da08be b032d92b 4782a5e6 c0cc0f76
    b4816d94 11d5caa9 91261536 87f6401c cef2c2d2 bd4785f6 525e1e3e 3d49bec1
    5f384f6d d21698aa 3e5eb0a3 aaef52d1 9459bd2f 768d7ed9 5f0f9029 7e2bf102
    03010001 300d0609 2a864886 f70d0101 05050003 8181007f ae7a1903 77aee0b5
    47c3e823 1366b7ab 460fbfb4 229477fe 058357c4 283552ad 29e8570e 2fdcfcbf
    0b33118f 06a2a66f a7af6568 364a2ab5 2450fb8a 188c4b65 e627825f cb8e5410
    c84da372 672953a6 9a2e403f 4b22071c 74758c11 9ae0a5af 0832b28b 133f0898
    868fca8e 0e3e55c9 fff70969 037d3bef 5d5fd5af 1f3a22
  quit        
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint advpn
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha     
 group 2      
 lifetime 86400
telnet 192.168.XXX.0 255.255.255.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
              
dhcpd dns 165.21.83.88 165.21.100.88
dhcpd lease 432000
dhcpd domain adknowledgeasia.com
dhcpd auto_config outside
!             
dhcpd address 192.168.XXX.50-192.168.XXX.252 inside
dhcpd enable inside
!             
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point advpn outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
webvpn        
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.0.00048-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-4.0.00048-k9.pkg 2
 anyconnect profiles adkasia_vpn_client_profile disk0:/adkasia_vpn_client_profile.xml
 anyconnect profiles adkvpn_client_profile disk0:/adkvpn_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_adkvpn internal
group-policy GroupPolicy_adkvpn attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 default-domain none
 webvpn       
  url-list value Bookmark1
  anyconnect profiles value adkvpn_client_profile type user
group-policy GroupPolicy_XXX.XXX.XXX.XXX internal
group-policy GroupPolicy_XXX.XXX.XXX.XXX attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_XXX.XXX.XXX.XXX internal
group-policy GroupPolicy_XXX.XXX.XXX.XXX attributes
 vpn-tunnel-protocol ikev1 ikev2
username adkuser password XXXXXXXXXX encrypted
username adkuser attributes
 vpn-group-policy GroupPolicy_adkvpn
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
 default-group-policy GroupPolicy_XXX.XXX.XXX.XXX
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
 default-group-policy GroupPolicy_XXX.XXX.XXX.XXX
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group adkvpn type remote-access
tunnel-group adkvpn general-attributes
 address-pool ADKVPN
 default-group-policy GroupPolicy_adkvpn
tunnel-group adkvpn webvpn-attributes
 group-alias AnyConnect enable
!             
class-map inspection_default
 match default-inspection-traffic
!             
!             
policy-map type inspect dns preset_dns_map
 parameters   
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!             
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:cc381fac8d9dcaf9bc7ac4cbb34ef61a
ciscoasa#

You need to configure it to use the split acl to access the Internet at the same time.  You also need to add the cloud subnets to the split acl.

group-policy GroupPolicy_adkvpn attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value adk-vpn_splitTunnelAcl

Hi Philip,

Internet works with the above commands, but my cloud servers still don't work, nor do they respond to pings. Please help.

Thanks

Add your cloud servers to the split ACL.  Create a rule to prevent NAT from the VPN address range to the cloud address range.

Of course, the VPN to the cloud service needs to have your users VPN pool included in the encryption domain.  Have you extended this existing VPN yet?

Not yet. Can you please help

Also, how do I do the NAT?

Sorry, never done this before so asking silly questions

Thanks
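The three changes Philip describes (extend the outside_cryptomap_2 encryption domain to the AnyConnect pool, exempt pool-to-cloud traffic from NAT, and add the cloud subnet to the split-tunnel ACL), written out as an added ASA configuration example. This is not configuration from the thread or from Cisco. The subnets are constructed sample values standing in for the masked 192.168.XXX.0/24, 10.XXX.0.0/16 and pool addresses in the posted config, and the pool is assumed to be a subnet distinct from the inside LAN so it can be a separate crypto-ACL entry; the object names NET_VPN_POOL and NET_CLOUD are assumed, while outside_cryptomap_2, adk-vpn_splitTunnelAcl and GroupPolicy_adkvpn come from the posted config.

```cisco
! Added example (not from the thread). Constructed sample addressing:
!   inside LAN        192.168.1.0/24   (posted config: 192.168.XXX.0/24)
!   AnyConnect pool   192.168.2.0/24   (posted pool ADKVPN, assumed to be its own subnet)
!   cloud subnet      10.20.0.0/16     (posted config: 10.XXX.0.0/16)
! Object names NET_VPN_POOL and NET_CLOUD are assumed.
configure terminal
!
! 1. Network objects for the identity (twice-NAT) rule.
object network NET_VPN_POOL
 subnet 192.168.2.0 255.255.255.0
object network NET_CLOUD
 subnet 10.20.0.0 255.255.0.0
!
! 2. Extend the site-to-site encryption domain so pool -> cloud is
!    interesting traffic for crypto map entry 2. The cloud peer must mirror
!    this (cloud subnet -> pool), otherwise phase 2 never negotiates for
!    these flows and the pings silently fail.
access-list outside_cryptomap_2 extended permit ip 192.168.2.0 255.255.255.0 10.20.0.0 255.255.0.0
!
! 3. Identity NAT: pool <-> cloud keeps its real addresses. Twice-NAT rules
!    (section 1) are evaluated before the "nat (inside,outside) dynamic
!    interface" object rule (section 2), so this exemption wins. The pool
!    traffic enters and leaves on "outside", hence (outside,outside).
nat (outside,outside) source static NET_VPN_POOL NET_VPN_POOL destination static NET_CLOUD NET_CLOUD no-proxy-arp route-lookup
!
! 4. Hairpin: an AnyConnect packet arrives on outside and leaves on outside
!    through the L2L tunnel; the ASA drops this unless intra-interface
!    traffic is permitted.
same-security-traffic permit intra-interface
!
! 5. Split tunnel: only the LAN and the cloud subnet go through the tunnel,
!    Internet traffic stays local (the LAN entry already exists in the
!    posted config, the cloud entry is the addition).
access-list adk-vpn_splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
group-policy GroupPolicy_adkvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value adk-vpn_splitTunnelAcl
!
! 6. VPN traffic bypasses interface ACLs while the default
!    "sysopt connection permit-vpn" is in effect. If that has been disabled,
!    an explicit access rule on outside permitting pool -> cloud is needed.
end
write memory
!
! Checks after a client connects and sends traffic to the cloud:
show vpn-sessiondb anyconnect                  (client holds a pool address)
show nat detail                                (identity rule hit count increases)
show crypto ipsec sa peer <cloud-peer-ip>      (a new SA for pool<->cloud, encaps/decaps counters increase)
```

Apply the crypto-ACL change on the cloud side at the same time; until both ends agree on the new proxy identity, the tunnel carries only the original LAN-to-cloud selector and the pool traffic is dropped after NAT exemption has already succeeded, which is why `show nat detail` alone is not a sufficient check.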
