on 09-23-2011 11:18 PM
So I just installed a new ASA running 8.4, which has a new way of doing NAT, so here is an example config of how to set up a VPN on a stick.
I just wasted the better half of a night figuring this out, so I decided to share the info since Cisco has updated their documentation of this.
Reason for Doc: VPN clients need access to your inside network and also internet access via the VPN.
The old way to configure this is here, in the Cisco document for ASA 7.2: http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00805734ae.shtml
Old Way
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 172.16.43.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
New Way (8.4(2) and up)
same-security-traffic permit intra-interface
nat (inside,outside) source dynamic RFC1918 interface
nat (outside,inside) source static NET-VPNPOOL NET-VPNPOOL
nat (outside,outside) source dynamic NET-VPNPOOL interface
Full Example
! Allow traffic from the VPN "outside" to the Internet "outside" - AKA intra interface traffic
same-security-traffic permit intra-interface
! PRIVATE IP SPACE DEFINED BY RFC 1918
object-group network RFC1918
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 10.0.0.0 255.0.0.0
! VPN POOL
object-group network NET-VPNPOOL
network-object 172.16.43.0 255.255.255.0
! NORMAL NAT FROM INSIDE TO INTERNET
nat (inside,outside) source dynamic RFC1918 interface
! VPN to INSIDE AKA KEEP THE SAME ADDRESS
nat (outside,inside) source static NET-VPNPOOL NET-VPNPOOL
! VPN CLIENT NEEDS INTERNET TOO
nat (outside,outside) source dynamic NET-VPNPOOL interface
!VPN CONFIGURATION
!----------------------------------
! IP POOL
ip local pool VPN-POOL 172.16.43.1-172.16.43.254 mask 255.255.255.0
! TRANS SET
crypto ipsec ikev1 transform-set CIMCO_MAN_TRANS esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set CIMCO_MAN_TRANS
! INJECT THE VPN CLIENT'S IP INTO THE LOCAL ROUTING TABLE USING OSPF/RIP - I USE OSPF Internally
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
! APPLY THE CRYPTO MAP TO THE OUTSIDE INTERFACE
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
group-policy VPNCLIENT internal
group-policy VPNCLIENT attributes
! USE MY DNS SERVER (Optional)
dns-server value 192.168.1.2 192.168.1.3
vpn-tunnel-protocol ikev1
! FORCE THE VPNCLIENT TO TUNNEL ALL TRAFFIC
split-tunnel-policy tunnelall
tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPN-POOL
default-group-policy VPNCLIENT
tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key shhhh!!!!
! (OPTIONAL) DISABLE PROMPTING OF A USERNAME AND PASSWORD - I LEAVE THIS OFF FOR TESTING
ikev1 user-authentication none
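As an added illustration (not part of the post above and not Cisco code), here is a small Python model of how the three manual NAT lines from the post classify the three flows a "VPN on a stick" has to handle: inside to Internet, VPN client to inside, and VPN client back out to the Internet on the same interface. It parses the `nat` lines and object groups exactly as written in the post; everything else is an assumption made for the model: first-match in configuration order, a simplified route lookup that sends RFC 1918 destinations to `inside` and everything else to `outside`, a constructed outside interface address of 203.0.113.1, and a flag standing in for `same-security-traffic permit intra-interface`.

```python
import ipaddress

# Object groups copied from the post
OBJECT_GROUPS = {
    "RFC1918": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"],
    "NET-VPNPOOL": ["172.16.43.0/24"],
}

# The three manual (twice) NAT lines from the post, in configuration order
NAT_LINES = [
    "nat (inside,outside) source dynamic RFC1918 interface",
    "nat (outside,inside) source static NET-VPNPOOL NET-VPNPOOL",
    "nat (outside,outside) source dynamic NET-VPNPOOL interface",
]

# Constructed value (RFC 5737 documentation range): the ASA's outside interface address
OUTSIDE_INTERFACE_IP = "203.0.113.1"


def parse_nat_line(line):
    """Parse 'nat (real_if,mapped_if) source <static|dynamic> <real_obj> <mapped>'."""
    tokens = line.split()
    if len(tokens) != 6 or tokens[0] != "nat" or tokens[2] != "source":
        raise ValueError("unsupported nat line: " + line)
    real_if, mapped_if = tokens[1].strip("()").split(",")
    return {
        "real_if": real_if,      # interface where the untranslated (real) source lives
        "mapped_if": mapped_if,  # interface where the translated (mapped) source is seen
        "kind": tokens[3],       # 'static' or 'dynamic'
        "real_obj": tokens[4],   # object group holding the real source addresses
        "mapped": tokens[5],     # object group or the keyword 'interface'
    }


def in_group(ip, group_name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in OBJECT_GROUPS[group_name])


def egress_interface(dst):
    """Assumed, simplified route lookup: RFC 1918 destinations sit behind 'inside'."""
    return "inside" if in_group(dst, "RFC1918") else "outside"


def forward(ingress, src, dst, nat_lines=NAT_LINES, intra_interface=True):
    """Simulate one flow entering on `ingress` with source `src` bound for `dst`.

    Returns (egress, translated_src, matched_nat_line). A hairpin (ingress == egress)
    is only allowed when intra_interface is True, modelling
    'same-security-traffic permit intra-interface'; otherwise egress is 'drop'.
    A flow matching no rule leaves with its source untranslated (matched line None).
    """
    egress = egress_interface(dst)
    if ingress == egress and not intra_interface:
        return "drop", src, None
    for line in nat_lines:
        rule = parse_nat_line(line)
        if (rule["real_if"], rule["mapped_if"]) != (ingress, egress):
            continue
        if not in_group(src, rule["real_obj"]):
            continue
        if rule["kind"] == "static" and rule["mapped"] == rule["real_obj"]:
            return egress, src, line  # identity NAT: VPN client keeps its pool address
        if rule["kind"] == "dynamic" and rule["mapped"] == "interface":
            return egress, OUTSIDE_INTERFACE_IP, line  # PAT behind the interface address
        raise ValueError("translation form not modelled: " + line)
    return egress, src, None


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.7 is an RFC 5737 documentation address
    print(forward("inside", "192.168.1.10", "198.51.100.7"))   # LAN host to Internet
    print(forward("outside", "172.16.43.5", "192.168.1.2"))    # VPN client to LAN
    print(forward("outside", "172.16.43.5", "198.51.100.7"))   # VPN client to Internet
    # Same flow with the third nat line missing: the pool address leaves untranslated
    print(forward("outside", "172.16.43.5", "198.51.100.7", nat_lines=NAT_LINES[:2]))
```

Running the last call shows why the `(outside,outside)` line matters: without it the VPN client's 172.16.43.x source is sent to the Internet untranslated, and the reply never comes back. Dropping the `intra_interface` flag to False shows the other half of the requirement, the hairpin itself being denied before NAT is even consulted.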
Thank you very much for this config, very useful.
I was in a similar situation and it helped me very much.
Fabrice
Thank you very much for this configuration. I just tested it for my customer and it works like a charm.
Thanks Thanks Thanks
Thanks.
Very useful.
This works great, but how do you set it up with a no-NAT? Say I want my folks who VPN in to be able to access things on the LAN but still allow them to surf the web through the ASA?
I got this so far:
ip local pool VPNPOOL 192.168.0.101-192.168.0.125
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source dynamic obj-192.168.0.0 interface
nat (outside,inside) source static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source dynamic obj-192.168.0.0 interface
group-policy DefaultRAGroup attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
password-storage disable
pfs enable
split-tunnel-policy tunnelall
BUT none of my traffic makes it to the LAN with any of these:
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (any,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp
nat (outside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
I wonder if I have to play with the "split-tunnel-policy tunnelall" line??
Any help would be great, thanks.
ST