11-09-2011 11:44 AM
So far my network is setup as follows:
ISP -> Router 2911 (four VLANs) -> Switch 2960. There has been an ASA 5510 sitting around for some time now; the end goal for the ASA setup is to have it set up as a site-to-site VPN as well as a remote access VPN. What I am trying to determine is how I would place the ASA behind the router. Right now I have it set up and plugged into the Switch, so would I NAT the private IP of the ASA to one of my public IPs?
Also, does anyone know where I can find a good guide on configuring VPN to authenticate against AD without using ASDM?
11-09-2011 12:37 PM
Hi Brandon,
You have to statically NAT the ASA, translating the private IP address to a public one, as it should be accessible from outside. On the router you should have the following ports opened in the inbound access-list:
UDP 500 ISAKMP
UDP 4500 NAT Traversal
ESP 50
Now regarding the LDAP example, please see the following:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
Part of the above example shows how to configure it via CLI.
HTH
Mohammad.
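As an added example (not part of the thread, and not Brandon's or Mohammad's configuration), a small Python audit of the router-side advice above: it reads an IOS snippet, finds the static NAT for the ASA and the ACL applied inbound on the `ip nat outside` interface, and reports which of the three listed protocols (UDP 500 ISAKMP, UDP 4500 NAT-T, ESP) that ACL does not permit toward the ASA's public address. The config text and all addresses are constructed placeholders.

```python
import re

# Constructed IOS snippet modelled on the thread (placeholder addresses, not the
# poster's real config): static NAT for the ASA plus an inbound ACL on the outside.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip address 38.0.0.2 255.255.255.252
 ip access-group 101 in
 ip nat outside
ip nat inside source static 10.10.18.3 38.0.0.10
access-list 101 permit udp any host 38.0.0.10 eq isakmp
access-list 101 permit udp any host 38.0.0.10 eq non500-isakmp
access-list 110 permit esp any host 38.0.0.10
"""
# Inbound traffic an IPsec peer must reach on the ASA, per the reply above.
REQUIRED = (("udp", "isakmp"), ("udp", "non500-isakmp"), ("esp", None))

def _addr(tokens):  # consume one ACE address spec: 'any' | 'host X' | 'X wildcard'
    width = 1 if tokens[0] == "any" else 2
    spec = tokens[1] if tokens[0] == "host" else " ".join(tokens[:width])
    return spec, tokens[width:]

def _permits(ace, proto, port, public_ip):
    """True if one ACE lets proto/port from any peer reach the ASA's public IP."""
    ace_proto, rest = ace
    dst, tokens = _addr(_addr(rest.split())[1])   # skip source: peers are anywhere
    # The inbound ACL on the outside interface is checked before NAT, so the
    # destination must be the public (pre-translation) address, not 10.10.18.3.
    return (ace_proto == proto and dst in ("any", public_ip)
            and (port is None or tokens[:2] == ["eq", port]))

def audit_vpn_acl(config):
    """Return REQUIRED entries the inbound ACL on the NAT-outside interface lacks."""
    acl_in, acls, public_ip, outside, cur = {}, {}, None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = line.split()[1]
        elif not raw.startswith(" "):
            cur = None                                # left interface sub-mode
        if m := re.match(r"ip nat inside source static \S+ (\S+)", line):
            public_ip = m.group(1)
        elif m := re.match(r"access-list (\d+) permit (\S+) (.+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif cur and (m := re.match(r"ip access-group (\S+) in", line)):
            acl_in[cur] = m.group(1)
        elif cur and line == "ip nat outside":
            outside = cur
    aces = acls.get(acl_in.get(outside), []) if public_ip else []
    return [(p, port) for p, port in REQUIRED
            if not any(_permits(a, p, port, public_ip) for a in aces)]
```

On the constructed snippet the ESP rule sits in ACL 110 while ACL 101 is the one bound to the interface, so the audit reports ESP as missing.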
11-10-2011 10:17 AM
Hi Mohammad,
Thanks, the LDAP works perfectly; my firewall now does LDAP authentication! But maybe I'm missing something on the side of the VPN setup on the firewall, and I've got it statically mapped via the router. But when I open up my VPN client it's still not connecting to the gateway; I get "peer not responding". Any ideas?
Router Access List/Static Map/Interface:
interface GigabitEthernet0/0
 ip address 38.xxx.xxx.xxx 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect TRAFFIC_ALLOWED out
 ip virtual-reassembly
 duplex full
 speed 100
 no cdp enable
ip nat inside source static 10.10.18.3 38.x.x.x
access-list 110 permit udp host 10.10.18.1 host 10.10.18.3 eq isakmp
access-list 110 permit udp host 10.10.18.1 host 10.10.18.3 eq non500-isakmp
ASA 5510
access-list NONAT extended permit ip 10.10.18.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list TFX100 remark ACL for TFX Remote
access-list TFX100 extended permit ip 10.10.18.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside) 0 access-list NONAT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMIC-MAP 5 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 10.10.18.0 255.255.255.0 outside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy TFXVPN internal
group-policy TFXVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TFX100
 nem enable
username browe password jyPLVN4lhyIZeTsi encrypted privilege 15
tunnel-group TFX_TG type remote-access
tunnel-group TFX_TG general-attributes
 default-group-policy TFXVPN
tunnel-group TFX_TG ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7da7ebb38ef154ae00a2f8ad1ba430f8
11-10-2011 02:38 PM
I've actually figured out what's wrong, but now I'm getting an error when a remote host tries to connect...
Removing peer from peer table failed, no match!
Unable to remove PeerTblEntry
It makes it through phase 1, but fails at phase 2.