14664 Views, 0 Helpful, 15 Replies

Cisco ASA 5512-x L2TP IPSEC vpn tunnel up, ping to devices work, but no other connection.

madismannik
Level 1

Hello,

I've successfully configured a Cisco ASA 5512-x device. This includes the internal network connections, NAT and, almost, the VPN.

Now the problem is that I can establish a VPN tunnel from the outside network. I can ping from the VPN to inside network devices and vice versa. I can resolve the network names of internal devices and so on. When I try to use Remote Desktop access or access internal web pages, it seems that everything is restricted or denied.

My config:

interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address g.g.g.i 255.255.255.192
!
interface Redundant5
description Inside Interface
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address x.x.x.x 255.255.255.0
ipv6 address autoconfig
ipv6 enable
!
ftp mode passive
clock timezone EET 2
dns domain-lookup Inside
dns server-group DefaultDNS
name-server x.x.x.c
name-server x.x.x.y
domain-name MyNet.ee
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_x.y.c.0_24
subnet x.y.c.0 255.255.255.0
object network Gateway
host g.g.g.g
description Gateway address

object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network MyNet
description MyNet  Internal networks
network-object x.x.x.0 255.255.255.0
network-object k.k.k.0 255.255.255.0
network-object t.t.t.0 255.255.255.0
network-object p.p.p.0 255.255.255.0
network-object pt.pt.pt.0 255.255.255.0

object-group network VPN-network
description VPN Users Network Group
network-object object NETWORK_OBJ_x.y.c.0_24

object-group network DM_INLINE_NETWORK_2
group-object MyNet
group-object VPN-network
object-group service Inside-outside
description Inside-Outside policy for internet access
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq domain
service-object tcp destination eq https
service-object object 7046
service-object object 8008
service-object object MS-DS-SMB
service-object object RDMI-SHO-HTTP
service-object tcp destination eq pop3
service-object tcp destination eq smtp

access-list Inside_access_in extended permit ip object-group VPN-network object-group MyNet
access-list Inside_access_in extended permit ip object-group MyNet object-group VPN-network
access-list Inside_access_in extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group MyNet any
access-list Inside_access_in extended permit ip any object-group MyNet
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any object-group VPN-network
access-list global_access extended permit ip object-group VPN-network any
access-list global_access extended permit object-group Inside-outside any object-group MyNet
access-list global_access extended permit ip any object-group MyNet inactive
access-list global_access extended permit ip any any inactive
access-list ACL_IN extended permit ip object-group MyNet object-group VPN-network
access-list tcp_bypass extended permit tcp x.x.x.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp k.k.k.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp t.t.t.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp p.p.p.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp pt.pt.pt.0 255.255.255.0 any
access-list Inside_access_out extended permit ip any object-group VPN-network
access-list Inside_access_out extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_out extended permit ip object-group MyNet any
access-list Inside_access_out extended permit ip any any
access-list Outside_access_out extended permit ip object-group VPN-network object-group MyNet
access-list Outside_access_out extended permit ip object-group MyNet object-group VPN-network
access-list Outside_access_out extended permit object-group Inside-outside object-group MyNet any
access-list Outside_access_out extended permit ip object-group MyNet any
access-list Outside_access_in extended permit ip object-group MyNet object-group VPN-network
access-list Outside_access_in extended permit ip object-group VPN-network object-group MyNet
access-list Outside_access_in extended permit object-group Inside-outside any object-group MyNet
access-list Outside_access_in extended permit ip any object-group MyNet inactive
access-list Internal-VPN standard permit x.y.c.0 255.255.255.0

ip local pool VPN-Pool x.y.c.50-x.y.c.150

nat (any,any) source static VPN-network VPN-network destination static MyNet MyNet
nat (Inside,any) source static MyNet MyNet destination static MyNet MyNet
!
nat (Inside,Outside) after-auto source dynamic MyNet interface
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
access-group global_access global

route Outside 0.0.0.0 0.0.0.0 g.g.g.1 1
route Inside k.k.k.0 255.255.255.0 x.x.x.254 1
route Inside t.t.t.0 255.255.255.0 x.x.x.254 1
route Inside p.p.p.0 255.255.255.0 x.x.x.254 1
route Inside pt.pt.pt.0 255.255.255.0 x.x.x.254 1
route Inside 0.0.0.0 0.0.0.0 x.x.x.1 tunneled

dynamic-access-policy-record DfltAccessPolicy
aaa-server UM-Radius protocol radius
aaa-server UM-Radius (Inside) host x.x.x.y
key *****
no user-identity enable
user-identity default-domain LOCAL
no user-identity action mac-address-mismatch remove-user-ip
http server enable

crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1
crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface Outside

crypto ikev1 enable Outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value x.x.x.y x.x.x.c
vpn-tunnel-protocol l2tp-ipsec
default-domain value MyNet.ee
tunnel-group DefaultRAGroup general-attributes
address-pool (Inside) VPN-Pool
address-pool VPN-Pool
authentication-server-group UM-Radius
authentication-server-group (Inside) UM-Radius
authorization-server-group UM-Radius
accounting-server-group UM-Radius
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!

I have been on this issue for a few weeks now.
Thanks in advance.
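A small configuration audit, added here as an example (it is not part of the original post and not a Cisco tool), that parses an excerpt of the configuration above and reports what a reviewer would check first on an L2TP/IPsec setup: transform sets offered by the dynamic map that are not transport mode (Windows L2TP/IPsec clients negotiate transport mode, so tunnel-mode sets are never selected for them), access lists carrying an active `permit ip any any`, and whether IKEv1 is enabled on the interface the crypto map is bound to. The excerpt keeps the post's anonymised names.

```python
import re

# Excerpt of the ASA configuration posted above (constructed from the post; addresses anonymised as there).
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1
crypto map MAP_OUTSIDE interface Outside
crypto ikev1 enable Outside
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any any inactive
"""

def transform_set_modes(cfg):
    """Map each IKEv1 transform-set name to its mode; the ASA default is tunnel mode."""
    modes = {}
    for line in cfg.splitlines():
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+)(?: mode (\S+))?", line)
        if m:
            modes.setdefault(m.group(1), "tunnel")
            if m.group(2):
                modes[m.group(1)] = m.group(2)
    return modes

def tunnel_mode_sets_in_dynamic_map(cfg):
    """Transform sets the dynamic map offers that are not transport mode (unused by L2TP/IPsec clients)."""
    modes = transform_set_modes(cfg)
    offered = []
    for line in cfg.splitlines():
        m = re.match(r"crypto dynamic-map \S+ \d+ set ikev1 transform-set (.+)", line)
        if m:
            offered.extend(m.group(1).split())
    return [name for name in offered if modes.get(name, "tunnel") != "transport"]

def active_any_any_acls(cfg):
    """Names of ACLs with an active 'permit ip any any' entry; 'inactive' entries are skipped."""
    found = []
    for line in cfg.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip any any(?: (inactive))?$", line)
        if m and not m.group(2) and m.group(1) not in found:
            found.append(m.group(1))
    return found

def ikev1_enabled_on_crypto_map_interface(cfg):
    """True when every interface a crypto map is bound to also has 'crypto ikev1 enable'."""
    bound = re.findall(r"crypto map \S+ interface (\S+)", cfg)
    enabled = set(re.findall(r"crypto ikev1 enable (\S+)", cfg))
    return bool(bound) and all(i in enabled for i in bound)

if __name__ == "__main__":
    print("tunnel-mode sets offered:", tunnel_mode_sets_in_dynamic_map(ASA_CONFIG))
    print("ACLs with active permit ip any any:", active_any_any_acls(ASA_CONFIG))
    print("IKEv1 enabled on crypto-map interface:", ikev1_enabled_on_crypto_map_interface(ASA_CONFIG))
```

On the posted excerpt this reports ESP-AES256-SHA1 as the one tunnel-mode set in the list and Inside_access_in as the ACL whose any/any entry is active; the global_access one is inactive and is not reported.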

15 Replies

madismannik
Level 1

Hi Sachin,

It was none of those bugs; the actual problem was caused by our virus protection software. It is somehow weird, because a few computers with virus protection can connect to the VPN while, at the same time, computers with identical settings cannot connect to the VPN.

Anyway, it seems that the Cisco team has been really helpful to me.

I do actually have another concern with this firewall's config, but it is related to FTP connections and I believe I should open another case and mark this one solved.

Thanks again.