Advice ASA VPN Host-to-LAN implementation

cdicesare
Level 1

Hello,

I would like some advice concerning the implementation of two ASA 5520s (in failover).


Architecture Context

-The ASAs are used as VPN concentrators only. Initially the ASAs will handle IPsec Host-to-LAN VPN connections (with the IPsec VPN client), and I think the SSL VPN AnyConnect client will be set up in the near future.

-We must define two categories of users (student and researcher); for each one we want to define:

  + An IP address pool

  + ACL

  + Split Tunneling (only LAN traffic will go in the VPN tunnel)

-The ASA will perform authentication via a RADIUS server (the RADIUS server is linked to an LDAP server)

  + In the RADIUS server we want to define the category of each user (each user is either a student or a researcher)

-The VPN clients use the internal DNS to reach LAN resources.

-A VPN timeout if there is no traffic for 60 minutes

-The VPN users perform authentication with a PSK (no certificate)

PS: the RADIUS server software is IETF compatible (http://www.open.com.au/radiator/index.html)

The architecture is the following:

-One Internet connection

-A corporate firewall with 3 DMZs:

+ 1 public DMZ, to which the ASA "outside" interface is connected (encrypted traffic)

+ 1 private DMZ, to which the ASA "inside" interface is connected (unencrypted traffic)

+ 1 LAN DMZ, with some VLANs routed by 6500 routers.

-The RADIUS servers are on the LAN

-On the corporate firewall:

  +HTTPS and IPsec will be opened between the Internet and the ASA

  +RADIUS traffic between the ASA and the RADIUS servers, and traffic between the VPN user pool and the LAN.

A topology screenshot is attached to this post.


Questions

-What is the best solution to configure the ASA?

I thought of configuring:

-One pool for the "students"

ip local pool student-pool X.X.X.X-Y.Y.Y.Y

-One pool for the "researchers"

ip local pool researcher-pool A.A.A.A-B.B.B.B

-One ACL for split tunneling for "students"

access-list student-filter standard permit xxxxxx xxxxx

-One ACL for split tunneling for "researchers"

access-list researcher-filter standard permit xxxxxx xxxxx

-The server group for the RADIUS server

aaa-server radius-server protocol radius
aaa-server radius-server (inside) host C.C.C.C
 key whatiwant
 authentication-port 1812
 accounting-port 1813

-The DNS servers

dns server-group dns-corp
  name-server X.X.X.X
  domain-name corp.lan

dns domain-lookup inside
dns domain-lookup outside

-Enable WebVPN

webvpn
  enable outside
  anyconnect-essentials
  svc image disk0:/XXXX regex "Windows CE"
  svc image disk0:/XXXXX 2 regex "Windows NT"
  svc image disk0:/XXXXX 3 regex "Linux"
  svc enable

-Define IPSec encryption

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5  ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA  ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

- One global tunnel-group for IPsec and AnyConnect

  + tunnel-group VPNUSER general-attributes

  + authentication-server-group radius-server

  + tunnel-group VPNUSER ipsec-attributes

  + pre-shared-key *****

- One group-policy for the "student", with attributes:

  + group-policy student internal
  + group-policy student attributes

  + vpn-tunnel-protocol IPSec svc webvpn

  + banner value "Welcome student"

  + split-tunnel-policy tunnelspecified
  + split-tunnel-network-list value student-filter

  + address-pools value student-pool

  + dns-server value X.X.X.X

  + default-domain value corp.lan

  + vpn-idle-timeout 60

- One group-policy for the "researcher", with attributes:

  + group-policy researcher internal
  + group-policy researcher attributes

  + vpn-tunnel-protocol IPSec svc webvpn

  + banner value "Welcome researcher"

  + split-tunnel-policy tunnelspecified
  + split-tunnel-network-list value researcher-filter

  + address-pools value researcher-pool

  + dns-server value X.X.X.X

  + default-domain value corp.lan

  + vpn-idle-timeout 60

- On the RADIUS server I will configure Class attribute 25 with ou=student or ou=researchers.

Do you think this parameter can be configured per user on the RADIUS server?

Does it seem OK to you?


I don't have the ASA at the moment for testing.

Thank you for your suggestions and help.

Best Regards

Cédric
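Added example (not from the original post) of how the pieces above fit together on an 8.x-era ASA: the RADIUS Class attribute selects the group-policy by name, the PSK sits under the tunnel-group, and a deny-all fallback policy catches users whose RADIUS reply carries no usable Class value. It reuses the post's names (student-pool, researcher-pool, student-filter, researcher-filter, radius-server, VPNUSER, corp.lan) and assumes a DNS server 10.0.0.53 and vpn-filter ACLs student-acl / researcher-acl defined elsewhere.

```cisco
! Added example, not the original poster's config. Assumed: DNS 10.0.0.53,
! ACLs student-acl / researcher-acl defined elsewhere, 8.x syntax (IPSec svc webvpn).

! Fallback for users whose RADIUS reply has no usable Class attribute:
! zero logins rejects them instead of silently applying DfltGrpPolicy.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy name must match the text RADIUS sends in Class ("OU=student;").
group-policy student internal
group-policy student attributes
 vpn-tunnel-protocol IPSec svc webvpn
 banner value Welcome student
 address-pools value student-pool
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value student-filter
 vpn-filter value student-acl
 dns-server value 10.0.0.53
 default-domain value corp.lan
 vpn-idle-timeout 60

group-policy researcher internal
group-policy researcher attributes
 vpn-tunnel-protocol IPSec svc webvpn
 banner value Welcome researcher
 address-pools value researcher-pool
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value researcher-filter
 vpn-filter value researcher-acl
 dns-server value 10.0.0.53
 default-domain value corp.lan
 vpn-idle-timeout 60

! One tunnel-group for the IPsec client and AnyConnect. The PSK belongs here
! (ipsec-attributes), not in a group-policy; the IPsec client's group name is VPNUSER.
tunnel-group VPNUSER type remote-access
tunnel-group VPNUSER general-attributes
 authentication-server-group radius-server
 default-group-policy NOACCESS
tunnel-group VPNUSER ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! RADIUS reply attribute per user (IETF attribute 25, Class), illustrative values:
!   student user    -> Class = "OU=student;"
!   researcher user -> Class = "OU=researcher;"
! The ASA maps the text between "OU=" and ";" to the group-policy of that name,
! so the RADIUS value and the group-policy name must agree exactly (singular/plural).
```

With the ACL from the post being a standard ACL, split-tunnel-network-list only steers which destinations enter the tunnel; the vpn-filter ACL is what actually restricts what each category may reach on the LAN.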

1 Reply

cdicesare
Level 1

Hello world,

Nobody has an idea about my questions?

Thank you in advance for your help