ASA VPN behind 2911 Router

browe-tfx · ‎11-09-2011

So far my network is setup as follows:

ISP -> Router 2911 (four VLANs) -> Switch 2960, there has been an ASA 5510 sitting around for sometime now the end goal for the ASA setup is to have it setup as a site-to-site VPN as well as a remote access VPN. What I am trying to determine is how I would I place the ASA behind the router. Right now I have it setup and plugged into the Swith, so would I NAT the private IP of the ASA to one of my public IPs?

Also, does anyone know where I can find a good guide on configuring VPN to authenicate against AD without using ADSM?

Mohammad Alhyari · ‎11-09-2011

Hi Brandon ,

you have to statically NAT the ASA translating the private ip address to a public one as it should be accessable from outside , on the router you should have the following port opened for the inbound access-list :

UDP 500 ISAKMP

UDP 4500 NAT Traversal

ESP 50

now regarding the LDAP example , please see the following :

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

part of the above example are to configure it via CLI,

HTH
Mohammad.

browe-tfx · ‎11-10-2011

Hi Mohammad,

Thanks for the LDAP work perfectly my firewall now does LDAP authenication! But maybe I'm missing something, on the side of the VPN setup on the firewall and I've got it statically map via the router. But when I open up my VPN client its still not connecting to the gateway I get the peer not responding. Any ideas?

Router Access List/Static Map/Interface:

interface GigabitEthernet0/0

ip address 38.xxx.xxx.xxx 255.255.255.252

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip verify unicast reverse-path

ip nbar protocol-discovery

ip flow ingress

ip nat outside

ip inspect TRAFFIC_ALLOWED out

ip virtual-reassembly

duplex full

speed 100

no cdp enable

ip nat inside source static 10.10.18.3 38.x.x.x

access-list 110 permit udp host 10.10.18.1 host 10.10.18.3 eq isakmp

access-list 110 permit udp host 10.10.18.1 host 10.10.18.3 eq non500-isakmp

ASA 5510

access-list NONAT extended permit ip 10.10.18.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list TFX100 remark ACL for TFX Remote

access-list TFX100 extended permit ip 10.10.18.0 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (outside) 0 access-list NONAT

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYNAMIC-MAP 5 set transform-set ESP-AES-128-SHA

crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

telnet timeout 5

ssh 10.10.18.0 255.255.255.0 outside

ssh timeout 60

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy TFXVPN internal

group-policy TFXVPN attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value TFX100

nem enable

username browe password jyPLVN4lhyIZeTsi encrypted privilege 15

tunnel-group TFX_TG type remote-access

tunnel-group TFX_TG general-attributes

default-group-policy TFXVPN

tunnel-group TFX_TG ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:7da7ebb38ef154ae00a2f8ad1ba430f8

browe-tfx · ‎11-10-2011

I've actually figured out whats wrong, but now I'm getting an error when a remote host tries to connect...

Removing peer from peer table failed, no match!

Unable to remove PeerTblEntry

It makes it through phase 1, but fails at phase 2