06-10-2016 03:47 AM
Hello,
I am currently attempting to configure a Cisco ASA 5512-x to sit within our local area network to conduct the following:
1. Accept VPN connections from clients outside the network and authenticate these clients against Active Directory (clients working from home or another depot).
2. The ASA will be located and connected behind our firewall.
3. The ASA will issue 10 IP addresses, which have been reserved from the DHCP server, to all VPN clients that connect into the network.
4. The ASA should connect (if possible) using one interface and allow bi-directional traffic through. The security level is fully trusted, as authentication will ensure that trusted clients are connecting to the network.
Find attached the diagram for reference (please note the diagram is for reference only).
Any help is greatly appreciated.
Vasilios
06-13-2016 03:53 AM
For me it just looks overly complex how you want to achieve that (and complexity is one of the enemies of security). Still, it should work as mentioned. Are there any specific problems you are facing?
06-13-2016 07:52 AM
06-13-2016 08:09 AM
You need to enable "same-security-traffic permit intra-interface" on the ASA to allow packets to be received and sent out of the same interface.
Then you enable all functionality (webvpn, default-route) on a single interface. Don't configure any NAT on that device.
On the transparent firewall allow tcp/443 and udp/443 from the gateway to the VPN-ASA.
06-13-2016 11:44 PM
Hi Karsten
I have enabled the command; however, my work on Cisco ASAs is very limited, and my understanding of how the interfaces work using INSIDE and OUTSIDE is different here because the device is not directly connected to any outside interfaces. The device will be sitting inside our network, hence configuring two interfaces will result in overlapping. Here is the current running configuration:
CCIH-ASA# sh run
: Saved
:
ASA Version 8.6(1)
!
hostname CCIH-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
description INSIDE INTERFACE
nameif INSIDE
security-level 100
ip address 10.0.50.101 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object network NETWORK_OBJ_10.0.50.0_27
subnet 10.0.50.0 255.255.255.224
pager lines 24
mtu INSIDE 1500
ip local pool CCIH-VPN-POOL 10.0.50.15-10.0.50.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INSIDE,INSIDE) source static any any destination static NETWORK_OBJ_10.0.50.0_27 NETWORK_OBJ_10.0.50.0_27 no-proxy-arp route-lookup
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.50.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INSIDE_map interface INSIDE
crypto ikev1 enable INSIDE
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.50.0 255.255.255.0 INSIDE
telnet timeout 15
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
username brett password pk7vWhuOTkY9HKQBvrQMkg== nt-encrypted privilege 0
username brett attributes
vpn-group-policy DefaultRAGroup
username vasilios password 5lH32dbQrsYZ7rQSCCQpCg== nt-encrypted privilege 0
username vasilios attributes
vpn-group-policy DefaultRAGroup
username cisco password 3USUcOPFUiMCO4Jk encrypted
username mark password L6yyPF0rIYFt6c89aa9CgA== nt-encrypted privilege 0
username mark attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool CCIH-VPN-POOL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 28
subscribe-to-alert-group configuration periodic monthly 28
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bd7f560f5f13f6d084b7be26fb6bc067
: end
CCIH-ASA#
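The following is an added example (editor's illustration, not configuration posted by either participant) that puts the steps from the 06-13-2016 08:09 AM reply next to the running configuration above: a single-interface ("on a stick") remote-access VPN on the ASA with hairpinning enabled, no NAT, a pool of ten addresses, and authentication against Active Directory over LDAP. Two things differ from the posted config: it uses `same-security-traffic permit intra-interface` (the posted config only has `inter-interface`, which does not allow hairpinning on one interface), and it removes the `nat (INSIDE,INSIDE)` identity rule. The LAN gateway (10.0.50.1), the domain controller (10.0.50.10), the base DN, bind account, domain name, AnyConnect package name and the exact pool range are assumptions and must be replaced with real values.

```cisco
! ---- Hairpin: VPN traffic enters and leaves on the same interface ----
same-security-traffic permit intra-interface
!
! ---- One interface only; default route points at the LAN gateway (assumed 10.0.50.1) ----
interface GigabitEthernet0/0
 description INSIDE INTERFACE
 nameif INSIDE
 security-level 100
 ip address 10.0.50.101 255.255.255.0
route INSIDE 0.0.0.0 0.0.0.0 10.0.50.1 1
!
! ---- No NAT on this box: remove the identity rule from the posted config ----
no nat (INSIDE,INSIDE) source static any any destination static NETWORK_OBJ_10.0.50.0_27 NETWORK_OBJ_10.0.50.0_27 no-proxy-arp route-lookup
!
! ---- Ten addresses reserved on the DHCP server (assumed reservation 10.0.50.11-10.0.50.20) ----
no ip local pool CCIH-VPN-POOL
ip local pool CCIH-VPN-POOL 10.0.50.11-10.0.50.20 mask 255.255.255.0
!
! ---- Active Directory via LDAP (host, base DN and bind account are assumptions) ----
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (INSIDE) host 10.0.50.10
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=local
 server-type microsoft
!
! ---- SSL VPN (AnyConnect) enabled on the single interface; udp/443 is DTLS ----
webvpn
 enable INSIDE
 anyconnect image disk0:/anyconnect-win-4.x-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy GP-REMOTE internal
group-policy GP-REMOTE attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.50.10
 default-domain value example.local
 split-tunnel-policy tunnelall
!
tunnel-group TG-REMOTE type remote-access
tunnel-group TG-REMOTE general-attributes
 address-pool CCIH-VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-REMOTE
tunnel-group TG-REMOTE webvpn-attributes
 group-alias REMOTE enable
```

For this to work, the perimeter gateway has to forward tcp/443 and udp/443 from the public address to 10.0.50.101, and the transparent firewall in between must permit that traffic, as the 08:09 AM reply says. The `test aaa-server authentication AD-LDAP host 10.0.50.10 username <user> password <pw>` command on the ASA checks the LDAP bind and the user lookup before any client connects. Separately, the posted configuration still carries the ASDM-generated DES and MD5 transform sets and IKEv1 policies; none of them is needed for an SSL-only deployment and they are best deleted rather than left as negotiable options.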