
Cisco ASA 5512-X for VPN in transparent mode.

vasilioshapsis
Level 1

Hello,

I am currently attempting to configure a Cisco ASA 5512-x to sit within our local area network to conduct the following:

1. Accept VPN connections from clients outside the network and authenticate these clients against Active Directory (clients working from home or from another depot),

2. The ASA will be located and connected behind our firewall,

3. The ASA will issue 10 IP addresses which have been reserved from the DHCP Server for all VPN clients that connect into the network,

4. The ASA should connect (if possible) using one interface and allow bi-directional traffic through. The security level is fully trusted, as authentication will ensure that trusted clients are connecting to the network.

Find attached the diagram for reference (please note the diagram is for reference only).

Any help is greatly appreciated.

Vasilios

4 Replies

For me it just looks overly complex how you want to achieve that (and complexity is one of the enemies of security). Still, it should work as mentioned. Are there any specific problems you are facing?

Hi Karsten. Basically, what we are looking to achieve is for clients that are located outside our trusted network to be able to connect via a VPN connection to the network, authenticate, and then receive an IP that has been reserved on the DHCP server. The client will then be able to use resources on the network just as they would if they were physically on the network. The problem I am facing is how to configure the ASA interface ports to permit these connections and how it will be connected to the network. I don't know if it is possible to permit bi-directional traffic through a single ASA interface port.

You need to enable "same security-level permit intra-interface" on the ASA to allow packets being received and sent out of the same interface.

Then you enable all functionality (webvpn, default-route) on a single interface. Don't configure any NAT on that device.

On the transparent firewall allow tcp/443 and udp/443 from the gateway to the VPN-ASA.

Hi Karsten

I have enabled the command; however, my work on Cisco ASAs is very limited, and my understanding of how the interfaces work using INSIDE and OUTSIDE is different, because the device is not directly connected to any outside interfaces. The device will be sitting inside our network, hence configuring two interfaces will result in overlapping. Here is the current running configuration:

CCIH-ASA# sh run
: Saved
:
ASA Version 8.6(1)
!
hostname CCIH-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
description INSIDE INTERFACE
nameif INSIDE
security-level 100
ip address 10.0.50.101 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object network NETWORK_OBJ_10.0.50.0_27
subnet 10.0.50.0 255.255.255.224
pager lines 24
mtu INSIDE 1500
ip local pool CCIH-VPN-POOL 10.0.50.15-10.0.50.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INSIDE,INSIDE) source static any any destination static NETWORK_OBJ_10.0.50.0_27 NETWORK_OBJ_10.0.50.0_27 no-proxy-arp route-lookup
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.50.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INSIDE_map interface INSIDE
crypto ikev1 enable INSIDE
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.50.0 255.255.255.0 INSIDE
telnet timeout 15
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
username brett password pk7vWhuOTkY9HKQBvrQMkg== nt-encrypted privilege 0
username brett attributes
vpn-group-policy DefaultRAGroup
username vasilios password 5lH32dbQrsYZ7rQSCCQpCg== nt-encrypted privilege 0
username vasilios attributes
vpn-group-policy DefaultRAGroup
username cisco password 3USUcOPFUiMCO4Jk encrypted
username mark password L6yyPF0rIYFt6c89aa9CgA== nt-encrypted privilege 0
username mark attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool CCIH-VPN-POOL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 28
subscribe-to-alert-group configuration periodic monthly 28
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bd7f560f5f13f6d084b7be26fb6bc067
: end
CCIH-ASA#
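The following is an added example, not part of the thread and not Karsten's or the poster's own configuration: it writes out the single-interface recipe from Karsten's reply (intra-interface permit, no NAT, default route and webvpn on the one interface, only tcp/443 and udp/443 opened on the transparent firewall) against the running configuration posted above. Three things are worth checking in that posted config before applying anything: it contains `same-security-traffic permit inter-interface`, which covers traffic between two different interfaces at the same level, not the `intra-interface` form that is needed for traffic to re-enter and leave the same INSIDE interface; it still carries the `nat (INSIDE,INSIDE)` rule that Karsten says to leave out; and it has no `webvpn` enable, no default route and no AAA server, so the Active Directory authentication from item 1 of the original post is not configured yet (the only VPN users are local accounts, and the group policy allows l2tp-ipsec only, which would need more than port 443 through the firewall). The LAN gateway 10.0.50.1, the domain controller 10.0.50.10, the LDAP base and bind DNs, the domain name example.local and the AnyConnect package file name are assumptions made for this example; the pool CCIH-VPN-POOL and interface name INSIDE are taken from the posted config.

```cisco
! Added example, not from the thread. Cisco ASA 8.6(1), one interface (INSIDE).
! Assumed values: 10.0.50.1 = LAN gateway, 10.0.50.10 = domain controller / DNS,
! the LDAP DNs, example.local, and the AnyConnect package file name.

! 1. Hairpinning: VPN packets arrive on INSIDE and are forwarded out of INSIDE.
!    The posted config only has the inter-interface form; it does not cover this.
same-security-traffic permit intra-interface

! 2. No NAT on this device (Karsten's reply). Remove the posted identity rule
!    with its exact text, otherwise the "no" form is rejected.
no nat (INSIDE,INSIDE) source static any any destination static NETWORK_OBJ_10.0.50.0_27 NETWORK_OBJ_10.0.50.0_27 no-proxy-arp route-lookup

! 3. Default route via the single interface towards the LAN gateway, which the
!    transparent firewall passes tcp/443 and udp/443 (DTLS) through to this ASA.
route INSIDE 0.0.0.0 0.0.0.0 10.0.50.1 1

! 4. Authenticate VPN users against Active Directory over LDAP.
!    Prefer "ldap-over-ssl enable" with "server-port 636" once the DC has a
!    certificate the ASA trusts; clear-text LDAP is shown here only for brevity.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (INSIDE) host 10.0.50.10
 server-port 389
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <bind-password>
 server-type microsoft

! 5. SSL VPN (AnyConnect) on INSIDE, using the pool that already exists.
!    Package name is a placeholder; use the file actually copied to disk0:.
webvpn
 enable INSIDE
 anyconnect image disk0:/anyconnect-win-x.y.z-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

group-policy CCIH-VPN-GP internal
group-policy CCIH-VPN-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.50.10
 default-domain value example.local

tunnel-group CCIH-VPN type remote-access
tunnel-group CCIH-VPN general-attributes
 address-pool CCIH-VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy CCIH-VPN-GP
tunnel-group CCIH-VPN webvpn-attributes
 group-alias CCIH-VPN enable

! 6. Management: the posted config allows telnet (clear text) on INSIDE.
!    Replace it with SSH; "crypto key generate rsa modulus 2048" is required first.
no telnet 10.0.50.0 255.255.255.0 INSIDE
ssh 10.0.50.0 255.255.255.0 INSIDE

! 7. Verification commands (run after applying the above)
! show run same-security-traffic   -> both the inter- and intra-interface lines
! show route                       -> S* 0.0.0.0 0.0.0.0 via 10.0.50.1, INSIDE
! test aaa-server authentication AD-LDAP host 10.0.50.10 username <user> password <pw>
! show vpn-sessiondb anyconnect    -> the connected client and its pool address
```

Two practical checks once a client is connected: the pool 10.0.50.15-10.0.50.20 sits inside the INSIDE subnet, so a LAN host must resolve a client's address to the ASA's MAC for return traffic to reach the tunnel; confirm that with a ping from a LAN host to the client's pool address and `show arp` on the ASA. Note also that the pool as posted holds six addresses (10.0.50.15 to .20), not the ten the original post reserved on the DHCP server.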