cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8624
Views
0
Helpful
33
Replies

Cisco Easy VPN Configuration for ASA 5515-X version 9.1

Rizwan
Level 1
Level 1

Hi, 

I want to configure Easy vpn on ASA 5515-X firewall IOS version 9.1 and I don't want to use asdm. 

Please let me know the configuration. Thanks. 

1 Accepted Solution

Accepted Solutions

> How it is possible to access firewall using VPN?

"management-access inside"

View solution in original post

33 Replies 33

The Cisco VPN-client which is used by EasyVPN is EOL and a new deployment shouldn't be based on that. Better go for AnyConnect. If you still want to configure EasyVPN, here is an example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/68795-asa-remotevpn-asdm.html

The syntax changed slightly but the concepts are the same.

More info and the actual syntax is shown in the config-guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_remote_access.html

Please also send me anyconnect VPN configuration

It's all found in the config-guide:

If you want to go the easy way, take the VPN-wizard and look at what gots configured there. That can be extended to your needs then.

I have configured EZ vpn and my client is connected but internet stops working and I am unable to access my local LAN. 

My crystal ball tells me that you missed to configure Split-tunneling and/or your NAT/NAT-exemption is wrong.

But sometimes even these crystal balls are wrong, so it could help to see what your actual config is. ;-)

I configured split tunneling and after that internet is working fine. 

When I use same subnet for VPN users and LAN users and exemt nat LAN  is also accessible but when I use different subnet for my VPN users LAN is not accessible.  I think NAT exempt is not required in second case. how to configure it without NAT exempt. 

>I think NAT exempt is not required in second case. how to configure it without NAT exempt. 

It's very unlikely that you don't need NAT-exemption. Just compare traffic from inside LAN to the VPN-pool if that matches any of the NAT-rules. Typically there is a NAT rule at the end of your NAT-config  for (inside,outside)  where the whole traffic gets NAT/PAT for internet-access. If this rule is matched, then it can't work.

I am getting following error message in asdm logs after manual configuration and VPN is not connecting

 

Group = RAS-MEDIA, Username = rizwan, IP = 182.180.114.243, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.50.100/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

Probably your crypto-map and/or crypto access-lists are wrong.

y VPN is connected but unable to access local LAN. Following is my configuration 

 

ASA Version 9.1(1) 
!
hostname Medialogic-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN_POL 192.168.50.100-192.168.50.150 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 202.x.x.x 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.20.57.1 255.255.0.0 
!
interface GigabitEthernet0/2
 shutdown
 nameif DMZ
 security-level 50
 no ip address
!             
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
!
ftp mode passive
object network INSIDE_HOSTS
 subnet 172.20.0.0 255.255.0.0
object network NETWORK_OBJ_172.20.0.0_16
 subnet 172.20.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
access-list RAS-MEDIA_splitTunnelAcl standard permit 172.20.0.0 255.255.0.0 
pager lines 24
logging enable
logging console warnings
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu backup 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic INSIDE_HOSTS interface
nat (inside,outside) source static NETWORK_OBJ_172.20.0.0_16 NETWORK_OBJ_172.20.0.0_16 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 202.x.x.x 1

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.100.0 255.255.255.0 management
http 172.20.58.59 255.255.255.255 inside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
 
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.20.58.59 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection rate icmp-drop rate-interval 600 average-rate 5555 burst-rate 50
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RAS-MEDIA internal
group-policy RAS-MEDIA attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAS-MEDIA_splitTunnelAcl
username vpn password ipT92iBMo5fLIuiz encrypted
username umer password mTnGSw0kCnDHr780 encrypted
username rizwan password /BCII2dYm.UXESdU encrypted
tunnel-group RAS-MEDIA type remote-access
tunnel-group RAS-MEDIA general-attributes
 address-pool VPN_POL
 default-group-policy RAS-MEDIA
tunnel-group RAS-MEDIA ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:a7744507f7cb4255faaba0a829f64155
: end

The NAT-rules are in the wrong order. They are processed top-down and the exemption has to be on the top of the list. 

I have changed the order but still not working, LAN is not accessible

Is there any route required for VPN pool 192.168.50.0/24

Is the ASA the centrag internet-gateway? then no extra routing is needed.

Is your client behind a NAT/PAT? the you have to reenable NAT-traversal:

crypto isakmp nat-traversal