Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi all,

I am about to deploy a Remote access VPN, I have generated the config with SDM. And I need some guidance before I jump to the testing phase. Here are my goals: I need 3 groups (office, travelers and Guest). For now I only have one group set up and I want to start testing with it. I want to log all the users using a Radius server, and I want my radius server to provide them their Network configuration (IP, DNS..) and I want to tie them to their group. Here is the config for the office group, please let me know if it will meet my goal..... Thanks a lot..

Any guidance will be really really appreciated....


hostname trans_Atlas_VPN
!
boot-start-marker
boot-end-marker
!
logging buffered 20000
enable secret 5 $1$ktbl$QwO4ELmnsnfYAkcdiLsyO.
!
aaa new-model
!
!
aaa authentication login ssh group radius local
aaa authentication login vpn_authen group radius local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization network sdm_vpn_group_ml_1 group radius local
!
!
aaa session-id common
memory-size iomem 25
ip cef
!
!
no ip dhcp conflict logging
!
!
no ip domain lookup
ip domain name trans.Atl.com
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group OFFICE
key Ru$i055@CC$55
dns 10.11.a.b 10.11.c.d
domain trans.Atl.com
pool OFFICE_POOL
acl 100
group-lock
netmask 255.255.255.224
crypto isakmp profile sdm-ike-profile-1
   match identity group OFFICE
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set OFFICE_SET esp-aes esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set OFFICE_SET
set isakmp-profile sdm-ike-profile-1
!
!

interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet0/0
description DMZ9_Connection
ip address 10.1x.xx.5 255.255.255.0
no ip redirects
no ip unreachables
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
interface Ethernet1/0
description DMZ6_Connection
ip address 10.1x.x.45 255.255.254.0
no ip redirects
no ip unreachables
no ip mroute-cache
full-duplex
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 1.1.1.1 255.255.255.255 Null0
!
!
ip http server
ip http secure-server
ip dns server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.11.0.0 0.0.255.255 any
!
!
radius-server configure-nas
radius-server host 10.1xx.x.8 auth-port 1645 acct-port 1646 key 7 075870181E
!
control-plane
!
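As an added example (not part of the original post and not Cisco or SDM tooling), a small Python cross-reference check over the VPN-relevant lines of the config above: it resolves what the ISAKMP profile and the client configuration group point at (AAA login and authorization lists, the group, the pool, the ACL) and reports anything referenced but never defined. Run against the posted lines it flags OFFICE_POOL, because no `ip local pool OFFICE_POOL` line appears in the post; that is worth confirming before testing, given the stated plan is for RADIUS to hand out client addresses. The SAMPLE_CONFIG string and the indentation under the client configuration group are assumptions.

```python
# Constructed sample: the VPN-relevant lines of the config in the post above, with
# sub-commands indented as IOS prints them (extraction lost that indentation above).
SAMPLE_CONFIG = """\
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization network sdm_vpn_group_ml_1 group radius local
crypto isakmp client configuration group OFFICE
 pool OFFICE_POOL
 acl 100
 group-lock
crypto isakmp profile sdm-ike-profile-1
   match identity group OFFICE
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
access-list 100 permit ip 10.11.0.0 0.0.255.255 any
"""
# DEFINERS: top-level prefix -> (kind, index of name token); REFERENCES: sub-command prefix -> kind.
DEFINERS = {"aaa authentication login": ("login-list", 3), "ip local pool": ("pool", 3),
            "aaa authorization network": ("authz-list", 3), "access-list": ("acl", 1),
            "crypto isakmp client configuration group": ("group", 5)}
REFERENCES = {"pool": "pool", "acl": "acl", "match identity group": "group",
              "client authentication list": "login-list", "isakmp authorization list": "authz-list"}

def parse_blocks(text):
    """Split a running-config into (top-level line, [stripped indented sub-lines])."""
    blocks = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s == "!":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(s)
        else:
            blocks.append((s, []))
    return blocks

def check_vpn_references(text):
    """Return references from crypto isakmp blocks to objects the config never defines."""
    blocks = parse_blocks(text)
    defined = {kind: {h.split()[i] for h, _ in blocks if h.startswith(p + " ")}
               for p, (kind, i) in DEFINERS.items()}
    problems = []
    for head, body in blocks:
        if not head.startswith("crypto isakmp "):
            continue
        for sub in body:
            for prefix, kind in REFERENCES.items():
                name = sub.split()[len(prefix.split())] if sub.startswith(prefix + " ") else None
                if name and name not in defined[kind]:
                    problems.append(f"{head}: {kind} '{name}' is referenced but never defined")
    return problems
```

Paste the full running-config in place of SAMPLE_CONFIG to check the other two groups once they are added.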

16 Replies

Hi Prapanch,

I did enable NAT-T, in fact I have enabled NAT-T on the ASA and the remote VPN server router behind the ASA. This was the step. Just to let you know, the VPN router is behind a 5510 in a DMZ. Traffic to port 500, isakmp, esp and ah is permitted on the outside interface. As the interface connected to the VPN has a higher security level than the outside interface, there is no ACL in the VPN DMZ.

At this point, I really don't know what else to try!

Thanks,

Jean Paul

Hey Jean,

What we can try is to apply captures on the ASA's outside and DMZ interfaces to see how packets are flowing, and analyze them in .pcap format.

https://supportforums.cisco.com/docs/DOC-1222

Also, as Nash suggested, this has gone on for a long time now. If needed, please feel free to open up a TAC case and get this addressed at the earliest.

Cheers,

Prapanch