Solved: Re: Urgent Help in ASA 5055 VPN

maenabutabanjeh · ‎05-14-2010

Hey guys ...

am beginner in ASA and cisco configuration , i always use ASDM Launcher to configure or modifying my Cisco ASA5055 Firewall , i tried to enable VPN on my ASA using IPsec VPN Wizard , Remote VPN section and i made correct configuration for Cisco VPN Client (not windows) , until this moment i still unable to connect to my VPN , i dont know where is the problem exactly , is it routing ? or access list?
here is running configuration :

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

: Saved
:
ASA Version 8.0(3)6 
!
hostname ciscoasa
enable password ******* encrypted
passwd ********* encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.252 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list DALLAS_splitTunnelAcl standard permit host 192.168.3.229 
access-list DALLAS_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252 
access-list DALLAS_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0 
access-list dallas_VPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252 
access-list Out extended permit ip any any 
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 192.168.14.0 255.255.255.192 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool Dallas 192.168.14.1-192.168.14.50 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255 
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 192.168.3.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 1:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
vpnclient server xx.xx.xx.xx
vpnclient mode client-mode
vpnclient vpngroup dallas password ********
vpnclient username dallas password ********
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy dallas internal
group-policy dallas attributes
 dns-server value xx.xx.xx.xx
 vpn-tunnel-protocol IPSec 
username admin password *************** encrypted privilege 15
username dallas password *********  nt-encrypted privilege 0
username dallas attributes
 vpn-group-policy DefaultRAGroup
username user1 password *********** nt-encrypted privilege 0
username cisco password ********* encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group dallas type remote-access
tunnel-group dallas general-attributes
 address-pool Dallas
 default-group-policy dallas
tunnel-group dallas ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:beac138dba28b1b3b58dffbcbc4fbb93
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

when i use VPN Client to connect to my VPN network using real IP ,this message appears

please if anyone can see the problem and tell me how to solve it by ASDM GUI or CLI , but i preferred ASDM..

Note : VPN tunnel should connect to Internal Network IP Range 192.168.3.X
which is accessible by ASA as you see from redirection to 192.168.3.229

thanks everyone

Jennifer Halim · ‎05-14-2010

Here are the step by step on all the commands that are required so far:

conf t

sysopt connection permit-vpn

crypto isakmp nat-traversal 25

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.14.0 255.255.255.192

group-policy dallas attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DALLAS_splitTunnelAcl

username dallas attributes

no vpn-group-policy DefaultRAGroup

vpn-group-policy dallas

no static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255

static (inside,outside) tcp interface 80 192.168.3.229 80 netmask 255.255.255.255

static (inside,outside) tcp interface 132 192.168.3.229 132 netmask 255.255.255.255

static (inside,outside) tcp interface 444 192.168.3.229 444 netmask 255.255.255.255

static (inside,outside) tcp interface 66 192.168.3.229 66 netmask 255.255.255.255

static (inside,outside) tcp interface 77 192.168.3.229 77 netmask 255.255.255.255

clear xlate

And finally "wr mem" to save the configuration.

In regards to spam, ASA can't block spam unless you have CSC module installed on the ASA.

View solution in original post

maenabutabanjeh · ‎05-14-2010

where are you people , moderators ... no one is live in there??? heloooooooooooooooo

Jennifer Halim · ‎05-14-2010

This static NAT statement is incorrect:

static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255

Please remove the above line.

You might want to enable NAT-T too just in case you are connecting from PAT device:

crypto isakmp nat-traversal 25

Split tunnel has not been applied to your group policy even though you have configured ACL for it. To apply the split tunnel (assuming you are using Dallas group):

group-policy dallas attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DALLAS_splitTunnelAcl

Lastly, if you are using username "dallas", currently the group policy is assigned to "DefaultRAGroup". If you want to use "dallas" group policy instead for "dallas" username, you might want to change it to be assigned to "dallas" default group policy:

username dallas attributes
no vpn-group-policy DefaultRAGroup

vpn-group-policy dallas

Hope the above will help.

PS: this is an online community, and no moderator that provides urgent assistance. If you would like urgent assistance, pls open a Cisco TAC case, and engineer can provide urgent assistance. Thanks.

maenabutabanjeh · ‎05-14-2010

thank you man for replying , first about this statement :

static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255

I cant remove it because its uses to redirect users to Citrix Server through Web through port 80 , users connecting to citrix server to access our applications by using static IP (http://xx.xx.xx.xx) , this NAT statement will redirect connecton to Citrix Essential , so its looks like Port forward from 1-65000 --> 192.168.3.229. i dont know if there is method to specifiy some ports to be redirected to Citrix instead of redirect all ports connection to one server , i mean if citrix ports were for example (80,132,444,66,77) , how can i redirect theses ports to 192.168.3.229?

this why i can remove NAT STATEMENT.

i will try and tell you what will happen ..

thank you man in advance

Jennifer Halim · ‎05-14-2010

You need to do port redirection if you are using the outside interface ip address for your citrix translation. Otherwise, all will be forwarded to citrix including the IPSec traffic.

Here is the example of port redirection:

static (inside,outside) tcp interface 80 192.168.3.229 80 netmask 255.255.255.255

static (inside,outside) tcp interface 132 192.168.3.229 132 netmask 255.255.255.255

static (inside,outside) tcp interface 444 192.168.3.229 444 netmask 255.255.255.255

static (inside,outside) tcp interface 66 192.168.3.229 66 netmask 255.255.255.255

static (inside,outside) tcp interface 77 192.168.3.229 77 netmask 255.255.255.255

"clear xlate" after the configuration changes.

maenabutabanjeh · ‎05-14-2010

really thank you for replaying , someone in other forums answered the following :

here's one thing:

no sysopt connection permit-vpn

i don't know ASDM so I can't tell you where to enable this feature in the GUI, sorry. if you want to get into the CLI you will just issue sysopt connection permit-vpn

.

you will also need to add this line to enable communication from your 3 network out to your vpn clients:

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.14.0 255.255.255.192

is that correct??? and now what should i do?? exactly , am sorry for that i know , but you do a good help for me , using CLI i will open terminal and write

ena , ... and then??? i mean tell me step by step what to do , because i dont know how to use CLI Commands , i always use GUI ..

one more thing , can i use ASA rules or filters to prevent outgoing SPAM??

thank you again

Jennifer Halim · ‎05-14-2010

Here are the step by step on all the commands that are required so far:

conf t

sysopt connection permit-vpn

crypto isakmp nat-traversal 25

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.14.0 255.255.255.192

group-policy dallas attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DALLAS_splitTunnelAcl

username dallas attributes

no vpn-group-policy DefaultRAGroup

vpn-group-policy dallas

no static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255

static (inside,outside) tcp interface 80 192.168.3.229 80 netmask 255.255.255.255

static (inside,outside) tcp interface 132 192.168.3.229 132 netmask 255.255.255.255

static (inside,outside) tcp interface 444 192.168.3.229 444 netmask 255.255.255.255

static (inside,outside) tcp interface 66 192.168.3.229 66 netmask 255.255.255.255

static (inside,outside) tcp interface 77 192.168.3.229 77 netmask 255.255.255.255

clear xlate

And finally "wr mem" to save the configuration.

In regards to spam, ASA can't block spam unless you have CSC module installed on the ASA.

maenabutabanjeh · ‎05-15-2010

sir after applying these settings i was unable to connect to my ASA through ASDM or even through http://10.10.10.2/admin

i only through terminal on COM2

the users want to kill me they cant access citrix and i cant also access ASA through asdm

Jennifer Halim · ‎05-15-2010

I would strongly recommend that you open a Cisco TAC case so an engineer can assist you with the configuration.

For citrix access, just reconfigure the static statement that works before.

maenabutabanjeh · ‎05-15-2010

man wait here , i will let you access my computer through team viewer and check the configuration ... please stay here i will provide you with user name and password to check the configuration ... just please for a minutes there 6 branchs currently cant use application

maenabutabanjeh · ‎05-15-2010

all right man , download Teamviewer ID :

**************

password *************

please connect to my computer and i will lead you to terminal just i want you to roll back configuration and re-enable redirection to 192.168.3.229 all ports , same as was and enable web management and ASDM Managment all what i want is this ... please i dont want loose my job