05-18-2011 11:25 PM
Dear Fellows,
I have a question that my users cant dial to remote vpn beside asa. They are some financial guys and need to access the vpn of some bank but they cant dial.
I have a setup in which on front there is Router--->ASA--->Core---->User
But users are complaining that they cant access the VPN. below is the configuration that i have done on my asa:
=======================================
ASA Version 7.2(4)
interface Ethernet0/0
nameif Outside
security-level 90
ip address 221.120.194.18 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.10.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
access-list 1 extended permit icmp any host x.x.x.x echo-reply
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 1533
access-list 1 extended permit icmp any host x.x.x.x echo
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 8642
access-list 1 extended permit tcp any host x.x.x.x eq 4500
access-list 1 extended permit tcp any host x.x.x.x eq 5000
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.x 10.1.10.9 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.3 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.4 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.8 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.10 netmask 255.255.255.255
access-group 1 in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
=====================================================================
x represent the public ip addresses.
Waiting for the reply.
Regards,
05-19-2011 12:19 AM
05-19-2011 12:32 AM
Shoaib this the more updated copy of my ASA
================================================================
ASA Version 7.2(4)
interface Ethernet0/0
nameif Outside
security-level 90
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.10.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PKT 5
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 1 extended permit icmp any host x.x.x.x echo-reply
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 1533
access-list 1 extended permit icmp any host x.x.x.x echo
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 8642
access-list 1 extended permit tcp any host x.x.x.x
access-list 1 extended permit ip any host x.x.x.x
access-list 1 extended permit ip any any
access-list 1 extended permit gre any host x.x.x.x
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.x 10.1.10.9 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.3 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.4 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.8 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.10 netmask 255.255.255.255
access-group 1 in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 Inside
http 10.1.10.0 255.255.255.255 Inside
http 58.27.246.10 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.1.10.0 255.255.255.0 Inside
telnet timeout 1000
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect pptp
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide