05-13-2011 09:33 PM
I've been trying to fight my way through the configuration of an ASA5505. So far we've got it running as a firewall, but now we're trying to get IPSec VPN running and it is becoming much more difficult. I managed to get it so that we could access the interior network only (with split tunnelling turned off), but once I activated split tunneling you could get at the Internet but no longer get to the internal network (not even the DNS). Sounds to me like a routing problem, but I'm not sure where to go ("show running-config" output attached at the end).
I imagine one of the problems is that I've been trying to set it up with the ASDM rather than through the console, partly so I don't have to haul a terminal to where the ASA is. Patching in a line or using SSH wouldn't really be too hard, but I'm not sure where to start. What's the best place to start to learn how to really use the ASA, for someone whose experience has been Mac/UNIX/a bit of VMS/Windows systems? We're a nonprofit, so expensive training programs are out.
Point 2: We're on ASA software version 8.2.2. When we got the device about a year ago it was recommended we not go to 8.3 because it was (a) new and (b) had a new and different NAT interface. If it's now recommended to go with a newer version then we can do that as well.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname {REDACTED}
domain-name {REDACTED}
enable password {REDACTED}
passwd {REDACTED}
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address {REDACTED}
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login VMP ASA5505 Authorized Use Only
banner asdm VMP ASA5505 Authorized Use Only
boot system disk0:/asa822-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.0.110
name-server 68.87.69.146
name-server 68.87.85.98
domain-name vinemapleplace.org
same-security-traffic permit inter-interface
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
port-object eq imap4
port-object eq pop2
port-object eq pop3
object-group service DM_INLINE_TCP_3 tcp
port-object eq ssh
port-object eq telnet
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service IPSEC tcp
description IPSEC
port-object eq 4500
object-group service ftp-highports tcp
description ftp-highports
port-object range 49423 49500
port-object range 49500 55000
access-list VMP_VPN_users_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.240 255.255.255.240 inactive
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list mgmt_access_in extended permit ip any any
access-list inside_access_in_1 remark HTTP out
access-list inside_access_in_1 extended permit object-group TCPUDP any any eq www log disable
access-list inside_access_in_1 remark FTP out
access-list inside_access_in_1 extended permit tcp any any object-group DM_INLINE_TCP_1 log disable
access-list inside_access_in_1 remark Telnet/SSH
access-list inside_access_in_1 extended permit tcp any any object-group DM_INLINE_TCP_3 log disable
access-list inside_access_in_1 remark DNS
access-list inside_access_in_1 extended permit object-group TCPUDP any any eq domain log disable
access-list inside_access_in_1 remark Mail
access-list inside_access_in_1 extended permit tcp any any object-group DM_INLINE_TCP_2 log disable
access-list inside_access_in_1 remark NTP
access-list inside_access_in_1 extended permit udp any any eq ntp log disable
access-list inside_access_in_1 extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in_1 remark Mail to mail.vinemapleplace.org
access-list inside_access_in_1 extended permit tcp any host 207.97.245.100 eq smtp log disable
access-list inside_access_in_1 extended permit tcp any any eq https
access-list inside_access_in_1 extended permit ip any any inactive
access-list inside_access_in_1 extended permit tcp any any inactive
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp any interface outside object-group IPSEC inactive
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list VMP_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 192.168.0.240-192.168.0.255 mask 255.255.255.240
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.10.100.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
user-message "Not authorized for VPN access."
dynamic-access-policy-record "VPN access"
description "VPN access policy"
network-acl inside_access_in
network-acl mgmt_access_in
webvpn
file-browsing enable
file-entry enable
http-proxy enable
url-entry enable
aaa-server VMP_LDAP protocol ldap
aaa-server VMP_LDAP (inside) host 192.168.0.110
server-port 636
ldap-base-dn ou=MyBusiness,dc=vmp,dc=local
ldap-group-base-dn dc=local,dc=vmp,ou=MyBusiness
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=VMPAdmin,ou=SBSUsers,ou=Users,ou=MyBusiness,dc=vmp,dc=local
ldap-over-ssl enable
server-type microsoft
eou allow none
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint Gatekeeper
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=gatehouse.vinemapleplace.org,OU=IT,O=VineMaplePlace,C=US,St=Washington,L=MapleValley
no client-types
crl configure
crypto ca trustpoint VMProotca
enrollment terminal
crl configure
crypto ca trustpoint VMP_VPN
enrollment terminal
subject-name CN=gatehouse.vinemapleplace.org,OU=IT,O=VineMaplePlace,C=US,St=Washington,L=MapleValley
crl configure
crypto ca trustpoint ASDM_java
id-usage code-signer
crl configure
crypto ca trustpoint ASDM_Java_Sign
id-usage code-signer
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
subject-name CN=gatehouse.vinemapleplace.org,O=VineMaplePlace,C=US
id-usage code-signer
crl configure
crypto ca certificate chain VMProotca
certificate ca
{...trimmed...}
quit
crypto ca certificate chain VMP_VPN
certificate 0b
{...trimmed...}
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication rsa-sig
encryption aes-192
hash sha
group 5
lifetime 86400
crypto isakmp policy 40
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10500 11000 11500
crypto isakmp am-disable
crypto isakmp reload-wait
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.0.110 source inside prefer
webvpn
enable outside
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy VMP_VPN internal
group-policy VMP_VPN attributes
wins-server value 192.168.0.110 192.168.0.111
dns-server value 192.168.0.110 192.168.1.1
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VMP_VPN_splitTunnelAcl
default-domain value vinemapleplace.org
vlan none
webvpn
url-list none
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
authentication-server-group VMP_LDAP
default-group-policy VMP_VPN
tunnel-group VMP_VPN type remote-access
tunnel-group VMP_VPN general-attributes
address-pool (inside) VPN_POOL
address-pool VPN_POOL
authentication-server-group VMP_LDAP
authentication-server-group (inside) VMP_LDAP
authorization-server-group VMP_LDAP
authorization-server-group (inside) LOCAL
default-group-policy VMP_VPN
tunnel-group VMP_VPN webvpn-attributes
group-alias VMP_remote enable
tunnel-group VMP_VPN ipsec-attributes
trust-point VMP_VPN
tunnel-group-map default-group VMP_VPN
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
!
!
policy-map global-policy
class global-class
inspect ftp
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
!
service-policy asa_global_fw_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:{REDACTED}
: end
05-14-2011 06:38 AM
Hi scott,
I can see your internal network is 192.168.0.0/24 and you are allowing access to this network to the remote clients:
access-list VMP_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
And I can also see that you are using "ip local pool VPN_POOL 192.168.0.240-192.168.0.255 mask 255.255.255.240"
for your Remote users.
Overlapping Private Networks
Problem
If you are unable to access the internal network after the tunnel establishment, check whether the IP address assigned to the VPN client overlaps with the internal network behind the head-end device.
Solution
Always make sure that the IP addresses in the pool assigned to the VPN clients, the internal network of the head-end device and the VPN client's internal network are in different networks. You can assign the same major network with different subnets, but sometimes routing issues occur.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#ra-sol-3
HTH,
Regards,
Kishore
Please rate if helpful
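To make the overlap Kishore describes checkable rather than eyeballed, here is an added example (not from this thread or from Cisco) that parses the relevant lines of an ASA running-config and flags any address pool whose ends fall inside a non-outside interface subnet or a split-tunnel network. POSTED is a constructed excerpt of the config above; CORRECTED is a constructed variant with the pool moved to a hypothetical 192.168.2.0/28.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: the pool 192.168.0.240-.255 sits inside
# 192.168.0.0/24, which is both the inside interface subnet and the split-tunnel net.
POSTED = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
access-list VMP_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
ip local pool VPN_POOL 192.168.0.240-192.168.0.255 mask 255.255.255.240
"""
# Constructed corrected variant: pool moved to its own /28 (hypothetical value).
CORRECTED = POSTED.replace("192.168.0.240-192.168.0.255", "192.168.2.1-192.168.2.14")

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+) mask ([\d.]+)")
SPLIT_RE = re.compile(r"^access-list (\S+) standard permit ([\d.]+) ([\d.]+)")

def parse(config):
    """Collect address pools, interface subnets keyed by nameif, and standard-ACL networks."""
    pools, iface_nets, split_nets, nameif = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()  # the forum dump lost its indentation, so accept both forms
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif and len(line.split()) == 4:
            _, _, ip, mask = line.split()  # skips redacted/incomplete address lines
            iface_nets[nameif] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := SPLIT_RE.match(line):
            split_nets.append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
    return pools, iface_nets, split_nets

def pool_overlaps(pools, nets):
    """Return (pool, network) pairs where either end of the pool lies in the network."""
    return [(name, str(net)) for name, (lo, hi) in pools.items()
            for net in nets if lo in net or hi in net]

def check(config):
    """Report pools overlapping a non-outside interface subnet or a split-tunnel network."""
    pools, iface_nets, split_nets = parse(config)
    inside = [net for name, net in iface_nets.items() if name != "outside"]
    return {"inside": pool_overlaps(pools, inside),
            "split_tunnel": pool_overlaps(pools, split_nets)}
```

Run check() over the full running-config text; an empty list under both keys is the condition Kishore's tech-note link asks for.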
05-14-2011 12:33 AM
Hi,
Please tell me what your internal networks are. It's a part of split-tunneling. They are 192.168.0.0/24 and 192.168.1.0/24. Right?
Toshi
05-14-2011 06:38 PM
OK, that seems simple enough, throw the VPN on a separate network and add routing table entries to route between the two.
One more question: how does the VPN relate to the firewall, and will changing the address require that there be entries in the firewall to allow/deny traffic between Inside/VPN and VPN/Outside, or is VPN traffic automatically considered to be on the Inside interface? I'm a bit confused because sometimes it seems as though VPN traffic is treated as "Inside" and other times not quite inside, but there isn't a "VPN" segment in the firewall panes.
05-14-2011 07:23 PM
Hi Scott,
Yep, you need to allow the remote VPN pool to access the internal networks in your firewall section. Your remote users will be coming from the outside interface, as the crypto map would be assigned to the outside interface.
Create an object in the Network objects for remote users and allow them to access whatever you want (internal, DMZ, etc.) in the firewall section. If you want them to access everything then just allow permit ip any any.
When you use the ASA as a firewall, nothing is allowed by default. You have to specifically allow subnets to access what you want them to.
HTH,
Regards,
Kishore
Please rate if helpful