10-09-2012 08:50 AM
Just a roundup of my Cisco ASA configuration...
1) Configure remote access IPSec VPN
2) Group Policies - vpntesting
3) AES256 SHA DH group 5
4) Configure local user vpntesting
5) Configure dhcp pool - 10.27.165.2 to 10.27.165.128 mask /24
6) open access on outside interface
7) IKE group - vpntesting
A) Did I miss anything?
B) For example, there is a LAN segment, 10.27.40.x/24, on the trusted leg of the Cisco ASA, but I can't access it. Do I need to create access lists to allow my VPN session to access the trusted LANs?
C) Any good guide for configuring remote access VPN using ASDM?
10-09-2012 10:50 AM
Hello Bernard,
You have listed it all, man :). Just one thing: did you create the split tunnel and specify the network which the VPN wants to access? Also, if you have NAT configured for internet access for your LAN, then you need to have a 'no nat' configured
for this VPN communication.
Please post your config so that I can help you out if there is something else playing a role.
Harish,
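As an added example (not part of the original thread), here is what the pieces Harish lists look like on an ASA running 8.3 or later, using the values from the first post (AES-256/SHA/DH group 5, pool 10.27.165.2-128, group policy, user and tunnel group all named vpntesting, trusted LAN 10.27.40.0/24). The object names INSIDE_NET, VPN_POOL_NET, SPLIT_TUNNEL_ACL, DYN_MAP and OUTSIDE_MAP and the interface names inside/outside are assumptions; the pre-8.3 NAT syntax (nat (inside) 0 access-list ...) is different and not shown.

```cisco
! Added example, not from the original post. ASA 8.3+/8.4 syntax assumed.
! Objects for the twice-NAT exemption (names are assumptions)
object network INSIDE_NET
 subnet 10.27.40.0 255.255.255.0
object network VPN_POOL_NET
 subnet 10.27.165.0 255.255.255.0
!
! Client address pool from the first post
ip local pool VPN_POOL 10.27.165.2-10.27.165.128 mask 255.255.255.0
!
! Split tunnel: only the trusted LAN is sent through the tunnel, everything else stays local
access-list SPLIT_TUNNEL_ACL standard permit 10.27.40.0 255.255.255.0
!
! NAT exemption ("no nat"): LAN <-> VPN pool keeps real addresses in both directions.
! Without this, replies from 10.27.40.x to VPN clients are translated by the outside
! PAT rule and never come back through the tunnel.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
!
! Phase 1 (IKEv1): AES-256 / SHA / DH group 5, as listed in the post
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Phase 2 proposal and a dynamic crypto map for remote-access peers
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set AES256-SHA
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
!
! Group policy: IKEv1 only, split tunnelling limited to SPLIT_TUNNEL_ACL
group-policy vpntesting internal
group-policy vpntesting attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
!
! Local user bound to the group policy
username vpntesting password <set-a-strong-password>
username vpntesting attributes
 vpn-group-policy vpntesting
!
! Tunnel group (the "IKE group" in the post) with pool, policy and pre-shared key
tunnel-group vpntesting type remote-access
tunnel-group vpntesting general-attributes
 address-pool VPN_POOL
 default-group-policy vpntesting
tunnel-group vpntesting ipsec-attributes
 ikev1 pre-shared-key <set-a-strong-psk>
!
! Default on the ASA: decrypted VPN traffic bypasses the outside interface ACL, so
! question B is normally answered by the NAT exemption above, not by an access list.
sysopt connection permit-vpn
```

Two checks after a client connects: `show crypto ipsec sa` should show the encaps/decaps counters both increasing for the client SA, and `packet-tracer input inside icmp 10.27.40.10 8 0 10.27.165.5` should hit the nat exemption rule rather than the outside PAT rule; if it hits the PAT rule, the exemption is missing or ordered after it.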
10-12-2012 08:17 AM
I have couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
1: Sometimes, clients are connected and the connection shows established, but no traffic or pings can be made to the corp network. It might have to do with NAT settings to exempt VPN traffic from being NATed.
2: VPN clients don't pick the same IP address from the local address pool even though I specified the "RECYCLE" option.
I would appreciate it if you could look at my configuration and advise on any misconfiguration or anything that needs to be corrected.
Thank you so much.
Configuration:
##############################################################################
TQI-WN-RT2911#sh run
Building configuration...
Current configuration : 7420 bytes
!
! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TQI-WN-RT2911
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp remember
!
!
ip domain name telquestintl.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2562258950
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2562258950
revocation-check none
rsakeypair TP-self-signed-2562258950
!
!
crypto pki certificate chain TP-self-signed-2562258950
certificate self-signed 01
#########
quit
license udi pid CISCO2911/K9 sn ##############
!
!
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
delay down 10 up 20
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ############## address 173.161.255.### 255.255.255.240
!
crypto isakmp client configuration group EASY_VPN
key ##############
dns 10.10.0.241 10.0.0.241
domain domain.com
pool EZVPN-POOL
acl VPN+ENVYPTED_TRAFFIC
save-password
max-users 50
max-logins 10
netmask 255.255.255.0
crypto isakmp profile EASY_VPN_IKE_PROFILE1
match identity group EASY_VPN
client authentication list default
isakmp authorization list default
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EASY_VPN_IPSec_PROFILE1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile EASY_VPN_IKE_PROFILE1
!
!
crypto map VPN_TUNNEL 10 ipsec-isakmp
description ***TUNNEL-TO-FAIRFIELD***
set peer 173.161.255.241
set transform-set ESP-3DES-SHA
match address 105
!
!
!
!
!
interface Loopback1
ip address 10.10.30.1 255.255.255.0
!
interface Tunnel1
ip address 172.16.0.2 255.255.255.0
ip mtu 1420
tunnel source GigabitEthernet0/0
tunnel destination 173.161.255.241
tunnel path-mtu-discovery
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Optonline WAN secondary
ip address 108.58.179.### 255.255.255.248 secondary
ip address 108.58.179.### 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN_TUNNEL
!
interface GigabitEthernet0/1
description T1 WAN Link
ip address 64.7.17.### 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN
ip address 10.10.0.1 255.255.255.0 secondary
ip address 10.10.0.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
!
!
router eigrp 1
network 10.10.0.0 0.0.0.255
network 10.10.30.0 0.0.0.255
network 172.16.0.0 0.0.0.255
!
router odr
!
router bgp 100
bgp log-neighbor-changes
!
ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay 65535
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map OPTIMUM-ISP interface GigabitEthernet0/0 overload
ip nat inside source route-map T1-ISP interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.0.243 25 108.58.179.### 25 extendable
ip nat inside source static tcp 10.10.0.243 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.243 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.220 3389 108.58.179.### 3389 extendable
ip nat inside source static tcp 10.10.0.17 12000 108.58.179.### 12000 extendable
ip nat inside source static tcp 10.10.0.16 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.16 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.16 3389 108.58.179.### 3389 extendable
ip route 0.0.0.0 0.0.0.0 108.58.179.### track 1
ip route 0.0.0.0 0.0.0.0 64.7.17.97 ##
!
ip access-list extended VPN+ENVYPTED_TRAFFIC
permit ip 10.10.0.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
permit ip 10.10.30.0 0.0.0.255 any
!
ip sla 1
icmp-echo 108.58.179.### source-interface GigabitEthernet0/0
threshold 100
timeout 200
frequency 3
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.10.0.0 0.0.0.255
access-list 2 permit 10.10.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
access-list 105 permit gre host 108.58.179.### host 173.161.255.###
!
!
!
!
route-map T1-ISP permit 10
match ip address 100
match interface GigabitEthernet0/1
!
route-map OPTIMUM-ISP permit 10
match ip address 100
match interface GigabitEthernet0/0
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
TQI-WN-RT2911#
##############################################################################
01-28-2014 06:23 AM
You may need to enable NAT Traversal. Type the following command.
crypto isakmp nat-traversal 30
More in depth info here:
http://supertekboy.com/2014/01/28/cisco-vpn-connects-but-cannot-access-inside-resources/
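As an added example (not from any of the posts above), here is how the two fixes suggested in this thread, NAT traversal and a "no nat" exemption, would be applied to the IOS EasyVPN configuration posted earlier. The existing route-maps OPTIMUM-ISP and T1-ISP match access-list 100, which permits 10.10.0.0/24 to any, so the example swaps in a named ACL that denies LAN-to-pool traffic first; the ACL name NO_NAT_VPN is an assumption, and the pool 10.10.30.0/24 and interface names come from the posted config.

```cisco
! Added example, not from the original posts. Assumes the posted IOS 15.1 config.
!
! 1. NAT traversal with 30-second keepalives, as the last reply suggests: clients
!    behind a home or hotel NAT then negotiate UDP/4500 encapsulation.
crypto isakmp nat-traversal 30
!
! 2. NAT exemption. The deny line must come before the permit: a packet from the LAN
!    to a VPN client then fails the route-map match and is not translated, so the
!    client sees the real 10.10.0.x source and the reply returns through the tunnel.
ip access-list extended NO_NAT_VPN
 deny   ip 10.10.0.0 0.0.0.255 10.10.30.0 0.0.0.255
 permit ip 10.10.0.0 0.0.0.255 any
!
! Point both ISP route-maps at the new ACL instead of access-list 100
route-map OPTIMUM-ISP permit 10
 match ip address NO_NAT_VPN
 match interface GigabitEthernet0/0
!
route-map T1-ISP permit 10
 match ip address NO_NAT_VPN
 match interface GigabitEthernet0/1
!
! 3. Verification (read-only commands):
!    show ip route 10.10.30.51        -> should point at a Virtual-Access interface
!    show crypto ipsec sa              -> #pkts encaps and #pkts decaps both increasing
!    show ip nat translations | include 10.10.30   -> should return nothing
!    show crypto isakmp sa detail      -> "N" in the capabilities column when NAT-T is in use
```

If `show ip nat translations` still lists entries for 10.10.30.x after the change, clear the stale entries with `clear ip nat translation *` (this drops existing translations for all inside hosts, so do it in a maintenance window).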