Whats up with RA VPN Wizard? - Cisco Community

541

Views

0

Helpful

3

Replies

It was my understanding that the goal of the Wizard was to leave you with a working Remote Access VPN. I have tried both the IPsec and the AnyConnect vpn with no success accessing internal objects after I connect. I suspect something is missing Nat related please check this config and tell me what you think.

ASA Version 8.4(2)

!

hostname Meador

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

description outside

nameif outside

security-level 0

ip address 192.168.50.1 255.255.255.0

!

interface GigabitEthernet1

nameif inside

security-level 100

ip address 10.20.20.1 255.255.255.0

!

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network I-10.20.20.0

subnet 10.20.20.0 255.255.255.0

object network NETWORK_OBJ_172.20.20.0_24

subnet 172.20.20.0 255.255.255.0

pager lines 1000

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool VPN-172.20.20.0 172.20.20.1-172.20.20.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static NETWORK_OBJ_172.20.20.0_24 NETWORK_OBJ_172.20.20.0_24 no-proxy-arp route-lookup

!

object network I-10.20.20.0

nat (any,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 192.168.50.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable 4433

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint1

enrollment self

subject-name CN=Meador

crl configure

crypto ca certificate chain ASDM_TrustPoint1

certificate 25236c51

308201c7 30820130 a0030201 02020425 236c5130 0d06092a 864886f7 0d010105

05003028 310f300d 06035504 0313064d 6561646f 72311530 1306092a 864886f7

0d010902 16064d65 61646f72 301e170d 31333034 31353136 30393336 5a170d32

33303431 33313630 3933365a 3028310f 300d0603 55040313 064d6561 646f7231

15301306 092a8648 86f70d01 09021606 4d656164 6f723081 9f300d06 092a8648

86f70d01 01010500 03818d00 30818902 818100ba a1f08249 2c14798e 17f277ec

51e8c316 35929ca2 47d3bc58 52183e99 9308dc2c f56d5022 b445fb10 c75a1298

85183211 20dcfded 3f31634f 04528107 846f8ad5 8fffd3b0 e761b014 5c670b61

d8558d4c 070762bf bd7035cd da25c55c 1f22712a 634cbdd9 7e3fb0b9 35c72bd9

7ad2c452 da2e5d6d 5615a8e7 e8f48239 6c46cb02 03010001 300d0609 2a864886

f70d0101 05050003 8181005e 55126b26 0e0de05d 88f024c8 8c73bb87 127d4c39

84865adf 58ec904a 55a254e2 1363de23 5d04c7a2 3149adde c2c32bcc 7222a895

ec255ff9 eb052f62 51430488 3617bd42 5b82774d c455e570 4394064b 1683d08b

f3860d99 ff308522 3ad9f2ab cbe2e0ff 271abab2 0df4fcbf e744bc83 a0de158d

e7f9f704 cf9f5947 8f6159

quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint1 outside

webvpn

anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1

anyconnect profiles Any-VPN_client_profile disk0:/Any-VPN_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_Any-VPN internal

group-policy GroupPolicy_Any-VPN attributes

wins-server none

dns-server value 4.2.2.2

vpn-tunnel-protocol ikev2 ssl-client

default-domain none

webvpn

anyconnect profiles value Any-VPN_client_profile type user

group-policy VPN-Bob internal

group-policy VPN-Bob attributes

dns-server value 4.2.2.2

vpn-tunnel-protocol ikev1

default-domain value Meador-Networks.com

username Bobby password rzpyEEdNtrAcOd5t encrypted privilege 15

tunnel-group VPN-Bob type remote-access

tunnel-group VPN-Bob general-attributes

address-pool VPN-172.20.20.0

default-group-policy VPN-Bob

tunnel-group VPN-Bob ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group Any-VPN type remote-access

tunnel-group Any-VPN general-attributes

address-pool VPN-172.20.20.0

default-group-policy GroupPolicy_Any-VPN

tunnel-group Any-VPN webvpn-attributes

group-alias Any-VPN enable

!

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:122c0353ece91fd00f846fdb2652149d

: end

3 Replies 3

Hi,

Can you tell us what you are using to test connectivity to the internal network? ICMP or perhaps some application?

Have you completely removed this default configuration?

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

no protocol-enforcement

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect icmp error

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect rtsp

inspect icmp

service-policy global_policy global

If you are testing with ICMP then its good to have the above ICMP inspection enabled.

Even though I imagine you NAT should be fine I would configure it in a different way

object network LAN

subnet 10.20.20.0 255.255.255.0

object network VPN-POOL

subnet 172.20.20.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

If you are planning to browse Internet while connected to the VPN Client connection you might need the following configurations

same-security-traffic permit intra-interface

object network VPN-PAT

subnet 172.20.20.0 255.255.255.0

nat (outside,outside) dynamic interface

Or alternatively change the default PAT to this

object-group network DEFAULT-PAT-SOURCE

network-object 10.20.20.0 255.255.255.0

network-object 172.20.20.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

- Jouni

Yes I'm testing with icmp from VPN client connected via pool address 172.20.20.1

Hi,

If you dont have this configuration on the ASA at all

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

no protocol-enforcement

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect icmp error

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect rtsp

inspect icmp

service-policy global_policy global

Then I would suggest adding it and testing again.

- Jouni

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community