esundberg
Level 1

So I just installed a new ASA running 8.4, which has a new way of doing NAT, so here is an example config of how to set up a VPN on a stick.

I just wasted the better half of a night figuring this out, so I decided to share the info since Cisco has updated their documentation of this.

Reason for Doc: VPN clients need access to your inside network and also internet access via the VPN.

The old way to configure this is in this Cisco document for ASA 7.2: http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00805734ae.shtml

Old Way

same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 172.16.43.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

New Way 8.4(2) and UP

same-security-traffic permit intra-interface
nat (inside,outside) source dynamic RFC1918 interface
nat (outside,inside) source static NET-VPNPOOL NET-VPNPOOL
nat (outside,outside) source dynamic NET-VPNPOOL interface

Full Example

! Allow traffic from the VPN "outside" to the Internet "outside" - AKA intra interface traffic

same-security-traffic permit intra-interface

! PRIVATE IP SPACE DEFINED BY RFC 1918
object-group network RFC1918
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 10.0.0.0 255.0.0.0

! VPN POOL
object-group network NET-VPNPOOL
network-object 172.16.43.0 255.255.255.0

! NORMAL NAT FROM INSIDE TO INTERNET
nat (inside,outside) source dynamic RFC1918 interface

! VPN to INSIDE AKA KEEP THE SAME ADDRESS
nat (outside,inside) source static NET-VPNPOOL NET-VPNPOOL

! VPN CLIENT NEEDS INTERNET TOO
nat (outside,outside) source dynamic NET-VPNPOOL interface

! VPN CONFIGURATION
!----------------------------------

! IP POOL
ip local pool VPN-POOL 172.16.43.1-172.16.43.254 mask 255.255.255.0

! TRANS SET
crypto ipsec ikev1 transform-set CIMCO_MAN_TRANS esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set CIMCO_MAN_TRANS

! INJECT THE VPN CLIENT'S IP INTO THE LOCAL ROUTING TABLE USING OSPF/RIP - I USE OSPF Internally
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

! APPLY THE CRYPTO MAP TO THE OUTSIDE INTERFACE
crypto map OUTSIDE_MAP interface outside

crypto ikev1 enable outside
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

group-policy VPNCLIENT internal
group-policy VPNCLIENT attributes
! USE MY DNS SERVER (Optional)
dns-server value 192.168.1.2 192.168.1.3
vpn-tunnel-protocol ikev1
! FORCE THE VPNCLIENT TO TUNNEL ALL TRAFFIC
split-tunnel-policy tunnelall

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPN-POOL
default-group-policy VPNCLIENT
tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key shhhh!!!!
! (OPTIONAL) DISABLE PROMPTING OF A USERNAME AND PASSWORD - I LEAVE THIS OFF FOR TESTING
ikev1 user-authentication none
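As an added example (not part of the original post), the small Python model below walks the three manual NAT rules above in the order the post lists them and shows which rule each kind of flow hits: inside host to the Internet, VPN client to the LAN, and the VPN client hairpin back out to the Internet. The outside interface address 203.0.113.2, the inside LAN 192.168.1.0/24 and the route lookup are constructed assumptions; real ASA NAT also consults access lists and connection state, which this model leaves out.

```python
import ipaddress
from dataclasses import dataclass

OUTSIDE_IF_IP = "203.0.113.2"  # constructed stand-in for the ASA outside interface address

# Object groups exactly as defined in the post.
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
NET_VPNPOOL = [ipaddress.ip_network("172.16.43.0/24")]

@dataclass
class NatRule:
    real_if: str    # ingress interface, first name in "nat (real,mapped)"
    mapped_if: str  # egress interface, second name in "nat (real,mapped)"
    source: list    # real source object(s)
    mapped: str     # "interface" (PAT to egress interface IP) or "identity" (keep address)

# The three manual NAT rules, in the order the post lists them (first match wins).
RULES = [
    NatRule("inside", "outside", RFC1918, "interface"),       # normal inside -> Internet PAT
    NatRule("outside", "inside", NET_VPNPOOL, "identity"),    # VPN client -> LAN, keep pool address
    NatRule("outside", "outside", NET_VPNPOOL, "interface"),  # VPN client -> Internet hairpin
]

def egress_interface(dst_ip: str) -> str:
    """Constructed route lookup: 192.168.1.0/24 sits behind inside, all else follows the default route."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network("192.168.1.0/24"):
        return "inside"
    return "outside"

def translate(ingress_if: str, src_ip: str, dst_ip: str, intra_interface: bool = True):
    """Return (rule_number, translated_source) for the first matching rule,
    (0, src_ip) if no rule matches, or None if the hairpin is refused."""
    egress_if = egress_interface(dst_ip)
    # Entering and leaving on the same interface only works with
    # "same-security-traffic permit intra-interface" configured.
    if ingress_if == egress_if and not intra_interface:
        return None
    src = ipaddress.ip_address(src_ip)
    for number, rule in enumerate(RULES, start=1):
        if rule.real_if == ingress_if and rule.mapped_if == egress_if and any(src in net for net in rule.source):
            return (number, OUTSIDE_IF_IP if rule.mapped == "interface" else src_ip)
    return (0, src_ip)

if __name__ == "__main__":
    print(translate("inside", "192.168.1.50", "8.8.8.8"))          # (1, '203.0.113.2')
    print(translate("outside", "172.16.43.10", "192.168.1.2"))     # (2, '172.16.43.10')
    print(translate("outside", "172.16.43.10", "8.8.8.8"))         # (3, '203.0.113.2')
    print(translate("outside", "172.16.43.10", "8.8.8.8", False))  # None
```

The last call shows why the `same-security-traffic permit intra-interface` line is not optional: without it the VPN client's Internet-bound traffic is dropped before NAT is ever consulted.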

Comments
fabricecochard
Community Member

Thank you very much for this config, very useful.

I was in a similar situation and it helped me very much.

Fabrice

Thank you very much for this configuration, I just tested it for my customer and it works like a charm.

tortugiland
Level 1

Thanks Thanks Thanks

Thanks.

Very useful.

EckoForce_1
Level 1

This works great, but how do you set it up with a no NAT? Say I want my folks who VPN in to be able to access things on the LAN but still allow them to surf the web through the ASA?

I got this so far:

ip local pool VPNPOOL 192.168.0.101-192.168.0.125

object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0

nat (inside,outside) source dynamic obj-192.168.0.0 interface
nat (outside,inside) source static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source dynamic obj-192.168.0.0 interface

group-policy DefaultRAGroup attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 password-storage disable
 pfs enable
 split-tunnel-policy tunnelall

BUT none of my traffic makes it to the LAN with any of these:

nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (any,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp
nat (outside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup

I wonder if I have to play with the "split-tunnel-policy tunnelall" line??

Any help would be great, thanks

ST
