ASA 8.4 Fixed IP site - site VPN Remote has Dynamic IP

mstacey_2
Level 1

Scenario using ASA V8.4

RemoteLan 10.1.1.0/24 - Router (dynamic WAN IP) ----------- site to site VPN -------------- ASA - ASA LAN 192.168.1.0/24

I am trying to get my head round configuring an ASA with V8.4 code, where things have changed, especially NAT.

In earlier ASA 7/8.x code I believe the crypto map below would have allowed a properly configured remote router to connect irrespective of its WAN IP.

I am struggling to get my head round how I achieve the same in ASA V8.4. Can anybody assist or give me an example please?

I have searched the web and found plenty of examples for earlier code but specifically am trying to learn about how to achieve it with v8.4.

access-list outside_crypto_map_20.1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list outside_crypto_map_20.1
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto dynamic-map cisco 1 match address outside_crypto_map_20.1
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 1
lifetime 28800
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key 12345678

Regards

M

12 Replies

paulmobbs
Level 1

I'm struggling with the same issue. If anyone has any example config they could share to achieve this I'd be grateful.


!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
interface Vlan10
nameif outside
security-level 0
ip address 172.1.1.1 255.255.255.240
!
boot system disk0:/asa842-k8.bin
ftp mode passive
object network obj-10.20.0.0
subnet 10.20.0.0 255.255.255.0
object network obj-192.168.44.0
subnet 192.168.44.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.20.0.0 obj-10.20.0.0 destination static obj-192.168.44.0 obj-192.168.44.0 no-proxy-arp
!
object network obj-10.20.0.0
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.1.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map mymap 1 set ikev1 transform-set myset
crypto dynamic-map mymap 1 set reverse-route
crypto map dyn-map 10 ipsec-isakmp dynamic mymap
crypto map dyn-map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key mykey
!
class-map inspection_default
match default-inspection-traffic
!

Hi,

I have an example working config I can share. Only problem is I'm away from my network and configs until Saturday...

I have an asa5510 with 8.42 with a fixed outside (public) IP address configured with ikev2 and dynamic tunnel-group to an asa5505 8.42. This test VPN was designed so that home workers can take a 5505 home along with a wireless PoE AP and a Toshiba VoIP handset located on the inside of the ASA. The ASA is assumed to be located behind the user's DSL router, but I've not yet tested behind NAT.

The test was performed successfully and I got the 5505 to initiate a tunnel and pass LAN traffic to the fixed IP ASA. The ASA outside interfaces were configured in the same subnet (we have lots of public IPs from our ISP to play with, fortunately ;-)). To validate my test, I manually changed the 5505 outside IP to several different addresses whilst the tunnel was up and only saw short drops in traffic flow until the tunnels were re-established with each IP I assigned.

I did notice a few weird things -

Using ASDM to monitor ONLY (I hate using ASDM with a passion to make config changes; I only use it to watch the tunnels and keep an eye on fancy graphs) I noticed the tunnel was still referring to the previous 5505 IP address, not the current one... But thinking about it, that may have been a stale ARP entry?

Hope I haven't got your hopes up if you see a flaw in my test, because I've not yet performed this through another NAT device on a different public range, but I'm pretty confident.

FYI, the 5510 is in a live environment

.... Sorry, submitted before finishing my essay!

5510 is live and terminates 5 other ikev2 VPN tunnels to our remote offices around the world (but they all have static public IPs)

As soon as I can I'll post the relevant configs from each side of the tunnels

Stuart

Stuart, I look forward to seeing your example configs and trying them in my environment.

Thank you

Hi Martin,

I do apologise for the delay, it's been hectic at work with a new VoIP telephone system being installed and other work... sometimes being a solo network/system admin can take its toll!

I've pasted the configs below. They are heavily scrubbed, but I have made sure the crypto maps/tunnel-groups/ACLs and fake IPs are matching, so you can get an idea of how I performed my tests.

Since I had to put this project on hold a few weeks ago, I fired the 5505 up and made sure it still worked, as I change my configs daily, mostly to tighten security and tweak settings here and there... The 5505 brought the tunnel up quick as lightning when I plugged the outside cable into my public network switch, even without any hosts on its inside. I guess this is due to the fact I have syslogging/RADIUS which are located at HQ, so those packets triggered the tunnel.

FYI, the object "obj_HomeVPN-ANR" is the subnet that is on the remote end = range 192.168.200.169 192.168.200.174

Feel free to ask any questions :-)

Regards,

Stuart

HQ Config on 5510:

: Saved

: Written by enable_15 at 15:01:01.672 GMT Tue Jan 24 2012

!

ASA Version 8.4(2)

!

hostname UK-FW

domain-name domain-name.com

enable password 123456 encrypted

passwd 123456 encrypted

names

name 192.168.44.3 Servername description Server1

dns-guard

!

interface Ethernet0/0

description ISP-GW

speed 1000

nameif outside

security-level 0

ip address 123.123.123.123 255.255.255.224 standby 123.123.123.124

!

interface Ethernet0/1

description Internal

speed 1000

duplex full

nameif inside

security-level 100

ip address 192.168.44.2 255.255.255.0 standby 192.168.44.254

!

interface Ethernet0/2

description DMZ Network

speed 100

duplex full

nameif dmz

security-level 50

ip address 192.168.100.1 255.255.255.0 standby 192.168.100.254

!

interface Ethernet0/3

description Guest Network

speed 100

duplex full

nameif guest

security-level 25

ip address 192.168.168.1 255.255.255.0 standby 192.168.168.254

!

interface Management0/0

description LAN/STATE Failover Interface

!

boot system disk0:/asa842-k8.bin

ftp mode passive

clock timezone GMT 0

clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server Server1

name-server Server2

domain-name domain-name.com

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any_In>Out

subnet 0.0.0.0 0.0.0.0

object network obj_any_DMZ

subnet 0.0.0.0 0.0.0.0

object network obj_UK1

subnet 192.168.44.0 255.255.255.0

object network obj_UK2

subnet 192.168.100.0 255.255.255.0

object network obj_UK3

subnet 10.16.192.0 255.255.224.0

object network obj_UK-Test

subnet 192.168.41.0 255.255.255.0

object network obj_UK-TestVoIP

subnet 172.16.41.0 255.255.255.0

object network obj_UK-Guests

subnet 192.168.168.0 255.255.255.0

object network obj_Test-Inside

host 192.168.41.1

object network obj_HomeVPN-ANR

range 192.168.200.169 192.168.200.174

object-group network UK

network-object object obj_UK1

network-object object obj_UK2

network-object object obj_UK3

object-group service VoIP_Protocols

service-object tcp destination eq h323

service-object tcp destination eq sip

service-object tcp destination eq 2000

service-object tcp destination eq 8080

object-group service Web_Browsing

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq ftp

object-group service DNS_Protocols

service-object udp destination eq domain

service-object tcp destination eq domain

object-group service ICMP_Protocols

service-object icmp echo

service-object icmp echo-reply

service-object icmp unreachable

object-group service IPSec_Protocols

service-object esp

service-object udp destination eq 4500

service-object udp destination eq 10000

service-object udp destination eq isakmp

object-group service GuestMail_Protocols

service-object tcp destination eq pop3

service-object tcp destination eq smtp

object-group service MySQL_Protocols

service-object tcp destination eq 3306

object-group service HT_to_Edge_Protocols

service-object tcp destination eq smtp

service-object tcp destination eq 50389

service-object tcp destination eq 50636

object-group service Remote_Admin_Protocols

service-object tcp destination eq 3389

service-object tcp destination eq 5900

service-object tcp destination eq ssh

service-object tcp destination eq telnet

access-list InsideIn remark Allow ICMP

access-list InsideIn extended permit object-group ICMP_Protocols object obj_UK1 any

access-list InsideIn extended permit object-group ICMP_Protocols object obj_UK3 any

access-list InsideIn extended permit object-group ICMP_Protocols object obj_UK-VoIP any

access-list InsideIn remark Allow Web Browsing

access-list InsideIn extended permit tcp object obj_UK1 any eq 8081

access-list InsideIn extended permit object-group Web_Browsing object obj_UK3 any

access-list InsideIn remark Allow IMAP & IMAP/S

access-list InsideIn extended permit tcp object obj_UK1 any eq 993

access-list InsideIn extended permit tcp object obj_UK1 any eq imap4

access-list InsideIn remark Allow DNS from ADDC's

access-list InsideIn extended permit object-group DNS_Protocols object-group UK-DC's object-group External_DNS

access-list InsideIn remark Allow NTP from ADDC's

access-list InsideIn extended permit udp object-group UK-DC's any eq ntp

access-list InsideIn remark Allow RDP/SSH from UK IT Admin

access-list InsideIn extended permit object-group Remote_Admin_Protocols any any

access-list InsideIn extended permit object-group Remote_Admin_Protocols object-group UK_ITAdmin_Clients any

access-list InsideIn remark Allow ePO to McAfee Threat Labs

access-list InsideIn extended permit tcp object obj_UK-Deploy any eq 8801

access-list InsideIn remark Allow Traffic to UK-Test

access-list InsideIn extended permit ip object obj_UK1 object obj_UK-Test

access-list InsideIn extended permit ip object obj_UK3 object obj_UK-Test

access-list InsideIn extended permit object-group MySQL_Protocols object-group UK-SQL_Servers object-group UK-Unix_DMZ

access-list InsideIn extended permit object-group MySQL_Protocols object obj_UK1 object-group UK-Unix_DMZ

access-list InsideIn extended permit object-group HT_to_Edge_Protocols object obj_UK-Mailbox object obj_UK-Edge

access-list InsideIn extended permit tcp object obj_UK-Mailbox any eq smtp

access-list InsideIn remark Allow IPSec Traffic Out

access-list InsideIn extended permit object-group IPSec_Protocols object obj_UK1 any

access-list InsideIn remark Deny All Other Traffic

access-list InsideIn extended deny ip any any

access-list OutsideIn remark Deny All Other Traffic

access-list OutsideIn extended deny ip any any

access-list DMZIn remark Allow DMZ Traffic In

access-list DMZIn remark Allow NTP

access-list DMZIn extended permit udp object obj_UK2 any eq ntp

access-list DMZIn remark Allow Edge to Mailbox SMTP

access-list DMZIn extended permit tcp object obj_UK-Edge any eq smtp

access-list DMZIn remark Deny All Other Traffic

access-list DMZIn extended deny ip any any

access-list GuestIn remark Allow Traffic from Guest

access-list GuestIn remark Allow Guest Web Browsing

access-list GuestIn extended permit object-group Web_Browsing object obj_UK-Guests any

access-list GuestIn remark Allow Guest NTP

access-list GuestIn extended permit udp object obj_UK-Guests any eq ntp

access-list GuestIn remark Allow POP3 and SMTP Access

access-list GuestIn extended permit object-group GuestMail_Protocols object obj_UK-Guests any

access-list GuestIn remark Allow IPSec Traffic Out

access-list GuestIn extended permit object-group IPSec_Protocols object obj_UK-Guests any

access-list GuestIn remark Deny All Other Traffic

access-list GuestIn extended deny ip any any

access-list UK-Test_VPN remark Encrypt Traffic to UK Test

access-list UK-Test_VPN extended permit ip object-group UK object obj_UK-Test

access-list UK-Test_VPN extended permit ip object obj_UK-VoIP object obj_UK-TestVoIP

access-list VPN_Accounting remark Capture Traffic for NPS Accounting

access-list VPN_Accounting extended permit tcp object obj_UK-RA any

access-list HomeVPN_Alex remark Encrypt Traffic to Alex Home

access-list HomeVPN_Alex extended permit ip object-group UK object obj_HomeVPN-ANR

pager lines 24

logging enable

logging timestamp

logging trap warnings

logging asdm debugging

logging mail critical

logging facility 21

logging host inside UK-Monitor

logging message 722053 level notifications

logging rate-limit 10 10 level 2

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu guest 1500

ip verify reverse-path interface outside

failover

failover lan unit primary

failover lan interface failover Management0/0

failover key 1 123456

failover replication http

failover link failover Management0/0

failover interface ip failover 10.10.44.1 255.255.255.224 standby 10.10.44.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static obj_UK1 obj_UK1 destination static obj_UK-Test obj_UK-Test no-proxy-arp route-lookup

nat (inside,outside) source static obj_UK1 obj_UK1 destination static obj_UK-RA obj_UK-RA no-proxy-arp route-lookup

nat (inside,outside) source static obj_UK3 obj_UK3 destination static obj_UK-Test obj_UK-Test no-proxy-arp route-lookup

nat (inside,outside) source static obj_UK3 obj_UK3 destination static obj_UK-RA obj_UK-RA no-proxy-arp route-lookup

nat (inside,outside) source static obj_UK-RA obj_UK-RA destination static obj_UK-Test obj_UK-Test no-proxy-arp route-lookup

nat (dmz,outside) source static obj_UK2 obj_UK2 destination static obj_UK-Test obj_UK-Test no-proxy-arp route-lookup

nat (inside,outside) source static obj_UK1 obj_UK1 destination static obj_HomeVPN-SP obj_HomeVPN-SP no-proxy-arp route-lookup

nat (inside,outside) source static obj_UK3 obj_UK3 destination static obj_HomeVPN-SP obj_HomeVPN-SP no-proxy-arp route-lookup

nat (inside,outside) source static obj_UK-RA obj_UK-RA destination static obj_HomeVPN-SP obj_HomeVPN-SP no-proxy-arp route-lookup

nat (dmz,outside) source static obj_UK2 obj_UK2 destination static obj_HomeVPN-SP obj_HomeVPN-SP no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic 123.123.123.123

object network obj_any_DMZ

nat (dmz,outside) dynamic 123.123.123.123

object network obj_UK-Guests

nat (guest,outside) dynamic 123.123.123.123

access-group OutsideIn in interface outside

access-group InsideIn in interface inside

access-group DMZIn in interface dmz

access-group GuestIn in interface guest

route outside 0.0.0.0 0.0.0.0 123.123.123.124 1

timeout xlate 3:00:00

timeout conn 5:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server UK_NPS protocol radius

aaa-server UK_NPS (inside) host NPSServer1

key 1234567

aaa-server UK_NPS (inside) host NPSServer2

key 1234567

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa accounting enable console UK_NPS

aaa accounting match VPN_Accounting inside UK_NPS

http server enable

http redirect outside 80

snmp-server host inside UK-Monitor community 123456

snmp-server location location1

snmp-server contact Someone

snmp-server community 123456

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps interface-threshold

snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable traps cpu threshold rising

service resetoutside

crypto ipsec ikev1 transform-set AES esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set 3DES esp-3des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes-256

protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity md5

crypto dynamic-map Dynamic_ISP_L2L 1 match address HomeVPN_Alex

crypto dynamic-map Dynamic_ISP_L2L 1 set ikev1 transform-set AES

crypto dynamic-map Dynamic_ISP_L2L 1 set ikev2 ipsec-proposal AES

crypto dynamic-map Dynamic_ISP_L2L 1 set security-association lifetime seconds 28800

crypto dynamic-map Dynamic_ISP_L2L 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map Dynamic_ISP_L2L 1 set reverse-route

crypto dynamic-map Dynamic_ISP_L2L 65535 set ikev1 transform-set AES

crypto dynamic-map Dynamic_ISP_L2L 65535 set ikev2 ipsec-proposal AES

crypto dynamic-map Dynamic_ISP_L2L 65535 set security-association lifetime seconds 28800

crypto dynamic-map Dynamic_ISP_L2L 65535 set security-association lifetime kilobytes 4608000

crypto dynamic-map Dynamic_ISP_L2L 65535 set reverse-route

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map VPN 1 match address A_Remote_ACL

crypto map VPN 1 set peer 222.222.222.222

crypto map VPN 1 set ikev1 transform-set AES

crypto map VPN 1 set ikev2 ipsec-proposal AES

crypto map VPN 1 set security-association lifetime seconds 28800

crypto map VPN 1 set security-association lifetime kilobytes 4608000

crypto map VPN 65535 ipsec-isakmp dynamic UK_RA_VPN_Map

crypto map VPN interface outside

crypto map UK_RA_VPN_Map 1 ipsec-isakmp dynamic UK_RA_VPN_Map

crypto ca trustpoint localtrust

enrollment self

fqdn somefqdn

subject-name CN=somefqdn

keypair sslvpnkeypair

crl configure

crypto ca certificate chain localtrust

certificate BIG HEX KEY

quit

crypto isakmp identity address

crypto isakmp nat-traversal 15

crypto isakmp disconnect-notify

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5

prf sha

lifetime seconds 14400

crypto ikev2 policy 2

encryption aes-256

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 65535

encryption 3des

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint localtrust

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 14400

crypto ikev1 policy 2

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 60

console timeout 0

management-access inside

dhcpd address 192.168.168.100-192.168.168.149 guest

dhcpd dns externaldns1 externaldns1 interface guest

dhcpd enable guest

!

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics host number-of-rate 2

threat-detection statistics port number-of-rate 2

threat-detection statistics protocol number-of-rate 2

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server Server2 source inside

ntp server Server1 source inside prefer

ssl trust-point localtrust outside

webvpn

enable outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

anyconnect profiles aprofilename disk0:/aprofile.xml

anyconnect enable

tunnel-group-list enable

username anadministrator password 123456 encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key ikev1psk

ikev2 remote-authentication pre-shared-key ikev2pskremote

ikev2 local-authentication pre-shared-key ikev2psklocal

tunnel-group Alex_Home-Dynamic type ipsec-l2l

tunnel-group Alex_Home-Dynamic ipsec-attributes

ikev1 pre-shared-key ikev1psk

ikev2 remote-authentication pre-shared-key ikev2remotepsk

ikev2 local-authentication pre-shared-key ikev2localpsk

!

class-map VoIP_In

match access-list VoIP_Inbound

class-map inspection_default

match default-inspection-traffic

class-map VoIP_Out

match access-list VoIP_Outbound

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect http

inspect icmp

inspect icmp error

policy-map VoIP_Policy

class VoIP_In

class VoIP_Out

!

service-policy global_policy global

service-policy VoIP_Policy interface outside

smtp-server smtpserver1 smtpserver2

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6f08ce23cd223a61c51a22aae2f83130

: end

Remote Config on 5505:

: Saved

: Written by enable_15 at 14:54:50.694 GMT Tue Jan 24 2012

!

ASA Version 8.4(2)

!

hostname UKANR-FW

domain-name domain-bname.com

enable password 987654 encrypted

passwd 987654 encrypted

names

name 192.168.44.3 UK-DC1 description AserverinHQ

name 192.168.44.4 UK-DC2 description UK Domain Controller2

name 192.168.44.14 UK-Monitor description UK Network Monitor

name 123.123.123.123 UK_VPN_Endpoint description UK VPN Endpoint

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.200.169 255.255.255.248

!

interface Vlan2

nameif outside

security-level 0

ip address 124.124.124.125 255.255.255.224

!

ftp mode passive

clock timezone GMT 0

clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server Server1

name-server Server2

domain-name domain-name.com

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network obj_UK1

subnet 192.168.44.0 255.255.255.0

object network obj_UK2

subnet 192.168.100.0 255.255.255.0

object network obj_UK3

subnet 10.16.192.0 255.255.224.0

object network obj_UK-VPN_Clients

subnet 192.168.200.0 255.255.255.0

object network obj_UK-VoIP

subnet 172.16.44.0 255.255.255.0

object network obj_UKANR1

subnet 192.168.200.168 255.255.255.248

object-group service Web-Browsing

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq ftp

service-object tcp destination eq 8080

object-group network UK

network-object object obj_UK1

network-object object obj_UK2

network-object object obj_UK3

network-object object obj_UK-VPN_Clients

object-group service DNS

service-object tcp destination eq domain

service-object udp destination eq domain

object-group service IPSec_VPN_Data

service-object esp

service-object udp destination eq 10000

service-object udp destination eq 4500

service-object udp destination eq isakmp

object-group service ICMP

service-object icmp echo

service-object icmp echo-reply

service-object icmp unreachable

access-list InsideIn remark allow ICMP

access-list InsideIn extended permit object-group ICMP object obj_UKANR1 any

access-list InsideIn remark allow DNS

access-list InsideIn extended permit object-group DNS object obj_UKANR1 any

access-list InsideIn remark allow Web Browsing

access-list InsideIn extended permit object-group Web-Browsing object obj_UKANR1 any

access-list InsideIn remark allow Internal Hosts to Remote Site

access-list InsideIn extended permit ip object obj_UKANR1 object-group UK

access-list InsideIn remark Allow IPSec VPN Clients Out

access-list InsideIn extended permit object-group IPSec_VPN_Data object obj_UKANR1 any

access-list InsideIn extended deny ip any any

access-list UK_VPN remark Traffic for encryption to UK

access-list UK_VPN extended permit ip object obj_UKANR1 object-group UK

access-list OutsideIn extended deny ip any any

pager lines 24

logging enable

logging timestamp

logging trap warnings

logging asdm notifications

logging host inside UK-Monitor

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo inside

icmp permit any echo-reply inside

icmp permit any echo-reply outside

icmp permit any echo outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source static obj_UKANR1 obj_UKANR1 destination static obj_UK1 obj_UK1 no-proxy-arp route-lookup

nat (inside,outside) source static obj_UKANR1 obj_UKANR1 destination static obj_UK2 obj_UK2 no-proxy-arp route-lookup

nat (inside,outside) source static obj_UKANR1 obj_UKANR1 destination static obj_UK3 obj_UK3 no-proxy-arp route-lookup

nat (inside,outside) source static obj_UKANR1 obj_UKANR1 destination static obj_UK-VPN_Clients obj_UK-VPN_Clients no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

access-group InsideIn in interface inside

access-group OutsideIn in interface outside

route outside 0.0.0.0 0.0.0.0 123.123.123.124 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server UK_NPS protocol radius

aaa-server UK_NPS (inside) host NPSServer1

timeout 5

key key1

aaa-server UK_NPS (inside) host NPSServer2

timeout 5

key key2

user-identity default-domain LOCAL

aaa authentication ssh console UK_NPS LOCAL

http server enable

snmp-server host inside UK-Monitor community 123456

snmp-server location somewhere

snmp-server contact AnAdmin

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set AES256 esp-aes-256 esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1

crypto map VPN 1 match address UK_VPN

crypto map VPN 1 set peer UK_VPN_Endpoint

crypto map VPN 1 set ikev1 transform-set AES256

crypto map VPN 1 set ikev2 ipsec-proposal AES256

crypto map VPN interface outside

crypto isakmp identity address

crypto isakmp nat-traversal 15

crypto isakmp disconnect-notify

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5

prf sha

lifetime seconds 28800

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto ikev1 policy 2

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 14400

telnet timeout 5

ssh timeout 60

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.200.171-192.168.200.174 inside

dhcpd dns Server1 Server2 interface inside

dhcpd domain domain-name.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server Server2 source inside

ntp server Server1 source inside prefer

webvpn

username anadmin password password1 encrypted privilege 15

tunnel-group 123.123.123.123 type ipsec-l2l

tunnel-group 123.123.123.123 ipsec-attributes

ikev1 pre-shared-key ikev1psk

isakmp keepalive threshold 30 retry 2

ikev2 remote-authentication pre-shared-key localkeuopnhq

ikev2 local-authentication pre-shared-key remotekeyonhq

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:f4d57b622289f1d30b852209ebaf0efe

: end

Martin,

Just realised the outside interface IPs on each device are confusing when I scrubbed. To clarify, they ARE in the same subnet.

Good luck

Stuart

Hi Stuart,

Is this configuration working?

Should:

crypto map VPN 65535 ipsec-isakmp dynamic UK_RA_VPN_Map

crypto map UK_RA_VPN_Map 1 ipsec-isakmp dynamic UK_RA_VPN_Map

Actually be:

crypto map VPN 65535 ipsec-isakmp dynamic Dynamic_ISP_L2L

crypto map Dynamic_ISP_L2L ipsec-isakmp dynamic Dynamic_ISP_L2L

Regards,

Jacob
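An added consistency check, written for this thread and not part of any poster's config, that applies Jacob's observation above to an ASA 8.4 config: it parses the crypto map bindings, the dynamic-map ACLs and the twice-NAT identity rules that replace `nat 0 access-list` in 8.4, and reports a dynamic-map that is defined but never bound, a binding to an undefined dynamic-map, and crypto-ACL object pairs that have no identity NAT. The sample config is constructed from the thread's object and ACL names; everything else in it is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the scrubbed HQ config in this thread: the L2L
# dynamic-map Dynamic_ISP_L2L is defined, but the crypto map binds UK_RA_VPN_Map
# instead, and the identity NAT names obj_HomeVPN-SP where the crypto ACL uses
# obj_HomeVPN-ANR. Object/ACL names come from the thread; the rest is assumed.
SAMPLE_CONFIG = """\
object network obj_UK1
 subnet 192.168.44.0 255.255.255.0
object network obj_HomeVPN-ANR
 range 192.168.200.169 192.168.200.174
access-list HomeVPN_Alex extended permit ip object obj_UK1 object obj_HomeVPN-ANR
nat (inside,outside) source static obj_UK1 obj_UK1 destination static obj_HomeVPN-SP obj_HomeVPN-SP no-proxy-arp route-lookup
crypto dynamic-map Dynamic_ISP_L2L 1 match address HomeVPN_Alex
crypto dynamic-map Dynamic_ISP_L2L 1 set ikev1 transform-set AES
crypto map VPN 65535 ipsec-isakmp dynamic UK_RA_VPN_Map
crypto map VPN interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key ikev1psk
"""

# The same constructed config with the two wiring errors corrected.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("dynamic UK_RA_VPN_Map", "dynamic Dynamic_ISP_L2L")
                .replace("obj_HomeVPN-SP", "obj_HomeVPN-ANR"))

# Lines that start a new top-level command and therefore end a sub-mode.
TOP_LEVEL = re.compile(r"^(tunnel-group|crypto|object|access-list|nat |class-map|"
                       r"username|group-policy|policy-map)")


def parse_config(text):
    """Collect the pieces of an ASA 8.4 config that a dynamic L2L tunnel depends on."""
    cfg = {"objects": set(), "acls": set(), "acl_pairs": [], "dynmaps": defaultdict(dict),
           "bindings": [], "identity_nat": set(), "l2l_psk": False}
    in_default_l2l = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # A dynamic-IP peer authenticating with an IKEv1 PSK lands in DefaultL2LGroup,
        # so that group (not a named tunnel-group) must carry the key.
        if TOP_LEVEL.match(line):
            in_default_l2l = line.startswith("tunnel-group DefaultL2LGroup ipsec-attributes")
        elif in_default_l2l and "pre-shared-key" in line:
            cfg["l2l_psk"] = True
        if m := re.match(r"object network (\S+)", line):
            cfg["objects"].add(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)", line):
            cfg["acls"].add(m.group(1))
            cfg["acl_pairs"].append((m.group(1), m.group(2), m.group(3)))
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ match address (\S+)", line):
            cfg["dynmaps"][m.group(1)]["acl"] = m.group(2)
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ ", line):
            cfg["dynmaps"][m.group(1)].setdefault("acl", None)
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", line):
            cfg["bindings"].append((m.group(1), int(m.group(2)), m.group(3)))
        # 8.4 replacement for "nat 0 access-list": twice NAT with identical real/mapped objects.
        elif m := re.match(r"nat \(\S+,\S+\) source static (\S+) \1 destination static (\S+) \2", line):
            cfg["identity_nat"].add((m.group(1), m.group(2)))
    return cfg


def check_dynamic_l2l(text):
    """Return findings for the dynamic L2L wiring; an empty list means it is consistent."""
    cfg = parse_config(text)
    findings = []
    bound = set()
    for cmap, seq, dyn in cfg["bindings"]:
        bound.add(dyn)
        if dyn not in cfg["dynmaps"]:
            findings.append(f"crypto map {cmap} {seq} binds undefined dynamic-map {dyn}")
    for dyn, attrs in cfg["dynmaps"].items():
        if dyn not in bound:
            findings.append(f"dynamic-map {dyn} is defined but bound to no crypto map")
        acl = attrs.get("acl")
        if acl is None:
            continue  # no match address: the peer proposes the selectors, nothing to cross-check
        if acl not in cfg["acls"]:
            findings.append(f"dynamic-map {dyn} matches undefined access-list {acl}")
        for acl_name, src, dst in cfg["acl_pairs"]:
            if acl_name != acl:
                continue
            for obj in (src, dst):
                if obj not in cfg["objects"]:
                    findings.append(f"access-list {acl} references undefined object {obj}")
            if (src, dst) not in cfg["identity_nat"]:
                findings.append(f"no identity NAT for {src} -> {dst} (crypto ACL {acl}); "
                                f"traffic would be NATed before the crypto ACL is checked")
    if not cfg["l2l_psk"]:
        findings.append("tunnel-group DefaultL2LGroup has no pre-shared-key")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("scrubbed", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check_dynamic_l2l(cfg_text) or ['OK']}")
```

Run it against the output of `show running-config` to get the same three findings Jacob spotted by eye; a clean config returns an empty list.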

Hi Jacob,

I see your point; since I heavily scrubbed the config, you are not seeing the full picture.

It was easier/quicker for me to remove some of my group policies entirely as they included sensitive data that I am not prepared to share with anyone outside of our organisation (they include FQDNs for my SSL AnyConnect clients and banners that give too much information).

For the scope of this article, I wanted to leave some other working config in my post to show that in addition to the dynamic map for the Site to Site VPN tunnels, we also have dynamic for Remote Access clients and static maps for static IP addressed sites. The UK_RA_VPN_Map crypto maps are for our IPSec VPN Clients, hence the terms "RA" and "L2L".

FYI we have around 70 remote users, some of which I still need to get hold of their laptops to remove and replace their older IPSec clients with our more recent AnyConnect Essentials VPN clients. Personally, I did not want them to be installing AnyConnect through a web browser, as some of our more technically-aware users may decide to install the client on their personal computers. At this time, we only use PSKs for our VPNs, as I do not have the time to manage an in-house CA for client certificates... NAC is another project I will be scheduling for near-future installation... again, I'm a solo admin, so I can only deal with so many projects at once!


Regards,

Stuart

Ah I see. Sounds like interesting projects :-)

Hi, thanks Stuart for setting me off in the right direction.

As my setup is currently still at the testing stage, below is my complete config from an ASA 5505.

I wanted to have

users with Windows 7 Native VPN Client

users with XP using the Cisco VPN Client

Site 2 Site VPN using IPSEC

My config below works for all the above in my test environment.

Windows 7 Native VPN Client
Win 7 client configured under the security tab as VPN Type L2TP/IPSEC
Allow Protocols MSCHAP V 2

gets an address in pool TW-POOL 10.200.0.x
uses default RA Group


Site 2 Site with Remote has Dynamic IP
default l2l tunnel group
(I am using Draytek Vigor  Router as my remote)

Win XP using Cisco VPN Client
gets an address in CISCOVPN-POOL 10.201.0.x
uses tunnel group TG-CISCOVPN
users connecting this way are authenticated by Radius with backup to local user database

ASA inside = 10.20.0.0

Remote LAN  Site-2-Site VPN = 192.168.1.0

: Saved
:
ASA Version 8.4(2)
!
! users using the native win7 client
username win7user password win7user mschap
username cisco password cisco priv 15
username ciscovpn password ciscovpn
names
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 109
shutdown
!
interface Ethernet0/3
switchport access vlan 99
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
interface Vlan99
nameif outside
security-level 0
ip address 192.168.104.100 255.255.255.240
!
interface Vlan109
no nameif
security-level 90
ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.200.0.0_24
subnet 10.200.0.0 255.255.255.0
object network obj-10.20.0.0
subnet 10.20.0.0 255.255.255.0
object network obj-192.168.44.0
subnet 192.168.44.0 255.255.255.0
object network NETWORK_OBJ_10.201.0.0_24
subnet 10.201.0.0 255.255.255.0

access-list outside_access_in extended permit ip any any
access-list TG-CISCOVPN_splitTunnelAcl standard permit 10.20.0.0 255.255.255.0
access-list TG-CISCOVPN_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool TW-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
ip local pool CISCOVPN-POOL 10.201.0.1-10.201.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
! no nat for the WIN7 VPN connection
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.0.0_24 NETWORK_OBJ_10.200.0.0_24 no-proxy-arp route-lookup
!
! no nat for my Site to Site tunnel; add one for each remote site's LAN
nat (inside,outside) source static obj-10.20.0.0 obj-10.20.0.0 destination static obj-192.168.44.0 obj-192.168.44.0 no-proxy-arp route-lookup
!
! no nat for my Cisco VPN client connections
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.201.0.0_24 NETWORK_OBJ_10.201.0.0_24 no-proxy-arp route-lookup
!
object network obj-10.20.0.0
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.104.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AUTH-SRVR-GROUP protocol radius
aaa-server AUTH-SRVR-GROUP (inside) host 10.20.0.200
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map mymap 1 set ikev1 transform-set myset
crypto dynamic-map mymap 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outside-map 50 ipsec-isakmp dynamic mymap
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 2.2.2.2 3.3.3.3
dns-server value 8.8.8.8 1.1.1.1
vpn-tunnel-protocol l2tp-ipsec
default-domain value teleworker.com
group-policy TG-CISCOVPN internal
group-policy TG-CISCOVPN attributes
wins-server value 1.1.1.1 2.2.2.2
dns-server value 8.8.8.8 1.1.1.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TG-CISCOVPN_splitTunnelAcl
default-domain value ciscovpn.com

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key myl2lkey
tunnel-group DefaultRAGroup general-attributes
address-pool TW-POOL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key mywin7key
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group TG-CISCOVPN type remote-access
tunnel-group TG-CISCOVPN general-attributes
address-pool CISCOVPN-POOL
authentication-server-group AUTH-SRVR-GROUP LOCAL
default-group-policy TG-CISCOVPN
tunnel-group TG-CISCOVPN ipsec-attributes
ikev1 pre-shared-key myciscovpnkey
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:26ddaf173b51581072319fa49abe9c8e
: end

Hi Martin,

You've got a good config from what I can see. One thing I notice is that you've got quite a selection of transform sets. I personally have not configured any Windows clients without the Cisco VPN clients (IPSec or SSL), so I'm not sure what options you have with the built-in VPN (L2TP using MSCHAP auth). You may be able to remove the unneeded sets (e.g. 3DES and the lower AES encryption levels). This is not necessary, but it keeps your config a little smaller and easier to read. I'm sure Windows 7 supports AES, which is better than 3DES, but you need to check your Draytek options too before trimming this down.

Also, you've got SSH enabled on your outside interface for all sources. If you don't need this, only allow a range of known addresses, like your home/remote-site public IP address (or a range if you're on a dynamic DSL service). This will reduce your attack surface.


In the past 2 years I've been quite lucky to have access to 2 ASA5510s, so I have been able to "practice" offline; recently I configured failover on them and can take the standby unit out of the live network to play with. Despite the general bad feeling from many other ASA users about the newer 8.4, I actually love it! The only real pain I found was getting my head around the new object-based NAT, as my NAT skills are not really that good. Once I got used to it, it makes far more sense and gives more flexibility than previous versions. I also like IKEv2 over v1, as the security and performance are supposed to be better. One thing I am having difficulty with (and have given up on!) is that our French site is managed by an outsourced network engineer who insists on Juniper. I've no problem with that, only that I have never laid hands on Juniper, so I don't know anything about them. IKEv2 is supported on the Netscreen, but from what I can see the Cisco ASA requires a remote and a local PSK, whereas Juniper support apparently said they only supported a single PSK for the tunnel. I simply could not get this working, so I have stuck with v1 for this site.


If you have any other questions, feel free to ask. I've spent a lot of time trawling the net for useful information from many other techies at way higher levels than myself; I am grateful for their posts and am glad to help others out with my experience.

FYI, I implemented this today: if you are using RADIUS and are dishing out IPs to your clients from the ASA pools, and also want to create specific ACLs for network-admin traffic for configuring devices remotely (i.e. TFTP and SSH etc.), but you are using the same group policy for yourself and non-admin users, I found that you can specify a static IP address in the "Dial-In" tab in Windows 2008 R2 for your user account. This overrides the IP assignment from the ASA pool.

Good luck with everything:-)

Stuart
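Two points raised in this thread lend themselves to an automated check: Jacob's question about whether a dynamic map is actually reached from the crypto map that is bound to the interface, and Stuart's advice to close SSH from any source on the outside interface and to trim weak transform sets. The same crypto-map issue is visible in Martin's posted config: `crypto map outside_map interface outside` binds `outside_map`, but `mymap` is attached to `outside-map` (hyphen), a second crypto map that is never bound to any interface, so `mymap` is never consulted and every dynamic peer lands on SYSTEM_DEFAULT_CRYPTO_MAP via DefaultL2LGroup. The Python script below is an added example written for this page, not code from the thread or from Cisco; it parses a running-config in the form shown above and reports unbound crypto maps, dynamic maps that are never reached, management access open to any source on a security-level 0 interface, and IKEv1 policies or transform sets that still use DES, MD5 or DH groups 1 and 2. SAMPLE_CONFIG is constructed for the demonstration (modelled on the configs above, with the hyphen/underscore mismatch kept) and the function names are my own.

```python
"""Lint an ASA 8.4-style running-config for the pitfalls discussed in this thread.

Added example, not code from the thread or from Cisco. Assumes plain
'show running-config' text; leading whitespace and '!' lines are ignored.
"""
import re

# Flagged as weak: single DES, MD5 and DH groups 1/2 (768/1024-bit MODP).
WEAK_PHASE1 = {("encryption", "des"), ("hash", "md5"), ("group", "1"), ("group", "2")}
WEAK_ESP = {"esp-des", "esp-md5-hmac"}

# Constructed sample modelled on the configs in this thread (not a real device).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan99
 nameif outside
 security-level 0
 ip address 192.168.104.100 255.255.255.240
!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map mymap 1 set ikev1 transform-set myset
crypto dynamic-map mymap 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outside-map 50 ipsec-isakmp dynamic mymap
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""


def parse_interfaces(lines):
    """Return {nameif: security_level} from the interface blocks."""
    levels, nameif, level = {}, None, None
    for line in lines:
        if line.startswith("interface "):
            nameif, level = None, None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
        if nameif is not None and level is not None:
            levels[nameif] = level
    return levels


def lint_asa(config):
    """Return a list of human-readable findings for the given config text."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    findings = []
    untrusted = {n for n, lvl in parse_interfaces(lines).items() if lvl == 0}

    bound, entries, dyn_defined = {}, {}, set()
    for line in lines:
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        # Any 'crypto map <name> <seq> ...' entry; capture the dynamic map if it has one.
        m = re.match(r"crypto map (\S+) \d+ (?:ipsec-isakmp dynamic (\S+)|\S)", line)
        if m:
            entries.setdefault(m.group(1), set())
            if m.group(2):
                entries[m.group(1)].add(m.group(2))
            continue
        m = re.match(r"crypto dynamic-map (\S+) \d+ ", line)
        if m:
            dyn_defined.add(m.group(1))

    # A crypto map with entries but no 'interface' binding never sees traffic.
    for name in sorted(entries):
        if name not in bound:
            findings.append(f"crypto map {name} has entries but is not bound to any interface")
    reached = set().union(*(dyns for name, dyns in entries.items() if name in bound)) if entries else set()
    for dyn in sorted(dyn_defined - reached):
        findings.append(f"crypto dynamic-map {dyn} is never reached from a crypto map bound to an interface")

    # Management plane open to the world on a security-level 0 interface.
    for line in lines:
        m = re.match(r"(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m and m.group(2) in untrusted:
            findings.append(f"{m.group(1)} management open to any source on {m.group(2)} (security-level 0)")

    # Weak IKEv1 phase-1 parameters; sub-commands follow the policy header unindented or indented.
    policy = None
    for line in lines:
        m = re.match(r"crypto (?:ikev1|isakmp) policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        parts = line.split()
        if policy and parts[0] in ("encryption", "hash", "group"):
            if (parts[0], parts[1]) in WEAK_PHASE1:
                findings.append(f"ikev1 policy {policy}: {parts[0]} {parts[1]} is weak")
        elif policy and parts[0] not in ("authentication", "lifetime"):
            policy = None

    # Weak ESP transform sets (DES or MD5 anywhere in the proposal).
    weak_ts = set()
    for line in lines:
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", line)
        if m and WEAK_ESP & set(m.group(2).split()):
            weak_ts.add(m.group(1))
    for name in sorted(weak_ts):
        findings.append(f"transform-set {name} uses DES or MD5")
    return findings


if __name__ == "__main__":
    for finding in lint_asa(SAMPLE_CONFIG):
        print(finding)
```

Running it against SAMPLE_CONFIG reports the unbound `outside-map`, the unreachable `mymap`, SSH open to any source on `outside`, the MD5 hash and group 2 in the IKEv1 policies, and the two transform sets carrying DES or MD5; the AES/SHA set and the `inside` SSH line are left alone. Feed it `show running-config` output from your own box to see which of your dynamic maps are actually live.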