
ASA Config Needs some Help....


TimParker

Jan 28, 2009, 6:43:22 AM
I have posted a few other times looking for some assistance with my
config. It was recommended by someone (Darren -- Thanks) that I post
a config and see what anyone sees that I have done wrong...

What I am attempting to do with this config: this ASA is in our main
office. It will be handling remote VPN connections from about 10-15
remote users with laptops. I am currently testing this myself with the
5.0.02 client on Windows 7; all "real" users will be Windows XP with
that client.

It also will be handling 2 site-to-site VPN's to our two remote
offices. I currently have one of the sites up and "working" I haven't
changed all the gateways and such there yet, but I can see the router
in the remote location from my desktop which is currently using the
ASA as its gateway (this way I can see what works and what doesn't).

For the remote user VPN, I have it so that it will connect from my
home and I can see the IKE and IPSEC tunnels go live in the ASDM when
I connect, but I can't get to anything. I created a rule to allow me
to supposedly get to my work desktop using Remote Desktop, but it
doesn't connect.

So if you have some time and wouldn't mind, look this over and let me
know how far off base I am. I hope I have given enough background on
what I am trying to do.

Oh, the network structure is such that the main office is one range
(192.168.16.x: all servers, workstations, printers, routers, etc.) and
the remote offices each have their own (192.168.116.x and
192.168.216.x; the first one is the one that is currently partially
active with the router that I can see).

Thank you all for any help and guidance you can offer.

Tim


Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname MOPS-ASA-5505
domain-name mops-ohio.local
enable password PASSWORDREMOVED encrypted
passwd PASSWORDREMOVED encrypted
names
name a.b.c.195 ASA_5505 description Firewall
name 192.168.116.0 Columbus-Net description Columbus Subnet
name 192.168.16.0 Lancaster-Net description Lancaster Subnet
name 192.168.216.0 LickingCounty-Net description Licking County Subnet
name a.b.c.194 External_Web_Mail_Server description External_Web_Mail_Server
name 192.168.18.3 Internal_Web_Mail_Server description Internal_Web_Mail_Server
name d.e.f.200 VPNUser_Tim_Home description Tim Parker - Home IP
name g.h.i.195 Router_Columbus description Cisco 871 - Columbus
name j.k.l.178 Router_LickingCounty description Cisco 871 - Licking County
name 192.168.16.95 VPNPool1
name 192.168.16.35 Tim_Work_Computer description WKSTN0020
name 192.168.16.5 MOPSSRV05 description Mail, Backup Server
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ASA_5505 255.255.255.248
!
interface Vlan12
nameif dmz
security-level 10
ip address 192.168.18.9 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.16.3
name-server 192.168.16.6
domain-name mops-ohio.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
protocol-object esp
protocol-object ah
object-group network VPNRemote-Admin
description Administrative Users
network-object host VPNUser_Tim_Home
object-group network Router_RemoteOffices
description Remote Offices Router for Site-to-Site VPN
network-object host Router_Columbus
network-object host Router_LickingCounty
object-group network VPN_Pool_IP
network-object host VPNPool1
object-group service WindowsRemoteDesktop tcp
port-object eq 3389
object-group network DM_INLINE_NETWORK_1
network-object host Tim_Work_Computer
network-object host MOPSSRV05
object-group service DM_INLINE_UDP_1 udp
port-object eq netbios-dgm
port-object eq netbios-ns
access-list outside_access_in extended permit object-group TCPUDP object-group Router_RemoteOffices host ASA_5505
access-list outside_access_in extended permit tcp host VPNPool1 object-group DM_INLINE_NETWORK_1 object-group WindowsRemoteDesktop
access-list outside_access_in extended deny tcp any host ASA_5505 eq telnet
access-list outside_access_in extended permit udp host VPNPool1 any object-group DM_INLINE_UDP_1
access-list outside_access_in extended permit udp host VPNPool1 any eq pim-auto-rp
access-list mops-vpn_splitTunnelAcl standard permit Lancaster-Net 255.255.255.0
access-list outside_1_cryptomap extended permit ip Lancaster-Net 255.255.255.0 Columbus-Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip Lancaster-Net 255.255.255.0 Columbus-Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip Lancaster-Net 255.255.255.0 LickingCounty-Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip Lancaster-Net 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip Lancaster-Net 255.255.255.0 LickingCounty-Net 255.255.255.0
access-list outside_3_cryptomap extended permit ip Lancaster-Net 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip host VPNPool1 any
pager lines 24
logging enable
logging asdm informational
logging from-address myemail@someplacecom
logging recipient-address mye...@someplace.com level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Testing VPNPool1-192.168.16.98 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.193 1
route outside 192.168.116.1 255.255.255.255 Router_Columbus 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server VPN_Authent protocol kerberos
aaa-server VPN_Authent (inside) host 192.168.16.3
kerberos-realm MOPS-OHIO
aaa-server VPN_Authorz protocol ldap
aaa-server VPN_Authorz (inside) host 192.168.16.3
ldap-base-dn ou=All MOPS Users
ldap-scope subtree
ldap-naming-attribute uid
server-type microsoft
http server enable
http Lancaster-Net 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer Router_Columbus
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer Router_LickingCounty
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer VPNUser_Tim_Home
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
telnet Tim_Work_Computer 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.16.3 192.168.16.6
dhcpd wins 192.168.16.3
dhcpd domain mops-ohio.local
dhcpd auto_config outside
dhcpd option 3 ip 192.168.16.9
!

group-policy mops-vpn internal
group-policy mops-vpn attributes
wins-server value 192.168.16.3
dns-server value 192.168.16.3 192.168.16.6
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value mops-vpn_splitTunnelAcl
default-domain value mops-ohio.local
address-pools value Testing
group-policy Site2Site-Columbus internal
group-policy Site2Site-Columbus attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
username timparker password PASSWORDREMOVED encrypted privilege 15
username timparker attributes
vpn-group-policy mops-vpn
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group g.h.i.195 type ipsec-l2l
tunnel-group g.h.i.195 general-attributes
default-group-policy Site2Site-Columbus
tunnel-group g.h.i.195 ipsec-attributes
pre-shared-key *
tunnel-group mops-vpn type ipsec-ra
tunnel-group mops-vpn general-attributes
default-group-policy mops-vpn
tunnel-group mops-vpn ipsec-attributes
pre-shared-key *
tunnel-group j.k.l.178 type ipsec-l2l
tunnel-group j.k.l.178 ipsec-attributes
pre-shared-key *
!
!
smtp-server 192.168.16.5
prompt hostname context
Cryptochecksum:REMOVED
: end

Artie Lange

Jan 28, 2009, 10:11:03 AM
TimParker wrote:

> ip local pool Testing VPNPool1-192.168.16.98 mask 255.255.255.0

I would recommend using a DHCP pool for your remote clients in a
different subnet, such as 192.168.17.0/24.


> nat (inside) 0 access-list inside_nat0_outbound

You are bypassing NAT for ACL inside_nat0_outbound; you need to include
your remote VPN DHCP pool in this ACL.

For example (for "nat (inside) 0" the ACL source is the inside network
and the destination is the client pool):

access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
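The change Artie describes, written out as a config fragment. This is an added example for this thread, not something Tim or Artie posted: the pool name RA-Pool and the range 192.168.17.10-192.168.17.50 are assumptions, and the client address 192.168.17.10 and source port 49152 in the packet-tracer line are made up for the check. The ACL name inside_nat0_outbound, the group-policy mops-vpn and the inside addresses are the ones from Tim's "sh run" above. The first half repeats the posted lines that cause the problem, the second half is the replacement, and the last part is how to confirm it worked.

```cisco
! ---- As posted (ASA 7.2(4)): the client pool is four addresses carved out of
! ---- the inside interface's own /24, and the nat 0 ACL has no entry for it.
! ---- Replies from 192.168.16.x hosts to a connected client therefore match
! ---- "nat (inside) 1" and are PATed to the outside interface address, so the
! ---- client never sees them even though IKE and IPsec are up.
ip local pool Testing 192.168.16.95-192.168.16.98 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
group-policy mops-vpn attributes
 address-pools value Testing

! ---- Replacement: a dedicated /24 for remote-access clients (192.168.17.0/24,
! ---- as Artie suggests; the exact range is an assumption) plus a NAT
! ---- exemption for inside <-> pool traffic. For "nat (inside) 0" the ACL
! ---- source is the inside network and the destination is the pool.
ip local pool RA-Pool 192.168.17.10-192.168.17.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
group-policy mops-vpn attributes
 address-pools value RA-Pool
! The old pool can only be removed once nothing references it
no ip local pool Testing
! The split-tunnel list already permits Lancaster-Net, so clients still send
! only 192.168.16.0/24 through the tunnel; nothing else in mops-vpn changes.

! ---- Checks after a client connects
! Which pool address the session received, and bytes in/out per session
show vpn-sessiondb remote
! Confirm the inside -> client reply path hits the nat 0 exemption instead of
! the PAT rule: desktop 192.168.16.35 port 3389 answering an assumed client
! 192.168.17.10 on an assumed ephemeral port 49152. The NAT phase of the
! output should name inside_nat0_outbound.
packet-tracer input inside tcp 192.168.16.35 3389 192.168.17.10 49152
! No translation should exist for any pool address
show xlate | include 192.168.17
```

Two caveats a practitioner would check after making this change. First, the ASA answers ARP on the inside for pool addresses that fall inside its own inside subnet, which is what let the overlapping pool partly work without routing; with a separate subnet, any inside host whose default gateway is not the ASA (Tim's desktop uses the ASA, the servers may not) needs a route for 192.168.17.0/24 pointing at the ASA's inside address, 192.168.16.9. Second, the outside_access_in entries permitting host VPNPool1 to reach RDP and NetBIOS become dead once the pool moves, and they were never what gated the traffic: sysopt connection permit-vpn, which is on by default and which nothing in the posted config turns off, lets decrypted VPN traffic bypass the outside interface ACL. If VPN clients should be restricted to, say, RDP to one desktop, that is done with a vpn-filter ACL in the group policy, not in outside_access_in.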

TimParker

Jan 28, 2009, 12:29:27 PM
I assume this DHCP pool I should have on the ASA? I will look at these
changes today. I am home due to snow/ice, so it's a Cisco Day!