01-30-2008 02:14 AM - edited 02-21-2020 03:30 PM
I'm having a tough time getting remote VPN to work with my ASA 5510.
I know there may be some problems with this config... Any advice would be greatly appreciated.
!
interface Ethernet0/0
 nameif outside
 security-level 2
 ip address 238.198.111.178 255.255.255.248
 rip send version 1
!
interface Ethernet0/1
 nameif inside
 security-level 90
 ip address 10.100.1.1 255.255.255.0
!
boot system disk0:/asa721-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Morbo_Services tcp
 port-object eq ftp-data
 port-object eq ftp
 port-object eq ssh
 port-object eq www
access-list buzznetRA_splitTunnelAcl standard permit any
access-list outside_access_in extended permit ip interface outside 10.100.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list DefaultRAGroup2_splitTunnelAcl standard permit any
access-list outside_cryptomap extended permit ip any 10.100.1.48 255.255.255.240
ip local pool BNVPN_IP_Pool 10.100.1.50-10.100.1.60 mask 255.255.255.255
nat-control
global (outside) 200 interface
nat (inside) 200 10.100.1.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
static (inside,outside) 38.98.11.179 10.100.1.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 38.98.11.177 1
!
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 10.100.1.2
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value buzznetRA_splitTunnelAcl
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value BNVPN_IP_Pool
 client-firewall none
 client-access-rule none
username asadowsky password ****== nt-encrypted privilege 0
username john password ****== nt-encrypted privilege 0
username john attributes
 vpn-group-policy DfltGrpPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.100.1.0 255.255.255.0 inside
crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTRANS mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set VPNTRANS
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
 address-pool BNVPN_IP_Pool
 authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authorization-server-group LOCAL
 no vpn-addr-assign aaa
 no vpn-addr-assign dhcp
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
service-policy global_policy global
02-01-2008 01:50 PM
access-list inside-nonat permit ip 10.100.1.0 255.255.255.0 10.100.1.0 255.255.255.0
nat (inside) 0 access-list inside-nonat
Your VPN range is on the same network, which should work fine, but you could just as easily use an internal DHCP server at that point.
This is under the assumption that you're even authenticating. Are you? You should probably turn on logging and post the results of that as well.
02-01-2008 08:22 PM
I figured it out! I had been trying to authenticate against a PSK *AND* a cert. That was keeping me from successfully authenticating. And, as if that wasn't enough, my IP pool was in the same subnet as my internal network, which I learned was incorrect.
Many thanks for checking in!
Adam
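The following fragment is an added example and is not config from either poster. It pulls together the NAT-exemption lines from the 02-01-2008 reply and the two faults named in the final post (pre-shared key and certificate both in play, address pool inside the LAN subnet) into the remote-access portion of a corrected running config on the same ASA 7.2 release. The pool subnet 10.100.2.0/24 and the ACL name inside_nat0_outbound are assumptions chosen for this example; the pre-shared key is masked with `*` exactly as `show run` masks it in the posted config.

```cisco
! Added example (not the thread's own config). Assumed values: pool subnet
! 10.100.2.0/24 and ACL name inside_nat0_outbound.
!
! 1. Client address pool on its own subnet, outside the inside LAN 10.100.1.0/24.
!    Host routes for connected clients are installed by the ASA automatically.
ip local pool BNVPN_IP_Pool 10.100.2.50-10.100.2.60 mask 255.255.255.0
!
! 2. Exempt LAN-to-client traffic from the global (outside) 200 PAT; without this
!    the return traffic toward the pool is translated and never enters the tunnel.
access-list inside_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 10.100.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. One authentication method for the tunnel-group: pre-shared key only.
!    Any "trust-point <name>" attached under ipsec-attributes must be removed,
!    otherwise the ASA expects certificate authentication as well.
tunnel-group DefaultRAGroup general-attributes
 address-pool BNVPN_IP_Pool
 authentication-server-group LOCAL
 authorization-server-group LOCAL
 default-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
```

To verify after a client connects: `show crypto isakmp sa` should list the peer in state MM_ACTIVE, `show crypto ipsec sa` should show both `#pkts encaps` and `#pkts decaps` incrementing (decaps only means the NAT exemption or the return route is still wrong), and `show xlate` should contain no entries for 10.100.2.x addresses. Inside hosts whose default gateway is not 10.100.1.1 need a route for 10.100.2.0/24 pointing at the ASA. Two points worth keeping in mind from a hardening angle: the split-tunnel list of `permit any` sends all client traffic through the tunnel, so narrowing it enables split tunneling and exposes the client's local network while connected; and `vpn-filter none` in the group policy gives authenticated clients unrestricted access to the inside network, so a vpn-filter ACL limited to the hosts and ports clients actually need is the usual next step once the tunnel is working.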