Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
366
Views
0
Helpful
2
Replies

VPN on ASA 5505 can't work

fanghe1979
Level 1
Level 1

‎06-30-2008 03:20 AM

i have a ASA 5505 up and running, and i want build it as a VPN server. Here's the config. I really need to get this up and going tomorrow. Thanks for any help.

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address dhcp

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name mm-server.local

access-list mm_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.192

access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool RemotecLIENTpOOL 192.168.1.200-192.168.1.255 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.2.107 255.255.255.255 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs group1

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.254 inside

dhcpd enable inside

!

group-policy mm internal

group-policy mm attributes

vpn-tunnel-protocol IPSec

username test password xxxencrypted privilege 0

username test attributes

vpn-group-policy mm

tunnel-group mm type ipsec-ra

tunnel-group mm general-attributes

address-pool RemotecLIENTpOOL

default-group-policy Maravon

tunnel-group mm ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

asdm image disk0:/asdm-524.bin

no asdm history enable

Labels:
0 Helpful
2 Replies 2

kaachary
Cisco Employee
Cisco Employee

‎06-30-2008 07:20 AM

The config looks good. Is it not working for you.

Also, for vpn clients coming from behind a nat/pat device, add this to the config :

cry isa nat-t

Aprat from that, you should be good to go.

0 Helpful

whiteford
Level 1
Level 1
In response to kaachary

‎07-04-2008 07:08 AM

Also (add my 10 pence worth) by default "sysopt conenction permit-vpn" is set to allow trusted VPN traffic pass through without the need of ACE's. Sometimes I have found this to be turned off meaning you need ACE's which is my preffered method anyway for security and control :)

Just don't like the way a all VPN's are completely trusted by the ASA by default.

0 Helpful
Customers Also Viewed These Support Documents