09-18-2008 01:16 PM - edited 02-21-2020 03:57 PM
ASA 5510. Outside NIC connected to ISP with real internet IP addresses. Inside NIC connected to DMZ 172.17.193.0/24 with address 172.17.193.100.
ISA 2006 SP1. Outside NIC connected to 172.17.193.0/24 DMZ with address 172.17.193.1 Inside NIC connected to UAT 44.44.44.0/24 with address 44.44.44.109.
After a VPN user connects to the ASA (gets a 192.168.20.0/24 IP address), I want the VPN user to be able to RDC into a 2008 server in the 44.44.44.0/24 network.
I know I have to enable RDC inbound on the ISA...but I'm not sure what I have to do on the ASA.
ciscoasa# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password xxx
passwd xxx
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address outside_ip 255.255.255.240
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.17.x.x.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot config disk0:/exit
ftp mode passive
clock timezone mst -7
clock summer-time mdt recurring
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inbound_on_outside extended permit icmp any any
access-list inbound_on_outside extended permit tcp any host outside_ip eq 5555
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnuserspool 192.168.20.101-192.168.20.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
static (inside,outside) tcp outside_ip 5555 172.17.193.96 5555 netmask 255.255.255.255
access-group inbound_on_outside in interface outside
route outside 0.0.0.0 0.0.0.0 isp_gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http 172.17.193.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 172.17.193.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
Solved! Go to Solution.
09-19-2008 04:56 AM
You will also need to route VPN pool to UAT device beside making those access list changes .
ON ASA
route inside 44.44.44.0 255.255.255.0 172.17.193.1
And route for VPN pool 192.168.20.0/24 pointing back to ASA on ISA device .
If you do not have default route on UAT device pointing back back to ISA device
then you will need define a route for VPN pool 192.168.20.0/24 pointing back to ASA on UAT device also.
HTH
Saju
Pls rate helpful posts
09-18-2008 01:16 PM
dhcpd address 172.17.193.201-172.17.193.254 inside
dhcpd dns 172.17.193.6 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.128.5.210 source outside
group-policy vpnuserspolicy internal
group-policy vpnuserspolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
address-pools value vpnuserspool
username admin password xxx encrypted privilege 15
username admin attributes
vpn-group-policy vpnuserspolicy
tunnel-group vpnusersgroup type remote-access
tunnel-group vpnusersgroup general-attributes
default-group-policy vpnuserspolicy
tunnel-group vpnusersgroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
ciscoasa#
09-18-2008 05:57 PM
Hello,
Just add one more line to Split tunnel acl and Nat exemption acl.
Your ACL should look like as following:
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0
Once implemented then try to connect vpn client and check .
HTH
Saju
Pls rate helpful posts
09-19-2008 04:56 AM
You will also need to route VPN pool to UAT device beside making those access list changes .
ON ASA
route inside 44.44.44.0 255.255.255.0 172.17.193.1
And route for VPN pool 192.168.20.0/24 pointing back to ASA on ISA device .
If you do not have default route on UAT device pointing back back to ISA device
then you will need define a route for VPN pool 192.168.20.0/24 pointing back to ASA on UAT device also.
HTH
Saju
Pls rate helpful posts
09-23-2008 08:59 AM
Thanks..exactly what I'm looking for!!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: