03-03-2009 07:30 AM - edited 02-21-2020 04:10 PM
I'm tasked with designing a remote access solution through an ASA v8.0 and I started by creating a text file with configuration details like group-policy, tunnel-groups, crypto (the text file looks as if you typed show run)... I'm tasked with only the remote access portion of the solution, not the full ACL and NAT statements.
Can someone please proof-read what I have so far? Attached is a basic net diagram that will be the completed project.
I have questions on the following:
1. What should the object-groups be if this firewall configured for remote-access?
2. How do I configure the split-tunneling portion?
3. Do I need more or less group-policies and tunnel-groups?
a. There is very little difference between the uservpn and engvpn groups
If anyone can help, I will be most appreciative. Keep in mind I'm still working on which commands to use so some of the config commands are missing.
BillyBob
03-03-2009 07:30 AM
object-groups ?????
!
ip local pool uservpnpool 172.30.0.1-172.30.0.254 mask 255.255.255.0
ip local pool engvpnpool 172.30.1.1-172.30.1.254 mask 255.255.255.0
!
! split-tunnel lists are standard ACLs naming the networks the client sends through the tunnel
access-list split_tunnel_list1 standard permit x.x.x.x 255.x.x.x
access-list split_tunnel_listx ????
! nat 0 exemption: the source is the inside network, the destination is the VPN pools (172.30.0.0/23 covers both)
access-list nonat extended permit ip 192.168.x.x 255.255.255.x 172.30.0.0 255.255.254.0
access-list nonat extended permit ip 192.168.x.x 255.255.255.x 172.30.0.0 255.255.254.0
access-list nonat extended permit ip 192.168.252.0 255.255.255.0 172.30.0.0 255.255.254.0
access-list ?????
!
global (Airband) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 192.168.0.0 255.255.0.0
!
webvpn
 enable XO
 enable Airband
 svc image disk0:/anyconnect-win-2.2.pkg 1
 svc image disk0:/anyconnect-linux...pkg 2
 svc image disk0:/anyconnect-mac.....pkg 3
 svc enable
!
crypto isakmp policy 1 authentication pre-share
crypto isakmp policy 1 encryption aes-256
crypto isakmp policy 1 hash sha
crypto isakmp policy 1 group 2
crypto isakmp policy 1 lifetime 86400
crypto isakmp enable ISP1
crypto isakmp enable ISP2
crypto ipsec transform-set transform_set_nameX esp-aes-256 esp-sha-hmac
! dynamic-map entries need a sequence number (10 used here); names are case-sensitive
crypto dynamic-map dyn_map_nameX 10 set transform-set transform_set_nameX
crypto dynamic-map dyn_map_nameX 10 set pfs group2
crypto map map_nameX 65534 ipsec-isakmp dynamic dyn_map_nameX
crypto map map_nameX interface ISP2_interface
!
! username ???? (in a couple of weeks, I will add an ACS server and start using LDAP authentication)
!
! default-domain and split-dns are general group-policy attributes, not webvpn attributes;
! the tunnel-group below uses a pre-shared key, so the IPsec client must be allowed here as well
group-policy uservpn_policy1 internal
group-policy uservpn_policy1 attributes
 banner value xxxxxxxx
 banner value Authorized Persons Only!
 dns-server value 192.168.x.x 192.168.x.x
 vpn-tunnel-protocol ipsec webvpn
 vpn-idle-timeout 30
 vpn-session-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list1
 default-domain value domain_name
 split-dns value ????
!
group-policy engvpn_policy1 internal
group-policy engvpn_policy1 attributes
 banner value xxxxxxxxx
 banner value Authorized Persons Only!
 dns-server value 192.168.x.x 192.168.x.x
 vpn-tunnel-protocol ipsec webvpn
 vpn-idle-timeout 30
 vpn-session-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list1
 default-domain value domain_name
 split-dns value ??????
!
! AnyConnect is the "svc" protocol; "webvpn" alone only permits the clientless portal
group-policy ssl_policy internal
group-policy ssl_policy attributes
 banner value xxxxxxxx
 banner value Authorized Persons Only!
 dns-server value 192.168.x.x 192.168.x.x
 vpn-tunnel-protocol svc webvpn
 vpn-idle-timeout 30
 vpn-session-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list1
 default-domain value domain_name
 webvpn
  ! url-list (haven't read documentation yet)
  svc keep-installer installed
  ! keepalive (seconds) and rekey interval (minutes) below are placeholder values
  svc keepalive 30
  svc rekey time 30
  svc rekey method ssl
!
tunnel-group uservpn_tunnel type remote-access
tunnel-group uservpn_tunnel general-attributes
 address-pool uservpnpool
 default-group-policy uservpn_policy1
tunnel-group uservpn_tunnel webvpn-attributes
tunnel-group uservpn_tunnel ipsec-attributes
 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 360 retry 10
!
tunnel-group engvpn_tunnel type remote-access
tunnel-group engvpn_tunnel general-attributes
 address-pool engvpnpool
 default-group-policy engvpn_policy1
tunnel-group engvpn_tunnel webvpn-attributes
tunnel-group engvpn_tunnel ipsec-attributes
 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 360 retry 10
!
tunnel-group ssl_tunnel type remote-access
tunnel-group ssl_tunnel general-attributes
 address-pool engvpnpool
 default-group-policy ssl_policy
tunnel-group ssl_tunnel webvpn-attributes
tunnel-group ssl_tunnel ipsec-attributes
 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 360 retry 10
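A worked ASA 8.0 remote-access fragment, added here as an illustration (it is not the poster's configuration) to show the split-tunnel, NAT-exemption and group-policy pieces the questions above ask about, with the two roles serving both the IPsec client and AnyConnect from the same tunnel groups. The inside network 192.168.0.0/16, the domain example.com, DNS servers 192.168.1.10 and 192.168.1.11, the outside interface name Airband, the filter ACL names and the pre-shared keys are all assumed placeholders.

```cisco
! --- Address pools: one per role, so the client address itself identifies the role
ip local pool uservpnpool 172.30.0.1-172.30.0.254 mask 255.255.255.0
ip local pool engvpnpool 172.30.1.1-172.30.1.254 mask 255.255.255.0
!
! --- Split tunnelling: a STANDARD ACL lists the destinations sent through the
! tunnel; everything else leaves the client unencrypted via its local gateway.
access-list split_tunnel_list1 standard permit 192.168.0.0 255.255.0.0
!
! --- NAT exemption: inside network -> either VPN pool (172.30.0.0/23 covers both)
! must not be translated by the nat (Inside) 1 / global rule.
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 172.30.0.0 255.255.254.0
nat (Inside) 0 access-list nonat
!
! --- What each role may reach once connected. A vpn-filter ACL is written with
! the VPN client as the source and is applied per session, so the two roles
! differ in reachability rather than only in banner text.
access-list engvpn_filter extended permit ip 172.30.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list uservpn_filter extended permit tcp 172.30.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list uservpn_filter extended permit udp 172.30.0.0 255.255.255.0 host 192.168.1.10 eq 53
!
! --- Settings shared by every group live in the default policy; user-defined
! internal group policies inherit whatever they do not override.
group-policy DfltGrpPolicy attributes
 banner value Authorized Persons Only!
 dns-server value 192.168.1.10 192.168.1.11
 default-domain value example.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list1
 split-dns value example.com
 vpn-idle-timeout 30
 vpn-session-timeout 720
 vpn-tunnel-protocol ipsec svc
 webvpn
  svc keep-installer installed
  svc keepalive 30
  svc rekey time 30
  svc rekey method ssl
!
! --- Role policies state only what differs from the default.
group-policy uservpn_policy1 internal
group-policy uservpn_policy1 attributes
 vpn-filter value uservpn_filter
group-policy engvpn_policy1 internal
group-policy engvpn_policy1 attributes
 vpn-filter value engvpn_filter
!
! --- AnyConnect: tunnel-group-list lets the client choose a group by alias.
webvpn
 enable Airband
 svc image disk0:/anyconnect-win-2.2.pkg 1
 svc enable
 tunnel-group-list enable
!
! --- Tunnel groups: the IPsec client selects the group by group name + PSK,
! the AnyConnect client by the alias shown in its drop-down.
tunnel-group uservpn_tunnel type remote-access
tunnel-group uservpn_tunnel general-attributes
 address-pool uservpnpool
 default-group-policy uservpn_policy1
tunnel-group uservpn_tunnel ipsec-attributes
 pre-shared-key ChangeMeUserPSK
tunnel-group uservpn_tunnel webvpn-attributes
 group-alias users enable
!
tunnel-group engvpn_tunnel type remote-access
tunnel-group engvpn_tunnel general-attributes
 address-pool engvpnpool
 default-group-policy engvpn_policy1
tunnel-group engvpn_tunnel ipsec-attributes
 pre-shared-key ChangeMeEngPSK
tunnel-group engvpn_tunnel webvpn-attributes
 group-alias engineers enable
```

Two points worth checking on the box: the pre-shared key is a group secret shared by everyone in that tunnel group, so per-user authentication only exists once an authentication-server-group (the planned ACS/LDAP) is added under general-attributes; and without the vpn-filter lines the two pools are only an addressing difference, since anything permitted by the inside interface and sysopt connection permit-vpn is reachable from either pool.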
03-04-2009 06:30 AM
bump
03-24-2009 05:07 PM
Another simple way, really easier, to accomplish the same task: a regular router, e.g. an 1800 or 2800 series router. Example:
crypto map Jump-Man 10 ipsec-isakmp
! build your own ISAKMP policy here
interface FastEthernet0
 description Internet interface
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map Jump-Man
ip nat inside source list 101 interface FastEthernet0 overload
ip nat pool pool-108 10.10.21.128 10.10.21.254 prefix-length 25
1. Build your ISAKMP.
2. Route out properly.
3. Then NAT.
4. You can split the traffic here also!
5. Sometimes you may have to remove the crypto map and then reapply it to bring the tunnel up to get the NAT working, or vice versa.
6. Or, if you build a BGP neighbor, you NAT through your tunnel interface.
You can split tunnel on the ASA. My recommendation would be to use the ASA more as your firewall and ACLs in this solution. Take the burden off the ASA for VPN as a single point of failure, or use the ASA for Cisco clients; the ASA is very good.
If you decide to use the router for split tunneling and need help with the config, build most of your config and just reach me offline if you need to bring the tunnel up and split routes: setarcosus@yahoo.com
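For comparison, a worked IOS Easy VPN server fragment that carries out the steps listed in the reply above (ISAKMP, routing, NAT with the VPN pool exempted, split tunnel). It is an added illustration, not the poster's configuration; the crypto map name Jump-Man and the FastEthernet0 addressing are reused from the reply, while the group name engvpn, the inside interface Vlan1, the inside network 192.168.0.0/16, the pool 172.30.1.0/24, DNS server 192.168.1.10, domain example.com, the username and the keys are assumptions.

```cisco
! --- Local user and group databases until an external AAA server exists
aaa new-model
aaa authentication login vpn-users local
aaa authorization network vpn-groups local
username alice secret ChangeMeUserPassword
!
! --- Step 1: ISAKMP policy for the software client
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! --- Group attributes pushed to the client; "acl" is the split-tunnel list
crypto isakmp client configuration group engvpn
 key ChangeMeGroupKey
 dns 192.168.1.10
 domain example.com
 pool engvpnpool
 acl split_tunnel_list
ip local pool engvpnpool 172.30.1.1 172.30.1.254
!
! --- Step 4: only these networks are routed through the tunnel by the client
ip access-list standard split_tunnel_list
 permit 192.168.0.0 0.0.255.255
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto dynamic-map dyn 10
 set transform-set TS
 reverse-route
!
! --- Tie user auth (XAUTH), group authorization and address assignment to the map
crypto map Jump-Man client authentication list vpn-users
crypto map Jump-Man isakmp authorization list vpn-groups
crypto map Jump-Man client configuration address respond
crypto map Jump-Man 65535 ipsec-isakmp dynamic dyn
!
interface FastEthernet0
 description Internet interface
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 crypto map Jump-Man
!
interface Vlan1
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! --- Step 2: default route out the Internet interface
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
! --- Step 3: NAT. The deny line comes first so inside -> VPN-pool traffic is
! left untranslated; everything else is overloaded onto the Internet address.
access-list 101 deny   ip 192.168.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list 101 interface FastEthernet0 overload
```

The order of the NAT ACL is the usual trap here: if the permit line is listed first, return traffic to the VPN pool is translated to the public address and the tunnel appears to come up but passes nothing, which is the symptom behind the "remove and reapply the crypto map" advice.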
03-24-2009 01:46 PM
Is this "task" you are doing for a charitable organization or for another type of business purpose?