03-03-2009 10:12 AM - edited 03-11-2019 08:00 AM
I'm tasked with designing a remote access solution through an ASA v8.0 and I started by creating a text file with configuration details like group-policy, tunnel-groups, crypto (the text file looks as if you typed show run)… I'm tasked with only the remote access portion of the solution, not the full ACL or NAT statements.
Can someone please proof-read what I have so far? Attached is a basic net diagram that will be the completed project.
I have questions on the following:
1. What should the object-groups be if this firewall is configured for remote access?
2. How do I configure the split-tunneling portion?
3. Do I need more or less group-policies and tunnel-groups?
a. There is very little difference between the uservpn and engvpn groups
If anyone can help, I will be most appreciative. Keep in mind I'm still working on which commands to use so some of the config commands are missing.
BillyBob
03-03-2009 10:13 AM
object-groups ?????
!
ip local pool uservpnpool 172.30.0.1-172.30.0.254 mask 255.255.255.0
ip local pool engvpnpool 172.30.1.1-172.30.1.254 mask 255.255.255.0
!
access-list split_tunnel_list1 standard permit x.x.x.x 255.x.x.x
access-list split_tunnel_listx ????
access-list nonat extended permit ip any 192.168.x.x 255.255.255.x
access-list nonat extended permit ip any 192.168.x.x 255.255.255.x
access-list nonat extended permit ip any 192.168.252.0 255.255.255.0
access-list ?????
!
global (Airband) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 192.168.0.0 255.255.0.0
!
webvpn
 enable XO
 enable Airband
 svc image disk0:/anyconnect-win-2.2.pkg 1
 svc image disk0:/anyconnect-linux...pkg 2
 svc image disk0:/anyconnect-mac.....pkg 3
 svc enable
!
crypto isakmp policy 1 authentication pre-share
crypto isakmp policy 1 encryption aes-256
crypto isakmp policy 1 hash sha
crypto isakmp policy 1 group 2
crypto isakmp policy 1 lifetime 86400
crypto isakmp enable ISP1
crypto isakmp enable ISP2
crypto ipsec transform-set transform_set_nameX esp-aes-256 esp-sha-hmac
crypto dynamic-map dyn_map_nameX set transform-set transform_set_nameX
crypto dynamic-map dyn_map_nameX set pfs group2
crypto map map_namex 65534 ipsec-isakmp dynamic dyn_map_nameX
crypto map map_namex interface ISP2_interface
!
username ???? (in a couple of weeks, I will add an ACS server and start using ldap authentication)
!
group-policy uservpn_policy1 internal
group-policy uservpn_policy1 attributes
 banner value xxxxxxxx
 banner value Authorized Persons Only!
 dns-server value 192.168.x.x 192.168.x.x
 vpn-tunnel-protocol webvpn
 vpn-idle-timeout 30
 vpn-session-timeout 30
 split-tunnel-policy tunnelspecified
 split-network-list value split_tunnel_list1
 split-dns value ????
 default-domain value domain_name
 webvpn
!
group-policy engvpn_policy1 internal
group-policy engvpn_policy1 attributes
 banner value xxxxxxxxx
 banner value Authorized Persons Only!
 dns-server value 192.168.x.x 192.168.x.x
 vpn-tunnel-protocol webvpn
 vpn-idle-timeout 30
 vpn-session-timeout 30
 split-tunnel-policy tunnelspecified
 split-network-list value split_tunnel_list1
 split-dns value ??????
 default-domain value domain_name
 webvpn
!
group-policy ssl_policy internal
group-policy ssl_policy attributes
 banner value xxxxxxxx
 banner value Authorized Persons Only!
 dns-server value 192.168.x.x 192.168.x.x
 vpn-tunnel-protocol webvpn
 vpn-idle-timeout 30
 vpn-session-timeout 30
 split-tunnel-policy tunnelspecified
 split-network-list value split_tunnel_list1
 default-domain value domain_name
 webvpn
  url-list ???? (haven't read the documentation yet)
  svc keep-installer
  svc keepalive
  svc rekey
!
tunnel-group uservpn_tunnel type remote-access
tunnel-group uservpn_tunnel general-attributes
 address-pool uservpnpool
 default-group-policy uservpn_policy1
tunnel-group uservpn_tunnel webvpn-attributes
tunnel-group uservpn_tunnel ipsec-attributes
 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 360 retry 10
!
tunnel-group engvpn_tunnel type remote-access
tunnel-group engvpn_tunnel general-attributes
 address-pool engvpnpool
 default-group-policy engvpn_policy1
tunnel-group engvpn_tunnel webvpn-attributes
tunnel-group engvpn_tunnel ipsec-attributes
 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 360 retry 10
!
tunnel-group ssl_tunnel type remote-access
tunnel-group ssl_tunnel general-attributes
 address-pool engvpnpool
 default-group-policy ssl_policy
tunnel-group ssl_tunnel webvpn-attributes
tunnel-group ssl_tunnel ipsec-attributes
 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 360 retry 10
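The following is an added worked example for questions 1 and 2 (object-groups and split tunneling); it is not part of BillyBob's draft and not taken from Cisco documentation. It assumes the values visible in the draft: inside address space 192.168.0.0/16 and an interface named Inside (from the nat (Inside) 1 line), the two pools 172.30.0.0/24 and 172.30.1.0/24, and the policy name engvpn_policy1. The DNS servers and the domain example.local are constructed placeholders. Two points worth checking against the draft: on nat (Inside) 0 access-list the ACL is matched with inside hosts as the source and the VPN clients as the destination, so the pools belong on the destination side rather than 192.168.x.x; and vpn-tunnel-protocol limits which client types a policy admits, so a policy that lists only webvpn (the clientless portal in 8.0) will not accept the IPsec or AnyConnect (svc) sessions the tunnel-groups are set up for.

```cisco
! Added example, not the poster's config. Inside space, interface name and
! pool ranges are taken from the draft; DNS servers and example.local are
! placeholders.
!
! Object groups: name what is "inside" and what the VPN clients are, so the
! same definitions feed the NAT exemption and the per-policy vpn-filter.
object-group network INSIDE_NETS
 network-object 192.168.0.0 255.255.0.0
object-group network VPN_POOLS
 network-object 172.30.0.0 255.255.255.0
 network-object 172.30.1.0 255.255.255.0
!
! Split-tunnel list: a standard ACL of the destinations that go through the
! tunnel. With tunnelspecified, everything not listed leaves the client
! directly, unencrypted and outside the ASA's inspection.
access-list split_tunnel_list1 standard permit 192.168.0.0 255.255.0.0
!
! NAT exemption: inside hosts talking to VPN clients must not be translated,
! otherwise replies toward the pools are caught by "nat (Inside) 1".
access-list nonat extended permit ip object-group INSIDE_NETS object-group VPN_POOLS
nat (Inside) 0 access-list nonat
!
! vpn-filter: restricts what a connected client can reach. The ACL is written
! with the VPN client as the source; it is applied to decrypted traffic
! regardless of the interface ACLs.
access-list ENG_VPN_FILTER extended permit ip object-group VPN_POOLS object-group INSIDE_NETS
!
group-policy engvpn_policy1 internal
group-policy engvpn_policy1 attributes
 banner value Authorized Persons Only!
 dns-server value 192.168.0.10 192.168.0.11
 vpn-tunnel-protocol IPSec svc webvpn
 vpn-idle-timeout 30
 vpn-filter value ENG_VPN_FILTER
 split-tunnel-policy tunnelspecified
 split-network-list value split_tunnel_list1
 split-dns value example.local
 default-domain value example.local
!
tunnel-group engvpn_tunnel type remote-access
tunnel-group engvpn_tunnel general-attributes
 address-pool engvpnpool
 default-group-policy engvpn_policy1
```

After a client connects, show vpn-sessiondb remote shows the assigned pool address and the group policy applied, and show run group-policy engvpn_policy1 confirms the split-tunnel list and filter took effect. If the requirement is that all client traffic pass through the corporate firewall, use split-tunnel-policy tunnelall instead and drop the split-network-list line; tunnelspecified trades that control for lower bandwidth on the ASA.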
03-04-2009 06:29 AM
bump