05-07-2009 06:47 PM - edited 03-11-2019 08:29 AM
hello,
In my Remote VPN connection, is a route required, or do we directly give the connection from the ASA 5540? Is it possible?
05-08-2009 09:45 AM
Hello Mitang,
Not sure what your question is, but as far as the routing is concerned, the laptop connecting over VPN will have a logical interface set, which will send all default packets to this network adaptor, which would ultimately hit your ASA 5540 box. You don't need to define explicit routing to be pushed to your VPN clients. In case you don't want all your traffic through the VPN, you can use split tunneling to force only certain traffic through the VPN.
Hope this helps. All the best. Rate replies if found useful.
Raj
05-08-2009 06:36 PM
Thank you Raj,
This information is OK.
But I want to know more about developing a VPN remote connection from a client (through the internet) to the ASA 5540.
What IP should I give to the VPN LAN card?
05-09-2009 07:01 PM
Hello Raj,
I describe my network; then you tell me what I should configure on the ASA.
My inside network: 192.168.10.1
My DMZ network: 192.168.1.0
Now I want to access my inside server system through the internet and access it via VPN.
So what IP do I give to the IP pool while I configure VPN for remote access?
What do I configure in the VPN client, and also tell me of any client-side requirements?
05-10-2009 10:46 AM
So what IP do I give to the IP pool while I configure VPN for remote access?
Mitang,
Your VPN pool network can be any private RFC 1918 network, preferably a network that is not the same as your inside or DMZ subnets, to ease troubleshooting in the event of issues. Create your VPN pool network; for the sake of example, assume you will use 10.20.20.0/24 for RA VPN.
So you will have
1- inside network: 192.168.10.1
2- DMZ network: 192.168.1.0
and
3- VPN RA network 10.20.20.0/24
If not done already, create the VPN tunnel and assign the VPN pool network to that tunnel. Here is a link with examples of creating and assigning a pool network to tunnel names.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
Now I want to access my inside server system through the internet and access it via VPN.
After you have created the RA tunnel with the respective IP local pool for RA assigned to that tunnel, work on an access list
to allow the traffic to the DMZ network 10.20.20.0/24 from the VPN pool network.
Create NAT exemption rules: ACLs and nat exempt statements.
You can either allow the whole VPN pool access to the DMZ network by:
access-list NONAT_traffic extended permit ip 192.168.1.0 255.255.255.0 10.20.20.0 255.255.255.0
or you can allow the VPN pool network access to one DMZ host; assume the DMZ server is 192.168.1.X:
access-list NONAT_traffic extended permit ip host 192.168.1.X 10.20.20.0 255.255.255.0
Apply the NAT exemption rule on your DMZ interface as:
nat (dmz) 0 access-list NONAT_traffic
////////////////////////////
The same principle applies if down the road you require access to hosts on your inside interface for the RA VPN pool network.
access-list NONAT_traffic extended permit ip 192.168.10.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (inside) 0 access-list NONAT_traffic
What do I configure in the VPN client, and also tell me of any client-side requirements?
Your RA VPN users will obviously need the Cisco VPN Client software loaded on their machines. You will need to provide them with the tunnel group name and password to authenticate the tunnel. You did not mention user authentication, but the link provided above gives examples of creating local user accounts locally on the ASA, or if you will be using IAS RADIUS / Windows AD for user authentication, there are other configuration requirements needed for that on the tunnel, shown here.
Hope this helps
Regards
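A complete remote-access IPsec configuration covering what Raj describes (split tunneling) and what the answer above describes (pool, NAT exemption, tunnel group, client requirements), as an added example; it is not from the original thread or from Cisco's documentation. It uses pre-8.3 ASA syntax (nat 0 access-list) to match the thread. The interface names inside/dmz/outside, the object names RA_POOL, RA_POLICY, RA_GROUP, SPLIT_TUNNEL and the nat0 ACL names, the DNS server 192.168.10.10, the user name and the angle-bracket secret placeholders are all assumptions. Two points a practitioner would want: the pool starts at .1 so the subnet's network address is never handed to a client, and because the Cisco VPN Client authenticates its group with a pre-shared key the ASA negotiates IKEv1 aggressive mode, in which a hash derived from the group key crosses the wire before the user's XAUTH credentials do; anyone who captures one connection attempt can attack a weak group key offline, so make it long and random (or move to certificates) and never reuse a user password as the group key.

```cisco
! Address pool for remote-access clients. Start at .1 so the subnet's network
! address (10.20.20.0) is never assigned to a client.
ip local pool RA_POOL 10.20.20.1-10.20.20.254 mask 255.255.255.0

! Traffic between the LAN/DMZ and the VPN pool must bypass NAT (NAT exemption).
access-list INSIDE_nat0 extended permit ip 192.168.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list DMZ_nat0 extended permit ip 192.168.1.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (inside) 0 access-list INSIDE_nat0
nat (dmz) 0 access-list DMZ_nat0

! Split tunneling: only these destinations go through the tunnel; everything
! else leaves the client's local interface. Use "split-tunnel-policy tunnelall"
! instead if all client Internet traffic must be inspected at the ASA.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 dns-server value 192.168.10.10
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Local user for XAUTH (assumed name). The client first presents the group
! name + group pre-shared key, then this user name/password. Prefer AAA
! (RADIUS/LDAP) over local users for anything beyond a test.
username mitang password <user-password> privilege 0
username mitang attributes
 vpn-group-policy RA_POLICY

! The client's "Group Authentication" name and password are this tunnel-group
! name and its pre-shared key; the HOST field is the ASA outside IP.
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key <long-random-group-key>

! Phase 1 / Phase 2. The Cisco VPN Client with a group PSK uses IKEv1
! aggressive mode, so aggressive mode must stay enabled on this interface.
crypto isakmp enable outside
no crypto isakmp am-disable
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map OUTSIDE_DYN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map OUTSIDE_DYN 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE_DYN
crypto map OUTSIDE_MAP interface outside
```

Decrypted VPN traffic bypasses the outside interface ACL because "sysopt connection permit-vpn" is on by default; if you want per-user restrictions on what the pool may reach, add a vpn-filter ACL to the group policy rather than turning that sysopt off.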
05-10-2009 07:57 PM
Hi,
Thank you.
I had created it, but I could not connect from my network to that server.
Below I give the log of the VPN client,
and I give you what I made in the ASA 5540 configuration.
This is my ASA 5540 configuration.
access-list INSIDE_nat0_outbound line 1 extended permit ip host 192.168.10.108 10.20.20.0 255.255.255.240
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
username user password XEaJpJFaYvDqZKxJ encrypted privilege 0
username user attributes
vpn-group-policy testgroup
ip local pool test 10.20.20.0-10.20.20.15 mask 255.255.255.240
group-policy testgroup internal
group-policy testgroup attributes
dns-server value 203.124.20.100
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
default-group-policy testgroup
address-pool test
tunnel-group testgroup ipsec-attributes
pre-shared-key #123*
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
no crypto dynamic-map outside_dyn_map 20 set nat-t-disable
no crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
This is my client configuration.
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
89 09:18:57.468 05/11/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 10.20.20.0.
90 09:18:57.468 05/11/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 10.20.20.0
91 09:18:57.890 05/11/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
92 09:18:57.890 05/11/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
93 09:19:02.890 05/11/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
94 09:19:02.890 05/11/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.20.20.0
95 09:19:07.890 05/11/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
96 09:19:07.890 05/11/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.20.20.0
97 09:19:12.890 05/11/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
98 09:19:12.890 05/11/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.20.20.0
99 09:19:17.890 05/11/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=E37BCC570A0B52E6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
100 09:19:18.390 05/11/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E37BCC570A0B52E6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
101 09:19:18.390 05/11/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
102 09:19:18.390 05/11/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
103 09:19:18.390 05/11/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
104 09:19:18.390 05/11/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
105 09:19:18.390 05/11/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Please suggest where I should make changes so I can get a connection.
05-10-2009 09:21 PM
89 09:18:57.468 05/11/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 10.20.20.0.
Mitang,
Just to make sure before we go further, are you VPNing in from outside your network? The above log output from the VPN client got me confused, as it seems to be attempting a connection to 10.20.20.0; the connection should be towards the VPN gateway, which is your ASA 5540 outside interface IP address. Could you confirm, please?
In your VPN client software, when you configure a new connection entry, under the HOST field you should place your ASA 5540 outside IP address, which is your IPsec termination point. Again, it seems to me based on the VPN log that you are placing 10.20.20.0.
Regards
05-10-2009 10:53 PM
Yes, I want to VPN in from an outside network, like a broadband internet connection.
10.20.20.0 is my IP local pool.
OK, now what do I configure in the ASA? Below are the logs I got from the ASA.
When I give the VPN client my outside interface IP, it gives me the logs below.
5|May 11 2009 11:56:46|713904: IP = (VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt
5|May 11 2009 11:56:41|713904: IP = 192.168.100.2(VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt
5|May 11 2009 11:56:36|713904: IP = 192.168.100.2(VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt
5|May 11 2009 11:56:31|713904: IP = 192.168.100.2(VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt
6|May 11 2009 11:56:31|302015: Built inbound UDP connection 763351 for outside:192.168.100.2/4969 (192.168.100.2/4969) to NP Identity Ifc:outside interface/500 (Outside interface/500)
5|May 11 2009 11:56:15|713904: IP = 192.168.100.2(VPN client User Ip), Aggressive Mode connections disabled on interface... dropping pkt
05-10-2009 11:12 PM
Do you have this command configured on your ASA? "crypto isakmp am-disable"
If so, you need to "no" it out.
Info -> http://www.cisco.com/en/US/customer/docs/security/asa/asa72/command/reference/c5_72.html#wp2067847
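The check, the fix and the verification for the %ASA-5-713904 "Aggressive Mode connections disabled" drops shown in the log above, as an added example that is not from the original thread. The hostname ciscoasa and the show-command output excerpts are illustrative (the peer address 192.168.100.2 is the client IP from the posted log); the command names are standard ASA 7.2/8.0 CLI.

```cisco
! 1. Confirm what is on the box. If "crypto isakmp am-disable" is present, every
!    Cisco VPN Client (group PSK) attempt is dropped with %ASA-5-713904, because
!    that client can only negotiate IKEv1 aggressive mode for group-PSK auth.
ciscoasa# show running-config crypto isakmp
crypto isakmp enable outside
crypto isakmp am-disable

! 2. Re-enable aggressive mode and save. am-disable exists precisely because
!    aggressive mode exposes a hash of the group key to any eavesdropper; once
!    it is back on, the group key must be long and random, or switch the group
!    to certificate authentication.
ciscoasa# configure terminal
ciscoasa(config)# no crypto isakmp am-disable
ciscoasa(config)# end
ciscoasa# write memory

! 3. Have the client retry, then verify. The 713904 messages should stop, Phase 1
!    should reach AM_ACTIVE (aggressive mode, ASA as responder), and the user
!    should appear in the session database with a pool address.
ciscoasa# show logging | include 713904
ciscoasa# show crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.100.2
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
ciscoasa# show vpn-sessiondb remote
ciscoasa# show crypto ipsec sa peer 192.168.100.2

! 4. If Phase 1 still fails (wrong group name/key, proposal mismatch), trace one
!    attempt and turn the debug off again; level 7 is verbose enough to show
!    which proposal or key check failed.
ciscoasa# debug crypto isakmp 7
ciscoasa# undebug all
```

The client-side symptom in the first log (ISAKMP OAK AG retransmissions followed by DEL_REASON_PEER_NOT_RESPONDING) is the same whether the packets never reach the ASA or the ASA silently drops them, so always pair the client log with "show logging" on the ASA before changing anything.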
05-11-2009 02:07 AM
Thank you.
I got my VPN client to connect.
Thank you for the support.