jjohnston1127 Fri, 05/15/2009 - 05:56

For the site-to-site VPN I'll post the Cisco configuration documentation so you can understand what's going on and how it works and view the configuration.


Site-to-Site VPN between ASA 5505s:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml


Remote Access VPN with ASA 5505:



1. Create a VPN pool for the vpn. This network should not be routed throughout your network already.


ip local pool vpnpool 192.168.200.1-192.168.200.62 mask 255.255.255.192


2. Create an access-list for split tunnel access. It should include the networks you want to be able to reach across the VPN.


access-list split standard permit 192.168.10.0 255.255.255.0
access-list split standard permit 192.168.11.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.100.0 255.255.255.0


3. Add an entry to your NONAT access list and make sure your NAT exemption is configured.


access-list nonat extended permit ip any 192.168.200.0 255.255.255.192
nat (inside) 0 access-list nonat




4. Create a group-policy for the VPN


group-policy IPSecVPN internal
group-policy IPSecVPN attributes
 wins-server value 192.168.10.10 192.168.10.11
 dns-server value 192.168.10.10 192.168.10.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value yourdomain.local


5. Create the tunnel group and assign a pre-shared key for group authentication.



tunnel-group IPSecVPN type remote-access
tunnel-group IPSecVPN general-attributes
 address-pool vpnpool
 default-group-policy IPSecVPN
tunnel-group IPSecVPN ipsec-attributes
 pre-shared-key Pre$haredk3y



6. Create a PCF configuration profile with the IPSec VPN client. Group name would be IPSecVPN, password would be Pre$haredk3y and the remote peer IP is obviously the outside address of your firewall.


Hope this helps.
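Steps 1 to 5 above only work if the names they pass between each other (pool, split ACL, NONAT ACL, group-policy, tunnel-group) match exactly, and ASA object names are case-sensitive. As an added example that is not part of the original post, this Python script checks those cross-references, the split-tunnel list, and whether the NAT exemption covers the whole pool; it runs over a constructed config that mirrors the steps above but deliberately mis-cases one tunnel-group line.

```python
import ipaddress
import re
# Constructed sample, not the thread's own config: the six-step remote-access VPN with
# one deliberate defect, the tunnel-group spelled 'IPsecVPN' twice and 'IPSecVPN' once.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.200.1-192.168.200.62 mask 255.255.255.192
access-list split standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip any 192.168.200.0 255.255.255.192
nat (inside) 0 access-list nonat
group-policy IPSecVPN internal
group-policy IPSecVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
tunnel-group IPsecVPN type remote-access
tunnel-group IPsecVPN general-attributes
 address-pool vpnpool
 default-group-policy IPSecVPN
tunnel-group IPSecVPN ipsec-attributes
 pre-shared-key *
"""

def check_ra_vpn(config):
    """Return findings for the cross-references steps 1-5 rely on; ASA names are case-sensitive."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def names(pattern):  # every name captured by group 1 of pattern, across all lines
        return {m.group(1) for l in lines if (m := re.match(pattern, l))}
    pools, acls = names(r"ip local pool (\S+)"), names(r"access-list (\S+)")
    policies, typed_tgs = names(r"group-policy (\S+) internal"), names(r"tunnel-group (\S+) type")
    checks = [  # (regex capturing a referenced name, set it must be defined in, message)
        (r"tunnel-group (\S+) \S+-attributes", typed_tgs, "tunnel-group attributes without a matching 'type' line"),
        (r"address-pool (\S+)", pools, "address-pool refers to an undefined pool"),
        (r"default-group-policy (\S+)", policies, "default-group-policy refers to an undefined group-policy"),
        (r"split-tunnel-network-list value (\S+)", acls, "split-tunnel list refers to an undefined access-list"),
        (r"nat \(\S+\) 0 access-list (\S+)", acls, "nat 0 refers to an undefined access-list"),
    ]
    findings = [f"{msg}: '{m.group(1)}'" for l in lines for pat, defined, msg in checks
                if (m := re.match(pat, l)) and m.group(1) not in defined]
    # Step 2: 'tunnelspecified' only does something if a network list is actually attached.
    if "split-tunnel-policy tunnelspecified" in lines and not names(r"split-tunnel-network-list value (\S+)"):
        findings.append("split-tunnel-policy tunnelspecified without a split-tunnel-network-list")
    # Step 3: the whole pool must sit inside a destination network of the nat 0 ACL, otherwise
    # inside-to-client traffic is translated by the dynamic NAT before it reaches the tunnel.
    exempt = [ipaddress.ip_network("/".join(m.groups()), strict=False)
              for acl in names(r"nat \(\S+\) 0 access-list (\S+)") for l in lines
              if (m := re.match(rf"access-list {re.escape(acl)} extended permit ip \S+ (\d\S*) (\d\S*)$", l))]
    for l in lines:
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", l):
            lo, hi = map(ipaddress.ip_address, m.group(2, 3))
            if not any(lo in net and hi in net for net in exempt):
                findings.append(f"pool '{m.group(1)}' is not fully covered by the nat 0 exemption ACL")
    return findings
```

Paste a `show running-config` into `check_ra_vpn` to run the same checks against a real box; an empty list means every reference the steps depend on resolves.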

ntmanjunath Sun, 05/17/2009 - 23:21

Thanks for the VPN site to site configuration.

I have created the VPN site-to-client configuration as you told me and it's not working. Please find the configuration below and let me know if anything has to be added.



ASA Version 7.2(4)
!
hostname ASA5505-FW
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.26.8.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.97.37.221 255.255.255.0
!
interface Vlan3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 100 extended permit tcp any host 10.97.37.229 eq 3389
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit tcp any host 10.97.37.229 eq 445
access-list 100 extended permit tcp any host 10.97.37.221 eq telnet
access-list 100 extended permit tcp any host 10.97.37.229 eq ftp
access-list nonat extended permit ip any 192.168.200.0 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging console alerts
logging monitor informational
logging buffered errors
logging trap notifications
logging history emergencies
logging asdm informational
logging mail alerts
logging device-id ipaddress inside
logging host inside 172.26.8.3
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.200.1-192.168.200.62 mask 255.255.255.192
ip audit attack action
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.97.37.229 172.26.8.3 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 10.97.37.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 172.26.8.3 community Airtel
no snmp-server location
no snmp-server contact
snmp-server community Airtel
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet 10.97.37.0 255.255.255.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config inside
!
group-policy IPSecVPN internal
group-policy IPSecVPN attributes
 dns-server value 10.88.40.11 10.96.40.12
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 default-domain value netsol.com
tunnel-group IPsecVPN type ipsec-ra
tunnel-group IPsecVPN general-attributes
 address-pool vpnpool
 default-group-policy IPSecVPN
tunnel-group IPSecVPN type ipsec-ra
tunnel-group IPSecVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp



jjohnston1127 Mon, 05/18/2009 - 06:16

What happens when you attempt to launch the connection from the VPN client? Does it connect, or does it give you an error?


If it connects, I'm guessing it is probably a routing issue. Since you used the network I used in the example, 192.168.200.0/26, instead of something that may be routed already, you will probably need to install a route in your internal network pointing that network to the ASA firewall.
