08-23-2010 09:32 AM
I set up my firewall with local authentication for a regular dynamic VPN setup, but I need to change it to authenticate against the server. The server is set up and ready to go, but I want to be sure the firewall will be too.
Here is my config:
ASA# sh run
: Saved
:
ASA Version 8.3(1)
hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoe_group
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0
object network SERVER01
host 192.168.*.*
object network obj-Internal-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network SERVER02
host 192.168.*.*
object network SERVER03
host 192.168.*.*
object network obj-OutsideIP
host 74.164.148.6
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.*.* eq www
access-list outside_in extended permit tcp any host 192.168.*.* eq https
access-list outside_in extended permit tcp any host 192.168.*.* eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.101.50-192.168.101.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-Internal-192.168.1.0 obj-Internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool
object network obj_any
nat (inside,outside) dynamic interface
object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp
object network SERVER02
nat (inside,outside) static interface service tcp www www
object network SERVER03
nat (inside,outside) static interface service tcp https https
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname emailaddress@bellsouth.net
vpdn group pppoe_group ppp authentication pap
vpdn username emailaddress@bellsouth.net password *****
dhcpd dns 192.168.*.* 4.2.2.2
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.*.* 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local
username vicky password 9fO.vlLc77pAFoHp encrypted privilege 15
username otherusers password hhckff6QokyoRdar encrypted privilege 10
username examplevpn password IKg0RMHfprF6Ya3u encrypted
username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
username admin attributes
vpn-group-policy examplevpn
tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy examplevpn
tunnel-group examplevpn ipsec-attributes
pre-shared-key *****
class-map global-class
match default-inspection-traffic
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect tftp
inspect sunrpc
inspect xdmcp
inspect sip
inspect icmp
inspect ipsec-pass-thru
inspect ip-options
class class_sip_tcp
inspect sip
service-policy global_policy global
prompt hostname context
Cryptochecksum:3edb25d4a550f0394e8c1936ab3326ad
Is what I have below all I have to add, and is it correct?
aaa-server RADIUSvpn protocol radius
max-failed-attempts 5
aaa-server vpn (DMZ) host 172.16.1.1
retry-interval 1
timeout 30
key cisco123
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
address-pool vpnpool
authentication-server-group RADIUSvpn
I am still relatively new to firewalls and find some of the online help overwhelming at times. Please help,
Vicky
08-31-2010 05:43 AM
Can you compare the config with this doc and see if something is missing?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
Use the troubleshooting section in the doc to find the correct DN; I think you are missing part of the DN string. Sorry for the late response.
08-23-2010 10:02 AM
It looks OK. Please check this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c18ff.shtml
It's much easier through ASDM. A good way to test whether your authentication is set up correctly is to use the test option mentioned in the document. If the test fails, run the following debugs on the ASA and they will tell you why it is failing:
debug aaa authentication
debug radius all
08-23-2010 10:12 AM
Most people tell me how much easier it is with ASDM, but I have always been more comfortable in the CLI, as that is all I use. Also, if I use ASDM at work I will be frowned upon, as they all use the CLI.
You have any ideas on the CLI version of the commands?
08-23-2010 10:19 AM
Sure, ultimately it comes down to you and whatever you feel comfortable with. The document I mentioned also has the relevant command-line configuration.
08-23-2010 11:00 AM
OK, last question on this (I hope). Using the link you gave me and based on the information (the sh run), is what I have below correct?
!--- Configure the AAA Server group.
ciscoasa(config)# aaa-server RADIUS_SERVER_GROUP protocol RADIUS
ciscoasa(config-aaa-server-group)# exit
!--- Configure the AAA Server. (192.168.*.* being the server IP)
ciscoasa(config)# aaa-server RADIUS_SERVER_GROUP (inside) host 192.168.*.*
ciscoasa(config-aaa-server-host)# key secretkey
ciscoasa(config-aaa-server-host)# exit
!--- Configure the tunnel group to use the new AAA setup. (examplevpn being the group authentication name)
ciscoasa(config)# tunnel-group examplevpn general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group RADIUS_SERVER_GROUP
And getting rid of the other commands that make it LOCAL authentication, leaving me with the following config (please, please, please check the config thoroughly; I don't want to mess this up):
ASA# sh run
: Saved
:
ASA Version 8.3(1)
hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoe_group
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0
object network SERVER01
host 192.168.*.*
object network obj-Internal-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network SERVER02
host 192.168.*.*
object network SERVER03
host 192.168.*.*
object network obj-OutsideIP
host 74.164.148.6
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.*.* eq www
access-list outside_in extended permit tcp any host 192.168.*.* eq https
access-list outside_in extended permit tcp any host 192.168.*.* eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.101.50-192.168.101.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-Internal-192.168.1.0 obj-Internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool
object network obj_any
nat (inside,outside) dynamic interface
object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp
object network SERVER02
nat (inside,outside) static interface service tcp www www
object network SERVER03
nat (inside,outside) static interface service tcp https https
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS_SERVER_GROUP protocol RADIUS
aaa-server RADIUS_SERVER_GROUP (inside) host 192.168.*.*
key secretkey
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname emailaddress@bellsouth.net
vpdn group pppoe_group ppp authentication pap
vpdn username emailaddress@bellsouth.net password *****
dhcpd dns 192.168.*.* 4.2.2.2
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.*.* 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local
username vicky password 9fO.vlLc77pAFoHp encrypted privilege 15
username otherusers password hhckff6QokyoRdar encrypted privilege 10
username examplevpn password IKg0RMHfprF6Ya3u encrypted
username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
username admin attributes
vpn-group-policy examplevpn
tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authentication-server-group RADIUS_SERVER_GROUP
default-group-policy examplevpn
tunnel-group examplevpn ipsec-attributes
pre-shared-key *****
class-map global-class
match default-inspection-traffic
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect tftp
inspect sunrpc
inspect xdmcp
inspect sip
inspect icmp
inspect ipsec-pass-thru
inspect ip-options
class class_sip_tcp
inspect sip
service-policy global_policy global
prompt hostname context
Cryptochecksum:3edb25d4a550f0394e8c1936ab3326ad
That right?
Thanks,
Vicky
08-23-2010 08:35 PM
Yes, it looks correct. It's as easy as it sounds.
08-24-2010 09:31 AM
After speaking with the server guy at my work and also looking over another config, I saw that it included LDAP. The server guy told me that Active Directory automatically uses LDAP. So, this being said, are the following changes to my configuration correct?
aaa-server TACACS+ Protocol tacacs+ <------- Do I even need this? I'm not using Cisco's protocols here, am I?
aaa-server RADIUS_SERVER_GROUP protocol RADIUS
aaa-server LDAP_SERVER_GROUP protocol ldap
aaa-server LDAP_SERVER_GROUP (inside) host 192.168.*.*
ldap-base-dn dc=mydomain <--------- Do I need to add ",dc=local" if the domain name is mydomain.local?
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator, cn=users, dc=mydomain <--------- Do I need to add ",dc=local" if the domain name is mydomain.local?
server-type microsoft
key secretkey <---------- Do I even need this, considering I have the ldap-login-password?
And obviously changing the following:
tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authentication-server-group LDAP_SERVER_GROUP
By the way, thank you for all your help with this; it has been very helpful.
Vicky
08-25-2010 07:06 AM
Any updates? I really need this config sorted
08-25-2010 08:54 AM
Hi Vicky,
What exactly do you want to use: LDAP, RADIUS or TACACS? Your RADIUS server config was correct; if the RADIUS server is set up fine, it should work.
08-25-2010 09:58 AM
I have a Microsoft 2008 server running RADIUS, but Microsoft uses LDAP, which is why I asked and was wondering.
08-26-2010 07:47 PM
I don't know how it's done on an MS RADIUS server, but in our setup the VPN does
not talk LDAP, it talks RADIUS to the RADIUS server and the RADIUS server in turn
talks ldap/smbauth to the LDAP and Active Directory servers respectively.
You should get that process cleared up with your server guys. On the VPN
side it looks like this:
vpdn group DefaultRAGroup localname foo
vpdn group DefaultRAGroup ppp authentication pap
dynamic-access-policy-record DfltAccessPolicy
aaa-server xxx protocol radius
aaa-server xxx (management) host XX.XX.XX.XX
key *****
authentication-port 1812
no vpn-addr-assign aaa
no vpn-addr-assign local
group-policy DfltGrpPolicy attributes
dhcp-network-scope YY.YY.YY.YY
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-default-routes
intercept-dhcp 255.255.0.0 enable
user-authentication enable
address-pools value vpn-ras1-defaultpool
tunnel-group DefaultRAGroup general-attributes
user-authentication enable
address-pools value vpn-ras1-defaultpool
authentication-server-group xxx
authentication-server-group (outside) xxx
dhcp-server ZZ.ZZ.ZZ.ZZ
strip-realm
strip-group
username-from-certificate use-entire-name
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
...once the RADIUS server is configured you should be able to see it up with:
#show aaa-server xxx
Server Group: xxx
Server Protocol: radius
Server Address: XX.XX.XX.XX
Server port: 1812(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 22:35:17 edt Thu Aug 26 2010
Number of pending requests 0
Average round trip time 33ms
Number of authentication requests 1970
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1899
Number of rejects 54
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 17
Number of unrecognized responses 0
...often you cannot test real authentication, but you can at least ensure the
"Number of authentication requests" and "Number of rejects" counters increment
using the command:
# test aaa-server authentication xxx host XX.XX.XX.XX username foo password foo
INFO: Attempting Authentication test to IP address
ERROR: Authentication Rejected: AAA failure
...if you've got communication problems between the VPN and RADIUS server, you'll
get a timeout instead of a Rejected.
Once you have that working you are pretty much done on the VPN side and it's
all down to taming the RADIUS server configs.
08-25-2010 11:21 AM
OK, so I got the config in there (keeping the LOCAL commands so I don't interrupt the current VPNs too much) and I am running the "test aaa-server authentication LDAP_SERV_GROUP host 192.168.*.*" command to test the username and password authentication (I had to change the AAA group name to LDAP_SERV_GROUP instead of the other, as the other was too long). However, it is coming up as failing. This is my output:
Username: administrator
Password: ********
INFO: Attempting Authentication test to IP address <192.168.*.*> (timeout: 12 seconds)
[3420] Session Start
[3420] New request Session, context 0xc9de1448, reqType = Authentication
[3420] Fiber started
[3420] Creating LDAP context with uri=ldap://192.168.*.*:389
[3420] Connect to LDAP server: ldap://192.168.*.*:389, status = Successful
[3420] supportedLDAPVersion: value = 3
[3420] supportedLDAPVersion: value = 2
[3420] Binding as Administrator
[3420] Performing Simple authentication for Administrator to 192.168.*.*
[3420] LDAP Search:
Base DN = [dc=mydomain ]
Filter = [sAMAccountName=administrator]
Scope = [SUBTREE]
[3420] Request for administrator returned code (10) Referral
[3420] Fiber exit Tx=286 bytes Rx=608 bytes, status=-1
[3420] Session End
ERROR: Authentication Rejected: Unspecified
It's not due to bad authentication, as it is coming back with code (10) Referral (or so I assume).
I did change my AAA to "ldap-login-dn cn=Administrator, cn=Users, dc=mydomain, dc=local"
instead of "ldap-login-dn cn=administrator, cn=users, dc=mydomain"
because the following output was the result of not having "dc=local" at the end.
The output was:
ASA# test aaa-server authentication LDAP_SERV_GROUP host 192.168.*.*
Username: administrator
Password: ********
INFO: Attempting Authentication test to IP address <192.168.*.*> (timeout: 12 seconds)
[3419] Session Start
[3419] New request Session, context 0xc9de1448, reqType = Authentication
[3419] Fiber started
[3419] Creating LDAP context with uri=ldap://192.168.*.*:389
[3419] Connect to LDAP server: ldap://192.168.*.*:389, status = Successful
[3419] supportedLDAPVersion: value = 3
[3419] supportedLDAPVersion: value = 2
[3419] Binding as administrator
[3419] Performing Simple authentication for administrator to 192.168.*.*
[3419] Simple authentication for administrator returned code (49) Invalid credentials
[3419] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[3419] Fiber exit Tx=204 bytes Rx=567 bytes, status=-2
[3419] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
I am still looking things up and troubleshooting, mainly using "debug ldap 255", and obviously I double-checked that my credentials were correct by using the command-line command "dsquery user -samid administrator" on the server.
Any ideas though?
08-31-2010 05:43 AM
Can you compare the config with this doc and see if something is missing?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
Use the troubleshooting section in the doc to find the correct DN; I think you are missing part of the DN string. Sorry for the late response.
08-31-2010 07:49 AM
Yes, you were right. Here is the complete working config in case someone needs help like I did. Thanks for the help, guys.
ASA# sh run
: Saved
:
ASA Version 8.3(1)
hostname
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoe_group
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0
-----------Same server, one object per protocol-------------
object network SERVER01
host 192.168.*.*
object network obj-Internal-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network SERVER02
host 192.168.*.*
object network SERVER03
host 192.168.*.*
object network obj-OutsideIP
host 73.*.*.*
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.*.* eq www
access-list outside_in extended permit tcp any host 192.168.*.* eq https
access-list outside_in extended permit tcp any host 192.168.*.* eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.101.50-192.168.101.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-Internal-192.168.1.0 obj-Internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool
object network obj_any
nat (inside,outside) dynamic interface
object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp
object network SERVER02
nat (inside,outside) static interface service tcp www www
object network SERVER03
nat (inside,outside) static interface service tcp https https
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RA_SERVER_GROUP protocol radius
aaa-server LDAP_SERV_GROUP protocol ldap
aaa-server LDAP_SERV_GROUP (inside) host 192.168.*.*
ldap-base-dn dc=mydomain, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ***** <---- password for the ldap-login-dn bind account
ldap-login-dn cn=Administrator, cn=Users, dc=mydomain, dc=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname emailaddress@bellsouth.net
vpdn group pppoe_group ppp authentication pap
vpdn username emailaddress@bellsouth.net password *****
dhcpd dns 192.168.*.* 4.2.2.2
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.*.* 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local
username otherusers password hhckff6QokyoRdar encrypted privilege 10
username examplevpn password IKg0RMHfprF6Ya3u encrypted
username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
username admin attributes
vpn-group-policy examplevpn
username Vicky password kVVIdKLCZanWt.w6 encrypted privilege 15
username Vicky attributes
vpn-group-policy examplevpn
tunnel-group RA-VPN type remote-access
-----------TUNNEL GROUP FOR THE LOCAL TUNNEL-------------
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy examplevpn
tunnel-group examplevpn ipsec-attributes
pre-shared-key *****
-----------TUNNEL GROUP FOR THE RADIUS/LDAP TUNNEL-------------
tunnel-group Radiusvpn type remote-access
tunnel-group Radiusvpn general-attributes
address-pool vpnpool
authentication-server-group LDAP_SERV_GROUP
tunnel-group Radiusvpn ipsec-attributes
pre-shared-key *****
class-map global-class
match default-inspection-traffic
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect tftp
inspect sunrpc
inspect xdmcp
inspect sip
inspect icmp
inspect ipsec-pass-thru
inspect ip-options
class class_sip_tcp
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:be674163196f614ba3efb4d766a27603
: end