IpSec VPN Client configuration on ASA 5510

junshah22
Level 1

I want to configure a Cisco ASA 5510 for Cisco VPN clients using the CLI. Please refer me to any suitable configuration using the CLI.

--

Regards,

Junaid

18 Replies 18

Your configuration looks fine, I am using ASA software version 7.0(7)

Device Manager version 5.0(7)

My device is not accepting some commands, from this step onward:

    Issue this command:

    ASA-AIP-CLI(config)#tunnel-group hillvalleyvpn ipsec-ra

Please advise.

    There is a typo in the document.

    The following line:

    tunnel-group hillvalleyvpn ipsec-ra

    should say:

    tunnel-group hillvalleyvpn type ipsec-ra

    Yes, you are right, I had already found the correct command with the keyword (type). Now I am facing a problem: my internal network is not accessible via the VPN connection.

    I connect using the Cisco VPN client and it connects successfully, but it cannot access my application or ping my internal network. Maybe split tunneling is required here. What do you say?

    I found a document, perhaps the one you meant, ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example. I followed the steps specified in this document but there is no effect.

    In the standard ACL, I replaced the example IP with my servers' VLAN network, i.e. 192.168.1.0, but it doesn't work. Then I also permitted my vpnpool IP subnet 192.168.55.0, but the result is the same.

    My ASA is configured with 3 interfaces, inside, outside and DMZ; the servers are in the DMZ.

    DMZ security level 50

    Inside security level 100

    outside security level 0

    outside network ip 192.168.75.0

    DMZ network 192.168.1.0

    My objective is to access the servers in DMZ interface.

    Please advise

    --

    Regards,

    Junaid

    You would also need to configure NAT exemption for DMZ as follows:

    access-list dmz-nonat permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0

    nat (DMZ) 0 access-list dmz-nonat

    Hope that resolves it.

    Yes, it's working fine right now; my internal network is accessible now. Thanks again.

    Now I am concerned with my NAT rule, which I was previously using on my Cisco 2811 router. VPN clients were also connecting to the 2811; now I have removed it and am using the ASA as the gateway, and VPN clients are connecting to the ASA.

    The NAT rule which I was using on the Cisco 2811 router:

    ip nat inside source static tcp 192.168.1.15 80 interface FastEthernet0/1 80

    By using this command, I was able to use my web application. Now I want to do the same with the ASA.

    Please advise.

    --

    Regards,

    Junaid

    What public IP address do you want to use to NAT 192.168.1.15? Would it be the ASA outside interface IP address?

    If it is, then you would need to configure the following:

    static (DMZ,outside) tcp interface 80 192.168.1.15 80 netmask 255.255.255.255

    And on the outside interface, you would need to configure ACL to allow TCP/80 in.

    The ASA outside interface is a private IP, 192.168.75.2.

    Above the ASA, I am using an internet link load balancing device, a TP-Link TL-R488T. I have configured its 3 interfaces with 3 internet connections having different live IP subnets.

    TP-Link local interface IP: 192.168.75.1

    Where are you looking to NAT the server?

    I am looking to NAT the server at all three of my available internet connections' live IPs:

    1. 202.59.68.226

    2. 58.27.232.18

    3. 58.27.233.210

    All three internet links are configured on the TP-Link and internet link load balancing is working.

    The TP-Link's local IP connected to the ASA is 192.168.75.1.

    My users will access the web application via the internet by entering any of the above-mentioned live IP addresses. When they enter any live IP in the browser, they will be redirected to my server 192.168.1.15 placed in the DMZ.

    Thanks dear,

    Your advised NAT command is working perfectly; my web application server is accessible now from the internet.

    Now I am concerned with my ACL placed on the outside interface:

    access-list outside_to_dmz extended permit ip any any

    access-list outside_to_dmz extended permit tcp any any

    access-group outside_to_dmz in interface outside

    By applying this ACL, all ports are open for every kind of traffic. I want to restrict it to VPN, TCP 80 and TCP Remote Desktop 3389 only.

    Please advise which ports should be open for the VPN client.

    --

    Regards,

    Junaid

    Since the VPN is terminated on the ASA itself, you do not need to open any specific ports. The ASA will automatically allow the VPN ports since it's terminated on itself.

    Fine,

    I have applied an access-list to restrict some users from going out to the internet:

    access-list Internet extended permit ip 192.168.10.111 any

    access-list Internet extended permit ip 192.168.10.4 any

    access-group Internet out interface outside

    This ACL should allow only two hosts to exit to the internet while all other local IPs should be denied, but when I apply this ACL on the outside interface in the out direction, my internet stops working even on the allowed IPs.

    What's the issue?

    This is my last query. I am very thankful to you.

    --

    Regards,

    Junaid

    Please apply the access-list in the inbound direction on the internal interface.

    Assuming that the user is on the inside interface, please apply it as follows:

    access-group Internet in interface inside
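A consolidated ASA 7.x configuration that pulls together the fixes from this thread (the "type" keyword, split tunneling, NAT exemption, static PAT, a port-specific outside ACL instead of "permit ip any any", and the access-group moved to the inbound direction on inside). This is an added example, not configuration from the thread or from Cisco; the pool range, group-policy name, pre-shared key, admin source address, the RDP static and the 192.168.10.0/24 inside network are assumptions.

```text
! --- Remote-access IPsec group (the document omitted the "type" keyword)
tunnel-group hillvalleyvpn type ipsec-ra
tunnel-group hillvalleyvpn general-attributes
 address-pool vpnpool
 default-group-policy hillvalleyvpn-policy
tunnel-group hillvalleyvpn ipsec-attributes
 pre-shared-key PRESHARED-KEY-PLACEHOLDER
! Client pool (range is assumed; the thread only gives the 192.168.55.0 subnet)
ip local pool vpnpool 192.168.55.10-192.168.55.200 mask 255.255.255.0

! --- Split tunneling: only the DMZ server network goes through the tunnel
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
group-policy hillvalleyvpn-policy internal
group-policy hillvalleyvpn-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

! --- NAT exemption: DMZ-to-VPN-pool traffic must not be translated
access-list dmz-nonat permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
nat (DMZ) 0 access-list dmz-nonat

! --- Publish the web server on the outside interface address (static PAT)
static (DMZ,outside) tcp interface 80 192.168.1.15 80 netmask 255.255.255.255
! RDP publication is assumed from the "3389" request; omit it if RDP is VPN-only
static (DMZ,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255

! --- Replace the wide-open outside ACL with port-specific entries.
! Pre-8.3 ACLs match the translated (outside) address, hence "interface outside".
! Nothing is needed for the VPN itself: IKE/ESP terminating on the ASA is permitted by default.
no access-list outside_to_dmz extended permit ip any any
no access-list outside_to_dmz extended permit tcp any any
access-list outside_to_dmz extended permit tcp any interface outside eq 80
access-list outside_to_dmz extended permit tcp host ADMIN-PUBLIC-IP-PLACEHOLDER interface outside eq 3389
access-group outside_to_dmz in interface outside

! --- Internet restriction: filter inbound on inside, not outbound on outside.
! The implicit deny then also blocks other inside hosts toward the DMZ, so permit
! that flow first (192.168.10.0/24 as the inside network is an assumption).
access-list Internet extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Internet extended permit ip host 192.168.10.111 any
access-list Internet extended permit ip host 192.168.10.4 any
no access-group Internet out interface outside
access-group Internet in interface inside
```

Verify the result with "show access-list outside_to_dmz" and "show xlate" after a client connects; hit counts on the two port entries confirm the static PAT and ACL agree.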
