09-20-2010 04:39 AM
I am very new to the ASA. I have a working VPN; now I want to open 4 ports (6735, 6736, 2029, 1434)
and enable ping to my server from a VPN client. Is there any way I can easily do this using ASDM? If not possible, how best can I tackle this?
!
ASA Version 7.2(4)
!
hostname pretoria
domain-name default.domain.invalid
enable password yiRw5ideotZmWUDS0 encrypted
passwd 6KFQasNIilI.2KFCA encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.5.12.5 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host 10.5.12.100
network-object host 192.168.1.10
network-object host 10.5.12.5
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
access-list HQ-TUNNEL_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.5.112.0 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any object-group DM_INLINE_NETWORK_1 log debugging
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log debugging
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL1 10.5.112.1-10.5.112.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.5.12.100 192.168.1.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.5.12.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 213.193.45.233 255.255.255.255 outside
http 10.5.12.11 255.255.255.255 outside
http 67.165.22.34 255.255.255.255 outside
http 192.168.1.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
.
.
.
.
.
!
dhcpd address 192.168.1.2-192.168.1.50 inside
dhcpd enable inside
!
group-policy HQ-TUNNEL internal
group-policy HQ-TUNNEL attributes
dns-server value 213.193.43.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value HQ-TUNNEL_splitTunnelAcl
username admin password HEH5MDcPeRt4KaUW encrypted
username HQ-User1 password LoNCAAClgPoPODsS encrypted privilege 0
username HQ-User1 attributes
vpn-group-policy HQ-TUNNEL
tunnel-group HQ-TUNNEL type ipsec-ra
tunnel-group HQ-TUNNEL general-attributes
address-pool VPN-POOL1
default-group-policy HQ-TUNNEL
tunnel-group HQ-TUNNEL ipsec-attributes
pre-shared-key Pret0ri@
!
!
prompt hostname context
Cryptochecksum:7zm4e45f146604386d9e3eac38531a6d
: end
09-20-2010 04:43 AM
From your current VPN configuration, you should be able to ping and access those ports, since you haven't configured any vpn-filter to only allow
specific ports.
You would need to make sure that the internal hosts that you are trying to ping have the Windows firewall turned off, because it normally does not allow inbound connections from different subnets.
09-20-2010 04:57 AM
There is no internal firewall in place. I uninstalled the Symantec Endpoint firewall that was there and disabled Windows Firewall. I can't ping still.
09-20-2010 05:01 AM
Also enable ICMP inspection under your global_policy:
policy-map global_policy
class inspection_default
inspect icmp
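An added worked example, not from the thread or from either poster, that puts the two suggestions above (no vpn-filter means everything is allowed; add inspect icmp) into one fragment for this 7.2(4) config. Two facts make the vpn-filter the right place to look: decrypted VPN traffic bypasses the outside_access_in interface ACL because sysopt connection permit-vpn is on by default (it is not shown in the running config), so the only per-port control for clients in HQ-TUNNEL is a vpn-filter on that group-policy; and the existing icmp permit any inside/outside lines only govern pings addressed to the ASA's own interfaces, not pings through it. The fragment assumes the server is 192.168.1.10 (the host behind the existing static) and that all four ports are TCP; both are assumptions, since the thread names neither the server nor the protocol.

```cisco
! Added example, not from the thread: explicit per-port access for the
! HQ-TUNNEL VPN clients on an ASA 7.2(4). Assumes the server is
! 192.168.1.10 (the host behind the existing static) and that the four
! ports are TCP; change "tcp" to "udp" for any that are UDP services.
!
! 1. ICMP inspection, so the server's echo-replies are matched to the
!    client's echo-requests as a stateful connection instead of being
!    dropped as unsolicited ICMP.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 2. Group the allowed ports once so the ACL stays readable.
object-group service VPN-SERVER-PORTS tcp
 port-object eq 6735
 port-object eq 6736
 port-object eq 2029
 port-object eq 1434
!
! 3. vpn-filter ACL. Source is the address the client was assigned from
!    VPN-POOL1 (10.5.112.1-30, i.e. 10.5.112.0/27), destination is the
!    server. The ASA applies the filter to both the post-decrypt and the
!    pre-encrypt direction with the addresses reversed, so one ACE per
!    service, written client-to-server, is enough.
access-list HQ-TUNNEL-FILTER extended permit icmp 10.5.112.0 255.255.255.224 host 192.168.1.10
access-list HQ-TUNNEL-FILTER extended permit tcp 10.5.112.0 255.255.255.224 host 192.168.1.10 object-group VPN-SERVER-PORTS
!
! 4. Attach it. Anything from these clients not matched above is dropped,
!    which is the opposite of today's state (no vpn-filter = allow all).
group-policy HQ-TUNNEL attributes
 vpn-filter value HQ-TUNNEL-FILTER
```

After applying, show access-list HQ-TUNNEL-FILTER prints a hit count per ACE. A client pinging the server while the icmp line stays at zero hits means the echo-requests are not reaching the ASA through the tunnel (client, route, or split-tunnel side); a rising count on the ACL with no reply at the client points past the ASA to the host or the path back.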
09-20-2010 05:43 AM
Using the packet tracer in ASDM, it looks like all ICMP packets are going through, but I can't ping from the client. What about opening the ports I mentioned? How easily can I do that?