migration from asa 5505 to asa 5510

Jun 27th, 2012

My company has the ASA 5505 working as the remote access VPN server. My company needs more VPN licenses than the ASA 5505 gives it, so my company purchased the ASA 5510. I must migrate the configuration from the ASA 5505 to the ASA 5510. I exported the configuration file from the ASA 5505, made the changes to it and imported it into the ASA 5510. My ASA 5510 doesn't work. Why? Can you help me? I have put up the configuration files from the ASA 5505 and 5510.

Thanks

Jouni Forss Thu, 06/28/2012 - 02:47

Hi,


For one, I don't see any NAT configuration on your ASA 5510 (basic PAT and the NAT exempt configuration for VPN).


Also, you are using a global access-list that doesn't really allow any traffic other than TFTP. Other traffic is probably getting blocked. Personally I avoid using global access lists like the plague.


Also, you seem to have made the ASA software jump from your old 8.2 to 8.4.


This means that access-list and NAT configurations are way different from what you have been used to with software 8.2 on the ASA 5505.


- Jouni

goran ljubic Thu, 06/28/2012 - 03:15

Can you help me? How do I configure NAT and ACLs for my VPN connection? Thanks

Jouni Forss Thu, 06/28/2012 - 03:25

Hi,


Looking at your old ASA 5505 8.2 software version configuration, it seems you should do the following:


First I would suggest starting off with an access-list per interface and not a global access-list. I guess this is a matter of taste, so it's optional.


ACCESS-LIST CHANGES


no access-group global_access global

no access-list global_access extended permit udp user LOCAL\192.168.1.3 any any eq tftp



access-list INSIDE-IN remark Allow traffic from LAN

access-list INSIDE-IN permit ip 192.168.0.0 255.255.255.0 any


access-group INSIDE-IN in interface inside



NAT CONFIGURATIONS


- Basic PAT


object-group network PAT-SOURCE-NETWORKS

description Source networks for PAT

network-object 192.168.0.0 255.255.255.0


nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface



- NAT exempt for VPN


object network VPN-POOL

description VPN Client pool

subnet 192.168.50.0 255.255.255.0


object network LAN-NETWORK

description LAN Network

subnet 192.168.0.0 255.255.255.0


nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL



The above should get you started with basic config.


Please rate the post if it was helpful


- Jouni

goran ljubic Tue, 07/03/2012 - 01:31

I made a config file for my ASA 5510. What do you think about this file? Can I start the VPN connection and replace my ASA 5505 with the ASA 5510?

Thanks


Result of the command: "show run"



: Saved

:

ASA Version 8.4(2)

!

hostname asa5510

domain-name dri.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 178.x.x.x 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.10 255.255.255.0

management-only

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name dri.local

no access-group global_access global

no access-list global_access extended permit udp user LOCAL\192.168.1.3 any any eq tftp

access-list INSIDE-IN remark Allow traffic from LAN

access-list INSIDE-IN permit ip 192.168.0.0 255.255.255.0 any

access-group INSIDE-IN in interface inside

object-group network PAT-SOURCE-NETWORKS

description Source networks for PAT

network-object 192.168.0.0 255.255.255.0

nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

object network VPN-POOL

description VPN Client pool

subnet 192.168.50.0 255.255.255.0

object network LAN-NETWORK

description LAN Network

subnet 192.168.0.0 255.255.255.0

nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group global_access global

route outside 0.0.0.0 0.0.0.0 178.x.x.178 1

route outside 0.0.0.0 0.0.0.0 178.x.x.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record dripolisa

aaa-server DRI protocol ldap

aaa-server DRI (inside) host 192.168.0.20

ldap-base-dn DC=dri,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local

server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.14-192.168.0.45 inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 192.168.0.20 192.168.0.254

vpn-simultaneous-logins 10

vpn-idle-timeout 30

vpn-tunnel-protocol ikev1

default-domain value dri.local

username driadmin password AojCAMO/soZo8W.W encrypted privilege 15

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnadrese

authentication-server-group DRI

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:5fe62ac95bd337424b6952baf1bb5e17

: end

goran ljubic Tue, 07/03/2012 - 02:34

I imported the configuration into the ASA and my running configuration is:


ASA Version 8.4(2)

!

hostname asa5510

domain-name dri.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 178.x.x.x 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.10 255.255.255.0

management-only

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name dri.local

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

description VPN Client pool

object network LAN-NETWORK

subnet 192.168.0.0 255.255.255.0

description LAN Network

object-group network PAT-SOURCE-NETWORKS

description Source networks for PAT

network-object 192.168.0.0 255.255.255.0

access-list INSIDE-IN remark Allow traffic from LAN

access-list INSIDE-IN extended permit ip 192.168.0.0 255.255.255.0 any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

access-group INSIDE-IN in interface inside

route outside 0.0.0.0 0.0.0.0 178.x.x.178 1

route outside 0.0.0.0 0.0.0.0 178.x.x.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record dripolisa

aaa-server DRI protocol ldap

aaa-server DRI (inside) host 192.168.0.20

ldap-base-dn DC=dri,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local

server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.14-192.168.0.45 inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 192.168.0.20 192.168.0.254

vpn-simultaneous-logins 10

vpn-idle-timeout 30

vpn-tunnel-protocol ikev1

default-domain value dri.local

username driadmin password AojCAMO/soZo8W.W encrypted privilege 15

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnadrese

authentication-server-group DRI

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:4d4577afbf90588f7378df22c4d2d225

: end



What do you think?

goran ljubic Wed, 07/04/2012 - 09:57

I tried using the VPN client to connect to my ASA 5510. I can log on, but I can't access my resources on the local network 192.168.0.0/24. My configuration on the ASA 5510 is:


Result of the command: "show runn"



: Saved

:

ASA Version 8.4(2)

!

hostname asa5510

domain-name dri.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 178.x.x.178 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.10 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name dri.local

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

description VPN Client pool

object network LAN-NETWORK

subnet 192.168.0.0 255.255.255.0

description LAN Network

object-group network PAT-SOURCE-NETWORKS

description Source networks for PAT

network-object 192.168.0.0 255.255.255.0

access-list INSIDE-IN remark Allow traffic from LAN

access-list INSIDE-IN extended permit tcp 192.168.0.0 255.255.255.0 any

access-list INSIDE-IN extended permit ip object VPN-POOL object LAN-NETWORK

access-list inside_access_out extended permit icmp object VPN-POOL object LAN-NETWORK echo-reply

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

access-group INSIDE-IN in interface inside

access-group inside_access_out out interface inside

route outside 0.0.0.0 0.0.0.0 178.x.x.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record dripolisa

aaa-server DRI protocol ldap

aaa-server DRI (inside) host 192.168.0.20

ldap-base-dn DC=dri,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local

server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.14-192.168.0.45 inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 192.168.0.20 192.168.0.254

vpn-simultaneous-logins 10

vpn-idle-timeout 30

vpn-tunnel-protocol ikev1 l2tp-ipsec

default-domain value dri.local

username driadmin password AojCAMO/soZo8W.W encrypted privilege 15

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnadrese

authentication-server-group DRI

authentication-server-group (inside) DRI

authentication-server-group (outside) DRI

authorization-server-group DRI

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:38c7540e27ed313b9f3387ca49371753

: end

What do I do? How can I access local resources from my VPN client? I changed the access rules, but nothing.

Jouni Forss Thu, 07/05/2012 - 02:20

Hi,


I can't see the NAT exempt configuration in your ASA configuration from the previous post.


The configuration was this:


object network VPN-POOL

description VPN Client pool

subnet 192.168.50.0 255.255.255.0


object network LAN-NETWORK

description LAN Network

subnet 192.168.0.0 255.255.255.0


nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL



I can see the "object" created but not the NAT configuration.


- Jouni

Jouni Forss Thu, 07/05/2012 - 02:23

Hi,


Also, you don't need another access-list for the inside interface (the one in the "out" direction).


I think by default the ASA lets through all traffic that's coming from VPN Client or L2L VPN hosts.


So the VPN Client connections to LAN network should go through without changing any rules.


You can remove the following:


access-list inside_access_out extended permit icmp object VPN-POOL object LAN-NETWORK echo-reply


access-group inside_access_out out interface inside


Because basically that access-list is already blocking all traffic BUT echo-reply from the VPN Client to the LAN network.


But as I said, you also lack the NAT exempt configuration.


- Jouni
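As an added example (not code from the thread, from Cisco, or from either poster), the Python script below parses an ASA 8.4 running-config and flags the gaps Jouni raises above: a VPN address pool with no identity ("NAT exempt") rule, and a global access-group. It also flags one more thing visible in the posted configs, `management-only` on the inside interface, which stops that interface from forwarding through-traffic. The sample config and its 203.0.113.x addresses are constructed for the example.

```python
"""Post-migration checks for an ASA 8.4 remote-access VPN running-config."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample modelled on the thread's final config (public addresses
# replaced by the 203.0.113.0/24 documentation range). It reproduces the gaps
# discussed above: no identity NAT for the VPN pool, a global access-group,
# and "management-only" left on the inside interface.
SAMPLE_CONFIG = """\
ASA Version 8.4(2)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.178 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.10 255.255.255.0
 management-only
!
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0
object network LAN-NETWORK
 subnet 192.168.0.0 255.255.255.0
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
access-group INSIDE-IN in interface inside
access-group global_access global
"""

# The identity NAT line from the thread; appending it should clear the NAT finding.
NAT_EXEMPT = ("nat (inside,outside) source static LAN-NETWORK LAN-NETWORK "
              "destination static VPN-POOL VPN-POOL\n")


def parse_objects(cfg: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each 'object network NAME' to its 'subnet A M' (host objects skipped)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.strip().startswith("subnet "):
            net, mask = line.split()[1:3]
            objects[current] = ipaddress.IPv4Network(f"{net}/{mask}")
    return objects


def check_vpn_nat_exempt(cfg: str) -> List[str]:
    """Flag an 'ip local pool' that no identity (twice) NAT rule exempts from PAT."""
    objects = parse_objects(cfg)
    # 8.3+ NAT-exempt form: 'source static X X destination static Y Y'.
    exempt = re.findall(
        r"^nat \(\S+\) (?:\d+ )?source static (\S+) \1 destination static (\S+) \2",
        cfg, re.M)
    covered = [objects[dst] for _, dst in exempt if dst in objects]
    pools = re.findall(r"^ip local pool \S+ ([^\s-]+)-", cfg, re.M)
    return [f"VPN pool starting at {p} has no NAT exemption (identity NAT) rule"
            for p in pools if not any(ipaddress.IPv4Address(p) in n for n in covered)]


def check_management_only(cfg: str) -> List[str]:
    """Flag 'management-only' on any interface other than the management one."""
    findings, ifname, nameif = [], None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            ifname, nameif = line.split()[1], None
        elif line.startswith("!"):
            ifname = None
        elif ifname and line.strip().startswith("nameif "):
            nameif = line.split()[1]
        elif ifname and line.strip() == "management-only" and nameif != "management":
            findings.append(f"{ifname} ({nameif}) is management-only and drops through-traffic")
    return findings


def check_global_acl(cfg: str) -> List[str]:
    """Flag a global access-group; the thread recommends per-interface ACLs."""
    return [f"global access-group '{name}' in use; prefer per-interface access-lists"
            for name in re.findall(r"^access-group (\S+) global", cfg, re.M)]


def audit(cfg: str) -> List[str]:
    return check_vpn_nat_exempt(cfg) + check_management_only(cfg) + check_global_acl(cfg)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it against the output of `show running-config` saved to a file; the sample reports all three findings, and appending the identity NAT line from the thread clears the first one.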

goran ljubic Thu, 07/05/2012 - 02:39

Can you tell me how I make a NAT exemption on ASA 8.4? I don't know how.

Doesn't the command 'nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL' do the NAT exemption?

I have this NAT in my ASDM.


Thanks

goran ljubic Thu, 07/05/2012 - 02:55

I put the command 'nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL' in my config file, but I can't access my local resources.


Result of the command: "show runn"



: Saved

:

ASA Version 8.4(2)

!

hostname asa5510

domain-name dri.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 178.x.x.178 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.10 255.255.255.0

management-only

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name dri.local

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

description VPN Client pool

object network LAN-NETWORK

subnet 192.168.0.0 255.255.255.0

description LAN Network

object-group network PAT-SOURCE-NETWORKS

description Source networks for PAT

network-object 192.168.0.0 255.255.255.0

access-list INSIDE-IN remark Allow traffic from LAN

access-list INSIDE-IN extended permit ip 192.168.0.0 255.255.255.0 any

access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL

!

nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

access-group INSIDE-IN in interface inside

route outside 0.0.0.0 0.0.0.0 178.x.x.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record dripolisa

aaa-server DRI protocol ldap

aaa-server DRI (inside) host 192.168.0.20

ldap-base-dn DC=dri,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local

server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.14-192.168.0.45 inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 192.168.0.20 192.168.0.254

vpn-simultaneous-logins 10

vpn-idle-timeout 30

vpn-tunnel-protocol ikev1 l2tp-ipsec

split-tunnel-network-list value Split_Tunnel_List

default-domain value dri.local

username driadmin password AojCAMO/soZo8W.W encrypted privilege 15

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnadrese

authentication-server-group DRI

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:db2d230f39f1c58de098465f2bc77a03

: end
