Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA RA VPN, iPad, PC

Hello,

I apologize if this has already been asked.  If you see a thread asking this same question, please link.

I am currently overseas and wish to setup my home (US) ASA 5505 with two VPN profiles; one full tunnel, one split tunnel.  This would enable me to connect from either my PC or iPad and access my things at home (split-tunnel), or reach websites sourcing from my US address (full-tunnel).

I would prefer to go about this configuration via CLI as I am not too familiar with the GUI.

My first question is just a basic:  What am I going for?  Remote Access VPN with multiple groups?  AnyConnect?  Eazy VPN?  I'm not sharp on the ASA platform, so any help would be appreciated.  I would very much like to use the iPad's built in IPSEC VPN option (labeled "Cisco").

Thanks for any help

-Scott

ASA 5505 9.1(1)

Everyone's tags (7)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

ASA RA VPN, iPad, PC

Do you mean to give your VPN users internet access while using full tunneling? then yes you would to do a NAT and also allow the ASA to send traffic out the same interface it was received on.

network object VPN

subnet 192.168.1.0 255.255.255.0

nat (outside,outside) dynamic interface

same-security-traffic permit intra-interface

-- Please remember to rate and select a correct answer
8 REPLIES
New Member

ASA RA VPN, iPad, PC

I've been messing with the configuration and this is what I have.  I am able to successfully authenticate via my iPad and obtain an IP from the vpnPool.  However, I can only ping the inside interface IP (192.168.0.250), nothing else.

Right now I'm focusing on the Full Tunnel (hairpin) configuration.  I know I'm missing something with NAT, but I'm not sure what...

ip local pool vpnPool 192.168.0.210-192.168.0.220 mask 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.250 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

no pim

!

boot system disk0:/asa911-k8.bin

!

access-list outsideIN extended permit icmp any4 any4 object-group DM_INLINE_ICMP_1

!

asdm image disk0:/asdm-711-52.bin

!

nat (inside,outside) source static VPN-SOURCE VPN-SOURCE destination static VPN-DESTINATION-1 VPN-DESTINATION-1

nat (inside,outside) source static VPN-SOURCE VPN-SOURCE destination static VPN-DESTINATION-2 VPN-DESTINATION-2

!

object network obj_any

nat (inside,outside) dynamic interface

access-group outsideIN in interface outside

!

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA

!

crypto ca trustpool policy

crypto isakmp nat-traversal 3600

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

!

dhcpd address 192.168.0.100-192.168.0.200 inside

dhcpd dns 4.2.2.6 4.2.2.2 interface inside

dhcpd domain local.lan interface inside

dhcpd update dns both interface inside

dhcpd enable inside

!

webvpn

anyconnect-essentials

group-policy Full_Tunnel internal

group-policy Full_Tunnel attributes

vpn-tunnel-protocol ssl-clientless

group-policy Split_Tunnel internal

group-policy Split_Tunnel attributes

vpn-tunnel-protocol ssl-clientless

webvpn

  smart-tunnel tunnel-policy tunnelspecified homeNetwork

username scott password .. encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool vpnPool

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group groupFullTunnel type remote-access

tunnel-group groupFullTunnel general-attributes

address-pool vpnPool

default-group-policy Full_Tunnel

tunnel-group groupFullTunnel ipsec-attributes

ikev1 pre-shared-key *****

!

Excuse all the random config.  I made the mistake of trying the wizard.  I prefer CLI.
Side note, can I remove those 'crypto ikev policty' statements?

Thanks for any help

VIP Green

ASA RA VPN, iPad, PC

One thing is that you will have connection issues because the VPN pool is on the same subnet as the inside network.  The inside network will think it is directly connected  and never send the traffic to the ASA to be routed to the VPN.  To get around this you could either subnet the current IP allocation or assign a comletely separate subnet to the VPN (192.168.1.0/24 for example).

As for the NAT I am uncertain what you mean by VPN-SOURCE and VPN-DESTINATION.  If the VPN-SOURCE is the VPN IP and VPN-DESTINATION is the LAN then the NAT statement is backwards and should read something like this:

nat (inside,outside) source static VPN-DESTINATION-1 VPN-DESTINATION-1 destination static VPN-SOURCE VPN-SOURCE

-- Please remember to rate and select a correct answer
Bronze

ASA RA VPN, iPad, PC

You need to exempt the VPN clients from NAT. Try adding:

object network lan-subnet

subnet 192.168.0.0 255.255.255.0


nat (inside,outside) source static lan-subnet lan-subnet destination static lan-subnet lan-subnet

If that doesn't work have a look at this pdf guide -

http://www.vpntracker.com/cms_components/media/vpnt/VPNT_Interop_Howtos/1101/CiscoASA.pdf

It's for a Mac IPsec client but I've found that the configuration works perfectly well with the iPhone/iPad built-in Cisco IPsec client connecting to an ASA5505. The CLI commands are at the end of the document.

New Member

ASA RA VPN, iPad, PC

Thank you for the replies.

You're right in that I should have a different subnet for the vpnPool.  I changed it to this:

ip local pool vpnPool 192.168.1.200-192.168.1.220 mask 255.255.255.0

I also added the following lines based on second reply:

object network vpn-subnet

subnet 192.168.1.0 255.255.255.0

nat (inside,outside) source static vpn-subnet vpn-subnet destination static vpn-subnet vpn-subnet

When I connect, I now obtain the new pool of IP's, but I'm in the same spot as before.  I can ping the inside interface IP, but that's it.

Marius, those VPN-SOURCE objects are defined for a site-to-site VPN I've been playing with.  I shouldn't have included that in this effort, my apologies.

I now get the following log message when I connect to the VPN and try to ping:

5Aug 17 201314:10:03305013192.168.1.200LOCAL192.168.0.252
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.200(LOCAL\scott) dst inside:192.168.0.252 (type 8, code 0) denied due to NAT reverse path failure

It's obvious a NAT issue, I'm just unsure of the solution...

Thanks again for the help

Bronze

ASA RA VPN, iPad, PC

It is not necessary to have a different subnet but if you do then I think the statement should be:

nat (inside,outside) source static lan-subnet lan-subnet destination static vpn-subnet vpn-subnet

Look at the linked document I sent - it breaks down the process into steps that I think are easy to follow.

New Member

ASA RA VPN, iPad, PC

Thank you.  Very helpful PDF and it really outlines it for you.  I like that only the subject configuration is shown.

I can now connect with my iPad and ping internal IP's, which is a lot further than where I was.

Now I just need to figure out the hairpin part.  Allowing my iPad to use my Firewalls connection as it's source.

Is this also a simple NAT config?

VIP Green

ASA RA VPN, iPad, PC

Do you mean to give your VPN users internet access while using full tunneling? then yes you would to do a NAT and also allow the ASA to send traffic out the same interface it was received on.

network object VPN

subnet 192.168.1.0 255.255.255.0

nat (outside,outside) dynamic interface

same-security-traffic permit intra-interface

-- Please remember to rate and select a correct answer
New Member

ASA RA VPN, iPad, PC

Sweet!  That was it.  I can now browse from my iPad with my home ASA as the source.

Thank both of you much for the help!  I really need to read up on NAT; it's always been my weak point.  The syntax is boggling.

Thanks again

605
Views
5
Helpful
8
Replies