Cisco Support Community
Community Member

VPDN ON ASA 5505

Hello guys,

Could one of you help me to implement the configuration I have on a SOHO 91 router on an ASA 5505?

I will remove 10.10.10.1/24 from my inside network since, as far as I am concerned, it was only implemented like this for security reasons.

I will use DHCP for my clients on the 10.0.0.0/24 network.

Also, I would be grateful if you could explain to me how VPDN actually works in my scenario. From what I see in the configuration (I didn't visit the remote site, only the HQ), remote clients connect to HQ using a dial-in connection. They receive an IP on the same network, 10.0.0.0/24, to be able to work with a program that HQ is using. Is this a layer 2 tunneling method? Can I implement something different using the ASA but still be able to use the 10.0.0.0/24 network? As far as I know, to configure AnyConnect you have to create a different subnet for the remote clients. This is not what I need, since they have to be on the same subnet as HQ. Are there any other methods/options I can use for VPN? The other site is using only the ISP's router to access the internet, nothing special.

Below is the configuration:

Current configuration : 3447 bytes
!
version 12.3
!
hostname test
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
username Admin password 7 [x]
username s password 7 [y]
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CON none
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip name-server [name server]
ip dhcp excluded-address 10.0.0.254
!
ip dhcp pool CLIENT
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.254
   domain-name [domain-name]
   dns-server 10.0.0.1
   lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
no crypto isakmp enable
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:10.0.0.254-255.255.255.0
 ip address 10.0.0.254 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address [public ip] 255.255.255.252
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 no ip mroute-cache
 duplex auto
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 peer default ip address pool pptp
 ppp authentication chap
!
ip local pool pptp 10.0.0.245 10.0.0.250
ip classless
ip route 0.0.0.0 0.0.0.0 [public gateway]
ip http server
no ip http secure-server
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.0.0.1 80 interface Ethernet1 80
!
!
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny   ip any any
no cdp run
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end
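Before porting a setup like this to another box it helps to have a record of what the PPTP dial-in part actually exposes. The following is an added example, not code from the post or from Cisco: it parses the PPTP-relevant lines of the configuration above (copied into CONFIG, placeholders omitted) and reports that the PPTP server is reachable through ACL 111 (TCP 1723 plus GRE), that no MPPE encryption is configured, and that the address pool hands dial-in clients addresses from the HQ LAN subnet via `ip unnumbered Ethernet0`, which is why they appear on the same 10.0.0.0/24 network. The `audit_pptp` function name and the result keys are my own.

```python
import re
from ipaddress import ip_address, ip_network
# Excerpt of the router config posted above (PPTP-relevant lines only).
CONFIG = """\
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
interface Ethernet0
 ip address 10.0.0.254 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
interface Virtual-Template1
 ip unnumbered Ethernet0
 peer default ip address pool pptp
 ppp authentication chap
ip local pool pptp 10.0.0.245 10.0.0.250
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
"""

def audit_pptp(config):
    # Walk the config once; indented lines belong to the last top-level command.
    r = {"pptp": False, "auth": None, "mppe": False, "pool": None, "inside_nets": [],
         "acl": set(), "pool_on_inside": False, "findings": []}
    section = ""
    for line in config.splitlines():
        if not line.startswith(" "):
            section = line
        cmd = line.strip()
        if section.startswith("vpdn-group") and cmd == "protocol pptp":
            r["pptp"] = True
        elif section.startswith("interface Virtual-Template"):
            if m := re.match(r"ppp authentication (\S+)", cmd):
                r["auth"] = m[1]
            r["mppe"] |= cmd.startswith("ppp encrypt mppe")   # MPPE only if explicitly enabled
        elif section.startswith("interface Ethernet0"):
            if m := re.match(r"ip address (\S+) (\S+)", cmd):
                r["inside_nets"].append(ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"ip local pool pptp (\S+) (\S+)", cmd):
            r["pool"] = (ip_address(m[1]), ip_address(m[2]))
        elif m := re.match(r"access-list 111 permit (gre|tcp .*eq 1723)\b", cmd):
            r["acl"].add(m[1][:3])   # PPTP needs both TCP 1723 (control) and GRE (data)
    if r["pool"]:
        r["pool_on_inside"] = any(r["pool"][0] in n and r["pool"][1] in n for n in r["inside_nets"])
    if r["pptp"] and r["acl"] >= {"tcp", "gre"}:
        r["findings"].append("PPTP server reachable on the outside interface (TCP 1723 + GRE)")
    if r["pptp"] and not r["mppe"]:
        r["findings"].append("no 'ppp encrypt mppe': PPP payload unencrypted (MPPE needs MS-CHAP, not CHAP)")
    if r["pool_on_inside"]:
        r["findings"].append("dial-in clients get HQ LAN addresses (ip unnumbered Ethernet0), appear as local hosts")
    return r
```

Running `audit_pptp(CONFIG)` on the posted excerpt returns all three findings; adding `ppp encrypt mppe auto required` with MS-CHAPv2 under the virtual template clears the encryption finding.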
