Cisco Support Community

ASA 8.4 and VPN Client for Public Internet VPN on a Stick Configuration Example

So I just installed a new ASA running 8.4, which has a new way of doing NAT, so here is an example config of how to set up a VPN on a stick.

I just wasted the better half of a night figuring this out, so I decided to share the info since Cisco has updated their documentation on this.

Reason for Doc: VPN clients need access to your inside network and also Internet access via the VPN.

The old way to configure this is in the Cisco document for ASA 7.2: http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00805734ae.shtml

Old Way

same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 172.16.43.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

New Way (8.4(2) and up)

same-security-traffic permit intra-interface
nat (inside,outside) source dynamic RFC1918 interface
nat (outside,inside) source static NET-VPNPOOL NET-VPNPOOL
nat (outside,outside) source dynamic NET-VPNPOOL interface

Full Example

! Allow traffic from the VPN "outside" to the Internet "outside" - AKA intra interface traffic

same-security-traffic permit intra-interface

! PRIVATE IP SPACE DEFINED BY RFC 1918
object-group network RFC1918
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 10.0.0.0 255.0.0.0

! VPN POOL
object-group network NET-VPNPOOL
network-object 172.16.43.0 255.255.255.0

! NORMAL NAT FROM INSIDE TO INTERNET
nat (inside,outside) source dynamic RFC1918 interface

! VPN to INSIDE AKA KEEP THE SAME ADDRESS
nat (outside,inside) source static NET-VPNPOOL NET-VPNPOOL

! VPN CLIENT NEEDS INTERNET TOO
nat (outside,outside) source dynamic NET-VPNPOOL interface

! VPN CONFIGURATION
!----------------------------------

! IP POOL
ip local pool VPN-POOL 172.16.43.1-172.16.43.254 mask 255.255.255.0

! TRANS SET
crypto ipsec ikev1 transform-set CIMCO_MAN_TRANS esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set CIMCO_MAN_TRANS

! INJECT THE VPN CLIENT'S IP INTO THE LOCAL ROUTING TABLE USING OSPF/RIP - I USE OSPF Internally
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

! APPLY THE CRYPTO MAP TO THE OUTSIDE INTERFACE
crypto map OUTSIDE_MAP interface outside

crypto ikev1 enable outside
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

group-policy VPNCLIENT internal
group-policy VPNCLIENT attributes
! USE MY DNS SERVER (Optional)
dns-server value 192.168.1.2 192.168.1.3
vpn-tunnel-protocol ikev1
! FORCE THE VPNCLIENT TO TUNNEL ALL TRAFFIC
split-tunnel-policy tunnelall

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPN-POOL
default-group-policy VPNCLIENT
tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key shhhh!!!!
! (OPTIONAL) DISABLE PROMPTING OF A USERNAME AND PASSWORD - I LEAVE THIS OFF FOR TESTING
ikev1 user-authentication none

Comments
New Member

Thank you very much for this config, very useful.

I was in a similar situation and it helped me very much.

Fabrice

Thank you very much for this configuration, I just tested it for my customer and it works like a charm.

New Member

Thanks Thanks Thanks

New Member

Thanks.

Very useful.

New Member

This works great, but how do you set it up with a no-NAT? Say I want my folks who VPN in to be able to access things on the LAN but still allow them to surf the web through the ASA?

I got this so far:

ip local pool VPNPOOL 192.168.0.101-192.168.0.125

object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0

nat (inside,outside) source dynamic obj-192.168.0.0 interface
nat (outside,inside) source static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source dynamic obj-192.168.0.0 interface

group-policy DefaultRAGroup attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 password-storage disable
 pfs enable
 split-tunnel-policy tunnelall

BUT none of my traffic makes it to the LAN with any of these:

nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (any,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp
nat (outside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup

I wonder if I have to play with the "split-tunnel-policy tunnelall" line?

Any help would be great, thanks.

ST
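Before pasting either of the configs in this thread into an ASA, a practitioner would want to confirm that the two VPN-side NAT lines and the intra-interface permit are present, and that the address pool does not land inside the LAN behind the inside interface. This added Python example (not part of the thread or of Cisco's tooling) parses the posted object, pool and NAT lines and reports those checks; the inside LAN prefix is an assumed input, since the posted lines do not name it (192.168.1.0/24 is assumed for the author's config, 192.168.0.0/24 for ST's, and the findings are only as complete as the lines posted).

```python
# Added example, not from the original post: lint an ASA 8.4 "VPN on a stick" config
# for the NAT lines the thread relies on and for a VPN pool overlapping the inside LAN.
import ipaddress
import re

def parse_asa(config):
    """Return ({object: [networks]}, (pool_first, pool_last), [nat rule tuples])."""
    objects, pool, nats, current = {}, None, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"object(?:-group)? network (\S+)$", line):
            current, objects[m[1]] = m[1], []
        elif m := re.match(r"(?:network-object|subnet) (\S+) (\S+)$", line):
            objects[current].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"nat \((\w+),(\w+)\) source (dynamic|static) (\S+) (\S+)", line):
            nats.append(m.groups())
    return objects, pool, nats

def check_vpn_on_a_stick(config, pool_object, inside_lan):
    """List failed checks; inside_lan is the connected LAN prefix supplied by the caller."""
    objects, pool, nats = parse_asa(config)
    required = [("outside", "inside", "static", pool_object, pool_object),    # VPN -> inside keeps pool IP
                ("outside", "outside", "dynamic", pool_object, "interface")]  # VPN -> Internet hairpin PAT
    findings = [f"missing nat ({a},{b}) source {k} {s} {d}" for a, b, k, s, d in required
                if (a, b, k, s, d) not in nats]
    if "same-security-traffic permit intra-interface" not in config:
        findings.append("missing same-security-traffic permit intra-interface")
    if pool:
        lan = ipaddress.ip_network(inside_lan)
        if any(ip in lan for ip in pool):  # pool addresses collide with the connected LAN route
            findings.append(f"pool {pool[0]}-{pool[1]} overlaps inside LAN {lan}")
        if not any(pool[0] in n and pool[1] in n for n in objects.get(pool_object, [])):
            findings.append(f"pool {pool[0]}-{pool[1]} is not covered by object {pool_object}")
    return findings

# Constructed from the two configs in the thread, trimmed to the lines the checks read.
AUTHOR_CFG = """same-security-traffic permit intra-interface
object-group network NET-VPNPOOL
network-object 172.16.43.0 255.255.255.0
nat (inside,outside) source dynamic RFC1918 interface
nat (outside,inside) source static NET-VPNPOOL NET-VPNPOOL
nat (outside,outside) source dynamic NET-VPNPOOL interface
ip local pool VPN-POOL 172.16.43.1-172.16.43.254 mask 255.255.255.0"""
ST_CFG = """ip local pool VPNPOOL 192.168.0.101-192.168.0.125
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source dynamic obj-192.168.0.0 interface
nat (outside,inside) source static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source dynamic obj-192.168.0.0 interface"""
```

Run it as `check_vpn_on_a_stick(AUTHOR_CFG, "NET-VPNPOOL", "192.168.1.0/24")`, which returns an empty list, and `check_vpn_on_a_stick(ST_CFG, "obj-192.168.0.0", "192.168.0.0/24")`, which reports the pool landing inside the LAN prefix.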
