ASA 5525 9.1 Remote access VPN

Ali Bahnam
Level 1

Dears,

Kindly, I tried to configure remote access VPN on ASA 9.1 but it didn't work. Anyway, can you please post any configuration steps?

Appreciate your support,

Regards,

23 Replies

Ali Bahnam
Level 1

Please, any help?

Below is the sh run; I am still getting the error message (reason 412):

HQ-ASA(config)#

HQ-ASA(config)# sh ru

: Saved

:

ASA Version 9.1(1)

!

hostname HQ-ASA

enable password .h2T1va7bpb/xWzw encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool testpool 30.30.30.1-30.30.30.15

!

interface GigabitEthernet0/0

nameif outside

security-level 50

ip address 10.11.1.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.11.2.2 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 100

no ip address

!

boot system disk0:/asa911-smp-k8.bin

ftp mode passive

object network Local-Lan

subnet 10.10.0.0 255.255.0.0

object network VPN-Pool

subnet 30.30.30.0 255.255.255.0

object network Net_10.10.0.0

subnet 10.10.0.0 255.255.0.0

object network Net_10.11.0.0

subnet 10.11.0.0 255.255.0.0

object network Net_192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network Net_172.16.0.0

subnet 172.16.0.0 255.255.0.0

object-group network inside_network

network-object 10.10.0.0 255.255.0.0

network-object 10.11.0.0 255.255.0.0

network-object 172.16.0.0 255.255.0.0

network-object 192.168.0.0 255.255.0.0

object-group network outside

network-object host 10.11.1.2

access-list internal extended permit ip any any

access-list internal extended permit icmp any any

access-list external extended permit icmp any any

access-list external extended permit ip any any

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool

access-list split-acl standard permit 10.10.0.0 255.255.0.0

access-list split-acl standard permit 10.11.0.0 255.255.0.0

access-list split-acl standard permit 192.168.0.0 255.255.0.0

access-list split-acl standard permit 172.16.0.0 255.255.0.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic any interface

nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_10.10.0.0 Net_10.10.0.0

nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_10.11.0.0 Net_10.11.0.0

nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_192.168.0.0 Net_192.168.0.0

nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_172.16.0.0 Net_172.16.0.0

access-group internal in interface outside

access-group external in interface inside

route outside 0.0.0.0 0.0.0.0 10.11.1.1 1

route inside 10.10.0.0 255.255.0.0 10.11.2.1 1

route inside 172.16.0.0 255.255.0.0 10.11.2.1 1

route inside 192.168.0.0 255.255.0.0 10.11.2.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set FirstSet esp-3des esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet

crypto dynamic-map dyn1 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

group-policy testgroup internal

group-policy testgroup attributes

vpn-filter value nat0

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value nat0

username cisco password 3USUcOPFUiMCO4Jk encrypted

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

address-pool testpool

default-group-policy testgroup

tunnel-group testgroup ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:d9350a145595b903911cb6223630e7b6

: end

HQ-ASA(config)#

Hi,

What isn't working?  Are you unable to establish a connection? Are you able to establish a connection but traffic is not passing?

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Your NAT exempt statements are a bit off.  You have configured them in the wrong direction.  Change them to the following:

nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool


Thanks for your reply,

With the VPN client I cannot establish a connection.

For the NAT, I will add it and update you.

Regards,

Here is a working configuration.

ip local pool testpool 30.30.30.1-30.30.30.15

crypto ipsec ikev1 transform-set MYSET esp-aes esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ikev1 enable outside

crypto ikev1 policy 65535

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

group-policy testgroup internal

group-policy testgroup attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

username cisco password cisco

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

address-pool testpool

default-group-policy testgroup

tunnel-group testgroup ipsec-attributes

ikev1 pre-shared-key cisco


Dear,

Now, for the configuration that you sent, I have to add an ACL to it to permit the internal traffic to the VPN pool network.

Also, for the static NAT, should I keep it or move it?

Regards,

Keep the NAT exempt statements.

I am not sure which ACL you are referring to.  If you are referring to the interface ACL, you are already permitting all traffic from the inside out.

By the way, if this ASA is in a live environment, you should most definitely remove the permit IP any any on the outside interface.

access-list internal extended permit ip any any

access-list internal extended permit icmp any any

access-list external extended permit icmp any any

access-list external extended permit ip any any

access-group internal in interface outside

access-group external in interface inside


I'm referring to this ACL:

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool

access-list split-acl standard permit 10.10.0.0 255.255.0.0

access-list split-acl standard permit 10.11.0.0 255.255.0.0

access-list split-acl standard permit 192.168.0.0 255.255.0.0

access-list split-acl standard permit 172.16.0.0 255.255.0.0

Yes, the ACLs you have configured for the NAT exempt and split tunneling need to be kept.


Still facing the same issue (error reason 412, remote peer no longer responding).

I'm using Cisco VPN Client version 5.0, so please advise if I have to change it to a newer version.

Below is the updated sh run:


: Saved
:
ASA Version 9.1(1)
!
hostname HQ-ASA
enable password .h2T1va7bpb/xWzw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool testpool 30.30.30.1-30.30.30.15
!
interface GigabitEthernet0/0
nameif outside
security-level 50
ip address 10.11.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.11.2.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
no ip address
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
object network Local-Lan
subnet 10.10.0.0 255.255.0.0
object network VPN-Pool
subnet 30.30.30.0 255.255.255.0
object network Net_10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network Net_10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network Net_192.168.0.0
subnet 192.168.0.0 255.255.0.0
object network Net_172.16.0.0
subnet 172.16.0.0 255.255.0.0
object-group network inside_network
network-object 10.10.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
object-group network outside
network-object host 10.11.1.2
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list external extended permit icmp any any
access-list external extended permit ip any any
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool
access-list split-acl standard permit 10.10.0.0 255.255.0.0
access-list split-acl standard permit 10.11.0.0 255.255.0.0
access-list split-acl standard permit 192.168.0.0 255.255.0.0
access-list split-acl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool
access-group internal in interface outside
access-group external in interface inside
route outside 0.0.0.0 0.0.0.0 10.11.1.1 1
route inside 10.10.0.0 255.255.0.0 10.11.2.1 1
route inside 172.16.0.0 255.255.0.0 10.11.2.1 1
route inside 192.168.0.0 255.255.0.0 10.11.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set MYSET esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
group-policy testgroup internal
group-policy testgroup attributes
vpn-filter value nat0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nat0
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7eb95646e1b6a2e70d6481c561265d9
: end

HQ-ASA#

Is this in a lab or private network environment? I ask because your outside interface 10.11.1.2 is a private address that will only be reachable via internal clients. If there is an upstream NAT on another device (the 10.11.1.1 gateway perhaps?) you may be having issues there.

Are you connecting to the VPN from the inside network?  You have applied the crypto map to the inside interface, which will not work if you are trying to connect to it from a location located off the outside interface.

crypto map inside_map interface inside

Make the following changes to your configuration and then test again:

no crypto map inside_map interface inside

no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

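As an added example (not code from the thread or from Cisco), a small Python linter that checks an ASA running-config for the three issues raised in the replies above: a NAT exemption written from the pool side instead of (inside,outside), a crypto map bound to an interface where IKEv1 is not enabled, and permit ip any any applied inbound on the outside interface. The config excerpt inside is constructed from lines posted in this thread; the check names and the VPN-Pool default are assumptions.

```python
"""Lint an ASA running-config for the problems discussed in this thread.

Added example, not the thread's own code. Requires Python 3.8+ (walrus).
"""
import re
from typing import List, Optional, Tuple

# Constructed excerpt mirroring the poster's first config; not a full 'show run'.
SAMPLE_CONFIG = """\
object network VPN-Pool
 subnet 30.30.30.0 255.255.255.0
object network Net_10.10.0.0
 subnet 10.10.0.0 255.255.0.0
access-list internal extended permit ip any any
access-list external extended permit ip any any
nat (inside,outside) source dynamic any interface
nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_10.10.0.0 Net_10.10.0.0
access-group internal in interface outside
access-group external in interface inside
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
"""

NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static "
    r"(?P<src>\S+) (?P<src_m>\S+) destination static (?P<dst>\S+) (?P<dst_m>\S+)$"
)
ACL_ANY_RE = re.compile(r"^access-list (?P<name>\S+) extended permit ip any any$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\S+)$")
MAP_IFC_RE = re.compile(r"^crypto map (?P<map>\S+) interface (?P<ifc>\S+)$")
IKEV1_RE = re.compile(r"^crypto ikev1 enable (?P<ifc>\S+)$")

# (check id, offending config line, suggested replacement or action)
Finding = Tuple[str, str, str]


def fixed_nat_exemption(line: str, pool: str = "VPN-Pool") -> Optional[str]:
    """Rewrite an identity NAT whose source is the VPN pool into the
    (inside,outside) LAN-to-pool form recommended in the thread.
    Returns None when the line is not a pool-sourced identity NAT."""
    m = NAT_RE.match(line.strip())
    if not m or m["src"] != pool or m["src_m"] != pool:
        return None
    lan = m["dst"]  # the LAN object that should be the source
    return (f"nat (inside,outside) source static {lan} {lan} "
            f"destination static {pool} {pool}")


def lint_asa_config(config: str, pool: str = "VPN-Pool") -> List[Finding]:
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: List[Finding] = []

    # 1. NAT exemption direction: the identity NAT must run from the LAN
    #    (inside,outside) towards the pool, not from the pool side.
    for ln in lines:
        fix = fixed_nat_exemption(ln, pool)
        if fix:
            findings.append(("nat-direction", ln, fix))

    # 2. A crypto map bound to an interface without 'crypto ikev1 enable'
    #    cannot terminate IKEv1 clients arriving on it; flag the binding.
    ikev1_ifcs = {m["ifc"] for ln in lines if (m := IKEV1_RE.match(ln))}
    for ln in lines:
        m = MAP_IFC_RE.match(ln)
        if m and m["ifc"] not in ikev1_ifcs:
            findings.append(("crypto-map-interface", ln, f"no {ln}"))

    # 3. 'permit ip any any' applied inbound on the outside interface
    #    exposes everything behind the ASA; restrict it to needed flows.
    wide_open = {m["name"] for ln in lines if (m := ACL_ANY_RE.match(ln))}
    for ln in lines:
        m = GROUP_RE.match(ln)
        if m and m["ifc"] == "outside" and m["name"] in wide_open:
            findings.append(("outside-permit-any", ln,
                             f"remove 'permit ip any any' from ACL {m['name']}"))
    return findings


if __name__ == "__main__":
    for check, line, fix in lint_asa_config(SAMPLE_CONFIG):
        print(f"[{check}] {line}\n    -> {fix}")
```

Run against a real 'show run' the linter only reports these three patterns; an empty list means none of the thread's issues were found, not that the VPN is correct.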

Dear Marius,

I did all the required changes but am still facing the same issue (error 412, remote peer no longer responding).

By the way, I did a static NAT on the router to redirect to the ASA outside IP (ip nat inside source static 10.11.1.2 X.X.X.X).

Below is the new ASA sh run:

HQ-ASA(config)# sh ru

: Saved

:

ASA Version 9.1(1)

!

hostname HQ-ASA

enable password .h2T1va7bpb/xWzw encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool testpool 30.30.30.1-30.30.30.15

!

interface GigabitEthernet0/0

nameif outside

security-level 50

ip address 10.11.1.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.11.2.2 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 100

no ip address

!

boot system disk0:/asa911-smp-k8.bin

ftp mode passive

object network Local-Lan

subnet 10.10.0.0 255.255.0.0

object network VPN-Pool

subnet 30.30.30.0 255.255.255.0

object network Net_10.10.0.0

subnet 10.10.0.0 255.255.0.0

object network Net_10.11.0.0

subnet 10.11.0.0 255.255.0.0

object network Net_192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network Net_172.16.0.0

subnet 172.16.0.0 255.255.0.0

object-group network inside_network

network-object 10.10.0.0 255.255.0.0

network-object 10.11.0.0 255.255.0.0

network-object 172.16.0.0 255.255.0.0

network-object 192.168.0.0 255.255.0.0

object-group network outside

network-object host 10.11.1.2

access-list internal extended permit ip any any

access-list internal extended permit icmp any any

access-list external extended permit icmp any any

access-list external extended permit ip any any

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0

access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0

access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0

access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool

access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool

access-list split-acl standard permit 10.10.0.0 255.255.0.0

access-list split-acl standard permit 10.11.0.0 255.255.0.0

access-list split-acl standard permit 192.168.0.0 255.255.0.0

access-list split-acl standard permit 172.16.0.0 255.255.0.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool

nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool

access-group internal in interface outside

access-group external in interface inside

route outside 0.0.0.0 0.0.0.0 10.11.1.1 1

route inside 10.10.0.0 255.255.0.0 10.11.2.1 1

route inside 172.16.0.0 255.255.0.0 10.11.2.1 1

route inside 192.168.0.0 255.255.0.0 10.11.2.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set MYSET esp-aes esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

group-policy testgroup internal

group-policy testgroup attributes

vpn-filter value nat0

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value nat0

username cisco password 3USUcOPFUiMCO4Jk encrypted

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

address-pool testpool

default-group-policy testgroup

tunnel-group testgroup ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:73f3eecf4b2dcbbde341d28ab989a946

: end

HQ-ASA(config)#

Appreciate your Support,

I still come back to my earlier question - is your outside address 10.11.1.2 accessible (independent of VPN access) to your remote access clients?
