11-26-2013 06:56 AM - edited 02-21-2020 07:20 PM
Dears,
Kindly, I tried to configure remote access VPN on ASA 9.1 but it didn't work. Anyway, can you please post any configuration steps?
Appreciate your support,
Regards,
11-27-2013 12:42 AM
Please any help??
Below is the sh run; I am still getting the error message (reason 412):
HQ-ASA(config)#
HQ-ASA(config)# sh ru
: Saved
:
ASA Version 9.1(1)
!
hostname HQ-ASA
enable password .h2T1va7bpb/xWzw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool testpool 30.30.30.1-30.30.30.15
!
interface GigabitEthernet0/0
nameif outside
security-level 50
ip address 10.11.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.11.2.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
no ip address
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
object network Local-Lan
subnet 10.10.0.0 255.255.0.0
object network VPN-Pool
subnet 30.30.30.0 255.255.255.0
object network Net_10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network Net_10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network Net_192.168.0.0
subnet 192.168.0.0 255.255.0.0
object network Net_172.16.0.0
subnet 172.16.0.0 255.255.0.0
object-group network inside_network
network-object 10.10.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
object-group network outside
network-object host 10.11.1.2
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list external extended permit icmp any any
access-list external extended permit ip any any
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool
access-list split-acl standard permit 10.10.0.0 255.255.0.0
access-list split-acl standard permit 10.11.0.0 255.255.0.0
access-list split-acl standard permit 192.168.0.0 255.255.0.0
access-list split-acl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_10.10.0.0 Net_10.10.0.0
nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_10.11.0.0 Net_10.11.0.0
nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_192.168.0.0 Net_192.168.0.0
nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_172.16.0.0 Net_172.16.0.0
access-group internal in interface outside
access-group external in interface inside
route outside 0.0.0.0 0.0.0.0 10.11.1.1 1
route inside 10.10.0.0 255.255.0.0 10.11.2.1 1
route inside 172.16.0.0 255.255.0.0 10.11.2.1 1
route inside 192.168.0.0 255.255.0.0 10.11.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
group-policy testgroup internal
group-policy testgroup attributes
vpn-filter value nat0
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nat0
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d9350a145595b903911cb6223630e7b6
: end
HQ-ASA(config)#
11-27-2013 01:17 AM
Hi,
What isn't working? Are you unable to establish a connection? Are you able to establish a connection but traffic is not passing?
--
Please rate all helpful posts
11-27-2013 01:24 AM
Your NAT exempt statements are a bit off. You have configured them in the wrong direction. Change them to the following:
nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool
11-27-2013 12:16 PM
Thanks for your reply,
With the VPN client I cannot establish a connection.
For the NAT, I will add it and update you.
Regards,
11-28-2013 12:01 AM
Here is a working configuration.
ip local pool testpool 30.30.30.1-30.30.30.15
crypto ipsec ikev1 transform-set MYSET esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
group-policy testgroup internal
group-policy testgroup attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
username cisco password cisco
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key cisco
11-28-2013 05:46 AM
Dear,
Now, for the configuration that you sent, I have to add an ACL on it to permit the internal traffic to the VPN pool network.
Also, for the static NAT, should I keep it or move it?
Regards,
11-28-2013 07:09 AM
Keep the NAT exempt statements.
I am not sure which ACL you are referring to. If you are referring to the interface ACL, you are already permitting all traffic from the inside out.
By the way, if this ASA is in a live environment, you should most definitely remove the permit IP any any on the outside interface.
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list external extended permit icmp any any
access-list external extended permit ip any any
access-group internal in interface outside
access-group external in interface inside
--
Please rate all helpful posts
11-28-2013 01:16 PM
I'm referring to this ACL:
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool
access-list split-acl standard permit 10.10.0.0 255.255.0.0
access-list split-acl standard permit 10.11.0.0 255.255.0.0
access-list split-acl standard permit 192.168.0.0 255.255.0.0
access-list split-acl standard permit 172.16.0.0 255.255.0.0
11-28-2013 01:21 PM
Yes the ACLs you have configured for the NAT exempt and split tunneling need to be kept.
--
Please remember to rate and choose a correct answer
12-01-2013 01:24 PM
Still facing the same issue (error reason 412 remote peer no longer responding).
I'm using Cisco VPN Client version 5.0, so please advise if I have to change it to a new version.
Below the updated sh run:
: Saved
:
ASA Version 9.1(1)
!
hostname HQ-ASA
enable password .h2T1va7bpb/xWzw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool testpool 30.30.30.1-30.30.30.15
!
interface GigabitEthernet0/0
nameif outside
security-level 50
ip address 10.11.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.11.2.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
no ip address
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
object network Local-Lan
subnet 10.10.0.0 255.255.0.0
object network VPN-Pool
subnet 30.30.30.0 255.255.255.0
object network Net_10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network Net_10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network Net_192.168.0.0
subnet 192.168.0.0 255.255.0.0
object network Net_172.16.0.0
subnet 172.16.0.0 255.255.0.0
object-group network inside_network
network-object 10.10.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
object-group network outside
network-object host 10.11.1.2
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list external extended permit icmp any any
access-list external extended permit ip any any
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool
access-list split-acl standard permit 10.10.0.0 255.255.0.0
access-list split-acl standard permit 10.11.0.0 255.255.0.0
access-list split-acl standard permit 192.168.0.0 255.255.0.0
access-list split-acl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool
access-group internal in interface outside
access-group external in interface inside
route outside 0.0.0.0 0.0.0.0 10.11.1.1 1
route inside 10.10.0.0 255.255.0.0 10.11.2.1 1
route inside 172.16.0.0 255.255.0.0 10.11.2.1 1
route inside 192.168.0.0 255.255.0.0 10.11.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set MYSET esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
group-policy testgroup internal
group-policy testgroup attributes
vpn-filter value nat0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nat0
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7eb95646e1b6a2e70d6481c561265d9
: end
HQ-ASA#
12-01-2013 02:38 PM
Is this in a lab or private network environment? I ask because your outside interface 10.11.1.2 is a private address that will only be reachable via internal clients. If there is an upstream NAT on another device (the 10.11.1.1 gateway perhaps?) you may be having issues there.
12-02-2013 12:17 AM
Are you connecting to the VPN from the inside network? You have applied the crypto map to the inside interface, which will not work if you are trying to connect to it from a location located off the outside interface.
crypto map inside_map interface inside
Make the following changes to your configuration and then test again:
no crypto map inside_map interface inside
no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
--
Please remember to rate and select a correct answer
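As an added example (my code, not from the thread or from Cisco), a small Python lint that applies the checks raised in the replies above to a constructed config excerpt: the outside interface sitting on private address space, a crypto map bound to an interface where IKEv1 is not enabled or with no map entries, NAT exemption written with the pool as source, and permit ip any any inbound on the outside interface. The object name VPN-Pool and the nameif values come from the thread; the config excerpt itself is constructed.

```python
import ipaddress
import re

# Constructed sample, not the thread's full running-config: the lines from the
# poster's earlier "sh run" outputs that the replies objected to, plus the
# second dump's outside_map binding that had no matching map entry.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 10.11.1.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.11.2.2 255.255.255.0
object network VPN-Pool
 subnet 30.30.30.0 255.255.255.0
access-list internal extended permit ip any any
access-group internal in interface outside
nat (any,inside) source static VPN-Pool VPN-Pool destination static Net_10.10.0.0 Net_10.10.0.0
nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
"""


def interface_addresses(cfg):
    """Map each nameif to its IPv4 address by walking the interface blocks."""
    result, nameif = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            nameif = None  # new block; nameif precedes ip address in ASA output
        m = re.match(r"\s*nameif (\S+)$", line)
        if m:
            nameif = m.group(1)
        m = re.match(r"\s*ip address (\S+) \S+$", line)
        if m and nameif:
            result[nameif] = m.group(1)
    return result


def lint_config(cfg, pool_object="VPN-Pool"):
    """Return one finding per problem, each prefixed with a short code."""
    findings = []
    # 1. Outside interface on private space: IKE (UDP 500/4500) from remote
    #    clients only reaches it if an upstream device forwards those ports.
    outside_ip = interface_addresses(cfg).get("outside")
    if outside_ip and ipaddress.ip_address(outside_ip).is_private:
        findings.append(f"outside-private: outside interface {outside_ip} is a "
                        "private address; remote clients need an upstream NAT "
                        "that forwards UDP 500/4500 to it")
    # 2. Crypto maps: the bound interface must have IKEv1 enabled, and the map
    #    must actually contain at least one entry.
    ikev1_ifaces = set(re.findall(r"^crypto ikev1 enable (\S+)", cfg, re.M))
    maps_with_entries = set(re.findall(r"^crypto map (\S+) \d+ ", cfg, re.M))
    for name, iface in re.findall(r"^crypto map (\S+) interface (\S+)", cfg, re.M):
        if iface not in ikev1_ifaces:
            findings.append(f"cryptomap-no-ikev1: {name} is bound to '{iface}' "
                            "but IKEv1 is not enabled on that interface")
        if name not in maps_with_entries:
            findings.append(f"cryptomap-empty: {name} is bound to '{iface}' "
                            "but has no map entries")
    # 3. NAT exemption direction: identity twice-NAT for the pool belongs on
    #    (inside,outside) with the inside network as source and the pool as
    #    destination; the pool as source is the reversed form.
    nat_re = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) \S+ "
                        r"destination static (\S+) \S+", re.M)
    for src_if, dst_if, src, dst in nat_re.findall(cfg):
        if src == pool_object or (src_if, dst_if) != ("inside", "outside"):
            findings.append(f"nat-exempt-direction: nat ({src_if},{dst_if}) "
                            f"source {src} destination {dst} is reversed; expected "
                            "nat (inside,outside) source static <inside-net> "
                            f"destination static {pool_object}")
    # 4. Inbound ACL on outside that permits ip any any.
    acl_by_iface = {i: a for a, i in
                    re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M)}
    acl = acl_by_iface.get("outside")
    if acl and re.search(rf"^access-list {re.escape(acl)} extended permit ip any any",
                         cfg, re.M):
        findings.append(f"outside-acl-open: ACL '{acl}' applied inbound on outside "
                        "permits ip any any")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the text of a real `show running-config` to get the same four categories of findings; the regexes accept both indented and un-indented sub-commands.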
12-08-2013 03:08 AM
Dear Marius,
I did all the required changes but am still facing the same issue (error 412, remote peer no longer responding).
By the way, I did a static NAT on the router to redirect to the ASA outside IP (ip nat inside source static 10.11.1.2 X.X.X.X).
Below the new ASA sh run:
HQ-ASA(config)# sh ru
: Saved
:
ASA Version 9.1(1)
!
hostname HQ-ASA
enable password .h2T1va7bpb/xWzw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool testpool 30.30.30.1-30.30.30.15
!
interface GigabitEthernet0/0
nameif outside
security-level 50
ip address 10.11.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.11.2.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
no ip address
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
object network Local-Lan
subnet 10.10.0.0 255.255.0.0
object network VPN-Pool
subnet 30.30.30.0 255.255.255.0
object network Net_10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network Net_10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network Net_192.168.0.0
subnet 192.168.0.0 255.255.0.0
object network Net_172.16.0.0
subnet 172.16.0.0 255.255.0.0
object-group network inside_network
network-object 10.10.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
object-group network outside
network-object host 10.11.1.2
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list external extended permit icmp any any
access-list external extended permit ip any any
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip object VPN-Pool 10.10.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 10.11.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 172.16.0.0 255.255.0.0
access-list nat0 extended permit ip object VPN-Pool 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 10.10.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 10.11.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 object VPN-Pool
access-list nat0 extended permit ip 172.16.0.0 255.255.0.0 object VPN-Pool
access-list split-acl standard permit 10.10.0.0 255.255.0.0
access-list split-acl standard permit 10.11.0.0 255.255.0.0
access-list split-acl standard permit 192.168.0.0 255.255.0.0
access-list split-acl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static Net_10.10.0.0 Net_10.10.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_10.11.0.0 Net_10.11.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_192.168.0.0 Net_192.168.0.0 destination static VPN-Pool VPN-Pool
nat (inside,outside) source static Net_172.16.0.0 Net_172.16.0.0 destination static VPN-Pool VPN-Pool
access-group internal in interface outside
access-group external in interface inside
route outside 0.0.0.0 0.0.0.0 10.11.1.1 1
route inside 10.10.0.0 255.255.0.0 10.11.2.1 1
route inside 172.16.0.0 255.255.0.0 10.11.2.1 1
route inside 192.168.0.0 255.255.0.0 10.11.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set MYSET esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set MYSET
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
group-policy testgroup internal
group-policy testgroup attributes
vpn-filter value nat0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nat0
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:73f3eecf4b2dcbbde341d28ab989a946
: end
HQ-ASA(config)#
Appreciate your Support,
12-08-2013 07:24 AM
I still come back to my earlier question - is your outside address 10.11.1.2 accessible (independent of VPN access) to your remote access clients?