Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8202
Views
0
Helpful
33
Replies

Cisco Easy VPN Configuration for ASA 5515-X version 9.1

Go to solution
Rizwan
Level 1
Level 1

‎08-19-2014 04:40 AM

Hi, 

I want to configure Easy vpn on ASA 5515-X firewall IOS version 9.1 and I don't want to use asdm. 

Please let me know the configuration. Thanks. 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to Rizwan

‎08-25-2014 05:31 AM

> How it is possible to access firewall using VPN?

"management-access inside"

View solution in original post

0 Helpful
33 Replies 33

Go to solution
Karsten Iwen
VIP
VIP

‎08-19-2014 05:18 AM

The Cisco VPN-client which is used by EasyVPN is EOL and a new deployment shouldn't be based on that. Better go for AnyConnect. If you still want to configure EasyVPN, here is an example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/68795-asa-remotevpn-asdm.html

The syntax changed slightly but the concepts are the same.

More info and the actual syntax is shown in the config-guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_remote_access.html

0 Helpful

Go to solution
Rizwan
Level 1
Level 1
In response to Karsten Iwen

‎08-20-2014 12:36 AM

Please also send me anyconnect VPN configuration

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Rizwan

‎08-20-2014 12:51 AM

It's all found in the config-guide:

If you want to go the easy way, take the VPN-wizard and look at what gots configured there. That can be extended to your needs then.

0 Helpful

Go to solution
Rizwan
Level 1
Level 1
In response to Karsten Iwen

‎08-20-2014 03:35 AM

I have configured EZ vpn and my client is connected but internet stops working and I am unable to access my local LAN. 

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Rizwan

‎08-20-2014 03:44 AM

My crystal ball tells me that you missed to configure Split-tunneling and/or your NAT/NAT-exemption is wrong.

But sometimes even these crystal balls are wrong, so it could help to see what your actual config is. ;-)

0 Helpful

Go to solution
Rizwan
Level 1
Level 1
In response to Karsten Iwen

‎08-20-2014 04:25 AM

I configured split tunneling and after that internet is working fine. 

When I use same subnet for VPN users and LAN users and exemt nat LAN  is also accessible but when I use different subnet for my VPN users LAN is not accessible.  I think NAT exempt is not required in second case. how to configure it without NAT exempt. 

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Rizwan

‎08-20-2014 05:06 AM

>I think NAT exempt is not required in second case. how to configure it without NAT exempt. 

It's very unlikely that you don't need NAT-exemption. Just compare traffic from inside LAN to the VPN-pool if that matches any of the NAT-rules. Typically there is a NAT rule at the end of your NAT-config  for (inside,outside)  where the whole traffic gets NAT/PAT for internet-access. If this rule is matched, then it can't work.

0 Helpful

Go to solution
Rizwan
Level 1
Level 1
In response to Karsten Iwen

‎08-21-2014 01:48 AM

I am getting following error message in asdm logs after manual configuration and VPN is not connecting

 

Group = RAS-MEDIA, Username = rizwan, IP = 182.180.114.243, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.50.100/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Rizwan

‎08-21-2014 04:03 AM

Probably your crypto-map and/or crypto access-lists are wrong.

0 Helpful

Go to solution
Rizwan
Level 1
Level 1
In response to Karsten Iwen

‎08-21-2014 04:16 AM

y VPN is connected but unable to access local LAN. Following is my configuration 

 

ASA Version 9.1(1) 
!
hostname Medialogic-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN_POL 192.168.50.100-192.168.50.150 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 202.x.x.x 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.20.57.1 255.255.0.0 
!
interface GigabitEthernet0/2
 shutdown
 nameif DMZ
 security-level 50
 no ip address
!             
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
!
ftp mode passive
object network INSIDE_HOSTS
 subnet 172.20.0.0 255.255.0.0
object network NETWORK_OBJ_172.20.0.0_16
 subnet 172.20.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
access-list RAS-MEDIA_splitTunnelAcl standard permit 172.20.0.0 255.255.0.0 
pager lines 24
logging enable
logging console warnings
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu backup 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic INSIDE_HOSTS interface
nat (inside,outside) source static NETWORK_OBJ_172.20.0.0_16 NETWORK_OBJ_172.20.0.0_16 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 202.x.x.x 1

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.100.0 255.255.255.0 management
http 172.20.58.59 255.255.255.255 inside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
 
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.20.58.59 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection rate icmp-drop rate-interval 600 average-rate 5555 burst-rate 50
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RAS-MEDIA internal
group-policy RAS-MEDIA attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAS-MEDIA_splitTunnelAcl
username vpn password ipT92iBMo5fLIuiz encrypted
username umer password mTnGSw0kCnDHr780 encrypted
username rizwan password /BCII2dYm.UXESdU encrypted
tunnel-group RAS-MEDIA type remote-access
tunnel-group RAS-MEDIA general-attributes
 address-pool VPN_POL
 default-group-policy RAS-MEDIA
tunnel-group RAS-MEDIA ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:a7744507f7cb4255faaba0a829f64155
: end

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Rizwan

‎08-21-2014 04:25 AM

The NAT-rules are in the wrong order. They are processed top-down and the exemption has to be on the top of the list. 

0 Helpful

Go to solution
Rizwan
Level 1
Level 1
In response to Karsten Iwen

‎08-21-2014 04:34 AM

I have changed the order but still not working, LAN is not accessible

0 Helpful

Go to solution
Rizwan
Level 1
Level 1
In response to Karsten Iwen

‎08-21-2014 05:14 AM

Is there any route required for VPN pool 192.168.50.0/24

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Rizwan

‎08-21-2014 05:33 AM

Is the ASA the centrag internet-gateway? then no extra routing is needed.

Is your client behind a NAT/PAT? the you have to reenable NAT-traversal:

crypto isakmp nat-traversal
 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents