
New Member

IpSec VPN Client configuration on ASA 5510

I want to configure a Cisco ASA 5510 for Cisco VPN clients using the CLI. Please refer me to any suitable configuration using the CLI.

--

Regards,

Junaid

18 REPLIES
Cisco Employee

Re: IpSec VPN Client configuration on ASA 5510

New Member

Re: IpSec VPN Client configuration on ASA 5510

Your configuration looks fine. I am using ASA software version 7.0(7) and Device Manager version 5.0(7).

My device does not accept some commands, from this command onward:

ASA-AIP-CLI(config)#tunnel-group hillvalleyvpn ipsec-ra

Please advise.

Cisco Employee

Re: IpSec VPN Client configuration on ASA 5510

There is a typo in the document.

The following line:

tunnel-group hillvalleyvpn ipsec-ra

should say:

tunnel-group hillvalleyvpn type ipsec-ra

New Member

Re: IpSec VPN Client configuration on ASA 5510

Yes, you are right, I already found the correct command with the keyword (type). Now I am facing a problem: my internal network is not accessible via the VPN connection.

I connect using the Cisco VPN client and it connects successfully, but it is not accessing my application or pinging my internal network. Maybe split tunneling is required here. What do you say?

I found a document, perhaps the one you referred to, "ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example". I followed the steps specified in this document, but there is no effect.

In the standard ACL, I replaced the example IP with my servers' VLAN network, i.e. 192.168.1.0, but it doesn't work. Then I also permitted my vpnpool IP subnet 192.168.55.0, but the result is the same.

My ASA is configured with 3 interfaces: inside, outside and DMZ. The servers are in the DMZ.

DMZ security level 50

Inside security level 100

outside security level 0

outside network IP 192.168.75.0

DMZ network 192.168.1.0

My objective is to access the servers on the DMZ interface.

Please advise

--

Regards,

Junaid

Cisco Employee

Re: IpSec VPN Client configuration on ASA 5510

You would also need to configure NAT exemption for DMZ as follows:

access-list dmz-nonat permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0

nat (DMZ) 0 access-list dmz-nonat

Hope that resolves it.
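An added configuration example (not from this thread or from Cisco's document) that puts the split-tunnel pieces from the referenced example together with the DMZ NAT exemption above. It uses the tunnel-group name, VPN pool subnet 192.168.55.0/24 and DMZ subnet 192.168.1.0/24 quoted in the thread; the pool name vpnpool, the group-policy name hillvalleyvpn-policy and the ACL names are assumptions. Syntax is pre-8.3 ASA (7.x to 8.2), and the ISAKMP policy, transform set and dynamic crypto map from the Cisco example are assumed to be in place already, since the client in the thread connects successfully.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! Assumes ASA 7.x-8.2 (pre-8.3 NAT) and the subnets named in the thread.

! Address pool handed to VPN clients (192.168.55.0/24 as in the thread; pool name assumed)
ip local pool vpnpool 192.168.55.1-192.168.55.254 mask 255.255.255.0

! Split-tunnel list: only the DMZ subnet is sent through the tunnel,
! everything else leaves the client's local Internet connection directly.
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

! NAT exemption on the DMZ interface (the two lines from the reply above):
! DMZ -> VPN pool traffic must not be translated, or the return path breaks.
access-list dmz-nonat permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
nat (DMZ) 0 access-list dmz-nonat

! Group policy carries the split-tunnel setting (policy name assumed)
group-policy hillvalleyvpn-policy internal
group-policy hillvalleyvpn-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

! Remote-access tunnel group, with the "type" keyword corrected earlier in the thread
tunnel-group hillvalleyvpn type ipsec-ra
tunnel-group hillvalleyvpn general-attributes
 address-pool vpnpool
 default-group-policy hillvalleyvpn-policy
tunnel-group hillvalleyvpn ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-KEY>
```

Two things to check after applying it: `show crypto ipsec sa` on the ASA should show a security association whose remote proxy is a single pool address and whose local proxy is 192.168.1.0/24, and `show xlate` must show no translation for DMZ-to-pool flows. Note the trade-off of `tunnelspecified`: while connected, the client's other traffic bypasses the ASA entirely, so the client is simultaneously on the Internet and inside the DMZ; `split-tunnel-policy tunnelall` sends everything through the ASA at the cost of bandwidth.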

New Member

Re: IpSec VPN Client configuration on ASA 5510

Yes, it's working fine right now, my internal network is accessible now. Thanks again.

Now I am concerned with my NAT rule, which I was previously using on my Cisco 2811 router. VPN clients were also connecting to the 2811; now I have removed it and am using the ASA as the gateway, and the VPN clients are connecting to the ASA.

The NAT rule which I was using on the Cisco 2811 router:

ip nat inside source static tcp 192.168.1.15 80 interface FastEthernet0/1 80

By using this command, I was able to use my web application. Now I want to use it with the ASA.

Please advise.

--

Regards,

Junaid

Cisco Employee

Re: IpSec VPN Client configuration on ASA 5510

What public IP address do you want to use to NAT 192.168.1.15? Would it be the ASA outside interface IP address?

If it is, then you would need to configure the following:

static (DMZ,outside) tcp interface 80 192.168.1.15 80 netmask 255.255.255.255

And on the outside interface, you would need to configure an ACL to allow TCP/80 in.

New Member

Re: IpSec VPN Client configuration on ASA 5510

The ASA outside interface is a private IP, 192.168.75.2.

Above the ASA, I am using an Internet link load balancing device, a TP-Link TL-R488T. I have configured its 3 interfaces with 3 Internet connections having different live IP subnets.

TP-Link local interface IP 192.168.75.1

Cisco Employee

Re: IpSec VPN Client configuration on ASA 5510

Where are you looking to NAT the server?

New Member

Re: IpSec VPN Client configuration on ASA 5510

I am looking to NAT the server to the live IPs of all three of my available Internet connections:

1. 202.59.68.226

2. 58.27.232.18

3. 58.27.233.210

All three Internet links are configured on the TP-Link, and Internet link load balancing is being performed.

The TP-Link's local IP connected to the ASA is 192.168.75.1.

My users will access the web application via the Internet by entering any of the above-mentioned live IP addresses. When they enter any live IP in the browser, they will be redirected to my server 192.168.1.15 placed in the DMZ.

New Member

Re: IpSec VPN Client configuration on ASA 5510

Thanks dear,

Your advised NAT command is working perfectly. My web application server is accessible now from the Internet.

Now I am concerned with my ACL placed on the outside interface:

access-list outside_to_dmz extended permit ip any any

access-list outside_to_dmz extended permit tcp any any

access-group outside_to_dmz in interface outside

By applying this ACL, all ports are open for every kind of traffic. I want to restrict it to VPN, TCP 80 and TCP Remote Desktop 3389 only.

Please advise which ports should be open for the VPN client...

--

Regards,

Junaid

Cisco Employee

Re: IpSec VPN Client configuration on ASA 5510

Since the VPN is terminated on the ASA itself, you do not need to open any specific ports. The ASA will automatically allow the VPN ports since it's terminated on itself.
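An added example (not from the thread or from Cisco) that combines the static PAT from the earlier reply with an outside ACL that admits only the two published services the poster asked for, and nothing for the VPN, in line with the reply above. It assumes pre-8.3 ASA syntax (7.x to 8.2), where an inbound ACL on the outside interface matches the translated, public-side destination, here the ASA outside address 192.168.75.2 from the thread, and it assumes the same DMZ host 192.168.1.15 serves both HTTP and RDP.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! Assumes ASA 7.x-8.2: an ACL applied "in" on outside is checked against the
! packet as it arrives, i.e. destination = outside interface 192.168.75.2.

! Static PAT: outside-interface:80 -> 192.168.1.15:80 (from the reply in the thread)
static (DMZ,outside) tcp interface 80 192.168.1.15 80 netmask 255.255.255.255
! Same for RDP, assuming the same server is the RDP target
static (DMZ,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255

! Remove the two wide-open entries the poster listed
no access-list outside_to_dmz extended permit ip any any
no access-list outside_to_dmz extended permit tcp any any

! Admit only the two published TCP ports; everything else hits the implicit deny
access-list outside_to_dmz extended permit tcp any host 192.168.75.2 eq 80
access-list outside_to_dmz extended permit tcp any host 192.168.75.2 eq 3389
access-group outside_to_dmz in interface outside

! Deliberately no entries for UDP 500, UDP 4500 or ESP: IKE/IPsec traffic
! addressed to the ASA for a VPN it terminates is not subject to the
! interface ACL, as the reply above says. Decrypted client traffic is
! admitted by the default "sysopt connection permit-vpn"
! (spelled "permit-ipsec" on 7.0 code).
```

Verify with `show access-list outside_to_dmz`, which prints hit counts per entry, and `show xlate` to confirm the two static translations exist. From a defender's view, RDP rarely needs to be published to `any` at all: administrators already have the VPN, so reaching 192.168.1.15:3389 through the tunnel lets the second `static` and its ACL entry be dropped, and if it must stay, narrowing `any` to the known source addresses is the obvious hardening step.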

New Member

Re: IpSec VPN Client configuration on ASA 5510

Fine,

I have applied an access-list to restrict some users from going out over the Internet:

access-list Internet extended permit ip 192.168.10.111 any

access-list Internet extended permit ip 192.168.10.4 any

access-group Internet out interface outside

This ACL should allow only two hosts to exit over the Internet while all other local IPs should be denied, but when I apply this ACL to the outside interface in the out direction, my Internet stops working on the allowed IPs.

What's the issue?

This is my last query. I am very thankful to you.

--

Regards,

Junaid

Cisco Employee

Re: IpSec VPN Client configuration on ASA 5510

Please apply the access-list in the inbound direction on the internal interface.

Assuming that the user is on the inside interface, please apply as follows:

access-group Internet in interface inside

New Member

Re: IpSec VPN Client configuration on ASA 5510

Nope.

By applying this ACL, all other applications have stopped working. Inside users are unable to access resources in the DMZ.

I want to give inside users access only to the DMZ, but they should not pass the outside interface.

Cisco Employee

Re: IpSec VPN Client configuration on ASA 5510

For inside to DMZ access, you would also need to add the following ACL:

access-list Internet extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
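An added example (not from the thread or from Cisco) showing the complete inside ACL that the two replies above build up piece by piece: applied inbound on inside, with the DMZ permission for the whole inside subnet and the Internet permission for the two hosts. It assumes the inside subnet 192.168.10.0/24 and DMZ subnet 192.168.1.0/24 from the thread and pre-8.3 ASA syntax. It also explains why the original outbound binding on outside broke even the permitted hosts: on these releases an ACL applied in the out direction is evaluated after NAT, so the source address it sees is the translated outside address, not 192.168.10.111, and the entry never matches.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! Assumes ASA 7.x-8.2, inside = 192.168.10.0/24, DMZ = 192.168.1.0/24.

! Drop the outbound binding on outside: an "out" ACL there is matched against
! post-NAT (translated) source addresses, so "permit ip host 192.168.10.111 any"
! never matches after PAT, and the implicit deny blocks the host.
no access-group Internet out interface outside

! Rebuild the list. Entries are evaluated top-down, first match wins.
clear configure access-list Internet

! 1. Every inside host may reach the DMZ (the line from the reply above)
access-list Internet extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

! 2. Only these two hosts may reach anything else, i.e. the Internet
access-list Internet extended permit ip host 192.168.10.111 any
access-list Internet extended permit ip host 192.168.10.4 any

! 3. Everything else from inside is dropped by the implicit deny at the end

! Bind it inbound on inside, where the real (untranslated) source address is visible
access-group Internet in interface inside
```

`show access-list Internet` shows a hit counter per entry, which is the quickest way to confirm that DMZ traffic is matching line 1 and that blocked hosts are falling through to the implicit deny (visible in syslog as message 106023 when logging is on). Because the list is bound to inside only, it has no effect on the DMZ or on VPN clients arriving through outside; each of those needs its own interface ACL if it is to be restricted.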

New Member

Re: IpSec VPN Client configuration on ASA 5510

And where, on which interface and in which direction, will this ACL be applied? DMZ?

Can you please explain: if we apply an ACL on the outside interface in the out direction like

access-list Internet extended permit ip host 192.168.10.111 any

and apply it with

access-group Internet out interface outside

then by applying only this ACL, it should allow only host 192.168.10.111 to go out over the Internet and all the others should be denied by the implicit deny.

What do you say?

Secondly, the VPN connection speed is very slow. It was quite excellent while I was using the Cisco 2811 router.

New Member

Re: IpSec VPN Client configuration on ASA 5510

The application over the VPN connection is very slow, and the ping delay is 700 ms. What is the issue?
