ASA 5520 with VPN issue

Status
Not open for further replies.

td1031

MIS
Apr 5, 2006
73
US
I have VPN users set up to terminate on my ASA with RADIUS to Active Directory. I can get the IPsec Cisco clients to work, but not Microsoft clients with L2TP.

I also have an issue with vpn users being able to access boxes in the DMZ. We have most of the web servers in a DMZ off the ASA and our developers need to be able to VPN to the ASA and work on boxes in the DMZ.

If anyone has any ideas or if you need to see some configs let me know.
 
Need to have a look. Can you post a config off your ASA?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
ASA Version 7.2(1)
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xx.xx.92 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.163.253 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 75
ip address 192.168.63.1 255.255.255.0
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif Clients
security-level 50
ip address 192.168.160.1 255.255.255.0

access-list Clients extended permit ip any any
access-list nonat extended permit ip 192.168.63.0 255.255.255.0 192.168.206.0 255.255.255.0
access-list VPNUsers extended permit ip 192.168.63.0 255.255.255.0 192.168.206.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list outside_cryptomap extended permit ip any 192.168.206.0 255.255.255.0
access-list windowsvpnaccess_splitTunnelAcl standard permit any
access-list outside_cryptomap_1 extended permit ip any 192.168.206.0 255.255.255.0
pager lines 24
logging buffered informational
logging asdm informational
logging host inside 192.168.163.38
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Clients 1500
ip local pool ipsh_vpn_pool 192.168.206.1-192.168.206.254
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover link Failover GigabitEthernet0/3
failover interface ip Failover 192.168.221.1 255.255.255.0 standby 192.168.221.2
icmp permit any echo-reply outside
icmp permit any inside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.43.66 192.168.175.48 netmask 255.255.255.255
static (inside,DMZ) 192.168.175.0 192.168.175.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.163.0 192.168.163.0 netmask 255.255.255.0
static (inside,Clients) 192.168.163.0 192.168.163.0 netmask 255.255.255.0
static (inside,Clients) 192.168.175.0 192.168.175.0 netmask 255.255.255.0
static (DMZ,outside) xx.xx.43.67 192.168.63.202 netmask 255.255.255.255
static (DMZ,outside) xx.xx.43.68 192.168.63.203 netmask 255.255.255.255
static (DMZ,outside) xx.xx.43.75 192.168.63.200 netmask 255.255.255.255
static (DMZ,outside) xx.xx.43.69 192.168.63.204 netmask 255.255.255.255
static (DMZ,outside) xx.xx.43.70 192.168.63.201 netmask 255.255.255.255
static (DMZ,outside) xx.xx.43.72 192.168.63.220 netmask 255.255.255.255
static (DMZ,outside) xx.xx.43.73 192.168.63.221 netmask 255.255.255.255
static (DMZ,outside) xx.xx.43.74 192.168.63.222 netmask 255.255.255.255
static (DMZ,outside) xx.xx.43.80 192.168.63.223 netmask 255.255.255.255
static (DMZ,outside) xx.xx.43.71 192.168.63.214 netmask 255.255.255.255
 
more....
access-group outside_acl in interface outside
access-group dmz_acl in interface DMZ
access-group Clients in interface Clients
route outside 0.0.0.0 0.0.0.0 xx.xx.43.65 1
route inside 192.168.175.0 255.255.255.0 192.168.163.254 1
route inside 192.168.80.0 255.255.255.0 192.168.163.254 1
route inside 10.200.8.217 255.255.255.255 192.168.163.254 1
route inside 10.200.8.219 255.255.255.255 192.168.163.254 1
route inside 192.168.180.0 255.255.255.0 192.168.163.254 1
route Clients 204.194.123.0 255.255.255.0 192.168.160.10 1
route Clients 204.194.129.0 255.255.255.0 192.168.160.10 1
route Clients 204.194.125.0 255.255.255.0 192.168.160.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth host 192.168.175.26
timeout 5
key xxxx!@#$
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.163.215 192.168.163.102
dns-server value 192.168.175.26 192.168.175.25
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value transmarkets
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 192.168.175.26 192.168.175.25
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy vpnaccess internal
group-policy vpnaccess attributes
wins-server value 192.168.163.215 192.168.163.102
dns-server value 192.168.175.26 192.168.175.25
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value transmarkets
group-policy windowsvpnaccess internal
group-policy windowsvpnaccess attributes
wins-server value 192.168.163.215 192.168.163.102
dns-server value 192.168.175.26 192.168.175.25
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value windowsvpnaccess_splitTunnelAcl
default-domain value xxxxxxxx
username xxxx password CEYbNdURb13N3X1a encrypted
http server enable
 
More. I am stripping out some of the stuff you don't need to see, access lists for VPN tunnels etc.

tunnel-group DefaultRAGroup general-attributes
address-pool ipsh_vpn_pool
authentication-server-group partnerauth
authentication-server-group (outside) partnerauth
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group vpnaccess type ipsec-ra
tunnel-group vpnaccess general-attributes
address-pool ipsh_vpn_pool
authentication-server-group (outside) partnerauth
default-group-policy vpnaccess
tunnel-group vpnaccess ipsec-attributes
pre-shared-key *
tunnel-group vpnaccess ppp-attributes
authentication pap
tunnel-group windowsvpnaccess type ipsec-ra
tunnel-group windowsvpnaccess general-attributes
address-pool ipsh_vpn_pool
authentication-server-group partnerauth
default-group-policy windowsvpnaccess
tunnel-group windowsvpnaccess ipsec-attributes
pre-shared-key *
tunnel-group windowsvpnaccess ppp-attributes
authentication pap
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:64db2625a810237c14e7b952008b4951
: end
 
Hope I didn't miss anything you need to see in the config post. I left some of the stuff out that doesn't have anything to do with my question. Currently the group vpnaccess works for the Cisco client. Some of the other groups like windowsvpnaccess were created with the ASDM interface in an attempt to get the Windows client working. A lot of that could probably be taken out now. If you were wondering about all that other VPN stuff in there, that is where it came back.
 
Since you don't have all VPN traffic bypass the ACLs, these would be helpful - outside_acl; dmz_acl - also all the crypto statements.

Another good thing to start is to take out all the stuff that you know doesn't work with the VPNs and start fresh. (your default group policy, webvpn and the like.)

For the VPN users to access the DMZ, since you have nat-control enabled you need a translation from their subnet to the DMZ
static (inside,DMZ) 192.168.206.0 192.168.206.0 netmask 255.255.255.0 (Make sure that this is not denied back in your ACL)

Here are the basic steps for l2tp - once you can get the tunnel up, then add the split tunnel and other attributes for group policy

crypto ipsec transform-set l2tpVPN transport
group-policy l2tp-gp general-attrib
dns value IP#1 IP#2
wins value IP#1 IP#2
vpn-tunnel-proto l2tp-ipsec
tunnel-group l2tp-tg type ipsec-ra
tunnel-group l2tp-tg general-attrib
address-pool ipsh_vpn_pool (I would give them their own pool)
group-policy l2tp-gp
authentication-server-group SERVER-GROUP
tunnel-group l2tp-tg ppp-attrib
authen ppp|chap|ms-chapv1|ms-chapv2 (add each one to get it working and then take them off one by one to see which it is actually using)
l2tp tunnel hello #SECS
crypto isakmp nat-trans 30

Give that a try.



Brent
Systems Engineer / Consultant
CCNP, CCSP
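The nat-control point above, as an added example that is not part of the thread: a small Python linter for pre-8.3 ASA NAT syntax. It parses a constructed excerpt of the posted configuration (only the interface, access-list, pool, nat and access-group lines the checks need) and reports whether the VPN pool is NAT-exempt on the interface that owns the DMZ subnet. NAT exemption (nat <iface> 0 access-list) is matched in both directions and is evaluated before static translations, so an exemption whose source is 192.168.63.0/24 only takes effect when applied on the DMZ interface, where that subnet lives. The FIXED variant is a hypothetical correction written for this example: it moves the exemption to the DMZ interface and replaces the dmz_acl "permit ip any any" (which, together with the identity statics into inside, lets any DMZ host initiate connections into the inside subnets) with outbound DNS and SMTP, which I assumed is what the DMZ hosts need.

```python
"""Lint a pre-8.3 Cisco ASA config for the VPN-client-to-DMZ problem in the thread.
Added example, not code from the thread.  With nat-control on, a VPN pool must be
NAT-exempt on the interface that owns the subnet the clients need to reach."""
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed excerpt of the posted configuration (only the lines the checks need).
POSTED = """\
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.163.253 255.255.255.0
interface GigabitEthernet0/2
nameif DMZ
security-level 75
ip address 192.168.63.1 255.255.255.0
access-list nonat extended permit ip 192.168.63.0 255.255.255.0 192.168.206.0 255.255.255.0
access-list dmz_acl extended permit ip any any
ip local pool ipsh_vpn_pool 192.168.206.1-192.168.206.254
nat-control
nat (inside) 0 access-list nonat
access-group dmz_acl in interface DMZ
"""
# Hypothetical fix: exempt on the DMZ interface (NAT exemption is bidirectional and
# evaluated before the per-host statics) and narrow dmz_acl to assumed outbound DNS/SMTP.
FIXED = POSTED.replace("nat (inside) 0", "nat (DMZ) 0").replace(
    "access-list dmz_acl extended permit ip any any",
    "access-list dmz_acl extended permit udp 192.168.63.0 255.255.255.0 any eq domain\n"
    "access-list dmz_acl extended permit tcp 192.168.63.0 255.255.255.0 any eq smtp")

def _addr(t):
    """Consume one ACL address spec (any | host A | A MASK); None stands for 'any'."""
    if t[0] == "any":
        return None, t[1:]
    if t[0] == "host":
        return ip_network(t[1]), t[2:]
    return ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def parse(cfg):
    c = {"ifaces": {}, "acls": {}, "nat0": [], "pools": {}, "groups": {}, "nat_control": False}
    cur = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = {"net": None, "level": None}
        elif t[0] == "nameif" and cur is not None:
            c["ifaces"][t[1]] = cur
        elif t[0] == "security-level" and cur is not None:
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"] and cur is not None:
            cur["net"] = ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, rest = _addr(t[5:])
            c["acls"].setdefault(t[1], []).append((t[4], src, _addr(rest)[0]))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            c["pools"][t[3]] = list(summarize_address_range(ip_address(lo), ip_address(hi)))
        elif t[0] == "nat-control":
            c["nat_control"] = True
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            c["nat0"].append((t[1].strip("()"), t[4]))
        elif t[0] == "access-group" and t[2] == "in":
            c["groups"][t[4]] = t[1]
    return c

def _covers(acl_net, target):
    return acl_net is None or target.subnet_of(acl_net)

def pool_exempt_on(c, iface, pool):
    """True if some 'nat (iface) 0 access-list' ACE exempts iface's subnet <-> the pool."""
    net = c["ifaces"][iface]["net"]
    return any(nat_if == iface and proto == "ip" and _covers(src, net)
               and all(_covers(dst, p) for p in c["pools"][pool])
               for nat_if, acl in c["nat0"] for proto, src, dst in c["acls"].get(acl, []))

def audit(c, vpn_iface, pool):
    out = []
    # 1. A nat 0 ACE whose source subnet belongs to a different interface never matches.
    for nat_if, acl in c["nat0"]:
        for _, src, _ in c["acls"].get(acl, []):
            owners = [n for n, i in c["ifaces"].items() if src and i["net"] and src.subnet_of(i["net"])]
            if owners and nat_if not in owners:
                out.append(f"nat ({nat_if}) 0 access-list {acl}: source {src} is the {owners[0]} subnet")
    # 2. Under nat-control the pool needs an exemption on the interface it must reach.
    if c["nat_control"] and not pool_exempt_on(c, vpn_iface, pool):
        out.append(f"pool {pool} is not NAT-exempt on {vpn_iface}: clients cannot reach its hosts by real address")
    # 3. 'permit ip any any' inbound on a lower-security interface lets it initiate into higher ones.
    for iface, acl in c["groups"].items():
        higher = [n for n, i in c["ifaces"].items() if i["level"] > c["ifaces"][iface]["level"]]
        if higher and any(p == "ip" and s is None and d is None for p, s, d in c["acls"].get(acl, [])):
            out.append(f"{acl} on {iface} permits ip any any: {iface} hosts can initiate to {', '.join(higher)}")
    return out

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, audit(parse(cfg), "DMZ", "ipsh_vpn_pool") or ["clean"])
```

Run it with python3 (3.7 or later, for IPv4Network.subnet_of); the posted excerpt produces three findings and the corrected one none. The parser deliberately covers only the pre-8.3 commands used in the thread, so feed it a `show running-config` from 8.3 or later and it will simply see no nat 0 lines.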
 
Here are the ACL's


access-list outside_acl extended permit icmp any host xx.xx.43.66
access-list outside_acl extended permit tcp any host xx.xx.43.66 eq smtp
access-list outside_acl extended permit tcp any host xx.xx.43.66 eq www
access-list outside_acl extended permit tcp any host xx.xx.43.66 eq https
access-list outside_acl extended permit tcp any host xx.xx.43.66 eq pop3
access-list outside_acl extended permit tcp any host xx.xx.43.66 eq imap4
access-list outside_acl extended permit tcp any host xx.xx.43.66 eq domain
access-list outside_acl extended permit tcp any host xx.xx.43.67 eq domain
access-list outside_acl extended permit tcp any host xx.xx.43.67 eq smtp
access-list outside_acl extended permit tcp any host xx.xx.43.67 eq pop3
access-list outside_acl extended permit tcp any host xx.xx.43.68 eq smtp
access-list outside_acl extended permit tcp any host xx.xx.43.68 eq domain
access-list outside_acl extended permit tcp any host xx.xx.43.75 eq www
access-list outside_acl extended permit tcp any host xx.xx.43.75 eq https
access-list outside_acl extended permit tcp any host xx.xx.43.69 eq domain
access-list outside_acl extended permit tcp any host xx.xx.43.69 eq smtp
access-list outside_acl extended permit tcp any host xx.xx.43.70 eq domain
access-list outside_acl extended permit tcp any host xx.xx.43.70 eq smtp
access-list outside_acl extended permit tcp any host xx.xx.43.70 eq 1223
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq https
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq www
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq 990
access-list outside_acl extended permit tcp any host xx.xx.43.72 eq www
access-list outside_acl extended permit tcp any host xx.xx.43.72 eq https
access-list outside_acl extended permit tcp any host xx.xx.43.73 eq https
access-list outside_acl extended permit tcp any host xx.xx.43.73 eq www
access-list outside_acl extended permit tcp any host xx.xx.43.74 eq www
access-list outside_acl extended permit tcp any host xx.xx.43.74 eq https
access-list outside_acl extended permit tcp any host xx.xx.43.80 eq www
access-list outside_acl extended permit tcp any host xx.xx.43.80 eq https
access-list outside_acl extended permit udp any host xx.xx.43.67 eq domain
access-list outside_acl extended permit udp any host xx.xx.43.68 eq domain
access-list outside_acl extended permit udp any host xx.xx.43.69 eq domain
access-list outside_acl extended permit udp any host xx.xx.43.70 eq domain
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq ftp
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq ftp-data
access-list outside_acl extended permit tcp any host xx.xx.43.70 eq 4444
access-list outside_acl extended permit tcp any host xx.xx.43.70 eq 4445
access-list outside_acl extended permit tcp any host xx.xx.43.70 eq 617
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq 989
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq 12000
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq 12001
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq 12003
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq 12004
access-list outside_acl extended permit tcp any host xx.xx.43.71 eq 12005
access-list dmz_acl extended permit icmp any any
access-list dmz_acl extended permit ip any any
 
It took the command but gave me this error back on the static map.
static (inside,DMZ) 192.168.206.0 192.168.206.0 netmask 255.255.255.0
INFO: Global address overlaps with NAT exempt configuration
 
Can the VPN now access the DMZ?
Have you tried redoing the l2tp?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
VPN still does not have access to the DMZ. I have not tried the L2TP setup yet. I will try that this morning
 
OK, I will set up mine to try a few things. Do you need to have the IP's from the VPN not be translated when contacting the DMZ, or is having them NATed OK?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
What version are you running? My ASA doesn't like these two commands:

crypto ipsec transform-set l2tpVPN transport
group-policy l2tp-gp general-attrib
 
Sorry, that was off a 6x. Below are links for the 7.2 code -

For the VPN access to the DMZ, here is a link to an L2L VPN. The changes shouldn't be much to make it a VPN client. The idea is the same.
I will set this up this weekend in the lab and let you know if I find anything too off with it.

If you can, take out all the non-working vpn client stuff and repost your config. I think I am getting messed up hopping around the config pieces. We'll try to get the DMZ access working first and then add on from there.

Here is the link to the l2tp for windows there are some registry changes.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I got the DMZ working.

I am at the point of making everyone use the Cisco client for VPN access. The setup for L2TP seems extremely involved.
 