I am new to the ASA series. Usually use a pix, but the client requested this.
We are having a few issues.
1)We have set up access list to allow outside access to internal ip cameras using certain ports, as well as the server using rdp.
Have I created the rules correctly?
2)I set up NAT for forward their outside ip to the internal ip cameras on certain ports and ips. I only did two of these, but can not get them to work. Please help.
3)Set up remote vpn access with split tunneling. When we connect to the vpn it kills the internet on the local computer.
Thanks so much for the help!!!
ASA Version 7.2(2)
!
hostname AAH
domain-name AAHDOMAIN1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.141 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name AAHDOMAIN1
same-security-traffic permit intra-interface
access-list AAH_splitTunnelAcl standard permit host 192.168.100.0
access-list outside_access_in extended permit tcp any host 192.168.100.9 eq 9222
access-list outside_access_in extended permit tcp any host 192.168.100.29 eq 9221
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.8 eq
9224
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.7 eq
9223
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.15
eq 9228
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.16
eq 9229
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.50
eq 9230
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.52
eq 9231
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.53
eq 9226
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.51
eq 9227
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.54
eq 9225
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.26
eq 9232
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.31
eq 9233
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.0 eq
www
access-list outside_access_in extended permit tcp any host 192.168.100.100 eq smtp
access-list AAH2_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.101.2-192.168.101.33 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 9222 192.168.100.9 9222 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.100.100 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.142 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy AAH2 internal
group-policy AAH2 attributes
dns-server value 192.168.100.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AAH2_splitTunnelAcl
default-domain value AAHDOMAIN1.LAN
group-policy AAH internal
group-policy AAH attributes
dns-server value 192.168.100.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list value AAH_splitTunnelAcl
default-domain value AAHDOMAIN1.LAN
username admin password Qj3Pp7sMnHwX0nfZ encrypted privilege 0
username admin attributes
vpn-group-policy AAH
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group AAH type ipsec-ra
tunnel-group AAH general-attributes
address-pool vpnpool
default-group-policy AAH
tunnel-group AAH ipsec-attributes
pre-shared-key *
tunnel-group AAH2 type ipsec-ra
tunnel-group AAH2 general-attributes
address-pool vpnpool
default-group-policy AAH2
tunnel-group AAH2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e9a92aa49eae6e7d25e3ff41664b4335
: end
We are having a few issues.
1)We have set up access list to allow outside access to internal ip cameras using certain ports, as well as the server using rdp.
Have I created the rules correctly?
2)I set up NAT for forward their outside ip to the internal ip cameras on certain ports and ips. I only did two of these, but can not get them to work. Please help.
3)Set up remote vpn access with split tunneling. When we connect to the vpn it kills the internet on the local computer.
Thanks so much for the help!!!
ASA Version 7.2(2)
!
hostname AAH
domain-name AAHDOMAIN1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.141 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name AAHDOMAIN1
same-security-traffic permit intra-interface
access-list AAH_splitTunnelAcl standard permit host 192.168.100.0
access-list outside_access_in extended permit tcp any host 192.168.100.9 eq 9222
access-list outside_access_in extended permit tcp any host 192.168.100.29 eq 9221
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.8 eq
9224
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.7 eq
9223
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.15
eq 9228
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.16
eq 9229
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.50
eq 9230
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.52
eq 9231
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.53
eq 9226
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.51
eq 9227
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.54
eq 9225
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.26
eq 9232
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.31
eq 9233
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.141 host 192.168.100.0 eq
www
access-list outside_access_in extended permit tcp any host 192.168.100.100 eq smtp
access-list AAH2_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.101.2-192.168.101.33 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 9222 192.168.100.9 9222 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.100.100 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.142 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy AAH2 internal
group-policy AAH2 attributes
dns-server value 192.168.100.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AAH2_splitTunnelAcl
default-domain value AAHDOMAIN1.LAN
group-policy AAH internal
group-policy AAH attributes
dns-server value 192.168.100.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list value AAH_splitTunnelAcl
default-domain value AAHDOMAIN1.LAN
username admin password Qj3Pp7sMnHwX0nfZ encrypted privilege 0
username admin attributes
vpn-group-policy AAH
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group AAH type ipsec-ra
tunnel-group AAH general-attributes
address-pool vpnpool
default-group-policy AAH
tunnel-group AAH ipsec-attributes
pre-shared-key *
tunnel-group AAH2 type ipsec-ra
tunnel-group AAH2 general-attributes
address-pool vpnpool
default-group-policy AAH2
tunnel-group AAH2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e9a92aa49eae6e7d25e3ff41664b4335
: end