
Cisco ASA 5510 and VPN Configuration


pjscott13 (Technical User), Mar 12, 2008
We have a Cisco ASA and an ISA server set up as shown in the attached network (testing network.gif). We are attempting to get VPN clients to connect to the Internal network. VPN is being terminated at the external interface of the ASA. From the ASA we are trying to get the VPN client to access the Windows 2008 Server on the Internal Network.

In CONFIG1 (below) I have successfully set up a VPN on the ASA and the VPN client is successfully able to access the Windows 2003 Server located in the DMZ network between the ASA and ISA. That same server is also able to access the Windows 2008 Server located on the Internal Network. This suggests that the rules I have set up are fine for the ISA server (I have just added the VPN range of IP addresses to these rules).

Now I have changed the ASA config a bit so that I can attempt to get the VPN client to access the Internal network and the Windows 2008 Server. The current config is below as CONFIG2. I am unable to get the VPN client to access the Windows 2008 Server on the Internal Network. I might also add that when I monitor traffic on the ISA server, I do not see any DIRECT traffic from the VPN client hitting the ISA server’s external interface, either an accepted or denied connection.

Can anyone suggest what might be missing from our ASA configuration so that ALL VPN TRAFFIC is forwarded to our ISA server?
____________________________________________________________
CONFIG1
-------
: Saved
: Written by enable_15 at 11:08:36.359 EST Tue Jul 1 2008
!
ASA Version 7.0(7)
!
hostname SYDASA01
domain-name domain.com
enable password XXXX encrypted
names
name X.X.X.X GXS_Server description GXS VPN Server
name 172.16.16.1 ISA_Server description Internal ISA Server
dns-guard
!
interface Ethernet0/0
description UNUSED Connection
shutdown
nameif outside1
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/1
description Internet Connection
nameif outside2
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/2
description Internal (DMZ Network)
nameif inside
security-level 100
ip address 172.16.16.2 255.255.255.0
!
interface Management0/0
description Management Port Only
nameif management
security-level 0
ip address 10.10.10.1 255.255.255.248
management-only
!
passwd XXXX encrypted
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
object-group service WebAccess tcp
description HTTP/HTTPS access
port-object eq www
port-object eq https
object-group service DNS tcp-udp
description DNS Group
port-object range domain domain
object-group service GXS_TCP tcp
description Group for GXS TCP Protocols
port-object range 264 264
object-group service GXS_UDP udp
description Group for GXS UDP Protocols
port-object range 2746 2746
port-object range isakmp isakmp
access-list outside2_access_in remark Allow Inbound HTTP Access to ISA Server only.
access-list outside2_access_in extended permit tcp any interface outside2 eq www
access-list outside2_access_in remark Allow Inbound SMTP (TCP 25) Access to ISA Server only.
access-list outside2_access_in extended permit tcp any eq smtp interface outside2 eq smtp
access-list outside2_access_in remark Allow Inbound HTTPS (TCP 443) Access to ISA Server only.
access-list outside2_access_in extended permit tcp any interface outside2 eq https
access-list inside_access_in remark Allow SMTP Outbound (TCP 25) from ISA Server only.
access-list inside_access_in extended permit tcp host ISA_Server any eq smtp
access-list inside_access_in remark Allow DNS Outbound (UDP 53) from ISA Server only.
access-list inside_access_in extended permit udp host 172.16.16.10 any eq domain
access-list inside_access_in remark Allow Web Access Outbound (HTTP/HTTPS) from ISA Server only.
access-list inside_access_in extended permit tcp 172.16.16.0 255.255.255.0 any object-group WebAccess
access-list inside_access_in remark Allow Outbound FTP (TCP 23) from ISA Server only.
access-list inside_access_in extended permit tcp host ISA_Server any eq ftp
access-list inside_access_in remark Allow NTP Outbound (UDP 123) from ISA Server only.
access-list inside_access_in extended permit udp host ISA_Server any eq ntp
access-list inside_access_in remark Allow Outbound GXS VPN Connection TCP Rule (TCP 264) from ISA Server only.
access-list inside_access_in extended permit tcp host ISA_Server host GXS_Server object-group GXS_TCP
access-list inside_access_in remark Allow Outbound GXS VPN Connection UDP Rule (UDP 500/2746) from ISA Server only.
access-list inside_access_in extended permit udp host ISA_Server host GXS_Server object-group GXS_UDP
access-list inside_access_in extended permit ip 172.16.16.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 192.168.118.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging from-address sydasa01@domain.com
logging recipient-address administrator@domain.com level errors
logging device-id hostname
logging host inside 192.168.18.67
mtu outside1 1500
mtu outside2 1500
mtu inside 1500
mtu management 1500
ip local pool TS_VPN_ADD_POOL 192.168.118.100-192.168.118.149 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
asdm location GXS_Server 255.255.255.255 outside2
asdm location ISA_Server 255.255.255.255 inside
asdm location 172.16.16.0 255.255.255.0 outside2
asdm location 192.168.118.0 255.255.255.0 outside2
no asdm history enable
arp timeout 14400
nat-control
global (outside2) 10 interface
nat (outside2) 10 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 172.16.16.0 255.255.255.0
static (inside,outside2) tcp interface 255.255.255.255
static (inside,outside2) tcp interface smtp ISA_Server smtp netmask 255.255.255.255
static (inside,outside2) tcp interface https ISA_Server https netmask 255.255.255.255
access-group outside2_access_in in interface outside2
access-group inside_access_in in interface inside
route outside2 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy TS_VPN_GRP internal
group-policy TS_VPN_GRP attributes
dns-server value 172.16.16.10
default-domain value domain.com
webvpn
username T-User password XXXX encrypted privilege 0
username T-User attributes
vpn-group-policy TS_VPN_GRP
webvpn
http server enable
http 10.10.10.0 255.255.255.248 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside2_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside2_map 65535 ipsec-isakmp dynamic outside2_dyn_map
crypto map outside2_map interface outside2
isakmp enable outside2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group TS_VPN_GRP type ipsec-ra
tunnel-group TS_VPN_GRP general-attributes
address-pool TS_VPN_ADD_POOL
default-group-policy TS_VPN_GRP
tunnel-group TS_VPN_GRP ipsec-attributes
pre-shared-key Terminal-User-951
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd address 172.16.16.20-172.16.16.99 inside
dhcpd dns 172.16.16.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain domain.com
dhcpd option 3 ip 172.16.16.2
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 192.168.18.1
Cryptochecksum:d5000242a22ff2b8b6447648822c6361
: end

____________________________________________________________
CONFIG2
-------
: Saved
: Written by enable_15 at 15:35:18.170 EST Tue Jul 1 2008
!
ASA Version 7.0(7)
!
hostname SYDASA01
domain-name domain.com
enable password XXXX encrypted
names
name X.X.X.X GXS_Server description GXS VPN Server
name 172.16.16.1 ISA_Server description Internal ISA Server
dns-guard
!
interface Ethernet0/0
description UNUSED Connection
shutdown
nameif outside1
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/1
description Internet Connection
nameif outside2
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/2
description Internal (DMZ Network)
nameif inside
security-level 100
ip address 172.16.16.2 255.255.255.0
!
interface Management0/0
description Management Port Only
nameif management
security-level 0
ip address 10.10.10.1 255.255.255.248
management-only
!
passwd XXXX encrypted
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
object-group service WebAccess tcp
description HTTP/HTTPS access
port-object eq www
port-object eq https
object-group service DNS tcp-udp
description DNS Group
port-object range domain domain
object-group service GXS_TCP tcp
description Group for GXS TCP Protocols
port-object range 264 264
object-group service GXS_UDP udp
description Group for GXS UDP Protocols
port-object range 2746 2746
port-object range isakmp isakmp
access-list outside2_access_in remark Allow Inbound HTTP Access to ISA Server only
access-list outside2_access_in extended permit tcp any interface outside2 eq www
access-list outside2_access_in remark Allow Inbound SMTP (TCP 25) Access to ISA Server only.
access-list outside2_access_in extended permit tcp any eq smtp interface outside2 eq smtp
access-list outside2_access_in remark Allow Inbound HTTPS (TCP 443) Access to ISA Server only.
access-list outside2_access_in extended permit tcp any interface outside2 eq https
access-list inside_access_in remark Allow SMTP Outbound (TCP 25) from ISA Server only.
access-list inside_access_in extended permit tcp host ISA_Server any eq smtp
access-list inside_access_in remark Allow DNS Outbound (UDP 53) from DNS Server only.
access-list inside_access_in extended permit udp host 192.168.18.1 any eq domain
access-list inside_access_in remark Allow DNS Outbound (UDP 53) from WIN2K3 Server only.
access-list inside_access_in extended permit udp host 172.16.16.10 any eq domain
access-list inside_access_in remark Allow Web Access Outbound (HTTP/HTTPS) from perimeter network only.
access-list inside_access_in extended permit tcp 172.16.16.0 255.255.255.0 any object-group WebAccess
access-list inside_access_in remark Allow Outbound FTP (TCP 23) from ISA Server only.
access-list inside_access_in extended permit tcp host ISA_Server any eq ftp
access-list inside_access_in remark Allow NTP Outbound (UDP 123) from ISA Server only.
access-list inside_access_in extended permit udp host ISA_Server any eq ntp
access-list inside_access_in remark Allow Outbound GXS VPN Connection TCP Rule (TCP 264) from ISA Server only.
access-list inside_access_in extended permit tcp host ISA_Server host GXS_Server object-group GXS_TCP
access-list inside_access_in remark Allow Outbound GXS VPN Connection UDP Rule (UDP 500/2746) from ISA Server only.
access-list inside_access_in extended permit udp host ISA_Server host GXS_Server object-group GXS_UDP
access-list inside_access_in extended permit ip 192.168.18.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list inside_access_in extended permit ip 172.16.16.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.18.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.118.0 255.255.255.0 192.168.118.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging from-address sydasa01@domain.com
logging recipient-address administrator@domain.com level errors
logging device-id hostname
logging host inside 192.168.18.67
mtu outside1 1500
mtu outside2 1500
mtu inside 1500
mtu management 1500
ip local pool TS_VPN_ADD_POOL 192.168.118.100-192.168.118.149 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
asdm location GXS_Server 255.255.255.255 outside2
asdm location ISA_Server 255.255.255.255 inside
asdm location 172.16.16.0 255.255.255.0 outside2
asdm location 192.168.118.0 255.255.255.0 outside2
no asdm history enable
arp timeout 14400
nat-control
global (outside2) 10 interface
nat (outside2) 10 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 172.16.16.0 255.255.255.0
nat (inside) 10 192.168.18.0 255.255.255.0
static (inside,outside2) tcp interface 255.255.255.255
static (inside,outside2) tcp interface smtp ISA_Server smtp netmask 255.255.255.255
static (inside,outside2) tcp interface https ISA_Server https netmask 255.255.255.255
access-group outside2_access_in in interface outside2
access-group inside_access_in in interface inside
route outside2 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 0.0.0.0 0.0.0.0 172.16.16.1 tunneled
route inside 192.168.18.0 255.255.255.0 ISA_Server 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy TS_VPN_GRP internal
group-policy TS_VPN_GRP attributes
dns-server value 192.168.18.1
default-domain value domain.com
webvpn
username T-User password XXXXX encrypted privilege 0
username T-User attributes
vpn-group-policy TS_VPN_GRP
webvpn
http server enable
http 10.10.10.0 255.255.255.248 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside2_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside2_map 65535 ipsec-isakmp dynamic outside2_dyn_map
crypto map outside2_map interface outside2
isakmp enable outside2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group TS_VPN_GRP type ipsec-ra
tunnel-group TS_VPN_GRP general-attributes
address-pool TS_VPN_ADD_POOL
default-group-policy TS_VPN_GRP
tunnel-group TS_VPN_GRP ipsec-attributes
pre-shared-key Terminal-User-951
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd address 172.16.16.20-172.16.16.99 inside
dhcpd dns 172.16.16.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain domain.com
dhcpd option 3 ip 172.16.16.2
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 192.168.18.1
Cryptochecksum:c8604d70e8a23e3cf7be74222c6ce6c1
: end
 
I will need to confirm this but I believe that security levels are still enforced on VPN traffic. If so, since you are going directly to the Windows server instead of ISA, you will need a new static for the server translating it to itself. To confirm this, look for "no translation group" in your logs. It might also be helpful to turn on IPSEC debugging (debug crypto ipsec) to get more insight on how it's handling the packets. Checking the current xlates (sh xlate | grep <windows server ip>) might reveal some useful info. And lastly, creating a capture on the egress interface for that traffic might also help. Just make sure that your capture catches both directions.

IT Security news and information
In plain English
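The reply above boils the problem down to three things the ASA must do with return traffic from the internal server towards the VPN pool: route it out the inside interface, exempt it from NAT via the nat 0 ACL, and permit it in the inside ACL. The following Python script is an added example, not a tool from the thread or from Cisco; it parses a constructed excerpt of CONFIG2 and reports those three conditions for a given server address, which is the same check a practitioner would do by eye before reaching for debug crypto ipsec or a capture.

```python
import ipaddress

# Constructed excerpt of the CONFIG2 lines from the thread; the checks are an
# added illustration, not tooling from the thread, Cisco or Microsoft.
CONFIG2 = """\
name 172.16.16.1 ISA_Server description Internal ISA Server
access-list inside_access_in extended permit ip 192.168.18.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.18.0 255.255.255.0 192.168.118.0 255.255.255.0
ip local pool TS_VPN_ADD_POOL 192.168.118.100-192.168.118.149 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 192.168.18.0 255.255.255.0 ISA_Server 1
"""

def _addr(tokens, names):
    """Consume one ACL address spec: 'any', 'host X' or 'NET MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1])), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_asa(cfg):
    """Pull out names, 'permit ip' ACL entries, routes, the VPN pool and the nat 0 ACL name."""
    c = {"names": {}, "acls": {}, "routes": [], "pool": None, "nat0": None}
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            c["names"][t[2]] = t[1]
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            c["pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            c["nat0"] = t[4]
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(t[5:], c["names"])
            dst, _ = _addr(rest, c["names"])
            c["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "route":
            c["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}")))
    return c

def vpn_path_check(cfg, server, inside_acl="inside_access_in"):
    """For return traffic server -> VPN pool: is it routed via inside, NAT-exempted and permitted?"""
    c = parse_asa(cfg)
    srv = ipaddress.ip_address(server)
    lo, hi = c["pool"]
    def covers(acl_name):  # the whole pool range must sit inside a permitted dst network
        return any(srv in src and lo in dst and hi in dst
                   for src, dst in c["acls"].get(acl_name, []))
    return {
        "routed_inside": any(i == "inside" and srv in n for i, n in c["routes"]),
        "nat_exempt": covers(c["nat0"]),
        "acl_permits": covers(inside_acl),
    }
```

A server in 192.168.18.0/24 passes all three checks against CONFIG2, which is consistent with the thread's outcome that the ASA side was not the fault; a server in a subnet with no route, nat 0 entry or ACL line fails all three, which is the case that produces the "no translation group" log the reply mentions.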
 
Hi Desperado618,

Thanks for the message. I did end up getting this working properly. The issue was that I had the Check Point SecuRemote VPN client installed on my client PC as well as the Cisco VPN client. There seem to be some compatibility issues with having both installed. As soon as I had uninstalled the SecuRemote client everything started to work as it was expected.

 
Ahh yeah, that's pretty common. It has to do with the virtual adapter installed by SecuRemote. There is a band-aid fix that will allow both to work properly.
Glad everything is working for you.

 