First attempt configuring ASA and desperately needing assistance

Plethora (Technical User), Jan 15, 2010, US
Our network guy was terminated and I've been tasked with configuring a new ASA as soon as possible. I have very limited experience but with some help I'm sure I can get it up.

I have a Cisco ASA 5510 with version 7.0 running. The device currently only has a port opened for an ftp server. I need to configure it so that I can access the Internet from inside as well as allow remote access VPN into the network with active directory user authentication. I've downloaded Cisco's CLI configuration guide but there's just so much in there that it confuses the heck out of me. I think most of the stuff doesn't pertain to what I need. I'm scheduled for some Cisco training in two weeks but in the meantime I'm really hoping one of you nice folks could help me out. It would be sincerely appreciated.

Here's my current config:


ASA Version 7.0(7)
!
hostname myciscoasa
domain-name MY-DOMAIN
enable password 4IV.065LOTN9aGJT encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 209.xxx.xx.xxx 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.48.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd M9cxT1S8fTjV5618 encrypted
ftp mode passive
access-list 101 extended permit ip 192.168.48.0 255.255.255.0 10.100.10.0 255.255.255.0
access-list 102 extended permit tcp any host 209.xxx.xx.xxx eq 22
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
ip local pool myvpnpool 10.100.10.1-10.100.10.254
no failover
icmp deny any outside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (outside) 1 10.100.10.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 209.xxx.xx.xxx 192.168.48.252 netmask 255.255.255.255
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy MY-DOMAIN internal
group-policy MY-DOMAIN attributes
wins-server value 192.168.48.2
dns-server value 192.168.48.2
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
default-domain value MY-DOMAIN
secure-unit-authentication disable
nem enable
webvpn
username asauser password zg.0S79DBanhNdv3 encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 43200
tunnel-group myvpngroup type ipsec-ra
tunnel-group myvpngroup general-attributes
address-pool myvpnpool
tunnel-group myvpngroup ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.48.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
Cryptochecksum:6f5fecc6174760c62cb1ab6a6626be3e
 
1) I would most definitely upgrade the code to 8.2.2
2) Change this global (outside) 10 interface to global (outside) 1 interface
3) Are you planning on using RADIUS or LDAP to authenticate the remote access users??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you for your help unclerico. The global (outside) 1 interface did the trick.

I believe I want to use RADIUS for authentication. I've installed IAS on my domain controller.

Would it be best to update to 8.2.2 now or wait until I have it configured? Currently I have remote access VPN using a group user/password working, and Internet connectivity. I think all I need now is to get the proper authentication in place.

One other question. How do I enable it so that when I connect using VPN I can still have Internet connectivity from my own machine? When I connect now I lose my Internet connection from my home/work computer.

Thanks again for your help.
 
The sooner that you upgrade the better, IMHO.

For RADIUS, you'll need to do the following:
1) Create a global group in AD. Add all individuals that will be permitted to use the RA VPN to this group (or create multiple groups if you want certain people to get access to one policy and certain people to get access to another policy).
2) Add a new client to IAS matching the IP of the ASA.
3) Create a new Remote Access Policy in IAS. Match on the Client-IP-Address (inside interface of the ASA), Windows Group (the one that you created in Step 1), and NAS-Port-Type Virtual (VPN). For Authentication place a checkmark next to Unencrypted. Under Advanced remove Framed and Service. I like to assign users their group-policy from RADIUS, so on the Advanced tab I add a Class attribute and place OU=<group_policy_name> in the string field. This attribute will be passed back to the ASA and assigned during authentication. Be sure you either add this policy above the two default policies (Domain Users and Domain Computers) or remove the two default policies.
4) On the ASA add this:
Code:
ASA(config)# aaa-server <aaa-server-group-name> protocol radius
ASA(config)# aaa-server <aaa-server-group-name> (inside) host <ip-address-of-radius-server> <pre-shared-key>
ASA(config)# tunnel-group myvpngroup general-attributes
ASA(config-tunnel-general)# authentication-server-group <aaa-server-group-name>
ASA(config-tunnel-general)# default-group-policy MY-DOMAIN
How do I enable it so that when I connect using VPN that I can still have Internet connectivity from my own machine
You need to either configure split-tunneling (security risk, more efficient) or tunnel all traffic over the VPN (highly secure, less efficient)

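The steps above, pulled together as an added example in ASA 7.x CLI syntax (this is not unclerico's or Plethora's configuration). It reuses the names already in the thread (aaa-server group "vpn", group-policy MY-DOMAIN, tunnel-group myvpngroup, inside subnet 192.168.48.0/24, VPN pool 10.100.10.0/24) and adds the split-tunnel pieces the thread mentions but does not show; the ACL name SPLIT_TUNNEL, the placeholder shared secret and the RADIUS port values are assumptions.

```cisco
! Added example, not the thread's own config. Names reused from the
! thread; SPLIT_TUNNEL, the secret placeholder and ports are assumed.
!
! RADIUS server group. The key must match the client secret entered in
! IAS for this ASA; IAS listens on 1812/1813 by default, the ASA
! defaults to 1645/1646, so the ports are set explicitly here.
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.48.2
 key <RADIUS-SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813
!
! Split-tunnel list (must be a standard ACL on 7.x): only destinations
! listed here are sent through the tunnel; everything else, including
! the client's Internet traffic, leaves the client's local interface.
access-list SPLIT_TUNNEL standard permit 192.168.48.0 255.255.255.0
!
! NAT exemption so inside-to-pool traffic is not translated on its way
! back into the tunnel (already present in the thread's config).
access-list 101 extended permit ip 192.168.48.0 255.255.255.0 10.100.10.0 255.255.255.0
nat (inside) 0 access-list 101
!
! Hand the split-tunnel policy to the group-policy the RADIUS Class
! attribute (OU=MY-DOMAIN) or the tunnel-group default selects.
group-policy MY-DOMAIN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Authenticate the IPsec remote-access group against RADIUS.
tunnel-group myvpngroup general-attributes
 address-pool myvpnpool
 authentication-server-group vpn
 default-group-policy MY-DOMAIN
```

With `tunnelspecified`, only the networks in the split-tunnel list are routed through the tunnel; a server on a subnet that is not in the list is reached over the client's local Internet path instead and will not answer, so the list has to cover every internal subnet users need. `split-tunnel-policy tunnelall` gives the opposite trade-off unclerico describes: all client traffic, Internet included, goes through the ASA.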
 
Hi unclerico,

I've set up the IAS server as you suggested above (and per this). However, for some reason I still fail when I try to connect with one of the users that is configured per the instructions. Here's what I have in my config pertaining to setting up RADIUS:



access-list 101 extended permit ip 192.168.48.0 255.255.255.0 10.100.10.0 255.255.255.0

ip local pool myvpnpool 10.100.10.1-10.100.10.254

aaa-server vpn protocol radius
aaa-server vpn host 192.168.48.2
key xxxxxxxxxx

group-policy MY-DOMAIN internal
group-policy MY-DOMAIN attributes
wins-server value 192.168.48.2
dns-server value 192.168.48.2
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
default-domain value MY-DOMAIN.COM
secure-unit-authentication disable
nem enable
webvpn

username vpnuser password ypJbVLmYa3QI3jLM encrypted

tunnel-group myvpngroup type ipsec-ra
tunnel-group myvpngroup general-attributes
address-pool myvpnpool
authentication-server-group vpn
default-group-policy MY-DOMAIN
tunnel-group myvpngroup ipsec-attributes
pre-shared-key *
 
I'm such an idiot! I guess it helps when you actually start the service in IAS. I'm now able to log in with individual user accounts.

Now onto the split tunnel. Any easy config suggestions? I'll see what I can dig up on Google and give it a shot. It's always nice though to have someone help you out and I really do appreciate your assistance unclerico.
 
I found how to configure the split tunnel and it works. However, I broke something :) I can VPN in and access the Internet from my local machine, but now I can't RDP or ping the servers I need access to.

 
Can you post your new config??

 