Setting up VPN on ASA 5505

[mletendre]

I am trying to set up a VPN with our ASA 5505 to allow one remote user to access files on our network. We have set up the ASA before and has been working as a firewall without issue.

I have tried the VPN wizard with remote access. selecting Cisco VPN Client (I had the end user download Cisco VPN client 5.0)

Now if I choose a pre-share key I do not know how to put that information into the client software as it asks for

I left the NAT translation part of the wizard blank

connection entry
Description
host ( I assume this is the static default IP from my ISP)

Use group authentication
Username (I put the username I specified while setting in the VPN Wizard)
Password (again when I set up the wizard)

I think the client is where I am running into a wall.

 

[unclerico]

Using group authentication you should just need to provide the host name, the group name, and the group password that you used when setting up the vpn group on the ASA.

Here's the VPN Client user guide (I know it's for 4.6 but I can't find anything for 5.0):

http://www.cisco.com/en/US/docs/sec...pn_client46/win/user/guide/vc4.html#wp1082622

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[mletendre]

That would be great but I don't see where to define a group/password on the ASA set up. I see group policy but there are no passwords to define

 

[Staticfactory]

You need to use the tunnel-group name and associated pre-shared key as the "Group Authentication" information in the Cisco VPN client. Once you connect to the host using this information, it should prompt you for the local username and password that you configured.

 

[mletendre]

GREAT! does anyone know if there is away for me to test this internally? I figure if i am already on this side of the firewall and I have that set to the outside address it wouldnt work right. I dont want to wait till I get home tonight to try it but may have to.

 

[mletendre]

Hey great news, I was able to get in!

Now the trouble is when the user clicks on the "My Network Places" and tries to view all the computers, it only shows the work group they are on (as stated in their Control panel ->System on their local machine)

How am I able to get them to view the entire network?

 

[mletendre]

Still can not see any of the network, but it seems like I am there....

Any ideas why I can not view any other computers or workgroups?

 

[mletendre]

as requested here is my show run for the ASA5505. I am using the remoteaccess tunneling group


ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
no names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 75.150.xx.xx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.87.71.226
name-server 68.87.73.242
domain-name default.domain.invalid
dns server-group Primary
name-server 68.87.71.226
name-server 68.67.73.242
access-list http-list extended permit ip any any
access-list inbound extended permit tcp any host 75.150.xx.xx eq 3389
access-list inbound extended permit ip any host 75.150.xx.xx
access-list inbound extended permit tcp any host 75.150.xx.xx
access-list inbound extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any host 192.168.1.52
access-list capture1 extended permit ip any host 75.150.97.18
access-list capture1 extended permit ip host 75.150.xx.xx any
access-list inside_nat0_outbound_1 extended permit ip any 192.168.1.0 255.255.255.0
!
tcp-map tmap
exceed-mss allow
!
pager lines 12
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool nsaremote 192.168.1.120-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 75.150.xx.xx 192.168.1.52 netmask 255.255.255.255
static (inside,outside) 75.150.xx.xx 192.168.1.141 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto ca trustpoint remote
enrollment terminal
password *
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
client-update enable
telnet 192.168.1.131 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd wins 192.168.1.141
!
dhcprelay server 192.168.1.31 inside

!
class-map http
match access-list http-list
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2000
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class http
set connection advanced-options tmap
!
service-policy global_policy global
group-policy remoteaccess internal
group-policy remoteaccess attributes
wins-server value 192.168.1.141
dns-server value 68.87.71.226 68.87.73.242
vpn-tunnel-protocol IPSec
group-policy nsaremote internal
group-policy nsaremote attributes
vpn-tunnel-protocol IPSec
username rsteele password Q.vPSpFXcdY4Itmb encrypted privilege 0
username rsteele attributes
vpn-group-policy remoteaccess
vpn-framed-ip-address 192.168.1.23 255.255.255.0
tunnel-group nsaremote type ipsec-ra
tunnel-group nsaremote general-attributes
address-pool nsaremote
default-group-policy nsaremote
tunnel-group nsaremote ipsec-attributes
pre-shared-key *
tunnel-group remoteaccess type ipsec-ra
tunnel-group remoteaccess general-attributes
address-pool nsaremote
default-group-policy remoteaccess
tunnel-group remoteaccess ipsec-attributes
pre-shared-key *
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context