|
Question : Problem with remote access VPN with ASA 5510
|
|
Hello Lads,
I'm having some issues with people connecting remotely to the new ASA I configured, here goes;
hostname ciscoasa domain-name enable password names dns-guard ! interface Ethernet0/0 nameif Outside security-level 0 ip address 1.2.3.4 5.5.5.5 ! interface Ethernet0/1 nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! passwd boot system disk0:/asa721-k8.bin ftp mode passive dns server-group DefaultDNS domain-name object-group service Server-03 tcp-udp port-object range 3389 3389 port-object range 1723 1723 port-object range 443 443 port-object range www www port-object range 38561 38561 object-group service Server-33 tcp-udp port-object range 2253 2255 port-object range 1718 1720 port-object range 49152 49159 access-list Outside_access_out extended permit ip 1.2.3.4 5.5.5.5 any access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any access-list Outside_access_in extended permit tcp any object-group Server-03 host 1.2.3.4 access-list Outside_access_in extended permit tcp any host 1.2.3.4 access-list Outside_access_in extended permit icmp any 1.2.3.4 5.5.5.5 access-list Outside_access_in extended permit ip x.x.x.x 255.255.255.240 host 192.168.0.1 access-list Outside_access_in extended permit udp x.x.x.x 255.255.255.240 host 192.168.0.1 access-list Local_LAN_Access standard permit any access-list officevpn_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.252 access-list Outside_cryptomap_dyn_20_1 extended permit ip any 192.168.100.0 255.255.255.0 access-list Outside_cryptomap extended permit ip any 192.168.100.0 255.255.255.252 pager lines 24 logging enable logging asdm informational mtu Outside 1500 mtu inside 1500 mtu management 1500 ip local pool VPN_Pool 192.168.100.1-192.168.100.2 mask 255.255.255.0 asdm image disk0:/asdm521.bin no asdm history enable arp timeout 14400 nat-control global (Outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 192.168.0.0 255.255.255.0 static (inside,Outside) x.x.x.x 192.168.0.3 netmask 255.255.255.255 static (inside,Outside) x.x.x.x 192.168.0.33 netmask 255.255.255.255 static (inside,Outside) 192.168.0.1 192.168.0.1 netmask 255.255.255.255 access-group Outside_access_in in interface Outside access-group Outside_access_out out interface Outside access-group inside_access_in in interface inside route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute group-policy officevpn internal group-policy officevpn attributes dns-server value x.x.x.x x.x.x.x vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value officevpn_splitTunnelAcl username x password x privilege 15 username x password x privilege 0 username lawrence attributes vpn-group-policy officevpn aaa authentication telnet console LOCAL aaa authentication enable console LOCAL aaa authentication ssh console LOCAL http server enable http x.x.x.x Outside http 192.168.0.0 255.255.255.0 inside http 192.168.1.0 255.255.255.0 management snmp-server host Outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-SHA crypto map Outside_map 20 ipsec-isakmp dynamic Outside_dyn_map crypto map Outside_map interface Outside crypto isakmp enable Outside crypto isakmp policy 10 authentication pre-share encryption des hash sha group 2 lifetime 86400 tunnel-group officevpn type ipsec-ra tunnel-group officevpn general-attributes address-pool VPN_Pool default-group-policy officevpn tunnel-group officevpn ipsec-attributes pre-shared-key * telnet x.x.x.x x.x.x.x Outside telnet timeout 5 ssh x.x.x.x x.x.x.x Outside ssh timeout 5 console timeout 0 dhcpd address 192.168.1.2-192.168.1.254 management dhcpd enable management ! ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:d5b7fd12caf660b713a54267b702650f : end
Thanks.
|
Answer : Problem with remote access VPN with ASA 5510
|
|
It should work with your existing transform set (DES-SHA), but try adding this one to see if your VPN client is having trouble with that transform set:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac <---define the new transform set with 3DES instead of DES no crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-SHA <---take off the old transform set crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA <---associate the new transform set crypto isakmp nat-traversal <---allows VPN clients to connect from behind another NAT device
Give these a go and see what you get...
|
|
|
|