Windows VPN client remote access

[aquila125]

Hi all,

is it possible to use the default windows vpn client to connect to our ASA 5510 (7.2)? I can't seem to get it working...

Is it possible to use PPTP? I found some information on L2TP/IPSEC. I created the CRYPTO stuff, and the tunnel-groups, but it seems that they are interfering with the normal working of the firewall (if i allow any ip address to connect through vpn, nothing else works since it all goes through crypto i guess...)

I can post our config if necessary...

This is a test setup since we'r currently using pix 6.something

 

[aquila125]

Doh! I had my access-list backwards... now it's all working..

 

[geranimo666]

Hi Aquila125!

I'm not trying to take the work out of it but my company wants to implement the same scenario... would you be able to provide me with a scrubbed copy of the acl logic showing how you did this? or some screen shots if done in ASDM?

any info would be greatly appreciated
geranimo

 

[aquila125]

Hi!

We got it working at last!! This is our config (only the VPN entries are shown, and the IP addresses (external) have been cleared:

: Saved
:
ASA Version 7.2(2)
!
hostname MyFirewall
domain-name mydomain
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address externalIP 255.255.255.192 
!
interface Ethernet0/1 
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.248.0 
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.205.1.100 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name OUR.DOMAIN
access-list acl_outside extended permit udp any host firewallIP eq 1701
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool clientVPNpool 192.168.44.1-192.168.47.254 mask 255.255.248.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 GATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.40.5
 dns-server value 192.168.40.5
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value OUR.DOMAIN
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
username test attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol l2tp-ipsec
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 10.205.1.0 255.255.255.0 management
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 address-pool ClientVPNpool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.40.6
prompt hostname context
Cryptochecksum:387f527f378249e3b1df367ebbf2ba85
: end

it took us a while to get it working, and there are no good examples on the net.. so here it is.. enjoy!

 

[NetworkGhost]

Just an FYI. Below is a link for a configuration example of L2TP with Cisco ASA

http://www.cisco.com/en/US/products...s_configuration_example09186a00807213a7.shtml

Free Firewall/Network/Systems Support-

http://firewalls.ath.cx

 

[aquila125]

We used that example, but it has some shortcommings. If you use that code, you can't connect to the firewall (ping and stuff).. We changed the code a bit to make sure all normal traffic still works.

 

[NetworkGhost]

What do you mean?

"We changed the code a bit to make sure all normal traffic still works."


What else were you trying to accomplish/ what changes did you make?


Just curious...







Free Firewall/Network/Systems Support-

http://firewalls.ath.cx

 

[aquila125]

If you implement the example you can't ping the firewall anymore. SSH to the firewall also doesn't work.
We removed the 105 access list and the reference to it in the dynamic map to make ik work as we want it to. Now we can connect to the firewall with the VPN, and all other traffic to it also works.

we are cisco noobs

 

[NetworkGhost]

Ah ok. Thanks. Was just curious.

Free Firewall/Network/Systems Support-

http://firewalls.ath.cx

 

[aquila125]

Hmm.. seems like we were to early with the celebrations..

We installed the firewall in our datacenter (still as test) but now the VPN doesn't work anymore. Well, it still works if we connect to it from a computer in the same subnet as the external interface, but if we try to connect to it from our office (seperate internet connection), we don't even get past 'Connecting'. Anybody now what we are doing wrong? I don't see any error messages in the firewalls..

 

[aquila125]

Extra info: I can ping the firewall from our external office...

 

[aquila125]

This problem was solved. We had a Nortel VPN Client installed on the test machine that didn't allow VPN traffic by another client.