
Windows VPN client remote access

Status
Not open for further replies.

aquila125

MIS
Jan 12, 2005
109
BE
Hi all,

Is it possible to use the default Windows VPN client to connect to our ASA 5510 (7.2)? I can't seem to get it working...

Is it possible to use PPTP? I found some information on L2TP/IPSEC. I created the CRYPTO stuff and the tunnel-groups, but it seems that they are interfering with the normal working of the firewall (if I allow any IP address to connect through VPN, nothing else works, since it all goes through crypto, I guess...)

I can post our config if necessary...

This is a test setup, since we're currently using PIX 6.something
 
Doh! I had my access-list backwards... now it's all working..
 
Hi Aquila125!

I'm not trying to take the work out of it, but my company wants to implement the same scenario... Would you be able to provide me with a scrubbed copy of the ACL logic showing how you did this? Or some screenshots if done in ASDM?

Any info would be greatly appreciated.
geranimo
 
Hi!

We got it working at last!! This is our config (only the VPN entries are shown, and the external IP addresses have been cleared):

Code:
: Saved
:
ASA Version 7.2(2)
!
hostname MyFirewall
domain-name mydomain
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address externalIP 255.255.255.192 
!
interface Ethernet0/1 
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.248.0 
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.205.1.100 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name OUR.DOMAIN
access-list acl_outside extended permit udp any host firewallIP eq 1701
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool clientVPNpool 192.168.44.1-192.168.47.254 mask 255.255.248.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 GATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.40.5
 dns-server value 192.168.40.5
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value OUR.DOMAIN
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
username test attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol l2tp-ipsec
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 10.205.1.0 255.255.255.0 management
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.40.6
prompt hostname context
Cryptochecksum:387f527f378249e3b1df367ebbf2ba85
: end

It took us a while to get it working, and there are no good examples on the net, so here it is. Enjoy!
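The config above, and the follow-up about a catch-all crypto ACL breaking ping and SSH to the box, suggest a few things worth checking mechanically before a config like this goes onto a production ASA. The script below is an added example written for this thread, not a Cisco tool or anything the posters used. It runs a small lint over a constructed excerpt of the posted config (only the lines the checks care about are kept, and the mixed-case pool name is reproduced on purpose): it confirms UDP/1701 is permitted on the outside ACL, checks that every `address-pool` reference matches an `ip local pool` statement exactly, flags `ssh`/`http` management opened to `0.0.0.0 0.0.0.0` on the outside interface, and flags a dynamic map whose `match address` ACL is `permit ip any any`. Function and variable names are the example's own.

```python
"""Lint an ASA 7.x config excerpt for the L2TP/IPsec pitfalls raised in this thread.
Added example, not a Cisco tool; the config text below is constructed from the post."""
import re

# Constructed excerpt modelled on the posted config. Only the statements the
# checks look at are kept; 'ClientVPNpool' vs 'clientVPNpool' is deliberate.
ASA_CONFIG = """\
access-list acl_outside extended permit udp any host firewallIP eq 1701
ip local pool clientVPNpool 192.168.44.1-192.168.47.254 mask 255.255.248.0
access-group acl_outside in interface outside
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.205.1.0 255.255.255.0 management
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group DefaultRAGroup general-attributes
 address-pool ClientVPNpool
 default-group-policy DefaultRAGroup
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""


def parse_config(text):
    """Pull out just the statements the checks need, line by line."""
    facts = {"acls": {}, "pools": set(), "pool_refs": [], "dyn_match": [],
             "open_mgmt": [], "l2tp_permitted": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) (.+)", line):
            name, rule = m.groups()
            facts["acls"].setdefault(name, []).append(rule)
            # L2TP control channel: UDP 1701 must reach the outside interface
            if re.search(r"permit udp .+ eq (1701|l2tp)$", rule):
                facts["l2tp_permitted"] = True
        elif m := re.match(r"ip local pool (\S+) ", line):
            facts["pools"].add(m.group(1))
        elif m := re.match(r"address-pool (\S+)", line):
            facts["pool_refs"].append(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) match address (\S+)", line):
            facts["dyn_match"].append(m.groups())
        elif m := re.match(r"(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            facts["open_mgmt"].append((m.group(1), m.group(2)))
    return facts


def lint(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    f = parse_config(text)
    findings = []
    if not f["l2tp_permitted"]:
        findings.append("no ACL permits UDP/1701, so L2TP clients cannot reach the outside interface")
    for ref in f["pool_refs"]:
        if ref not in f["pools"]:
            findings.append(f"address-pool '{ref}' has no matching 'ip local pool' "
                            "statement (spelling and case must match exactly)")
    for proto, iface in f["open_mgmt"]:
        if iface == "outside":
            findings.append(f"{proto} management is open to any source on '{iface}'; "
                            "restrict it to known admin addresses")
    for dmap, seq, acl in f["dyn_match"]:
        if any(re.search(r"permit ip any any", r) for r in f["acls"].get(acl, [])):
            findings.append(f"dynamic-map {dmap} {seq} matches ACL {acl} with 'permit ip any any': "
                            "all traffic is pulled into IPsec, the symptom described in this thread")
    return findings


if __name__ == "__main__":
    for finding in lint(ASA_CONFIG):
        print("-", finding)
```

Run as-is it reports the pool-name mismatch and the two wide-open management lines; fixing those (and not adding a catch-all crypto ACL) brings the list to empty. The checks are deliberately conservative string matches against the excerpt's statement shapes, so a real device dump with `object-group` ACLs or NAT-exempt rules would need the patterns extended.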
 
We used that example, but it has some shortcomings. If you use that code, you can't connect to the firewall (ping and stuff). We changed the code a bit to make sure all normal traffic still works.
 
What do you mean?

"We changed the code a bit to make sure all normal traffic still works."

What else were you trying to accomplish / what changes did you make?

Just curious...

Free Firewall/Network/Systems Support-
 
If you implement the example you can't ping the firewall anymore. SSH to the firewall also doesn't work.
We removed the 105 access list and the reference to it in the dynamic map to make it work as we want it to. Now we can connect to the firewall with the VPN, and all other traffic to it also works.

We are Cisco noobs :D
 
Hmm.. seems like we were too early with the celebrations..

We installed the firewall in our datacenter (still as a test), but now the VPN doesn't work anymore. Well, it still works if we connect to it from a computer in the same subnet as the external interface, but if we try to connect to it from our office (separate internet connection), we don't even get past 'Connecting'. Anybody know what we are doing wrong? I don't see any error messages in the firewalls..
 
Extra info: I can ping the firewall from our external office...
 
This problem was solved. We had a Nortel VPN Client installed on the test machine that didn't allow VPN traffic by another client.
 