setting up VPN with ASA5505 and SBS 2003
  • setting up VPN with ASA5505 and SBS 2003

    Let me preface this by saying that I am not great with Cisco; I am much more comfortable in the MS server environment, but I inherited this setup and am trying to figure it out as best I can.

    Basically, I am trying to set up a VPN and use my DC as a RADIUS server. Below is my running config (I used the Cisco VPN wizard to attempt to set up the VPN). On my server I have IAS with a remote access policy allowing VPN access when 'NAS-port type match Virtual VPN' and the user is part of the VPN security group.

    Here is the running config; I changed public IPs, the domain name and passwords out of paranoia, lol.

    : Saved
    : Written by enable_15 at 11:39:33.231 UTC Thu Apr 2 2009
    !
    ASA Version 7.2(2)
    !
    hostname ciscoasa
    domain-name companyXYZ.local
    enable password AvFxOc5r.eXgcyRR encrypted
    names
    name 192.168.1.2 DC101 description AD/WWW/Mail
    name 212.32.226.162 mail
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 212.32.226.163 255.255.255.248
    !
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd AvFxOc5r.eXgcyRR encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name companyXYZ.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service VNC tcp
    port-object range 5900 5900
    object-group service RDP tcp
    description Microsoft Terminal Services
    port-object range 3389 3389
    access-list acl_out extended permit icmp any any
    access-list acl_out remark SMTP mail access
    access-list acl_out extended permit tcp any host mail eq smtp
    access-list acl_out remark VNC remote desktop access
    access-list acl_out extended permit tcp any host mail eq 5900
    access-list acl_out remark web access
    access-list acl_out extended permit tcp any host mail eq www
    access-list acl_out remark secure web access
    access-list acl_out extended permit tcp any host mail eq https
    access-list acl_out remark pop3 mail access
    access-list acl_out extended permit tcp any host mail eq pop3
    access-list acl_out remark Microsoft Terminal Services Access
    access-list acl_out extended permit tcp any host mail object-group RDP
    access-list acl_out extended permit tcp any host mail eq imap4
    access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224
    access-list 110 extended permit tcp host mail host DC101 eq 3389
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool company-vpn 192.168.1.200-192.168.1.223 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) mail DC101 netmask 255.255.255.255
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 212.32.226.161 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server DC101 protocol nt
    aaa-server DC101 host DC101
    timeout 5
    nt-auth-domain-controller DC101
    group-policy company-vpn internal
    group-policy company-vpn attributes
    dns-server value 192.168.1.2
    vpn-tunnel-protocol IPSec
    default-domain value companyXYZ.local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address DC101-192.168.1.129 inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:092c077512dd971312a16f6fbcf6346f
    : end

  • #2
    Re: setting up VPN with ASA5505 and SBS 2003

    Do you get errors in the event log?
    What happens when you try to authenticate?
    Cheers
    Andy

    Quis custodiet ipsos custodes?


    • #3
      Re: setting up VPN with ASA5505 and SBS 2003

      Hi,

      Your configuration is missing a few crucial lines.
      The following links should help you:

      (Example)
      hxxp://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

      hxxp://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html

      Greetz

      Jaap
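Reply #3 says the posted config is missing crucial lines but does not say which. The script below is an added example, not code from this thread or from Cisco: a small line-oriented audit of an ASA running config that flags what a reviewer would raise on the posted config, namely the aaa-server group using NT-domain authentication (`protocol nt`) although the poster wants RADIUS against IAS, the absence of any `tunnel-group` tying the address pool and the authentication server to remote-access clients, SSH management permitted from 0.0.0.0/0 on the outside interface, and VNC/RDP permitted from any source to the mail host by the inbound ACL. Both config excerpts are constructed from the posted lines; the "hardened" excerpt uses ASA 7.x remote-access commands (`tunnel-group`, `address-pool`, `authentication-server-group`, `pre-shared-key`) as I know them, with placeholder secrets, and is an assumption about the intended design, not a verified fix for the poster's device.

```python
import ipaddress
import re

# Constructed excerpt of the posted running config (relevant lines only).
POSTED_CONFIG = """\
name 192.168.1.2 DC101 description AD/WWW/Mail
name 212.32.226.162 mail
object-group service RDP tcp
description Microsoft Terminal Services
port-object range 3389 3389
access-list acl_out extended permit tcp any host mail eq smtp
access-list acl_out extended permit tcp any host mail eq 5900
access-list acl_out extended permit tcp any host mail eq https
access-list acl_out extended permit tcp any host mail object-group RDP
access-group acl_out in interface outside
ip local pool company-vpn 192.168.1.200-192.168.1.223 mask 255.255.255.0
aaa-server DC101 protocol nt
aaa-server DC101 host DC101
group-policy company-vpn internal
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

# Constructed "after" excerpt (assumption, not the poster's fix): RADIUS to the DC,
# a tunnel-group binding pool and auth server, SSH limited to the inside LAN,
# VNC/RDP no longer opened from any. Secrets are placeholders.
HARDENED_CONFIG = """\
! RADIUS group pointing at the IAS server on the DC
aaa-server DC101 protocol radius
aaa-server DC101 (inside) host 192.168.1.2
key PLACEHOLDER-RADIUS-SHARED-SECRET
ip local pool company-vpn 192.168.1.200-192.168.1.223 mask 255.255.255.0
group-policy company-vpn internal
! remote-access tunnel-group ties pool, auth server and policy together
tunnel-group company-vpn type ipsec-ra
tunnel-group company-vpn general-attributes
address-pool company-vpn
authentication-server-group DC101
default-group-policy company-vpn
tunnel-group company-vpn ipsec-attributes
pre-shared-key PLACEHOLDER-PSK
access-list acl_out extended permit tcp any host mail eq smtp
access-list acl_out extended permit tcp any host mail eq https
access-group acl_out in interface outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
"""

REMOTE_ADMIN_PORTS = {"3389": "RDP", "5900": "VNC", "23": "telnet", "22": "ssh"}


def parse(config):
    """Split a running config into stripped command lines, dropping '!' and ':' comment lines."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith(("!", ":"))]


def service_groups(lines):
    """Map each 'object-group service' name to the numeric ports it contains."""
    groups, current = {}, None
    for ln in lines:
        m = re.match(r"object-group service (\S+)", ln)
        if m:
            current = m.group(1)
            groups[current] = set()
        elif current and ln.startswith("port-object"):
            # 'port-object range lo hi' or 'port-object eq p'; named ports are ignored here
            groups[current].update(t for t in ln.split()[2:] if t.isdigit())
        elif current and not ln.startswith("description"):
            current = None  # any other command ends the object-group block
    return groups


def audit(config):
    """Return findings for the four checks described in the lead-in, in config order."""
    lines = parse(config)
    groups = service_groups(lines)
    findings = []
    # 1. Device management (ssh/telnet/http) reachable from any source on 'outside'.
    for ln in lines:
        m = re.match(r"(ssh|telnet|http) (\S+) (\S+) (\S+)$", ln)
        if m and m.group(4) == "outside":
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if net.prefixlen == 0:
                findings.append(f"{m.group(1)} management open to any source on outside")
    # 2. AAA server group not using RADIUS (the post wants IAS/RADIUS; config says 'nt').
    for ln in lines:
        m = re.match(r"aaa-server (\S+) protocol (\S+)", ln)
        if m and m.group(2) != "radius":
            findings.append(f"aaa-server {m.group(1)} uses protocol {m.group(2)}, not radius")
    # 3. No tunnel-group: pool and authentication server never bound to remote-access clients.
    if not any(ln.startswith("tunnel-group ") for ln in lines):
        findings.append("no tunnel-group: address pool and authentication-server-group are unbound")
    # 4. Inbound ACL on 'outside' permitting remote-admin services from any source.
    inbound = {m.group(1) for ln in lines
               for m in [re.match(r"access-group (\S+) in interface outside", ln)] if m}
    for ln in lines:
        m = re.match(r"access-list (\S+) extended permit tcp any host (\S+) (eq|object-group) (\S+)", ln)
        if m and m.group(1) in inbound:
            ports = groups.get(m.group(4), set()) if m.group(3) == "object-group" else {m.group(4)}
            for p in sorted(ports & set(REMOTE_ADMIN_PORTS)):
                findings.append(f"{REMOTE_ADMIN_PORTS[p]} (tcp/{p}) on host {m.group(2)} permitted from any")
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED_CONFIG):
        print("FINDING:", finding)
    print("hardened excerpt findings:", audit(HARDENED_CONFIG))
```

Run it against a real `show running-config` by reading the file into `audit()`; the parser ignores indentation, so it works on the flattened paste above as well as on the device's own output. The checks are deliberately narrow (only `tcp any host ...` entries, only numeric ports) so that a clean result means "nothing obvious", not "nothing wrong".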
