VPN server config needs to be completed


    Hello everyone,

    I am trying to configure a VPN server on our ASA 5520 to allow some users from outside to access our servers, the edge server on the DMZ, or client workstations.
    Actually, when I use the Cisco VPN client software it shows me "connected", but I can't ping or access any server or workstation inside the network.
    Please, can anyone help to complete this? I think I am missing something that needs to be added, like access-lists or something.
    This is my configuration:

    ASA5520# sho run
    : Saved
    :
    ASA Version 7.0(7)
    !
    hostname ASA5520
    domain-name mydomain.com
    enable password QfuqYHdfatTt3AazcyR encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 213.x.x.109 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.110 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif DMZ
    security-level 50
    ip address 172.x.x.1 255.255.255.0
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    ip address 192.168.100.50 255.255.255.0
    management-only
    !
    passwd bWynhNAxeuWqXNuM encrypted
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns name-server 212.xx.19
    dns name-server 212x.x.20
    dns name-server 208.67.222.222
    dns name-server 208.67.220.220
    access-list inside_access_in extended permit ip any any
    access-list acl-out extended permit icmp any any
    access-list acl-out extended permit tcp any host 213.x.x.163 eq 995
    access-list acl-out extended permit tcp any host 213.x.x.163 eq 587
    access-list acl-out extended permit tcp any host 213.x.x.163 eq www
    access-list acl-out extended permit tcp any host 213.x.x.163 eq citrix-ica
    access-list acl-out extended permit tcp any host 213.x.x.163 eq 2598
    access-list acl-out extended permit tcp any host 213.x.x.163 eq https
    access-list acl-out extended permit tcp any host 213.x.x.163 eq smtp
    access-list DMZ_access_in extended permit ip any any
    access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq smtp
    access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50389
    access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50636
    access-list DMZ_access_in extended permit tcp any any
    access-list DMZ_access_in extended permit tcp any host 213.x.x.162 eq 3389
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 172.x.x.0 255.255.255.0
    pager lines 24
    logging enable
    logging console debugging
    logging class ids buffered alerts
    logging class session buffered alerts
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool testpool 10.10.0.10-10.10.0.20
    no failover
    asdm image disk0:/asdm-507.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_to_DMZ
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (DMZ) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 213.x.x.163 192.168.1.6 netmask 255.255.255.255
    static (DMZ,outside) 213.x.x.163 172.x.x.10 netmask 255.255.255.255
    static (DMZ,outside) 213.x.x.162 172.x.x.11 netmask 255.255.255.255
    access-group acl-out in interface outside
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 213.x.x.161 1
    route inside 192.168.100.0 255.255.255.0 192.168.1.100 1
    route inside 192.168.6.0 255.255.255.0 213.x.x.161 1
    route inside 192.168.0.0 255.255.255.0 192.168.1.100 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    username testuser password IqY6lTColo8VIF24 encrypted
    username support password KkVKaDRNAom0ONXd encrypted
    username yassin password ZVE6/cqQY.NQNaTX encrypted
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    isakmp enable outside
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 43200
    tunnel-group testgroup type ipsec-ra
    tunnel-group testgroup general-attributes
    address-pool testpool
    tunnel-group testgroup ipsec-attributes
    pre-shared-key *
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 50
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    policy-map global-policy
    class inspection_default
    !
    service-policy global_policy global
    Cryptochecksum:b22539fefdbd84a5c07c42dcdb89e3fe

  • #2
    Re: VPN server on ASA5520 config needs to be completed

    Well, you have two options from what I see.

    Add these two lines to the "inside_to_DMZ" access-list:
    access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list inside_to_DMZ extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0


    Or

    Add this line to the "nonat" access-list:
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.x.x.0 255.255.255.0


    And do a "nat 0 access-list nonat"
    CCNA, Network+
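As an added check that is not part of the thread, the script below parses the relevant lines of the posted config and reports which addresses of the `testpool` range are not a destination in the ACL bound by `nat (inside) 0 access-list`, i.e. which VPN client addresses would still be translated on the way in; the DMZ octets masked as 172.x.x.0 in the post are a hypothetical 172.16.1.0 here, and the "fixed" variant adds one constructed exemption entry for the pool.

```python
import ipaddress
import re

# Constructed excerpt of the posted running config; the DMZ octets the post
# masked as 172.x.x.0 are replaced with a hypothetical 172.16.1.0 here.
POSTED_CONFIG = """
ip local pool testpool 10.10.0.10-10.10.0.20
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_to_DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Same config with one constructed exemption entry that covers the client pool.
FIXED_CONFIG = POSTED_CONFIG + (
    "access-list inside_to_DMZ extended permit ip "
    "192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0\n"
)

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse(config):
    """Collect address pools, the NAT-exempt ACL per interface, and ACE destinations."""
    pools, exempt, dests = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := NAT0_RE.match(line):
            exempt[m[1]] = m[2]  # a later nat 0 for the same interface replaces the earlier one
        elif m := ACE_RE.match(line):
            # ASA ACEs use dotted netmasks; ipaddress accepts the "network/netmask" form
            dests.setdefault(m[1], []).append(
                ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False))
    return pools, exempt, dests

def uncovered_pool_addresses(config, iface="inside"):
    """Return the pool addresses that are NOT a NAT-exempt destination on iface."""
    pools, exempt, dests = parse(config)
    exempt_dests = dests.get(exempt.get(iface, ""), [])
    missing = []
    for lo, hi in pools:
        addr = lo
        while addr <= hi:
            if not any(addr in net for net in exempt_dests):
                missing.append(str(addr))
            addr += 1
    return missing
```

Run `uncovered_pool_addresses(POSTED_CONFIG)` to list the pool addresses the posted config still translates; an empty list, as for `FIXED_CONFIG`, means every client address is exempt on that interface.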
