
WebVPN config - ASA5510


  • WebVPN config - ASA5510

    Hi all,

    I am a little confused as to what needs to be done to get the clientless SSL vpn working on an ASA5510.

    I've copied my config below:

    I want to have a terminal server accessible through the ASA, and would also like users to log in with their Windows credentials if possible.

    Any ideas/guides for configuration would be great.

    Thanks in advance for the help.


    ========================================================
    hostname CISCOASA5510
    domain-name domain.local
    enable password m7TYfUPUfR/2yAtc encrypted
    passwd m7TYfUPUfR/2yAtc encrypted
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address
    interface Ethernet0/2
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns domain-lookup management
    dns server-group DefaultDNS
    domain-name domain.local
    same-security-traffic permit intra-interface
    object-group service RDP tcp
    description MS RDP
    port-object eq 3389
    object-group service RDP_COMPANY-DB tcp
    description RDP to COMPANY-DB
    port-object eq 3391
    access-list INTERNET_access_in extended permit tcp 80.177
    access-list outside_access_in extended permit tcp any host eq 338
    access-list outside_access_in extended permit tcp any host eq smt
    access-list outside_access_in extended permit tcp any host eq 339
    access-list outside_access_in extended permit tcp host host 80.177.230.114 eq 3391
    access-list outside_access_in extended permit tcp any host eq 339
    access-list outside_access_in extended permit tcp any host eq 339
    access-list outside_access_in extended permit tcp any host eq www

    access-list inside_nat0_outbound extended permit ip 10.0.
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    ip local pool VPN_POOL mask
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 101 interface
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101
    nat (outside) 101
    static (inside,outside) tcp interface 3389 3389 netmask

    static (inside,outside) tcp interface smtp smtp netmask

    static (inside,outside) tcp interface 3390 3389 netmask

    static (inside,outside) tcp interface 3391 3389 netmask

    static (inside,outside) tcp interface 3392 3389 netmask
    static (inside,outside) tcp interface 3393 3389 netmask
    static (inside,outside) tcp interface www www netmask
    access-group outside_access_in in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http management
    http management
    http redirect management 80
    snmp-server host management community public udp-port 161
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    enable inside
    enable outside
    internal-password enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value
    vpn-tunnel-protocol l2tp-ipsec webvpn
    default-domain value domain.local
    group-policy DfltGrpPolicy attributes
    group-lock value DefaultWEBVPNGroup
    url-list value Default
    username COMPANYVPN password iX7qp+2V/yCQw9CHmmutGw== nt-encrypted privilege 0
    username COMPANYVPN attributes
    vpn-group-policy DefaultRAGroup
    url-list value Default
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN_POOL
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    : end

    ====================================================

  • #2
    Re: WebVPN config - ASA5510

    What exactly are you wanting? Do you want users to sign into WebVPN with their Windows credentials and then be able to access RDP?

    If so, I may be able to help. I have WebVPN enabled with different groups hitting a Windows 2003 RADIUS server, which passes back their group name. The group signifies what type of access they have once AAA has occurred.

    If that's what you want, I'll try to get the config for you.
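    For anyone following along, here is the general shape of the RADIUS-backed WebVPN setup Sean describes, written up as an added illustration; it is not Sean's config and not from this thread. Server names, IP addresses, the shared secret and the group names are placeholders, and the RADIUS side is assumed to return the IETF Class attribute in the form `OU=<group-policy-name>;`, which is how the ASA picks the group-policy per user. The default policy deliberately permits zero logins, so a user whose Windows group is not mapped gets nothing rather than the default access.

```cisco
! Added example, not the poster's config. Clientless WebVPN on an ASA 8.x
! authenticating against a Windows RADIUS (IAS/NPS) server; placeholders throughout.

! RADIUS server definition (assumed address and secret)
aaa-server WIN_RADIUS protocol radius
aaa-server WIN_RADIUS (inside) host 10.0.0.10
 key <radius-shared-secret>

! Fallback policy: applied when RADIUS returns no recognised group.
! Zero simultaneous logins means "authenticated but no access".
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy selected when RADIUS returns Class = "OU=TS_USERS;" (assumed name).
! Clientless only, bookmark list limited to the terminal server.
group-policy TS_USERS internal
group-policy TS_USERS attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value TS_Bookmarks

! Tie the WebVPN tunnel-group to the RADIUS server and the deny-by-default policy
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group WIN_RADIUS
 default-group-policy NOACCESS

! Portal only on the outside interface
webvpn
 enable outside
```

On the Windows side, each remote-access policy (one per Windows group) returns the Class attribute with the matching `OU=...;` value; the ASA then applies that group-policy instead of NOACCESS. Keep the portal disabled on the inside interface unless there is a reason for it, and note that reaching RDP through the clientless portal still depends on the bookmark type and plugin support on the ASA version in use.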



    • #3
      Re: WebVPN config - ASA5510

      Hi Sean,

      That's exactly it!