New to ASA's... 5505 VPN setup?

  • New to ASA's... 5505 VPN setup?

    So we have an ASA 5505 sitting on the shelf that we want to set up as a remote access VPN connection for a couple of people in our IT department. I created a VLAN on our core switch today as VLAN 19 (IP address /16). Here is how it will be connected--

    ISP Router ---> External Switch ---> ASA5505 ---> Cisco 4510R Core Switch

    The outside interface (et0/0) connected to the external switch will have one of our public IPs assigned to it. The inside interface (et0/1) will be assigned (removed). I plan to have DHCP configured on the ASA handing out addresses from 172.19.0-3--

    I added the route to our core switch as follows so we can get around the network--

    router eigrp 1

    I plan on tackling the ASA tomorrow. Is there anything in particular I need to look out for? Does this look like it will work? I have never configured one of these before but by searching around the 'net, it seems rather daunting.

  • #2
    Re: New to ASA's... 5505 VPN setup?

    Yeah, you can do that. First I would get internet access up and going. You will need some NAT rules on the ASA for translation. Also make sure your upstream switch and the ISP router have a route back to your public IP address. The ASA can be tricky to work with, especially with VPNs. I would use the ASDM (GUI) to configure the VPN, if not all of the config. Cisco's GUI has gotten a lot better over the years.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: New to ASA's... 5505 VPN setup?

      OK, I got it set up for SSL VPN. I keep getting a "login failed" message.

      : Saved
      ASA Version 8.3(1)
      hostname ciscoasa
      enable password xxxxxxxx encrypted
      passwd xxxxx encrypted
      interface Vlan1
       nameif inside
       security-level 100
       ip address
      interface Vlan2
       nameif outside
       security-level 0
       ip address (removed)
      interface Ethernet0/0
       switchport access vlan 2
      interface Ethernet0/1
      interface Ethernet0/2
      interface Ethernet0/3
      interface Ethernet0/4
      interface Ethernet0/5
      interface Ethernet0/6
      interface Ethernet0/7
      ftp mode passive
      clock timezone EST -5
      clock summer-time EDT recurring
      dns domain-lookup inside
      dns server-group DefaultDNS
      same-security-traffic permit inter-interface
      same-security-traffic permit intra-interface
      object network obj_any
      object network NATexempt
       description Exempt address pool for NAT translation
      access-list eigrpACL_FR standard permit
      access-list inside_access_in extended permit icmp any any
      access-list outside_access_in extended permit ip any any
      pager lines 24
      logging enable
      logging asdm informational
      mtu inside 1500
      mtu outside 1500
      ip local pool ITVPNpool mask
      icmp unreachable rate-limit 1 burst-size 1
      icmp permit any inside
      no asdm history enable
      arp timeout 14400
      nat (inside,outside) source dynamic any interface
      object network obj_any
       nat (inside,outside) dynamic interface
      access-group inside_access_in in interface inside
      access-group outside_access_in in interface outside
      router eigrp 1
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
      timeout tcp-proxy-reassembly 0:01:00
      dynamic-access-policy-record DfltAccessPolicy
      http server enable
      http inside
      http inside
      http inside
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart
      crypto ipsec security-association lifetime seconds 28800
      crypto ipsec security-association lifetime kilobytes 4608000
      no vpn-addr-assign aaa
      no vpn-addr-assign local
      telnet timeout 5
      ssh timeout 5
      console timeout 0
      dhcpd auto_config outside
      dhcpd address inside
      dhcpd dns interface inside
      dhcpd domain interface inside
      dhcpd enable inside
      threat-detection basic-threat
      threat-detection statistics host
      threat-detection statistics port
      threat-detection statistics protocol
      threat-detection statistics access-list
      no threat-detection statistics tcp-intercept
      webvpn
       enable outside
       svc enable
      group-policy DfltGrpPolicy attributes
       vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
      username user password xxxxxxx encrypted privilege 0
      username user attributes
       vpn-group-policy DfltGrpPolicy
      tunnel-group ITVPN type remote-access
      tunnel-group ITVPN general-attributes
       address-pool ITVPNpool
      class-map inspection_default
       match default-inspection-traffic
      policy-map type inspect dns preset_dns_map
       parameters
        message-length maximum client auto
        message-length maximum 512
      policy-map global_policy
       class inspection_default
        inspect dns preset_dns_map
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect rsh
        inspect rtsp
        inspect esmtp
        inspect sqlnet
        inspect skinny
        inspect sunrpc
        inspect xdmcp
        inspect sip
        inspect netbios
        inspect tftp
        inspect ip-options
      service-policy global_policy global
      prompt hostname context
      : end
      Last edited by kynov; 6th July 2010, 14:40.
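
A minimal ASA 8.3 remote-access SSL VPN (AnyConnect/svc) configuration, added here as an example; it is not the poster's config and not from the thread. It assumes the layout described above: inside on Vlan1 in 172.19.0.0/16 (the ASA's inside address is not shown in the thread, so the example does not depend on it), a separate 172.20.0.0/24 pool for VPN clients, the ITVPN tunnel-group and ITVPNpool names from the posted config, a local user named ituser, and an AnyConnect package already copied to disk0: (the file name below is a placeholder). The object names INSIDE_NET, ITVPN_POOL, ITVPN_GP and ITVPN_SPLIT are also assumptions. Compared with the posted config it binds the user and the tunnel group to a named group policy, gives the tunnel group an alias so the client can select it, turns local address assignment back on, exempts client traffic from the dynamic PAT rule, and replaces the inbound "permit ip any any" on the outside interface with an explicit deny: the SSL VPN terminates on the ASA itself, so it needs no interface ACL entry.

```cisco
! Added example, not the thread's configuration. Values marked ASSUMED are not from the thread.
! Inside: Vlan1 in 172.19.0.0/16. VPN clients: 172.20.0.0/24 (ASSUMED, kept off the inside subnet).
ip local pool ITVPNpool 172.20.0.1-172.20.0.50 mask 255.255.255.0
!
! Objects for the NAT exemption (ASSUMED names)
object network INSIDE_NET
 subnet 172.19.0.0 255.255.0.0
object network ITVPN_POOL
 subnet 172.20.0.0 255.255.255.0
!
! 8.3 twice NAT: identity rule inserted at position 1 so it is evaluated before the
! "nat (inside,outside) source dynamic any interface" PAT rule. Without it, replies from
! inside hosts to VPN clients are translated to the outside address before encryption.
nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static ITVPN_POOL ITVPN_POOL
!
! Hand out pool addresses; the posted config carries "no vpn-addr-assign local"
vpn-addr-assign local
!
! Split tunnel: only the internal /16 is sent through the tunnel (ASSUMED policy)
access-list ITVPN_SPLIT standard permit 172.19.0.0 255.255.0.0
!
webvpn
 enable outside
 ! ASSUMED file name: use the AnyConnect package actually present on disk0:
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
!
group-policy ITVPN_GP internal
group-policy ITVPN_GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ITVPN_SPLIT
!
! Local VPN user (ASSUMED name and password). service-type remote-access limits the
! account to VPN login, so it cannot reach the CLI or ASDM even if the password leaks.
username ituser password ChangeMe123 privilege 0
username ituser attributes
 vpn-group-policy ITVPN_GP
 service-type remote-access
!
tunnel-group ITVPN type remote-access
tunnel-group ITVPN general-attributes
 address-pool ITVPNpool
 default-group-policy ITVPN_GP
tunnel-group ITVPN webvpn-attributes
 group-alias ITVPN enable
!
! Outside ACL: the posted "permit ip any any" admits any unsolicited inbound connection
! that NAT lets through, and the VPN does not need it. Append an explicit deny first,
! then remove the permit, so the ACL is never empty while it is bound to the interface.
access-list outside_access_in extended deny ip any any log
no access-list outside_access_in extended permit ip any any
```

Because the pool is not part of the inside /16, the 4510R needs a route for 172.20.0.0/24 pointing at the ASA's inside address (or the ASA has to advertise it through the existing "router eigrp 1"); otherwise client traffic reaches inside hosts but the replies never come back. After a client connects, "show vpn-sessiondb svc" lists the session with its assigned pool address, and "show webvpn svc" confirms the package on flash is the one the ASA loaded.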