New to ASA's... 5505 VPN setup?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • New to ASA's... 5505 VPN setup?

    So we have an ASA 5505 sitting on the shelf that we want to set up as a remote access VPN connection for a couple of people in our IT department. I created a VLAN on our core switch today as VLAN 19 (ip address 172.19.0.1 /16). Here is how it will be connected--

    ISP Router ---> External Switch ---> ASA5505 ---> Cisco 4510R Core Switch


    The outside interface (et0/0) connected to the external switch will have one of our public IPs assigned to it. The inside interface (et0/1) will be assigned 172.19.0.2. I plan to have DHCP configured on the ASA handing out addresses from 172.19.0-3--172.19.0.10.

    I added the route to our core switch as follows so we can get around the network--

    router eigrp 1
    network 172.19.0.0

    I plan on tackling the ASA tomorrow. Is there anything in particular I need to look out for? Does this look like it will work? I have never configured one of these before but by searching around the 'net, it seems rather daunting.

  • #2
    Re: New to ASA's... 5505 VPN setup?

    Yeah, you can do that. First I would get internet access up and going. You will need some NAT rules on the ASA for translation. Also make sure your upstream switch and the ISP router have a route back to your public IP address. The ASA can be tricky to work with, especially with VPNs. I would use the ASDM (GUI interface) to configure the VPN, if not all of the config. The Cisco GUI has gotten a lot better over the years.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: New to ASA's... 5505 VPN setup?

      OK, I got it set up for SSL VPN. I keep getting a "login failed" message.

      : Saved
      :
      ASA Version 8.3(1)
      !
      hostname ciscoasa
      domain-name port-orange.org
      enable password xxxxxxxx encrypted
      passwd xxxxx encrypted
      names
      !
      interface Vlan1
      nameif inside
      security-level 100
      ip address 172.19.0.2 255.255.0.0
      !
      interface Vlan2
      nameif outside
      security-level 0
      ip address (removed) 255.255.255.0
      !
      interface Ethernet0/0
      switchport access vlan 2
      !
      interface Ethernet0/1
      !
      interface Ethernet0/2
      !
      interface Ethernet0/3
      !
      interface Ethernet0/4
      !
      interface Ethernet0/5
      !
      interface Ethernet0/6
      !
      interface Ethernet0/7
      !
      ftp mode passive
      clock timezone EST -5
      clock summer-time EDT recurring
      dns domain-lookup inside
      dns server-group DefaultDNS
      name-server 192.168.5.19
      domain-name mycompany.org
      same-security-traffic permit inter-interface
      same-security-traffic permit intra-interface
      object network obj_any
      subnet 0.0.0.0 0.0.0.0
      object network NATexempt
      description Exempt address pool for NAT translation
      access-list eigrpACL_FR standard permit 172.20.0.0 255.255.0.0
      access-list inside_access_in extended permit icmp any any
      access-list outside_access_in extended permit ip any any
      pager lines 24
      logging enable
      logging asdm informational
      mtu inside 1500
      mtu outside 1500
      ip local pool ITVPNpool 172.19.0.15-172.19.0.25 mask 255.255.0.0
      icmp unreachable rate-limit 1 burst-size 1
      icmp permit any inside
      no asdm history enable
      arp timeout 14400
      nat (inside,outside) source dynamic any interface
      !
      object network obj_any
      nat (inside,outside) dynamic interface
      access-group inside_access_in in interface inside
      access-group outside_access_in in interface outside
      !
      router eigrp 1
      network 172.19.0.0 255.255.0.0
      network 172.20.0.0 255.255.0.0
      network 192.168.5.0 255.255.255.0
      !
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
      timeout tcp-proxy-reassembly 0:01:00
      dynamic-access-policy-record DfltAccessPolicy
      http server enable
      http 172.19.0.0 255.255.0.0 inside
      http 172.20.0.0 255.255.0.0 inside
      http 192.168.5.0 255.255.255.0 inside
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart
      crypto ipsec security-association lifetime seconds 28800
      crypto ipsec security-association lifetime kilobytes 4608000
      no vpn-addr-assign aaa
      no vpn-addr-assign local
      telnet timeout 5
      ssh timeout 5
      console timeout 0
      dhcpd auto_config outside
      !
      dhcpd address 172.19.0.6-172.19.0.37 inside
      dhcpd dns 192.168.5.19 192.168.5.39 interface inside
      dhcpd domain mycompany.org interface inside
      dhcpd enable inside
      !
      threat-detection basic-threat
      threat-detection statistics host
      threat-detection statistics port
      threat-detection statistics protocol
      threat-detection statistics access-list
      no threat-detection statistics tcp-intercept
      webvpn
      enable outside
      svc enable
      group-policy DfltGrpPolicy attributes
      vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
      username user password xxxxxxx encrypted privilege 0
      username user attributes
      vpn-group-policy DfltGrpPolicy
      tunnel-group ITVPN type remote-access
      tunnel-group ITVPN general-attributes
      address-pool ITVPNpool
      !
      class-map inspection_default
      match default-inspection-traffic
      !
      !
      policy-map type inspect dns preset_dns_map
      parameters
      message-length maximum client auto
      message-length maximum 512
      policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      !
      service-policy global_policy global
      prompt hostname context
      Cryptochecksum:1b284c684dbad5a000596e8c6879e13f
      : end
      Last edited by kynov; 6th July 2010, 14:40.
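Added example, not code from the thread: a small checker that walks an ASA running-config excerpt like the one pasted above and reports the remote-access settings that most often leave clients at "login failed": local address assignment disabled while only a local pool exists, a tunnel-group whose address-pool does not resolve, and a tunnel-group with no group-alias/group-url (so SSL clients fall into DefaultWEBVPNGroup). The sample config is a constructed excerpt modelled on the post; the finding codes are this example's own names.

```python
import re

# Constructed excerpt modelled on the running-config posted in this thread.
# Real ASA output indents sub-commands by one space; the forum paste lost that.
SAMPLE_CONFIG = """\
ip local pool ITVPNpool 172.19.0.15-172.19.0.25 mask 255.255.0.0
no vpn-addr-assign aaa
no vpn-addr-assign local
tunnel-group ITVPN type remote-access
tunnel-group ITVPN general-attributes
 address-pool ITVPNpool
"""

def parse_sections(text):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue  # separators and the ': Saved' / ': end' markers
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def check_vpn_config(text):
    """Return codes for settings that leave remote-access logins failing."""
    sections = parse_sections(text)
    findings = []
    pools = {k.split()[3] for k in sections if k.startswith("ip local pool ")}
    # Local pools are the only address source here, so disabling the local
    # assignment method leaves the ASA with no address to give a client.
    if pools and "no vpn-addr-assign local" in sections:
        findings.append("ADDR_ASSIGN_LOCAL_DISABLED")
    for key in sections:
        m = re.match(r"tunnel-group (\S+) type remote-access$", key)
        if not m:
            continue
        name = m.group(1)
        general = sections.get(f"tunnel-group {name} general-attributes", [])
        pool = [ln.split()[1] for ln in general if ln.startswith("address-pool ")]
        if not pool or pool[0] not in pools:
            findings.append(f"NO_VALID_POOL:{name}")
        # No group-alias (which also needs 'tunnel-group-list enable' under
        # webvpn) or group-url: SSL clients cannot select this tunnel-group.
        web = sections.get(f"tunnel-group {name} webvpn-attributes", [])
        if not any(ln.startswith(("group-alias ", "group-url ")) for ln in web):
            findings.append(f"NOT_SELECTABLE_SSL:{name}")
    return findings
```

Run it against a full `show running-config` paste; it ignores the `!` separators and the `: Saved`/`: end` markers.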
