remote access VPN access config
  • remote access VPN access config

    Hi All,

    I've set up remote VPN access with RADIUS auth. on my Cisco ASA 5505 box. I can connect/authenticate OK, but then I cannot access any internal resources and I cannot figure out why.

    Config below:

    hostname companyUK-gw
    domain-name company.inc
    enable password password encrypted
    names
    name 172.31.48.64 vpn-clientpool
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    speed 100
    duplex full
    !
    interface Ethernet0/2
    speed 100
    duplex full
    !
    interface Ethernet0/3
    speed 100
    duplex full
    !
    interface Ethernet0/4
    speed 100
    duplex full
    !
    interface Ethernet0/5
    speed 100
    duplex full
    !
    interface Ethernet0/6
    speed 100
    duplex full
    !
    interface Ethernet0/7
    speed 100
    duplex full
    !
    passwd password encrypted
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name company.inc
    same-security-traffic permit intra-interface
    object-group network testSitetoSite
    description testSitetoSite
    network-object 172.19.90.0 255.255.255.0
    access-list acl_outside extended permit icmp any any
    access-list acl_inside extended permit ip any any
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.19.90.0 255.255.255.0
    access-list nonat extended permit ip any 192.168.1.96 255.255.255.224
    access-list tunnel extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.19.90.0 255.255.255.0
    access-list Moon-VPN_splitTunnelAcl standard permit any
    pager lines 24
    logging enable
    logging monitor debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN-pool 172.31.48.65-172.31.48.78 mask 255.255.255.240
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-61557.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 1 vpn-clientpool 255.255.255.240
    access-group acl_inside in interface inside
    access-group acl_outside in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server Moon-VPN protocol radius
    aaa-server Moon-VPN host 192.168.1.254
    timeout 5
    key *******
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map vpn 1 match address outside_1_cryptomap
    crypto map vpn 1 set peer IP address
    crypto map vpn 1 set transform-set ESP-3DES-SHA
    crypto map vpn 10 match address tunnel
    crypto map vpn 10 set peer IP address
    crypto map vpn 10 set transform-set ESP-AES-256-SHA
    crypto map vpn 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map vpn interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800

    console timeout 0
    management-access inside
    dhcpd dns 10.0.0.102 10.0.0.107
    dhcpd wins 10.0.0.102 10.0.0.107
    dhcpd lease 1048575
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.33 inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    group-policy Moon-VPN internal
    group-policy Moon-VPN attributes
    dns-server value 192.168.1.254
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Moon-VPN_splitTunnelAcl
    default-domain value company.inc
    tunnel-group IP address type ipsec-l2l
    tunnel-group IP address ipsec-attributes
    pre-shared-key *
    tunnel-group IP address type ipsec-l2l
    tunnel-group IP address ipsec-attributes
    pre-shared-key *
    tunnel-group Moon-VPN type ipsec-ra
    tunnel-group Moon-VPN general-attributes
    address-pool VPN-pool
    authentication-server-group Moon-VPN
    default-group-policy Moon-VPN
    tunnel-group Moon-VPN ipsec-attributes
    pre-shared-key *
    tunnel-group Moon-VPN ppp-attributes
    authentication ms-chap-v2
    prompt hostname context

    Any help would be greatly appreciated!

  • #2
    Re: remote access VPN access config

    Give this a try:

    Code:
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.31.48.65 255.255.255.240
    CCNA, Network+
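    The reply's suggestion targets the NAT-exemption ACL: the posted config applies `nat (inside) 0 access-list nonat`, but none of the `nonat` entries name the remote-access pool (172.31.48.65-172.31.48.78 from `ip local pool VPN-pool`), so replies from the 192.168.1.0/24 LAN to a VPN client fall through to `nat (inside) 1` and are PATed to the outside interface. The following Python script is an added example, not code from the thread or from Cisco: it parses the `access-list ... extended permit ip` and `ip local pool` lines in a saved ASA config and lists every pool address that is not exempted from NAT for the inside network. The sample config inside the script is a constructed excerpt in the shape of the poster's lines; the inside network 192.168.1.0/24 is taken from the config. A mask pair with host bits set, such as the reply's `172.31.48.65 255.255.255.240`, is normalised to its network address (172.31.48.64/28) the way the ASA does.

    ```python
    """Check whether an ASA NAT-exemption (nat 0) ACL covers a remote-access VPN pool.

    Added example for the thread above; parses only the ACE forms used there
    (extended permit ip with any / host / address-mask operands).
    """
    import ipaddress

    # Constructed sample: an excerpt shaped like the poster's running-config.
    SAMPLE_CONFIG = """\
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.19.90.0 255.255.255.0
    access-list nonat extended permit ip any 192.168.1.96 255.255.255.224
    ip local pool VPN-pool 172.31.48.65-172.31.48.78 mask 255.255.255.240
    nat (inside) 0 access-list nonat
    """

    # The entry from the reply; strict=False below zeroes the host bits, as the ASA does.
    SUGGESTED_FIX = "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.31.48.65 255.255.255.240\n"


    def _parse_addr(tokens, i):
        """Parse one ACE address operand at tokens[i]; return (network, next index)."""
        tok = tokens[i]
        if tok == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if tok == "host":
            return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
        # ASA syntax is "address netmask"; ip_network accepts a dotted mask.
        return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


    def parse_acl(config, name):
        """Return [(src_net, dst_net), ...] for every 'extended permit ip' ACE of the named ACL."""
        aces = []
        for line in config.splitlines():
            t = line.split()
            if len(t) < 6 or t[:2] != ["access-list", name] or t[2:5] != ["extended", "permit", "ip"]:
                continue
            src, i = _parse_addr(t, 5)
            dst, _ = _parse_addr(t, i)
            aces.append((src, dst))
        return aces


    def parse_pool(config, name):
        """Return (first, last) IPv4Address of the named 'ip local pool'."""
        for line in config.splitlines():
            t = line.split()
            if t[:3] == ["ip", "local", "pool"] and len(t) > 4 and t[3] == name:
                first, last = t[4].split("-")
                return ipaddress.ip_address(first), ipaddress.ip_address(last)
        raise ValueError(f"pool {name} not found")


    def uncovered_pool_addresses(config, acl_name, pool_name, inside_net):
        """List pool addresses with no ACE exempting inside_net -> address from NAT."""
        aces = parse_acl(config, acl_name)
        first, last = parse_pool(config, pool_name)
        inside = ipaddress.ip_network(inside_net)
        missing = []
        addr = first
        while addr <= last:
            # An ACE covers the client if the inside LAN fits its source and the
            # client address fits its destination.
            covered = any(inside.subnet_of(src) and addr in dst for src, dst in aces)
            if not covered:
                missing.append(str(addr))
            addr += 1
        return missing


    if __name__ == "__main__":
        before = uncovered_pool_addresses(SAMPLE_CONFIG, "nonat", "VPN-pool", "192.168.1.0/24")
        print(f"pool addresses not NAT-exempt before the fix: {len(before)} ({before[0]}..{before[-1]})")
        after = uncovered_pool_addresses(SAMPLE_CONFIG + SUGGESTED_FIX, "nonat", "VPN-pool", "192.168.1.0/24")
        print(f"pool addresses not NAT-exempt after the fix: {len(after)}")
    ```

    Run against the sample, the check reports all fourteen pool addresses as un-exempted; appending the suggested ACE (or the same entry written with the network address 172.31.48.64) brings that to zero. The same approach works on a full `show running-config` capture, and is a quick way to confirm a remote-access pool is exempt before testing connectivity.
    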
