Table of Contents

Creating NAT Translations

8.3 and Up

  1. Create Server Object to Translate (Layer 4 Translation)

    object-group service SERVER_Services tcp
 port-object eq 3389
 port-object eq ident
object network SERVER-3389
 host 172.32.100.5
 nat (inside,outside) static interface service tcp 3389 3389
object network SERVER-ident
 host 172.32.100.5
 nat (inside,outside) static interface service tcp ident ident

  2. Create Access List to allow Services to server (Layer 3 Translation)

    access-list outside_access_in extended permit tcp any host SERVER object-group SERVER_Services

Note that the Host is the Server INTERNAL IP. When the Layer 4 is triggered, it will then verify against the access list of the translation. Put simply, by defining the host in the nat object translation, it uses that field as a type of "Private key" that links to the next step in the translation process.

8.2 and Below

  1. Create Server Objects to Translate (Layer 4 Translation)

    object-group service SERVER_Services tcp
 port-object eq 3389
 port-object range 6100 6199
 port-object eq ident
object-group service NETWORK_SERVICES tcp
 group-object SERVER_Services
 group-object SERVER2_Services
 group-object SERVER3_Services
access-list outside_access_in extended permit tcp any host OUTSIDE_IP object-group NETWORK_SERVICES

  2. Create Access List to allow Services to Server (Layer 3 Translation)

    static (inside,outside) tcp interface ident SERVER ident netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 SERVER 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 6103 SERVER 6103 netmask 255.255.255.255 
static (inside,outside) tcp interface 80 SERVER2 80 netmask 255.255.255.255

How to configure VPN

Site-Site

  1. Define the Networks 

    object-group network Remote_VPN
 network-object 10.10.10.0 255.255.255.0
 network-object 10.20.20.0 255.255.255.0
object-group network Remote_Internal
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.4.0 255.255.255.0
 network-object 172.18.0.0 255.255.0.0
object-group network Remote_Combined
 group-object Remote_VPN
 group-object Remote_Internal

  2. Create the Crypto Map ACL

    access-list outside_cryptomap_1 extended permit ip INTERNAL_NETWORK 255.255.255.0 object-group Remote_Combined

  3. Create the No-Nat ACL (Networks/hosts to which the packets should not be changed)

    access-list VPNNONAT extended permit ip INTERNAL_NETWORK 255.255.255.0 object-group Remote_Combined

  4. Apply the No-NAT

    nat (inside) 0 access-list VPNNONAT

  5. Create a Transform set

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  6. Create the Crypto Map

    crypto map MELONGCryptoMaps 1 match address outside_cryptomap_1
crypto map MELONGCryptoMaps 1 set peer 1.1.1.1
crypto map MELONGCryptoMaps 1 set transform-set ESP-AES-256-SHA
crypto map MELONGCryptoMaps interface outside 

  7. Enable isakmp on interface

    crypto isakmp enable outside

  8. Create isakmp policies (Note, the policy number is for priority. The highest number first, and then tries lower policies after)

    crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

  9. Create policy for Tunnel-Group (Site-Site hosts)

    group-policy Site2Site internal
group-policy Site2Site attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 

  10. Apply Tunnel-Group and Attributes

    tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy Site2Site
tunnel-group 1.1.1.1  ipsec-attributes
 pre-shared-key PASSWORD 



Configure Split-DNS Resolution

ciscoasa# config t
ciscoasa(config)# group-policy POLICY attributes
ciscoasa(config-group-policy)# split-dns value internal.local external.com

Troubleshooting

debug ISAKMP SA negotiations

debug crypto isakmp sa <debug level>

Password Recovery

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

To recover from the loss of passwords, perform the following steps:

--------------------------------------------------------------------------------
Step 1 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-1.

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg
The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011
Configuration Summary:
  boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:
Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot
The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value
Where value is the configuration register value you noted in Step 5. 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

Adding Self Signed Certificates

Via GUI

  1. Open the ASDM and Navigate to the Configuration Button>Click Remote Access VPN (At the bottom)>Drop down Certificate Management>Click Identify Certificates 
  2. In the right Pane, click on the Add Button 
  3. Name the certificate, Check the "Add a new identity certificate" radial, Add check marks 
  4. Afterwards, Navigate to Device Management>Advanced>SSL Settings 
  5. From here, remove any Active Algorithms that you do not want, choose the outside interface that you will access the VPN through and click Edit, choose the self-signed certificate in the drop down list for Primary Enrolled Certificate and click OK
  6. Apply & Save
  • No labels