Versions Compared

Old Version 11

changes.mady.by.user Adam Melong

Saved on

compared with

New Version Current

changes.mady.by.user Adam Melong

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

  1. Create Server Object to Translate (Layer 4 Translation)

    Code Block
    object-group service SERVER_Services tcp
 port-object eq 3389
 port-object eq ident
object network SERVER-3389
 host 172.32.100.5
 nat (inside,outside) static interface service tcp 3389 3389
object network SERVER-ident
 host 172.32.100.5
 nat (inside,outside) static interface service tcp ident ident

  2. Create Access List to allow Services to server (Layer 3 Translation)

    Code Block
    access-list outside_access_in extended permit tcp any host SERVER object-group SERVER_Services

Note that the Host is the Server INTERNAL IP. When the Layer 4 is triggered, it will then verify against the access list of the translation. Put simply, by defining the host in the nat object translation, it uses that field as a type of "Private key" that links to the next step in the translation process.

8.2 and Below

  1. Create Server Objects to Translate (Layer 4 Translation)

    Code Block
    object-group service SERVER_Services tcp
 port-object eq 3389
 port-object range 6100 6199
 port-object eq ident
object-group service NETWORK_SERVICES tcp
 group-object SERVER_Services
 group-object SERVER2_Services
 group-object SERVER3_Services
access-list outside_access_in extended permit tcp any host OUTSIDE_IP object-group NETWORK_SERVICES

  2. Create Access List to allow Services to Server (Layer 3 Translation)

    Code Block
    static (inside,outside) tcp interface ident SERVER ident netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 SERVER 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 6103 SERVER 6103 netmask 255.255.255.255 
static (inside,outside) tcp interface 80 SERVER2 80 netmask 255.255.255.255

...

Code Block
ciscoasa# config t
ciscoasa(config)# group-policy POLICY attributes
ciscoasa(config-group-policy)# split-dns value internal.local extenralexternal.com

Troubleshooting

debug ISAKMP SA negotiations

...

Code Block
hostname(config)# copy running-config startup-config

Adding Self Signed Certificates

Via GUI

  1. Open the ASDM and Navigate to the Configuration Button>Click Remote Access VPN (At the bottom)>Drop down Certificate Management>Click Identify Certificates 
    1. Image Added
  2. In the right Pane, click on the Add Button 
    1. Image Added
  3. Name the certificate, Check the "Add a new identity certificate" radial, Add check marks 
    1. Image Added
  4. Afterwards, Navigate to Device Management>Advanced>SSL Settings 
    1. Image Added
  5. From here, remove any Active Algorithms that you do not want, choose the outside interface that you will access the VPN through and click Edit, choose the self-signed certificate in the drop down list for Primary Enrolled Certificate and click OK
    1. Image Added
  6. Apply & Save