Versions Compared

Old Version 2

changes.mady.by.user Adam Melong

Saved on

compared with

New Version Current

changes.mady.by.user Adam Melong

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Table of Contents

Table of Contents

ASA

How to configure VPN

Creating NAT Translations

8.3 and Up

  1. Create Server Object to Translate (Layer 4 Translation)

    Code Block
    object-group service SERVER_Services tcp
 port-object eq 3389
 port-object eq ident
object network SERVER-3389
 host 172.32.100.5
 nat (inside,outside) static interface service tcp 3389 3389
object network SERVER-ident
 host 172.32.100.5
 nat (inside,outside) static interface service tcp ident ident

  2. Create Access List to allow Services to server (Layer 3 Translation)

    Code Block
    access-list outside_access_in extended permit tcp any host SERVER object-group SERVER_Services

Note that the Host is the Server INTERNAL IP. When the Layer 4 is triggered, it will then verify against the access list of the translation. Put simply, by defining the host in the nat object translation, it uses that field as a type of "Private key" that links to the next step in the translation process.

8.2 and Below

  1. Create Server Objects to Translate (Layer 4 Translation)

    Code Block
    object-group service SERVER_Services tcp
 port-object eq 3389
 port-object range 6100 6199
 port-object eq ident
object-group service NETWORK_SERVICES tcp
 group-object SERVER_Services
 group-object SERVER2_Services
 group-object SERVER3_Services
access-list outside_access_in extended permit tcp any host OUTSIDE_IP object-group NETWORK_SERVICES

  2. Create Access List to allow Services to Server (Layer 3 Translation)

    Code Block
    static (inside,outside) tcp interface ident SERVER ident netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 SERVER 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 6103 SERVER 6103 netmask 255.255.255.255 
static (inside,outside) tcp interface 80 SERVER2 80 netmask 255.255.255.255

How to configure VPN

Site-Site

  1. Define the Networks 

    Code Block
    themeRDark
    object-group network Remote_VPN
 network-object 10.10.10.0 255.255.255.0
 network-object 10.20.20.0 255.255.255.0
object-group network Remote_Internal
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.4.0 255.255.255.0
 network-object 172.18.0.0 255.255.0.0
object-group network Remote_Combined
 group-object Remote_VPN
 group-object Remote_Internal

  2. Create the Crypto Map ACL

    Code Block
    themeRDark
    access-list outside_cryptomap_1 extended permit ip INTERNAL_NETWORK 255.255.255.0 object-group Remote_Combined

  3. Create the No-Nat ACL (Networks/hosts to which the packets should not be changed)

    Code Block
    themeRDark
    access-list VPNNONAT extended permit ip INTERNAL_NETWORK 255.255.255.0 object-group Remote_Combined

  4. Apply the No-NAT

    Code Block
    themeRDark
    nat (inside) 0 access-list VPNNONAT

  5. Create a Transform set

    Code Block
    themeRDark
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  6. Create the Crypto Map

    Code Block
    themeRDark
    crypto map MELONGCryptoMaps 1 match address outside_cryptomap_1
crypto map MELONGCryptoMaps 1 set peer 1.1.1.1
crypto map MELONGCryptoMaps 1 set transform-set ESP-AES-256-SHA
crypto map MELONGCryptoMaps interface outside 

  7. Enable isakmp on interface

    Code Block
    themeRDark
    crypto isakmp enable outside

  8. Create isakmp policies (Note, the policy number is for priority. The highest number first, and then tries lower policies after)

    Code Block
    themeRDark
    crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

  9. Create policy for Tunnel-Group (Site-Site hosts)

    Code Block
    group-policy Site2Site internal
group-policy Site2Site attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 

  10. Apply Tunnel-Group and Attributes

    Code Block
    tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy Site2Site
tunnel-group 1.1.1.1  ipsec-attributes
 pre-shared-key PASSWORD 



Configure Split-DNS Resolution

Code Block
ciscoasa# config t
ciscoasa(config)# group-policy POLICY attributes
ciscoasa(config-group-policy)# split-dns value internal.local extenralexternal.com

Troubleshooting

Debugs debug ISAKMP SA negotiations:

debug crypto isakmp sa <debug level>

Password Recovery

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

...

*Table of Contents* {toc} h1. First Header h1. Second Header {rate}
Code Block
hostname(config)# copy running-config startup-config
Wiki Markup
Adding Self Signed Certificates
Via GUI
  1. Open the ASDM and Navigate to the Configuration Button>Click Remote Access VPN (At the bottom)>Drop down Certificate Management>Click Identify Certificates 
    1. Image Added
  2. In the right Pane, click on the Add Button 
    1. Image Added
  3. Name the certificate, Check the "Add a new identity certificate" radial, Add check marks 
    1. Image Added
  4. Afterwards, Navigate to Device Management>Advanced>SSL Settings 
    1. Image Added
  5. From here, remove any Active Algorithms that you do not want, choose the outside interface that you will access the VPN through and click Edit, choose the self-signed certificate in the drop down list for Primary Enrolled Certificate and click OK
    1. Image Added
  6. Apply & Save