Basic ASA configuration

Hi all,

I'm trying to get an SSL-VPN up on an ASA, I know how to do this configuration but I can't figure out how to get the ASA to work 'correctly'. Never used this platform before.

[Attached image: network diagram]

Image to help. (where it says public IP, that should also say G 0/0 and not on the switch).

So I have the management interface configured with 9.9.6.4/24 which connects directly to a L3 switch which does all of the management routing.
Int g 0/0 has a public IP and I've named the port 'external'
Int g 0/1 has 9.9.3.253 as the IP which goes to the same L3 switch. This is called internal.

When I use ping management x.x.x.x I can ping around the 9.9.6.0/24 network as I need to. (it would be nice to ping 9.9.0.0/16, but routing conflicts come later)

I can also ping onto the internet from the external port with the public IP.

Now the 9.9.3.0/24 network is the range of IP addresses I want to give out for the VPN connection.
When I try and ping internal x.x.x.x though I can only ping the L3 switch, 9.9.3.254 and nothing else, not even another SVI on the l3 switch.

This is annoying me... any suggestions?? Thanks

Code:
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 9.9.6.4 255.255.255.0

SSL-VPN# sh run int g 0/0
!
interface GigabitEthernet0/0
 nameif external
 security-level 50
 ip address PUBLIC_IP  255.255.255.240

SSL-VPN# sh run int g 0/1
!
interface GigabitEthernet0/1
 nameif internal
 security-level 50
 ip address 9.9.3.253 255.255.255.0

SSL-VPN# sh run | i route
route external 0.0.0.0 0.0.0.0 PUBLIC_IP_GATEWAY 1
route internal 9.9.0.0 255.255.0.0 9.9.3.254 1
 
For a start you need to amend the security level on your external interface to lower than the internal - ideally 0.

We'll also need a full sanitised config because only seeing part of it means that what we have here is just guess work.

- GP
 
Thanks Ghost, will do that for a start... Sure, I assumed there is like a standard default config hence not adding all of it. I haven't changed anything else manually apart from what I attached.

Code:
SSL-VPN# sh run
: Saved
:
ASA Version 9.1(3)
!
hostname SSL-VPN
enable password ******** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif external
 security-level 0
 ip address PUBLIC_IP 255.255.255.240
!
interface GigabitEthernet0/1
 nameif internal
 security-level 50
 ip address 9.9.3.253 255.255.255.0
!
<snip interfaces as not in use>
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 9.9.6.4 255.255.255.0
!
ftp mode passive
pager lines 24
mtu external 1500
mtu Management 1500
mtu internal 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route external 0.0.0.0 0.0.0.0 PUBLIC_GATEWAY 1
route internal 9.9.0.0 255.255.0.0 9.9.3.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 26
  subscribe-to-alert-group configuration periodic monthly 26
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5e4efbd6066c7491742bb885bff24874
: end
 
OK just re-read that a bit. You say you want users who connect to the Anyconnect VPN to get an IP on the 9.9.3.0/24 network? If that's the case then you need to create a pool and remove the range from that interface of the firewall, you wouldn't set it to an interface.

What's an example IP you're trying to ping through the switch and what's the routing table on the switch like?

- GP
 
I've had an Any-Connect setup running on IOS (2921)
Code:
svc address-pool "pool-svc" netmask 255.255.255.0
ip local pool pool-svc 9.9.10.1 9.9.10.252
GigabitEthernet0/1.120     9.9.10.253
Here we had 1 IP address on the box itself and then the pool was 9.9.10.1 - 252. For example my PC is now using 9.9.10.50.
I thought this would be the same on the ASA. I'm not even starting the AnyConnect configuration until I've understood this bit.

Code:
SSL-VPN# ping management 9.9.6.219
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.6.219, timeout is 2 seconds:
!!!!!
SSL-VPN# ping internal 9.9.6.219
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.6.219, timeout is 2 seconds:
????
As for the routing table on the switch it doesn't matter so much, it's all static routes and connected interfaces... here's a snippet.
Code:
C       9.9.0.0/24 is directly connected, Vlan110
C       9.9.1.0/24 is directly connected, Vlan111
C       9.9.3.0/24 is directly connected, Vlan113
C       9.9.5.0/24 is directly connected, Vlan115
C       9.9.6.0/24 is directly connected, Vlan116
C       9.9.7.0/24 is directly connected, Vlan117
C       9.9.8.0/24 is directly connected, Vlan118
C       9.9.9.0/24 is directly connected, Vlan119
C       9.9.10.0/24 is directly connected, Vlan120
The example above was just trying to ping a Windows server, it works fine on the management interface but not the internal one.
The switch can ping the server from the VLAN interface also.
Code:
Switch#ping 9.9.6.219 source vl 113

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.6.219, timeout is 2 seconds:
Packet sent with a source address of 9.9.3.254
!!!!!

Feel silly how I can't figure this one out :p
 
Just put the full configuration back on. My laptop is getting 9.9.3.1 as expected and can ping 8.8.8.8 onto the internet as it's not going over the tunnel. Though I can't ping anything on the 9.9.x.x network.

Code:
hostname SSL-VPN
enable password ***** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool AnyConnect-POOL 9.9.3.1-9.9.3.252 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif external
 security-level 0
 ip address PUBLIC_IP 255.255.255.240
!
interface GigabitEthernet0/1
 nameif internal
 security-level 50
 ip address 9.9.3.253 255.255.255.0
!
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 9.9.6.4 255.255.255.0
!
ftp mode passive
object network NETWORK_OBJ_9.9.3.0_24
 subnet 9.9.3.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL remark To access all inbound mgmt
access-list SPLIT_TUNNEL_ACL standard permit 9.9.0.0 255.255.0.0
pager lines 24
mtu external 1500
mtu Management 1500
mtu internal 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (internal,external) source static any any destination static NETWORK_OBJ_9.9.3.0_24 NETWORK_OBJ_9.9.3.0_24 no-proxy-arp route-lookup
route external 0.0.0.0 0.0.0.0 PUBLIC_GATEWAY 1
route internal 9.9.0.0 255.255.0.0 9.9.3.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol tacacs+
aaa-server ACS (Management) host 9.9.6.233
 timeout 5
 key *****
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable external
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.02026-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_AnyConnect-VPN internal
group-policy GroupPolicy_AnyConnect-VPN attributes
 wins-server none
 dns-server value 9.9.6.231 9.9.6.232
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 default-domain value dmz.lab
username admin password uOxuG2EKbLbVqlG4 encrypted privilege 15
tunnel-group AnyConnect-VPN type remote-access
tunnel-group AnyConnect-VPN general-attributes
 address-pool AnyConnect-POOL
 authentication-server-group ACS
 default-group-policy GroupPolicy_AnyConnect-VPN
tunnel-group AnyConnect-VPN webvpn-attributes
 group-alias AnyConnect-VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 26
  subscribe-to-alert-group configuration periodic monthly 26
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e8263a8f91a61e46be17c529408207c7
: end
 
Have you got ICMP ECHO v4 enabled on the Windows Server? It's disabled by default.
I can ping it from other devices, either way I can't ping anything else. Linux machines, IOS machines, XR machines... anything :) So the Windows settings are irrelevant.

Thanks
 
Unless I'm not reading it right (it's early, I've not had coffee, etc) it doesn't look like you've got any firewall rules setup. The only ACL you have is for split tunnel, but that won't permit traffic through the ASA which is first and foremost a firewall.

Turn on logging and have it output to syslog or use the ASDM console to output the logs as it's really useful, you should see the traffic getting dropped.

I've not really done VPN on these yet, but I would imagine you'd need an outside access in ACL from your VPN network to your internal network ranges and then things should start working.
 
Hmmm, sorry just noticed that your inside interface contains the same ip ranges as the VPN pool... You could try putting a static route on the l3 switch for one of the clients via the IP address of the firewall.
Sounds odd I know, but don't forget that the clients are 'behind' the FW interface so won't respond to arp etc. so it's worth a shot...
 
As per my earlier post - put either the network or the clients on a separate subnet

- GP
But surely I can't give out addresses to the clients on a network which doesn't exist on that ASA itself.

I noticed something this morning while sitting with an engineer. I could ping 9.9.1.50 for example (from internal).. the only thing I couldn't ping is 9.9.6.x because the management interface was using this.

Since then I've scrapped the mgmt interface and only using 2 gig ports. It appears to be working, just need to play with profiles so users on RDP sessions can connect as we will need to connect via our laptops to our DMZ and then from our servers behind the DMZ to another network also behind a DMZ... ;)
 
Hmm, I did a few basic ping tests earlier and that worked... haven't tried anything more though. I really want this to be as simple as possible. As soon as we have IPSEC GRE, L2TPv3 tunnels going out of the network to the customer we hit firewalls.. They basically block EVERYTHING and have to permit anything.. Testing if tunnels are up is a pain because of this.

Need to work on this tonight anyway.
 
I think you need to do some more reading on how this technology works. The entire idea is that the VPN pool is NOT on an internal range. There are lots of reasons, security being one.

- GP
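As an added example (not code from the thread, from Cisco, or from any poster), here is a small Python audit that pulls the three checks raised in this thread out of an ASA running-config: the external interface must sit below every inside interface (ideally security-level 0), the AnyConnect address pool must not overlap a subnet that is directly connected to an interface, and whether any interface ACL is applied at all. The sample config is constructed from the sanitised one posted above with PUBLIC_IP replaced by the documentation address 203.0.113.10; the function names and severity labels are my own.

```python
import ipaddress
import re

# Constructed sample modelled on the sanitised config posted earlier in the
# thread; PUBLIC_IP is replaced with the documentation address 203.0.113.10.
SAMPLE_CONFIG = """\
ip local pool AnyConnect-POOL 9.9.3.1-9.9.3.252 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif external
 security-level 0
 ip address 203.0.113.10 255.255.255.240
!
interface GigabitEthernet0/1
 nameif internal
 security-level 50
 ip address 9.9.3.253 255.255.255.0
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 9.9.6.4 255.255.255.0
!
route internal 9.9.0.0 255.255.0.0 9.9.3.254 1
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


def parse_interfaces(config):
    """Map each nameif to its connected subnet and security level."""
    interfaces = {}
    current = None
    for line in config.splitlines() + ["!"]:  # trailing "!" flushes the last block
        if line.startswith("interface "):
            current = {}
            continue
        if line.strip() == "!":
            if current and "nameif" in current:
                interfaces[current["nameif"]] = current
            current = None
            continue
        parts = line.split()
        if current is None or not parts:
            continue
        if parts[0] == "nameif":
            current["nameif"] = parts[1]
        elif parts[0] == "security-level":
            current["security_level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            try:
                current["network"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
            except ValueError:
                pass  # sanitised placeholder such as PUBLIC_IP: no subnet to check
    return interfaces


def parse_pools(config):
    """Map each 'ip local pool' name to its (first, last) address."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def audit(config):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    interfaces = parse_interfaces(config)
    pools = parse_pools(config)

    # 1. A VPN pool must not overlap a subnet connected to an interface: the
    #    L3 switch would ARP for clients that sit behind the firewall and never
    #    answer, which is exactly the symptom described in the thread.
    for pool_name, (first, last) in pools.items():
        for nameif, info in interfaces.items():
            net = info.get("network")
            if net and first <= net.broadcast_address and last >= net.network_address:
                findings.append(("high", f"pool {pool_name} ({first}-{last}) overlaps "
                                         f"connected subnet {net} on interface {nameif}"))

    # 2. The outside interface should sit below every inside interface so the
    #    implicit same-level rule does not expose inside networks to it.
    ext = interfaces.get("external")
    if ext and ext.get("security_level") is not None:
        for nameif, info in interfaces.items():
            lvl = info.get("security_level")
            if nameif != "external" and lvl is not None and lvl <= ext["security_level"]:
                findings.append(("medium", f"interface {nameif} (level {lvl}) is not above "
                                           f"external (level {ext['security_level']})"))

    # 3. No access-group means no interface ACL at all. Note that decrypted VPN
    #    traffic bypasses interface ACLs while 'sysopt connection permit-vpn'
    #    is on (the ASA default), so filter it with a VPN filter instead.
    if not any(ACCESS_GROUP_RE.match(line) for line in config.splitlines()):
        findings.append(("info", "no access-group applied to any interface"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the pool overlap on the internal interface and the missing interface ACL; moving the pool to a range that is not on any interface (as GP suggests) clears the high finding.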
 
Right, I think I get where you're coming from.

Our network is a test network, we have 13 racks full of equipment (UCS, Nexus, ASR etc) to test a solution. We needed connectivity to third party sites and to allow any protocols we want. Our corporate IT block so many things so we ended up getting our own leased line into our remote DMZ. It is totally isolated from our corporate network.

We therefore have an internet connection coming straight into a rack and an AnyConnect VPN (2921s); these are assigned a public IP. Connected off this 2921 we have a 3750 switch performing L3 routing for the mgmt of the network, as shown in the picture in the original post. We currently perform NAT on these 2921s as well.
The 3750 holds all of the gateways for the VLANs which windows/linux servers use as well as the management IP addresses on the devices under test.

The whole purpose of the VPN is to allow users anywhere on the internet to get onto these test devices which are somewhere on the internet behind what we call our DMZ.

Therefore we have the Public IPs and the other side is just a management network (9.9/16)... there isn't a firewall or anything connected to a corporate network.

Hope this makes it clearer.
 
Everything appears to be working apart from 1 major problem... user authentication. It's done via TACACS to an ACS server.

I run the tacacs test from ASDM and it is successful, I try and login via the https://..... and it just says login failed. But in ACS I see the successful authentication trend going up for TACACS.

I rebooted the ASA and managed to login with 1 account, I refresh the page and try another and denied... I try the original account and it gets denied!? This is just making no sense at all.

Edit: .... ;) licensing problem lol. Oh dear. Managed to find a CCIE in Security from TAC and asked him to take a quick look.
 