
Example of 3 VPN Groups on ASA

 

In the following example, we create 3 VPN groups: VPN198, CVPN198 and VPN1. The VPN198 client can access the remote network resources, the local network and the Internet via the local router. The CVPN198 client can access the remote network and the Internet via the remote gateway, but not the local network. VPN1 can be established by only one user and can access only one remote computer (note: we set up an access rule in the PIX to limit it to one IP address).

 

ASA Version 7.0(6)
!
hostname ASA5510
domain-name chicagotech.net
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.198 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.101.4 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.252.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only

ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip any 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip host 10.0.0.11 host 192.168.199.1
access-list test_splitTunnelAcl standard permit any
access-list outside_access_out extended permit tcp any host x.x.x.198 eq 3389
access-list inside_nat0_outbound_V1 extended permit ip any 192.168.198.0 255.255.255.0
access-list VPN198_splitTunnelAcl standard permit 10.0.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpn198 192.168.198.10-192.168.198.254 mask 255.255.255.0
ip local pool vpn199 192.168.199.1 mask 255.255.255.255
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (outside) 10 192.168.198.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_V1
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 10 172.16.0.0 255.255.0.0
static (inside,outside) tcp interface 3389 10.0.3.2 3389 netmask 255.255.255.255
access-group outside_access_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route DMZ 10.0.0.0 255.255.0.0 172.16.252.2 1
route DMZ 192.168.254.0 255.255.255.0 172.16.252.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list ts "TS" http://10.0.0.11
port-forward TS 3389 10.0.0.11 3389 TS
aaa-server IASIP12 protocol radius
aaa-server IASIP12 (DMZ) host 10.0.0.12
timeout 30
key c0urt
group-policy CVPN1 internal
group-policy test internal
group-policy test attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
webvpn
group-policy CVPN198 internal
group-policy CVPN198 attributes
wins-server value 10.0.0.29 10.0.0.19
dns-server value 10.0.0.29 10.0.0.19
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN198_splitTunnelAcl
default-domain value chicagotech.net
webvpn
group-policy DfltGrpPolicy attributes
banner none
wins-server value 10.0.0.29 10.0.0.19
dns-server value 10.0.0.29 10.0.0.19
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy VPN198 internal
group-policy VPN198 attributes
wins-server value 10.0.0.29 10.0.0.19
dns-server value 10.0.0.29 10.0.0.19
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN198_splitTunnelAcl
default-domain value chicagotech.net
webvpn

vpn-group-policy CVPN198
webvpn

vpn-group-policy CVPN198
webvpn
vpn-group-policy CVPN198
webvpn

http server enable

http 172.16.252.0 255.255.255.0 DMZ
http 10.0.0.0 255.255.0.0 DMZ
http 192.168.1.0 255.255.255.0 management
http redirect outside 8080
http redirect inside 8080
http redirect DMZ 80
http redirect management 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
isakmp enable outside
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
address-pool vpn198
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group CVPN198 type ipsec-ra
tunnel-group CVPN198 general-attributes
address-pool vpn198
authentication-server-group IASIP12 LOCAL
authentication-server-group (DMZ) IASIP12 LOCAL
tunnel-group CVPN198 ipsec-attributes
pre-shared-key *
authorization-dn-attributes use-entire-name
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
address-pool vpn199
authentication-server-group IASIP12 LOCAL
authentication-server-group (DMZ) IASIP12 LOCAL
default-group-policy CVPN198
tunnel-group test ipsec-attributes
pre-shared-key *
tunnel-group VPN198 type ipsec-ra
tunnel-group VPN198 general-attributes
address-pool vpn198
authentication-server-group IASIP12
authentication-server-group (DMZ) IASIP12 LOCAL
default-group-policy VPN198
tunnel-group VPN198 ipsec-attributes
pre-shared-key *
tunnel-group CVPN1 type ipsec-ra
tunnel-group CVPN1 general-attributes
address-pool vpn199
authentication-server-group (DMZ) none
default-group-policy CVPN198
strip-group
tunnel-group CVPN1 ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 74.8.8.142 255.255.255.255 outside
telnet 172.16.0.0 255.255.0.0 DMZ
telnet 10.0.0.0 255.255.0.0 DMZ
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh x.x.x.208 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 4.2.2.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp authenticate
ntp server 71.13.91.122 source outside
ntp server 204.152.184.138 source outside prefer

: end
[OK]
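As an added audit aid (example code written for this page, not from ChicagoTech.net or Cisco), the following Python script parses the flat group-policy and tunnel-group stanzas in a running-config like the one above and reports what each tunnel-group actually gets: its address pool, the effective group policy (falling back to DfltGrpPolicy when none is set), the split-tunnel mode, and two warnings a reviewer would want: a "tunnelspecified" policy whose split ACL is "permit any" (which tunnels everything anyway, as test_splitTunnelAcl does), and a tunnel-group whose authentication-server-group is "none". The sample is a constructed excerpt of the page's config, and reading "none" as "no per-user authentication, group pre-shared key only" is my interpretation.

```python
SAMPLE_CONFIG = """\
access-list test_splitTunnelAcl standard permit any
access-list VPN198_splitTunnelAcl standard permit 10.0.0.0 255.255.0.0
group-policy test attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
group-policy CVPN198 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN198_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
address-pool vpn198
tunnel-group CVPN1 general-attributes
address-pool vpn199
authentication-server-group (DMZ) none
default-group-policy CVPN198
"""  # constructed excerpt of the page's config (flat, as printed above)
def parse_asa(text):
    """Flat ASA config -> ACL entries, group-policy attrs, tunnel-group attrs."""
    acls, policies, groups, cur = {}, {}, {}, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(" ".join(tok[2:]))
        elif tok[0] in ("group-policy", "tunnel-group"):
            table = policies if tok[0] == "group-policy" else groups
            cur = table.setdefault(tok[1], {}) if tok[-1].endswith("attributes") else None
        elif cur is not None:
            cur[tok[0]] = " ".join(tok[1:])  # later duplicates win, e.g. the (DMZ) auth group
    return acls, policies, groups

def effective_split(policies, acls, pol_name):
    """Split-tunnel mode a client really gets; unset attributes inherit DfltGrpPolicy."""
    pol, dflt = policies.get(pol_name, {}), policies.get("DfltGrpPolicy", {})
    mode = pol.get("split-tunnel-policy") or dflt.get("split-tunnel-policy", "tunnelall")
    acl = (pol.get("split-tunnel-network-list") or "").replace("value ", "") or None
    if mode == "tunnelspecified" and any(e.endswith("permit any") for e in acls.get(acl, [])):
        return mode, acl, "split ACL permits any: behaves like tunnelall"
    return mode, acl, None

def audit(text):
    """Per tunnel-group: effective policy, pool, split mode and warnings."""
    acls, policies, groups = parse_asa(text)
    report = {}
    for name, g in groups.items():
        pol = g.get("default-group-policy", "DfltGrpPolicy")
        mode, acl, warn = effective_split(policies, acls, pol)
        warnings = [warn] if warn else []
        if "none" in g.get("authentication-server-group", "LOCAL").split():
            warnings.append("no per-user authentication: group pre-shared key only")
        report[name] = dict(policy=pol, pool=g.get("address-pool"), split=mode, acl=acl, warnings=warnings)
    return report
```

Run audit() over the full "show running-config" output to see all five tunnel-groups; the stanza parser does not depend on indentation, so it works on the flattened text above as well as on a normal config.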

Copyright © 2002-2007 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.