2
CISCO ASA VPN Internet Access
Hallo ich hab ein Probelm wenn sich ein Externer VPN Client auf die ASA Connected hat kommt er nicht mehr ins Internet.
Allow Local Lan Access oder Nat Traversal hab ich schon eingstellt aber irgendwie klappts noch nicht
Vielleicht hat einer eine Idee, anbei die Config
greetz Tobi
ciscoasa(config)# sh run
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 1r0Rdadsadssst5BaktWqxhfa encrypted
passwd 2sdadsKFQnbNIdI.2KYOU encrypted
names
name 192.168.142.99 Exchange
name +++++++++ owa
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.142.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DSL
ip address pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any host owa eq smtp
access-list outside_access_in extended permit tcp any host owa eq https
access-list outside_access_in extended permit tcp any host owa eq www
access-list outside_access_in extended permit tcp any host owa eq ident
access-list NONAT extended permit ip 192.168.142.0 255.255.255.0 192.168.156.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.152.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.142.0 255.255.255.0 192.168.156.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any host 192.168.156.1
access-list *_splitTunnelAcl standard permit any
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn-* 192.168.156.5
ip local pool Pool-* 192.168.152.1-192.168.152.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.142.0 255.255.255.0 tcp 1024 1024
static (inside,outside) tcp interface www Exchange www netmask 255.255.255.255 tcp 1024 1024
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255 tcp 1024 1024
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255 tcp 1024 1024
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server * protocol nt
aaa-server * (inside) host Exchange
nt-auth-domain-controller 192.168.142.99
http server enable
http 192.168.142.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set schluessel esp-3des esp-sha-hmac
crypto dynamic-map dynmap 99 set transform-set schluessel
crypto dynamic-map dynmap 119 set pfs group1
crypto dynamic-map dynmap 119 set transform-set schluessel
crypto dynamic-map dynmap 139 set pfs group1
crypto dynamic-map dynmap 139 set transform-set schluessel
crypto map newmap 31 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group DSL request dialout pppoe
vpdn group DSL localname *
vpdn group DSL ppp authentication pap
vpdn username * password *
dhcpd auto_config outside
dhcpd update dns both override
!
ntp server 141.2.21.74 source outside prefer
group-policy * internal
group-policy * attributes
wins-server value 192.168.142.1
dns-server value 192.168.142.1
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 10
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
address-pool Pool-*
authentication-server-group *
default-group-policy *
tunnel-group TunnelGroup1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:20be731eddbfd6362407841b3554ea6c
: end
Allow Local Lan Access oder Nat Traversal hab ich schon eingstellt aber irgendwie klappts noch nicht
Vielleicht hat einer eine Idee, anbei die Config
greetz Tobi
ciscoasa(config)# sh run
- Saved
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 1r0Rdadsadssst5BaktWqxhfa encrypted
passwd 2sdadsKFQnbNIdI.2KYOU encrypted
names
name 192.168.142.99 Exchange
name +++++++++ owa
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.142.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DSL
ip address pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any host owa eq smtp
access-list outside_access_in extended permit tcp any host owa eq https
access-list outside_access_in extended permit tcp any host owa eq www
access-list outside_access_in extended permit tcp any host owa eq ident
access-list NONAT extended permit ip 192.168.142.0 255.255.255.0 192.168.156.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.152.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.142.0 255.255.255.0 192.168.156.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any host 192.168.156.1
access-list *_splitTunnelAcl standard permit any
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn-* 192.168.156.5
ip local pool Pool-* 192.168.152.1-192.168.152.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.142.0 255.255.255.0 tcp 1024 1024
static (inside,outside) tcp interface www Exchange www netmask 255.255.255.255 tcp 1024 1024
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255 tcp 1024 1024
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255 tcp 1024 1024
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server * protocol nt
aaa-server * (inside) host Exchange
nt-auth-domain-controller 192.168.142.99
http server enable
http 192.168.142.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set schluessel esp-3des esp-sha-hmac
crypto dynamic-map dynmap 99 set transform-set schluessel
crypto dynamic-map dynmap 119 set pfs group1
crypto dynamic-map dynmap 119 set transform-set schluessel
crypto dynamic-map dynmap 139 set pfs group1
crypto dynamic-map dynmap 139 set transform-set schluessel
crypto map newmap 31 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group DSL request dialout pppoe
vpdn group DSL localname *
vpdn group DSL ppp authentication pap
vpdn username * password *
dhcpd auto_config outside
dhcpd update dns both override
!
ntp server 141.2.21.74 source outside prefer
group-policy * internal
group-policy * attributes
wins-server value 192.168.142.1
dns-server value 192.168.142.1
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 10
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
address-pool Pool-*
authentication-server-group *
default-group-policy *
tunnel-group TunnelGroup1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:20be731eddbfd6362407841b3554ea6c
: end
Share on Facebook
Share on Twitter
Share on Reddit
Share on LinkedinPlease also mark the comments that contributed to the solution of the article
Content-Key: 141708
Url: https://administrator.de/contentid/141708
Printed on: April 19, 2024 at 10:04 o'clock
2 Comments
Latest comment
Hi,
du kannst unter"Remot Access VPN" --> "Network Access" --> "Group Policy" einstellen welcher Traffic durch den Tunnel geleitet werden soll. Im Falle von "Tunnel all Networks" wird auch der Internet-Traffic der VPN-Clients sobald diese verbunden sind durch den VPN-Tunnel zu deiner ASA geschickt.
Also entweder die Policy auf "Tunnel Network List bellow" stellen, oder auf der ASA enstprechende Koniguration vornehmen.
cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml#diag
mfg
Antos
du kannst unter"Remot Access VPN" --> "Network Access" --> "Group Policy" einstellen welcher Traffic durch den Tunnel geleitet werden soll. Im Falle von "Tunnel all Networks" wird auch der Internet-Traffic der VPN-Clients sobald diese verbunden sind durch den VPN-Tunnel zu deiner ASA geschickt.
Also entweder die Policy auf "Tunnel Network List bellow" stellen, oder auf der ASA enstprechende Koniguration vornehmen.
cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml#diag
mfg
Antos
Außerdem kann ein Blick ins Logg mit show logg und entsprechend aktiviertem Debugging nicht schaden, denn da siehst du sofort wo es kneift..
