
Example of ASA VPN with IAS Authentication

ASA Version 7.0(6)
!
hostname chicagotech
domain-name chicagotech.net
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.198 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.101.4 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.252.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip any 192.168.198.0 255.255.255.0
access-list test_splitTunnelAcl standard permit any
access-list outside_access_out extended permit tcp any host x.x.x.198 eq 3389
access-list VNP198_splitTunnelAcl standard permit any
access-list inside_nat0_outbound_V1 extended permit ip any 192.168.198.0 255.255.255.0
access-list VPN198_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpn198 192.168.198.10-192.168.198.254 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (outside) 10 192.168.198.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_V1
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 10 172.16.0.0 255.255.0.0
static (inside,outside) tcp interface 3389 10.0.3.2 3389 netmask 255.255.255.255
access-group outside_access_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route DMZ 10.0.0.0 255.255.0.0 172.16.252.2 1
route DMZ 192.168.254.0 255.255.255.0 172.16.252.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list ts "TS" http://10.0.3.2
port-forward TS 3389 10.0.3.2 3389 TS
aaa-server IASIP12 protocol radius
aaa-server IASIP12 (DMZ) host 10.0.0.12
 timeout 30
 key xxxxxxxx
group-policy test internal
group-policy test attributes
 wins-server value 10.0.0.29 10.0.0.19
 dns-server value 10.0.0.29 10.0.0.19
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
 default-domain value chicagotech.net
 webvpn
group-policy VPN123 internal
group-policy VPN123 attributes
 wins-server value 10.0.0.29 10.0.0.19
 dns-server value 10.0.0.29 10.0.0.19
 default-domain value chicagotech.net
 webvpn
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy VPN198 internal
group-policy VPN198 attributes
 wins-server value 10.0.0.29 10.0.0.19
 dns-server value 10.0.0.29 10.0.0.19
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN198_splitTunnelAcl
 default-domain value chicagotech.net
 webvpn
vpn-group-policy VPN123
 webvpn
vpn-group-policy VPN123
 webvpn
http server enable
http 172.16.252.0 255.255.255.0 DMZ
http 10.0.0.0 255.255.0.0 DMZ
http 192.168.1.0 255.255.255.0 management
http redirect inside 8080
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
isakmp enable outside
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group VPN123 type ipsec-ra
tunnel-group VPN123 ipsec-attributes
 pre-shared-key *
 authorization-dn-attributes use-entire-name
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool vpn198
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
tunnel-group VPN198 type ipsec-ra
tunnel-group VPN198 general-attributes
 address-pool vpn198
 authentication-server-group IASIP12
 authentication-server-group (DMZ) IASIP12 LOCAL
 default-group-policy VPN198
tunnel-group VPN198 ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 172.16.0.0 255.255.0.0 DMZ
telnet 10.0.0.0 255.255.0.0 DMZ
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh x.x.x.208 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 4.2.2.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp authenticate
ntp server 71.13.91.122 source outside
ntp server 204.152.184.138 source outside prefer
: end
[OK]
chicagotech#
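In the configuration above only the VPN198 tunnel-group is wired to the IAS RADIUS server group (IASIP12); the test and VPN123 tunnel-groups carry no authentication-server-group and so authenticate against the ASA's LOCAL database. The following is an added audit script, not code from the page or from Cisco: it parses an ASA 7.x running-config into top-level commands with their indented sub-commands and reports, for each ipsec-ra tunnel-group, which server group it authenticates against, whether that group is actually defined, and whether a LOCAL fallback is configured. The SAMPLE excerpt is a constructed reduction of the config above.

```python
import re

# Constructed excerpt modelled on the running-config above (not the real config).
SAMPLE = """\
aaa-server IASIP12 protocol radius
aaa-server IASIP12 (DMZ) host 10.0.0.12
 key xxxxxxxx
tunnel-group VPN123 type ipsec-ra
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool vpn198
tunnel-group VPN198 type ipsec-ra
tunnel-group VPN198 general-attributes
 authentication-server-group IASIP12
 authentication-server-group (DMZ) IASIP12 LOCAL
"""

def parse_blocks(text):
    """Pair each top-level ASA command with its indented sub-commands."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        elif not line[0].isspace():
            blocks.append((line.strip(), []))
    return blocks

def audit_tunnel_groups(text):
    """Map each ipsec-ra tunnel-group to (auth server group, defined?, LOCAL fallback?)."""
    blocks = parse_blocks(text)
    servers = {m.group(1) for head, _ in blocks
               if (m := re.match(r"aaa-server (\S+) protocol ", head))}
    # No authentication-server-group at all means the ASA uses its LOCAL database.
    result = {m.group(1): ("LOCAL", True, False) for head, _ in blocks
              if (m := re.match(r"tunnel-group (\S+) type ipsec-ra$", head))}
    for head, subs in blocks:
        m = re.match(r"tunnel-group (\S+) general-attributes$", head)
        if not m or m.group(1) not in result:
            continue
        for sub in subs:
            a = re.match(r"authentication-server-group (?:\(\S+\) )?(\S+)( LOCAL)?$", sub)
            if a:  # interface-specific lines may add a LOCAL fallback
                _, _, fallback = result[m.group(1)]
                result[m.group(1)] = (a.group(1), a.group(1) in servers,
                                      fallback or bool(a.group(2)))
    return result
```

Running audit_tunnel_groups(SAMPLE) returns VPN198 as ("IASIP12", True, True) and both test and VPN123 as ("LOCAL", True, False); a tunnel-group naming a server group that no aaa-server line defines is reported with defined=False, which is worth checking because the group name is not validated by the ASA at the time it is typed.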


  This web is provided "AS IS" with no warranties.
Copyright © 2002-2007 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.