Example Configuration of Cisco ASA VPN with AD Authentication

The running configuration below (ASA 7.0(6)) shows an IPsec remote-access VPN (tunnel-group VPN198) whose users are authenticated against Active Directory through Kerberos (aaa-server AD reached on the DMZ interface, realm CHICAGOTECH.NET), with the LOCAL user database as fallback; public addresses are masked as x.x.x.n.

ASA Version 7.0(6)
!
hostname CHICAGOTECHVPN
domain-name chicagotech.net
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.198 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.101.4 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.252.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list test_splitTunnelAcl standard permit any
access-list outside_access_out extended permit tcp any host x.x.x.198 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpn198 192.168.198.10-192.168.198.254 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (outside) 10 192.168.198.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 10 172.16.0.0 255.255.0.0
static (inside,outside) tcp interface 3389 10.0.3.2 3389 netmask 255.255.255.255
access-group outside_access_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route DMZ 10.0.0.0 255.255.0.0 172.16.252.2 1
route DMZ 192.168.254.0 255.255.255.0 172.16.252.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list ts "TS" http://10.0.3.2
port-forward TS 3389 10.0.3.2 3389 TS
aaa-server AD protocol kerberos
aaa-server AD (DMZ) host 10.0.0.29
 kerberos-realm CHICAGOTECH.NET
group-policy test internal
group-policy test attributes
 wins-server value 10.0.0.29 10.0.0.19
 dns-server value 10.0.0.29 10.0.0.19
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
 default-domain value chicagotech.net
 webvpn
group-policy VPN198 internal
group-policy VPN198 attributes
 wins-server value 10.0.0.29 10.0.0.19
 dns-server value 10.0.0.29 10.0.0.19
 default-domain value chicagotech.net
 webvpn
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
vpn-group-policy VPN198
 webvpn
vpn-group-policy VPN198
 webvpn
http server enable
http 172.16.252.0 255.255.255.0 DMZ
http 10.0.0.0 255.255.0.0 DMZ
http 192.168.1.0 255.255.255.0 management
http redirect inside 8080
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
isakmp enable outside
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group VPN198 type ipsec-ra
tunnel-group VPN198 general-attributes
 address-pool (inside) vpn198
 address-pool (DMZ) vpn198
 address-pool vpn198
 authentication-server-group AD LOCAL
 authentication-server-group (inside) none
 authentication-server-group (DMZ) AD LOCAL
 authorization-server-group LOCAL
 default-group-policy VPN198
tunnel-group VPN198 ipsec-attributes
 pre-shared-key *
 authorization-dn-attributes use-entire-name
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool vpn198
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 172.16.0.0 255.255.0.0 DMZ
telnet 10.0.0.0 255.255.0.0 DMZ
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh x.x.x.208 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 4.2.2.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end
[OK]
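As an added example (not code from the page), the Python below audits the VPN/AAA wiring in a configuration like the one above: it parses the running-config into top-level commands with their indented sub-commands, then flags a tunnel-group that never consults AD (no authentication-server-group means the ASA falls back to LOCAL), a referenced aaa-server group that is not defined, a Kerberos realm that is not upper case, a split-tunnel list that permits any (so "tunnelspecified" tunnels everything), and weak IKE parameters. SAMPLE is an excerpt of the configuration on this page.

```python
# Added example (not the page's own code): audit an ASA config for the VPN/AAA wiring above; SAMPLE excerpts it.
SAMPLE = """\
access-list test_splitTunnelAcl standard permit any
aaa-server AD protocol kerberos
aaa-server AD (DMZ) host 10.0.0.29
 kerberos-realm CHICAGOTECH.NET
group-policy test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
isakmp policy 10 encryption 3des
tunnel-group VPN198 general-attributes
 authentication-server-group AD LOCAL
tunnel-group test general-attributes
"""

def parse_blocks(text):
    blocks = []  # (top-level command, [indented sub-commands])
    for line in text.splitlines():
        if line.strip() and line[0] not in "!:":
            if line[0].isspace() and blocks:
                blocks[-1][1].append(line.strip())
            else:
                blocks.append((line, []))
    return blocks

def audit(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    blocks = parse_blocks(text)
    aaa = {h.split()[1] for h, _ in blocks if h.startswith("aaa-server") and " protocol " in h}
    any_acl = {h.split()[1] for h, _ in blocks if h.startswith("access-list") and h.endswith(" permit any")}
    out = []
    for head, subs in blocks:
        w = head.split()
        if w[0] == "tunnel-group" and w[-1] == "general-attributes":
            # interface-independent server list only; with no such line the ASA falls back to LOCAL
            ext = [g for s in subs if s.startswith("authentication-server-group ") and
                   not s.split()[1].startswith("(") for g in s.split()[1:] if g not in ("LOCAL", "none")]
            if not ext:
                out.append(f"tunnel-group {w[1]}: LOCAL database only, AD not consulted")
            out += [f"tunnel-group {w[1]}: aaa-server {g} undefined" for g in ext if g not in aaa]
        elif w[0] == "aaa-server" and " host " in head:
            if not any(s.startswith("kerberos-realm ") and s.split()[1].isupper() for s in subs):
                out.append(f"{head}: kerberos-realm missing or not upper case")
        elif w[0] == "group-policy" and "split-tunnel-policy tunnelspecified" in subs:
            out += [f"group-policy {w[1]}: list {s.split()[2]} permits any, so every flow is tunneled"
                    for s in subs if s.startswith("split-tunnel-network-list value ") and s.split()[2] in any_acl]
        elif w[:2] == ["isakmp", "policy"] and " ".join(w[3:]) in {"encryption 3des", "encryption des", "hash md5", "group 1", "group 2"}:
            out.append(f"weak IKE setting: {head}")
    return out
```

Running audit on the full configuration above reports the same three classes of finding as on SAMPLE; tunnel-group VPN198 passes because its unqualified authentication-server-group names the defined aaa-server AD.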

Related Topics

How to configure ASA VPN using the AD authentication

This web is provided "AS IS" with no warranties.
Copyright © 2002-2007 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.