crenatovb (New Member; Posts: 1; Joined: Mon Aug 04, 2014 7:40 am; Certs: CCNA Network and CCNA Security)

Remote Access VPN - Authentication Active Directory

Mon Aug 04, 2014 7:44 am

Hello,

I need some help from you.

I'm setting up a VPN (Client to Site) and am unable to connect the client.

Log in ASDM:

6|Aug 04 2014|00:06:23|302016|192.168.136.3|57257|239.255.255.250|1900|Teardown UDP connection 526 for outside:192.168.136.3/57257 to identity:239.255.255.250/1900 duration 0:00:00 bytes 0
6|Aug 04 2014|00:06:23|302015|192.168.136.3|57257|239.255.255.250|1900|Built inbound UDP connection 526 for outside:192.168.136.3/57257 (192.168.136.3/57257) to identity:239.255.255.250/1900 (239.255.255.250/1900)


ASA configuration:

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif inside
 security-level 0
 ip address 192.168.135.253 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.136.253 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network net-remote-access
 subnet 192.168.137.0 255.255.255.0
 description Rede Remota
object network NETWORK_OBJ_192.168.135.0_24
 subnet 192.168.135.0 255.255.255.0
object network NETWORK_OBJ_192.168.137.0_25
 subnet 192.168.137.0 255.255.255.128
object network TRTES_VPN_hosts
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list ACLTRTES standard permit 192.168.135.0 255.255.255.0
access-list ACLTRTES standard permit 192.168.136.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteVPN_Pool 192.168.137.0-192.168.137.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.135.0_24 NETWORK_OBJ_192.168.135.0_24 destination static NETWORK_OBJ_192.168.137.0_25 NETWORK_OBJ_192.168.137.0_25 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP_memberOf
  map-name  memberOf Group-Policy
  map-value memberOf CN=groupVPN,OU=Group,DC=trtes,DC=local groupVPN
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (inside) host 192.168.135.2
 ldap-base-dn dc=trtes,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=administrator,cn=Users,dc=trtes,dc=local
 server-type microsoft
 ldap-attribute-map LDAP_memberOf
user-identity default-domain LOCAL
http server enable
http 192.168.135.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
 address-pools none
group-policy RemoteAccess_Grp internal
group-policy RemoteAccess_Grp attributes
 wins-server value 192.168.135.2
 dns-server value 192.168.135.2
 vpn-simultaneous-logins 100
 vpn-tunnel-protocol ikev1 ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACLTRTES
 default-domain value trtes.local
 address-pools value RemoteVPN_Pool
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group RemoteAccess_TunnelGroup type remote-access
tunnel-group RemoteAccess_TunnelGroup general-attributes
 address-pool RemoteVPN_Pool
 authentication-server-group LDAPSERVERS LOCAL
 authorization-server-group LDAPSERVERS
 default-group-policy NoAccess
 authorization-required
tunnel-group RemoteAccess_TunnelGroup ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable

Cryptochecksum:6f2435bc00f831475a7249652bc8d5db
: end
ciscoasa#


I believe the problem is related to NAT. Can anyone help me?

Thank you very much.
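As an added triage example, not part of the original post: the two ASDM rows above parsed into fields, so that the first question a reviewer asks about a failing client-to-site tunnel, whether any IKE packet (UDP/500 or UDP/4500) reached the ASA at all, can be answered mechanically. The two sample rows are the ones from the post; the third row, and all function and constant names, are constructed for this example. 239.255.255.250 port 1900 is SSDP (UPnP discovery) multicast, which tells you nothing about the VPN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ASDM's log viewer exports rows as pipe-separated columns:
# severity|date|time|message-id|src|src-port|dst|dst-port|message text
# These two rows are the ones from the post.
POSTED_LOG = """\
6|Aug 04 2014|00:06:23|302016|192.168.136.3|57257|239.255.255.250|1900|Teardown UDP connection 526 for outside:192.168.136.3/57257 to identity:239.255.255.250/1900 duration 0:00:00 bytes 0
6|Aug 04 2014|00:06:23|302015|192.168.136.3|57257|239.255.255.250|1900|Built inbound UDP connection 526 for outside:192.168.136.3/57257 (192.168.136.3/57257) to identity:239.255.255.250/1900 (239.255.255.250/1900)
"""

# Constructed row (not from the post): what an IKEv1 attempt from the same
# client to the ASA's outside address would look like in the same export.
CONSTRUCTED_IKE_ROW = (
    "6|Aug 04 2014|00:07:01|302015|192.168.136.3|500|192.168.136.253|500|"
    "Built inbound UDP connection 530 for outside:192.168.136.3/500 (192.168.136.3/500) "
    "to identity:192.168.136.253/500 (192.168.136.253/500)\n"
)

# 302015/302016 are the ASA's "Built/Teardown UDP connection" messages.
UDP_CONN_IDS = {"302015", "302016"}
# UDP ports an IKEv1 client must reach: ISAKMP and IPsec NAT-T.
IKE_PORTS = {500: "ISAKMP", 4500: "NAT-T"}
# 239.255.255.250:1900 is SSDP (UPnP discovery): multicast LAN chatter.
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900


@dataclass
class AsdmRecord:
    severity: int
    timestamp: str
    msg_id: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    text: str


def parse_asdm_row(row: str) -> Optional[AsdmRecord]:
    """Split one exported ASDM row into typed fields; None if it does not fit."""
    parts = row.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    sev, date, time, msg_id, src, sport, dst, dport, text = parts
    try:
        return AsdmRecord(int(sev), f"{date} {time}", msg_id, src,
                          int(sport), dst, int(dport), text)
    except ValueError:
        return None


def classify(rec: AsdmRecord) -> str:
    """Label a row from the point of view of someone debugging a client-to-site VPN."""
    dst = ipaddress.ip_address(rec.dst)
    if rec.msg_id in UDP_CONN_IDS and rec.dst_port in IKE_PORTS:
        return "ike"            # the client's IKE packets are reaching the head-end
    if dst.is_multicast:
        if dst == SSDP_GROUP and rec.dst_port == SSDP_PORT:
            return "ssdp"       # LAN noise, irrelevant to this problem
        return "multicast"
    return "other"


def triage(log_text: str) -> dict:
    """Count rows per label and report whether any IKE packet appears at all.
    If ike_seen is False the exported rows contain no IKE attempt, so NAT, LDAP
    and group-policy settings are not the first place to look."""
    counts: dict = {}
    for row in log_text.splitlines():
        rec = parse_asdm_row(row)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
    return {"counts": counts, "ike_seen": counts.get("ike", 0) > 0}


if __name__ == "__main__":
    print(triage(POSTED_LOG))                        # no IKE at all
    print(triage(POSTED_LOG + CONSTRUCTED_IKE_ROW))  # IKE seen once
```

Run against the two posted rows the result is two "ssdp" rows and ike_seen False: nothing in that excerpt shows the client ever talking to the VPN head-end, which is why the config-level questions (NAT exemption, LDAP, group policy) come second.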

wirerat (Post Whore; Posts: 5340; Joined: Tue Mar 31, 2009 4:15 pm; Certs: More than none)

Re: Remote Access VPN - Authentication Active Directory

Mon Aug 04, 2014 8:22 am

Code tags inserted.
"See packet, be packet, you are packet. Ignore all else!" -The Networker
packetsdropped.wordpress.com

ski (Senior Member; Posts: 303; Joined: Sat Mar 31, 2012 5:01 pm; Certs: CCNA CCNP CCIP CCNA Security)

Re: Remote Access VPN - Authentication Active Directory

Mon Aug 04, 2014 1:15 pm

The error message is related to IPv6 autoconfiguration :P destination port 1900 :)
Inside should be the interface with a higher security level than any other (usually 100), outside 0.
You do not have a default route, so the clients cannot connect to your ASA.
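As an added example, not from the thread: the two checks ski raises (inside security level and default route), plus three more a security reviewer would flag in the posted config, written as a small audit over the running-config text. POSTED_CONFIG is an abridged copy of the relevant lines from the post; FIXED_CONFIG, its upstream gateway 192.168.136.1 and the finding codes are constructed for this example and are not anything the thread proposes.

```python
import re

# Abridged copy of the lines from the posted running-config that the checks use.
POSTED_CONFIG = """\
interface GigabitEthernet0
 nameif inside
 security-level 0
 ip address 192.168.135.253 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.136.253 255.255.255.0
!
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
"""

# Constructed corrected fragment: inside trusted at 100, a default route to a
# hypothetical gateway 192.168.136.1, AES instead of DES, IKE only on outside.
FIXED_CONFIG = """\
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.135.253 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.136.253 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.136.1 1
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
"""


def parse_interfaces(cfg: str) -> dict:
    """Map each nameif to its security-level by walking the interface blocks."""
    levels, block = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            block = {}
        elif block is not None and line.startswith(" nameif "):
            block["nameif"] = line.split()[1]
        elif block is not None and line.startswith(" security-level "):
            block["level"] = int(line.split()[1])
        elif block is not None and line.strip() == "!":
            if "nameif" in block:
                levels[block["nameif"]] = block.get("level")
            block = None
    return levels


def audit(cfg: str) -> list:
    """Return the finding codes that apply to a running-config text."""
    findings = []
    levels = parse_interfaces(cfg)
    inside, outside = levels.get("inside"), levels.get("outside")
    # ski's first point: inside must be the most trusted interface (normally 100).
    # With equal levels the ASA also drops inside<->outside traffic unless
    # "same-security-traffic permit inter-interface" is configured.
    if inside is not None and outside is not None and inside <= outside:
        findings.append("INSIDE_NOT_MOST_TRUSTED")
    # ski's second point: with no default route, clients beyond the directly
    # connected outside subnet get no return path, so IKE never completes.
    if not re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", cfg, re.M):
        findings.append("NO_DEFAULT_ROUTE")
    # Single DES in an IKEv1 policy or an IPsec transform set is obsolete.
    if re.search(r"^\s*encryption des$|\besp-des\b", cfg, re.M):
        findings.append("DES_IN_USE")
    # Terminating IKE on the inside interface widens the attack surface for
    # no benefit in a client-to-site design that serves only the outside.
    if re.search(r"^crypto ikev1 enable inside$", cfg, re.M):
        findings.append("IKEV1_ON_INSIDE")
    # "permit ip any any" on the interface ACLs disables the firewall function.
    if re.search(r"^access-list \S+ extended permit ip any any$", cfg, re.M):
        findings.append("PERMIT_IP_ANY_ANY")
    return findings


if __name__ == "__main__":
    print("posted:", audit(POSTED_CONFIG))
    print("fixed: ", audit(FIXED_CONFIG))   # expected: []
```

The audit is deliberately text-based so it can be run on a pasted "show run" without access to the box; the corrected fragment clears every finding while leaving the rest of the posted design (PSK tunnel group, LDAP authorization, split tunnel) untouched.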

