8/10/2019 ASA 8.4 RAVPN with static IP address .pdf
1/6
ASA 8.4 Static IP Addressing for IPSec VPN Client
with CLI Configuration Example
Introduction
This document describes how to configure the Cisco 5500 Series Adaptive Security
Appliance (ASA) version 8.4 to provide the Static IP address to the VPN client with the CLI.
Network Diagram
[Network diagram: a remote VPN user on the Internet cloud connects to the ASA 8.4 running Easy VPN Server; inside network 192.168.100.0/24; VPN pool 192.168.200.0/24]
In the example above, a user on the Internet accesses the remote access VPN configured on the ASA running 8.4. User authentication is performed against the ASA local database.
Configure the ASA with CLI
ASA Version 8.4(2)
!
!--- Specify the hostname for the Security Appliance.
hostname VPNASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!--- Configure the outside and inside interfaces.
interface GigabitEthernet0
nameif outside
security-level 0
ip address 172.16.100.1 255.255.255.252
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!--- Output is suppressed.
ftp mode passive
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set RA_TRANS esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set RA_TRANS
crypto map C_MAP 1 ipsec-isakmp dynamic DYN_MAP
crypto map C_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RA_VPN_POLICY internal
group-policy RA_VPN_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
!--- To assign a fixed IP address to a particular user, use the vpn-framed-ip-address
!--- command in username attributes mode.
username cisco1 password cyWfuUmL2Zk6mo1z encrypted
username cisco1 attributes
vpn-framed-ip-address 192.168.200.200 255.255.255.0
username cisco password tFYoQRmQ0Ydz4Sg2 encrypted
username cisco attributes
vpn-framed-ip-address 192.168.200.100 255.255.255.0
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN_POOL
authorization-server-group LOCAL
default-group-policy RA_VPN_POLICY
tunnel-group RA_VPN ipsec-attributes
ikev1 pre-shared-key cisco123
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:8f09564f08a6685f588841a13ea0e785
: end
In the configuration example above, two users are created (cisco and cisco1), statically assigned 192.168.200.100 and 192.168.200.200 respectively.
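The following audit script is an added example, not part of the original document or of Cisco's own tooling. It parses a constructed excerpt of the configuration above (the address pool, the transform set and the two username attribute blocks), maps each user to its vpn-framed-ip-address, and reports duplicate static addresses, static addresses that fall inside the dynamic pool, mask mismatches, and legacy algorithms in the transform set. The LEGACY_ALGS set, the finding format and the decision to treat "static address inside the pool" as something worth reviewing are this example's own assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the page's ASA configuration: the address pool, the
# transform set, the two username attribute blocks and the tunnel-group pool.
ASA_CONFIG = """\
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
crypto ipsec ikev1 transform-set RA_TRANS esp-3des esp-md5-hmac
username cisco1 password cyWfuUmL2Zk6mo1z encrypted
username cisco1 attributes
 vpn-framed-ip-address 192.168.200.200 255.255.255.0
username cisco password tFYoQRmQ0Ydz4Sg2 encrypted
username cisco attributes
 vpn-framed-ip-address 192.168.200.100 255.255.255.0
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
TRANSFORM_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
USER_ATTR_RE = re.compile(r"^username (\S+) attributes\s*$")
FRAMED_RE = re.compile(r"^\s*vpn-framed-ip-address (\S+) (\S+)")

# Assumed list of ESP algorithms a reviewer would flag as legacy today
# (the page's transform set uses 3DES and MD5).
LEGACY_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_config(text):
    """Return (pools, framed, transforms) extracted from ASA running-config text."""
    pools, framed, transforms = {}, {}, {}
    current_user = None
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            name, start, end, mask = m.groups()
            pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end), mask)
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            transforms[m.group(1)] = m.group(2).split()
            continue
        m = USER_ATTR_RE.match(line)
        if m:
            current_user = m.group(1)   # entering "username X attributes" sub-mode
            continue
        m = FRAMED_RE.match(line)
        if m and current_user:
            framed[current_user] = (ipaddress.ip_address(m.group(1)), m.group(2))
            continue
        if not line.startswith(" "):
            current_user = None         # any other top-level command leaves the sub-mode
    return pools, framed, transforms


def audit(pools, framed, transforms):
    """Return findings about static VPN addresses and the IPsec transform set."""
    findings = []
    owner = {}
    for user, (ip, mask) in framed.items():
        if ip in owner:
            findings.append(f"duplicate: {user} and {owner[ip]} are both assigned {ip}")
        owner[ip] = user
        for pool, (start, end, pmask) in pools.items():
            if start <= ip <= end:
                findings.append(f"overlap: {user} static {ip} lies inside dynamic pool {pool}")
            if mask != pmask:
                findings.append(f"mask: {user} uses {mask}, pool {pool} uses {pmask}")
    for name, algs in transforms.items():
        legacy = sorted(set(algs) & LEGACY_ALGS)
        if legacy:
            findings.append(f"legacy-crypto: transform-set {name} uses {' '.join(legacy)}")
    return findings


def audit_text(text):
    """Parse and audit a configuration in one call."""
    return audit(*parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(ASA_CONFIG):
        print(finding)
```

Run against the excerpt, the script reports that both static addresses sit inside VPN_POOL and that RA_TRANS uses esp-3des and esp-md5-hmac; whether the pool overlap matters depends on how you want addresses carved up, so the finding is informational rather than a verdict.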
Verification
This example shows a VPN user connecting with the username cisco.
VPNASA# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.255.27
Type : user Role : responder
Rekey : no State : AM_ACTIVE
The above command displays the public IP address of the VPN client.
VPNASA# show crypto ipsec sa user cisco
username: cisco
Crypto map tag: DYN_MAP, seq num: 1, local addr: 172.16.100.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.100/255.255.255.255/0/0)
current_peer: 172.16.255.27, username: cisco
dynamic allocated peer ip: 192.168.200.100
This output shows that the client has been assigned the IP address 192.168.200.100 for the username cisco.
Debug
The debug output below shows the connection status and the address assignment.
VPNASA# debug crypto ikev1 7
Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Obtained IP addr (192.168.200.100) prior to initiating Mode Cfg (XAuth enabled)
Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Sending subnet mask (255.255.255.0) to remote client
Oct 14 12:36:20 [IKEv1]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Assigned private IP address 192.168.200.100 to remote user
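As an added example that is not part of the original document, the script below turns the "Assigned private IP address" debug line into a detection check: it parses the ASA debug output and compares the address each user actually received with the static address configured in the username attributes. The sample log is constructed from the three lines above for user cisco, plus two constructed lines (a cisco1 session that receives a pool address instead of its static one, and a user bob who has no static address) so that both the mismatch and the no-static-address paths run.

```python
import re

# Constructed log sample: the page's three debug lines for user "cisco", plus two
# constructed lines so the mismatch and no-static-address paths are exercised.
DEBUG_LINES = [
    "Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, "
    "Obtained IP addr (192.168.200.100) prior to initiating Mode Cfg (XAuth enabled)",
    "Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, "
    "Sending subnet mask (255.255.255.0) to remote client",
    "Oct 14 12:36:20 [IKEv1]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, "
    "Assigned private IP address 192.168.200.100 to remote user",
    # constructed: cisco1 is configured for .200 but receives a pool address
    "Oct 14 12:41:03 [IKEv1]Group = RA_VPN, Username = cisco1, IP = 172.16.255.30, "
    "Assigned private IP address 192.168.200.7 to remote user",
    # constructed: bob has no vpn-framed-ip-address, so a pool address is expected
    "Oct 14 12:42:55 [IKEv1]Group = RA_VPN, Username = bob, IP = 172.16.255.31, "
    "Assigned private IP address 192.168.200.8 to remote user",
]

# Expected static assignments, taken from the page's username attributes.
EXPECTED_STATIC = {"cisco": "192.168.200.100", "cisco1": "192.168.200.200"}

# Matches only the final [IKEv1] assignment line, not the [IKEv1 DEBUG] lines.
ASSIGN_RE = re.compile(
    r"\[IKEv1\]:?\s*Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<peer>[^,]+), Assigned private IP address (?P<addr>\S+) to remote user"
)


def parse_assignments(lines):
    """Extract group, user, peer and assigned address from assignment debug lines."""
    events = []
    for line in lines:
        m = ASSIGN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def check_assignments(events, expected):
    """Flag sessions whose assigned address differs from the configured static one."""
    alerts = []
    for ev in events:
        want = expected.get(ev["user"])
        if want is None:
            alerts.append(f"info: {ev['user']} has no static address; got {ev['addr']} from the pool")
        elif want != ev["addr"]:
            alerts.append(
                f"mismatch: {ev['user']} expected {want} but was assigned {ev['addr']} "
                f"(peer {ev['peer']})"
            )
    return alerts


if __name__ == "__main__":
    for alert in check_assignments(parse_assignments(DEBUG_LINES), EXPECTED_STATIC):
        print(alert)
```

The cisco session matches its configured address and produces no alert; the constructed cisco1 line is reported as a mismatch and the constructed bob line as an informational pool assignment. Feeding real syslog output from the ASA into parse_assignments instead of the constructed list is the only change needed to use it operationally.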