
Thread: Help Remote VPN on ASA 5520

  1. #1

    Question Help Remote VPN on ASA 5520

    Hi all

    I hope you can help me with a VPN issue on the ASA 5520.

    The network topology is as follows:
    Internet---->ASA---->ISA---->LAN

    Is there any way for a VPN Client to go from the ASA through the ISA into the LAN?
    Besides creating the default VPN, do I need to add any other commands?
    On the ISA (route mode), do I need to open anything to allow VPN in from outside?
    Currently the VPN can only get into the DMZ; with the LAN I have had no luck.


    Thanks all

  2. #2


    Can the VPN client currently reach the LAN segment between the ASA and the ISA? What is the ISA server's function in this topology?
    Đặng Quang Minh, CCIE#11897 CCSI#31417

    Email : dangquangminh@vnpro.org

    -----------------------------------------------------------------------------------------------
    Trung Tâm Tin Học VnPro
    149/1D Ung Văn Khiêm P25 Q.Bình thạnh TPHCM
    Tel : (08) 35124257 (5 lines)
    Fax: (08) 35124314

    Home page: http://www.vnpro.vn
    Support Forum: http://www.vnpro.org
    - Specializing in network administration and Internet infrastructure training
    - Publishing technical books
    - IT staffing consulting and recruitment
    - Network design consulting and technical support

    Network channel: http://www.dancisco.com
    Blog: http://www.vnpro.org/blog

  3. #3


    The ISA runs in route mode (the customer requires it to be kept as a proxy). Between the ASA and the ISA I use a /30 subnet. The VPN still cannot reach the ISA.

  4. #4

    Could you please also post the ASA's configuration, so that everyone can check it easily?
    Nguyễn Vũ Minh

    CCNA
    CCSP in progress
    Cisco Information Security Specialist
    Cisco Firewall Specialist

  5. #5


    Here is the configuration, please take a look.

    ASA Version 8.0(3)
    !
    hostname Atlas-ASA-FW
    enable password b0I5dEziXMY3ELg9 encrypted
    names
    name 192.168.253.2 WEB_FTP_Srv
    !
    interface GigabitEthernet0/0
    description LAN
    nameif Inside
    security-level 100
    ip address 192.168.253.246 255.255.255.252
    !
    interface GigabitEthernet0/1
    description Out Internet (to Ascenlink)
    nameif outside
    security-level 0
    ip address 192.168.253.253 255.255.255.252
    !
    interface GigabitEthernet0/2
    description DMZ Zone
    nameif dmz
    security-level 50
    ip address 192.168.253.1 255.255.255.240
    !
    interface GigabitEthernet0/3
    description Backup LAN
    nameif inside_backup
    security-level 100
    ip address 192.168.253.250 255.255.255.252
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    management-only
    !
    passwd b0I5dEziXMY3ELg9 encrypted
    ftp mode passive
    clock timezone ICT 7
    object-group network Internal
    network-object 192.168.0.0 255.255.255.0
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    network-object 192.168.253.244 255.255.255.252
    object-group network ServerDMZ
    network-object host WEB_FTP_Srv
    network-object 192.168.253.0 255.255.255.240
    object-group service Web-FTP tcp
    port-object eq www
    port-object eq https
    port-object eq ftp
    port-object eq ftp-data
    object-group network SpecialHost_to_DMZ
    network-object host 192.168.0.57
    network-object host 192.168.0.58
    network-object host 192.168.0.90
    network-object host 192.168.0.93
    network-object host 192.168.0.94
    access-list nonat extended permit ip object-group Internal host WEB_FTP_Srv
    access-list nonat extended permit ip 192.168.253.0 255.255.255.240 172.16.1.0 255.255.255.224
    access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.224
    access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.224
    access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.224
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.224
    access-list Internal_Access extended permit tcp object-group Internal host WEB_FTP_Srv object-group Web-FTP
    access-list Internal_Access extended permit ip object-group Internal any
    access-list Outside_Access extended permit tcp any host WEB_FTP_Srv eq https
    access-list Outside_Access extended permit tcp any host WEB_FTP_Srv eq www
    access-list Outside_Access extended permit tcp any host WEB_FTP_Srv eq ftp
    access-list Outside_Access extended permit tcp any host WEB_FTP_Srv eq ftp-data
    access-list Outside_Access extended permit icmp any any echo-reply
    access-list Outside_Access extended permit icmp any any unreachable
    access-list DMZ_Access extended permit ip object-group ServerDMZ any
    pager lines 24
    mtu Inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu inside_backup 1500
    mtu management 1500
    ip local pool VPN_POOL 172.16.1.1-172.16.1.30 mask 255.255.255.224
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    nat (Inside) 0 access-list nonat
    nat (dmz) 0 access-list DMZ_Access
    static (dmz,outside) 192.168.253.0 192.168.253.0 netmask 255.255.255.240
    static (Inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (Inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    static (Inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
    static (Inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
    access-group Internal_Access in interface Inside
    access-group Outside_Access in interface outside
    access-group DMZ_Access in interface dmz
    route outside 0.0.0.0 0.0.0.0 192.168.253.254 1
    route Inside 192.168.0.0 255.255.255.0 192.168.253.245 1
    route Inside 192.168.1.0 255.255.255.0 192.168.253.245 1
    route Inside 192.168.2.0 255.255.255.0 192.168.253.245 1
    route Inside 192.168.3.0 255.255.255.0 192.168.253.245 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.253.0 255.255.255.0 inside_backup
    http 192.168.0.0 255.255.255.0 Inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.0.0 255.255.255.0 Inside
    telnet 192.168.1.0 255.255.255.0 Inside
    telnet 192.168.2.0 255.255.255.0 Inside
    telnet 192.168.3.0 255.255.255.0 Inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    group-policy atlasvpn internal
    group-policy atlasvpn attributes
    wins-server value 192.168.0.1 192.168.0.74
    dns-server value 192.168.0.1 192.168.0.74
    vpn-tunnel-protocol IPSec
    default-domain value atlas.com
    username mrchinh password s.wJlRS//IMrGrk7 encrypted privilege 0
    username mrchinh attributes
    vpn-group-policy atlasvpn
    tunnel-group atlasvpn type remote-access
    tunnel-group atlasvpn general-attributes
    address-pool VPN_POOL
    default-group-policy atlasvpn
    tunnel-group atlasvpn ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e90c1cb8df087d8d10e3cb23b452df26
    : end
    Atlas-ASA-FW(config)#

  6. #6


    Stupid_boy, please look at the network diagram and suggest an approach first; you asked to see the configuration right away. At the moment the VPN already reaches the DMZ but cannot yet reach the LAN.
    Thanks,
    Hugo

  7. #7


    Sonnd, please consider these two options:

    1. Remove the ISA server entirely; the authentication proxy function can also be performed on the ASA.
    2. If the customer still insists on using ISA, move the ISA server to the DMZ.
    Đặng Quang Minh, CCIE#11897 CCSI#31417


  8. #8


    If the ISA is moved to the DMZ, how do the two designs differ, and is there any benefit?
    And if we keep the old design, is there no way to solve it, teacher? That is how they want it.

    Thanks, teacher Minh

  9. #9


    Move the ISA to the DMZ as a proxy for the LAN, because as a rule servers should be concentrated in the DMZ for easier management.
    Thanks,
    Hugo

  10. #10


    Network Diagram

    The VPN Client is located on a typical SOHO network and connects across the Internet to the main office.

    Background Information

    Unlike a classic split tunneling scenario in which all Internet traffic is sent unencrypted, when you enable local LAN access for VPN Clients it permits those clients to communicate unencrypted with only devices on the network on which they are located. For example, a VPN Client that is allowed local LAN access while connected to the ASA from home is able to print to its own printer, but not access the Internet without first sending the traffic over the tunnel.


    An access list is used in order to allow local LAN access in much the same way that split tunneling is configured on the ASA. However, instead of defining which networks should be encrypted, the access list in this case defines which networks should not be encrypted. Also, unlike the split tunneling scenario, the actual networks in the list do not need to be known. Instead, the ASA supplies a default network of 0.0.0.0/255.255.255.255 which is understood to mean the local LAN of the VPN Client.


    When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. However, you can browse or print by IP address. See the Troubleshooting section of this document for more information as well as workarounds for this situation.

    Configure Local LAN Access for VPN Clients

    Complete these two tasks in order to allow VPN Clients access to their local LAN while connected to the VPN Concentrator:


    Configure the ASA via the ASDM

    Complete these steps in the ASDM to allow VPN Clients to have local LAN access while connected to the ASA:

    1. Choose Configuration > VPN > General > Group Policy and select the Group Policy that you wish to enable local LAN access in. Then click Edit.
    2. Choose the Client Configuration tab.
    3. Uncheck the Inherit box for Split Tunnel Policy and choose Exclude Network List Below.
    4. Uncheck the Inherit box for Split Tunnel Network List and then click Manage in order to launch the ACL Manager.
    5. Within the ACL Manager choose Add > Add ACL... in order to create a new access list.
    6. Provide a name for the ACL and click OK.
    7. Once the ACL is created, choose Add > Add ACE... in order to add an Access Control Entry (ACE).
    8. Define the ACE that corresponds to the local LAN of the client.
      1. Choose Permit.
      2. Choose an IP Address of 0.0.0.0
      3. Choose a Netmask of 255.255.255.255.
      4. (Optional) Provide a description.
      5. Click OK.

    9. Click OK in order to exit the ACL Manager.
    10. Be sure that the ACL you just created is selected for Split Tunnel Network List.
    11. Click OK in order to return to the Group Policy configuration.
    12. Click Apply and then Send (if required) in order to send the commands to the ASA.

    Configure the ASA via CLI

    Rather than use the ASDM, you can complete these steps in the ASA CLI in order to allow VPN Clients to have local LAN access while connected to the ASA:

    1. Enter configuration mode.
      ciscoasa>enable
      Password:
      ciscoasa#configure terminal
      ciscoasa(config)#
    2. Create the access list to allow local LAN access.
      ciscoasa(config)#access-list Local_LAN_Access remark VPN Client Local LAN Access
      ciscoasa(config)#access-list Local_LAN_Access standard permit host 0.0.0.0
    3. Enter Group Policy configuration mode for the policy that you wish to modify.
      ciscoasa(config)#group-policy hillvalleyvpn attributes
      ciscoasa(config-group-policy)#
    4. Specify the split tunnel policy. In this case the policy is excludespecified.
      ciscoasa(config-group-policy)#split-tunnel-policy excludespecified
    5. Specify the split tunnel access list. In this case, the list is Local_LAN_Access.
      ciscoasa(config-group-policy)#split-tunnel-network-list value Local_LAN_Access
    6. Issue this command:
      ciscoasa(config-group-policy)#tunnel-group hillvalleyvpn general-attributes
    7. Associate the group policy with the tunnel group.
      ciscoasa(config-tunnel-general)#default-group-policy hillvalleyvpn
    8. Exit the two configuration modes.
      ciscoasa(config-tunnel-general)#exit
      ciscoasa(config)#exit
      ciscoasa#
    9. Save the configuration to non-volatile RAM (NVRAM) and press Enter when prompted to specify the source filename.
      ciscoasa#copy running-config startup-config

      Source filename [running-config]?
      Cryptochecksum: 93bb3217 0f60bfa4 c36bbb29 75cf714a

      3847 bytes copied in 3.470 secs (1282 bytes/sec)
      ciscoasa#

    Configure the VPN Client

    Complete these steps in the VPN Client in order to allow the client to have local LAN access while connected to the ASA.

    1. Choose your existing connection entry and click Modify.
    2. Go to the Transport tab and check Allow Local LAN Access. Click Save when you are done.

    Verify

    Follow the steps in these sections in order to verify your configuration.


    Connect with the VPN Client

    Connect your VPN Client to the VPN Concentrator in order to verify your configuration.

    1. Choose your connection entry from the list and click Connect.
    2. Enter your credentials.
    3. Choose Status > Statistics... in order to display the Tunnel Details window where you can inspect the particulars of the tunnel and see traffic flowing. You can also see that Local LAN is enabled in the Transport section.
    4. Go to the Route Details tab in order to see the routes to which the VPN Client still has local access.
      In this example, the VPN Client is allowed local LAN access to 192.168.0.0/24 while all other traffic is encrypted and sent across the tunnel.

    View the VPN Client Log

    When you examine the VPN Client log, you can determine whether or not the parameter that allows local LAN access is set. In order to view the log, go to the Log tab in the VPN Client. Then click on Log Settings in order to adjust what is logged. In this example, IKE is set to 3 - High while all other log elements are set to 1 - Low.
    Cisco Systems VPN Client Version 4.0.5 (Rel)
    Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2

    1 14:20:09.532 07/27/06 Sev=Info/6 IKE/0x6300003B
    Attempting to establish a connection with 172.22.1.160.


    !--- Output is suppressed


    18 14:20:14.188 07/27/06 Sev=Info/5 IKE/0x6300005D
    Client sending a firewall request to concentrator

    19 14:20:14.188 07/27/06 Sev=Info/5 IKE/0x6300005C
    Firewall Policy: Product=Cisco Systems Integrated Client,
    Capability= (Centralized Protection Policy).

    20 14:20:14.188 07/27/06 Sev=Info/5 IKE/0x6300005C
    Firewall Policy: Product=Cisco Intrusion Prevention Security Agent,
    Capability= (Are you There?).

    21 14:20:14.208 07/27/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 172.22.1.160

    22 14:20:14.208 07/27/06 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = 172.22.1.160

    23 14:20:14.208 07/27/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 172.22.1.160

    24 14:20:14.208 07/27/06 Sev=Info/5 IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.50

    25 14:20:14.208 07/27/06 Sev=Info/5 IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

    26 14:20:14.208 07/27/06 Sev=Info/5 IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

    27 14:20:14.208 07/27/06 Sev=Info/5 IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

    28 14:20:14.208 07/27/06 Sev=Info/5 IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems,
    Inc ASA5510 Version 7.2(1) built by root on Wed 31-May-06 14:45

    !--- Local LAN access is permitted and the local LAN is defined.

    29 14:20:14.238 07/27/06 Sev=Info/5 IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_INCLUDE_LOCAL_LAN (# of local_nets),
    value = 0x00000001

    30 14:20:14.238 07/27/06 Sev=Info/5 IKE/0x6300000F
    LOCAL_NET #1
    subnet = 192.168.0.0
    mask = 255.255.255.0
    protocol = 0
    src port = 0
    dest port=0

    !--- Output is suppressed.

    Test Local LAN Access with Ping

    An additional way to test that the VPN Client still has local LAN access while tunneled to the VPN Concentrator is to use the ping command at the Windows command line. The local LAN of the VPN Client is 192.168.0.0/24 and another host is present on the network with an IP address of 192.168.0.3.
    C:\>ping 192.168.0.3
    Pinging 192.168.0.3 with 32 bytes of data:

    Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
    Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
    Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
    Reply from 192.168.0.3: bytes=32 time<1ms TTL=255

    Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Đặng Quang Minh, CCIE#11897 CCSI#31417

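Added example, not part of the post above or of the Cisco document it reproduces: a Python parser for the VPN Client log format shown in post #10 that recovers the pushed MODE_CFG attributes and LOCAL_NET entries, so a reviewer can see which networks the client will reach outside the tunnel. The function names, the sample log (constructed from entries 24, 25, 29 and 30 above) and the two policy checks (RFC 1918 space only, no overlap with the tunnel network) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, shaped like entries 24, 25, 29 and 30 of the log above.
SAMPLE_LOG = """\
24 14:20:14.208 07/27/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.50

25 14:20:14.208 07/27/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

29 14:20:14.238 07/27/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_INCLUDE_LOCAL_LAN (# of local_nets),
value = 0x00000001

30 14:20:14.238 07/27/06 Sev=Info/5 IKE/0x6300000F
LOCAL_NET #1
subnet = 192.168.0.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
"""

HEADER = re.compile(r"^\d+\s+[\d:.]+\s+[\d/]+\s+Sev=\S+\s+\S+$")  # one log entry header
ATTR = re.compile(r"Attribute = ([A-Z0-9_]+)[^,]*,\s*value = (.+)")
# Assumed review policy: only RFC 1918 space should bypass the tunnel.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_entries(log_text):
    """Group the lines following each entry header into one body (list of lines)."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if HEADER.match(line):
            entries.append([])
        elif entries and line and not line.startswith("!---"):
            entries[-1].append(line)
    return entries


def local_lan_report(log_text):
    """Return the tunnel address, the networks left outside the tunnel, and warnings."""
    attrs, nets, warnings = {}, [], []
    for body in split_entries(log_text):
        if body and body[0].startswith("MODE_CFG_REPLY"):
            m = ATTR.search(" ".join(body))  # a value may wrap onto the next line
            if m:
                attrs[m.group(1)] = m.group(2).strip()
        elif body and body[0].startswith("LOCAL_NET"):
            pairs = (line.partition("=") for line in body[1:])
            f = {k.strip(): v.strip() for k, sep, v in pairs if sep}
            if "subnet" in f and "mask" in f:
                nets.append(ipaddress.ip_network(f"{f['subnet']}/{f['mask']}", strict=False))
    declared = int(attrs.get("MODECFG_UNITY_INCLUDE_LOCAL_LAN", "0"), 16)
    tunnel = None
    if "INTERNAL_IPV4_ADDRESS" in attrs and "INTERNAL_IPV4_NETMASK" in attrs:
        tunnel = ipaddress.ip_interface(
            f"{attrs['INTERNAL_IPV4_ADDRESS']}/{attrs['INTERNAL_IPV4_NETMASK']}")
    if declared != len(nets):
        warnings.append(f"{declared} local nets declared, {len(nets)} listed")
    for net in nets:
        if not any(net.subnet_of(r) for r in RFC1918):
            warnings.append(f"{net} is outside RFC 1918 space")
        if tunnel and net.overlaps(tunnel.network):
            warnings.append(f"{net} overlaps tunnel network {tunnel.network}")
    return {"enabled": declared > 0, "tunnel": tunnel, "local_nets": nets, "warnings": warnings}
```

Call `local_lan_report()` on the text saved from the client's Log tab; an empty `warnings` list means every excluded network passed both assumed checks.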
