Oct 28, 2013
Client IPSEC VPN Configurations on a Cisco ASA 5500
Below I've put together a rough configuration of what I did to build my own home Remote Access VPN on a Cisco ASA5505. I really put this up for my own personal reference, but feel free to post any questions. Most of this may seem vague if you're unfamiliar with the ASA platform/configurations.
Basic Crypto configurations required for my example:
Declare the Phase 2 (IPsec) transform set to be used:
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Crypto Map is named "outside_map" and applied to the outside interface:
crypto map outside_map interface outside
I used IKEv1, enabled on the outside interface:
crypto ikev1 enable outside
Phase 1 (IKEv1) policy configuration:
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Have a local user account to test with:
username cisco password cisco privilege 15
Beginning of configuration:
Create the objects that reference your internal network and the user IP pool:
object network obj-vpn-users
 subnet 192.168.99.0 255.255.255.248
object network obj-internal
 subnet 192.168.1.0 255.255.255.0
Create the ACL that will be applied to the user (as the vpn-filter) at VPN authentication time; the source is the VPN client side and the destination is the internal network:
access-list ACL_USER extended permit ip 192.168.99.0 255.255.255.248 192.168.1.0 255.255.255.0
Create the split-tunnel ACL (the networks the client will send through the tunnel):
access-list ACL_Split-tunnel-USER standard permit 192.168.1.0 255.255.255.0
Create the IP Pool for VPN assignment:
ip local pool POOL_USER 192.168.99.2-192.168.99.6 mask 255.255.255.248
Create the NAT exemption (no-NAT) policy so inside traffic can reach the VPN users (make sure this appears in your configuration before any dynamic PAT policy):
nat (inside,outside) source static obj-internal obj-internal destination static obj-vpn-users obj-vpn-users description USER_VPN
Create a dynamic map to support the VPN connection from any location and set the transform-set and reverse-route:
crypto dynamic-map VPN-USER 1 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map VPN-USER 1 set reverse-route
crypto map outside_map 999 ipsec-isakmp dynamic VPN-USER
Configure the group policy:
group-policy GP_USER internal
group-policy GP_USER attributes
 vpn-filter value ACL_USER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_Split-tunnel-USER
Finally, create your tunnel group, specifying the address pool, the group policy and the pre-shared key:
tunnel-group VPN-USER type remote-access
tunnel-group VPN-USER general-attributes
 address-pool POOL_USER
 default-group-policy GP_USER
tunnel-group VPN-USER ipsec-attributes
 ikev1 pre-shared-key cisco123
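Because the pool, the objects, the vpn-filter ACL, the split-tunnel ACL and the NAT exemption all have to agree with each other, here is an added consistency check (example code written for this post, not part of the original configuration) that parses those lines and reports any mismatch. It assumes the object, ACL and pool names used above; the configuration text is embedded as a constructed sample.

```python
import ipaddress
import re
# Constructed sample: the object, ACL, pool and NAT lines from the post above.
ASA_CONFIG = """\
object network obj-vpn-users
 subnet 192.168.99.0 255.255.255.248
object network obj-internal
 subnet 192.168.1.0 255.255.255.0
access-list ACL_USER extended permit ip 192.168.99.0 255.255.255.248 192.168.1.0 255.255.255.0
access-list ACL_Split-tunnel-USER standard permit 192.168.1.0 255.255.255.0
ip local pool POOL_USER 192.168.99.2-192.168.99.6 mask 255.255.255.248
nat (inside,outside) source static obj-internal obj-internal destination static obj-vpn-users obj-vpn-users description USER_VPN
"""
def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # dotted mask is accepted for IPv4
def parse(config):
    # Collect network objects, ACLs, address pools and NAT exemptions from the config text
    objects, acls, pools, nats, current = {}, {}, {}, [], None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m[1]
        elif m := re.match(r"\s+subnet (\S+) (\S+)", line):
            objects[current] = net(m[1], m[2])
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls[m[1]] = (net(m[2], m[3]), net(m[4], m[5]))  # (source, destination)
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            acls[m[1]] = net(m[2], m[3])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside,outside\) source static (\S+) \S+ destination static (\S+)", line):
            nats.append((m[1], m[2]))  # (real source object, real destination object)
    return objects, acls, pools, nats
def check(config):
    # Return the list of inconsistencies found; an empty list means the pieces agree
    objects, acls, pools, nats = parse(config)
    problems = []
    lo, hi = pools["POOL_USER"]
    vpn_net, internal = objects["obj-vpn-users"], objects["obj-internal"]
    if lo not in vpn_net or hi not in vpn_net:
        problems.append("POOL_USER lies outside obj-vpn-users")
    src, dst = acls["ACL_USER"]
    if src != vpn_net:  # a vpn-filter ACL is written with the VPN client side as the source
        problems.append("vpn-filter ACL_USER source is not the VPN pool network")
    if not dst.subnet_of(internal):
        problems.append("vpn-filter ACL_USER destination is outside obj-internal")
    if not acls["ACL_Split-tunnel-USER"].subnet_of(internal):
        problems.append("split-tunnel network is outside obj-internal")
    if ("obj-internal", "obj-vpn-users") not in nats:
        problems.append("no NAT exemption from obj-internal to obj-vpn-users")
    return problems
```

Running check(ASA_CONFIG) on the sample returns an empty list; widening the pool past the /29 or pointing the NAT exemption at a different object makes the corresponding message appear.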
Oct 25, 2013
Port Redirection in Linux
Here's a simple port redirection example in Linux. I use this a lot in "work around" solutions because it's essentially a static PAT without the need for network equipment.
From your Linux host the command is:
ssh localhost -L <LocalListeningIP>:<LocalListeningPort>:<RemoteServerIP>:<RemoteServerPort> -N
- localhost: This simply initiates the ssh session to the localhost so the port redirection takes effect.
- "-L": The switch that triggers the port redirection and accepts the following variables.
- LocalListeningIP: The IP address that you want to listen on. This can be 0.0.0.0 if you want to listen on all local IPs on the system.
- LocalListeningPort: The TCP port that you want to listen on. This can be any port. Your internal systems will target this to reach the remote server's port.
- RemoteServerIP: The remote server's IP address that your internal systems will be targeting and redirected to.
- RemoteServerPort: The remote server's listening port that your internal systems need to reach.
- "-N": This tells the system not to execute any commands once the ssh session is established.