Ez vpn on Asa 5506

This comment was posted to reddit on Sep 24, 2017 at 8:56 am and was deleted within 9 hour(s) and 7 minutes.

Ez vpn on Asa 5506

SERVER CONFIG:

ASA Version 9.1(6) ! hostname LAB-FW01 domain-name my domain.com enable password ***** encrypted xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names ip local pool VPNpool 10.224.10.10-10.224.10.20 mask 255.255.255.0 ! interface Ethernet0/0 description Egress for lab nameif outside security-level 0 ip address 172.16.3.2 255.255.255.252 ! interface Ethernet0/1 description Lab internal nameif inside security-level 100 ip address 172.16.4.1 255.255.255.0 ! _ ! ftp mode passive dns server-group DefaultDNS domain-name mydomain.com same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network NETWORK_OBJ_10.224.10.0_27 subnet 10.224.10.0 255.255.255.224 object network NETWORK_OBJ_172.16.4.0_24 subnet 172.16.4.0 255.255.255.0 access-list EZVPN splitTunnelAcl standard permit 172.16.4.0 255.255.255.0 access-list outside_access_in extended permit icmp any any pager lines 24 logging enable logging asdm informational mtu management 1500 mtu outside 1500 mtu inside 1500 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (inside,outside) source dynamic any interface access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 172.16.3.1 1 ——— dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication enable console LOCAL aaa authentication http console LOCAL aaa authentication ssh console LOCAL aaa authorization command LOCAL aaa authorization exec LOCAL auto-enable ! crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto ca trustpool policy crypto ikev1 enable outside crypto ikev1 policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 ! dhcpd address 172.16.4.10-172.16.4.100 inside dhcpd auto_config outside interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy EZVPN internal group-policy EZVPN attributes dns-server value 8.8.8.8 vpn-tunnel-protocol ikev1 split-tunnel-policy tunnelspecified split-tunnel-network-list value EZVPN_splitTunnelAcl default-domain value mydomain.com username REMOTE-USER password remotepass encrypted privilege 0 username REMOTE-USER attributes vpn-group-policy EZVPN tunnel-group EZVPN type remote-access tunnel-group EZVPN general-attributes address-pool VPN_pool default-group-policy EZVPN tunnel-group EZVPN ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp !

REMOTE CONFIG:

hostname REMOTE-ASA domain-name companydomain.com enable password ******* encrypted xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names

! interface GigabitEthernet1/1 description Outside interface DHCP nameif outside security-level 0 ip address dhcp setroute ! interface GigabitEthernet1/2 description Inside Interface nameif inside security-level 100 ip address 192.168.215.1 255.255.255.0 ! ! interface Management1/1 description Manangement interface management-only nameif management security-level 50 ip address 172.16.1.254 255.255.255.192 ! boot system disk0:/asa982-lfbff-k8.SPA ftp mode passive dns server-group DefaultDNS domain-name company domain.com same-security-traffic permit inter-interface same-security-traffic permit intra-interface access-list outside_access_in extended permit icmp any any pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside 1500 mtu management 1500 no failover no monitor-interface service-module icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-781-150.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 nat (inside,outside) source dynamic any interface access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 172.17.2.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL ! no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ! console timeout 0 vpnclient server 172.16.3.2 vpnclient mode client-mode vpnclient vpngroup EZVPN password ***** vpnclient username REMOTE-USER password ***** vpnclient management clear vpnclient enable dhcp-client client-id interface outside dhcpd auto_config outside vpnclient-wins-override ! dhcpd address 192.168.215.5-192.168.215.200 inside dhcpd auto_config outside interface inside dhcpd option 3 ip 192.168.215.1 interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy DfltGrpPolicy attributes vpn-idle-timeout none dynamic-access-policy-record DfltAccessPolicy ! ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect dns preset_dns_map policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum client auto message-length maximum 512 no tcp-inspection

/r/networking Thread Parent

Ez vpn on Asa 5506

Recently removed from /r/networking

More Random Comments