#1
    VPN with Cisco ASA5505 and SBS 2003

    Let me preface this by saying that I am not great with Cisco, I am much more comfortable in the MS server environment but I inherited this setup and am trying to figure it out best I can.

    Basically, I am trying to set up a VPN and use my DC as a RADIUS server. Below is my running config (I used the Cisco VPN wizard to attempt to set up the VPN). On my server I got IAS with a remote access policy allowing VPN access when 'NAS-port type match Virtual VPN' and the user is part of the VPN security group.

    Here is the running config; I changed public IPs, the domain name and passwords out of paranoia, lol.

    : Saved
    : Written by enable_15 at 11:39:33.231 UTC Thu Apr 2 2009
    !
    ASA Version 7.2(2)
    !
    hostname ciscoasa
    domain-name companyXYZ.local
    enable password AvFxOc5r.eXgcyRR encrypted
    names
    name 192.168.1.2 DC101 description AD/WWW/Mail
    name 212.32.226.162 mail
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 212.32.226.163 255.255.255.248
    !
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd AvFxOc5r.eXgcyRR encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name companyXYZ.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service VNC tcp
    port-object range 5900 5900
    object-group service RDP tcp
    description Microsoft Terminal Services
    port-object range 3389 3389
    access-list acl_out extended permit icmp any any
    access-list acl_out remark SMTP mail access
    access-list acl_out extended permit tcp any host mail eq smtp
    access-list acl_out remark VNC remote desktop access
    access-list acl_out extended permit tcp any host mail eq 5900
    access-list acl_out remark web access
    access-list acl_out extended permit tcp any host mail eq www
    access-list acl_out remark secure web access
    access-list acl_out extended permit tcp any host mail eq https
    access-list acl_out remark pop3 mail access
    access-list acl_out extended permit tcp any host mail eq pop3
    access-list acl_out remark Microsoft Terminal Services Access
    access-list acl_out extended permit tcp any host mail object-group RDP
    access-list acl_out extended permit tcp any host mail eq imap4
    access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224
    access-list 110 extended permit tcp host mail host DC101 eq 3389
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool company-vpn 192.168.1.200-192.168.1.223 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) mail DC101 netmask 255.255.255.255
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 212.32.226.161 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server DC101 protocol nt
    aaa-server DC101 host DC101
    timeout 5
    nt-auth-domain-controller DC101
    group-policy company-vpn internal
    group-policy company-vpn attributes
    dns-server value 192.168.1.2
    vpn-tunnel-protocol IPSec
    default-domain value companyXYZ.local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address DC101-192.168.1.129 inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:092c077512dd971312a16f6fbcf6346f
    : end

#2 powdarrmonkey
    I'm not a Cisco expert, sorry. The Windows Event Log can be very revealing when dealing with RADIUS though, have you looked at it yet?

#3
    Yah, I don't even see any related events, which makes me think the ASA is not talking to the server, which is why I think something is wrong with the ASA.

#4 ChrisCole
    Hi Jim,

    I have my ASAs setup to directly query the DC using LDAP, rather than go via a RADIUS server:

    aaa-server Windows_LDAP protocol ldap
    aaa-server Windows_LDAP (inside) host x.x.x.x
    server-port 636
    ldap-base-dn OU=xx,DC=xx,DC=xx,DC=xx,DC=xx
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *
    ldap-login-dn CN=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xxx,DC=xx,DC=xx
    ldap-over-ssl enable
    server-type microsoft

    The ASDM 6.1 GUI in conjunction with ASA 8.04 is considerably more useful than the v7 stuff you're using, by the way...

    Chris.
    Last edited by ChrisCole; 23rd April 2009 at 10:28 AM.

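The following is an added example, not code from Jim or Chris: a small Python audit of the AAA lines in an ASA running-config. Run over Jim's config in post #1 it flags that `aaa-server DC101 protocol nt` is NT-domain (NTLM) authentication straight to the DC rather than RADIUS, so the IAS policy never receives a request, and that no tunnel-group in the posted config binds the server group; run over Chris's LDAP form from post #4 it checks that `ldap-over-ssl` is enabled. The corrected RADIUS excerpt (group name IAS, shared key, tunnel-group name) is an assumed placeholder, not something either poster wrote.

```python
import re

def parse_aaa_servers(config: str) -> dict:
    """Map each aaa-server group to its protocol, hosts and ldap-over-ssl flag."""
    groups = {}
    current = None  # the host entry whose sub-commands we are reading
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            groups[m[1]] = {"protocol": m[2], "hosts": [], "ldap_ssl": False}
            current = None
            continue
        m = re.match(r"aaa-server (\S+)(?: \(\S+\))? host (\S+)$", line)
        if m:
            current = groups.setdefault(m[1], {"protocol": None, "hosts": [], "ldap_ssl": False})
            current["hosts"].append(m[2])
        elif current is not None and line == "ldap-over-ssl enable":
            current["ldap_ssl"] = True  # host sub-command, as in Chris's example
    return groups

def audit(config: str) -> list:
    """Findings a defender would want before trusting this VPN's authentication."""
    findings = []
    # tunnel-group general-attributes is where an aaa-server group gets bound to a VPN
    bound = set(re.findall(r"^\s*authentication-server-group (\S+)", config, re.M))
    for name, g in parse_aaa_servers(config).items():
        if g["protocol"] == "nt":
            findings.append(f"{name}: 'protocol nt' is NT-domain (NTLM) auth straight to the DC, so an IAS/RADIUS policy never sees a request")
        if g["protocol"] == "ldap" and not g["ldap_ssl"]:
            findings.append(f"{name}: LDAP without ldap-over-ssl sends the bind password in clear")
        if name not in bound:
            findings.append(f"{name}: no tunnel-group binds it via authentication-server-group")
    if re.search(r"^\s*ssh 0\.0\.0\.0 0\.0\.0\.0 outside", config, re.M):
        findings.append("SSH management is reachable from any source on the outside interface")
    return findings

# Constructed excerpts: the AAA lines as posted, and an ASSUMED corrected RADIUS form
# (group name IAS, shared key and tunnel-group name are placeholders, not from the thread).
AS_POSTED = """
aaa-server DC101 protocol nt
aaa-server DC101 host DC101
nt-auth-domain-controller DC101
ssh 0.0.0.0 0.0.0.0 outside
"""
CORRECTED = """
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.168.1.2
key EXAMPLE-SHARED-SECRET
tunnel-group company-vpn general-attributes
 authentication-server-group IAS
ssh 192.168.1.0 255.255.255.0 inside
"""
```

Calling `audit(AS_POSTED)` returns three findings (NTLM instead of RADIUS, unbound server group, SSH open on outside); `audit(CORRECTED)` returns none.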

#5
    Quote Originally Posted by ChrisCole (post #4 above)
    Thanks. Yes, I am in the process of updating both ASA and ASDM. I will try again once I get them all updated.
