Cisco ASA5505 Map VPN Clients to DMZ Lan

In this configuration an ASA5505 connects a customer LAN to the ISP. The customer has added a vendor that needs remote access to a server installed in a DMZ. The server must not have access back to the main customer network, but the vendor needs access into the server via a VPN client, and the customer will access the server via HTTPS (TCP port 443) and RDP.

interface Vlan1
description internal network
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0

interface Vlan4
nameif vendorlan
security-level 20
ip address 192.168.240.1 255.255.255.0
!

interface Ethernet0/0
description outside interface
switchport access vlan 2

interface Ethernet0/1
description inside interface customer LAN

interface Ethernet0/4
description vendor vlan connects to vendor server 192.168.240.10
switchport access vlan 4
!

boot system disk0:/asa822-k8.bin

same-security-traffic permit intra-interface

access-list split_tunnel standard permit 192.168.240.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

! acl entries for vendor server:
access-list inet_in extended permit tcp any host a.b.57.84 eq 3389
access-list inet_in extended permit tcp any host a.b.57.84 eq https

! vpn ip pools:
ip local pool sslvpnpool 192.168.240.240-192.168.240.247
ip local pool ipsecvpnpool 192.168.240.230-192.168.240.237

global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vendorlan) 0 access-list nonat

access-group inet_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.56.1 1

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

management-access inside

group-policy VendorPolicy internal
group-policy VendorPolicy attributes
banner value Unauthorized access prohibited
dns-server value 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value vendorlan.customer.local
vlan none
address-pools value ipsecvpnpool

! This user is shared between IPSEC AND SSLVPN Access:
username testvpn password my.password
username testvpn attributes
password-storage enable
service-type remote-access

! IPSEC clients will connect to this ASA with Group Auth radio button checked,
! Group Name Vendor and Group Password is group.secret
tunnel-group Vendor type remote-access
tunnel-group Vendor general-attributes
address-pool ipsecvpnpool
default-group-policy VendorPolicy
tunnel-group Vendor ipsec-attributes
pre-shared-key group.secret

! SSL VPN Configs:

Set up the CA trustpoint and self-signed certificate:

crypto key generate rsa label sslvpnkeypair

crypto ca trustpoint localtrust
enrollment self
fqdn vpn.domain.local
subject-name CN=vpn.domain.local
keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm

crypto ca trustpoint localtrust
crl configure
ssl trust-point localtrust outside

webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.1025-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
banner value Customer Vendor VPN
banner value Unauthorized access prohibited
dns-server value 8.8.4.4
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value vendorlan.customer.local
vlan none
address-pools value sslvpnpool

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLVPN
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable

The split tunnel policy is also shared between both SSL and IPSEC configs.

Set up static NATs:
static (vendorlan,outside) a.b.57.84 192.168.240.10 netmask 255.255.255.255
static (inside,vendorlan) 192.168.240.10 192.168.240.10 netmask 255.255.255.255

When VPN clients connect they will not have internet access (the split-tunnel list carries only 192.168.240.0/24), nor will they be able to initiate connections to the 192.168.1.x customer main LAN. They will be able to connect only to the vendor server at 192.168.240.10.

Inside 192.168.1.x clients will be able to make HTTPS connections to 192.168.240.10. There is also an internal router (192.168.1.1) with a static route for 192.168.240.x pointed at the ASA. This route is not necessary for the configuration to work; it is there both to document the path to the .240 LAN and so that it can be redistributed into the IGP at a later date, allowing a remote LAN 192.168.2.x to also make HTTPS connections to the vendor server.
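As an added check (not part of the original page and not Cisco tooling), the following Python script parses the access-list, access-group and static lines from the config above and reports which real hosts and ports are reachable from the outside interface, so the vendor server's internet exposure can be confirmed to be exactly TCP 443 and 3389 rather than taken on trust. The sample text is the page's own lines (a.b.57.84 is the page's redacted public address); the ASA 8.2 syntax handled is limited to what those lines use.

```python
import re

# Constructed sample: the exposure-relevant lines copied from the ASA 8.2 config above.
ASA_CONFIG = """
access-list inet_in extended permit tcp any host a.b.57.84 eq 3389
access-list inet_in extended permit tcp any host a.b.57.84 eq https
access-group inet_in in interface outside
static (vendorlan,outside) a.b.57.84 192.168.240.10 netmask 255.255.255.255
static (inside,vendorlan) 192.168.240.10 192.168.240.10 netmask 255.255.255.255
"""

# ASA accepts well-known service names in place of port numbers (subset only).
PORT_NAMES = {"https": 443, "http": 80, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53}

# Only the forms used on this page: single-host destination with "eq <port>",
# and one-to-one statics written "static (real_if,mapped_if) mapped_ip real_ip".
ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+?) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")

def _port(token):
    return PORT_NAMES.get(token) or int(token)

def exposed_services(config, iface="outside"):
    """Return {(real_ip, proto, port)} reachable from `iface`: a permit in the
    ACL bound inbound on that interface whose mapped destination has a static
    NAT back to a real host. Entries without a static are not reachable."""
    inbound, statics, acl_lines = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := GROUP_RE.match(line):
            inbound[m.group(2)] = m.group(1)          # interface -> ACL name
        elif m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics[(mapped_if, mapped_ip)] = real_ip  # (iface, mapped) -> real
        elif m := ACL_RE.match(line):
            acl_lines.append(m.groups())
    result = set()
    for name, action, proto, _src, dst, port in acl_lines:
        if name != inbound.get(iface) or action != "permit":
            continue
        real = statics.get((iface, dst))
        if real is not None:
            result.add((real, proto, _port(port)))
    return result

# The exposure this design intends; anything beyond it is a finding.
ALLOWED = {("192.168.240.10", "tcp", 443), ("192.168.240.10", "tcp", 3389)}

def unexpected_exposure(config, allowed=ALLOWED, iface="outside"):
    return exposed_services(config, iface) - allowed
```

Run it again after every ACL or static change; a non-empty result from unexpected_exposure is the review trigger.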