Network Job Stuff – ASA 8.2 to 8.3+ equivalent config example, ASA Anyconnect (working) Template!


Not for the R/S exams, but real-world info that will probably help many engineers. Thank you again, Marufu, for this equivalency / mapping between 8.2 and 8.3+!!!


@@@@@@@ PORT FORWARDING ASA 8.2 CODE @@@@@@@@@

Port forward through the outside interface to the inside address 172.16.2.14 for ports 15515 and 15516; the outside interface address is 24.111.34.202. Note that in 8.2 the access list is written against the mapped (outside interface) address and port.


static (inside,outside) tcp interface 15515 172.16.2.14 15515 netmask 255.255.255.255 
static (inside,outside) tcp interface 15516 172.16.2.14 15516 netmask 255.255.255.255 
access-list inboundtraffic line 1 extended permit tcp any host 24.111.34.202 eq 15516
access-list inboundtraffic line 2 extended permit tcp any host 24.111.34.202 eq 15515


@@@@@@@ PORT FORWARDING ASA 8.3 and above CODE @@@@@@@@@

In 8.3 and later the NAT is attached to a network object, the service keywords are given as real port then mapped port (here real 3389 is published as 3392 on the outside interface), and the access list is written against the real (untranslated) address and port, so it references the object rather than the outside interface address.

object network clean 
host 10.100.0.46 
nat (inside,outside) static interface service tcp 3389 3392 

access-list acl_allow_in extended permit tcp any4 object clean eq 3389
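The argument-order change between the two versions (mapped port first in the 8.2 static line, real port first in the 8.3+ service clause) is where hand migrations usually go wrong, so here is a small converter for the "static ... interface" port-forward form used above. This is an added example, not code from the original post or from Cisco: the pf-... object names are a naming scheme chosen here, the input is the post's two 8.2 lines plus one constructed forward (real 3389 published as 3392) so that the port swap is visible, and the ACE source keyword any is carried over as written rather than rewritten to any4.

```python
# Added example (not from the original post): rewrite ASA 8.2 "static ... interface"
# port forwards and their ACEs into the 8.3+ object NAT form.
import re
from dataclasses import dataclass

# Constructed sample input: the two 8.2 statics from the post and their ACEs,
# plus a third forward (real 3389 -> mapped 3392) modelled on the 8.3 example.
ASA82_SAMPLE = """\
static (inside,outside) tcp interface 15515 172.16.2.14 15515 netmask 255.255.255.255
static (inside,outside) tcp interface 15516 172.16.2.14 15516 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 10.100.0.46 3389 netmask 255.255.255.255
access-list inboundtraffic line 1 extended permit tcp any host 24.111.34.202 eq 15516
access-list inboundtraffic line 2 extended permit tcp any host 24.111.34.202 eq 15515
access-list inboundtraffic line 3 extended permit tcp any host 24.111.34.202 eq 3392
"""

# 8.2 static PAT: static (real_if,mapped_if) proto interface MAPPED_PORT REAL_IP REAL_PORT netmask ...
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) interface "
    r"(?P<mapped_port>\d+) (?P<real_ip>\d+\.\d+\.\d+\.\d+) (?P<real_port>\d+) netmask 255\.255\.255\.255"
)
# 8.2 ACE written against the MAPPED (outside interface) address and port.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?:line \d+ )?extended permit (?P<proto>tcp|udp) "
    r"(?P<src>any) host (?P<mapped_ip>\d+\.\d+\.\d+\.\d+) eq (?P<mapped_port>\d+)"
)


@dataclass(frozen=True)
class PortForward:
    real_if: str
    mapped_if: str
    proto: str
    real_ip: str
    real_port: int
    mapped_port: int

    @property
    def object_name(self) -> str:
        # Hypothetical naming scheme chosen for this example; any valid ASA object name works.
        return f"pf-{self.real_ip.replace('.', '-')}-{self.proto}-{self.real_port}"


def parse_statics(text: str) -> dict:
    """Index 8.2 static PAT lines by (proto, mapped_port) so ACEs can be matched to them."""
    forwards = {}
    for line in text.splitlines():
        m = STATIC_RE.fullmatch(line.strip())
        if m:
            pf = PortForward(m["real_if"], m["mapped_if"], m["proto"], m["real_ip"],
                             int(m["real_port"]), int(m["mapped_port"]))
            forwards[(pf.proto, pf.mapped_port)] = pf
    return forwards


def convert(text: str) -> list:
    """Return the 8.3+ equivalent of the 8.2 statics and ACEs in `text`, one line per entry."""
    forwards = parse_statics(text)
    out = []
    for pf in forwards.values():
        out.append(f"object network {pf.object_name}")
        out.append(f" host {pf.real_ip}")
        # 8.3+ order is REAL port then MAPPED port, the reverse of the 8.2 static line.
        out.append(f" nat ({pf.real_if},{pf.mapped_if}) static interface "
                   f"service {pf.proto} {pf.real_port} {pf.mapped_port}")
    for line in text.splitlines():
        m = ACE_RE.fullmatch(line.strip())
        if not m:
            continue
        pf = forwards.get((m["proto"], int(m["mapped_port"])))
        if pf is None:
            raise ValueError(f"ACE has no matching static: {line.strip()}")
        # 8.3+ ACLs are evaluated against the real (untranslated) address and port,
        # so the object and the real port replace the interface address and mapped port.
        out.append(f"access-list {m['acl']} extended permit {pf.proto} {m['src']} "
                   f"object {pf.object_name} eq {pf.real_port}")
    return out


if __name__ == "__main__":
    print("\n".join(convert(ASA82_SAMPLE)))
```

ACEs are matched to their static by mapped port, so an ACE that opens a port no static publishes raises instead of being silently rewritten; that is the case worth catching, because on 8.3+ such an ACE would otherwise be written against an address the firewall never translates.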


NOW AN EQUALLY CONCISE AND AMAZING EXAMPLE OF ANYCONNECT CONFIGS!

Big thank you to Alex M from my job for this config example, which I now pass along to the next network engineer scrambling to find a template for an AnyConnect configuration that is STRAIGHT FORWARD:


ANYCONNECT CONFIG:
object-group network client-nets
network-object 192.168.255.0 255.255.255.0
object-group network vpn-nets
group-object client-nets
exit

access-list outboundtraffic permit ip object-group local-nets object-group vpn-nets
access-list clientmatch permit ip object-group local-nets object-group client-nets

nat (inside,outside) source static any any destination static client-nets client-nets no-proxy-arp route-lookup

webvpn
port 40444
enable outside
anyconnect image disk0:/anyconnect-win-4.3.05017-k9.pkg
svc enable
tunnel-group-list enable
exit

ip local pool vpnpool 192.168.255.10-192.168.255.50 mask 255.255.255.0

group-policy genericvpn internal
group-policy genericvpn attributes
dns-server value 172.16.0.10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value clientmatch
vpn-tunnel-protocol ssl-client ssl-clientless
exit
tunnel-group genericvpn type remote-access
tunnel-group genericvpn general-attributes
authentication-server-group LOCAL
address-pool vpnpool
default-group-policy genericvpn
exit
tunnel-group genericvpn webvpn-attributes
group-url https://100.100.100.100:40444/g3ner1cVPN enable
exit

crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set aes256sha
crypto map vpnmap 255 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
crypto ikev1 enable outside
crypto isakmp enable outside
crypto isakmp identity address
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 43200
exit


You could actually just change a few values and paste that into the CLI. Thanks again for that awesome template, Alex!!!

Wanted to throw some work notes up before they get lost; I may throw more up as time goes on, but for now back to the CCNP GRIND!!!
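Changing a few values is exactly where a template breaks: the pool gets moved but the client-nets object does not, or the webvpn port changes but the group-url keeps the old one. The checker below is an added example, not part of the post or of Alex's template: it parses the template above (crypto section left out, since it takes no part in these checks) and confirms that the pool sits inside the NAT-exemption object-group, that every group-url port matches the webvpn port, that the split-tunnel ACL and default group policy are defined, and that any object-group an ACL references is defined. On the template as written it reports one thing only: local-nets is referenced by both ACLs but defined nowhere in the snippet, so it has to exist on the box already.

```python
# Added example (not from the original post): consistency checks to run on an
# edited copy of the AnyConnect template before pasting it. Requires Python 3.8+.
import ipaddress
import re

# The post's template, crypto section omitted, otherwise quoted as written.
TEMPLATE = """\
object-group network client-nets
network-object 192.168.255.0 255.255.255.0
object-group network vpn-nets
group-object client-nets
exit
access-list outboundtraffic permit ip object-group local-nets object-group vpn-nets
access-list clientmatch permit ip object-group local-nets object-group client-nets
nat (inside,outside) source static any any destination static client-nets client-nets no-proxy-arp route-lookup
webvpn
port 40444
enable outside
exit
ip local pool vpnpool 192.168.255.10-192.168.255.50 mask 255.255.255.0
group-policy genericvpn internal
group-policy genericvpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value clientmatch
exit
tunnel-group genericvpn general-attributes
address-pool vpnpool
default-group-policy genericvpn
exit
tunnel-group genericvpn webvpn-attributes
group-url https://100.100.100.100:40444/g3ner1cVPN enable
exit
"""


def parse(text: str) -> dict:
    """Pull out only the cross-referenced pieces of the template."""
    cfg = {"groups": {}, "acls": {}, "policies": set(), "urls": []}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"object-group network (\S+)", line):
            group = m[1]
            cfg["groups"][group] = []
        elif m := re.fullmatch(r"network-object ([\d.]+) ([\d.]+)", line):
            cfg["groups"][group].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.fullmatch(r"group-object (\S+)", line):
            cfg["groups"][group].append(m[1])  # nested group, resolved in networks()
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].setdefault(m[1], []).extend(re.findall(r"object-group (\S+)", line))
        elif m := re.fullmatch(r"nat \(\S+\) source static any any destination static (\S+) \S+.*", line):
            cfg["nat_dest"] = m[1]
        elif m := re.fullmatch(r"port (\d+)", line):
            cfg["webvpn_port"] = int(m[1])
        elif m := re.fullmatch(r"group-url https://[^/:]+:(\d+)/\S+ enable", line):
            cfg["urls"].append(int(m[1]))
        elif m := re.fullmatch(r"ip local pool (\S+) ([\d.]+)-([\d.]+) mask \S+", line):
            cfg["pool"] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.fullmatch(r"group-policy (\S+) internal", line):
            cfg["policies"].add(m[1])
        elif m := re.fullmatch(r"default-group-policy (\S+)", line):
            cfg["default_policy"] = m[1]
        elif m := re.fullmatch(r"split-tunnel-network-list value (\S+)", line):
            cfg["split_acl"] = m[1]
    return cfg


def networks(cfg: dict, name) -> list:
    """Flatten an object-group, following group-object references, into ip_network objects."""
    out = []
    for item in cfg["groups"].get(name, []):
        out.extend(networks(cfg, item) if isinstance(item, str) else [item])
    return out


def check(text: str) -> list:
    """Return human-readable findings; an empty list means every cross-reference lines up."""
    cfg = parse(text)
    findings = []
    dest = cfg.get("nat_dest")
    exempt = networks(cfg, dest)
    if not exempt:
        findings.append(f"NAT exemption destination '{dest}' is not a defined object-group")
    lo, hi = cfg["pool"]
    if not any(lo in n and hi in n for n in exempt):
        findings.append(f"pool {lo}-{hi} is not inside NAT exemption object-group '{dest}'")
    wrong = [p for p in cfg["urls"] if p != cfg.get("webvpn_port")]
    if wrong:
        findings.append(f"group-url port(s) {wrong} do not match webvpn port {cfg.get('webvpn_port')}")
    if cfg.get("split_acl") not in cfg["acls"]:
        findings.append(f"split-tunnel ACL '{cfg.get('split_acl')}' is not defined")
    if cfg.get("default_policy") not in cfg["policies"]:
        findings.append(f"default-group-policy '{cfg.get('default_policy')}' is not defined")
    missing = sorted({g for refs in cfg["acls"].values() for g in refs if g not in cfg["groups"]})
    if missing:
        findings.append(f"object-group(s) {missing} are referenced by ACLs but not defined in this snippet")
    return findings


if __name__ == "__main__":
    for finding in check(TEMPLATE):
        print(finding)
```

The pool check is the one that matters most: if the pool falls outside the object named in the nat ... destination static line, client traffic is no longer exempted from NAT and the tunnel comes up but passes nothing useful.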
