Archive for August, 2015

A database availability group (DAG) is a high availability and data recovery feature of Exchange Server, introduced with Exchange 2010. Any DAG member server can host a copy of a mailbox database from any other server in the DAG, and DAG members provide automatic recovery from database failures (disk, server, or network).

In this example I created a DAG with two members (m1 and m2).

It’s advisable (but not necessary) to have a separate DAG subnet (replication network); in this example, subnet 10.10.10.0 was used as the replication network. If a DAG replication network is configured, it needs to be exempted from DNS registration.

The Register this connection’s addresses in DNS check box has to be unchecked:

192.168.0.0 is the LAN (MAPI) network to which the client computers are connected.

Prestaging CNO in Active Directory

One of the first steps in DAG configuration is to pre-stage the Cluster Name Object (CNO) in Active Directory. The CNO provides an identity for the DAG and the cluster; it is a computer object in AD.

On a domain controller, create a new computer object and add Full Control permissions for Exchange Trusted Subsystem and the first DAG member (m1).

Exchange Trusted Subsystem is a highly privileged group: it has read/write access to every Exchange-related object in all Exchange-prepared domains in the forest.

Enable Advanced Features (this is necessary to show the Security tab of the newly created object).

Click on the Security tab, add Exchange Trusted Subsystem and m1 (check Computers under Object Types) and give them Full Control.

And finally disable the dag computer account:

Configuring witness server (quorum.ja.com)

The witness server hosts a shared folder for the DAG and is used to maintain quorum (the configuration in a failover cluster that determines the number of failures the cluster can sustain while still remaining online).

More about quorum: http://blogs.msdn.com/b/clustering/archive/2011/05/27/10169261.aspx

The witness server is only used (only has a vote) when there is an even number of nodes in the DAG. You can use a domain controller as the witness server, but it is not recommended, and a DAG member cannot be configured as the witness server. A DAG must have quorum to mount databases; if it loses quorum, the mailbox databases are dismounted. Each DAG member participates in voting. The formula for the number of votes needed to keep the cluster online is (number of nodes / 2) + 1. In our case, with 2 nodes, we need 2 online votes for the cluster to be up and running. In normal circumstances the witness is not needed, because both DAG members are online, but if one of the DAG nodes goes down, the remaining DAG member uses the witness server to keep the cluster online (the witness gives its vote). But if we restart the witness server in that state, the database dismounts until the failed DAG member comes back online.
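The vote counting above, worked through as an added example (not from the original post): a small Python model of the Node and File Share Majority rule, checking the three two-member situations the paragraph describes (both members up, one member down with the witness up, one member down with the witness also restarted). Server names m1 and m2 are the post's; how the count is modelled is an assumption of this example, not Exchange code.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DagState:
    """Snapshot of a DAG: all members, the members currently online,
    and whether the file share witness is reachable."""
    members: frozenset
    online: frozenset
    witness_online: bool


def witness_has_vote(member_count: int) -> bool:
    # Node and File Share Majority: the witness only gets a vote when the
    # number of DAG members is even, so the total number of voters is odd.
    return member_count % 2 == 0


def votes_required(member_count: int) -> int:
    # Majority of all voters: (voters / 2) + 1 with integer division.
    voters = member_count + (1 if witness_has_vote(member_count) else 0)
    return voters // 2 + 1


def votes_online(state: DagState) -> int:
    count = len(state.online & state.members)
    if witness_has_vote(len(state.members)) and state.witness_online:
        count += 1
    return count


def has_quorum(state: DagState) -> bool:
    """True while enough votes are online for databases to stay mounted."""
    return votes_online(state) >= votes_required(len(state.members))


def two_member_scenarios() -> dict:
    """The three situations described in the post, for a DAG of m1 and m2
    (constructed scenarios)."""
    members = frozenset({"m1", "m2"})
    return {
        "both members online, witness online":
            has_quorum(DagState(members, members, True)),
        "m1 down, witness online":
            has_quorum(DagState(members, frozenset({"m2"}), True)),
        "m1 down, witness restarted":
            has_quorum(DagState(members, frozenset({"m2"}), False)),
    }


if __name__ == "__main__":
    for scenario, up in two_member_scenarios().items():
        outcome = "databases stay mounted" if up else "quorum lost, databases dismount"
        print(f"{scenario}: {outcome}")
```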

We must add Exchange Trusted Subsystem to the local Administrators group on the witness server. In this example, quorum.ja.com is the witness server. In the Run box, type lusrmgr.msc and add Exchange Trusted Subsystem to the local Administrators group:

On the witness server, open the ports for File and Printer Sharing, port 135 (for RPC connections) and Remote Administration:

netsh firewall set service RemoteAdmin enable
netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135

Creating DAG

Using ECP:

Click Servers - Database Availability Groups and the plus (+) sign.

Enter the DAG name, the witness server, the path to the shared folder on the witness server (you don’t need to create that folder manually; it will be created automatically), and the DAG IP address (an address from the LAN/MAPI network).

Using PowerShell:

[PS] C:\Users\administrator.JA\Desktop>New-DatabaseAvailabilityGroup -Name dag -WitnessServer quorum.ja.com -WitnessDirectory c:\DAG -DatabaseAvailabilityGroupIpAddresses 192.168.0.60

Note! If you get the error “The Exchange Trusted Subsystem is not a member of the local Administrators group on specified witness server <ServerName>.” and you have already added Exchange Trusted Subsystem to the local Administrators group, just ignore that warning:

https://support.microsoft.com/en-us/kb/2644540

On the witness server, the shared DAG folder is created automatically; the CNO object dag we created earlier has full share permissions. (That’s why we added Exchange Trusted Subsystem to the local Administrators group on the witness server.)

Adding DAG members

We now need to add m1 and m2 as DAG members.

Using ECP:

Click the marked icon (the “cog” sign with the server symbol).

Click + and add DAG members

PowerShell:

[PS] C:\Users\administrator.JA\Desktop>Add-DatabaseAvailabilityGroupServer -Identity dag -MailboxServer m1
[PS] C:\Users\administrator.JA\Desktop>Add-DatabaseAvailabilityGroupServer -Identity dag -MailboxServer m2

On both DAG members (m1 and m2), the Failover Clustering feature is installed, with the Node and File Share Majority quorum model.

Configuring Database Copies

During the Exchange install, the mailbox database “Mailbox Database 0677329633” was created. We want to replicate this database to the m2 DAG member Exchange server (where no databases exist).

Using ECP:

Click Servers - Databases, select the database we want to replicate and then click on the “three dots”.

Click on Add Database copy

Type the database name, click Browse and select the server to which you want to replicate the database (m2). The activation preference number (during database activation, when multiple database copies satisfy the criteria for activation, the activation preference number decides which database copy is activated) is automatically set to the next available number, 2 (m1 already hosts the database with preference number 1).

PowerShell:

[PS] C:\Users\administrator.JA\Desktop>Add-MailboxDatabaseCopy -Identity "Mailbox Database 0677329633" -MailboxServer m2 -ActivationPreference 2

On m2, the database folder is created automatically:

In the Exchange Control Panel we can see that the database is hosted on both servers:

Or with PowerShell:

[PS] C:\Users\administrator.JA\Desktop>Get-MailboxDatabaseCopyStatus -Identity "Mailbox Database 0677329633" | ft

Moving Database Copy between DAG members

In this example we will move “Mailbox Database 0677329633” from m1 to m2. This is a planned “switchover”.

Using ECP:

On m1 select the database and click Activate.

PowerShell:

[PS] C:\Users\administrator.JA\Desktop>Move-ActiveMailboxDatabase "Mailbox Database 0677329633" -ActivateOnServer m2 -MountDialOverride:None -Confirm:$false

The MountDialOverride values:

-MountDialOverride:None - m2 mounts the database using its own defined database auto mount dial settings.
-MountDialOverride:GoodAvailability - the database automatically mounts immediately after a failover if the copy queue length is less than or equal to six. The copy queue length is the number of logs recognized by the passive copy that need to be replicated. If the copy queue length is more than six, the database doesn’t automatically mount. When the copy queue length is less than or equal to six, Exchange attempts to replicate the remaining logs to the passive copy and mounts the database.
-MountDialOverride:BestAvailability - the database automatically mounts immediately after a failover if the copy queue length is less than or equal to 12.
-MountDialOverride:Lossless - the database doesn’t automatically mount until all logs that were generated on the active copy have been copied to the passive copy.

Conclusion

DAGs only provide high availability for mailbox databases, not for the other Exchange Server roles. Database availability groups provide a high availability solution in single data center environments, but are not suited to stretched DAGs.

The Autodiscover service automatically configures Outlook and some mobile phones. The Autodiscover service returns the following information to the client:

- The user’s display name
- Separate connection settings for internal and external connectivity
- The location of the user’s Mailbox server
- The URLs for various Outlook features such as free/busy information, Unified Messaging, and the offline address book
- Outlook Anywhere server settings

More about Autodiscover: https://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx

For users on the internal network the Autodiscover service works without any settings, but for users outside the corporate network, for Autodiscover to configure their clients, we must install a SAN (Subject Alternative Name) certificate on the Exchange server. In the SAN certificate we must specify the public name of the Exchange server, the OWA, Outlook Anywhere and ActiveSync names, and the Autodiscover name (http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/). These certificates must be obtained from a third-party CA (Certification Authority).

I got Exchange up and running in the previous blog post. In this one I will configure Autodiscover for users outside the internal network. I used a certificate from https://www.startssl.com; you get a free certificate, but for only one domain name.

Requesting a certificate

I created a certificate request for mejl.bigfirm.info (the public name of my Exchange server).

On the Exchange server, in the IE address bar type https://servername/ecp, go to Servers - Certificates and click the plus sign (+).

Choose Create a request for a certificate from a certification authority and click Next.

Choose a name and click Next.

Click Next again.

Click Browse, choose your Exchange server and click Next.

Here specify the external and internal URLs for Autodiscover, ActiveSync, OWA (Outlook Web Access) and the offline address book (OAB),

and on this page specify the domain names which will appear in the certificate. Because the free certificate I am going to issue accepts only one name, I set the name of my server; if you are creating a request for a SAN certificate, here you can add the names for OWA, Autodiscover and the Exchange server itself.

Fill in these fields as needed and click Next.

Specify the location for the request file and click Finish.

Go to https://www.startssl.com, sign up, click the Certificates Wizard tab, from Certificate Target choose Web Server and click Continue.

Click Skip (we already created the request).

Paste the content of the 1.req file and click Continue.

Click Next and choose a name for the certificate.

It takes about half an hour for the certificate to be ready; we get an email when it is.

In the meantime, import the StartSSL Root CA on the Exchange server and on all client machines which need Outlook configuration when outside the corporate network:

Click Toolbox - StartCom CA Certificates.

Click Server Certificate Bundle with CRLs (PEM encoded) and save it to your computer.

On the client computers and the Exchange server, import these certificates into the Trusted Root Certification Authorities container.

Verify the CAs are in place:

On the Exchange server, after importing StartSSL’s CA, set the internal and external URLs for all virtual directories (I chose the same name for internal and external).

Obtaining server certificates

When we get the email that the StartSSL certificate is ready, go to Toolbox - Retrieve Certificate and choose the certificate from the drop-down menu.

Copy the certificate (from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE-----) to the Exchange server, into a file with a .CER extension.

To issue the certificate, in ECP click Complete and enter the path to the .CER file.

Because autodiscover.bigfirm.info is not in the certificate, I had to create an SRV record for the Autodiscover service on the public DNS server:

  • Priority: the priority of this target host. A client must attempt to contact the target host with the lowest-numbered priority it can reach. The range is 0-65535.
  • Weight: a load-balancing mechanism. When selecting a target host among those that have the same priority, the chance of trying this one first should be proportional to its weight. Larger weights SHOULD be given a proportionately higher probability of being selected. The range is 0-65535.

Check the SRV record:

Testing

First try to access the autodiscover.xml file from a browser; if you get this page, the Autodiscover service works. Error code 600 is shown because the Autodiscover service expects an HTTP POST from Outlook, not an HTTP GET from Internet Explorer.

One nice tool for testing Autodiscover is the Microsoft Remote Connectivity Analyzer (https://testconnectivity.microsoft.com).

The tool first checks https://bigfirm.info/Autodiscover/Autodiscover.xml,

then tries the redirect check: GET http://autodiscover.bigfirm.info/Autodiscover/Autodiscover.xml,

then tries a DNS SRV lookup for _autodiscover._tcp.bigfirm.info; if the record exists, “mejlovi.bigfirm.info” is returned, and Autodiscover posts its request to https://mejlovi.bigfirm.info/autodiscover/autodiscover.xml.
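The lookup order just described, together with the SRV priority/weight rules quoted under the SRV record above, as an added example (not from the original post): an offline Python model with a constructed stub resolver. bigfirm.info and mejlovi.bigfirm.info are the names the post uses; the backup SRV record, the rng parameter and the weighted-selection helper are constructed for this example, and the last function lists which host names a client connects to over HTTPS during the lookup, which is where the certificate names matter.

```python
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed DNS answers standing in for the public zone; the second record
# is a hypothetical backup target added only to show priority handling.
CONSTRUCTED_DNS = {
    "_autodiscover._tcp.bigfirm.info": [
        SrvRecord(priority=10, weight=0, port=443, target="backup.bigfirm.info"),
        SrvRecord(priority=0, weight=0, port=443, target="mejlovi.bigfirm.info"),
    ],
}


def lookup_srv(name: str) -> list[SrvRecord]:
    """Stub resolver: returns the constructed answers, or nothing."""
    return CONSTRUCTED_DNS.get(name, [])


def select_srv_target(records: list[SrvRecord], rng=random.random):
    """Pick a target: the lowest-numbered priority wins; among records with
    that priority, choose at random with probability proportional to weight."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return group[0]  # all weights zero: any of them may be tried first
    point = rng() * total  # rng() is in [0, 1), so point is in [0, total)
    running = 0
    for record in group:
        running += record.weight
        if point < running:
            return record
    return group[-1]


def autodiscover_candidates(smtp_domain: str, resolve=lookup_srv, rng=random.random):
    """Endpoints in the order the connectivity analyzer walks them: HTTPS on
    the root domain, HTTPS on the autodiscover host, the HTTP redirect check,
    and finally the SRV target."""
    path = "/Autodiscover/Autodiscover.xml"
    candidates = [
        ("POST", f"https://{smtp_domain}{path}"),
        ("POST", f"https://autodiscover.{smtp_domain}{path}"),
        ("GET", f"http://autodiscover.{smtp_domain}{path}"),
    ]
    srv = select_srv_target(resolve(f"_autodiscover._tcp.{smtp_domain}"), rng)
    if srv is not None:
        host = srv.target if srv.port == 443 else f"{srv.target}:{srv.port}"
        candidates.append(("POST", f"https://{host}/autodiscover/autodiscover.xml"))
    return candidates


def tls_names_touched(candidates) -> set[str]:
    """Host names contacted over HTTPS during the lookup; every one the client
    actually reaches must be covered by the certificate's names."""
    return {url.split("/")[2].split(":")[0]
            for _method, url in candidates if url.startswith("https://")}


if __name__ == "__main__":
    for method, url in autodiscover_candidates("bigfirm.info"):
        print(method, url)
    print("names the certificate must cover:", sorted(tls_names_touched(autodiscover_candidates("bigfirm.info"))))
```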

Outlook should now be able to configure the account automatically.

Building Home Lab for Exchange 2013

Posted: August 16, 2015 in Exchange

In an earlier blog post I installed Exchange Server 2013 as a Hyper-V guest. In this one we will configure Exchange to receive and send mail. I stumbled across two issues: I have a dynamic IP and was unable to send mail (I got blacklisted), and for incoming messages I had to forward port 25 to another port (1194) on the router my ISP gave me (192.168.0.45 is the IP address of my Exchange server).

To send email to the outside world I found an SMTP relay service on this blog: http://www.wallacetech.co.uk/?p=573

So, on my Exchange server I created a new send connector.

This connector will send messages for all domains (*) and will use dc.bigfirm.biz (the DC and Exchange are installed on the same server; in a production environment this should be avoided).

For internal users to receive mail,we need to create receive connector,i used PowerShell:

[PS] C:\Windows\system32>New-ReceiveConnector "my receive connector" -Bindings 192.168.0.45:1194 -RemoteIPRanges 0.0.0.0-255.255.255.255 -RequireTLS $false -ProtocolLoggingLevel verbose -PermissionGroups anonymoususers -MaxMessageSize 38MB -MaxLocalHopCount 12

This connector listens on 192.168.0.45 (the Exchange server address), port 1194, for any IP address (0.0.0.0-255.255.255.255); protocol logging is enabled and the maximum allowed email size is 38 MB. The MaxLocalHopCount parameter specifies the maximum number of local hops a message can take before it is rejected by the Receive connector.

I created an AD domain named bigfirm.biz; it’s for local use only, I have not registered this domain.

But for this lab I bought the bigfirm.info domain from GoDaddy to test mail flow. During the Exchange install I specified bigfirm.biz as the default accepted domain. An accepted domain is an SMTP namespace for which Exchange will accept email. Now I must tell Exchange that the default accepted domain is bigfirm.info:

[PS] C:\Windows\system32>New-AcceptedDomain -name bigfirm -DomainName bigfirm.info -DomainType authoritative

We must configure new domain in default email policy also:

[PS] C:\Windows\system32>Set-EmailAddressPolicy "default policy" -EnabledEmailAddressTemplates SMTP:@bigfirm.info

[PS] C:\Windows\system32>Update-EmailAddressPolicy "default policy"

Testing

On GoDaddy, in the DNS console, I created an MX record and pointed it to my physical machine (a Host A record with my current public IP address).

For internal users we also need to create a DNS MX (Mail Exchanger) record in the bigfirm.biz DNS zone.

This record sets dc.bigfirm.biz as the mail server for the bigfirm.biz domain (although it will send mail for bigfirm.info).

I created a test user (this command creates the user in AD as well as its mailbox):

[PS] C:\Windows\system32>New-Mailbox -UserPrincipalName don.hall@bigfirm.biz -Name "Don Hall" -OrganizationalUnit Users -FirstName Don -LastName Hall -DisplayName "Don Hall" -ResetPasswordOnNextLogon $false -Password (ConvertTo-SecureString -AsPlainText -Force Passw0rd06)

I logged the new user in on a client computer and started Outlook; the mail profile is created automatically.

For testing I used the 10 Minute Mail portal: http://10minutemail.com/10MinuteMail/index.html

and from the don.hall@bigfirm.info account sent an email to this temporary account:

I replied to Don Hall:

And the message landed in Don Hall’s inbox:

A simple PowerShell script which performs an unattended install of the Windows Server 2012 roles and components needed for Exchange, prepares AD and the schema and finally installs Exchange.

Exchange setup (trial): https://www.microsoft.com/en-us/evalcenter/evaluate-exchange-server-2013

Filter Pack for Microsoft Office 2010: http://www.microsoft.com/en-us/download/details.aspx?id=17062
Service Pack 1 for Microsoft Office Filter Pack 2010: http://www.microsoft.com/en-us/download/details.aspx?id=26604

Unified Communications Managed API (UCMA) 4.0: http://www.microsoft.com/en-US/download/details.aspx?id=34992

I put all the above files in the c:\preinstall folder, but you can change the path in the script:

Write-Host "----------------------------"
Write-Host "                            "
Write-Host "Silent Exchange 2013 install"
Write-Host "                            "
Write-Host "----------------------------"

# Folder holding the downloaded installers (change this if you used another path)
$preinstall = "C:\preinstall"

do {
    [int]$userMenuChoice = 0
    while ($userMenuChoice -lt 1 -or $userMenuChoice -gt 3) {
        Write-Host "1. Install Exchange Prerequisites"
        Write-Host "2. Prepare Schema, AD and install Exchange 2013"
        Write-Host "3. Quit and Exit"

        [int]$userMenuChoice = Read-Host "Please choose an option"

        switch ($userMenuChoice) {
            1 {
                # Create the Temp folder if it doesn't exist
                New-Item -ItemType Directory -Force -Path C:\Temp
                Set-Location $preinstall
                # Run each installer and wait for it to finish before starting the next one
                Start-Process -FilePath ".\UcmaRuntimeSetup.exe" -ArgumentList "/passive /norestart" -Wait
                Start-Process -FilePath ".\FilterPack64bit.exe" -ArgumentList "/passive /norestart" -Wait
                Start-Process -FilePath ".\filterpack2010sp1-kb2460041-x64-fullfile-en-us.exe" -ArgumentList "/passive /norestart" -Wait
                # Extract the Exchange setup files
                Start-Process -FilePath ".\Exchange-x64.exe" -ArgumentList "/extract:C:\Temp\Exchange2013-x64 /u" -Wait
                # Install the required roles and features; the server restarts when this finishes
                Install-WindowsFeature RSAT-ADDS, AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation -Restart
            }
            2 {
                Set-Location "C:\Temp\Exchange2013-x64"
                # Prepare the schema, prepare AD (creating the organization) and install the Mailbox and CAS roles
                .\Setup.exe /IAcceptExchangeServerLicenseTerms /ps
                .\Setup.exe /IAcceptExchangeServerLicenseTerms /preparead /organizationname:bigfirm
                .\Setup.exe /IAcceptExchangeServerLicenseTerms /mode:install /r:mb,ca /MdbName:bigfirm_db01 /on:bigfirm
                # If you wish to restart the computer, uncomment the next line
                #Restart-Computer -Force
            }
            3 { Write-Host "Exiting" }
            default { Write-Host "Nothing selected" }
        }
    }
} while ($userMenuChoice -ne 3)

Port forwarding in ASA

Posted: August 11, 2015 in CISCO

In this example we will configure ASA-1 to allow us to connect from the XP machine 50.50.50.10 to another XP machine (172.16.3.10).

ASA1 configuration:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.16.3.2 255.255.255.0
!

access-list 130 extended permit ip 50.50.50.0 255.255.255.0 172.16.3.0 255.255.255.0

access-group 130 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.20.2

ASA2 configuration:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 50.50.50.2 255.255.255.0
!

access-list 120 extended permit ip 172.16.3.0 255.255.255.0 50.50.50.0 255.255.255.0

access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 20.20.20.2

R1:

interface FastEthernet0/0
ip address 10.10.20.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 50.50.50.0 255.255.255.0 20.20.20.1
ip route 172.16.3.0 255.255.255.0 10.10.20.1

Enabling remote access on ASA-1

!create an object for the machine we need access to (172.16.3.10)
ciscoasa(config)# object network xp
ciscoasa(config-network-object)# host 172.16.3.10
!traffic addressed to the outside ASA-1 interface (10.10.20.1) on port 3389 is translated to 172.16.3.10 on port 3389
!we will RDP to 10.10.20.1:3389 and it will be translated to 172.16.3.10:3389
ciscoasa(config-network-object)# nat (any,outside) static interface service tcp 3389 3389
ciscoasa(config-network-object)# exit
!create a service object-group named rdp of type tcp
ciscoasa(config)# object-group service rdp tcp
!port number 3389
ciscoasa(config-service-object-group)# port-object eq 3389
ciscoasa(config-service-object-group)# exit
!ACL to permit tcp from the outside interface and port 3389 to the XP machine at 172.16.3.10 on port 3389
ciscoasa(config)# access-list 140 extended permit tcp interface outside eq 3389 object xp object-group rdp

RDP from 50.50.50.10 to 10.10.20.1:

We are redirected to 172.16.3.10:

In this example an IPsec site-to-site VPN tunnel (using a pre-shared key) is configured between routers R1 and R2.

That traffic is NAT-ed on the ASA and, on its way from the inside to the outside, it appears as if it originated from the outside.

In my previous posts I was writing about IPsec policies, so I won’t go into further explanations.

R1:

interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
ip nat inside
interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0
ip nat outside
ip route 0.0.0.0 0.0.0.0 10.10.10.1

NAT configuration on R1:

!pool of IP addresses used for NAT translation
R1(config)#ip nat pool nat_pool 10.10.10.40 10.10.10.50 netmask 255.255.255.0
!exclude the "interesting traffic" (the traffic that goes through the VPN tunnel) from NAT
R1(config)#access-list 130 deny ip 20.20.20.0 0.0.0.255 172.16.3.0 0.0.0.255
!and allow clients from the inside network access to the outside
R1(config)#access-list 130 permit ip 20.20.20.0 0.0.0.255 any
!translate IP addresses of inside hosts to the addresses defined in nat_pool
R1(config)#ip nat inside source list 130 pool nat_pool

IPSec configuration on R1

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share !authentication
R1(config-isakmp)#encryption aes 256       !encryption
R1(config-isakmp)#hash sha                 !hash algorithm
R1(config-isakmp)#group 5                  !DH group
R1(config-isakmp)#lifetime 3600            !lifetime
R1(config)#crypto isakmp key mykey address 30.30.30.2
R1(config)#crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!Encrypted traffic
R1(config)#access-list 101 permit ip 20.20.20.0 0.0.0.255 172.16.3.0 0.0.0.255
R1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#match address 101                  !ACL 101
R1(config-crypto-map)#set peer 30.30.30.2                !R2's interface
R1(config-crypto-map)#set transform-set myset            !transform set created earlier
R1#config t
R1(config)#int f0/1
R1(config-if)#crypto map mymap

IPSec configuration on R2

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share !authentication
R2(config-isakmp)#encryption aes 256       !encryption
R2(config-isakmp)#hash sha                 !hash algorithm
R2(config-isakmp)#group 5                  !DH group
R2(config-isakmp)#lifetime 3600            !lifetime
R2(config)#crypto isakmp key mykey address 10.10.10.2
R2(config)#crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!Encrypted traffic
R2(config)#access-list 101 permit ip 172.16.3.0 0.0.0.255 20.20.20.0 0.0.0.255
R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#match address 101                  !ACL 101
R2(config-crypto-map)#set peer 10.10.10.2                !R1's interface
R2(config-crypto-map)#set transform-set myset            !transform set created earlier
R2#config t
R2(config)#int f0/0
R2(config-if)#crypto map mymap

 

Configuring ASA:

!permit encapsulated traffic through the firewall
ciscoasa(config)# access-list 101 extended permit esp any host 30.30.30.2
ciscoasa(config)# access-group 101 in interface outside
!create an object for the address to which inside traffic will be translated (30.30.30.120)
ciscoasa(config)# object network ASA
ciscoasa(config-network-object)# host 30.30.30.120
!create an object for the inside network and translate it statically to the ASA object
ciscoasa(config-network-object)# object network inside_net
ciscoasa(config-network-object)# subnet 172.16.3.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) static ASA

Ping from the 172.16.3.0 network to the 20.20.20.0 network:

Traffic captured between the ASA and R1 is encrypted (ESP):

Encapsulated traffic is translated from the inside address (172.16.3.10) to 30.30.30.120, an “imagined” public IP address:

ciscoasa(config-network-object)# sh xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:172.16.3.0/24 to outside:30.30.30.120
flags s idle 0:07:51 timeout 0:00:00

We’ll allow a client from the internet to securely access the corporate networks (172.16.3.0 and 30.30.30.0) while access to the internet (192.168.12.0) will remain unsecured.

I used static routes this time:

ASA config:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 30.30.30.1 255.255.255.0
!

route outside 0.0.0.0 0.0.0.0 20.20.20.2 1
route inside 172.16.3.0 255.255.255.0 30.30.30.2 1

R2:

interface FastEthernet0/0
ip address 30.30.30.2 255.255.255.0

!
interface FastEthernet0/1
ip address 172.16.3.1 255.255.255.0
!

ip route 0.0.0.0 0.0.0.0 30.30.30.1

INTERNET:

interface FastEthernet0/0
ip address 10.10.10.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet1/0
ip address 20.20.20.2 255.255.255.0
 
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1

I installed a TFTP server on 172.16.3.10 and uploaded the asdm-647.bin file, which we will copy to the ASA in order to install the ASDM application on XP and have GUI access to the ASA configuration.

I also downloaded anyconnect-win-3.1.05178-k9.pkg and copied it to the TFTP server:

ciscoasa(config)#copy tftp://172.16.3.10/asdm-647.bin flash:/asdm.bin
ciscoasa(config)#copy tftp://172.16.3.10/anyconnect-win-3.1.05178-k9.pkg disk0:
ciscoasa(config)#http server enable
ciscoasa(config)#http 172.16.3.0 255.255.255.0 inside
!create the address pool for VPN clients
ciscoasa(config)#ip local pool vpn_pool 192.168.1.1-192.168.1.3 mask 255.255.255.0
!permit traffic arriving on the outside interface that is destined for the 172.16.3.0 network
ciscoasa(config)#access-list inside_to_outside extended permit ip any 172.16.3.0 255.255.255.0
ciscoasa(config)#access-group inside_to_outside in interface outside
!define the traffic which needs to be tunneled
ciscoasa(config)#access-list tunnel_traffic standard permit 30.30.30.0 255.255.255.0
ciscoasa(config)#access-list tunnel_traffic standard permit 172.16.3.0 255.255.255.0

From XP (172.16.3.10) enter https://30.30.30.1 in the browser, download the setup, install the newest Java and run the app.

After connecting to the ASA click Wizards - VPN Wizards - AnyConnect VPN Wizard.

Type a name for the profile, choose outside and click Next.

Uncheck IPsec (I didn’t use a digital certificate) and click Next.

Click Add, browse the disk and add the package.

Enter the username and password for the VPN user.

Add the VPN pool we created earlier.

Add a DNS server (I used Google’s).

Exclude VPN traffic from NAT.

Click Group Policy on the left, select the policy we’ve just created (VPN) on the right and click Edit.

Uncheck the check boxes beside Policy and Network List and set the drop-down menus as in the picture.

(The tunnel traffic is what we defined earlier in the access list.)

I played a bit with NAT. Suppose we have one public IP address; if we want to translate inside addresses to this public address when traffic leaves the inside interface, we would type the following commands:

ciscoasa(config)# object network vpn_server
ciscoasa(config-network-object)# host 20.20.20.5
ciscoasa(config-network-object)# nat (inside,outside) static vpn_server

On the VPN client (10.10.10.10) install anyconnect-win-3.1.07021-pre-deploy-k9.msi and try to connect to 20.20.20.1 (the outside ASA interface).

Enter the username and password when prompted.

Try to ping hosts on the 172.16.3.0 and 30.30.30.0 networks.

Observe the translation table:

ciscoasa(config-network-object)# sh xlate
5 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:0.0.0.0/0 to outside:0.0.0.0/0
flags sI idle 0:01:16 timeout 0:00:00
NAT from inside:30.30.30.0/24, 172.16.3.0/24 to outside:30.30.30.0/24,
172.16.3.0/24
flags sI idle 8:23:23 timeout 0:00:00
NAT from inside:30.30.30.0/24 to outside:20.20.20.5
flags s idle 5:41:39 timeout 0:00:00
NAT from inside:172.16.3.0/24 to outside:20.20.20.5
flags s idle 5:52:45 timeout 0:00:00

Traffic originated from the inside appears as if it comes from public address (20.20.20.5).