Cisco ASA firewall IPsec remote access VPN configuration

by Ras 1. December 2011 22:25

 

Steps to create an IPsec (IKEv1) remote access VPN on the ASA firewall. Users connect to this VPN with the Cisco VPN client application; the group name they enter is the tunnel-group name and the group password is its pre-shared key.

The example below authenticates users against a Windows Active Directory domain over LDAP and uses the pre-8.3 ASA command syntax.

 

!## Enable ISAKMP (IKEv1) on the outside interface and define the phase 1 policy
!## Note: "hash sha" is SHA-1 and "group 2" is 1024-bit Diffie-Hellman; pick the strongest group that both the ASA software and the VPN client support
!## Note: the pre-shared key is a group key known to every user of the tunnel group, and the Cisco VPN client negotiates it in IKEv1 aggressive mode, so it only identifies the group; user authentication comes from the AD credentials (XAUTH)
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800

 

!## Configure LDAP authentication against Windows AD. The base DN and bind DN below are assumed values for the tas.local domain used later in this config; replace them with your own. On a real deployment also set ldap-scope subtree and ldap-naming-attribute sAMAccountName, and use ldap-over-ssl enable so the bind password and user credentials do not cross the inside network in clear text.
aaa-server WindowsAD protocol ldap
aaa-server WindowsAD (inside) host 10.1.1.10
timeout 5
server-type microsoft
ldap-base-dn DC=tas,DC=local
ldap-login-dn CN=vpn-ldap-bind,CN=Users,DC=tas,DC=local
ldap-login-password **********

 

!## Create a local pool of IP addresses handed out to VPN users (the pool is the upper half of 10.2.2.0/24, which the filter and NAT exemption below refer to as 10.2.2.128/25)
ip local pool VPN-POOL 10.2.2.129-10.2.2.254 mask 255.255.255.0

 

!## Create the group policy for the VPN - attributes like DNS, WINS and the traffic filter
group-policy tunnel1 internal
group-policy tunnel1 attributes
vpn-tunnel-protocol IPSec
dns-server value 10.1.1.10
wins-server value 10.1.1.10
default-domain value tas.local
!## vpn-filter is a group-policy (or username) attribute, not a tunnel-group ipsec-attribute; without it every VPN user has unrestricted access to the inside networks
vpn-filter value VPN-FILTER-ACL

 

!## Create the tunnel group (connection profile) and tie the group policy, the AAA server and the address pool to it. The tunnel-group name is the group name users enter in the VPN client and the pre-shared key is the group password.
tunnel-group tunnel1 type remote-access
tunnel-group tunnel1 general-attributes
default-group-policy tunnel1
authentication-server-group WindowsAD
address-pool VPN-POOL
tunnel-group tunnel1 ipsec-attributes
pre-shared-key **********

 

!## Create the access list referenced by vpn-filter: the source is the VPN client address (the pool), the destination is the inside network clients may reach. Traffic not permitted here is dropped for VPN users.
access-list VPN-FILTER-ACL extended permit ip 10.2.2.128 255.255.255.128 172.16.1.0 255.255.255.0

 

!## Specify acceptable transform sets (IPsec phase 2 proposals). Defining the DES, 3DES and MD5 sets is harmless on its own; what matters is which sets the dynamic map below offers to clients.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

 

!## Create the dynamic crypto map for the IPsec remote access VPN (remote peer addresses are not known in advance, so a dynamic map is used)
!## Note: "pfs group1" is 768-bit Diffie-Hellman, weaker than the phase 1 group 2. Every transform set listed here can be negotiated by a client, so drop the DES, 3DES and MD5 sets unless a legacy client still needs them.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

 

!## Bind the dynamic map to the outside crypto map and apply the map to the outside interface
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

 

!## Exempt traffic from the inside networks to the VPN pool from NAT (identity NAT; in the pre-8.3 syntax nat 0 takes the access-list keyword). The source can be narrowed to 172.16.1.0/24 to match the vpn-filter.
access-list DISABLE-NAT extended permit ip any 10.2.2.128 255.255.255.128
nat (inside) 0 access-list DISABLE-NAT
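
The following Python script is an added example, not part of the original post, that audits the configuration above the way a reviewer would: it parses the ISAKMP policy, the transform sets the dynamic map actually offers, the PFS group, the address pool and the two access lists; flags the weak choices (group pre-shared key, 1024-bit DH group 2, the DES/3DES/MD5 transform sets and PFS group1); and checks that every pool address falls inside the vpn-filter source and the NAT-exemption destination, which is the mismatch that silently locks some clients out. It also rebuilds the dynamic-map transform-set line with only the AES/SHA sets. The ACL and map names are taken from this post, and the embedded sample configuration is a constructed copy of the post's own lines.

```python
import ipaddress

# Constructed sample input: the lines from this post that the audit reads
# (pre-shared key, AAA, group-policy and tunnel-group sections left out).
SAMPLE_CONFIG = """\
authentication pre-share
encryption aes-256
hash sha
group 2
ip local pool VPN-POOL 10.2.2.129-10.2.2.254 mask 255.255.255.0
access-list VPN-FILTER-ACL extended permit ip 10.2.2.128 255.255.255.128 172.16.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
access-list DISABLE-NAT extended permit ip any 10.2.2.128 255.255.255.128
"""

# Algorithms and Diffie-Hellman groups that should no longer be offered.
# HMAC-SHA1 (esp-sha-hmac / "hash sha") is tolerated and deliberately not flagged.
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "group1", "group2"}   # 768- and 1024-bit MODP

def _acl_networks(tokens):
    """Source and destination of an 'ip' ACE ('any' or 'address netmask' pairs)."""
    nets, i = [], 0
    while i < len(tokens) and len(nets) < 2:
        if tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"))
            i += 2
    return nets

def parse_config(text):
    """Extract the phase 1 policy, pool, ACLs, transform sets and dynamic-map settings."""
    cfg = {"isakmp": {}, "acls": {}, "transform_sets": {}, "dynamic_map": {}, "pool": None}
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] in ("authentication", "encryption", "hash", "group"):
            cfg["isakmp"][words[0]] = words[1]          # crypto isakmp policy sub-commands
        elif raw.startswith("ip local pool"):
            first, last = words[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif raw.startswith("access-list") and words[3:5] == ["permit", "ip"]:
            cfg["acls"].setdefault(words[1], []).append(words[5:])
        elif raw.startswith("crypto ipsec transform-set"):
            cfg["transform_sets"][words[3]] = set(words[4:])
        elif raw.startswith("crypto dynamic-map") and words[4] == "set":
            cfg["dynamic_map"][words[5]] = words[6:]    # key is "pfs" or "transform-set"
    return cfg

def _is_weak(cfg, name):
    return bool(cfg["transform_sets"].get(name, set()) & (WEAK_CIPHERS | WEAK_HASHES))

def audit(text, filter_acl="VPN-FILTER-ACL", nat_acl="DISABLE-NAT"):
    """Return a list of findings; an empty list means nothing to report."""
    cfg, findings = parse_config(text), []
    p1 = cfg["isakmp"]
    if p1.get("authentication") == "pre-share":
        findings.append("phase1: one pre-shared key shared by every client; IKEv1 aggressive "
                        "mode hands a crackable hash of it to anyone who starts a connection")
    if p1.get("encryption") in WEAK_CIPHERS:
        findings.append(f"phase1: weak cipher {p1['encryption']}")
    if p1.get("hash") in WEAK_HASHES:
        findings.append(f"phase1: weak hash {p1['hash']}")
    if p1.get("group") in WEAK_DH_GROUPS:
        findings.append(f"phase1: small Diffie-Hellman group {p1['group']}")
    for name in cfg["dynamic_map"].get("transform-set", []):  # only offered sets matter
        if _is_weak(cfg, name):
            findings.append(f"phase2: dynamic map offers weak transform-set {name}")
    pfs = cfg["dynamic_map"].get("pfs", [])
    if pfs and pfs[0] in WEAK_DH_GROUPS:
        findings.append(f"phase2: PFS uses small Diffie-Hellman group {pfs[0]}")
    # Every pool address must lie inside the vpn-filter source (index 0) and the
    # NAT-exemption destination (index 1), or some clients silently lose access.
    if cfg["pool"]:
        first, last = cfg["pool"]
        for acl, side in ((filter_acl, 0), (nat_acl, 1)):
            for ace in cfg["acls"].get(acl, []):
                net = _acl_networks(ace)[side]
                if not (first in net and last in net):
                    findings.append(f"{acl}: pool {first}-{last} is not fully inside {net}")
    return findings

def hardened_transform_set_line(text, map_name="SYSTEM_DEFAULT_CRYPTO_MAP", seq="65535"):
    """Rebuild the dynamic-map transform-set line keeping only sets with no weak algorithm."""
    cfg = parse_config(text)
    keep = [n for n in cfg["dynamic_map"].get("transform-set", []) if not _is_weak(cfg, n)]
    return f"crypto dynamic-map {map_name} {seq} set transform-set " + " ".join(keep)
```

Call `audit(SAMPLE_CONFIG)` to get the findings (ten for the configuration in this post: the group pre-shared key, DH group 2, the seven DES/3DES/MD5 transform sets the dynamic map offers, and PFS group1) and `hardened_transform_set_line(SAMPLE_CONFIG)` for the replacement line that offers only the three AES/SHA sets. Feeding it `show running-config` output from an ASA running the same pre-8.3 syntax works too, since sub-commands are matched by their first word and indentation is ignored.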

 

About the author

Ras is a network/security professional working in multiple areas and holding certifications including CCNP, CCIP, CCSP, CCSA, CCSE, LPI, PM, IPv6, ...
