
How do I setup Cisco ASA 5505 for Client VPN through CLI ?

Zones:
Virtual Private Networking (VPN), Networking Hardware Firewalls
Tags:
Setup of Cisco ASA 5505 VPN Remote Access
I am fairly familiar with these devices, but I use the ASA's ASDM pretty exclusively for setting them up.
My problem is that the VPN wizard is hit or miss at best. Lately I'm running into issues with creating VPNs
that either won't attach, or won't talk to the inside interface from the VPN pool (created on a different
subnet).

Can someone post a step-by-step CLI setup of a client access VPN? Ideally it would include some info on
what each line does if it's not intuitive. (I'm looking to understand the setup, not just regurgitate the
commands.)

Thanks

Rank: Master
bignewf:
Here is a sample CLI config right from Cisco:

Enable ISAKMP on the outside interface of the ASA:

Asa# config t
Asa(config)# isakmp enable outside

Create the ISAKMP policy:

Asa# config t
Asa(config)# isakmp policy 10 authentication pre-share
Asa(config)# isakmp policy 10 encryption aes-256
Asa(config)# isakmp policy 10 hash sha
Asa(config)# isakmp policy 10 group 2
Asa(config)# isakmp policy 10 lifetime 86400

Configure remote-access attributes for the default group policy:

asa(config)# group-policy DfltGrpPolicy attributes
asa(config-group-policy)# vpn-simultaneous-logins 3
asa(config-group-policy)# ip-comp enable

Configuration of a group-specific group policy:

asa(config)# group-policy MyCompany internal
asa(config)# group-policy MyCompany attributes
asa(config-group-policy)# default-domain value MyCompany.com

Config of the user policy; here a user account is mapped to the group policy defined above:

asa(config)# username vpnuser password cisco
asa(config)# username vpnuser attributes
asa(config-username)# vpn-group-policy MyCompany

Define your tunnel type:

asa(config)# tunnel-group cisco type ipsec-ra

This is the tunnel group name that needs to be configured on the Cisco VPN client.

Configure the ISAKMP pre-shared key:

asa(config)# tunnel-group cisco ipsec-attributes
asa(config-tunnel-ipsec)# pre-shared-key cisco123

This pre-shared key is also known as the group password in the Cisco remote access VPN.
All Cisco VPN clients that are configured for the tunnel group cisco must use the pre-shared key cisco123 indicated
above.

Configuring local user accounts:

asa(config)# username test password cisco123
asa(config)# username Joe password cisco999

These accounts would be in the local database on the ASA. However, you can use RADIUS, Windows NT
domain, Kerberos, or SDI for authentication also.
If you use local authentication, then the tunnel-group must be configured with an authentication server, under
general attributes. The authentication-server-group subcommand specifies the authentication server.

asa(config)# tunnel-group cisco general-attributes
asa(config-tunnel-general)# authentication-server-group LOCAL

Now, you must assign IP addresses to the VPN clients.

Using the appliance itself with a local address pool (the pool is then assigned to the tunnel group under its general attributes):

asa(config)# vpn-addr-assign local
asa(config)# ip local pool vpnremotepool 192.168.3.100-192.168.3.150
asa(config)# tunnel-group cisco general-attributes
asa(config-tunnel-general)# address-pool vpnremotepool

(note: this pool should be on a different subnet than your internal LAN hosts)

For IP addresses from a DHCP server:

asa(config)# vpn-addr-assign dhcp
asa(config)# tunnel-group cisco general-attributes
asa(config-tunnel-general)# dhcp-server 192.168.1.1

Define your IPsec policy:

asa(config)# crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

(the transform set specifies the encryption and hashing method used on the data packets once the tunnel is up)

Set up the dynamic crypto map (the dynamic map binds the transform set, and is then referenced from the static crypto map):

asa(config)# crypto dynamic-map dynmap 10 set transform-set myset
asa(config)# crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap

Apply the crypto map to an interface (the outside interface):

asa(config)# crypto map IPSec_map interface outside

You must allow decrypted traffic to pass through the ASA. The correct way to do this would be to restrict the traffic allowed to
pass, but initially, to get this working, I would allow all decrypted IPsec packets to pass without inspecting them
against the configured ACLs:

asa(config)# sysopt connection permit-ipsec

Finally, you need to create a connection entry on the Cisco VPN client with the group authentication name, group
pre-shared key, and type of tunnel encapsulation.
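The config above is a chain of cross-references (username -> group-policy, crypto map -> dynamic map -> transform set, tunnel group -> address pool), and a typo in any one name produces exactly the "won't attach" symptom in the question. As an added example, not code from the post or from Cisco, here is a small Python linter that parses the remote-access commands as they would appear in a running-config and checks those references, plus the answer's note that the VPN pool must not overlap the inside subnet. The sample config is constructed from the commands in the answer, and the inside subnet 192.168.1.0/24 is an assumption passed in by the caller, not something the ASA config on this page states.

```python
import ipaddress

# Constructed sample, assembled from the answer's commands in running-config
# form (sub-mode lines indented by one space). Not exported from a real ASA.
SAMPLE_CONFIG = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
group-policy MyCompany internal
group-policy MyCompany attributes
 default-domain value MyCompany.com
username vpnuser password cisco
username vpnuser attributes
 vpn-group-policy MyCompany
tunnel-group cisco type ipsec-ra
tunnel-group cisco general-attributes
 authentication-server-group LOCAL
 address-pool vpnremotepool
tunnel-group cisco ipsec-attributes
 pre-shared-key cisco123
vpn-addr-assign local
ip local pool vpnremotepool 192.168.3.100-192.168.3.150
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
sysopt connection permit-ipsec
"""


def parse_ra_config(text):
    """Collect the objects the remote-access VPN depends on, keyed by name."""
    s = {"isakmp_if": set(), "pools": {}, "tsets": set(), "dynmaps": {},
         "cmaps": {}, "gpols": set(), "users": {}, "tgroups": {}}
    ctx = None  # (kind, name) of the sub-mode that indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        w = line.split()
        if raw[0].isspace() and ctx:
            kind, name = ctx
            if kind == "username" and w[0] == "vpn-group-policy":
                s["users"][name] = w[1]
            elif kind == "tunnel-group":
                tg = s["tgroups"][name]
                if w[0] == "pre-shared-key":
                    tg["psk"] = True
                elif w[0] == "address-pool":
                    tg["pools"].extend(w[1:])
            continue
        ctx = None
        if w[:2] == ["isakmp", "enable"]:
            s["isakmp_if"].add(w[2])
        elif w[:3] == ["ip", "local", "pool"]:
            start, end = w[4].split("-")
            s["pools"][w[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            s["tsets"].add(w[3])
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
            s["dynmaps"].setdefault(w[2], set()).update(w[6:])
        elif w[:2] == ["crypto", "map"]:
            cm = s["cmaps"].setdefault(w[2], {"dynamic": set(), "interfaces": set()})
            if w[3] == "interface":
                cm["interfaces"].add(w[4])
            elif "dynamic" in w:
                cm["dynamic"].add(w[w.index("dynamic") + 1])
        elif w[0] == "group-policy" and w[2] == "internal":
            s["gpols"].add(w[1])
        elif w[0] == "username" and w[2:3] == ["attributes"]:
            ctx = ("username", w[1])
        elif w[0] == "tunnel-group":
            tg = s["tgroups"].setdefault(w[1], {"type": None, "psk": False, "pools": []})
            if w[2] == "type":
                tg["type"] = w[3]
            else:
                ctx = ("tunnel-group", w[1])
    return s


def lint_ra_config(text, inside_subnet):
    """Return a list of findings; an empty list means every reference resolves."""
    s = parse_ra_config(text)
    inside = ipaddress.ip_network(inside_subnet)
    out = []
    for name, cm in s["cmaps"].items():
        if not cm["interfaces"]:
            out.append(f"crypto map {name} is not applied to any interface")
        for iface in cm["interfaces"] - s["isakmp_if"]:
            out.append(f"crypto map {name} is on {iface} but isakmp is not enabled there")
        for dm in cm["dynamic"]:
            if dm not in s["dynmaps"]:
                out.append(f"crypto map {name} references undefined dynamic-map {dm}")
                continue
            for ts in s["dynmaps"][dm] - s["tsets"]:
                out.append(f"dynamic-map {dm} references undefined transform-set {ts}")
    for user, pol in s["users"].items():
        if pol not in s["gpols"]:
            out.append(f"username {user} references undefined group-policy {pol}")
    for name, tg in s["tgroups"].items():
        if tg["type"] != "ipsec-ra":
            continue
        if not tg["psk"]:
            out.append(f"tunnel-group {name} has no pre-shared-key")
        if not tg["pools"]:
            out.append(f"tunnel-group {name} has no address-pool")
        for pool in tg["pools"]:
            if pool not in s["pools"]:
                out.append(f"tunnel-group {name} references undefined pool {pool}")
                continue
            start, end = s["pools"][pool]
            # Interval overlap between the pool range and the inside subnet.
            if start <= inside.broadcast_address and end >= inside.network_address:
                out.append(f"pool {pool} ({start}-{end}) overlaps inside subnet {inside}")
    return out


if __name__ == "__main__":
    for finding in lint_ra_config(SAMPLE_CONFIG, "192.168.1.0/24") or ["no findings"]:
        print(finding)
```

Run it against the output of `show running-config` and the assumed inside subnet; the checks are deliberately limited to what the answer's commands establish (a pool in a different subnet still needs the ASA's NAT and access rules to reach the inside, which this answer does not cover).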
