Scribd
Upload
6K views

How Do I Setup Cisco VPN Client

The document provides steps to configure a Cisco ASA 5505 for client VPN access through the CLI. It includes enabling ISAKMP on the outside interface, creating IKE policies and group policies, defining usernames and passwords, setting the tunnel group type and preshared key, configuring address pools, defining IPSec transforms, creating crypto maps, and allowing IPSec traffic. The full configuration provides explanations for each step.

Uploaded by

sergiorsantos
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
6K views

How Do I Setup Cisco VPN Client

The document provides steps to configure a Cisco ASA 5505 for client VPN access through the CLI. It includes enabling ISAKMP on the outside interface, creating IKE policies and group policies, defining usernames and passwords, setting the tunnel group type and preshared key, configuring address pools, defining IPSec transforms, creating crypto maps, and allowing IPSec traffic. The full configuration provides explanations for each step.

Uploaded by

sergiorsantos
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
You are on page 1/ 2

How do I setup Cisco ASA 5505 for Client VPN through CLI ?

Zones:
Virtual Private Networking (VPN), Networking Hardware Firewalls
Tags:
Setup of Cisco ASA 5505 VPN Remote Access
I am fairly familiar with these devices, but I use the ASA's ASDM pretty exclusively for setting up them up.
My problem is that the VPN wizard is hit or miss at best. Lately I'm running into issues with creating VPN's
that either won't attach, or won't talk to the inside interface from the VPN Pool (created on a different
subnet).

Can someone post a step by step CLI setup of a client access VPN? Ideally it would include some info on
what each line does if its not intuitive? ( I'm looking to understand the setup not just regurgitate the
commands.)

Thanks

Rank: Master
bignewf:
Here is a sample CLI config right from cisco:

Enable ISAKMP on ouside interface of ASA:


Asa#(config t)
Asa(config)# isakmp enable outside

Create ISAKMP Policy:


Asa#config t
Asa(config)#isakmp policy 10 authentication pre-share
Asa(config)# isakmp policy 10 encryption aes-25
Asa(config)# isakmp policy 10 hash sha
Asa(config)# isakmp policy 10 group 2
Asa(config)#isakmp policy 10 lifetime 86400

Configure Remote Access-Attributes for Default and User group-policy

asa(config)# group policy DfltGrpPolicy attributes

asa (config -group-policy)# vpn-simultaneous-logins 3


asa (config -group-policy)# ip-comp enable

Configuration of Group-Specific Group Policy


asa(config)# group-policy MYCompany internal
asa(config)# group-policy MyCompany attributes
asa(config-group-policy) default-domain value MyCompany.com

Config of User Policy here a user accound is mapped to the user group policy in the previous config above:

asa(config)# username vpnuser password cisco

asa(config)# username vpnuser attributes


asa(config-username)# vpn-group-policy-MyCompany

Define your Tunnel Type:


asa(config)# tunnel-group cisco type ipsec-ra

This the tunnel group name that needs to be configured on the cisco vpn client

Configure the ISAKMP Preshared Keys

asa(config)# tunnel-group cisco ipsec-attributes


as(config-ipsec)# pre-shared-key cisco123

This pre-shared key is also known as the group password in the Cisco remote access VPN
All cisco vpn clients that are configured for the tunnel group cisco must use the preshared key cisco123indicated
above

Configuring local user accounts:

asa(config)# username test password cisco123


asa(config)# username Joe password cisco999
These accounts would be in the local database on the ASA. However, you can use RADIUS, Windows NT
domain, Kerveros, SDI
for authentication also
If you use local authentication, then the tunnel-group must be configured with an authentication server, under
general attributes. The authentication-server-group subcommand specifies the authentication server.

asa(config)# tunnel-group cisco general-attributes


asa(config-group-plicy)# authentication-server-group LOCAL

Now, you must assign ip addresses to the vpn clients:

Using the appliance itself with a local address pool:

asa(config)# vpn-addr-assig local

asa(config)# ip local pool vpnremotepool 192.168.3.100-192.168.3.150

(not: this pool should be on a different subnet than your internal lans hosts)

For ip addresses from a dhcp server:

asa(config)#vpn-addr-assign dhcp
asa(config)#tunnel-group cisco general-attributes
asa(config-general)#dhcp-server 192.168.1.1

Define your IPSec Policy:

asa(config)# crypto ipsec transfore-set myset esp-aes-256 esp-sha-hmac (the transform set specifies the
encryption and hashing method used on the data packets once the tunnel is up)

Set up Dynamic Crypto Map:

asa(config)#crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap

Apply the crypto map to an interface - Outside interface:


asa(config)#crypto map IPSec_map interface outside

You must allow decrypted traffic to pass thru the asa. The correct way to do this would be to restrict traffic to
pass, but initially to get this working, I would allow all decrypted IPSec packets to pass without inspecting them
agianst the configured ACL's:

asa(config)#sysopt connection permit-ipsec

Finally, You need to create a connection entry on the cisco vpn client with the group authentication name, group
preshared key, and type of tunnel encapsulation

You might also like