Cisco ASA Remote Access VPN

As a convenient note to myself, and to help anyone else who'd like to get a simple Remote Access VPN set up on their ASA using the Cisco VPN Client 5.x, here's the very basic configuration using the CLI, since most walkthroughs on the Cisco website are ASDM based.

This is set out to be pasted straight onto an ASA that has little configuration beyond basic IP addressing. To add it to a running unit, read through the notes below and work out what you'll need to change before pasting the config in.

Assumptions:

  • You’re using 8.2.1 of ASA OS.
  • VPN user authentication will be completed with the local user database.
  • You'll only be allowed to access the ASA's inside network from the connecting VPN client (an alternative, split tunnelling, is offered later on the page).
  • Your internal addressing is 192.168.0.0/24 and the DNS and DHCP settings used don't conflict with it; change as appropriate.
  • The access-list nonat_inside and nat statements are included because an empty ASA configuration requires them. You'll very likely have these set up already; if so, add the ACE from the access-list line below to your existing nat 0 access-list and leave the nat (inside) statement out of your config entirely.

username localvpnuser password 12345678 privilege 0
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
nat (inside) 0 access-list nonat_inside
crypto isakmp enable outside
ip local pool RAVPNDHCPPOOL 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy RAVPN_ADMIN internal
group-policy RAVPN_ADMIN attributes
 dns-server value 192.168.0.2 192.168.0.3
 vpn-tunnel-protocol IPSec
 default-domain value internaldomain.local
username localvpnuser attributes
 vpn-group-policy RAVPN_ADMIN
tunnel-group RAVPN_ADMIN type remote-access
tunnel-group RAVPN_ADMIN general-attributes
 default-group-policy RAVPN_ADMIN
 address-pool RAVPNDHCPPOOL
tunnel-group RAVPN_ADMIN ipsec-attributes
 pre-shared-key C0mpl1c@t3d
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map sys_def_crypto 65535 set pfs group2
crypto dynamic-map sys_def_crypto 65535 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic sys_def_crypto
crypto map outside_map interface outside

When creating the connection entry in the installed Cisco VPN Client, you'll need three things: the IP address of the ASA you're connecting to, the group name (here RAVPN_ADMIN), and the password for that group, which here is the pre-shared-key set under tunnel-group RAVPN_ADMIN ipsec-attributes.

Once that's done, click Connect, enter the username and password of the local user created in the first line of the config, and you'll be connected to your inside network.

If you consider the client staying directly connected to the Internet acceptable for your particular situation, you can add split tunnelling to your configuration with these five lines:

access-list split_tunnel_list remark The corporate network behind the ASA
access-list split_tunnel_list standard permit 192.168.0.0 255.255.255.0
group-policy RAVPN_ADMIN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
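When adapting the two config blocks above to an existing ASA, the mistakes that bite are not syntax errors but dangling references and addressing mismatches: a pool moved outside the nat 0 exemption, a group policy or transform set renamed in one place only, or DNS servers left outside the split-tunnel list so the client's queries never enter the tunnel. The following Python script is an added example written for this post, not Cisco tooling or the author's own code. It parses the config in the form `show running-config` prints it (sub-mode commands indented one space, which is my assumption about how it would be pasted back) and reports those problems. The sample config string is transcribed from the post; the check logic and messages are mine.

```python
import ipaddress
import re

# Constructed sample: the post's remote-access VPN config plus the optional
# split-tunnel lines, with sub-mode commands indented one space as the ASA
# prints them in "show running-config".
ASA_CONFIG = """\
username localvpnuser password 12345678 privilege 0
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
nat (inside) 0 access-list nonat_inside
crypto isakmp enable outside
ip local pool RAVPNDHCPPOOL 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy RAVPN_ADMIN internal
group-policy RAVPN_ADMIN attributes
 dns-server value 192.168.0.2 192.168.0.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
access-list split_tunnel_list standard permit 192.168.0.0 255.255.255.0
username localvpnuser attributes
 vpn-group-policy RAVPN_ADMIN
tunnel-group RAVPN_ADMIN type remote-access
tunnel-group RAVPN_ADMIN general-attributes
 default-group-policy RAVPN_ADMIN
 address-pool RAVPNDHCPPOOL
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map sys_def_crypto 65535 set pfs group2
crypto dynamic-map sys_def_crypto 65535 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic sys_def_crypto
crypto map outside_map interface outside
"""

# Lines that define or reference exactly one name: (regex, key in the cfg dict).
SIMPLE_RULES = [
    (r"nat \(\S+\) 0 access-list (\S+)$", "nat0_acls"),
    (r"group-policy (\S+) internal$", "group_policies"),
    (r"default-group-policy (\S+)$", "gp_refs"),
    (r"vpn-group-policy (\S+)$", "gp_refs"),
    (r"address-pool (\S+)$", "pool_refs"),
    (r"crypto ipsec transform-set (\S+) ", "transform_sets"),
    (r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)$", "dyn_refs"),
    (r"crypto map \S+ interface (\S+)$", "map_ifaces"),
    (r"crypto isakmp enable (\S+)$", "isakmp_ifaces"),
    (r"split-tunnel-network-list value (\S+)$", "split_refs"),
]


def parse_net(text):
    """Turn an ACL destination ('host A' or 'NET MASK') into an ip_network."""
    parts = text.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_config(text):
    """Extract pools, ACL networks, DNS servers and the name references the checks need."""
    cfg = {key: set() for _, key in SIMPLE_RULES}
    cfg.update(pools={}, acls={}, dynamic_maps=set(), ts_refs=set(), dns_servers=set())
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, key in SIMPLE_RULES:
            if m := re.match(pattern, line):
                cfg[key].add(m.group(1))
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"access-list (\S+) (?:extended permit ip any|standard permit) (.+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(parse_net(m.group(2)))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set (transform-set (\S+)|.*)$", line):
            cfg["dynamic_maps"].add(m.group(1))
            if m.group(3):
                cfg["ts_refs"].add(m.group(3))
        elif m := re.match(r"dns-server value (.+)$", line):
            cfg["dns_servers"].update(ipaddress.ip_address(a) for a in m.group(1).split())
    return cfg


def check_config(text):
    """Return a list of findings; an empty list means the config is self-consistent."""
    cfg = parse_config(text)
    findings = []
    for refs, defs, what in [
        (cfg["gp_refs"], cfg["group_policies"], "group-policy"),
        (cfg["pool_refs"], set(cfg["pools"]), "ip local pool"),
        (cfg["ts_refs"], cfg["transform_sets"], "transform-set"),
        (cfg["dyn_refs"], cfg["dynamic_maps"], "dynamic-map"),
        (cfg["split_refs"], set(cfg["acls"]), "split-tunnel access-list"),
    ]:
        findings += [f"{what} {r} is referenced but never defined" for r in sorted(refs - defs)]
    if not cfg["map_ifaces"]:
        findings.append("no crypto map is bound to an interface")
    for iface in sorted(cfg["map_ifaces"] - cfg["isakmp_ifaces"]):
        findings.append(f"crypto map is bound to {iface} but 'crypto isakmp enable {iface}' is missing")
    # Pre-8.3 NAT exemption: every address the pool can hand out must be a
    # destination the nat 0 ACL permits, or inside hosts' replies get NATed.
    exempt = [n for acl in cfg["nat0_acls"] for n in cfg["acls"].get(acl, [])]
    split = [n for acl in cfg["split_refs"] for n in cfg["acls"].get(acl, [])]
    for name, (first, last) in cfg["pools"].items():
        addr = first
        while addr <= last:
            if not any(addr in n for n in exempt):
                findings.append(f"pool {name}: {addr} is not covered by the nat 0 ACL")
                break
            if addr in cfg["dns_servers"]:
                findings.append(f"pool {name} hands out {addr}, which is also a dns-server")
            addr += 1
    # With split tunnelling, a DNS server outside the list is reached, if at
    # all, via the client's local interface rather than the tunnel.
    for dns in sorted(cfg["dns_servers"]):
        if split and not any(dns in n for n in split):
            findings.append(f"dns-server {dns} is outside the split-tunnel list")
    return findings


if __name__ == "__main__":
    print("\n".join(check_config(ASA_CONFIG)) or "no findings")
```

Paste your own running config into ASA_CONFIG (or read it from a file) before running; the checks are deliberately context-free, so they work on a full running-config as well as on the snippet above.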

I hope this helps you out. I'll be posting similar configurations, using the same assumptions, for the Clientless SSL VPN feature and the Cisco SSL VPN Client (AnyConnect VPN Client) shortly.
