Wednesday, July 13, 2011

Cisco ASA 8.4 IOS - Remote Access VPN

Below is the minimal configuration needed to implement remote access VPN's on a Cisco ASA 5505 running 8.4. Please keep in mind that the names that I used in my configuration is of my dog but it's best practice to use a name that describes what / who its for.

Enable ISAKMP on the interface:

ASA-2(config)# crypto ikev1 enable outside

ASA-2(config)# crypto ikev1 policy 1

ASA-2(config-ikev1-policy)# encryption 3des

ASA-2(config-ikev1-policy)# authentication pre-share

ASA-2(config-ikev1-policy)# hash md5

Setup your Group Policies & Tunnel Policies

ASA-2(config)# group-policy oscar_GP internal

ASA-2(config)# group-policy oscar_GP attributes

ASA-2(config-group-policy)# vpn-tunnel-protocol ikev1

ASA-2(config-group-policy)# address-pools value oscar_pool


*******************

ASA-2(config)# tunnel-group oscar_tg type remote-access

ASA-2(config)# tunnel-group oscar_tg general-attributes

ASA-2(config-tunnel-general)# default-group-policy oscar_GP

ASA-2(config-tunnel-general)# authentication-server-group LOCAL 

ASA-2(config)# tunnel-group oscar_tg ipsec-attributes

ASA-2(config-tunnel-ipsec)# ikev1 pre-shared-key C1sc0


*******************

ASA-2(config)# crypto ipsec ikev1 transform-set oscar_trans esp-3des esp-md5-hmac

ASA-2(config)# ip local pool oscar_pool 10.1.2.140-10.1.2.145 mask 255.255.255.0

ASA-2(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set oscar_trans

ASA-2(config)#username oscar password omEMDQBc9noujG1X encrypted privilege 15

ASA-2(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

ASA-2(config)# crypto map outside_map interface outside

1 comment: