Cisco Remote-Access IPSec VPN Setup

ASDM also provides a VPN Wizard that configures remote-access IPSec VPN connections for Cisco EasyVPN clients. This wizard guides you through the step-by-step configuration required for a successful EasyVPN client tunnel. In this section, Figure 21-21 is used as a reference topology in which a Cisco ASA is being set up to accept VPN connections on the outside interface from multiple remote-access clients. The inside interface of Cisco ASA in Chicago is directly connected to the subnet, while another inside network,, is behind Router1. The public interface's IP address is, and the default route sends all traffic to the next-hop router toward the Internet.

Figure 21-21. Remote-Access Topology

The goal of this example is to enable split tunneling such that the clients encrypt only traffic destined for the inside networks on Cisco ASA. All other traffic destined for the Internet, such as web traffic to, should flow in clear text directly from the remote VPN clients.

Use the following procedure for step-by-step configuration of ASDM:

Step 1. Launch the VPN Wizard.

To launch the VPN Wizard, click Wizards > VPN Wizard, as shown earlier in Figure 21-3.

ASDM launches the VPN Wizard, which provides an option to select the VPN tunnel type. Click the Remote Access radio button, as shown in Figure 21-22.

Figure 21-22. Selecting Remote-Access Tunnel

In this example, because VPN clients connect to Cisco ASA on the outside interface, the Outside interface is chosen from the drop-down menu in the VPN Tunnel Interface field. Click Next to move forward to the Remote Access Client window.

Step 2. Select the type of remote-access VPN tunnel.

The current version of Cisco ASA supports only Cisco IPSec remote-access VPNs, which is the default remote-access VPN tunnel type, as shown in Figure 21-23. Click Next to move to the VPN Client Tunnel Group Name and Authentication Method window.

Figure 21-23. Selecting the Type of Remote-Access VPN


Step 3. Set up the tunnel group name.

Specify the tunnel group name and the password if preshared keys are used. If PKI is being used, select the server certificate from the drop-down menu. In Figure 21-24, the administrator is setting up Cisco ASA with a tunnel group name of SecureMeTnlGrp with the associated preshared key of cisco123. Click Next to move to the Client Authentication window.

Figure 21-24. Specifying a Tunnel Group Name


Step 4. Set the user authentication method.

As mentioned in Chapter 7, "Authentication, Authorization, and Accounting (AAA)," Cisco ASA supports local and external databases for user authentication. If an external database server is used for authentication, you must predefine it. If it has not been defined already, you can leave the wizard and set it up under Configuration > Features > Properties > AAA Setup > AAA Servers. In Figure 21-25, the administrator is setting up Cisco ASA to use the local database for user authentication. Click Next to move to the User Accounts window.

Figure 21-25. Selecting the Local User Database


Step 5. Create the user database.

In Step 4, the administrator is using the local user database for user authentication. ASDM allows you to create additional user accounts, if necessary. In Figure 21-26, the administrator is setting up an account for ciscouser2 with a password of 123cisco (shown in asterisks). Click Add to instruct ASDM to create a user account. Click Next to move to the Address Pool window.

Figure 21-26. Creating User Accounts


Step 6. Assign IP addresses.

An important step in setting up the remote-access VPN connection is to assign an IP address to the client during the tunnel negotiation. ASDM prompts you to create an address pool and specify a range of IP addresses. In Figure 21-27, the administrator has set up an IP pool called ippool, which starts at and ends at The subnet mask for the range of addresses is Click Next to move to the Attributes Pushed to Client (Optional) window.

Figure 21-27. Assigning IP Addresses


Step 7. Set up mode configuration attributes.

The VPN Wizard allows you to configure three basic mode configuration attributes, which include the DNS and WINS servers, IP addresses, and the domain name of an organization, as shown in Figure 21-28. In this example, and are being used as the DNS addresses, and and are being used as the WINS addresses. The domain name is Click Next to move to the IKE Policy window.

Figure 21-28. Assigning Mode Configuration Attributes


Step 8. Select the IKE policy.

Cisco ASA allows you to choose the IKE parameters such as the encryption and authentication types and the Diffie-Hellman (DH) group. In Figure 21-29, the administrator has selected 3DES for encryption, SHA for authentication, and DH group 2 for key generation. Click Next to move to the IPSec Encryption and Authentication window.

Figure 21-29. IKE Policy



Cisco VPN Client supports DH groups 2 and 5, by default. You have to select one of these groups to match the client settings.

Step 9. Set up the IPSec transform set.

Set up the IPSec transform set by selecting the IPSec encryption and authentication methods. In Figure 21-30, the administrator has chosen 3DES for encryption and MD5 for hash authentication. Click Next to move to the Address Translation Exemption and Split Tunneling (Optional) window.

Figure 21-30. IPSec Transform Set


Step 10. Bypass address translation.

If NAT control is enabled on Cisco ASA, you can choose to bypass address translation for the traffic sourced from the inside network of Cisco ASA and destined for the VPN client's assigned addresses. ASDM creates an access list to identify traffic traveling over the tunnel, and applies NAT exemption to bypass address translation. To identify local networks, add the local hosts/subnets/networks in the Selected Hosts/Networks pane, as shown in Figure 21-31. In this example, the administrator does not want and addresses to be translated if they are sending traffic to the VPN pool of addresses,

Figure 21-31. Enabling Split Tunneling and NAT Exemption

By using split tunneling, you can force the remote VPN users to encrypt only the traffic destined for the inside networks of Cisco ASA. All other traffic can go to the Internet in clear text. Enable split tunneling by checking the box shown at the bottom of Figure 21-31. Click Next to move to the last step of the VPN Wizard.

Step 11. Verify remote-access configuration.

The last step in setting up a remote-access tunnel is to verify that all the parameters are accurate. If they look correct, click Finish to complete the wizard.

If the Preview Command Before Sending to the Device option is enabled in ASDM, the entire remote-access VPN configuration is displayed to you before being sent to Cisco ASA. If the configuration looks accurate, click Send to push it to Cisco ASA. Example 21-2 shows the complete remote-access VPN configuration created by ASDM. ASDM does not add comments, but they are added here for ease of understanding.

Example 21-2. Complete Remote-Access Configuration Created by ASDM

!Access-list to bypass address translation
access-list inside_nat0_outbound permit ip
access-list inside_nat0_outbound permit ip
!Access-list is linked to NAT 0
nat (inside) 0 access-list inside_nat0_outbound
!Access-list to identify traffic for split tunneling
access-list SecureMeTnlGrp_splitTunnelAcl standard permit
access-list SecureMeTnlGrp_splitTunnelAcl standard permit
!User accounts for local X-Auth
username ciscouser1 password ffIRPGpDSOJh9YLq encrypted privilege 0
username ciscouser2 password ffIRPGpDSOJh9YLq encrypted privilege 0
!Pool of addresses to be assigned to the VPN users
ip local pool ippool mask
!Configuration of VPN group-policy
group-policy SecureMeTnlGrp internal
!Group-policy to send mode-config attributes
group-policy SecureMeTnlGrp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SecureMeTnlGrp_splitTunnelAcl
 dns-server value
 wins-server value
 default-domain value
!Configuration of remote-access VPN group called SecureMeTnlGrp
tunnel-group SecureMeTnlGrp type ipsec-ra
tunnel-group SecureMeTnlGrp general-attributes
!The VPN group is using VPN attributes from the group-policy
 default-group-policy SecureMeTnlGrp
 address-pool ippool
!Configuration of preshared key for SecureMeTnlGrp
tunnel-group SecureMeTnlGrp ipsec-attributes
 pre-shared-key cisco123
!IPSec transform-set for data encryption
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!ISAKMP Phase 1 policy
isakmp enable outside
isakmp policy 30 authen pre-share
isakmp policy 30 encrypt 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
!Dynamic crypto map configuration
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
!Static crypto map configuration
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!Sysopt to bypass packet filtering
sysopt connection permit-ipsec
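
The following is an added example, not part of the book or of ASDM: a short Python review script that reads a configuration like Example 21-2 and flags the choices a reviewer would revisit today (DES/3DES, MD5 HMAC, DH group 1 or 2, a group preshared key, split tunneling). The sample text is constructed from lines shown in Example 21-2; the names audit, RULES, and MIN_PSK_LEN and the length threshold are assumptions of this example.

```python
import re

# Constructed sample: the crypto-relevant lines of Example 21-2.
SAMPLE_CONFIG = """\
group-policy SecureMeTnlGrp attributes
 split-tunnel-policy tunnelspecified
tunnel-group SecureMeTnlGrp ipsec-attributes
 pre-shared-key cisco123
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 30 authen pre-share
isakmp policy 30 encrypt 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
"""

MIN_PSK_LEN = 20  # assumption: a local policy threshold, not a Cisco default

# (rule id, regex matched against one stripped config line, reason)
RULES = [
    ("ike-3des", r"^(crypto )?isakmp policy \d+ encrypt\S* (3des|des)$", "IKE encryption is DES/3DES; prefer AES"),
    ("ike-md5", r"^(crypto )?isakmp policy \d+ hash md5$", "IKE hash is MD5; prefer SHA"),
    ("ike-dh-group", r"^(crypto )?isakmp policy \d+ group (1|2)$", "DH group 1 or 2 (1024-bit or less); use a larger group"),
    ("ike-psk", r"^(crypto )?isakmp policy \d+ authen\S* pre-share$", "group preshared key; the PKI option in Step 3 avoids a shared secret"),
    ("esp-3des", r"^crypto ipsec transform-set \S+ .*\besp-(3des|des)\b", "ESP encryption is DES/3DES; prefer AES"),
    ("esp-md5", r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "ESP integrity is HMAC-MD5; prefer SHA"),
    ("split-tunnel", r"^split-tunnel-policy tunnelspecified$", "split tunneling on; confirm direct Internet access is intended"),
]

def audit(config: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule id, reason) for every flagged config line."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):  # skip blanks and comments
            continue
        for rule_id, pattern, why in RULES:
            if re.search(pattern, line):
                findings.append((lineno, rule_id, why))
        # show running-config masks the key as '*'; it cannot be assessed then
        m = re.match(r"pre-shared-key (\S+)$", line)
        if m and m.group(1) != "*" and len(m.group(1)) < MIN_PSK_LEN:
            findings.append((lineno, "psk-short", f"preshared key shorter than {MIN_PSK_LEN} characters"))
    return findings

if __name__ == "__main__":
    for lineno, rule_id, why in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: [{rule_id}] {why}")
```

Run it against the text shown by the Preview Command Before Sending to the Device option to review the wizard's choices before they reach the appliance.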

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231