The Cisco IPsec VPN client remains one of the most common applications used by corporate remote workers to connect into their office environment. The client enables remote workers to seamlessly continue working from their location over any IP-enabled network, just as if they were in the office.
The Cisco IPsec VPN client performs the peer operations required for the correct establishment of an IPsec tunnel with a VPN head-end. The head-end functions are commonly carried out by one of the following devices: ASA, PIX, VPN concentrator, or Cisco IOS router, providing access to corporate resources for authenticated users through the established tunnel.
The first step, as with any configuration of a VPN on the ASA, is the connection profile configuration. You use the tunnel-group <name> type remote-access command at the command-line interface (CLI) to create the new connection profile. After this, you specify the general attributes and the IPsec-specific properties using the tunnel-group <name> general-attributes and tunnel-group <name> ipsec-attributes commands, respectively.
ASA5505(config)# username cisco password cisco privilege 15 // FOR XAUTH (EXTENDED AUTHENTICATION)
ASA5505(config)# ip local pool ?
configure mode commands/options:
WORD < 64 char Name of the local address pool
ASA5505(config)# ip local pool RA_VPN_POOL ?
configure mode commands/options:
WORD Specify an IP address or a range of IP addresses:start[-end]
ASA5505(config)# ip local pool RA_VPN_POOL 192.168.1.5-192.168.1.10
ASA5505(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny flow
maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
ASA5505(config)# access-list NO_NAT_ACL ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network
only
webtype Use this to configure WebVPN related policy
ASA5505(config)# access-list NO_NAT_ACL extended ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ASA5505(config)# access-list NO_NAT_ACL extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
ASA5505(config)# access-list NO_NAT_ACL extended permit ip ?
configure mode commands/options:
A.B.C.D Source IP address
X:X:X:X::X/<0-128> Source IPv6 address/prefix
any Abbreviation for source address/mask of
0.0.0.0/0.0.0.0 OR source prefix ::/0
any4 Abbreviation of source address and mask of 0.0.0.0
0.0.0.0
any6 Abbreviation for source prefix ::/0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-security Keyword to specify security object-group for source
object-group-user Keyword to specify user object-group for source
security-group Keyword to specify inline security-group
user Keyword to specify user for source
user-group Keyword to specify user-group for source
ASA5505(config)# access-list NO_NAT_ACL extended permit ip 192.168.1.0 ?
configure mode commands/options:
A.B.C.D Netmask for source IP address
ASA5505(config)# access-list NO_NAT_ACL extended permit ip 192.168.1.0 255.255.255.0 ?
configure mode commands/options:
A.B.C.D Destination IP address
X:X:X:X::X/<0-128> Destination IPv6 address/prefix
any Abbreviation for destination address/mask of
0.0.0.0/0.0.0.0 OR destination prefix ::/0
any4 Abbreviation for destination address and mask of
0.0.0.0 0.0.0.0
any6 Abbreviation for destination prefix ::/0
host Use this keyword to configure destination host
interface Use interface address as destination address
object Keyword to enter destination object name
object-group Network object-group for destination address
object-group-security Keyword to specify security object-group for
destination
security-group Keyword to specify inline security-group
ASA5505(config)# access-list NO_NAT_ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 ?
configure mode commands/options:
A.B.C.D Netmask for destination IP address
ASA5505(config)# access-list NO_NAT_ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ASA5505(config)# access-list SPLIT_TUNNEL_ACL standard ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ASA5505(config)# access-list SPLIT_TUNNEL_ACL standard permit ?
configure mode commands/options:
Hostname or A.B.C.D Match based on destination network address
any4 Abbreviation for an address and mask of 0.0.0.0 0.0.0.0
host Use this keyword to configure destination host
ASA5505(config)# access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 ?
configure mode commands/options:
A.B.C.D Netmask for the IP address
ASA5505(config)# access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
ASA5505(config)# group-policy ?
configure mode commands/options:
WORD < 65 char Enter the name of the group policy
ASA5505(config)# group-policy RA_VPN_POLICY ?
configure mode commands/options:
external Enter this keyword to specify an external group policy
internal Enter this keyword to specify an internal group policy
ASA5505(config)# group-policy RA_VPN_POLICY internal
ASA5505(config)# group-policy RA_VPN_POLICY ?
configure mode commands/options:
attributes Enter the attributes sub-command mode
external Enter this keyword to specify an external group policy
internal Enter this keyword to specify an internal group policy
ASA5505(config)# group-policy RA_VPN_POLICY attributes
ASA5505(config-group-policy)# ?
group_policy configuration commands:
address-pools Configure list of up to 6 address pools to
assign addresses from
backup-servers Configure list of backup servers to be used
by the remote client
banner Configure a banner, or welcome text to be
displayed on the VPN remote client
client-access-rule Specify rules permitting/denying access to
specific client types and versions.
client-bypass-protocol Set client behavior for protocols for which
it has not received an address
client-firewall Configure the firewall requirements for
users in this group-policy
default-domain Configure default domain name given to
users of this group
dhcp-network-scope Specify the range of IP addresses to
indicate to the DHCP server for address
assignment
dns-server Configure the primary and secondary DNS
servers
exit Exit from group-policy configuration mode
gateway-fqdn Configure the Gateway FQDN to be sent down
to the client
group-lock Enter name of an existing tunnel-group that
users are required to connect with
help Help for group_policy configuration
commands
intercept-dhcp Enable this command to use group policy for
clients requesting Microsoft DHCP
ip-comp Enter this command to enable IP compression
(LZS)
ip-phone-bypass Configure to allow Cisco IP phones behind
Hardware clients to bypass the Individual
User Authentication process.
ipsec-udp Enter this command to allow a client to
operate through a NAT device using UDP
encapsulation
ipsec-udp-port Enter the UDP port to be used by the client
for IPSec through NAT
ipv6-address-pools Configure list of up to 6 ipv6 address
pools to assign addresses from
ipv6-split-tunnel-policy Select the split tunneling method to be
used for IPv6 traffic by the remote client
ipv6-vpn-filter Enter name of a configured IPv6 ACL to
apply to users (DEPRECATED)
leap-bypass Enable/disable LEAP packets from Cisco
wireless devices to bypass the individual
user authentication process. This setting
applies only to HW clients.
msie-proxy Enter this command to configure MSIE
Browser Proxy settings for a client system
nac-settings Configured the name of the nac-policy
nem Configure hardware clients to use network
extension mode. This setting applies only
to HW clients.
no Remove an attribute value pair
password-storage Enable/disable storage of the login
password on the client system
pfs Enter this command to indicate that the
remote client needs to perform PFS
re-xauth Enter this command to enable
reauthentication of the user on IKE rekey
scep-forwarding-url Configure CA SCEP URL to forward the SCEP
messages.
secure-unit-authentication Configure interactive authentication. This
setting applies only to HW clients.
smartcard-removal-disconnect Configure client action for smart card
removal
split-dns Configure list of domains to be resolved
through the Split Tunnel
split-tunnel-all-dns Select the option to indicate how the
client should handle DNS queries when
split-tunneling is enabled
split-tunnel-network-list Configure name of access-list for split
tunnel configuration
split-tunnel-policy Select the split tunneling method to be
used for IPv4 traffic by the remote client
user-authentication Configure individual user authentication.
This setting applies only to HW clients.
user-authentication-idle-timeout Configure the idle timeout period in
minutes. If there is no communication in
this period, the system terminates the
connection. This setting applies only to HW
clients.
vlan Specify the VLAN onto which VPN traffic for
this group will be forwarded.
vpn-access-hours Enter name of a configured time-range
policy
vpn-filter Enter name of a configured ACL to apply to
users
vpn-idle-timeout Enter idle timeout period in minutes, enter
none to disable
vpn-session-timeout Enter maximum user connection time in
minutes, enter none for unlimited time
vpn-simultaneous-logins Enter maximum number of simultaneous logins
allowed
vpn-tunnel-protocol Enter permitted tunneling protocols
webvpn Configure group policy for WebVPN
wins-server Configure the primary and secondary WINS
servers
ASA5505(config-group-policy)# vpn-tunnel-protocol ?
group-policy mode commands/options:
ikev1 IKE version 1
ikev2 IKE version 2
l2tp-ipsec L2TP using IPSec for security
ssl-client SSL VPN Client
ssl-clientless SSL Clientless VPN
ASA5505(config-group-policy)# vpn-tunnel-protocol ikev1
ASA5505(config-group-policy)# split-tunnel-policy ?
group-policy mode commands/options:
excludespecified Exclude only networks specified by
split-tunnel-network-list
tunnelall Tunnel everything
tunnelspecified Tunnel only networks specified by split-tunnel-network-list
ASA5505(config-group-policy)# split-tunnel-policy tunnelspecified
ASA5505(config-group-policy)# split-tunnel-network-list ?
group-policy mode commands/options:
none Specify that no access-list will be used for split tunnel
configuration
value Specify a standard or extended type access-list for split tunnel
configuration
ASA5505(config-group-policy)# split-tunnel-network-list value ?
group-policy mode commands/options:
WORD Name of a standard or extended type access-list for split tunnel
configuration
ASA5505(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL_ACL
ASA5505(config-group-policy)# exit
ASA5505(config)# tunnel-group ?
configure mode commands/options:
WORD < 65 char Enter the name of the tunnel group
ASA5505(config)# tunnel-group RA_VPN_GRP ?
configure mode commands/options:
type Enter the type of this group-policy
ASA5505(config)# tunnel-group RA_VPN_GRP type ?
configure mode commands/options:
ipsec-l2l IPSec Site to Site group
ipsec-ra IPSec Remote Access group (DEPRECATED)
remote-access Remote access (IPSec and WebVPN) group
webvpn WebVPN group (DEPRECATED)
ASA5505(config)# tunnel-group RA_VPN_GRP type remote-access // TO ENTER IN GROUP AUTHENTICATION "NAME" FIELD IN VPN CLIENT
ASA5505(config)# tunnel-group RA_VPN_GRP ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode
ppp-attributes Enter the ppp-attributes sub command mode
webvpn-attributes Enter the webvpn-attributes sub command mode
ASA5505(config)# tunnel-group RA_VPN_GRP general-attributes
ASA5505(config-tunnel-general)# ?
tunnel-group configuration commands:
accounting-server-group Enter name of the accounting server
group
address-pool Enter a list of address pools to
assign addresses from
annotation Specify annotation text - to be used
by ASDM only
authenticated-session-username Specify the authenticated username
will be associated with the session
authentication-attr-from-server Specify the authentication server that
provides authorization attribute for
the session
authentication-server-group Enter name of the authentication
server group
authorization-required Require users to authorize
successfully in order to connect
authorization-server-group Enter name of the authorization server
group
default-group-policy Enter name of the default group policy
dhcp-server Enter IP address or name of the DHCP
server
exit Exit from tunnel-group general
attribute configuration mode
help Help for tunnel group configuration
commands
ipv6-address-pool Enter a list of IPv6 address pools to
assign addresses from
nat-assigned-to-public-ip NAT assigned IP to public IP
no Remove an attribute value pair
override-account-disable Override account disabled from AAA
server
password-management Enable password management
scep-enrollment Enable SCEP proxy enrollment
secondary-authentication-server-group Enter name of the secondary
authentication server group
secondary-username-from-certificate The DN of the peer certificate used as
secondary username for authorization
strip-group Enable strip-group processing
strip-realm Enable strip-realm processing
username-from-certificate The DN of the peer certificate used as
username for authorization and/or
authentication
ASA5505(config-tunnel-general)# address-pool ?
tunnel-group-general mode commands/options:
( Open parenthesis for the network interface
WORD < 64 char Name of address pool to assign addresses from
ASA5505(config-tunnel-general)# address-pool RA_VPN_POOL
ASA5505(config-tunnel-general)# default-group-policy ?
tunnel-group-general mode commands/options:
WORD < 65 char Name of the default group policy
ASA5505(config-tunnel-general)# default-group-policy RA_VPN_POLICY
ASA5505(config-tunnel-general)# exit
ASA5505(config)# tunnel-group RA_VPN_GRP ipsec-attributes
ASA5505(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
authorization-required Require users to authorize successfully in order to
connect (DEPRECATED)
chain Enable sending certificate chain
exit Exit from tunnel-group IPSec attribute configuration
mode
help Help for tunnel group configuration commands
ikev1 Configure IKEv1
isakmp Configure ISAKMP policy
no Remove an attribute value pair
peer-id-validate Validate identity of the peer using the peer's
certificate
radius-with-expiry Enable negotiation of password update during RADIUS
authentication (DEPRECATED)
ASA5505(config-tunnel-ipsec)# ikev1 ?
tunnel-group-ipsec mode commands/options:
client-update Configure and change client update parameters
pre-shared-key Associate a pre-shared key with the connection policy
radius-sdi-xauth Sends "Enter Username And Password" Prompt In The Xauth
Request.
trust-point Select the trustpoint that identifies the cert to be
sent to the IKE peer
user-authentication Set the IKEv1 user authentication method
ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key cisco // TO ENTER IN GROUP AUTHENTICATION "PASSWORD" FIELD IN VPN CLIENT
ASA5505(config-tunnel-ipsec)# ikev1 user-authentication ?
tunnel-group-ipsec mode commands/options:
( The interface where the IPSec tunnel terminates
hybrid IKE Hybrid Authentication for User
none Disable User Authentication
xauth IKE Extended Authentication for User
ASA5505(config-tunnel-ipsec)# ikev1 user-authentication xauth // TO PROMPT FOR LOCAL DATABASE USERNAME AND PASSWORD
ASA5505(config-tunnel-ipsec)# exit
ASA5505(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Certification authority
ASA5505(config)# crypto ikev1 ?
configure mode commands/options:
am-disable Disable inbound aggressive mode connections
enable Enable IKEv1 on the specified interface
ipsec-over-tcp Enable and configure IPSec over TCP
policy Set IKEv1 policy suite
ASA5505(config)# crypto ikev1 enable ?
configure mode commands/options:
Type an interface name to enable
inside Name of interface Vlan1
outside Name of interface Vlan2
ASA5505(config)# crypto ikev1 enable outside // ENABLE IKEV1 IPSEC REMOTE ACCESS VPN ON THE ASA OUTSIDE INTERFACE
ASA5505(config)# crypto ikev1 policy ?
configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
ASA5505(config)# crypto ikev1 policy 10 // CONFIGURE MORE SECURE IKE PHASE 1 POLICY ON LOWER PRIORITY NUMBERS, LOWER POLICY NUMBER PREFERRED
ASA5505(config-ikev1-policy)# ?
crypto ikev1 policy configuration commands:
authentication Set authentication method (pre-share or rsa-sig)
encryption Set encryption algorithm (des, 3des, aes-128, aes-192, or
aes-256)
exit Exit from crypto ikev1 policy configuration mode
group Set Diffie-Hellman group (1,2 or 5)
hash Set hash algorithm (md5 or sha1)
help Help for crypto ikev1 policy configuration commands
lifetime Set IKEV1 SA lifetime (seconds)
no Negate a command or set its defaults
<cr>
ASA5505(config-ikev1-policy)# authentication ?
ikev1-policy mode commands/options:
crack set auth crack
pre-share set auth pre-share
rsa-sig set auth rsa-sig
ASA5505(config-ikev1-policy)# authentication pre-share
ASA5505(config-ikev1-policy)# encryption ?
ikev1-policy mode commands/options:
3des 3des encryption
aes aes-128 encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
ASA5505(config-ikev1-policy)# encryption aes
ASA5505(config-ikev1-policy)# hash ?
ikev1-policy mode commands/options:
md5 set hash md5
sha set hash sha1
ASA5505(config-ikev1-policy)# hash sha
ASA5505(config-ikev1-policy)# group ?
ikev1-policy mode commands/options:
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
7 Diffie-Hellman group 7 (DEPRECATED)
ASA5505(config-ikev1-policy)# group 2
ASA5505(config-ikev1-policy)# lifetime ?
ikev1-policy mode commands/options:
<120-2147483647> Lifetime in seconds
none Disable rekey and allow an unlimited rekey period
ASA5505(config-ikev1-policy)# lifetime 86400
ASA5505(config-ikev1-policy)# exit
ASA5505(config)# crypto ikev1 policy 20
ASA5505(config-ikev1-policy)# authentication pre-share
ASA5505(config-ikev1-policy)# encryption 3des
ASA5505(config-ikev1-policy)# hash md5
ASA5505(config-ikev1-policy)# group 2
ASA5505(config-ikev1-policy)# lifetime 86400
ASA5505(config-ikev1-policy)# exit
ASA5505(config)# crypto ipsec ?
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
ASA5505(config)# crypto ipsec ikev1 ?
configure mode commands/options:
transform-set Define transform and settings
ASA5505(config)# crypto ipsec ikev1 transform-set ?
configure mode commands/options:
WORD < 64 char Transform set tag
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA ?
configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication
mode mode transport
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 ?
configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication
<cr>
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac // IKE PHASE 2 POLICY
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
ASA5505(config)# crypto dynamic-map ?
configure mode commands/options:
WORD < 64 char Dynamic crypto map template tag
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP ?
configure mode commands/options:
<1-65535> Sequence to insert into dynamic-map entry
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 ?
configure mode commands/options:
annotation Specify annotation text - to be used by ASDM only
match Match address of packets to encrypt
set Specify dynamic crypto map settings
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ?
configure mode commands/options:
df-bit Set IPsec DF policy
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
nat-t-disable Disable nat-t negotiation for connections based on this
entry
peer Set IP address of peer
pfs Specify pfs settings
reverse-route Enable reverse route injection for connections based on
this entry
security-association Security association duration
tfc-packets Configure TFC packets to mask a tunnel's traffic
profile
validate-icmp-errors Set Validate ICMP Errors
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 ?
configure mode commands/options:
transform-set Specify list of transform sets in priority order
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ?
configure mode commands/options:
WORD Proposal tag
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ?
configure mode commands/options:
WORD Proposal tag
<cr>
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5 // APPLY IKE PHASE 2 POLICIES ON DYNAMIC CRYPTO MAP, USE DYNAMIC CRYPTO MAP IF THE CONNECTING VPN CLIENT IP ADDRESS IS UNKNOWN
ASA5505(config)# crypto map ?
configure mode commands/options:
WORD < 64 char Crypto map template tag
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP ?
configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ?
configure mode commands/options:
annotation Specify annotation text - to be used by ASDM only
ipsec-isakmp IPSec w/ISAKMP
match Match address of packets to encrypt
set Specify crypto map settings
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp ?
configure mode commands/options:
dynamic Entry is a dynamic map
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp dynamic ?
configure mode commands/options:
WORD dynamic map name
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp dynamic IKEV1_CRYPTO_MAP
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface Vlan1
outside Name of interface Vlan2
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP interface outside // APPLY CRYPTO MAP ON THE OUTSIDE INTERFACE
We can use the following show commands on the ASA to verify our remote access IPsec VPN configuration:
ASA5505# show run crypto ?
ca Show certification authority policy
dynamic-map Show dynamic crypto map configuration
ikev1 Show IKEv1 configuration
ikev2 Show IKEv2 configuration
ipsec Show IPSec configuration
isakmp Show ISAKMP configuration
map Show crypto map configuration
| Output modifiers
<cr>
ASA5505# show run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
ASA5505#
ASA5505# show run crypto ipsec
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
ASA5505#
ASA5505# show run crypto dynamic-map
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5
ASA5505#
ASA5505# show run crypto map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp dynamic IKEV1_CRYPTO_MAP
crypto map OUTSIDE_CRYPTO_MAP interface outside
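The show output above is easy to eyeball on one ASA, but the same check is worth automating: policy 20 (3DES/MD5) and the ESP-3DES-MD5 transform set are weaker fallbacks that a client proposing only those algorithms will still negotiate, and the IKEv1 policy help on this platform only offers DH groups 1, 2, 5 and 7, so even policy 10 ends up with a 1024-bit group. The following Python script is an added example, not code from the original post or from Cisco: it parses the `show run crypto ikev1` and `show run crypto ipsec` output exactly as printed above (embedded as sample input so it runs offline) and rates each phase-1 policy and phase-2 transform set. The rating tables are our own thresholds, an assumption of this example, not anything the ASA enforces.

```python
"""Audit the IKEv1 phase-1 policies and IKEv1 transform sets from an ASA
'show run crypto' dump and flag weak or legacy algorithms."""
import re
from dataclasses import dataclass

# Sample input: the 'show run crypto ikev1' and 'show run crypto ipsec' output
# from the transcript above, embedded here so the script runs offline.
SAMPLE_IKEV1 = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

SAMPLE_IPSEC = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
"""

# Rating tables (assumption: this example's own thresholds, not Cisco's).
# "weak": do not use; "legacy": below 2048-bit strength, replace as soon as
# the platform offers something stronger.
ENCRYPTION_RATING = {"des": "weak", "3des": "weak"}
HASH_RATING = {"md5": "weak"}
DH_GROUP_RATING = {"1": "weak", "2": "legacy", "5": "legacy", "7": "weak"}
ESP_RATING = {"esp-des": "weak", "esp-3des": "weak", "esp-null": "weak",
              "esp-md5-hmac": "weak"}
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")


@dataclass
class Finding:
    obj: str      # "ikev1 policy 20" or "transform-set ESP-3DES-MD5"
    setting: str  # "encryption 3des", "esp-md5-hmac", ...
    rating: str   # "weak" or "legacy"


def parse_ikev1_policies(text):
    """Return {priority: {attribute: value}} from 'show run crypto ikev1' output.
    Attribute lines may or may not be indented (pasted output often loses it)."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in POLICY_ATTRS:
            policies[current][parts[0]] = parts[1]
    return policies


def parse_transform_sets(text):
    """Return {name: [transforms...]} from 'show run crypto ipsec' output."""
    sets = {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:4] == ["crypto", "ipsec", "ikev1", "transform-set"] and len(parts) > 5:
            sets[parts[4]] = parts[5:]
    return sets


def audit(ikev1_text, ipsec_text):
    """Rate every phase-1 policy and phase-2 transform set; return the findings."""
    findings = []
    for prio, attrs in sorted(parse_ikev1_policies(ikev1_text).items()):
        obj = f"ikev1 policy {prio}"
        for attr, table in (("encryption", ENCRYPTION_RATING),
                            ("hash", HASH_RATING),
                            ("group", DH_GROUP_RATING)):
            value = attrs.get(attr)
            if value in table:
                findings.append(Finding(obj, f"{attr} {value}", table[value]))
        if attrs.get("lifetime") == "none":  # rekey disabled entirely
            findings.append(Finding(obj, "lifetime none", "weak"))
    for name, transforms in parse_transform_sets(ipsec_text).items():
        obj = f"transform-set {name}"
        for t in transforms:
            if t in ESP_RATING:
                findings.append(Finding(obj, t, ESP_RATING[t]))
        # ESP with no HMAC transform (esp-none, or none listed) gives
        # confidentiality without integrity protection.
        if not any(t.endswith("-hmac") for t in transforms):
            findings.append(Finding(obj, "no esp-*-hmac integrity transform", "weak"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_IKEV1, SAMPLE_IPSEC):
        print(f"[{f.rating:6}] {f.obj}: {f.setting}")
```

Run against the sample, the script reports group 2 on policy 10 as legacy, 3DES and MD5 on policy 20 as weak, and both transforms of ESP-3DES-MD5 as weak, while ESP-AES-256-SHA passes clean. Feeding it the real `show run crypto` output from a fleet of ASAs turns the manual verification step into a repeatable check for leftover fallback policies.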
Enter the following information in the VPN client so that a connection attempt can succeed:
* Connection name: This is a local name for the connection that your remote users can use to easily identify the VPN connection if they have multiple connections.
* Description: You can help your remote users further by entering a description for the connection here (for example, remote connection to the head office).
* Host: Enter the IP address or hostname of the remote VPN endpoint device (the VPN gateway in the case of a VPN client).
We can enable logging on the VPN client, and also open the ASDM Real-Time Log Viewer on the ASA, to check that the IPsec remote access VPN was established.
nem Configure hardware clients to use network
extension mode. This setting applies only
to HW clients.
no Remove an attribute value pair
password-storage Enable/disable storage of the login
password on the client system
pfs Enter this command to indicate that the
remote client needs to perform PFS
re-xauth Enter this command to enable
reauthentication of the user on IKE rekey
scep-forwarding-url Configure CA SCEP URL to forward the SCEP
messages.
secure-unit-authentication Configure interactive authentication. This
setting applies only to HW clients.
smartcard-removal-disconnect Configure client action for smart card
removal
split-dns Configure list of domains to be resolved
through the Split Tunnel
split-tunnel-all-dns Select the option to indicate how the
client should handle DNS queries when
split-tunneling is enabled
split-tunnel-network-list Configure name of access-list for split
tunnel configuration
split-tunnel-policy Select the split tunneling method to be
used for IPv4 traffic by the remote client
user-authentication Configure individual user authentication.
This setting applies only to HW clients.
user-authentication-idle-timeout Configure the idle timeout period in
minutes. If there is no communication in
this period, the system terminates the
connection. This setting applies only to HW
clients.
vlan Specify the VLAN onto which VPN traffic for
this group will be forwarded.
vpn-access-hours Enter name of a configured time-range
policy
vpn-filter Enter name of a configured ACL to apply to
users
vpn-idle-timeout Enter idle timeout period in minutes, enter
none to disable
vpn-session-timeout Enter maximum user connection time in
minutes, enter none for unlimited time
vpn-simultaneous-logins Enter maximum number of simultaneous logins
allowed
vpn-tunnel-protocol Enter permitted tunneling protocols
webvpn Configure group policy for WebVPN
wins-server Configure the primary and secondary WINS
servers
ASA5505(config-group-policy)# vpn-tunnel-protocol ?
group-policy mode commands/options:
ikev1 IKE version 1
ikev2 IKE version 2
l2tp-ipsec L2TP using IPSec for security
ssl-client SSL VPN Client
ssl-clientless SSL Clientless VPN
ASA5505(config-group-policy)# vpn-tunnel-protocol ikev1
ASA5505(config-group-policy)# split-tunnel-policy ?
group-policy mode commands/options:
excludespecified Exclude only networks specified by
split-tunnel-network-list
tunnelall Tunnel everything
tunnelspecified Tunnel only networks specified by split-tunnel-network-list
ASA5505(config-group-policy)# split-tunnel-policy tunnelspecified
ASA5505(config-group-policy)# split-tunnel-network-list ?
group-policy mode commands/options:
none Specify that no access-list will be used for split tunnel
configuration
value Specify a standard or extended type access-list for split tunnel
configuration
ASA5505(config-group-policy)# split-tunnel-network-list value ?
group-policy mode commands/options:
WORD Name of a standard or extended type access-list for split tunnel
configuration
ASA5505(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL_ACL
ASA5505(config-group-policy)# exit
ASA5505(config)# tunnel-group ?
configure mode commands/options:
WORD < 65 char Enter the name of the tunnel group
ASA5505(config)# tunnel-group RA_VPN_GRP ?
configure mode commands/options:
type Enter the type of this group-policy
ASA5505(config)# tunnel-group RA_VPN_GRP type ?
configure mode commands/options:
ipsec-l2l IPSec Site to Site group
ipsec-ra IPSec Remote Access group (DEPRECATED)
remote-access Remote access (IPSec and WebVPN) group
webvpn WebVPN group (DEPRECATED)
ASA5505(config)# tunnel-group RA_VPN_GRP type remote-access // TO ENTER IN GROUP AUTHENTICATION "NAME" FIELD IN VPN CLIENT
ASA5505(config)# tunnel-group RA_VPN_GRP ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode
ppp-attributes Enter the ppp-attributes sub command mode
webvpn-attributes Enter the webvpn-attributes sub command mode
ASA5505(config)# tunnel-group RA_VPN_GRP general-attributes
ASA5505(config-tunnel-general)# ?
tunnel-group configuration commands:
accounting-server-group Enter name of the accounting server
group
address-pool Enter a list of address pools to
assign addresses from
annotation Specify annotation text - to be used
by ASDM only
authenticated-session-username Specify the authenticated username
will be associated with the session
authentication-attr-from-server Specify the authentication server that
provides authorization attribute for
the session
authentication-server-group Enter name of the authentication
server group
authorization-required Require users to authorize
successfully in order to connect
authorization-server-group Enter name of the authorization server
group
default-group-policy Enter name of the default group policy
dhcp-server Enter IP address or name of the DHCP
server
exit Exit from tunnel-group general
attribute configuration mode
help Help for tunnel group configuration
commands
ipv6-address-pool Enter a list of IPv6 address pools to
assign addresses from
nat-assigned-to-public-ip NAT assigned IP to public IP
no Remove an attribute value pair
override-account-disable Override account disabled from AAA
server
password-management Enable password management
scep-enrollment Enable SCEP proxy enrollment
secondary-authentication-server-group Enter name of the secondary
authentication server group
secondary-username-from-certificate The DN of the peer certificate used as
secondary username for authorization
strip-group Enable strip-group processing
strip-realm Enable strip-realm processing
username-from-certificate The DN of the peer certificate used as
username for authorization and/or
authentication
ASA5505(config-tunnel-general)# address-pool ?
tunnel-group-general mode commands/options:
( Open parenthesis for the network interface
WORD < 64 char Name of address pool to assign addresses from
ASA5505(config-tunnel-general)# address-pool RA_VPN_POOL
ASA5505(config-tunnel-general)# default-group-policy ?
tunnel-group-general mode commands/options:
WORD < 65 char Name of the default group policy
ASA5505(config-tunnel-general)# default-group-policy RA_VPN_POLICY
ASA5505(config-tunnel-general)# exit
ASA5505(config)# tunnel-group RA_VPN_GRP ipsec-attributes
ASA5505(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
authorization-required Require users to authorize successfully in order to
connect (DEPRECATED)
chain Enable sending certificate chain
exit Exit from tunnel-group IPSec attribute configuration
mode
help Help for tunnel group configuration commands
ikev1 Configure IKEv1
isakmp Configure ISAKMP policy
no Remove an attribute value pair
peer-id-validate Validate identity of the peer using the peer's
certificate
radius-with-expiry Enable negotiation of password update during RADIUS
authentication (DEPRECATED)
ASA5505(config-tunnel-ipsec)# ikev1 ?
tunnel-group-ipsec mode commands/options:
client-update Configure and change client update parameters
pre-shared-key Associate a pre-shared key with the connection policy
radius-sdi-xauth Sends "Enter Username And Password" Prompt In The Xauth
Request.
trust-point Select the trustpoint that identifies the cert to be
sent to the IKE peer
user-authentication Set the IKEv1 user authentication method
ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key cisco // TO ENTER IN GROUP AUTHENTICATION "PASSWORD" FIELD IN VPN CLIENT
ASA5505(config-tunnel-ipsec)# ikev1 user-authentication ?
tunnel-group-ipsec mode commands/options:
( The interface where the IPSec tunnel terminates
hybrid IKE Hybrid Authentication for User
none Disable User Authentication
xauth IKE Extended Authentication for User
ASA5505(config-tunnel-ipsec)# ikev1 user-authentication xauth // TO PROMPT FOR LOCAL DATABASE USERNAME AND PASSWORD
ASA5505(config-tunnel-ipsec)# exit
ASA5505(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Certification authority
ASA5505(config)# crypto ikev1 ?
configure mode commands/options:
am-disable Disable inbound aggressive mode connections
enable Enable IKEv1 on the specified interface
ipsec-over-tcp Enable and configure IPSec over TCP
policy Set IKEv1 policy suite
ASA5505(config)# crypto ikev1 enable ?
configure mode commands/options:
Type an interface name to enable
inside Name of interface Vlan1
outside Name of interface Vlan2
ASA5505(config)# crypto ikev1 enable outside // ENABLE IKEV1 IPSEC REMOTE ACCESS VPN ON THE ASA OUTSIDE INTERFACE
ASA5505(config)# crypto ikev1 policy ?
configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
ASA5505(config)# crypto ikev1 policy 10 // CONFIGURE MORE SECURE IKE PHASE 1 POLICY ON LOWER PRIORITY NUMBERS, LOWER POLICY NUMBER PREFERRED
ASA5505(config-ikev1-policy)# ?
crypto ikev1 policy configuration commands:
authentication Set authentication method (pre-share or rsa-sig)
encryption Set encryption algorithm (des, 3des, aes-128, aes-192, or
aes-256)
exit Exit from crypto ikev1 policy configuration mode
group Set Diffie-Hellman group (1,2 or 5)
hash Set hash algorithm (md5 or sha1)
help Help for crypto ikev1 policy configuration commands
lifetime Set IKEV1 SA lifetime (seconds)
no Negate a command or set its defaults
<cr>
ASA5505(config-ikev1-policy)# authentication ?
ikev1-policy mode commands/options:
crack set auth crack
pre-share set auth pre-share
rsa-sig set auth rsa-sig
ASA5505(config-ikev1-policy)# authentication pre-share
ASA5505(config-ikev1-policy)# encryption ?
ikev1-policy mode commands/options:
3des 3des encryption
aes aes-128 encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
ASA5505(config-ikev1-policy)# encryption aes
ASA5505(config-ikev1-policy)# hash ?
ikev1-policy mode commands/options:
md5 set hash md5
sha set hash sha1
ASA5505(config-ikev1-policy)# hash sha
ASA5505(config-ikev1-policy)# group ?
ikev1-policy mode commands/options:
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
7 Diffie-Hellman group 7 (DEPRECATED)
ASA5505(config-ikev1-policy)# group 2
ASA5505(config-ikev1-policy)# lifetime ?
ikev1-policy mode commands/options:
<120-2147483647> Lifetime in seconds
none Disable rekey and allow an unlimited rekey period
ASA5505(config-ikev1-policy)# lifetime 86400
ASA5505(config-ikev1-policy)# exit
ASA5505(config)# crypto ikev1 policy 20
ASA5505(config-ikev1-policy)# authentication pre-share
ASA5505(config-ikev1-policy)# encryption 3des
ASA5505(config-ikev1-policy)# hash md5
ASA5505(config-ikev1-policy)# group 2
ASA5505(config-ikev1-policy)# lifetime 86400
ASA5505(config-ikev1-policy)# exit
ASA5505(config)# crypto ipsec ?
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
ASA5505(config)# crypto ipsec ikev1 ?
configure mode commands/options:
transform-set Define transform and settings
ASA5505(config)# crypto ipsec ikev1 transform-set ?
configure mode commands/options:
WORD < 64 char Transform set tag
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA ?
configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication
mode mode transport
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 ?
configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication
<cr>
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac // IKE PHASE 2 POLICY
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
ASA5505(config)# crypto dynamic-map ?
configure mode commands/options:
WORD < 64 char Dynamic crypto map template tag
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP ?
configure mode commands/options:
<1-65535> Sequence to insert into dynamic-map entry
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 ?
configure mode commands/options:
annotation Specify annotation text - to be used by ASDM only
match Match address of packets to encrypt
set Specify dynamic crypto map settings
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ?
configure mode commands/options:
df-bit Set IPsec DF policy
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
nat-t-disable Disable nat-t negotiation for connections based on this
entry
peer Set IP address of peer
pfs Specify pfs settings
reverse-route Enable reverse route injection for connections based on
this entry
security-association Security association duration
tfc-packets Configure TFC packets to mask a tunnel's traffic
profile
validate-icmp-errors Set Validate ICMP Errors
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 ?
configure mode commands/options:
transform-set Specify list of transform sets in priority order
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ?
configure mode commands/options:
WORD Proposal tag
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ?
configure mode commands/options:
WORD Proposal tag
<cr>
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5 // APPLY IKE PHASE 2 POLICIES ON DYNAMIC CRYPTO MAP, USE DYNAMIC CRYPTO MAP IF THE CONNECTING VPN CLIENT IP ADDRESS IS UNKNOWN
ASA5505(config)# crypto map ?
configure mode commands/options:
WORD < 64 char Crypto map template tag
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP ?
configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ?
configure mode commands/options:
annotation Specify annotation text - to be used by ASDM only
ipsec-isakmp IPSec w/ISAKMP
match Match address of packets to encrypt
set Specify crypto map settings
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp ?
configure mode commands/options:
dynamic Entry is a dynamic map
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp dynamic ?
configure mode commands/options:
WORD dynamic map name
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp dynamic IKEV1_CRYPTO_MAP
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface Vlan1
outside Name of interface Vlan2
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP interface outside // APPLY CRYPTO MAP ON THE OUTSIDE INTERFACE
We can use the following show commands on the ASA to verify our remote-access IPsec VPN configuration:
ASA5505# show run crypto ?
ca Show certification authority policy
dynamic-map Show dynamic crypto map configuration
ikev1 Show IKEv1 configuration
ikev2 Show IKEv2 configuration
ipsec Show IPSec configuration
isakmp Show ISAKMP configuration
map Show crypto map configuration
| Output modifiers
<cr>
ASA5505# show run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
ASA5505#
ASA5505# show run crypto ipsec
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
ASA5505#
ASA5505# show run crypto dynamic-map
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5
ASA5505#
ASA5505# show run crypto map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp dynamic IKEV1_CRYPTO_MAP
crypto map OUTSIDE_CRYPTO_MAP interface outside
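As an added example (not part of the original post), this Python script parses the `show run crypto` output shown above and flags the settings a reviewer would question; the sample input is copied from that output and the weak-algorithm lists are my own thresholds. On this configuration it reports the 3DES and MD5 used by policy 20 and the ESP-3DES-MD5 transform set, and the 1024-bit Diffie-Hellman group 2 used by both IKE policies.

```python
import re
from typing import Dict, List

# Constructed sample: the `show run crypto ikev1` and `show run crypto ipsec`
# output from the configuration above, with the ASA's one-space indentation.
SHOW_RUN_CRYPTO = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
"""

# Review thresholds (my assumptions): DES/3DES and MD5 are deprecated, null encryption
# and no authentication give no protection, DH groups 1 and 2 are 768/1024-bit MODP.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac", "esp-none"}
WEAK_DH_GROUPS = {"1", "2"}

def parse_ikev1_policies(text: str) -> Dict[str, Dict[str, str]]:
    """Return {priority: {attribute: value}} for every 'crypto ikev1 policy' block."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = m.group(1)
            policies[current] = {}
        elif line.startswith("crypto "):
            current = None  # any other top-level crypto command ends the block
        elif current is not None:
            key, _, value = line.partition(" ")
            policies[current][key] = value
    return policies

def parse_transform_sets(text: str) -> Dict[str, List[str]]:
    """Return {tag: [transforms]} for every IKEv1 transform set."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"crypto ipsec ikev1 transform-set (\S+) (.+)", text)}

def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for prio, attrs in parse_ikev1_policies(text).items():
        for key, weak in (("encryption", WEAK_ENCRYPTION), ("hash", WEAK_HASH), ("group", WEAK_DH_GROUPS)):
            if attrs.get(key) in weak:
                findings.append(f"ikev1 policy {prio}: weak {key} {attrs[key]}")
    for tag, transforms in parse_transform_sets(text).items():
        for t in transforms:
            if t in WEAK_ENCRYPTION or t in WEAK_HASH:
                findings.append(f"transform-set {tag}: weak transform {t}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SHOW_RUN_CRYPTO)))
```

Because the ASA accepts any configured policy or transform set that a peer proposes, a weak fallback entry such as policy 20 is negotiable by any client that offers only 3DES/MD5; keep such entries only while a specific legacy client needs them.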
In the VPN client, enter the following information for your VPN connection; a successful connection attempt requires all of it:
* Connection name: This is a local name for the connection that your remote users can use to easily identify the VPN connection if they have multiple connections.
* Description: You can help your remote users further by entering a description for the connection here (for example, remote connection to the head office).
* Host: Enter the IP address or hostname of the remote VPN endpoint device (the VPN gateway in the case of a VPN client).
We can enable and verify logging on the VPN client, and also view the ASDM Real-Time Log Viewer, to check whether the IPsec remote-access VPN was established.