Saturday, August 2, 2014

Cisco IPsec VPN Client on ASA

The Cisco IPsec VPN client remains one of the most common applications used by corporate remote workers to connect into their office environment. The client enables remote workers to seamlessly continue working from their location over any IP-enabled network, just as if they were in the office.

The Cisco IPsec VPN client performs the peer side of the IPsec tunnel establishment with a VPN head-end. The head-end is commonly an ASA, PIX, VPN concentrator or Cisco IOS router, and it gives authenticated users access to corporate resources through the established tunnel.

The first step, as with any VPN configuration on the ASA, is the connection profile (tunnel group). Use the tunnel-group <name> type remote-access command at the command-line interface (CLI) to create the new connection profile. After that, specify the general attributes and the IPsec-specific properties with the tunnel-group <name> general-attributes and tunnel-group <name> ipsec-attributes commands, respectively. The transcript below also builds everything the connection profile references: a local user for XAUTH, an address pool, the split-tunnel access list, the group policy, the IKEv1 (Phase 1) policies, the IPsec transform sets (Phase 2) and the dynamic crypto map bound to the outside interface.

ASA5505(config)# username cisco password cisco privilege 15   // FOR XAUTH (EXTENDED AUTHENTICATION). PRIVILEGE 15 IS NOT NEEDED FOR XAUTH AND GIVES THIS ACCOUNT FULL ADMIN RIGHTS IF THE LOCAL DATABASE IS ALSO USED FOR SSH/ASDM LOGIN; LEAVE THE DEFAULT PRIVILEGE, USE A STRONG PASSWORD, AND RESTRICT THE ACCOUNT TO VPN WITH "username cisco attributes" / "service-type remote-access"

ASA5505(config)# ip local pool ?

configure mode commands/options:
  WORD < 64 char  Name of the local address pool
ASA5505(config)# ip local pool RA_VPN_POOL ?

configure mode commands/options:
  WORD  Specify an IP address or a range of IP addresses:start[-end]
ASA5505(config)# ip local pool RA_VPN_POOL 192.168.1.5-192.168.1.10
ASA5505(config)# access-list ?

configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny flow
                   maximum. If not specified, the default value is 300 sec
  deny-flow-max    Specify the maximum number of concurrent deny flows that can
                   be created. If not specified, the default value is 4096
ASA5505(config)# access-list NO_NAT_ACL ?

configure mode commands/options:
  deny      Specify packets to reject
  extended  Configure access policy for IP traffic through the system
  line      Use this to specify line number at which ACE should be entered
  permit    Specify packets to forward
  remark    Specify a comment (remark) for the access-list after this keyword
  rename    rename an existing access-list
  standard  Use this to configure policy having destination host or network
            only
  webtype   Use this to configure WebVPN related policy
ASA5505(config)# access-list NO_NAT_ACL extended ?

configure mode commands/options:
  deny    Specify packets to reject
  permit  Specify packets to forward
ASA5505(config)# access-list NO_NAT_ACL extended permit ?

configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ah
  eigrp
  esp
  gre
  icmp
  icmp6
  igmp
  igrp
  ip
  ipinip
  ipsec
  nos
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  ospf
  pcp
  pim
  pptp
  snp
  tcp
  udp
ASA5505(config)# access-list NO_NAT_ACL extended permit ip ?

configure mode commands/options:
  A.B.C.D                Source IP address
  X:X:X:X::X/<0-128>     Source IPv6 address/prefix
  any                    Abbreviation for source address/mask of
                         0.0.0.0/0.0.0.0 OR source prefix ::/0
  any4                   Abbreviation of source address and mask of 0.0.0.0
                         0.0.0.0
  any6                   Abbreviation for source prefix ::/0
  host                   Use this keyword to configure source host
  interface              Use interface address as source address
  object                 Keyword to enter source object name
  object-group           Network object-group for source address
  object-group-security  Keyword to specify security object-group for source
  object-group-user      Keyword to specify user object-group for source
  security-group         Keyword to specify inline security-group
  user                   Keyword to specify user for source
  user-group             Keyword to specify user-group for source

ASA5505(config)# access-list NO_NAT_ACL extended permit ip 192.168.1.0 ?

configure mode commands/options:
  A.B.C.D  Netmask for source IP address
ASA5505(config)# access-list NO_NAT_ACL extended permit ip 192.168.1.0 255.255.255.0 ?

configure mode commands/options:
  A.B.C.D                Destination IP address
  X:X:X:X::X/<0-128>     Destination IPv6 address/prefix
  any                    Abbreviation for destination address/mask of
                         0.0.0.0/0.0.0.0 OR destination prefix ::/0
  any4                   Abbreviation for destination address and mask of
                         0.0.0.0 0.0.0.0
  any6                   Abbreviation for destination prefix ::/0
  host                   Use this keyword to configure destination host
  interface              Use interface address as destination address
  object                 Keyword to enter destination object name
  object-group           Network object-group for destination address
  object-group-security  Keyword to specify security object-group for
                         destination
  security-group         Keyword to specify inline security-group
ASA5505(config)# access-list NO_NAT_ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 ?

configure mode commands/options:
  A.B.C.D  Netmask for destination IP address
ASA5505(config)# access-list NO_NAT_ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0   // NAT EXEMPTION ACL. NOTE: NOTHING ON THIS PAGE BINDS IT TO A NAT RULE, AND THE "crypto ikev1" SYNTAX MEANS ASA 8.4+, WHERE NAT EXEMPTION IS DONE WITH OBJECT-BASED "nat (inside,outside) source static ... destination static ..." RULES RATHER THAN "nat 0 access-list"; ALSO THE DESTINATION 10.1.1.0/24 DOES NOT MATCH THE VPN POOL 192.168.1.5-10 DEFINED ABOVE
ASA5505(config)# access-list SPLIT_TUNNEL_ACL standard ?

configure mode commands/options:
  deny    Specify packets to reject
  permit  Specify packets to forward
ASA5505(config)# access-list SPLIT_TUNNEL_ACL standard permit ?

configure mode commands/options:
  Hostname or A.B.C.D  Match based on destination network address
  any4                 Abbreviation for an address and mask of 0.0.0.0 0.0.0.0
  host                 Use this keyword to configure destination host
ASA5505(config)# access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 ?

configure mode commands/options:
  A.B.C.D  Netmask for the IP address
ASA5505(config)# access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
ASA5505(config)# group-policy ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the group policy
ASA5505(config)# group-policy RA_VPN_POLICY ?

configure mode commands/options:
  external  Enter this keyword to specify an external group policy
  internal  Enter this keyword to specify an internal group policy
ASA5505(config)# group-policy RA_VPN_POLICY internal
ASA5505(config)# group-policy RA_VPN_POLICY ?

configure mode commands/options:
  attributes  Enter the attributes sub-command mode
  external    Enter this keyword to specify an external group policy
  internal    Enter this keyword to specify an internal group policy
ASA5505(config)# group-policy RA_VPN_POLICY attributes
ASA5505(config-group-policy)# ?

group_policy configuration commands:
  address-pools                     Configure list of up to 6 address pools to
                                    assign addresses from
  backup-servers                    Configure list of backup servers to be used
                                    by the remote client
  banner                            Configure a banner, or welcome text to be
                                    displayed on the VPN remote client
  client-access-rule                Specify rules permitting/denying access to
                                    specific client types and versions.
  client-bypass-protocol            Set client behavior for protocols for which
                                    it has not received an address
  client-firewall                   Configure the firewall requirements for
                                    users in this group-policy
  default-domain                    Configure default domain name given to
                                    users of this group
  dhcp-network-scope                Specify the range of IP addresses to
                                    indicate to the DHCP server for address
                                    assignment
  dns-server                        Configure the primary and secondary DNS
                                    servers
  exit                              Exit from group-policy configuration mode
  gateway-fqdn                      Configure the Gateway FQDN to be sent down
                                    to the client
  group-lock                        Enter name of an existing tunnel-group that
                                    users are required to connect with
  help                              Help for group_policy configuration
                                    commands
  intercept-dhcp                    Enable this command to use group policy for
                                    clients requesting Microsoft DHCP
  ip-comp                           Enter this command to enable IP compression
                                    (LZS)
  ip-phone-bypass                   Configure to allow Cisco IP phones behind
                                    Hardware clients to bypass the Individual
                                    User Authentication process.
  ipsec-udp                         Enter this command to allow a client to
                                    operate through a NAT device using UDP
                                    encapsulation
  ipsec-udp-port                    Enter the UDP port to be used by the client
                                    for IPSec through NAT
  ipv6-address-pools                Configure list of up to 6 ipv6 address
                                    pools to assign addresses from
  ipv6-split-tunnel-policy          Select the split tunneling method to be
                                    used for IPv6 traffic by the remote client
  ipv6-vpn-filter                   Enter name of a configured IPv6 ACL to
                                    apply to users (DEPRECATED)
  leap-bypass                       Enable/disable LEAP packets from Cisco
                                    wireless devices to bypass the individual
                                    user authentication process. This setting
                                    applies only to HW clients.
  msie-proxy                        Enter this command to configure MSIE
                                    Browser Proxy settings for a client system
  nac-settings                      Configured the name of the nac-policy
  nem                               Configure hardware clients to use network
                                    extension mode. This setting applies only
                                    to HW clients.
  no                                Remove an attribute value pair
  password-storage                  Enable/disable storage of the login
                                    password on the client system
  pfs                               Enter this command to indicate that the
                                    remote client needs to perform PFS
  re-xauth                          Enter this command to enable
                                    reauthentication of the user on IKE rekey
  scep-forwarding-url               Configure CA SCEP URL to forward the SCEP
                                    messages.
  secure-unit-authentication        Configure interactive authentication. This
                                    setting applies only to HW clients.
  smartcard-removal-disconnect      Configure client action for smart card
                                    removal
  split-dns                         Configure list of domains to be resolved
                                    through the Split Tunnel
  split-tunnel-all-dns              Select the option to indicate how the
                                    client should handle DNS queries when
                                    split-tunneling is enabled
  split-tunnel-network-list         Configure name of access-list for split
                                    tunnel configuration
  split-tunnel-policy               Select the split tunneling method to be
                                    used for IPv4 traffic by the remote client
  user-authentication               Configure individual user authentication.
                                    This setting applies only to HW clients.
  user-authentication-idle-timeout  Configure the idle timeout period in
                                    minutes. If there is no communication in
                                    this period, the system terminates the
                                    connection. This setting applies only to HW
                                    clients.
  vlan                              Specify the VLAN onto which VPN traffic for
                                    this group will be forwarded.
  vpn-access-hours                  Enter name of a configured time-range
                                    policy
  vpn-filter                        Enter name of a configured ACL to apply to
                                    users
  vpn-idle-timeout                  Enter idle timeout period in minutes, enter
                                    none to disable
  vpn-session-timeout               Enter maximum user connection time in
                                    minutes, enter none for unlimited time
  vpn-simultaneous-logins           Enter maximum number of simultaneous logins
                                    allowed
  vpn-tunnel-protocol               Enter permitted tunneling protocols
  webvpn                            Configure group policy for WebVPN
  wins-server                       Configure the primary and secondary WINS
                                    servers
ASA5505(config-group-policy)# vpn-tunnel-protocol ?

group-policy mode commands/options:
  ikev1           IKE version 1
  ikev2           IKE version 2
  l2tp-ipsec      L2TP using IPSec for security
  ssl-client      SSL VPN Client
  ssl-clientless  SSL Clientless VPN
ASA5505(config-group-policy)# vpn-tunnel-protocol ikev1
ASA5505(config-group-policy)# split-tunnel-policy ?

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by
                    split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list
ASA5505(config-group-policy)# split-tunnel-policy tunnelspecified
ASA5505(config-group-policy)# split-tunnel-network-list ?

group-policy mode commands/options:
  none   Specify that no access-list will be used for split tunnel
         configuration
  value  Specify a standard or extended type access-list for split tunnel
         configuration
ASA5505(config-group-policy)# split-tunnel-network-list value ?

group-policy mode commands/options:
  WORD  Name of a standard or extended type access-list for split tunnel
        configuration
ASA5505(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL_ACL
ASA5505(config-group-policy)# exit
ASA5505(config)# tunnel-group ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group
ASA5505(config)# tunnel-group RA_VPN_GRP ?

configure mode commands/options:
  type  Enter the type of this group-policy
ASA5505(config)# tunnel-group RA_VPN_GRP type ?

configure mode commands/options:
  ipsec-l2l      IPSec Site to Site group
  ipsec-ra       IPSec Remote Access group (DEPRECATED)
  remote-access  Remote access (IPSec and WebVPN) group
  webvpn         WebVPN group (DEPRECATED)
ASA5505(config)# tunnel-group RA_VPN_GRP type remote-access    // TO ENTER IN GROUP AUTHENTICATION "NAME" FIELD IN VPN CLIENT
ASA5505(config)# tunnel-group RA_VPN_GRP ?

configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode
  ppp-attributes      Enter the ppp-attributes sub command mode
  webvpn-attributes   Enter the webvpn-attributes sub command mode
ASA5505(config)# tunnel-group RA_VPN_GRP general-attributes
ASA5505(config-tunnel-general)# ?

tunnel-group configuration commands:
  accounting-server-group                Enter name of the accounting server
                                         group
  address-pool                           Enter a list of address pools to
                                         assign addresses from
  annotation                             Specify annotation text - to be used
                                         by ASDM only
  authenticated-session-username         Specify the authenticated username
                                         will be associated with the session
  authentication-attr-from-server        Specify the authentication server that
                                         provides authorization attribute for
                                         the session
  authentication-server-group            Enter name of the authentication
                                         server group
  authorization-required                 Require users to authorize
                                         successfully in order to connect
  authorization-server-group             Enter name of the authorization server
                                         group
  default-group-policy                   Enter name of the default group policy
  dhcp-server                            Enter IP address or name of the DHCP
                                         server
  exit                                   Exit from tunnel-group general
                                         attribute configuration mode
  help                                   Help for tunnel group configuration
                                         commands
  ipv6-address-pool                      Enter a list of IPv6 address pools to
                                         assign addresses from
  nat-assigned-to-public-ip              NAT assigned IP to public IP
  no                                     Remove an attribute value pair
  override-account-disable               Override account disabled from AAA
                                         server
  password-management                    Enable password management
  scep-enrollment                        Enable SCEP proxy enrollment
  secondary-authentication-server-group  Enter name of the secondary
                                         authentication server group
  secondary-username-from-certificate    The DN of the peer certificate used as
                                         secondary username for authorization
  strip-group                            Enable strip-group processing
  strip-realm                            Enable strip-realm processing
  username-from-certificate              The DN of the peer certificate used as
                                         username for authorization and/or
                                         authentication
ASA5505(config-tunnel-general)# address-pool ?

tunnel-group-general mode commands/options:
  (               Open parenthesis for the network interface
  WORD < 64 char  Name of address pool to assign addresses from
ASA5505(config-tunnel-general)# address-pool RA_VPN_POOL
ASA5505(config-tunnel-general)# default-group-policy ?

tunnel-group-general mode commands/options:
  WORD < 65 char  Name of the default group policy
ASA5505(config-tunnel-general)# default-group-policy RA_VPN_POLICY
ASA5505(config-tunnel-general)# exit
ASA5505(config)# tunnel-group RA_VPN_GRP ipsec-attributes
ASA5505(config-tunnel-ipsec)# ?

tunnel-group configuration commands:
  authorization-required  Require users to authorize successfully in order to
                          connect (DEPRECATED)
  chain                   Enable sending certificate chain
  exit                    Exit from tunnel-group IPSec attribute configuration
                          mode
  help                    Help for tunnel group configuration commands
  ikev1                   Configure IKEv1
  isakmp                  Configure ISAKMP policy
  no                      Remove an attribute value pair
  peer-id-validate        Validate identity of the peer using the peer's
                          certificate
  radius-with-expiry      Enable negotiation of password update during RADIUS
                          authentication (DEPRECATED)
ASA5505(config-tunnel-ipsec)# ikev1 ?

tunnel-group-ipsec mode commands/options:
  client-update        Configure and change client update parameters
  pre-shared-key       Associate a pre-shared key with the connection policy
  radius-sdi-xauth     Sends "Enter Username And Password" Prompt In The Xauth
                       Request.
  trust-point          Select the trustpoint that identifies the cert to be
                       sent to the IKE peer
  user-authentication  Set the IKEv1 user authentication method
ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key cisco    // TO ENTER IN GROUP AUTHENTICATION "PASSWORD" FIELD IN VPN CLIENT. THIS GROUP KEY IS SHARED BY ALL USERS AND, BECAUSE THE CLIENT USES IKE AGGRESSIVE MODE FOR PSK, A HASH OF IT CAN BE CAPTURED AND GUESSED OFFLINE, SO USE A LONG RANDOM STRING INSTEAD OF "cisco"
ASA5505(config-tunnel-ipsec)# ikev1 user-authentication ?

tunnel-group-ipsec mode commands/options:
  (       The interface where the IPSec tunnel terminates
  hybrid  IKE Hybrid Authentication for User
  none    Disable User Authentication
  xauth   IKE Extended Authentication for User
ASA5505(config-tunnel-ipsec)# ikev1 user-authentication xauth     // TO PROMPT FOR LOCAL DATABASE USERNAME AND PASSWORD
ASA5505(config-tunnel-ipsec)# exit
ASA5505(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Certification authority
ASA5505(config)# crypto ikev1 ?

configure mode commands/options:
  am-disable      Disable inbound aggressive mode connections
  enable          Enable IKEv1 on the specified interface
  ipsec-over-tcp  Enable and configure IPSec over TCP
  policy          Set IKEv1 policy suite
ASA5505(config)# crypto ikev1 enable ?

configure mode commands/options:
Type an interface name to enable
  inside   Name of interface Vlan1
  outside  Name of interface Vlan2
ASA5505(config)# crypto ikev1 enable outside   // ENABLE IKEV1 IPSEC REMOTE ACCESS VPN ON THE ASA OUTSIDE INTERFACE
ASA5505(config)# crypto ikev1 policy ?

configure mode commands/options:
  <1-65535>  Policy suite priority(1 highest, 65535 lowest)
ASA5505(config)# crypto ikev1 policy 10     // PUT THE STRONGER IKE PHASE 1 POLICY ON THE LOWER NUMBER: THE ASA TRIES ITS POLICIES IN ASCENDING ORDER AND USES THE FIRST ONE THE CLIENT ALSO PROPOSES
ASA5505(config-ikev1-policy)# ?

crypto ikev1 policy configuration commands:
  authentication  Set authentication method (pre-share or rsa-sig)
  encryption      Set encryption algorithm (des, 3des, aes-128, aes-192, or
                  aes-256)
  exit            Exit from crypto ikev1 policy configuration mode
  group           Set Diffie-Hellman group (1,2 or 5)
  hash            Set hash algorithm (md5 or sha1)
  help            Help for crypto ikev1 policy configuration commands
  lifetime        Set IKEV1 SA lifetime (seconds)
  no              Negate a command or set its defaults
  <cr>
ASA5505(config-ikev1-policy)# authentication ?

ikev1-policy mode commands/options:
  crack      set auth crack
  pre-share  set auth pre-share
  rsa-sig    set auth rsa-sig
ASA5505(config-ikev1-policy)# authentication pre-share
ASA5505(config-ikev1-policy)# encryption ?

ikev1-policy mode commands/options:
  3des     3des encryption
  aes      aes-128 encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
ASA5505(config-ikev1-policy)# encryption aes
ASA5505(config-ikev1-policy)# hash ?

ikev1-policy mode commands/options:
  md5  set hash md5
  sha  set hash sha1
ASA5505(config-ikev1-policy)# hash sha
ASA5505(config-ikev1-policy)# group ?

ikev1-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
  7  Diffie-Hellman group 7 (DEPRECATED)
ASA5505(config-ikev1-policy)# group 2
ASA5505(config-ikev1-policy)# lifetime ?

ikev1-policy mode commands/options:
  <120-2147483647>  Lifetime in seconds
  none              Disable rekey and allow an unlimited rekey period
ASA5505(config-ikev1-policy)# lifetime 86400
ASA5505(config-ikev1-policy)# exit
ASA5505(config)# crypto ikev1 policy 20     // WEAKER FALLBACK (3DES/MD5): A CLIENT THAT OFFERS ONLY THESE ALGORITHMS STILL CONNECTS ON THIS POLICY, SO REMOVE IT ONCE NO CLIENT NEEDS IT
ASA5505(config-ikev1-policy)# authentication pre-share
ASA5505(config-ikev1-policy)# encryption 3des
ASA5505(config-ikev1-policy)# hash md5
ASA5505(config-ikev1-policy)# group 2
ASA5505(config-ikev1-policy)# lifetime 86400
ASA5505(config-ikev1-policy)# exit
ASA5505(config)# crypto ipsec ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters
ASA5505(config)# crypto ipsec ikev1 ?

configure mode commands/options:
  transform-set  Define transform and settings
ASA5505(config)# crypto ipsec ikev1 transform-set ?

configure mode commands/options:
  WORD < 64 char  Transform set tag
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA ?

configure mode commands/options:
  esp-3des      esp 3des encryption
  esp-aes       esp aes 128 encryption
  esp-aes-192   esp aes 192 encryption
  esp-aes-256   esp aes 256 encryption
  esp-des       esp des encryption
  esp-md5-hmac  esp md5 authentication
  esp-none      esp no authentication
  esp-null      esp null encryption
  esp-sha-hmac  esp sha authentication
  mode          mode transport
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 ?

configure mode commands/options:
  esp-3des      esp 3des encryption
  esp-aes       esp aes 128 encryption
  esp-aes-192   esp aes 192 encryption
  esp-aes-256   esp aes 256 encryption
  esp-des       esp des encryption
  esp-md5-hmac  esp md5 authentication
  esp-none      esp no authentication
  esp-null      esp null encryption
  esp-sha-hmac  esp sha authentication
  <cr>
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac   // IKE PHASE 2 POLICY
ASA5505(config)# crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
ASA5505(config)# crypto dynamic-map ?

configure mode commands/options:
  WORD < 64 char  Dynamic crypto map template tag
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP ?

configure mode commands/options:
  <1-65535>  Sequence to insert into dynamic-map entry
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 ?

configure mode commands/options:
  annotation  Specify annotation text - to be used by ASDM only
  match       Match address of packets to encrypt
  set         Specify dynamic crypto map settings
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  ikev1                 Configure IKEv1 policy
  ikev2                 Configure IKEv2 policy
  nat-t-disable         Disable nat-t negotiation for connections based on this
                        entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  reverse-route         Enable reverse route injection for connections based on
                        this entry
  security-association  Security association duration
  tfc-packets           Configure TFC packets to mask a tunnel's traffic
                        profile
  validate-icmp-errors  Set Validate ICMP Errors
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 ?

configure mode commands/options:
  transform-set  Specify list of transform sets in priority order
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ?

configure mode commands/options:
  WORD  Proposal tag
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ?

configure mode commands/options:
  WORD  Proposal tag
  <cr>
ASA5505(config)# crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set  ESP-AES-256-SHA ESP-3DES-MD5   // APPLY IKE PHASE 2 POLICIES ON DYNAMIC CRYPTO MAP, USE DYNAMIC CRYPTO MAP IF THE CONNECTING VPN CLIENT IP ADDRESS IS UNKNOWN
ASA5505(config)# crypto map ?

configure mode commands/options:
  WORD < 64 char  Crypto map template tag
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP ?

configure mode commands/options:
  <1-65535>  Sequence to insert into map entry
  client     Enable IKE extended authentication (Xauth)
  interface  Name of interface to apply the crypto map to
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ?

configure mode commands/options:
  annotation    Specify annotation text - to be used by ASDM only
  ipsec-isakmp  IPSec w/ISAKMP
  match         Match address of packets to encrypt
  set           Specify crypto map settings
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp ?

configure mode commands/options:
  dynamic  Entry is a dynamic map
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp dynamic ?

configure mode commands/options:
  WORD  dynamic map name
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp dynamic IKEV1_CRYPTO_MAP
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP interface ?

configure mode commands/options:
Current available interface(s):
  inside   Name of interface Vlan1
  outside  Name of interface Vlan2
ASA5505(config)# crypto map OUTSIDE_CRYPTO_MAP interface outside    // APPLY CRYPTO MAP ON THE OUTSIDE INTERFACE


We can use the following show commands on the ASA to verify the remote-access IPsec VPN configuration (they show what is configured, not whether a tunnel is up):

ASA5505# show run crypto ?

  ca           Show certification authority policy
  dynamic-map  Show dynamic crypto map configuration
  ikev1        Show IKEv1 configuration
  ikev2        Show IKEv2 configuration
  ipsec        Show IPSec configuration
  isakmp       Show ISAKMP configuration
  map          Show crypto map configuration
  |            Output modifiers
  <cr>
ASA5505# show run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
ASA5505#
ASA5505# show run crypto ipsec
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
ASA5505#
ASA5505# show run crypto dynamic-map
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map IKEV1_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5
ASA5505#
ASA5505# show run crypto map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_CRYPTO_MAP 65535 ipsec-isakmp dynamic IKEV1_CRYPTO_MAP
crypto map OUTSIDE_CRYPTO_MAP interface outside
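Added example (not code from the original post or from Cisco): a small Python audit of the IKEv1 configuration built above, covering both the policy ordering set up under crypto ikev1 policy 10 / 20 and the show run crypto output just shown. It parses the running-config lines, flags the weak fallback policy 20, the ESP-3DES-MD5 transform set and the trivial group key, and simulates the ASA's Phase 1 policy selection, which walks the policies in ascending number order and takes the first one the client also proposes, so a client that offers only 3DES/MD5 still connects on policy 20. The sample config is the page's own output pasted in as constructed input; the weak/strong classification and the simplified negotiation (lifetime matching ignored) are this example's own assumptions.

```python
import re

# Constructed sample input: running-config lines shown on this page
# (show run crypto ikev1 / crypto ipsec / tunnel-group ipsec-attributes).
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
tunnel-group RA_VPN_GRP ipsec-attributes
 ikev1 pre-shared-key cisco
"""

# The weak/strong split is this example's own assumption: DES/3DES, MD5 and
# DH groups up to 1536-bit MODP (1, 2, 5) are treated as weak.
WEAK_ENC = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac", "esp-none"}
WEAK_DH = {"1", "2", "5"}
PHASE1_KEYS = ("authentication", "encryption", "hash", "group")


def parse_config(text):
    """Extract IKEv1 policies, transform sets, group PSKs and am-disable."""
    cfg = {"policies": [], "transform_sets": {}, "psks": [], "am_disable": False}
    policy = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented, line = raw.startswith(" "), raw.strip()
        if not indented:
            policy = None  # any top-level line ends the previous sub-mode
            m = re.fullmatch(r"crypto ikev1 policy (\d+)", line)
            if m:
                policy = {"number": int(m.group(1)), "attrs": {}}
                cfg["policies"].append(policy)
            m = re.fullmatch(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line)
            if m:
                cfg["transform_sets"][m.group(1)] = m.group(2).split()
            if line == "crypto ikev1 am-disable":
                cfg["am_disable"] = True
        elif policy is not None:  # "encryption aes", "hash sha", ...
            key, _, val = line.partition(" ")
            policy["attrs"][key] = val
        elif line.startswith("ikev1 pre-shared-key "):
            cfg["psks"].append(line.split()[-1])
    cfg["policies"].sort(key=lambda p: p["number"])  # ASA tries lowest first
    return cfg


def audit(cfg):
    """Return findings for weak Phase 1 / Phase 2 choices and a weak group key."""
    findings = []
    for p in cfg["policies"]:
        n, a = p["number"], p["attrs"]
        if a.get("encryption") in WEAK_ENC:
            findings.append(f"policy {n}: weak encryption {a['encryption']}")
        if a.get("hash") in WEAK_HASH:
            findings.append(f"policy {n}: weak hash {a['hash']}")
        if a.get("group") in WEAK_DH:
            findings.append(f"policy {n}: weak DH group {a['group']}")
    for name, transforms in cfg["transform_sets"].items():
        weak = [t for t in transforms if t in WEAK_ENC or t in WEAK_HASH]
        if weak:
            findings.append(f"transform-set {name}: weak {' '.join(weak)}")
    for psk in cfg["psks"]:
        if len(psk) < 16:
            findings.append("pre-shared-key: short group key")
    if cfg["psks"] and not cfg["am_disable"]:
        # Group-PSK authentication from the IPsec client runs over IKE
        # aggressive mode, which exposes a hash of the key to offline guessing.
        findings.append("aggressive mode with PSK: group key hash exposed; use a "
                        "long random key or certificate authentication")
    return findings


def negotiate_phase1(cfg, client_proposals):
    """Simulated responder choice: the ASA walks its policies from the lowest
    number and uses the first one that equals any proposal the client offered
    (lifetime matching is left out of this simulation)."""
    for p in cfg["policies"]:
        mine = tuple(p["attrs"].get(k) for k in PHASE1_KEYS)
        if any(tuple(c.get(k) for k in PHASE1_KEYS) == mine for c in client_proposals):
            return p["number"]
    return None


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("\n".join("FINDING: " + f for f in audit(cfg)))
    weak = {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2"}
    print("a client offering only 3DES/MD5 lands on policy", negotiate_phase1(cfg, [weak]))
```

Feed it the real output of show run crypto ikev1, show run crypto ipsec and show run tunnel-group to audit a production box. Removing policy 20 and the ESP-3DES-MD5 transform set and replacing the group key with a long random string clears every finding except the aggressive-mode one, which is inherent to group-PSK authentication with this client and only goes away with certificate (rsa-sig / ikev1 trust-point) authentication.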


Enter the following information in the VPN client for a connection attempt to succeed:

* Connection name: a local name that lets remote users identify this connection if they have several.

* Description: optional help text for remote users (for example, remote connection to the head office).

* Host: the IP address or hostname of the remote VPN endpoint (the ASA outside interface on which crypto ikev1 enable outside and the crypto map were applied).

* Group Authentication Name: the tunnel-group name (RA_VPN_GRP above).

* Group Authentication Password: the ikev1 pre-shared-key configured under the tunnel-group ipsec-attributes.

After the Phase 1 exchange the client prompts for the XAUTH username and password, which are the local username and password (cisco/cisco above) created at the start of the configuration.







We can enable and check logging on the VPN client, and watch the ASDM Real-Time Log Viewer, to confirm that the IPsec remote access VPN was established. On the ASA CLI, show crypto ikev1 sa and show crypto ipsec sa list the live Phase 1 and Phase 2 security associations, and show vpn-sessiondb lists the logged-in remote-access sessions.






