Cisco ASA remote access VPN - example 1 - pre-shared key with split-tunneling

 

[figure: ra_vpn_example1.png]

 

  • create ACL for split tunneling (only traffic matching this ACL will be tunneled)

(config)# access-list ra_vpn standard permit 10.0.0.0 255.0.0.0


  • create pool of addresses for remote clients

(config)# ip local pool ra_vpn_pool 149.121.229.200-149.121.229.250 mask 255.255.255.192


  • create internal group policy

(config)# group-policy RA_VPN_Policy internal
(config)# group-policy RA_VPN_Policy attributes

(config-group-policy)# dns-server value 10.10.10.10 10.10.10.11

(config-group-policy)# default-domain value danpol.net

(config-group-policy)# banner login "Welcome on Remote Access VPN at danpol.net"

set the split-tunneling policy (options are: tunnelall, excludespecified and tunnelspecified).

(config-group-policy)# split-tunnel-policy tunnelspecified

configure the network list (the ACL created above) that should be tunneled

(config-group-policy)# split-tunnel-network-list value ra_vpn


  • create tunnel-group

(config)# tunnel-group RA_VPN_tunnel_group type ipsec-ra

(config)# tunnel-group RA_VPN_tunnel_group general-attributes

specify ip address assignment (our local ip address pool)

(config-tunnel-general)# address-pool ra_vpn_pool

specify policy for vpn connection (our RA_VPN_Policy)

(config-tunnel-general)# default-group-policy RA_VPN_Policy

(config)# tunnel-group RA_VPN_tunnel_group ipsec-attributes

define pre-shared-key

(config-tunnel-ipsec)# pre-shared-key xxxxxxxxxxxxxxxxxxxxx

  • configure crypto map

configure transform-set (IPsec phase 2)

(config)# crypto ipsec transform-set RA_VPN_transformset esp-aes-256 esp-sha-hmac

configure dynamic map and bind it to a crypto map

(config)# crypto dynamic-map RA_VPN_dynamic 5000 set transform-set RA_VPN_transformset

(config)# crypto map RA_VPN_map 100 ipsec-isakmp dynamic RA_VPN_dynamic

enable crypto map on outside interface

(config)# crypto map RA_VPN_map interface outside

 

  • enable isakmp on external interface

(config)#crypto isakmp enable outside


  • define isakmp policy (IPsec phase 1)

(config)# isakmp policy 100

(config-isakmp-policy)# group 2

(config-isakmp-policy)# encryption aes-256

(config-isakmp-policy)# authentication pre-share


  • configure NAT exemption (DO NOT NAT remote access traffic!!!)

ACL for NAT exemption: traffic from inside hosts to the VPN address pool must not be translated, otherwise replies to VPN clients never reach the tunnel

(config)# access-list nonat line 1 extended permit ip any 149.121.229.192 255.255.255.192

(config)# nat (inside) 0 access-list nonat


  • create user for remote access

(config)# username danpol password ....

(config)# username danpol attributes

(config-username)# vpn-group-policy RA_VPN_Policy
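As an added consistency check for the server-side steps above (example code written for this page, not part of the original post and not a Cisco tool), the Python script below parses the configuration lines from the steps above with the CLI prompts stripped (sample embedded inline) and verifies that the objects reference each other correctly (split-tunnel list, address pool, default group policy), that the pool stays inside the subnet implied by its mask, and that the NAT-exemption ACL from the NAT section really covers every pool address. The regular expressions recognise only the command forms used on this page; that is an assumption about the syntax, not a general ASA parser.

```python
"""Consistency check for the ASA remote-access VPN objects configured above.

Added example, not code from the original post: parses the command subset
used on this page and reports broken references and NAT-exemption gaps.
"""
import ipaddress
import re

# Constructed sample: the post's commands with the CLI prompts stripped.
SAMPLE_CONFIG = """
access-list ra_vpn standard permit 10.0.0.0 255.0.0.0
ip local pool ra_vpn_pool 149.121.229.200-149.121.229.250 mask 255.255.255.192
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ra_vpn
tunnel-group RA_VPN_tunnel_group type ipsec-ra
tunnel-group RA_VPN_tunnel_group general-attributes
 address-pool ra_vpn_pool
 default-group-policy RA_VPN_Policy
access-list nonat line 1 extended permit ip any 149.121.229.192 255.255.255.192
nat (inside) 0 access-list nonat
"""


def _network(addr, mask):
    """Build a network from an address and a dotted mask (host bits allowed)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract the objects the checks need. Only the command forms used on
    this page are recognised (assumption); every other line is ignored."""
    cfg = {"acls": {}, "pools": {}, "group_policies": set(),
           "split_lists": {}, "tunnel_groups": {}, "nat_exempt_acls": []}
    current = None  # group-policy or tunnel-group whose attribute lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append(_network(m[2], m[3]))
        elif m := re.match(r"access-list (\S+)(?: line \d+)? extended permit ip "
                           r"(?:any|\S+ \S+) (any|\S+ \S+)$", line):
            dst = m[2].split()  # only the destination matters for NAT exemption
            net = ipaddress.ip_network("0.0.0.0/0") if dst == ["any"] else _network(*dst)
            cfg["acls"].setdefault(m[1], []).append(net)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]),
                                  ipaddress.ip_address(m[3]), m[4])
        elif m := re.match(r"group-policy (\S+) internal$", line):
            cfg["group_policies"].add(m[1])
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            current = m[1]
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            cfg["split_lists"][current] = m[1]
        elif m := re.match(r"tunnel-group (\S+) type \S+$", line):
            cfg["tunnel_groups"].setdefault(m[1], {})
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            current = m[1]
        elif m := re.match(r"address-pool (\S+)$", line):
            cfg["tunnel_groups"].setdefault(current, {})["address_pool"] = m[1]
        elif m := re.match(r"default-group-policy (\S+)$", line):
            cfg["tunnel_groups"].setdefault(current, {})["group_policy"] = m[1]
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            cfg["nat_exempt_acls"].append(m[1])
    return cfg


def check_config(cfg):
    """Return a list of human-readable findings; an empty list means OK."""
    findings = []
    for policy, acl in cfg["split_lists"].items():
        if acl not in cfg["acls"]:
            findings.append(f"group-policy {policy}: split-tunnel list '{acl}' is not a defined ACL")
    for tg, attrs in cfg["tunnel_groups"].items():
        pool = attrs.get("address_pool")
        if pool not in cfg["pools"]:
            findings.append(f"tunnel-group {tg}: address pool '{pool}' is not defined")
        gp = attrs.get("group_policy")
        if gp not in cfg["group_policies"]:
            findings.append(f"tunnel-group {tg}: group-policy '{gp}' is not defined")
    # Every pool must stay inside the subnet given by its mask, and some entry of
    # a NAT-exemption ACL must cover the whole range; otherwise replies to VPN
    # clients are translated on the way back and never enter the tunnel.
    exempt = [net for acl in cfg["nat_exempt_acls"] for net in cfg["acls"].get(acl, [])]
    for name, (first, last, mask) in cfg["pools"].items():
        if _network(first, mask) != _network(last, mask):
            findings.append(f"pool {name}: range crosses the subnet boundary of mask {mask}")
        if not any(first in net and last in net for net in exempt):
            findings.append(f"pool {name}: {first}-{last} is not covered by any NAT-exemption ACL entry")
    return findings


def findings_for(text):
    """Parse and check in one call."""
    return check_config(parse_config(text))


if __name__ == "__main__":
    for finding in findings_for(SAMPLE_CONFIG) or ["no problems found"]:
        print(finding)
```

Run against the sample as given, the script reports nothing; shrinking the nonat destination mask to 255.255.255.240 (covering only .192-.207) produces a finding for the pool, which is exactly the kind of silent mismatch that shows up as "tunnel comes up but nothing answers".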

 

  • Configure VPN client profile

 

[figure: ra_vpn_preshared_key_client1.png]

 

Connection Entry - name of the profile

Description - short info about this profile

Group Authentication - Name - name of the tunnel-group (RA_VPN_tunnel_group)

Group Authentication - Password - the pre-shared key we typed in the tunnel-group configuration

 

dzbanek 2012-12-01
