5505 with 9.1 VPN server setup

alceryes3
Level 1

ASA 5505, Security Plus license, with OS 9.1

I want to set up a quick and simple VPN server on my ASA. I want to do local authentication and, once authenticated, I want to allow all internal access. I only have 1 WAN IP. I'm finding a ton of conflicting info online. The ASA is already set up and operational. I just need the correct commands to set up the VPN. Any help is appreciated.

TIA!


6 Replies

alceryes3
Level 1

No answer?

I'm probably just missing a simple step...hoping for a nudge in the right direction.

Tarjeet Singh
Level 1 (accepted solution)

I am not sure about your question. Hope this helps if you just need an easy VPN client configuration.

! IKEv1 remote-access (Cisco VPN Client) configuration in ASA 9.1 syntax. 9.x still accepts
! the older "crypto isakmp enable", "crypto ipsec transform-set", "set transform-set" and
! "pre-shared-key" spellings and converts them to the forms below on input.
!
! Phase 1 (IKEv1) policy, added here because the ASA has no default IKE policy and will not
! negotiate without one. aes-256 / sha / group 2 are accepted by the Cisco VPN Client.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 transform set. esp-3des is legacy; prefer esp-aes-256 esp-sha-hmac where the client supports it.
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto dynamic-map Outside_dyn_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto map VPN_MAP 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map VPN_MAP interface outside
crypto ikev1 enable outside
crypto isakmp identity address
!
! Replace <dns-ip> and <domain-name> with your internal DNS server and domain.
group-policy RemoteVPN_local internal
group-policy RemoteVPN_local attributes
 dns-server value <dns-ip>
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
 default-domain value <domain-name>
!
! authentication-server-group LOCAL is the default (Xauth against the local user database); shown explicitly.
tunnel-group RemoteVPN_local type remote-access
tunnel-group RemoteVPN_local general-attributes
 address-pool RemoteVPN_local
 authentication-server-group LOCAL
 authorization-server-group LOCAL
 default-group-policy RemoteVPN_local
tunnel-group RemoteVPN_local ipsec-attributes
 ikev1 pre-shared-key *******
!
! Split-tunnel ACL and the local address pool referenced above (a local pool, not DHCP).
access-list RemoteVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
ip local pool RemoteVPN_local 10.70.0.129-10.70.0.254 mask 255.255.255.0
!
! Management-plane logins, not part of the VPN. "AD" must be an existing aaa-server group;
! without one, use LOCAL alone.
aaa authentication http console AD LOCAL
aaa authentication telnet console AD LOCAL
aaa authentication ssh console AD LOCAL
aaa authentication enable console AD LOCAL

and make sure there is no NAT for the private traffic, and

Tarjeet Singh
Level 1

! AnyConnect (SSL VPN) configuration in ASA 9.1 syntax. 9.x accepts the older "svc" keywords
! and "vpn-tunnel-protocol svc webvpn" and converts them to the forms below.
! Download the AnyConnect package from cisco.com into flash and give its path here.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect enable
!
! Replace <domain-name> with your internal domain.
group-policy SSLPolicy internal
group-policy SSLPolicy attributes
 dns-server value 10.80.10.16 10.80.10.10
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
 default-domain value <domain-name>
 address-pools value RemoteVPN_local
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl keepalive 15
  anyconnect ask none default anyconnect
  url-entry enable
!
! The pool named in the tunnel-group must be one created with "ip local pool". The original
! had "address-pool Web_VPN", which is never defined; RemoteVPN_local (below) is the pool that exists.
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool RemoteVPN_local
 authorization-server-group LOCAL
 authentication-server-group LOCAL
 default-group-policy SSLPolicy
!
access-list RemoteVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
ip local pool RemoteVPN_local 10.70.0.129-10.70.0.254 mask 255.255.255.0

Create a local account for the user.

This second config I have pasted is for the WebVPN AnyConnect client.
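Both snippets above fail in ways that only show up when the first client connects: a pool, ACL or AAA server group that is referenced but never defined (the "Web_VPN" pool, the "AD" group in the aaa authentication lines), pre-9.x keywords, a legacy transform set, no IKEv1 phase 1 policy, or no NAT exemption for the pool that the "make sure no nat" remark refers to. The checker below is an added example for this thread, not a Cisco tool and not code from either poster; it runs those sanity checks over ASA running-config text and generates the 8.3+/9.x twice-NAT exemption. The two configs inside it are constructed samples: the first merges the thread's two snippets with the slips they contain, the second is the 9.1 form with them corrected. The object names INSIDE-NET and VPN-POOL, the finding codes and the list of checks are this example's own choices.

```python
import re

# Legacy ESP algorithms ASA 9.x still accepts; a new deployment should not use them.
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# Pre-9.x keywords and what ASA 9.x writes instead (9.x converts the old forms on input,
# so these are reported as informational, not as errors).
LEGACY_SYNTAX = [
    (r"^crypto isakmp (?:enable|policy)", "crypto ikev1 enable / crypto ikev1 policy"),
    (r"^crypto ipsec transform-set", "crypto ipsec ikev1 transform-set"),
    (r"\bset transform-set\b", "set ikev1 transform-set"),
    (r"^\s*pre-shared-key\b", "ikev1 pre-shared-key"),
    (r"^\s*svc\b", "anyconnect ..."),
    (r"^\s*vpn-tunnel-protocol\b.*\bsvc\b", "vpn-tunnel-protocol ssl-client"),
]

def nat_exemption(inside_net, inside_mask, pool_net, pool_mask):
    """ASA 8.3+/9.x identity (twice) NAT so inside <-> VPN-pool traffic is not translated.
    The object names INSIDE-NET and VPN-POOL are this example's own choice."""
    return "\n".join([
        "object network INSIDE-NET", f" subnet {inside_net} {inside_mask}",
        "object network VPN-POOL", f" subnet {pool_net} {pool_mask}",
        "nat (inside,outside) source static INSIDE-NET INSIDE-NET "
        "destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup"])

def lint_asa_vpn_config(text):
    """Return (severity, code, message) findings for an ASA remote-access VPN config.
    Line-based heuristics over the flat text; configuration-mode nesting is not tracked."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("!")]
    findings = []

    def names(pattern):  # first capture group of every line `pattern` matches at its start
        return {m.group(1) for m in (re.match(pattern, ln) for ln in lines) if m}

    pools = names(r"ip local pool (\S+)")
    acls = names(r"access-list (\S+)")
    aaa_groups = names(r"aaa-server (\S+) protocol") | {"LOCAL"}
    aaa_refs = (names(r"aaa authentication \S+ console (\S+)")
                | names(r"\s*auth(?:entication|orization)-server-group (\S+)"))
    # Dangling references: a name is used but nothing in the config creates it.
    for name in sorted(names(r"\s*address-pools? (?:value )?(\S+)") - pools):
        findings.append(("error", "undefined-pool", f"pool {name} is referenced but 'ip local pool {name}' is not defined"))
    for name in sorted(names(r"\s*split-tunnel-network-list value (\S+)") - acls):
        findings.append(("error", "undefined-acl", f"split-tunnel ACL {name} is referenced but not defined"))
    for name in sorted(aaa_refs - aaa_groups):
        findings.append(("error", "undefined-aaa-group", f"AAA group {name} is referenced but 'aaa-server {name} protocol ...' is not defined"))

    for ln in lines:
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)", ln)
        weak = sorted(set(m.group(2).split()) & WEAK_ALGS) if m else []
        if weak:
            findings.append(("warning", "weak-transform", f"transform-set {m.group(1)} uses {' '.join(weak)}; prefer esp-aes-256 esp-sha-hmac"))

    # The ASA ships with no IKEv1 phase 1 policy; enabling IKEv1 without one leaves clients unable to negotiate.
    if (any(re.match(r"crypto (?:isakmp|ikev1) enable", ln) for ln in lines)
            and not any(re.match(r"crypto (?:isakmp|ikev1) policy \d+", ln) for ln in lines)):
        findings.append(("error", "missing-ike-policy", "IKEv1 is enabled but no 'crypto ikev1 policy' is configured"))

    # 8.3+ twice NAT with 'destination static', or pre-8.3 'nat 0 access-list', counts as an exemption.
    nat_exempt = re.compile(r"nat \([^)]+\) (?:\d+ )?source static \S+ \S+ destination static|nat \([^)]+\) 0 access-list")
    if pools and not any(nat_exempt.match(ln) for ln in lines):
        findings.append(("warning", "missing-nat-exempt", "a pool is defined but no NAT exemption for it was found; inside replies to VPN clients will be translated"))

    for pattern, modern in LEGACY_SYNTAX:
        if any(re.search(pattern, ln) for ln in lines):
            findings.append(("info", "legacy-syntax", f"pre-9.x keyword /{pattern}/ found; 9.x writes '{modern}'"))
    return findings

# Constructed sample: the thread's two snippets merged, keeping the slips they contain.
POSTED_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto isakmp enable outside
group-policy RemoteVPN_local attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
tunnel-group RemoteVPN_local general-attributes
 address-pool Web_VPN
tunnel-group RemoteVPN_local ipsec-attributes
 pre-shared-key *******
access-list RemoteVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
aaa authentication ssh console AD LOCAL
ip local pool RemoteVPN_local 10.70.0.129-10.70.0.254 mask 255.255.255.0
"""
# Constructed sample in 9.1 syntax with those slips corrected; the NAT exemption is generated above.
FIXED_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 enable outside
tunnel-group RemoteVPN_local general-attributes
 address-pool RemoteVPN_local
tunnel-group RemoteVPN_local ipsec-attributes
 ikev1 pre-shared-key *******
aaa authentication ssh console LOCAL
ip local pool RemoteVPN_local 10.70.0.129-10.70.0.254 mask 255.255.255.0
""" + nat_exemption("10.0.0.0", "255.0.0.0", "10.70.0.0", "255.255.255.0") + "\n"

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        for finding in lint_asa_vpn_config(cfg) or [("ok", "-", "no findings")]:
            print(label, *finding, sep="  ")
```

Run it as a script to see the findings for both samples, or paste in the output of show running-config from your own ASA. The checks are deliberately line-based, so a second tunnel-group or group-policy is checked the same way as the first; if you need per-tunnel-group results, replace names() with a parser that tracks the one-space indentation the ASA uses for sub-mode commands.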

Thanks Tarjeet! Wow! That's a little more complex than I thought.

I actually want to set up a local VPN server on the ASA. I only want to issue a couple of specific IPs for VPN connections. I'll then be connecting from the outside using a Cisco PCF file. I already have a user configured and an outside SSH connection configured.

Thx!

Hi Alceryes,

You do not need to enable SSH on the outside interface for VPN. Also, if you have specific public IP addresses which will access the ASA, then you can allow them on the outside interface and deny the rest of the traffic for VPN. Normally we allow any outside traffic because clients can be connecting from anywhere, with random public IP addresses, all the time.

You can use the first config I gave you. Let me know if you need any kind of help. You can search on Cisco for remote VPN configuration.