Remote VPN access question

The_guroo_2
Level 2

Gents, we have a Cisco 2800 series with a static IP. We have some remote users who connect to the router over VPN. The client uses Windows VPN software. Now the client wants to replace the router with an ASA 5512. The remote access users use email when they connect to the router. I have a few questions: does the ASA support the Windows remote access client, or do I have to purchase something, i.e. software etc.?

A sample config of ASA would be really helpful

Thanks

6 Replies

Thanks Marcin

Just a quick question

Why would you use L2TP or PPTP with an ASA or router? What is different than using AnyConnect or EzVPN?

Secondly, is there any document which shows Windows configuration, I mean end-to-end configuration?

My last question: in your doco it's written

ASA 5512-X

IPsec remote access VPN using IKEv2 (use one of the following):

AnyConnect Premium license:

Base license: 2 sessions.

Optional permanent or time-based licenses: 10, 25, 50, 100, or 250 sessions.

Optional Shared licenses: Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000.

AnyConnect Essentials license: 250 sessions.

IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2:

Base license: 250 sessions.

The Windows VPN comes under which category?

Thanks Heaps

PPTP is essentially (security-wise) dead.

http://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security

L2TP is used to establish a Layer 2 pipe between devices.

What ASA adds here is a layer of security (IPsec).

EZVPN is essentially our framework of creating remote access VPN - using pure IPsec.

Without added overhead (and a few limitations) of L2TP over IPsec.

There are a lot of examples for L2TP over IPsec, including this one:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

(If you're starting with ASA, use ASDM's VPN configuration wizard).

In practice we recommend most people run AnyConnect, which allows both SSL and IPsec (IKEv2) connectivity to both ASA and IOS devices.

Thanks Marcin

Excellent reply. I will close this thread but just need one more clarification. The above example of ASDM is excellent. We have a new ASA 5512X and in the example you have an old ASA with Server 2000. My question is: is the ASDM config the same on the 5512X or is it different? Secondly, we have only one static IP, which we will give to the outside interface. Do I need to do NAT, as we will use 192.X IPs?

Thanks heaps

The new CLI (NAT, some crypto) is a bit different but ASDM remains similar.

You only need to use NAT if you're planning to hairpin traffic (and maybe add a NAT exclusion, depending on your setup).

Check config guide against your actual needed config ;-)

One note about the config - it's using MD5, but support for MD5 was removed (AFAIR) in Vista. Use SHA.
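
The reply above advises replacing MD5 with SHA in the linked configuration example. As an added example (not part of the thread or of Cisco's document), this Python check flags MD5 in an ASA configuration's IPsec transform sets, IKE policies, and the crypto map lines that reference a flagged transform set. The sample configuration and the names in it are constructed.

```python
import re

# Constructed sample ASA configuration (not taken from the thread).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN 10 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ikev1 policy 20
 encryption 3des
 hash sha
"""

# Accept both the older "crypto ipsec transform-set" / "crypto isakmp policy"
# forms and the newer "ikev1" forms of the same commands.
TRANSFORM_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
MAP_RE = re.compile(r"^crypto (?:dynamic-)?map \S+ \d+ set (?:ikev1 )?transform-set (.+)$")

def find_md5(config):
    """Return sorted (kind, name) tuples for every MD5 use found."""
    weak_sets, findings, policy = set(), set(), None
    lines = config.splitlines()
    for line in lines:
        if not line.startswith(" "):
            policy = None  # a top-level line ends the policy sub-mode
        m = TRANSFORM_RE.match(line)
        if m and "esp-md5-hmac" in m.group(2).split():
            weak_sets.add(m.group(1))
            findings.add(("transform-set", m.group(1)))
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
        elif policy and line.strip() == "hash md5":
            findings.add(("ike-policy", policy))
    # Second pass: crypto map entries that reference a flagged transform set.
    for line in lines:
        m = MAP_RE.match(line)
        if m and weak_sets & set(m.group(1).split()):
            findings.add(("crypto-map-line", line.strip()))
    return sorted(findings)

if __name__ == "__main__":
    print(*find_md5(SAMPLE_CONFIG), sep="\n")
```
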

The local PCs behind the inside interface will have NAT as they are private addresses. Secondly, I need config for split tunneling, as I don't want my employees to use the internet, or in this case I can't use split tunneling

Thanks and that will end my thread :-)