11-05-2012 03:34 AM
Dear Folks,
I have an ASA 5510 Adaptive Security Appliance with the below features.
Now what is the best way of configuring VPN for remote users in a secure manner if I don't have an LDAP or RADIUS services server?
HOFW# sh flash:
--#-- --length-- -----date/time------ path
181 14137344 Mar 03 2003 08:36:00 asa804-k8.bin
195 436 Sep 01 2012 16:28:05 bar.emf
75 4096 Nov 10 2011 18:41:26 log
192 1335 Nov 10 2011 18:41:26 log/recovery-event.388.20111110.131127
79 4096 Jan 19 2009 16:12:34 crypto_archive
182 7562988 Jan 19 2009 16:14:06 asdm-613.bin
184 4863904 Jan 19 2009 16:15:44 securedesktop_asa_3_3_0_129.pkg.zip
185 4096 Jan 19 2009 16:15:46 sdesktop
194 1462 Jan 19 2009 16:15:46 sdesktop/data.xml
186 2153936 Jan 19 2009 16:15:46 anyconnect-win-2.2.0133-k9.pkg
187 3446540 Jan 19 2009 16:15:48 anyconnect-macosx-powerpc-2.2.0133-k9.pkg
188 3412549 Jan 19 2009 16:15:50 anyconnect-macosx-i386-2.2.0133-k9.pkg
189 3756345 Jan 19 2009 16:15:52 anyconnect-linux-2.2.0133-k9.pkg
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
11-05-2012 03:56 AM
If you don't have a central AAA-server, you have to authenticate your clients locally on your ASA, which is a common scenario in small business environments.
The "show flash" doesn't show which features are enabled, please post a "show version". Please post that output.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-05-2012 04:06 AM
Hi,
Please find the same
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
HOFW up 195 days 2 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 0021.a0af.cd74, irq 9
1: Ext: Ethernet0/1 : address is 0021.a0af.cd75, irq 9
2: Ext: Ethernet0/2 : address is 0021.a0af.cd76, irq 9
3: Ext: Ethernet0/3 : address is 0021.a0af.cd77, irq 9
4: Ext: Management0/0 : address is 0021.a0af.cd78, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
<--- More --->
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 100
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has a Base license.
Serial Number: JMX1304L00N
Running Activation Key: 0xa837d169 0xf05a36cc 0x6801c11c 0x874ce88c 0x063b1e8b
Configuration register is 0x1
Configuration last modified by enable_15 at 14:19:17.183 IST Sat Nov 3 2012
HOFW#
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
11-05-2012 04:18 AM
With that ASA you'll be a little bit restricted in what you can do for Remote-Access-VPN.
There are two different ways to configure that:
1) Using SSL-VPNs with the AnyConnect-Client
For that you need the quite expensive AnyConnect-Premium licenses for the amount of concurrent users that you plan to accept or the cheap AnyConnect Essentials license which will give you 250 AnyConnect users which is the platform-limit.
But for the AnyConnect Essential license you need to upgrade the RAM of your ASA because you need a newer ASA-OS for that.
But going that path will be the best option.
2) Using the legacy IPSec-Client (EasyVPN). The client is EOL/EOS announced and will not get any more development. But for now it could be a way to go until you upgrade your ASA.
Here is an example of how to configure your ASA for the old IPSec-Client:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
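Added example, not part of the original thread or of the linked Cisco document: a sketch of option 2 (legacy IPSec client) on ASA 8.0(4) with users authenticated against the local database, as discussed above. All names (RA-POOL, RA-SPLIT, RA-POLICY, RA-VPN, RA-TS, RA-DYN, RA-MAP, vpnuser1), the address ranges, the interface name `outside` and the bracketed secrets are assumptions and placeholders.

```cisco
! Address pool handed to VPN clients (assumed range, must not overlap the LAN)
ip local pool RA-POOL 192.168.250.10-192.168.250.50 mask 255.255.255.0

! Only this internal network is reachable through the tunnel (assumed LAN)
access-list RA-SPLIT standard permit 10.10.10.0 255.255.255.0

! Lock a local account after repeated failed logins
aaa local authentication attempts max-fail 5

! Per-group restrictions for remote users
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol IPSec
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT

! Local VPN user: no device privileges, VPN access only (no ASDM/SSH login)
username vpnuser1 password <PLACEHOLDER-STRONG-PASSWORD> privilege 0
username vpnuser1 attributes
 vpn-group-policy RA-POLICY
 service-type remote-access

! Tunnel group: group pre-shared key plus per-user XAUTH against LOCAL
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 authentication-server-group LOCAL
 default-group-policy RA-POLICY
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <PLACEHOLDER-GROUP-KEY>

! Phase 1: AES-256/SHA, DH group 2 (the highest the legacy client negotiates)
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! Phase 2: AES-256/SHA for dynamically addressed clients
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set transform-set RA-TS
crypto map RA-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map RA-MAP interface outside
```

If a crypto map is already applied to the outside interface, add the dynamic entry to that map instead of creating RA-MAP. The `show version` above lists VPN-3DES-AES as enabled, so AES is available, and a NAT exemption for the pool is typically also needed on 8.0.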