
VPN for remote users if radius or ldap services avail servers are not there?

Dear Folks,

I have an ASA 5510 Adaptive Security Appliance with the features below.

Now, what is the best way of configuring VPN for remote users in a secure manner if I don't have an LDAP or RADIUS services server?

HOFW#  sh flash:
--#--  --length--  -----date/time------  path
  181  14137344    Mar 03 2003 08:36:00  asa804-k8.bin
  195  436         Sep 01 2012 16:28:05  bar.emf
   75  4096        Nov 10 2011 18:41:26  log
  192  1335        Nov 10 2011 18:41:26  log/recovery-event.388.20111110.131127
   79  4096        Jan 19 2009 16:12:34  crypto_archive
  182  7562988     Jan 19 2009 16:14:06  asdm-613.bin
  184  4863904     Jan 19 2009 16:15:44  securedesktop_asa_3_3_0_129.pkg.zip
  185  4096        Jan 19 2009 16:15:46  sdesktop
  194  1462        Jan 19 2009 16:15:46  sdesktop/data.xml
  186  2153936     Jan 19 2009 16:15:46  anyconnect-win-2.2.0133-k9.pkg
  187  3446540     Jan 19 2009 16:15:48  anyconnect-macosx-powerpc-2.2.0133-k9.p
kg
  188  3412549     Jan 19 2009 16:15:50  anyconnect-macosx-i386-2.2.0133-k9.pkg
  189  3756345     Jan 19 2009 16:15:52  anyconnect-linux-2.2.0133-k9.pkg

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."       

Accepted Solutions

With that ASA you'll be a little bit restricted in what you can do for Remote-Access-VPN.

There are two different ways to configure that:

1) Using SSL-VPNs with the AnyConnect-Client

For that you need the quite expensive AnyConnect-Premium licenses for the amount of concurrent users that you plan to accept or the cheap AnyConnect Essentials license which will give you 250 AnyConnect users which is the platform-limit.

But for the AnyConnect Essential license you need to upgrade the RAM of your ASA because you need a newer ASA-OS for that.

But going that path will be the best option.

2) Using the legacy IPSec-Client (EasyVPN). The client is EOL/EOS announced and will not get any more development. But for now it could be a way to go until you upgrade your ASA.

Here is an example of how to configure your ASA for the old IPSec-Client:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
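
Option 2 with users authenticated against the ASA's LOCAL database, as an added configuration example in ASA 8.0 syntax (not part of the original post and not taken from the linked Cisco document). The interface names inside and outside, the 10.0.0.0/24 LAN, the 192.168.100.0/24 pool, and every object name, user and secret are assumed placeholders.

```cisco
! Constructed example for ASA 8.0(x) syntax. All names, addresses and secrets
! below are placeholders (assumptions), not values from the thread.
!
! Client address pool and NAT exemption for the assumed inside LAN 10.0.0.0/24
ip local pool RA-POOL 192.168.100.10-192.168.100.50 mask 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list RA-SPLIT standard permit 10.0.0.0 255.255.255.0
!
! Group policy: IPsec only, no saved passwords on the client, bounded sessions
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol IPSec
 password-storage disable
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
!
! Per-user accounts in the LOCAL database; the remote-access service type keeps
! these accounts from being usable for ASA management logins
username alice password <UNIQUE-STRONG-PASSWORD>
username alice attributes
 service-type remote-access
 vpn-group-policy RA-POLICY
aaa local authentication attempts max-fail 5
!
! Tunnel group: group pre-shared key plus XAUTH against LOCAL
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 address-pool RA-POOL
 authentication-server-group LOCAL
 default-group-policy RA-POLICY
tunnel-group RA-USERS ipsec-attributes
 pre-shared-key <LONG-RANDOM-GROUP-KEY>
!
! Phase 1 / phase 2: AES-256 with SHA-1; no DES or 3DES proposals offered
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set RA-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set transform-set RA-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside
```

If a crypto map is already applied to the outside interface (for example for a site-to-site tunnel), add the dynamic-map entry to that existing map rather than applying a new one, since an interface carries only one crypto map. The group pre-shared key is known to every client, so the per-user password and the lockout setting carry the real authentication weight here.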


If you don't have a central AAA-server, you have to authenticate your clients locally on your ASA which is a common scenario in small business environments.

The "show flash" doesn't show which features are enabled, please post a "show version". Please post that output.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi,

Please find the same

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

HOFW up 195 days 2 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   :  CN1000-MC-BOOT-2.00
                             SSL/IKE microcode:  CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0         : address is 0021.a0af.cd74, irq 9
1: Ext: Ethernet0/1         : address is 0021.a0af.cd75, irq 9
2: Ext: Ethernet0/2         : address is 0021.a0af.cd76, irq 9
3: Ext: Ethernet0/3         : address is 0021.a0af.cd77, irq 9
4: Ext: Management0/0       : address is 0021.a0af.cd78, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
<--- More --->
              

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50       
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 0        
GTP/GPRS                     : Disabled 
VPN Peers                    : 250      
WebVPN Peers                 : 100      
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Proxy Sessions            : 2        

This platform has a Base license.

Serial Number: JMX1304L00N
Running Activation Key: 0xa837d169 0xf05a36cc 0x6801c11c 0x874ce88c 0x063b1e8b
Configuration register is 0x1
Configuration last modified by enable_15 at 14:19:17.183 IST Sat Nov 3 2012

HOFW#  

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
