Now i want to show how to configure a IPSec Remote-Access with an ASA5505.
Given is a DSL-Modem(NTBBA) and an ASA5505 with a Software Image <=8.3.
1. Prepare the ASA for the WAN connection.
In this section you learn how to configure the ASA5505 to get a connection to the WAN.
We used the Interface Vlan1 to connect with the DSL-Modem. Please set the DSL-Modem to
- At this point you can reach the ASA5505 with the external IP address from your provider
The following steps will grant IPSec Remote access
Step 1. Enable ISAKMP
Step 2. Create ISAKMP policy
- Priority = a number between 1 and 65535.
ISAKMP begins with the lowest number. Is there no match – then the very next higher number will match and so on…
- Encryption = choose the appropriate encryption type. The following types are available: 3des;aes(128bit);aes-192;aes-256;des
- Hash = you can choose between MD5 and SHA.This check the paket on the way of transport (if the paket changed on the way of delivery) = Data Integrity
- Authentication = you can choose between preshared keys;CRACK;RSA. A mechanism to handle the identity of the remote peer
- D-H Group = allocation of a preshared key between 2 VPN devices. IKE policies support Group 1,2,5,7. In a normal case you choose Group 2 or 5.
- Lifetime = Lifetime of a ISKAMP key. In normal case the lifetime is 86400 sec.
Step 3. Set up tunnel and group policies
- Addition = Cisco ASA uses a ‘inheritance model’ to push network and security policies to the enduser. Possible locations are: default group policy; user’s assigned group policy; specific user’s policy. There are a default policy called DfltGrpPolicy (System Default). If a new policy is created, this will be applied under the ‘User Group Policies’.
These Policies can be configured specially. Otherwise the properties of the DfltGrpPolicy will be inherit.
Step 4. Define IPSec policy
- Set Name = decribe the name of the transformset. The name has only local meaning and it’s not important for the tunnel establishment respectively transfer
- ESP Encryption = there are several encryption types. esp-3des; esp-aes (128bit); esp-aes-192; esp-aes-256; esp-des; esp-none; esp-null
- ESP Authentication = you can choose between MD5 and SHA.esp-md5-hmac (esp md5 authentication);esp-sha-hmac (esp sha authentication)
- Mode = here you can choose between ‘Tunnel’ and ‘Transport Mode’.
Transport Mode encrypt and authenticate the data packets between the VPN peers. Tunnel Mode encrypt and authenticate the IP packets between the VPN peers. In a remote access connection usually the Tunnel Mode will be used.
Step 5. Configure user authentication
Well known cisco user authentication.
Step 6. assign an IP address
Mapping an address pool to the GroupPolicy
Step 7. Create a crypto map
Step 8. configure the VPN Client
1. Connection entry: just a name
2. Description: this speaks for itself
3. Host: the external WAN IP address, with which you are reach the ASA5505 .
Radio Buttion -> Group Authentication
Name: [Name2] and password
on the image.