cisco hands-on experience


IPSec Remote Access Configuration with ASA5505

Now I want to show how to configure IPSec remote access with an ASA5505.
Given are a DSL modem (NTBBA) and an ASA5505 with a software image of version 8.3 or earlier.

1. Prepare the ASA for the WAN connection.

In this section you learn how to configure the ASA5505 to connect to the WAN.
We use the interface Vlan1 to connect to the DSL modem. Please set the DSL modem to
‘Pass-through Mode’.

Vlan1

interface Vlan1
nameif outside
security-level 0
pppoe client vpdn group WAN_DIALIN
ip address pppoe setroute
.
.
vpdn group WAN_DIALIN request dialout pppoe
vpdn group WAN_DIALIN localname [UserID/Username of the Provider]
vpdn group WAN_DIALIN ppp authentication chap
vpdn username [UserID/Username of the Provider] password ********* store-local
dhcpd auto_config outside

  • At this point the ASA5505 is reachable at the external IP address assigned by your provider


The following steps set up IPSec remote access.

Step 1. Enable ISAKMP
enable isakmp

Lab5505# conf t
Lab5505(config)# crypto isakmp enable outside

Step 2. Create ISAKMP policy
  • Priority = a number between 1 and 65535.
    ISAKMP tries the policy with the lowest number first. If there is no match, the next higher number is tried, and so on…
  • Encryption = choose the appropriate encryption type. The following types are available: 3des; aes (128 bit); aes-192; aes-256; des
  • Hash = you can choose between MD5 and SHA. This checks whether the packet was changed in transit (data integrity)
  • Authentication = you can choose between preshared keys, CRACK and RSA. A mechanism to verify the identity of the remote peer
  • D-H Group = the Diffie-Hellman group used to agree on a shared key between two VPN devices. IKE policies support groups 1, 2, 5 and 7. Normally you choose group 2 or 5.
  • Lifetime = lifetime of an ISAKMP key. Normally the lifetime is 86400 seconds.


Create ISAKMP policy

Lab5505# conf t
Lab5505(config)# crypto isakmp policy 1
Lab5505(config-isakmp-policy)# authentication pre-share
Lab5505(config-isakmp-policy)# encryption aes-256
Lab5505(config-isakmp-policy)# hash sha
Lab5505(config-isakmp-policy)# group 2
Lab5505(config-isakmp-policy)# lifetime 86400

Step 3. Set up tunnel and group policies
  • Addition = Cisco ASA uses an ‘inheritance model’ to push network and security policies to the end user. Possible locations are: the default group policy; the user’s assigned group policy; a specific user’s policy. There is a default policy called DfltGrpPolicy (system default). If a new policy is created, it is listed under ‘User Group Policies’.
    These policies can be configured individually; otherwise the properties of the DfltGrpPolicy are inherited.


Set up tunnel and group policies

Lab5505(config)# group-policy [Name1] internal
Lab5505(config)# group-policy [Name1] attributes
Lab5505(config-group-policy)# vpn-tunnel-protocol ipSec

Lab5505(config)# tunnel-group [Name2] type ipsec-ra
Lab5505(config)# tunnel-group [Name2] general-attributes
Lab5505(config-tunnel-general)# default-group-policy [Name1]
Lab5505(config-tunnel-general)# tunnel-group [Name2] ipsec-attributes
Lab5505(config-tunnel-ipsec)# pre-shared-key [password]

Step 4. Define IPSec policy
  • Set Name = the name of the transform set. The name has only local meaning and is not relevant for tunnel establishment or data transfer
  • ESP Encryption = there are several encryption types: esp-3des; esp-aes (128 bit); esp-aes-192; esp-aes-256; esp-des; esp-none; esp-null
  • ESP Authentication = you can choose between MD5 and SHA: esp-md5-hmac (ESP MD5 authentication); esp-sha-hmac (ESP SHA authentication)
  • Mode = here you can choose between ‘Tunnel’ and ‘Transport Mode’.
    Transport mode encrypts and authenticates the data packets between the VPN peers. Tunnel mode encrypts and authenticates the entire IP packets between the VPN peers. In a remote access connection, tunnel mode is usually used.


Define IPSec policy

Lab5505(config)# crypto ipsec transform-set [Name2] esp-aes-256 esp-sha-hmac

Step 5. Configure user authentication

The well-known Cisco user authentication options.

Configure user authentication

Local:
Lab5505(config)# username [example] password 123example

AAA:
Lab5505(config)# aaa-server Radius protocol radius
Lab5505(config)# aaa-server Radius (inside) host 192.168.1.13
Lab5505(config-aaa-server-host)# key C1$co123
Lab5505(config)# tunnel-group [Name2] general-attributes
Lab5505(config-tunnel-general)# authentication-server-group Radius

Step 6. Assign an IP address

Map an address pool to the group policy

assign an IP address

Lab5505(config)# ip local pool [vpnPool] 172.16.10.40-172.16.10.60 mask 255.255.0.0

Lab5505(config)# group-policy [Name1] attributes
Lab5505(config-group-policy)# address-pools value [vpnPool]   (vpnPool is only a name)

Step 7. Create a crypto map

Create a crypto map

Defining Dynamic Crypto Map

Lab5505(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set [Name2]


Defining Static Crypto Map

Lab5505(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP


Applying a Crypto Map to the Outside Interface

Lab5505(config)# crypto map outside_map interface outside
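The checks a defender would run over the configuration built in Steps 2, 4, 6 and 7, as an added example in Python (not part of the original post and not Cisco software). It parses the running-config lines that the commands above produce, with the placeholders [Name1], [Name2] and [vpnPool] filled in with the constructed names RA_POLICY, RA_GROUP and vpnPool, then reports weak IKE/IPSec algorithms (DES, 3DES, MD5 and DH groups 1 and 2, by this example's own assessment, not Cisco's) and dangling references between tunnel-group, group-policy, transform-set, dynamic map, crypto map and interface, and counts the addresses in the local pool.

```python
import ipaddress

# Strength labels are this example's own assessment, not Cisco's.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null", "esp-none"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2"}  # 768- and 1024-bit MODP

# Constructed running-config: the page's Step 1-7 commands with the placeholders
# [Name1], [Name2] and [vpnPool] filled in as RA_POLICY, RA_GROUP and vpnPool.
SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
group-policy RA_POLICY attributes
 vpn-tunnel-protocol ipsec
 address-pools value vpnPool
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key *****
crypto ipsec transform-set RA_GROUP esp-aes-256 esp-sha-hmac
ip local pool vpnPool 172.16.10.40-172.16.10.60 mask 255.255.0.0
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set RA_GROUP
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""


def parse_asa(config):
    """Pick the remote-access relevant objects out of an ASA running-config."""
    cfg = {"isakmp_if": set(), "policies": {}, "transform_sets": {}, "group_policies": {},
           "tunnel_groups": {}, "pools": {}, "dynamic_maps": {}, "crypto_maps": {}, "map_if": {}}
    sub = None  # dict that receives the indented lines of the current sub-mode
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw.startswith(" ") and sub is not None:  # attribute inside a sub-mode
            sub[w[0]] = " ".join(w[1:])
            continue
        sub = None
        if w[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp_if"].add(w[3])
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            sub = cfg["policies"].setdefault(w[3], {})
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][w[3]] = w[4:]
        elif w[0] in ("group-policy", "tunnel-group"):
            table = "group_policies" if w[0] == "group-policy" else "tunnel_groups"
            entry = cfg[table].setdefault(w[1], {})
            if w[2] == "type":
                entry["type"] = w[3]
            elif w[2].endswith("attributes"):  # attributes / general- / ipsec-attributes
                sub = entry
        elif w[:3] == ["ip", "local", "pool"]:
            cfg["pools"][w[3]] = tuple(w[4].split("-"))  # (first, last) address
        elif w[:2] == ["crypto", "dynamic-map"]:
            cfg["dynamic_maps"][w[2]] = w[6:]  # names after "set transform-set"
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["map_if"][w[2]] = w[4]
        elif w[:2] == ["crypto", "map"] and "dynamic" in w:
            cfg["crypto_maps"].setdefault(w[2], []).append(w[w.index("dynamic") + 1])
    return cfg


def audit(cfg):
    """Findings for weak algorithms and dangling references; an empty list means clean."""
    out = []
    for seq, p in cfg["policies"].items():
        for key, weak in (("encryption", WEAK_ENCRYPTION), ("hash", WEAK_HASH),
                          ("group", WEAK_DH_GROUPS)):
            if p.get(key) in weak:
                out.append(f"isakmp policy {seq}: weak {key} {p[key]}")
    for name, algs in cfg["transform_sets"].items():
        out += [f"transform-set {name}: weak algorithm {a}" for a in algs
                if a in WEAK_ENCRYPTION | WEAK_HASH]
        if not any(a.endswith("-hmac") for a in algs):
            out.append(f"transform-set {name}: no ESP authentication")
    for tg, a in cfg["tunnel_groups"].items():
        gp = a.get("default-group-policy")
        if gp and gp not in cfg["group_policies"]:
            out.append(f"tunnel-group {tg}: group-policy {gp} is not defined")
        if a.get("type") == "ipsec-ra" and "pre-shared-key" not in a:
            out.append(f"tunnel-group {tg}: no pre-shared-key")
    for gp, a in cfg["group_policies"].items():
        for pool in a.get("address-pools", "").split()[1:]:  # skip the "value" keyword
            if pool not in cfg["pools"]:
                out.append(f"group-policy {gp}: pool {pool} is not defined")
    for dm, sets in cfg["dynamic_maps"].items():
        out += [f"dynamic-map {dm}: transform-set {t} is not defined"
                for t in sets if t not in cfg["transform_sets"]]
    for cm, dms in cfg["crypto_maps"].items():
        out += [f"crypto map {cm}: dynamic-map {d} is not defined"
                for d in dms if d not in cfg["dynamic_maps"]]
        iface = cfg["map_if"].get(cm)
        if iface is None:
            out.append(f"crypto map {cm}: not applied to any interface")
        elif iface not in cfg["isakmp_if"]:
            out.append(f"crypto map {cm}: isakmp is not enabled on {iface}")
    return out


def pool_size(cfg, name):
    """Number of addresses in an 'ip local pool' range (the page's pool holds 21)."""
    first, last = (int(ipaddress.IPv4Address(a)) for a in cfg["pools"][name])
    return last - first + 1
```

Running audit(parse_asa(SAMPLE_CONFIG)) on the page's own choices reports only the DH group 2 of the ISAKMP policy; swapping in md5, des/3des or an unapplied crypto map produces the corresponding findings. The parser relies on the ASA convention that sub-mode attributes are indented by one space, which is how show running-config prints them.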

Step 8. Configure the VPN client
Now enter the group authentication data from step 3 in the following fields.
1. Connection entry: just a name
2. Description: this speaks for itself
3. Host: the external WAN IP address at which you reach the ASA5505.
Radio button -> Group Authentication
Name: [Name2] and Password: [password]


The final preparation is to set the Transport tab as shown
in the image.


just enjoy…

  1. Rajesh

    Hi there, I’m having trouble connecting to Vypr through my recently installed ASA5505. This is the ONLY site I can find with any info on setting this up through ASDM, so thanks! I’ve followed your steps and have the two access rules in place and have enabled the IPSEC Pass Thru Rule Action under Global Policy Inspection Rule. When I try to connect, the link *appears* to establish, but when checking Username & Password (I’m using the simple Windows VPN connection, not the Vypr client), the ASA log reports: regular translation creation failed for protocol 47 src inside:10.xxx.xxx.xxx dst outside:216.yyy.yyy.yyy Any ideas what might be missing? Cheers, I.

    • George

      Hi Rajesh,
      please use the VPN Client from Cisco. I have never tried a VPN client
      from another vendor. I’m not sure if Vypr works fine with Cisco.

      Kind Regards
      George
