Cisco ASA 5500 Client VPN Access Via Kerberos (From CLI)


KB ID 0000049 Dtd 22/08/09


You would like to enable remote access for your clients using the Cisco VPN Client software.


Before you start, you need to ask yourself "Do I already have any IPSEC VPNs configured on this firewall?" If none has been configured yet, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on or off, issue a "show run crypto isakmp" command and check the results; if you do NOT see "crypto isakmp enable outside", then you need to issue that command.

PetesASA# show run crypto isakmp
crypto isakmp enable outside << Mine's already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

1. Firstly we need to set up Kerberos AAA. There is a separate article covering this via the ASDM; to do the same via the command line, see the commands below. (So my DC is at and the domain is . Note: you could use LOCAL or RADIUS for authentication as well, but as the title states we are using Kerberos :)

PetesASA(config)# aaa-server PNL-KERBEROS protocol kerberos
PetesASA(config)# aaa-server PNL-KERBEROS (inside) host
PetesASA(config)# kerberos-realm PETENETLIVE.COM

2. Set up a range of IP addresses for the remote clients to use. Note: DON'T use the same IP range as your internal network (that's a common error!). In this example I'm only going to have a range of 10 IP addresses.

PetesASA(config)# ip local pool IPSEC-VPN-DHCP-POOL

3. Now I'm going to create two access control lists: one for "Split Tunneling" (so when my remote clients connect, they can still browse the internet from their remote location), and the second one to STOP the ASA performing NAT on the traffic that travels over the VPN.

Warning: If you already have NAT-excluded traffic on the firewall (for other VPNs), this will BREAK THEM. To see if you do, issue a "show run nat" command; if you already have a nat (inside) 0 access-list {name} entry, then use that {name}, NOT the one in my example.

So below I'm saying "Don't NAT traffic from the network behind the ASA ( that's going to the remote clients ( that we set up in step 2".

PetesASA(config)# access-list Split-Tunnel standard permit
PetesASA(config)# access-list NO-NAT-TRAFFIC extended permit ip
PetesASA(config)# nat (inside) 0 access-list NO-NAT-TRAFFIC

3. Now we need to create a "Group Policy". This will specify that we are going to use split-tunneling, what type of VPN it is (IPSEC), and the domain name and DNS server for the policy.

PetesASA(config)# group-policy IPSEC-VPN-POLICY internal
PetesASA(config)# group-policy IPSEC-VPN-POLICY attributes
PetesASA(config-group-policy)# vpn-tunnel-protocol IPSec
PetesASA(config-group-policy)# split-tunnel-policy tunnelspecified
PetesASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
PetesASA(config-group-policy)# dns-server value
PetesASA(config-group-policy)# default-domain value PETENETLIVE.COM

4. Next we create a tunnel group and tell that group to use the policy we created above; we also specify the Kerberos AAA server group we created, the IP pool, and lastly we set up a shared key.

NOTE: This sets up two of the three pieces of information that you need to enter into the VPN Client software: the tunnel group goes in the "Name" section, and the pre-shared-key goes in the "Password" section.

PetesASA(config-group-policy)# tunnel-group IPSEC-VPN-GROUP type remote-access
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP general-attributes
PetesASA(config-tunnel-general)# default-group-policy IPSEC-VPN-POLICY
PetesASA(config-tunnel-general)# authentication-server-group PNL-KERBEROS
PetesASA(config-tunnel-general)# address-pool IPSEC-VPN-DHCP-POOL
PetesASA(config-tunnel-general)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes
PetesASA(config-tunnel-ipsec)# pre-shared-key 12345678901234567890asdfg

5. Now we add "Transform sets". These are sets of encryption and hashing algorithms that the firewall will try to use to encrypt traffic.

PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

6. Lastly we need to create a "Dynamic Cryptomap", then get that cryptomap to use the transform sets we have just created.

Note: I've also enabled NAT-Traversal here. Sometimes the client software will connect successfully and pass no traffic; if that happens, 99% of the time it's a NAT problem, caused either by mis-configured NAT on the ASA, or by a device somewhere in the VPN tunnel's path that's performing NAT and breaking the traffic flow. NAT-Traversal fixes this, so let's turn it on anyway to be on the safe side :)

PetesASA(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
PetesASA(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
PetesASA(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
PetesASA(config)# crypto isakmp nat-traversal 20

7. Don't forget to save your hard work with a "write mem" command.

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)

8. Now install and configure the VPN client on your remote client. You need to supply the client with the public IP address of the ASA, the tunnel group name, and the pre-shared-key (the last two were set up in step 4).
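The article warns about three pitfalls before and during steps 2 and 3: ISAKMP not yet enabled on the outside interface, an existing nat (inside) 0 access-list that must be reused rather than replaced, and a client pool that overlaps the internal network. The pre-flight checker below is an added example (not the article's own code) that runs those checks over saved "show run" output; the configuration text and addresses in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of "show run" output: no "crypto isakmp enable outside",
# a pre-existing NAT-exemption ACL, and a pool inside the LAN range.
SAMPLE_RUN = """\
crypto isakmp policy 10
 authentication pre-share
nat (inside) 0 access-list EXISTING-NO-NAT
ip local pool IPSEC-VPN-DHCP-POOL 192.168.1.200-192.168.1.209 mask 255.255.255.0
"""


def preflight(running_config: str, inside_net: str, planned_nonat_acl: str) -> list:
    """Return warnings for the pitfalls the article calls out.

    inside_net is the LAN behind the ASA (CIDR); planned_nonat_acl is the
    name you intend to use for the new NAT-exemption ACL.
    """
    findings = []
    lines = [line.strip() for line in running_config.splitlines()]

    # Pitfall 1: ISAKMP must be enabled on the outside interface first.
    if "crypto isakmp enable outside" not in lines:
        findings.append("ISAKMP is not enabled on outside: issue "
                        "'crypto isakmp enable outside' before continuing")

    # Pitfall 2: an existing nat (inside) 0 ACL must be extended, not replaced,
    # or the VPNs that depend on it will break.
    for line in lines:
        m = re.match(r"nat \(inside\) 0 access-list (\S+)", line)
        if m and m.group(1) != planned_nonat_acl:
            findings.append(f"NAT exemption already uses ACL '{m.group(1)}': "
                            f"add your entry to it instead of creating '{planned_nonat_acl}'")

    # Pitfall 3: the client pool must not overlap the internal network.
    net = ipaddress.ip_network(inside_net)
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            start = ipaddress.ip_address(m.group(2))
            end = ipaddress.ip_address(m.group(3))
            if start in net or end in net:
                findings.append(f"pool '{m.group(1)}' {start}-{end} "
                                f"overlaps inside network {net}")
    return findings


if __name__ == "__main__":
    for warning in preflight(SAMPLE_RUN, "192.168.1.0/24", "NO-NAT-TRAFFIC"):
        print("WARNING:", warning)
```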

Author: Migrated
