KB ID 0000049
Problem
You would like to enable remote access for your clients using the Cisco VPN Client software.
Solution
Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s configured on this firewall?” Because if its not already been done, you need to enable ISAKMP on the outside interface. To accertain whether yours is on, or off, issue a “show run crypto isakmp” command and check the results, if you do NOT see “crypto isakmp enable outside” then you need to issue that command.
[box]
PetesASA# show run crypto isakmp crypto isakmp enable outside << Mines already enabled. crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 PetesASA#
[/box]
1. Firstly we need to set up Kerberos AAA, if you wanted to use the ASDM to do this CLICK HERE however, to do the same via command line see the commands below. (so my DC is at 10.254.254.5 and the the domain is petenetlive.com). Note you could use LOCAL or RADIUS for authentication as well, but as the title states we are using Kerberos 🙂
[box]
PetesASA(config)# PetesASA(config)# aaa-server PNL-KERBEROS protocol kerberos PetesASA(config)# aaa-server PNL-KERBEROS (inside) host 10.254.254.5 PetesASA(config)# kerberos-realm PETENETLIVE.COM PetesASA(config)#
[/box]
2. Set up a range of IP addresses, for the remote clients to use, Note: DONT use the same IP range as your internal network (That’s a common error!) In this example I’m going to only have a range of 10 IP addresses.
[box]
PetesASA(config)#
PetesASA(config)# ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
PetesASA(config)#
[/box]
3. Now I’m going to create two access control lists, one for “Split Tunneling” (So when my remote clients connect, they can still browse the internet from their remote location.) And the second one will be to STOP the ASA performing NAT on the traffic that travels over the VPN.
Warning: If you already have NAT excluded traffic on the firewall (for other VPN’s) this will BREAK THEM – to see if you do, issue a “show run nat” command, if you already have a nat (inside) 0 access-list {name} entry, then use that {name} NOT the one in my example.
So below I’m saying “Don’t NAT Traffic from the network behind the ASA (10.254.254.0) that’s going to the remote clients (10.253.253.0) that we set up in step 2″.
[box]
PetesASA(config)# PetesASA(config)# access-list Split-Tunnel standard permit 10.254.254.0 255.255.255.0 PetesASA(config)# access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0 PetesASA(config)# nat (inside) 0 access-list NO-NAT-TRAFFIC PetesASA(config)#
[/box]
3. Now we need to create a “Group Policy” this will specify that we are going to use split-tunneling, what type of VPN it is (IPSEC), the domain name and DNS server for the policy.
[box]
PetesASA(config)# PetesASA(config)# group-policy IPSEC-VPN-POLICY internal PetesASA(config)# group-policy IPSEC-VPN-POLICY attributes PetesASA(config-group-policy)# vpn-tunnel-protocol IP Sec PetesASA(config-group-policy)# split-tunnel-policy tunnelspecified PetesASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel PetesASA(config-group-policy)# dns-server value 10.254.254.5 PetesASA(config-group-policy)# default-domain value PETENETLIVE.COM PetesASA(config)#
[/box]
4. Next we create a tunnel group, and tell that group to use the policy we created above, we also specify the Kerberos AAA we created , the IP Pool, and lastly we set up a shared key.
NOTE: This sets up two of the three pieces of information that you need to enter into the VPN Client software, the tunnel group goes in the “Name” section, and the pre-shared-key goes in the “Password” section HERE.
[box]
PetesASA(config)# PetesASA(config-group-policy)# tunnel-group IPSEC-VPN-GROUP type remote-access PetesASA(config)# tunnel-group IPSEC-VPN-GROUP general-attributes PetesASA(config-tunnel-general)# default-group-policy IPSEC-VPN-POLICY PetesASA(config-tunnel-general)# authentication-server-group PNL-KERBEROS PetesASA(config-tunnel-general)# address-pool IPSEC-VPN-DHCP-POOL PetesASA(config-tunnel-general)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes PetesASA(config-tunnel-ipsec)# pre-shared-key 12345678901234567890asdfg PetesASA(config)#
[/box]
5. Now we add “Transform sets” these are sets of encryption and hashing algorithms that the firewall will try and use to encrypt traffic with.
[box]
PetesASA(config)# PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac PetesASA(config)# crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac PetesASA(config)# crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac PetesASA(config)# crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac PetesASA(config)# crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac PetesASA(config)# crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac PetesASA(config)# crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac PetesASA(config)# crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac PetesASA(config)# crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac PetesASA(config)# crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac PetesASA(config)#
[/box]
6. Lastly we need to create a “Dynamic Cryptomap”, then get that cryptomap to use the transforms we have just created.
Note: I’ve also enabled NAT-Traversal here as well – sometimes the client software will connect successfully,and pass no traffic, if that happens 99% of the time its a NAT problem, caused by either mis-configured NAT on the ASA, or a device somewhere in the VPN tunnels path, that’s performing NAT that breaks the traffic flow, NAT-Traversal fixes this, so lets turn it on anyway to be on the safe side 🙂
[box]
PetesASA(config)# PetesASA(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 PetesASA(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 PetesASA(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP PetesASA(config)# PetesASA(config)# crypto isakmp nat-traversal 20 PetesASA(config)#
[/box]
7. Don’t forget to save your hard work with a “write mem” command.
[box]
PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
[/box]
8. Now install and configure the VPN client on your remote client, you need to supply the client with the public IP address of the ASA, the tunnel group name, and the pre-shared-key (The last two sere set up in step 4).
Related Articles, References, Credits, or External Links
NA