Cisco ASA Site to Site VPN ‘Using ASDM’

KB ID 0000072

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Do the same from command line

Below is a walk-through for setting up one end of a site to site VPN Tunnel using a Cisco ASA appliance – Via the ASDM console. Though if (like me) you prefer using the Command Line Interface I’ve put the commands at the end.

click image for full subnet information

Solution

VPN Setup Procedure carried out on ASDM 6.4

Note: The video above uses IKE v1 and IKE v2, in reality you would choose one or the other, and for IKE v2 both ASA 5500 firewalls need to be running OS 8.4(1) or above.

VPN Setup Procedure carried out on ASDM 5.2

1. Open up the ADSM console. > Click Wizards > VPN Wizard.

2. Select “Site-to-Site VPN” > Next.

3. Enter the Peer IP address (IP of the other end of the VPN tunnel – I’ve blurred it out to protect the innocent) > Select “Pre Shared Key” and enter the key (this needs to be identical to the key at the other end. > Give the tunnel group a name or accept the default entry of its IP address. > Next.

4. Choose the encryption protocol (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication Method (SHA or MD5), and choose the Diffie Hellman Group (1, 2, 5 or 7). Note the other end must match, this establishes phase 1 of the tunnel. > Next.

5. Now select the Encryption Protocols (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication method (SHA, MD5 or None). Note this is for phase 2 and will protect the encrypted traffic “In Flight”. > Next.

6. Now you need to specify what traffic to encrypt, on the left hand side enter the network or host details (of what’s behind the ASA you are working on), and on the right hand side the IP address of the network or host that’s behind the other VPN endpoint.  Note the other end should be a mirror image. > Next.

7. Review the Settings (Note I’ve blurred the IP address out again) > Next.

8. Back at the ASDM console commit the settings to the ASA memory, Click File > “Save Running Configuration to Flash.”

ASA 5500 VPN Setup from command line

[box]

object network Site-A-SN
subnet 192.168.1.0 255.255.255.0
object network Site-B-SN
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN
access-list outside_1_cryptomap extended permit ip object Site-A-SN object Site-B-SN
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer {Other Ends IP Address}
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
ikev1 pre-shared-key 12345678901234567890asdfg

[/box]

ASA 5500 VPN for Version 8.2 and older firewalls

[box]

access-list outside_20_cryptomap extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer {Other Ends IP Address}
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
pre-shared-key 12345678901234567890asdfg

[/box]

 

Related Articles, References, Credits, or External Links

Original article written 09/11/09

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Cisco ASA AnyConnect VPN ‘Using ASDM’

KB ID 0000069

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Below is a walk through for setting up a client to gateway VPN Tunnel using a Cisco Firepower ASA appliance. This was done via the ASDM console. The video was shot with ASA version 9.13(1) and ASDM 7.13(1).

Suggestion: If you are setting this up for the first time, I would suggest setting it up to use the ASA’s LOCAL database for usernames and passwords, (as shown in the video). Then once you have it working, you can change the authentication (AAA) to your preferred method (see links at bottom of page).

The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult so I will leave that procedure at the end just in case 🙂

Note: The ASDM cannot be used on the normal port (https) on the outside interface when using AnyConnect, because HTTPS or TCP port 443 needs to be free (and also IMPORTANTLY NOT ‘port-forwarded’ to a web server / Exchange server etc. for this to work). To fix that, either change the port that AnyConnect is using (not the best solution!) Or, (a much better solution) Change the port ASDM is using

Solution

Setup AnyConnect From ASDM (Local Authentication)

In case you don’t want to watch a video! Launch the ASDM > Wizards > VPN Wizards > AnyConnect VPN Wizard > Next.

Give the AnyConnect profile a name i.e PF-ANYCONNECT, (I capitalise any config that I enter, so it stands out when I’m looking at the firewall configuration). >Next > Untick IPSec > Next.

Note: You can use IPSec if you want, but you will need a Certificate pre-installed to do so!

Now you need to upload the AnyConnect client packages for each operating system that is going to want to connect, 

Once the package (with a pkg extension) is located, you can upload it directly into the firewalls flash memory. 

Repeat the process for each OS that will be connecting. (PLEASE! Don’t forget to add the macOS package! or your users will see THIS ERROR) > Next > As mentioned above I’m using LOCAL (on the ASA) authentication. I always set this up first, then test it, then if required, change the authentication method > If you don’t already have a LOCAL user created then add a username and password for testing > Next.

Next (Unless you want to setup SAML) > Here I’ll create a new ‘Pool’ of IP addresses for my remote clients to use. You can also use an internal DHCP server for remote clients, again I normally setup and test with a Pool from the ASA, then if I need to use a DHCP server, I swap it over once I’ve tested AnyConnect. If that’s a requirement, see the following article;

AnyConnect – Using a Windows DHCP Server

Enter the DNS server(s) details for you remote clients > WINS? Who is still using WINS! > Domain name > Next > Tick ‘Exempt VPN traffic from network address translation’ > Next.

Next > Finish

DON’T FORGET TO SAVE THE CHANGES!! (File > Save Running Configuration to Flash)

Now any remote client attempting to connect to AnyConnect can install the client software directly from the firewall, (This is assuming you have not already installed it for them beforehand).

 

For Older Versions of the ASA/ASDM

Note: The information below is OBSOLETE, I only leave it here in case someone is running some VERY old versions of the ASDM and AnyConnect

1. Open up the ADSM console. > Click Wizards >SSL VPN Wizard.

2. Select “Both Options”. > Next.

3. Enter a connection name > If you have a certificate already select it here or simply leave it on” -None-” and the ASA will generate an un trusted one. > Next.

4. For this example we are going to use the ASA’s Local database to hold our user database, however, if you want to use RADIUS/Windows IAS select those options and accordingly, and then follow the instructions. Note: To set up IAS read my notes HERE > Enter a username and password.

5. Add. > Next

6. We are going to create a new policy in this case called SSL Users > Next.

7. You can now add bookmarks (Links on the VPN portal page) > Manage > Add > Type in a name > Add. > OK.

8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the web site > OK.

9. Add > OK.

10. OK.

11. Next.

12. Create an IP Pool (IP range to be leased to the VPN clients that is DIFFERENT to your LAN IP range) > New > enter a name, IP addresses, and the subnet mask > OK.

13. Point the ASA to the Anyconnect client you want to use (Note you can upload a software image from your PC here as well) Next > Accept the warning about NAT Exemptions (Note if you do get a warning to add a NAT Exemption see the note at the end).

14. Finish.

15. Before it will work you need to Select Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Double click the Connection profile you created earlier in step 3 > Enter a name in the Aliases section i.e. AnyConnect > OK. > Tick the box that says “Allow user to select connection profile by its alias………” > Apply.

16. File > Save running configuration to flash.

17. Connect externally to https://{public_IP} (Note this has to be in the browsers trusted site list) > Enter a username and password > Login

18. You are now on the “Portal” site any bookmarks created above will be visible > Click the AnyConnect Tab.

19. Double click to launch AnyConnect.

20. The Anyconnect client will install if not used previously (User needs to be local admin) and connects.

NAT Exemptions: Note if you received a warning about needing to add the remote VPN pool as a NAT Exemption (After step 13) you will need to add the following lines to the ASA

Syntax;

[box]

access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}

nat (inside) 0 access-list {name}

Working example

access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0

nat (inside) 0 access-list nonat

[/box]

WARNING: Make sure the name matches any existing no NAT ACLs or your IPsec vpns will fail!

Related Articles, References, Credits, or External Links

Cisco ASA 5500 AnyConnect Setup From Command Line

AnyConnect: Allow ‘Local’ LAN Access

AnyConnect 4 – Plus and Apex Licensing Explained

Cisco AnyConnect – Essentials / Premium Licences Explained

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authenticaiton (Cisco ASA)

RADIUS Authentication(Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Barracuda Email Security Gateway Setup and Deployment

KB ID 0001253 

Problem

This is the process for setting up both physical and virtual Barracuda Email Security Gateway Appliances, (formally Barracuda Spam Firewall).

Note: This walk though sets out the basic functions to get your appliance working and inspecting email, it’s not an exhaustive list of all the features of the appliance.

Solution

Before you start, I’m making the assumption if you have a physical appliance, it’s racked and connected to the correct network. Or if you are using a virtual appliance it’s been deployed from OVA and connected to the correct network.

Barracuda Email Gateway Initial Setup

To get access to the appliance the default username password is admin and admin.

Navigate to TCP/IP Configuration > Enter the IP addressing information, then ensure you SAVE the config.

You will also need to enter the licence token, that was supplied to you from your reseller, again make sure you SAVE the configuration.

Exit, and you are prompted to type YES, the system will reboot.

Barracuda Email Gateway Mail Configuration.

Once the appliance has rebooted, you can connect to it though a web browser (via https). The username and password will still be admin/admin. First task is to update the appliance to the latest version. (Advanced > Firmware Update) You may need to do this a few times and each update will require a reboot of the appliance.

Basic > Administration > Email Notifications: Setup an email address for system alerts, and a system contact email address. Save the changes.

On the same tab > Change the tine zone > (This may require another reboot).

Basic > IP Configuration: Destination Mail Serber TCP/IP Configuration > Enter the details of your exchange server (MS Exchange Note:  that already has a configured receive connector). Use the ‘Test Email Connection’ button to make sure it’s working. Also set a local hostname and domain name, WARNING don’t use the default one of Barracuda, as this is displayed to the outside world, (best not to advertise, your email filter vendor).

Domains > Domain Manager: Add in all the domains the you want to filter email for

Barracuda Manage Domains or Manage Globally

IMPORTANT: You can change settings for each individual domain, (handy if you filter email domains for a lot of different customers). Or you change settings globally. To manage an individual domain, navigate to Domain > Domain Manager > Select the domain and click Manage Domain. From this point forward you are only changing settings for this managed domain. You return to global configuration by clicking ‘Manage System“.

I’ve mentioned this now, because the next steps are carried out ‘per domain’.

For each Exchange Managed (i.e. Active Directory Domain.) Users > LDAP Configuration >  Change Exchange Accelerator /LDAP Verification  to “Yes” > Enter the FQDN of one of your domain controllers > LDAP Port (use 389 or 3268)  > Then enter the ‘Distinguished Name’ and password for a domain user. Make sure the test passes before you proceed.

How to Find a Distinguished Name? Run the following dsquery command;

[box]dsquery user –name “User Name”[/box]

Why Have you just done this? Because now Barracuda will reject all mail sent to this domain, for users that do not exist. This is because spammers will bulk mail known good domain names with random names in the hope of getting lucky. Repeat for any other domains you are authoritative for. But Ensure you use a machine email address of the domain you are protecting like so;

Back in global configuration > I’m going to set Quarantine, on a user by user basis (rather than globally). Basic > Quarantine enable per-user, then enter an email and the FQDN of the Barracuda appliance > Save.

Basic > Spam Checking: The actual levels you want may require some tuning, this is a good place to start. You would normally use either Quarantine or Tagging, Im setting the appliance to block at level 6 and quarantine at level 3. (Note: These levels are scores that Barracuda assigns to the emails, that grade the likelihood of them being spam). 

The Barracuda, (like most email platforms) wont accept email from any ip/host/subnet unless you allow it. So that your email server can send mail though the Barracuda you need to add it in. Basic > Outbound > Relay Using Trusted IP/Range >Enter either the IP addresses of your mail servers, or the subnet they are on.

Configure Exchange 2013/2016 To Send Mail via Barracuda

I know there are many Email platforms but I’m using Exchange 2016, to send email via this appliance you need to add it as a “Smart Host” on the Exchange Organisations ‘Send Connector’. Log into Exchange Admin Center > Mail Flow > Send Connector > Select the connector > Edit.

Delivery Tab > Enter the FQDN or IP of the Barracuda > Save.

Then restart the Microsoft Exchange Transport Service. 

Exchange Receive Connector: You probably already have a receive connector, configured for internet email (i.e set to anonymous, for port 25). In some Exchange deployments, you may need to add a connector for the Barracuda and allow it to relay mail through Exchange.

Repoint Mail ‘Feed’ To Barracuda

How you do this depends on your network setup, and firewall vendor. If you already have mail coming into your mail server then you are probably doing one of the following;

  • Port Forwarding SMTP (TCP Port 25) from your public IP, to the internal IP of the mail server.
  • Statically NATTED a public IP address, to the internal/private IP of the Mail server, and opened SMTP (TCP Port 25) to that IP.

In either case, you need to change the private IP address that mail is pointing to from your mail server to the Barracuda IP. If you are using a Cisco Firewall or Router, Ive already written some articles that may help, take a look at the following.

Cisco PIX / ASA Port Forwarding

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Juniper (JUNOS) SRX – Static ‘One-to-One’ NAT

Cisco Routers – Port Forwarding

Changing Pubic IP Address Warning

Be aware if you change the public IP address that you accept mail on, you need to change your DNS MX Records to match, (if you use SPF records those may also need changing). See the following article;

Setting up the Correct DNS Records for your Web or Mail Server

All being well, you should now see mail flowing through the Barracuda (Massage Log).

Related Articles, References, Credits, or External Links

NA

vSphere – Adding a Serial Port to a VM

KB ID 0001039 

Problem

I wanted to perform command line access to a virtual firewall on my home ESXi server, (a Juniper Firefly vSRX) via a console session. To do that I needed to add a serial port to that VM.

Solution

1. From Within the VI client > Select the ESXi Host > Configuration > Security Profile > Firewall Section > Properties.

2. Locate and enable ‘VM serial port connected over network’ > OK.

3. From the actual VM‘s properties, (right click > Edit settings) > Add > Serial Port > Next.

4. Connect via Network > Next.

5. Select ‘Server (VM listens for connection)’ > In Port URI enter telnet://{IP-of the ESX-Server}:2001 > Next.

Note: That’s the IP of the ESX server NOT the VM, here I’m using port 2001, but you can use 23 (standard telnet), or a random port above 1024.

6. Review the settings > Finish.

7. Now on a machine that has network connectivity to the ESX server > launch a telnet session to the VM (remember to use port 2001 as telnet defaults to 23!).

Here I’m using PuTTY but you can run ‘telnet {ip-address} {port}’ from a Windows client, (providing you have telnet enabled).

8. I’m in and working.

 

Related Articles, References, Credits, or External Links

NA

HP MSM765zl and 775zl – Initial Setup and Routing

KB ID 0000917 

Problem

The MSM 765zl and 775zl, unlike the rest of the HP MSM controller series, do not have any physical Ethernet ports on them.

So before you can get to its web management interface, you need to be able to give it an IP address, and then the controller needs to be able to find a route back to where you are, assuming you are not on a flat unrouted/single VLAN. Obviously if you are directly connected to the same network segment then you can set the devices ‘default route’ from the web management console.

Solution

1. Connect to the chassis that the controller is in, either via telnet or console cable. As I outlined in an earlier article you need to find the controllers slot letter and index number with a services command. (If you are sat in front of the switch the slot letter should already be known!)

2. Now, connect to the MSM directly and give the controller its LAN and WAN IP addresses.

Note: HP call them LAN and WAN interfaces, (I know it’s confusing), the WAN interface does not have to connect to the WAN it only points in that direction. I’m assuming it’s a throw back from when these devices were developed by Colubris.

[box] CORE-SW# services F 2
CORE-SW(msm765-aplication-F)> enable
CORE-SW(msm765-aplication-F)# config
CORE-SW(msm765-aplication-F)(config)# interface ip wan
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address 192.168.1.1/24
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address mode static
CORE-SW(msm765-aplication-F)(config-if-ip)# end
CORE-SW(msm765-aplication-F)(config)# interface ip lan
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address 10.254.0.100/16
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address mode static
CORE-SW(msm765-aplication-F)(config-if-ip)# end
[/box]

3. Now if you are on the same network (or VLAN) as the controller, you should be able to connect to the web management console. If not you will need to do two further steps

a) Connect the TWO virtual ports of the MSM to the correct VLANs on the switch.

b) Add a route back to the network you are on, either by setting a default route (if there is only one) or a static route.

Connect The Two MSM Virtual Ports

At this point the MSM blade can be treated like any other blade with Ethernet ports on it. Above we found out the blade was in slot F, so the ports with show up on the chassis switch as F1 and F2.

Port number 1: Is the WAN/Internet port
Port number 2: Is the LAN port

At the very least the WAN port should be in a different VLAN like so;

[box]

CORE-SW> enable
Password xxxxxxxx
CORE-SW# configure terminal
CORE-SW(config)# vlan 210 name WifiLink
CORE-SW(config)# vlan 210
CORE-SW(vlan-210)# untagged F1
CORE-SW(vlan-210)# exit
CORE-SW(config)#

If all your LAN traffic is on VLAN 1 (which is the default), then the MSM LAN port will already be untagged in VLAN 1. If not you will also need to present the MSM LAN port to the LAN VLAN.

CORE-SW# configure terminal
CORE-SW(config)# vlan 10 name LANTraffic
CORE-SW(config)# vlan 10
CORE-SW(vlan-10)# untagged F2
CORE-SW(vlan-10)# exit
CORE-SW(config)#

[/box]

Adding Default and Static Routes to the MSM controller.

The controller needs a default route, or it will not be able to send traffic out of the local LAN. In a simple flat network that should be all that you need. But if you have multiple network segments (or VLANs), then it will also need a static route adding for each of these. This is important for both access to the web management console, and because your wireless access points need to be able to speak to the controller! If your wireless access points are on a different network you may need to follow the article below to let them know where the controller is.

Register HP Wireless Access Points With an HP MSM Controller on a Different Subnet

[box]

CORE-SW# services F 2
CORE-SW(msm765-aplication-F)> enable
CORE-SW(msm765-aplication-F)# config
CORE-SW(msm765-aplication-F)(config)# ip route gateway 0.0.0.0/0 192.168.1.254 1

If you need to add additional routes the syntax is the same as above.

CORE-SW(msm765-aplication-F)(config)# ip route gateway 10.100.0.0/16 10.254.0.254 1
CORE-SW(msm765-aplication-F)(config)# ip route gateway 10.200.0.0/16 10.254.0.254 1

[/box]

Now you should be able to connect to the web management console and configure your wireless networks, this process is identical to configuring the physical controllers, like the MSM 720 see the link below.

Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA5500 Client IPSEC VPN Access

(This method uses the ASA to hold the user database) to use RADIUS CLICK HERE to use Kerberos CLICK HERE

KB ID 0000070

Problem

Note: IPSEC VPN is still possible, but getting Windows clients is a little sketchy, and you will have to mess about with them to get them to work on modern versions of Windows. (Mac OSX and iPhone/iPad can connect with their built in VPN software though).

Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This is done via the ASDM console.

It also uses the Cisco VPN client – This is no longer available form Cisco see the following article.

Download Cisco VPN Client Software

Solution

Step1 Configure the ASA5500

1. Open up the ADSM console. > Click Wizards > VPN Wizard.

2. Select “Remote Access”. > Next.

3. Select Cisco VPN Client. > Next.

4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. “RemoteVPN”. > Next.

5. Select “Authenticate using the local user database”. > Next.

6. Now create a user, for this exercise I’ve created a user called user1 with a password of password1

7. Click Add. > Next.

8. Now we need to create some IP addresses that the remote clients will use when connected. > Click New

9. Give the Pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DONT have to be on the same network as your internal IP’s – In fact, for auditing its good practice to make them different). > Enter a Subnet Mask. > OK.

10 Click Next.

11 Enter the details you want the remote clients to use while connected, DNS servers, WINS Servers and domain name. > Next.

12. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note some Cisco VPN clients will not support AES). > Next

13. Again leave it on the default of 3DES and SHA. > Next.

14. You can choose what IP addresses you want the remote VPN clients to have access to, first change the dropdown to “Inside”, here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.

NOTE If you do not tick the box to enable “Split Tunneling” then the client cannot browse the internet etc while connected via VPN.

15. Review the information at the end of the wizard. > Finish

16. Now you need to save the changes you have just made, From the ASDM Select File > “Save running configuration to flash”

Step 2 Configure the Client VPN Software on the remote client.

Also See THIS VIDEO

1. I’ll assume you have the software installed you can get it from two places, On the CD that came with the ASA, or download it direct from Cisco (NOTE this needs a valid Cisco CCO account and a service contract). > Click New.

2. Under connection entry give the connection a name e.g. “Remote VPN to Office” > Under “Host” enter the Public IP of the ASA (NOTE I’ve blurred this one out to protect my IP address). > Under “Name” enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE these are NOT the usernames and passwords you created in Step 1 number 6. > Click Transport Tab.

3 Accept the defaults but tick “Allow LAN access if you want to be able to access YOUR drives etc from the network behind the ASA” > Save.

4. Select the Connection you have just created. > Connect.

5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK.

6 After a few seconds (provided the details were all right) it will connect, hover over the padlock in your task tray and it should say “VPN Client – Connected”.

Create Additional Users on the ASA

1. Open the ASDM and navigate to Configuration > VPN > General > Users > Add.

2. Give the user a name > Enter and confirm a password > Set the Privilege Level to 0 > Then Select the VPN Policy Tab

3. > Under Group Policy untick “Inherit” > Select RemoteVPN (the policy you set in Step1 Number 4) > OK.

4. You will now see the user listed (Don’t forget to save the settings, (File > “Save Running Configuration to Flash”).

Setup ASA 5500 IPSEC Remote VPN From Command Line

[box]

ip local pool IPSEC-VPN-POOL 10.254.250.1-10.254.250.100 mask 255.255.255.0
!
access-list ACL-SPLIT-TUNNEL standard permit 10.254.254 255.255.255.0
!      
object network Obj-Remote-IPSEC-VPN
 subnet 10.254.250.0 255.255.255.128
!
object network Obj-Local-LAN
 subnet 10.254.254.0 255.255.255.0
!
group-policy IPSEC-Remote-VPN internal
group-policy IPSEC-Remote-VPN attributes
  von-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value ACL-SPLIT-TUNNEL
  dns-server value 8.8.8.8
  default-domain value petenetlive.com
  vpn-simultaneous-logins 5
!
tunnel-group IPSEC-Remote-VPN type remote-access
tunnel-group IPSEC-Remote-VPN general-attributes
 default-group-policy IPSEC-Remote-VPN
 address-pool IPSEC-VPN-POOL
 tunnel-group IPSEC-Remote-VPN ipsec-attributes
 ikev1 pre-shared-key 123456
!
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ikev1 enable  outside
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface  outside
!
nat (inside,outside) 1 source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup
!
crypto isakmp nat-traversal 20
!
username TestUser password Password123 privilege 0
username TestUser attributes
vpn-group-policy IPSEC-Remote-VPN

[/box]

Below, is the commands required for an ASA running code OLDER than version 8.3

[box]

access-list splitvpn standard permit 10.254.254.0 255.255.255.0
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool VPNPool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.254.254.10
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitvpn
split-dns value petenetlive.com
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
vpn-group-policy remotevpn
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool vpnpool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey

[/box]

Related Articles, References, Credits, or External Links

Original article written 21/01/10 updated 07/06/11

Windows 8 and Cisco (IPSEC) VPN Client

Windows 10 – Running the Cisco VPN Client Software