Command line setup of Cisco VPN on ASA 5500


These VPN setup notes are for an ASA 5500 unit but relate, in general, to all Cisco firewall units:

Notes created 4 December 2008


Company name: IBM

VPN IP Range:

VPN IP Subnet Mask:

Internal network IP range:

Internal network IP range subnet mask:

Primary DNS server:

Secondary DNS server:

Radius authentication server IP:

Remote access VPN configuration:

You can use the ASDM interface (the GUI for Cisco ASA units) to enter the details, or use the command line as follows:

Use telnet, or PuTTY in telnet mode.

At the password prompt type 'cisco'.

Then type 'enable' and enter the enable password (the same one you log on to ASDM with).

1. Initial setup of IPsec (only needs to be done once):

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map dyn1 10 set transform-set ESP-3DES-SHA

crypto dynamic-map dyn1 10 set reverse-route

crypto map WAN_map 65535 ipsec-isakmp dynamic dyn1

crypto map WAN_map interface WAN

crypto isakmp enable WAN

crypto isakmp enable management

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto isakmp nat-traversal 20

crypto isakmp ipsec-over-tcp port 10000

2. Setup authentication server (use RADIUS for a Windows-based domain; do not use NT Domain, which is for legacy NT only):

RADIUS uses Active Directory for group policy settings, e.g. allow or deny remote access on the user's Dial-in tab.

Note: items in quotes "" are supplied by you; do not include the quotes:

aaa-server IBM_Auth_servers protocol radius

aaa-server IBM_Auth_servers (LAN) host key "radius server secret key"
 radius-common-pw "radius server password"

IBM_Auth_servers is the ASA's connection to the Windows RADIUS authentication server and can be set up in ASDM under Configuration, Properties, AAA Setup, AAA Server Objects. Add a server group called IBM_Auth_servers and then add the IP address of the RADIUS server.

Note: you can add more than one RADIUS server IP, so you could add a remote RADIUS server for failover if you have two ASA units failing over.

RADIUS servers are set up using Internet Authentication Service in Admin Tools: add the Cisco unit's internal IP (gateway IP), the shared secret and the password.

3. Setup group policy:

configure terminal

group-policy IBM_VPN internal

group-policy IBM_VPN attributes
 dns-server value
 vpn-tunnel-protocol IPSec

Note: the secondary DNS server should be on the remote failover site if you have two ASA units failing over.

4. Setup IP Pool:

configure terminal

ip local pool IBM_VPN_POOL mask


Note: the VPN IP range should be a separate range from your normal network and not used by any other service.

5. Setup tunnel group (one for each machine or site):

Items in quotes "" are supplied by you; do not include the quotes:

configure terminal

tunnel-group IBM_VPN_London type ipsec-ra

tunnel-group IBM_VPN_London general-attributes
 address-pool IBM_VPN_POOL
 authentication-server-group IBM_Auth_servers
 default-group-policy IBM_VPN

tunnel-group IBM_VPN_London ipsec-attributes
 pre-shared-key "your secret key"



Note: IBM_VPN_London is an individual tunnel group for a set of machines, e.g. you may use "IBM_VPN_Germany" for another remote office as a site name, or "IBM_DESKTOP_77_WindowsXP" for an individual machine.

"Your secret key" is the key you type into the VPN client software; use to obtain a 64-character key (generate a separate one for each tunnel group, i.e. each site and/or machine; DO NOT USE THE SAME KEY for all tunnel groups). In this way you can revoke a key and assign a new one without having to redo all VPN connections.

6. For the VPN client to be able to access the internal network and reach the internet via the VPN tunnel (no split tunnelling):

6a. Internet access:

See: Allowing Cisco VPN to access Internet via tunnel

configure terminal

same-security-traffic permit intra-interface

nat (WAN) 10

6b. Internal access:

access-list Inside_nat0_outbound line 4 extended permit ip


7. Allow local LAN access

To enable clients with the 'Allow Local LAN Access' option set in the VPN Client to reach their local resources, do the following (this is so a user can access local resources such as NAS drives or network printers whilst connected to the VPN; otherwise all traffic goes via the VPN link):

See: Cisco Local LAN Access Notes

access-list LOCAL_LAN_Access remark Clients with local lan access option set - internet and dns access is still via tunnel

access-list LOCAL_LAN_Access standard permit host

group-policy IBM_VPN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_Access

8. Setup on client machine:

Use VPN client software available from: Cisco VPN Client Software Download Site

Connect to the external IP of the ASA unit (WAN address) using IBM_VPN as the VPN name and enter the secret key for the tunnel group set up for this machine or site.

9. To list connections:

In ASDM go to Monitoring, VPN, VPN Statistics, Sessions; this lists all current sessions with the relevant username, IP and encryption details.
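As an added defender-side check, not part of the original notes: a small Python audit that reads an ASA configuration excerpt in the shape produced by steps 1 and 5 above and flags the legacy 3DES cipher and DH group 2 in the ISAKMP policy (standard in 2008, superseded by AES and larger DH groups), a pre-shared key reused across tunnel groups (the notes say to use one key per group), and a tunnel group with no RADIUS server group. The configuration text, tunnel-group names and key below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample mirroring the commands in these notes (names and key are made up).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group IBM_VPN_London general-attributes
 authentication-server-group IBM_Auth_servers
tunnel-group IBM_VPN_London ipsec-attributes
 pre-shared-key SameKeyEverywhere
tunnel-group IBM_VPN_Germany ipsec-attributes
 pre-shared-key SameKeyEverywhere
"""
LEGACY_CIPHERS = {"des", "3des"}   # 64-bit block ciphers; superseded by AES
WEAK_DH_GROUPS = {"1", "2"}        # 768/1024-bit MODP; too small today

def audit(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings, section = [], ""
    psk_owners, groups, groups_with_aaa = defaultdict(list), set(), set()
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level command starts a new block
            section = line.strip()
            if section.startswith("tunnel-group "):
                groups.add(section.split()[1])
            continue
        sub = line.split()                     # indented sub-command of `section`
        if section.startswith("crypto isakmp policy"):
            if sub[0] == "encryption" and sub[1] in LEGACY_CIPHERS:
                findings.append(f"{section}: legacy cipher {sub[1]}")
            if sub[0] == "group" and sub[1] in WEAK_DH_GROUPS:
                findings.append(f"{section}: weak DH group {sub[1]}")
        elif section.startswith("tunnel-group "):
            name = section.split()[1]
            if sub[0] == "pre-shared-key":
                psk_owners[sub[1]].append(name)
            elif sub[0] == "authentication-server-group":
                groups_with_aaa.add(name)
    for owners in psk_owners.values():
        if len(owners) > 1:                    # the notes say: one key per tunnel group
            findings.append("pre-shared key shared by " + ", ".join(owners))
    for name in sorted(groups - groups_with_aaa):
        findings.append(f"tunnel-group {name}: no authentication-server-group (RADIUS) set")
    return findings
```

Run `audit()` over the output of `show running-config` copied from the unit; indentation of sub-commands is what the script keys on, so keep the config as the ASA prints it.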

Author: James

IT Manager - Network, Web coding, MS SQL and Online Mapping expert
