These VPN setup notes are for an ASA 5500 unit but apply, in general, to other Cisco ASA firewalls of the same era (the nat/global syntax used in step 6 is the pre-8.3 form):
Notes created 4 December 2008
Company name: IBM
VPN IP Range: 192.168.100.1-192.168.100.254
VPN IP Subnet Mask: 255.255.255.0
Internal network IP range: 192.168.1.1-192.168.1.254
Internal network IP range subnet mask: 255.255.255.0
Primary DNS server: 192.168.1.100
Secondary DNS server: 192.168.1.101
Radius authentication server IP: 192.168.1.200
Remote access VPN configuration:
You can use the ASDM interface (the GUI for Cisco ASA units) to enter the details, or use the command line:
Connect with SSH (PuTTY works). Telnet sends the password in clear text, so only use it from a trusted management network, if at all.
At the password prompt type the login password (the factory default is 'cisco'; if the unit still uses it, change it).
Then type 'enable' and enter the enable password (the same one you log on to ASDM with).
1. Initial setup of IPsec – only needs to be done once:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn1 10 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 10 set reverse-route
crypto map WAN_map 65535 ipsec-isakmp dynamic dyn1
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp enable management
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
Note: the policy settings are entered one per line after 'crypto isakmp policy 10' (the ASA drops you into the policy sub-mode). Only enable ISAKMP on the interfaces that actually terminate VPN tunnels; 'crypto isakmp enable management' is not needed unless clients connect to the management interface. 3DES, SHA-1 and DH group 2 were the common client-compatible choice when these notes were written; prefer AES and a stronger DH group if your clients support them.
2. Set up the authentication server – use RADIUS for a Windows-based domain, do not use NT Domain (that is for legacy NT only):
RADIUS uses Active Directory for the per-user settings, e.g. allow or deny remote access on the user's Dial-in tab.
Note: Items in quotes " are supplied by you – do not include the quotes:
aaa-server IBM_Auth_servers protocol radius
aaa-server IBM_Auth_servers (LAN) host 192.168.1.200
 key "radius server secret key"
 radius-common-pw "radius server password"
IBM_Auth_servers is the ASA's connection to the Windows RADIUS authentication server and can be set up in ASDM under Configuration, Properties, AAA Setup, AAA Server Objects. Add a server group called IBM_Auth_servers and then add the IP address of the RADIUS server. Object names on the ASA are case-sensitive, so use exactly the same spelling wherever the group is referenced later.
Note: you can add more than one RADIUS server IP, so you could add a remote RADIUS server for failover if you have two ASA units failing over.
RADIUS servers are set up using Internet Authentication Service in Admin Tools – add the Cisco unit's internal IP (gateway IP), the shared secret and the password, and they must match the key and radius-common-pw entered above.
3. Setup group policy:
group-policy IBM_VPN internal
group-policy IBM_VPN attributes
 dns-server value 192.168.1.100 192.168.1.101
 vpn-tunnel-protocol IPSec
Note: Secondary DNS server should be on remote failover site if you have 2 ASA units failing over.
4. Setup IP Pool:
ip local pool IBM_VPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Note: the VPN IP range should be a separate range from your normal network and not used by any other service.
5. Set up a tunnel group – one for each machine or site:
Items in quotes " are supplied by you – do not include the quotes:
tunnel-group IBM_VPN_London type ipsec-ra
tunnel-group IBM_VPN_London general-attributes
 address-pool IBM_VPN_POOL
 authentication-server-group IBM_Auth_servers
 default-group-policy IBM_VPN
tunnel-group IBM_VPN_London ipsec-attributes
 pre-shared-key "your secret key"
Note: IBM_VPN_London is an individual tunnel group for a set of machines, e.g. you may use "IBM_VPN_Germany" for another remote office as a site name or "IBM_DESKTOP_77_WindowsXP" for an individual machine. The authentication-server-group must be spelled exactly as the aaa-server group was created in step 2.
"Your secret key" is the group key you type into the VPN client software – use http://www.grc.com/passwords.htm to obtain a 64-character key. Generate a separate one for each tunnel group, i.e. each site and/or machine; DO NOT USE THE SAME KEY for all tunnel groups. That way you can revoke a key and assign a new one without having to redo all VPN connections. Bear in mind that this key is shared by everyone who uses that tunnel group, so it only identifies the site or machine; the individual user is still authenticated against RADIUS.
6. For the VPN client to be able to access the internal network and to reach the Internet via the VPN tunnel (no split tunnelling):
6a. Internet access:
See: Allowing Cisco VPN to access Internet via tunnel
same-security-traffic permit intra-interface
nat (WAN) 10 192.168.100.0 255.255.255.0
Note: the nat statement takes a network and mask, not an address range. NAT id 10 must have a matching 'global (WAN) 10' statement (typically the one translating to the WAN interface address) so that traffic from the VPN pool is translated on its way back out; 'same-security-traffic permit intra-interface' is what allows this hairpin, where traffic enters and leaves on the same WAN interface. This is the pre-8.3 NAT syntax.
6b. Internal access:
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
Note: this access list only takes effect when it is bound as the NAT-exempt list on the inside interface (nat (LAN) 0 access-list Inside_nat0_outbound); ASDM does this for you when you add the rule. The 'line 4' that ASDM shows is only the rule's position in the list and can be left out when typing the command.
7. Allow local LAN access
To enable clients with the 'Allow Local LAN access' option set on the VPN Client to reach their local resources, do the following (this is so a user can access local resources like NAS drives or network printers whilst connected to the VPN – otherwise all traffic goes via the VPN link):
See: Cisco Local LAN Access Notes
access-list LOCAL_LAN_Access remark Clients with local lan access option set – internet and dns access is still via tunnel
access-list LOCAL_LAN_Access standard permit host 0.0.0.0
group-policy IBM_VPN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_Access
Note: 'permit host 0.0.0.0' is the special entry the client interprets as "the subnet I am on"; only that local subnet is excluded from the tunnel, Internet and DNS traffic still goes through the ASA. The trade-off is that the client is reachable from its local network while connected, so do not enable it for clients on untrusted networks.
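Before handing the configuration to users it is worth checking the objects from steps 2 to 7 against each other. The following is an added example, not from the original notes and not Cisco's code: it reads the running config as text and flags the three mistakes these notes warn about – a pool that overlaps the internal LAN, a tunnel-group that references an aaa-server group, group-policy or pool under a name that does not exist (ASA object names are case-sensitive, so IBM_Auth_Servers is not IBM_Auth_servers), and one pre-shared key reused across tunnel-groups. The sample configuration inside it is constructed from the values in these notes with those mistakes planted; the new_psk helper is an assumed stand-in for the grc.com page and uses Python's secrets module.

```python
"""Sanity checks over an ASA remote-access VPN configuration (added example)."""
import ipaddress
import re
import secrets
from collections import defaultdict

# Constructed sample built from the values in these notes. It deliberately
# contains three problems: the Germany pool overlaps the LAN, the London
# tunnel-group references "IBM_Auth_Servers" (wrong case), and both
# tunnel-groups share one pre-shared key.
SAMPLE_CONFIG = """\
aaa-server IBM_Auth_servers protocol radius
aaa-server IBM_Auth_servers (LAN) host 192.168.1.200
group-policy IBM_VPN internal
ip local pool IBM_VPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
ip local pool IBM_VPN_POOL_DE 192.168.1.200-192.168.1.220 mask 255.255.255.0
tunnel-group IBM_VPN_London type ipsec-ra
tunnel-group IBM_VPN_London general-attributes
 address-pool IBM_VPN_POOL
 authentication-server-group IBM_Auth_Servers
 default-group-policy IBM_VPN
tunnel-group IBM_VPN_London ipsec-attributes
 pre-shared-key same-key-everywhere
tunnel-group IBM_VPN_Germany type ipsec-ra
tunnel-group IBM_VPN_Germany general-attributes
 address-pool IBM_VPN_POOL_DE
 authentication-server-group IBM_Auth_servers
 default-group-policy IBM_VPN
tunnel-group IBM_VPN_Germany ipsec-attributes
 pre-shared-key same-key-everywhere
"""

INTERNAL_LAN = ipaddress.ip_network("192.168.1.0/24")  # internal range from the notes


def parse_config(text):
    """Collect named objects and the per-tunnel-group sub-mode settings."""
    cfg = {"aaa": set(), "policy": set(), "pool": {}, "tg": defaultdict(dict)}
    current = None  # tunnel-group name while inside one of its sub-modes
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"aaa-server (\S+) protocol", line)
        if m:
            cfg["aaa"].add(m.group(1)); current = None; continue
        m = re.match(r"group-policy (\S+) internal", line)
        if m:
            cfg["policy"].add(m.group(1)); current = None; continue
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line)
        if m:
            name, first, last, _mask = m.groups()
            cfg["pool"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
            current = None; continue
        m = re.match(r"tunnel-group (\S+) (general-attributes|ipsec-attributes)$", line)
        if m:
            current = m.group(1); continue
        if line.startswith(" ") and current:
            key, _, value = line.strip().partition(" ")  # sub-mode line: "key value"
            cfg["tg"][current][key] = value
            continue
        current = None  # any other top-level command ends the sub-mode
    return cfg


def check_config(text, lan=INTERNAL_LAN):
    """Return human-readable findings; an empty list means the config is consistent."""
    cfg = parse_config(text)
    findings = []
    # 1. The VPN pool must be separate from the internal network (step 4 note).
    for name, (first, last) in cfg["pool"].items():
        if any(net.overlaps(lan) for net in ipaddress.summarize_address_range(first, last)):
            findings.append(f"pool {name} overlaps internal LAN {lan}")
    # 2. Every name a tunnel-group references must exist, with exact case.
    keys_by_tg = {}
    for tg, attrs in cfg["tg"].items():
        if attrs.get("authentication-server-group") not in cfg["aaa"]:
            findings.append(f"tunnel-group {tg}: unknown aaa-server group "
                            f"{attrs.get('authentication-server-group')}")
        if attrs.get("default-group-policy") not in cfg["policy"]:
            findings.append(f"tunnel-group {tg}: unknown group-policy "
                            f"{attrs.get('default-group-policy')}")
        if attrs.get("address-pool") not in cfg["pool"]:
            findings.append(f"tunnel-group {tg}: unknown address-pool {attrs.get('address-pool')}")
        if "pre-shared-key" in attrs:
            keys_by_tg[tg] = attrs["pre-shared-key"]
    # 3. One key per tunnel-group so a single site can be revoked (step 5 note).
    by_key = defaultdict(list)
    for tg, key in keys_by_tg.items():
        by_key[key].append(tg)
    for tgs in by_key.values():
        if len(tgs) > 1:
            findings.append("pre-shared key shared by tunnel-groups " + ", ".join(sorted(tgs)))
    return findings


def new_psk(length=64):
    """Random alphanumeric group key; assumed stand-in for the grc.com password page."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("example key for a new tunnel-group:", new_psk())
```

Run it against the output of 'show running-config' (saved to a file and passed to check_config) after each change; a clean run returns no findings, and the three planted problems above are reported by name so the tunnel-group or pool at fault is obvious.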
8. Set up the client machine:
Use the VPN client software available from: Cisco VPN Client Software Download Site
Create a connection entry pointing at the external IP of the ASA unit (WAN address). The connection entry name can be anything, but under Group Authentication the Name must be the tunnel group created for this machine or site (e.g. IBM_VPN_London, not the group policy IBM_VPN) and the Password is that tunnel group's pre-shared key. The user then logs in with their Windows username and password, which the ASA checks against RADIUS.
9. To list connections:
In ASDM go to Monitoring, VPN, VPN Statistics, Sessions – this lists all current sessions with the username, assigned IP and encryption details. From the command line, 'show vpn-sessiondb remote' shows the same information.