How Do I Setup Cisco Vpn Client

  • May 2020
How do I set up a Cisco ASA 5505 for client VPN through the CLI?

Zones: Virtual Private Networking (VPN), Networking Hardware Firewalls
Tags: Setup of Cisco ASA 5505 VPN Remote Access

I am fairly familiar with these devices, but I use the ASA's ASDM pretty exclusively for setting them up. My problem is that the VPN wizard is hit or miss at best. Lately I'm running into issues with creating VPNs that either won't attach, or won't talk to the inside interface from the VPN pool (created on a different subnet). Can someone post a step-by-step CLI setup of a client access VPN? Ideally it would include some info on what each line does if it's not intuitive. (I'm looking to understand the setup, not just regurgitate the commands.) Thanks

Rank: Master
bignewf: Here is a sample CLI config right from Cisco:

Enable ISAKMP on the outside interface of the ASA:

    asa# config t
    asa(config)# isakmp enable outside

Create the ISAKMP policy:

    asa# config t
    asa(config)# isakmp policy 10 authentication pre-share
    asa(config)# isakmp policy 10 encryption aes-256
    asa(config)# isakmp policy 10 hash sha
    asa(config)# isakmp policy 10 group 2
    asa(config)# isakmp policy 10 lifetime 86400

Configure remote-access attributes for the default and user group-policy:

    asa(config)# group-policy DfltGrpPolicy attributes
    asa(config-group-policy)# vpn-simultaneous-logins 3
    asa(config-group-policy)# ip-comp enable

Configuration of a group-specific group policy:

    asa(config)# group-policy MyCompany internal
    asa(config)# group-policy MyCompany attributes
    asa(config-group-policy)# default-domain value MyCompany.com

Config of the user policy. Here a user account is mapped to the user group policy in the previous config above:

    asa(config)# username vpnuser password cisco
    asa(config)# username vpnuser attributes
    asa(config-username)# vpn-group-policy MyCompany

Define your tunnel type:

    asa(config)# tunnel-group cisco type ipsec-ra

This is the tunnel group name that needs to be configured on the Cisco VPN client.

Configure the ISAKMP preshared keys:

    asa(config)# tunnel-group cisco ipsec-attributes
    asa(config-tunnel-ipsec)# pre-shared-key cisco123

This pre-shared key is also known as the group password in the Cisco remote access VPN. All Cisco VPN clients that are configured for the tunnel group cisco must use the preshared key cisco123 indicated above.

Configuring local user accounts:

    asa(config)# username test password cisco123
    asa(config)# username Joe password cisco999

These accounts would be in the local database on the ASA. However, you can use RADIUS, Windows NT domain, Kerberos, or SDI for authentication also. If you use local authentication, then the tunnel-group must be configured with an authentication server, under general attributes. The authentication-server-group subcommand specifies the authentication server.

    asa(config)# tunnel-group cisco general-attributes
    asa(config-tunnel-general)# authentication-server-group LOCAL

Now, you must assign IP addresses to the VPN clients. Using the appliance itself with a local address pool (the pool is created and then bound to the tunnel group):

    asa(config)# vpn-addr-assign local
    asa(config)# ip local pool vpnremotepool 192.168.3.100-192.168.3.150
    asa(config)# tunnel-group cisco general-attributes
    asa(config-tunnel-general)# address-pool vpnremotepool

(Note: this pool should be on a different subnet than your internal LAN hosts.)

For IP addresses from a DHCP server:

    asa(config)# vpn-addr-assign dhcp
    asa(config)# tunnel-group cisco general-attributes
    asa(config-tunnel-general)# dhcp-server 192.168.1.1

Define your IPsec policy:

    asa(config)# crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

(The transform set specifies the encryption and hashing method used on the data packets once the tunnel is up.)

Set up the dynamic crypto map (the dynamic map dynmap is defined with the transform set, then referenced from the static map):

    asa(config)# crypto dynamic-map dynmap 10 set transform-set myset
    asa(config)# crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap

Apply the crypto map to an interface, the outside interface:

    asa(config)# crypto map IPSec_map interface outside

You must allow decrypted traffic to pass through the ASA. The correct way to do this would be to restrict traffic to pass, but initially to get this working, I would allow all decrypted IPsec packets to pass without inspecting them against the configured ACLs:

    asa(config)# sysopt connection permit-ipsec

Finally, you need to create a connection entry on the Cisco VPN client with the group authentication name, group preshared key, and type of tunnel encapsulation.
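As an added example, not part of the original post or of Cisco's documentation, here is a Python checker for three configuration mistakes that commonly produce the symptoms the question describes: a client address pool that overlaps an interface subnet, a local pool that no tunnel-group binds with address-pool, and a dynamic crypto map that is referenced but never defined. The running-config it reads is constructed from the fragments above plus an assumed inside interface on 192.168.1.0/24.

```python
import ipaddress
import re

# Constructed sample running-config: fragments from the answer above, plus an
# assumed inside interface (192.168.1.0/24) so pool overlap can be checked.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool vpnremotepool 192.168.3.100-192.168.3.150
tunnel-group cisco general-attributes
 authentication-server-group LOCAL
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
"""

def parse_interfaces(cfg):
    """Return {nameif: ip_network} for every interface with a static address."""
    nets, name = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and name:
            try:
                nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            except ValueError:  # e.g. "ip address dhcp setroute" on the outside
                pass
    return nets

def check_remote_access_config(cfg):
    """Return findings for the mistakes that usually break a remote-access VPN."""
    findings = []
    nets = parse_interfaces(cfg)
    pools = re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)
    # 1. A pool inside an interface subnet makes inside hosts ARP for VPN clients locally.
    for pool, first, last in pools:
        for nameif, net in nets.items():
            if ipaddress.ip_address(first) in net or ipaddress.ip_address(last) in net:
                findings.append(f"pool {pool} overlaps {nameif} subnet {net}")
    # 2. A pool that no tunnel-group binds with 'address-pool' is never handed out.
    if pools and not re.search(r"^ address-pool \S+", cfg, re.M):
        findings.append("no tunnel-group binds the local pool with 'address-pool'")
    # 3. The static crypto map may point at a dynamic map that was never defined.
    for dyn in re.findall(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", cfg, re.M):
        if not re.search(rf"^crypto dynamic-map {re.escape(dyn)} \d+ ", cfg, re.M):
            findings.append(f"dynamic map {dyn} is referenced but never defined")
    return findings
```

Paste the output of `show running-config` into the string in place of the constructed sample to run it against a real device.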
