How do I set up Cisco ASA 5505 for Client VPN through CLI?
Setup of Cisco ASA 5505 VPN Remote Access

I am fairly familiar with these devices, but I use the ASA's ASDM pretty exclusively for setting them up.

My problem is that the VPN wizard is hit or miss at best. Lately I'm running into issues with creating VPNs that either won't attach, or won't talk to the inside interface from the VPN pool (created on a different subnet).

Can someone post a step-by-step CLI setup of a client access VPN? Ideally it would include some info on what each line does if it's not intuitive. (I'm looking to understand the setup, not just regurgitate the commands.)

Thanks

Here is a sample CLI config right from Cisco:

Enable ISAKMP on the outside interface of the ASA:
Asa# config t
Asa(config)# isakmp enable outside

Create ISAKMP Policy:
Asa# config t
Asa(config)# isakmp policy 10 authentication pre-share
Asa(config)# isakmp policy 10 encryption aes-256
Asa(config)# isakmp policy 10 hash sha
Asa(config)# isakmp policy 10 group 2
Asa(config)# isakmp policy 10 lifetime 86400

Configure Remote Access Attributes for Default and User group-policy:
asa(config)# group-policy DfltGrpPolicy attributes
asa(config-group-policy)# vpn-simultaneous-logins 3
asa(config-group-policy)# ip-comp enable

Configuration of Group-Specific Group Policy:
asa(config)# group-policy MyCompany internal
asa(config)# group-policy MyCompany attributes
asa(config-group-policy)# default-domain value MyCompany.com

Config of User Policy. Here a user account is mapped to the user group policy in the previous config above:
asa(config)# username vpnuser password cisco
asa(config)# username vpnuser attributes
asa(config-username)# vpn-group-policy MyCompany

Define your Tunnel Type:
asa(config)# tunnel-group cisco type ipsec-ra

This is the tunnel group name that needs to be configured on the Cisco VPN client.

Configure the ISAKMP Preshared Keys:
asa(config)# tunnel-group cisco ipsec-attributes
asa(config-ipsec)# pre-shared-key cisco123

This pre-shared key is also known as the group password in the Cisco remote access VPN. All Cisco VPN clients that are configured for the tunnel group cisco must use the preshared key cisco123 indicated.
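
An added example, not part of the post above or of Cisco's sample: a Python check that reads a config excerpt in the same one-line command form and reports `vpn-group-policy` references to group policies that were never defined, remote-access tunnel groups without a pre-shared key, and IKE policy values on a weak list. The sample config, the `audit_asa_config` name, the weak list and the assumption that policy names are compared case-sensitively all belong to this example.

```python
import re

# Constructed excerpt (not from a real device): one name typo, one keyless tunnel group.
SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
group-policy MYCompany internal
username vpnuser attributes
 vpn-group-policy MyCompany
tunnel-group cisco type ipsec-ra
tunnel-group cisco ipsec-attributes
 pre-shared-key EXAMPLE-PLACEHOLDER
tunnel-group branch type ipsec-ra
"""

# Treated as weak by this example (an assumption, adjust to local policy):
# DES/3DES, MD5/SHA-1, and DH groups 1, 2 and 5 (768/1024/1536-bit MODP).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}


def audit_asa_config(text):
    """Return findings for a remote-access VPN config given as text."""
    findings = []
    # 1. Every vpn-group-policy reference must name a defined group policy.
    defined = set(re.findall(r"^group-policy (\S+) internal", text, re.M))
    for name in re.findall(r"^\s*vpn-group-policy (\S+)", text, re.M):
        if name not in defined:  # exact, case-sensitive comparison
            findings.append(f"undefined group-policy: {name}")
    # 2. Every ipsec-ra tunnel group needs a pre-shared-key in its attributes.
    keyed, current = set(), None
    for line in text.splitlines():
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None
        elif current and line.strip().startswith("pre-shared-key "):
            keyed.add(current)
    for name in re.findall(r"^tunnel-group (\S+) type ipsec-ra", text, re.M):
        if name not in keyed:
            findings.append(f"no pre-shared-key: {name}")
    # 3. Flag IKE phase 1 parameters listed in WEAK.
    for num, attr, val in re.findall(
            r"^isakmp policy (\d+) (encryption|hash|group) (\S+)", text, re.M):
        if val in WEAK[attr]:
            findings.append(f"isakmp policy {num}: weak {attr} {val}")
    return findings
```

Calling `audit_asa_config(SAMPLE_CONFIG)` returns the findings as a list of strings, in the order the three checks run.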