Wednesday, July 3, 2013

Cisco ASA: Pre-8.3 Remote-Access VPN Template

I think I have put a remote-access template on this blog before, but only for the 8.3 and later code (which can be found on this link). I came across a need to write up the pre-8.3 version for an engineer I work with so that he could learn it quickly. Below are some simple explanations. You would need to substitute names, IP ranges, etc. for your needs. I hope this is helpful.

VPN DHCP POOL CONFIG:
ip local pool vpnpool 10.10.12.1-10.10.12.254 mask 255.255.255.0

NONAT ACL AND INTERESTING TRAFFIC ACL:

access-list nonat extended permit ip any 10.10.12.0 255.255.255.0
access-list remote_access extended permit ip any 10.10.12.0 255.255.255.0

APPLYING NONAT:
nat (inside) 0 access-list nonat

PHASE I CONFIG:
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

PHASE II CONFIG:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

DYN_MAP FOR REMOTE-ACCESS CONFIG:
crypto dynamic-map dyn_map 65535 set pfs
crypto dynamic-map dyn_map 65535 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5

APPLYING DYN_MAP TO A CRYPTO MAP "OUTSIDE_MAP":
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map

APPLYING THE CRYPTO MAP TO THE OUTSIDE INTERFACE, AND ENABLING ISAKMP:
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp nat-traversal 10

GROUP POLICY CONFIG:
group-policy REMOTEACCESS internal
group-policy REMOTEACCESS attributes
 wins-server value 192.168.1.3 192.168.1.251
 dns-server value 192.168.1.3 192.168.1.251
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote_access
 default-domain value eastalabamamhc.com

TUNNEL-GROUP CONFIG:
tunnel-group REMOTEACCESS type remote-access
tunnel-group REMOTEACCESS general-attributes
 address-pool vpnpool
 default-group-policy REMOTEACCESS
tunnel-group REMOTEACCESS ipsec-attributes
 pre-shared-key securekey
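Because a template like this is copied and hand-edited, the usual mistakes are a pool range that does not match the NAT-exempt ACL, a legacy transform set left in, and the placeholder pre-shared key never replaced. The lint script below is an added example, not part of the original post; it parses the handful of pre-8.3 commands used above and reports those three problems. The sample config is constructed from the template, with the pool range typo left in on purpose so the check has something to find.

```python
import ipaddress
import re
# Constructed sample: the pre-8.3 template from the post, pool range typo included.
SAMPLE_CONFIG = """
ip local pool vpnpool 10.10.12.1-10.10.10.254 mask 255.255.255.0
access-list nonat extended permit ip any 10.10.12.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
tunnel-group REMOTEACCESS ipsec-attributes
 pre-shared-key securekey
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)")
PSK_RE = re.compile(r"^pre-shared-key (\S+)")
WEAK_PSK = {"securekey", "cisco", "password"}   # obvious template placeholders

def lint_ra_template(config):
    # Returns a list of finding strings for a pre-8.3 ASA remote-access template.
    findings, pools, acls, nonat_acl = [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            name, start, end, mask = m.groups()
            net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
            first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if first > last or last not in net:
                findings.append(f"pool {name}: {start}-{end} is not a valid range inside {net}")
            pools[name] = net
        elif m := ACL_RE.match(line):
            name, ip, mask = m.groups()
            acls.setdefault(name, []).append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
        elif m := NAT0_RE.match(line):
            nonat_acl = m.group(1)   # the ACL bound by 'nat (inside) 0' is the NAT-exempt list
        elif m := TS_RE.match(line):
            name, algs = m.groups()
            if "3des" in algs or "md5" in algs:
                findings.append(f"transform-set {name}: legacy algorithm in '{algs}'")
        elif m := PSK_RE.match(line):
            key = m.group(1)
            if len(key) < 16 or key.lower() in WEAK_PSK:
                findings.append("pre-shared-key: placeholder or shorter than 16 characters")
    # Every pool must be covered by the NAT-exempt ACL, or replies to VPN clients get translated.
    for name, net in pools.items():
        if not any(net.subnet_of(n) for n in acls.get(nonat_acl, [])):
            findings.append(f"pool {name}: {net} is not NAT-exempted by access-list {nonat_acl}")
    return findings
```

Run it against a pasted config before it goes on the box; an empty list means the three checks passed, nothing more.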
