Cisco ASA firewall VPN configuration

Source: Internet
Author: User

Step 1 of Cisco ASA firewall VPN configuration: Create an address pool. To remotely access the client, you need to assign an IP address during logon. Therefore, we also need to create a DHCP address pool for these clients. However, if you have a DHCP server, you can also use a DHCP server. QUANMA-T (config) # ip local pool vpnpool mask Step 2: Create IKE Phase 1. QUANMA-T (config) # isakmp policy 1 QUANMA-T (config-isakmp-policy) # authentication pre-share QUANMA-T (config-isakmp-policy) # encryption 3des QUANMA-T (config-isakmp-policy) # hash sha QUANMA-T (config-isakmp-policy) # group 2 QUANMA-T (config-isakmp-policy) # lifetime 43200 QUANMA-T (config-isakmp-policy) # exit Step 3: Apply IKE stage 1 to the outside interface. QUANMA-T (config) # isakmp enable outside Step 4: Define the conversion set QUANMA-T (config) # crypto ipsec transform-set vpnset esp-3des esp-sha-hmac here the set conversion set name is vpnset. Step 5: dynamic encryption ing configuration QUANMA-T (config) # crypto dynamic-map outside-dyn-map 10 set transform-set vpnset QUANMA-T (config) # crypto dynamic-map outside-dyn-map 10 set reverse-route QUANMA-T (config) # crypto dynamic-map outside-dyn-map 10 set security-association lifetime seconds 288000 Step 6: call the dynamic encryption ing in the static encryption ing and apply the above interface QUANMA-T (config) # crypto map outside-map 10 ipsec-isakmp dynamic outside-dyn-map QUANMA-T (config )# Step 7 of crypto map outside-map interface outside: NAT is mainly used to forward layer-3 ipsec esp traffic to layer-4 UDP traffic. ESP is a three-tier package with only the Protocol Number and no port number. When it wants to traverse a PAT device, because the PAT device is based on port conversion, the ESP package cannot pass, in this case, it is necessary to encapsulate it into the UDP packet for normal transmission (source port is UDP4500) QUANMA-T (config) # crypto isakmp nat-traversal // default keepalives time 20 seconds Step 8: configuring the access list bypass by using the sysopt connect command, we tell the ASA to allow the SSL/IPsec client to bypass the interface access list: QUANMA-T (config) # sysopt connection permit-ipsec Step 9: create and set a group policy to specify the parameters that apply to the connected client. In this article, we will create a group policy called vpnclient. QUANMA-T (config) # group-policy vpnclient internal QUANMA-T (config) # group-policy vpnclient attributes QUANMA-T (config-group-policy) # dns-server value QUANMA-T (config-group-policy) # vpn-tunnel-protocol ipsec QUANMA-T (config-group-policy) # default-domain value QUANMA-T (config-group-policy) # exit Step 10: Set up the tunnel group as an attribute QUANMA-T (config) # tunnel-group vpnclient type ipsec-ra QUANMA-T (config) # tunnel-group vpnclient ipsec-attributes QUANMA-T (config-tunnel-ipsec) # pre-shared-key cisco123 QUANMA-T (config-tunnel-ipsec) # exit QUANMA-T (config) # tunnel-group vpnclient general-attributes QUANMA-T (config-tunnel-general) # authentication-server-group LOCAL QUANMA-T (config-tunnel-general) # default-group-policy vpnclient QUANMA-T (config-tunnel-general) # address-pool vpnpool QUANM A-T (config-tunnel-general) # exit and here vpnclient is the username we set for the group user, the domain share key is the password for the group user.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.