Cisco ASA 5505 (8.2) - IPsec Remote Access VPN
ISAKMP Policy: 1
ip local pool: VPN_POOL
transform-set: TRANSFORM_SET
tunnel-group: TESTGROUP
pre-shared key: testingkey (placeholder for the write-up only — use a long, random key on a real deployment)
group-policy: GROUP_POLICY
split-tunnel: ACL-SPLIT-TUNNEL
——————————————————————————————————
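! Cisco ASA 5505, software 8.2 -- IKEv1 IPsec remote-access VPN (group pre-shared key, local users).
! Corrections relative to the original listing:
!   * "crypto ipsec transform set" -> "crypto ipsec transform-set" (hyphenated keyword)
!   * "ip local pool" takes "start-end" with a hyphen, and only host addresses (.1-.126 in a /25;
!     .0 is the network address and .128 is outside the /25)
!   * the NONAT and split-tunnel ACLs referred to 192.168.2.128/25, but the pool actually handed to
!     clients is 192.168.50.0/25 -- they now reference the real pool
!
! --- outside interface: VLAN 2 carried on e0/0 ---
ASA(config)# interface vlan2
! public static IP address and mask
ASA(config-if)# ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ASA(config-if)# nameif outside
ASA(config-if)# no shutdown
ASA(config)# interface e0/0
ASA(config-if)# switchport access vlan 2
ASA(config-if)# no shutdown
!
! --- IKEv1 phase 1 ---
ASA(config)# isakmp enable outside
ASA(config)# isakmp policy 1 authentication pre-share
ASA(config)# isakmp policy 1 encryption aes
ASA(config)# isakmp policy 1 hash sha
! DH group 5 (1536-bit MODP) instead of the original group 2 (1024-bit), which is weak by
! current standards. Drop back to "group 2" only for a client that cannot negotiate group 5.
ASA(config)# isakmp policy 1 group 5
! phase-1 SA lifetime in seconds (12 h)
ASA(config)# isakmp policy 1 lifetime 43200
!
! --- IPsec phase 2 and the crypto map applied to the outside interface ---
ASA(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
! NAT-T keepalive every 20 s, so clients behind a NAT device keep their UDP/4500 mapping open
ASA(config)# crypto isakmp nat-traversal 20
ASA(config)# crypto dynamic-map dyn1 1 set transform-set TRANSFORM_SET
ASA(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
ASA(config)# crypto map mymap interface outside
!
! --- address pool handed to VPN clients: 192.168.50.0/25, usable hosts .1-.126 ---
ASA(config)# ip local pool VPN_POOL 192.168.50.1-192.168.50.126 mask 255.255.255.128
!
! --- NAT exemption (often loosely called "identity NAT"): traffic between the inside network
!     (192.168.2.0/25) and the VPN pool must not be translated by the appliance; otherwise the
!     return traffic to VPN clients is NATed and the tunnel appears to pass traffic only one way.
ASA(config)# access-list NONAT extended permit ip 192.168.2.0 255.255.255.128 192.168.50.0 255.255.255.128
ASA(config)# nat (inside) 0 access-list NONAT
!
! --- split tunnelling: only the inside network (192.168.2.0/25) is sent through the tunnel;
!     everything else leaves the client directly. A standard ACL naming the protected network
!     is the documented form for a split-tunnel network list.
ASA(config)# access-list ACL-SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.128
!
! --- local VPN user. "12345678" is an example only: use a long password here, and prefer an
!     external aaa-server (RADIUS/LDAP) for anything beyond a lab.
ASA(config)# username testuser password 12345678
!
ASA(config)# group-policy GROUP_POLICY internal
ASA(config)# group-policy GROUP_POLICY attributes
! minutes of inactivity before the session is torn down
ASA(config-group-policy)# vpn-idle-timeout 120
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value ACL-SPLIT-TUNNEL
!
ASA(config)# tunnel-group TESTGROUP type remote-access
ASA(config)# tunnel-group TESTGROUP general-attributes
ASA(config-general)# address-pool VPN_POOL
ASA(config-general)# default-group-policy GROUP_POLICY
ASA(config)# tunnel-group TESTGROUP ipsec-attributes
! Group pre-shared key. IKEv1 remote access with a PSK typically negotiates in aggressive mode,
! where the key is exposed to offline guessing by anyone who can reach the outside interface --
! use a long random value rather than a word. "testingkey" is a placeholder.
ASA(config-ipsec)# pre-shared-key testingkey
!
! Lets VPN clients reach the ASA's own inside interface (ping/telnet/ssh/http) over the tunnel.
! Only enable this if the management services themselves are restricted to the management
! network (the "ssh <net> <mask> inside" / "http <net> <mask> inside" statements).
ASA(config)# management-access inside
ASA(config)# write memory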