Cisco ASA 5540:Remote-Access VPN Configuration with CLI

Unanswered Question
Apr 2nd, 2008

Good morning, I am writing to ask for a URL where I can find Remote-Access VPN Configuration with CLI (Command Line Interface).

Now I'm reading this URL:

http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/rem_acc.html

but I should use CLI (on ASA) and not ASDM.

Can anyone suggest me a URL?

Best Regards

Davide

sercopi Wed, 04/02/2008 - 07:06

Good evening Jorge, thanks very much for the URLs.

If I can, I have another question as below:

I have added my crypto map "euro" to my ASA configuration, where there are already 3 crypto maps: "infoc", "reply" and "fly".

What happens is that when I put in the configuration:

hostname(config)# crypto map euro interface outside

this command binds crypto map "euro" to outside but unbinds crypto maps "infoc", "reply" and "fly".

Could you suggest me a solution?

Thanks for your help.

Cheers

Davide

JORGE RODRIGUEZ Wed, 04/02/2008 - 08:22

Hi Davide, you can only have one crypto map on a given interface, but you can use numbers to separate your IPsec tunnel policies from one another.

For example, in an L2L VPN terminating on your PIX/ASA outside interface:

here the IPsec phase-2 crypto map name is only one and unique for the crypto engine (outside_map), with two different policies; the same applies for the ISAKMP policy, IPsec phase-1.

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer
crypto map outside_map 21 set transform-set

The access lists mapped to the IPsec entries are called, in the above example, outside_cryptomap_20 and outside_cryptomap_21

etc..

Here is a link for a similar scenario that is explained better for RA and L2L VPN:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

HTH

Rgds

Jorge

rate any helpful post if it helps

sercopi Thu, 04/03/2008 - 05:48

Hi Jorge, thanks very much, your details are very helpful for my configuration. With your suggestion, now with only one crypto map:

crypto map infocmap

I can manage 3 tunnels as below:

###
# First VPN customer
###
crypto ipsec transform-set infocset esp-3des esp-md5-hmac
crypto map infocmap 10 match address acl_name
crypto map infocmap 10 set peer ip_address
crypto map infocmap 10 set transform-set infocset
###
# Second VPN customer
###
crypto ipsec transform-set fromaset esp-3des esp-md5-hmac
crypto map infocmap 20 match address acl_name
crypto map infocmap 20 set peer ip_address
crypto map infocmap 20 set transform-set fromaset
###
# Third client IPsec VPN (RemoteAccess) customer
###
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ip local pool eurostand public_IP_address
username name_user password pwd_user
tunnel-group eurostand type ipsec-ra
tunnel-group eurostand general-attributes
 address-pool eurostand
tunnel-group eurostand ipsec-attributes
 pre-shared-key xxxxxxxxxx
crypto ipsec transform-set euroset esp-3des esp-sha-hmac
crypto dynamic-map eurostand 30 set transform-set euroset
crypto dynamic-map eurostand 30 set security-association lifetime seconds 288000
crypto dynamic-map eurostand 30 set reverse-route
crypto map infocmap 30 ipsec-isakmp dynamic eurostand
###
# For all VPN customers
###
crypto map infocmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp policy 20
crypto isakmp policy 30

All is OK, every tunnel is connected. Now I should perform packet filtering on traffic from the client VPN (RemoteAccess) customer, for example deny a terminal server session to a host on a DMZ.

Can you suggest me a link where I can find information about packet filtering after a tunnel established by an IPsec VPN client is terminated?

Thanks for your effort!

Cheers

Davide
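The rule Jorge describes (one crypto map per interface, so a second `crypto map <name> interface outside` silently replaces the first binding and leaves the other maps dead) is easy to check offline before pushing a change. The script below is an added example, not code from this thread or from Cisco; it parses only the subset of ASA crypto commands that appear above, and both sample configurations are constructed (peer addresses use the 203.0.113.0/24 documentation range). It reports maps that are no longer bound to any interface and references to transform-sets or dynamic-maps that are never defined, which is what Davide's "undocking" symptom looks like in a running-config.

```python
"""Audit ASA crypto map bindings: one crypto map per interface.

Added example (not from the thread). Models the ASA behaviour that
`crypto map <name> interface <if>` binds exactly one map to an interface
and a later binding replaces an earlier one. Only the commands seen in
the thread are parsed; sample configs below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: four separately named maps, two bindings on "outside".
BROKEN_CONFIG = """
crypto ipsec transform-set infocset esp-3des esp-md5-hmac
crypto map infoc 10 match address infoc_acl
crypto map infoc 10 set peer 203.0.113.10
crypto map infoc 10 set transform-set infocset
crypto map reply 10 match address reply_acl
crypto map reply 10 set peer 203.0.113.20
crypto map reply 10 set transform-set infocset
crypto map fly 10 match address fly_acl
crypto map fly 10 set peer 203.0.113.30
crypto map fly 10 set transform-set infocset
crypto dynamic-map euro 10 set transform-set infocset
crypto map euro 10 ipsec-isakmp dynamic euro
crypto map infoc interface outside
crypto map euro interface outside
"""

# Constructed sample: one map, one sequence number per tunnel policy.
FIXED_CONFIG = """
crypto ipsec transform-set infocset esp-3des esp-md5-hmac
crypto map infocmap 10 match address infoc_acl
crypto map infocmap 10 set peer 203.0.113.10
crypto map infocmap 10 set transform-set infocset
crypto map infocmap 20 match address reply_acl
crypto map infocmap 20 set peer 203.0.113.20
crypto map infocmap 20 set transform-set infocset
crypto map infocmap 30 match address fly_acl
crypto map infocmap 30 set peer 203.0.113.30
crypto map infocmap 30 set transform-set infocset
crypto dynamic-map euro 10 set transform-set infocset
crypto map infocmap 40 ipsec-isakmp dynamic euro
crypto map infocmap interface outside
"""

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) (.+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) ")


def parse_crypto(config):
    """Return (maps, dynamic_maps, transform_sets, bindings).

    maps / dynamic_maps: {name: {seq: [subcommand, ...]}}
    bindings: {interface: map_name}; a later interface command overwrites
    an earlier one, which is exactly how the ASA treats it.
    """
    maps = defaultdict(lambda: defaultdict(list))
    dyn = defaultdict(lambda: defaultdict(list))
    transform_sets = set()
    bindings = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := BIND_RE.match(line):
            bindings[m.group(2)] = m.group(1)  # replaces any previous map
        elif m := ENTRY_RE.match(line):
            maps[m.group(1)][int(m.group(2))].append(m.group(3))
        elif m := DYN_RE.match(line):
            dyn[m.group(1)][int(m.group(2))].append(m.group(3))
        elif m := TS_RE.match(line):
            transform_sets.add(m.group(1))
    return maps, dyn, transform_sets, bindings


def audit(config):
    """Return a list of findings; an empty list means every crypto map is
    bound to an interface and every referenced object is defined."""
    maps, dyn, transform_sets, bindings = parse_crypto(config)
    bound = set(bindings.values())
    findings = []
    for name in sorted(maps):
        if name not in bound:
            findings.append(f"crypto map {name} is not bound to any interface")
        for seq, cmds in sorted(maps[name].items()):
            for cmd in cmds:
                t = re.match(r"set transform-set (\S+)", cmd)
                if t and t.group(1) not in transform_sets:
                    findings.append(f"{name} {seq}: transform-set {t.group(1)} undefined")
                d = re.match(r"ipsec-isakmp dynamic (\S+)", cmd)
                if d and d.group(1) not in dyn:
                    findings.append(f"{name} {seq}: dynamic-map {d.group(1)} undefined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run against the broken sample it reports that `infoc`, `reply` and `fly` are not bound to any interface, because the final `crypto map euro interface outside` took over the binding; the fixed sample, which collapses everything into `infocmap` with sequence numbers 10 to 40, produces no findings. Paste a real `show running-config crypto` into `audit()` the same way.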
