Cisco ASA 5540:Remote-Access VPN Configuration with CLI

Unanswered Question
Apr 2nd, 2008

Good morning, I am writing to you to ask for a URL where I can find Remote-Access VPN Configuration with CLI (Command Line Interface).


Now I'm reading this URL:


http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/rem_acc.html


but I should use CLI (on ASA) and not ASDM.


Can anyone suggest me a URL?


Best Regards

Davide

sercopi Wed, 04/02/2008 - 07:06

Good evening Jorge, thanks very much for the URLs.


If I can, I have another question as below:


I have added my crypto map "euro" to my ASA configuration, where there are already 3 crypto maps: "infoc", "reply" and "fly".


What happens is, when I put in the configuration:


hostname(config)# crypto map euro interface outside


this command binds crypto map "euro" to outside but unbinds crypto maps "infoc", "reply" and "fly".


Could you suggest me a solution?


Thanks for your help.


Cheers

Davide

JORGE RODRIGUEZ Wed, 04/02/2008 - 08:22

Hi Davide, you can only have one crypto map on a given interface, but you can create numbers to separate your IPsec tunnel policies from one another.


For example, in a L2L VPN terminating on your PIX/ASA outside interface:


Here the IPsec phase-2 crypto map name is only one and unique for the crypto engine (outside_map), with two different policies; the same applies to the ISAKMP policy for IPsec phase 1.


crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set

crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer
crypto map outside_map 21 set transform-set


The access lists mapping to the IPsec entries in the above example are called outside_cryptomap_20 and outside_cryptomap_21,

etc.



Here is a link for a similar scenario that is explained better for RA and L2L VPN:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml



HTH

Rgds

Jorge

rate any helpful post if it helps


sercopi Thu, 04/03/2008 - 05:48

Hi Jorge, thanks very much, your details are very helpful for my configuration. With your suggestion, now with only one crypto map:


crypto map infocmap


I can manage 3 tunnels as below:


###
# First VPN customer
###
crypto map infocmap 10 match address acl_name
crypto map infocmap 10 set peer ip_address
crypto map infocmap 10 set transform-set infocset
crypto ipsec transform-set infocset esp-3des esp-md5-hmac

###
# Second VPN customer
###
crypto map infocmap 20 match address acl_name
crypto map infocmap 20 set peer ip_address
crypto map infocmap 20 set transform-set fromaset
crypto ipsec transform-set fromaset esp-3des esp-md5-hmac

###
# Third client IPSec VPN (RemoteAccess) customer
###
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ip local pool eurostand public_IP_address
username name_user password pwd_user
tunnel-group eurostand type ipsec-ra
tunnel-group eurostand general-attributes
 address-pool eurostand
tunnel-group eurostand ipsec-attributes
 pre-shared-key xxxxxxxxxx
crypto map infocmap 30 ipsec-isakmp dynamic eurostand
crypto dynamic-map eurostand 30 set transform-set euroset
crypto dynamic-map eurostand 30 set security-association lifetime seconds 288000
crypto dynamic-map eurostand 30 set reverse-route
crypto ipsec transform-set euroset esp-3des esp-sha-hmac

###
# For all VPN customer
###
crypto map infocmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp policy 20
crypto isakmp policy 30


All is OK, every tunnel is connected. Now I should perform packet filtering on traffic from the client VPN (RemoteAccess) customer, for example deny terminal server sessions to a host on a DMZ.


Can you suggest me a link where I can find information about packet filtering after a tunnel from an IPSec VPN client is terminated?


Thanks for your effort!


Cheers

Davide
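The filtering Davide asks about in his last post (restricting what a remote-access client can reach once its tunnel terminates on the ASA), shown as an added ASA configuration example. This is not part of the original thread and not Cisco's documentation; it is a constructed fragment that reuses the tunnel-group name eurostand from the thread and assumes a client address pool of 10.10.10.0/24, a DMZ terminal server at 192.168.50.10 listening on TCP 3389, and the invented names eurostand_gp, eurostand_vpn_filter and outside_in. Two approaches are shown side by side: a per-group vpn-filter, and disabling the VPN ACL bypass so the interface ACL applies to decrypted traffic.

```cisco
! Constructed example, not from the thread. Assumed values:
!   client pool      10.10.10.0/24   (ip local pool eurostand)
!   DMZ host         192.168.50.10   (terminal server, TCP 3389)
!   group-policy     eurostand_gp    (hypothetical name)

! --- Option A: per-group vpn-filter ---------------------------------
! A vpn-filter ACL is written from the remote side: the client address
! is the source and the protected network is the destination. The ASA
! applies it to the decrypted traffic of every session in that group.
! An ACL ends with an implicit deny, so the final permit is required
! or the clients lose all access.
access-list eurostand_vpn_filter extended deny tcp 10.10.10.0 255.255.255.0 host 192.168.50.10 eq 3389
access-list eurostand_vpn_filter extended permit ip 10.10.10.0 255.255.255.0 any

group-policy eurostand_gp internal
group-policy eurostand_gp attributes
 vpn-filter value eurostand_vpn_filter

! Attach the group-policy to the remote-access tunnel-group from the thread.
tunnel-group eurostand general-attributes
 address-pool eurostand
 default-group-policy eurostand_gp

! --- Option B: subject decrypted traffic to the interface ACL --------
! By default the ASA lets traffic that arrives through a VPN bypass the
! interface access-group. Turning that off makes the outside interface
! ACL apply to the decrypted packets of every tunnel on the box (the
! L2L customers too), so their traffic must then be permitted here as well.
no sysopt connection permit-vpn
access-list outside_in extended deny tcp 10.10.10.0 255.255.255.0 host 192.168.50.10 eq 3389
access-list outside_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group outside_in in interface outside
```

Option A is the narrower change, since it affects only sessions that land in eurostand_gp and leaves the existing L2L tunnels untouched; option B is a global switch and should be reviewed against every tunnel terminating on that interface before it is applied. In both cases the hit counts from show access-list, and the group-policy shown for the session by show vpn-sessiondb remote, confirm that the filter is actually being applied to a connected client.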
