Cisco ASA 5540: Remote-Access VPN Configuration with CLI

Apr 2nd, 2008

Good morning, I am writing to ask for a URL where I can find Remote-Access VPN Configuration with CLI (Command Line Interface).

Now I'm reading this URL:

but I should use CLI (on ASA) and not ASDM.

Can anyone suggest a URL?

Best Regards


sercopi Wed, 04/02/2008 - 07:06

Good evening Jorge, thanks very much for the URLs.

If I can, I have another question as below:

I have added my crypto map "euro" to my ASA configuration, where there are already 3 crypto maps: "infoc", "reply" and "fly".

What happens is, when I put this in the configuration:

hostname(config)# crypto map euro interface outside

this command binds crypto map "euro" to outside but undocks crypto maps "infoc", "reply" and "fly".

Could you suggest a solution?

Thanks for your help.



JORGE RODRIGUEZ Wed, 04/02/2008 - 08:22

Hi Davide, you can only have one crypto map on a given interface, but you can create numbers to separate your IPsec tunnel policies from one another.

For example, in an L2L VPN terminating on your PIX/ASA outside interface, the IPsec phase-2 crypto map name is only one and unique for the crypto engine (outside_map), with two different policies; the same applies for the ISAKMP policy (IPsec phase 1).

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_10
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set

crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer
crypto map outside_map 21 set transform-set

The access lists mapped to the IPsec policies are called, in the above example, outside_cryptomap_20 and outside_cryptomap_21.

Here is a link for a similar scenario that is explained better for RA and L2L VPN:




rate any helpful post if it helps
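
The one-map-per-interface rule from the two posts above, as an added example that is not part of the thread or any Cisco tool: a small Python check over ASA crypto map lines that reports a `crypto map ... interface` command displacing an earlier map, entries left on an unbound map, and static entries missing an ACL, peer or transform set. The map names follow the thread; the ACL, transform-set and dynamic-map names and the 192.0.2.x peers are constructed, and "the last bind on an interface replaces the previous one" is an assumption taken from the behaviour described in the question.

```python
import re
from collections import defaultdict

# Constructed config: two separate maps bound to the same interface (the problem).
BEFORE = """\
crypto map infoc 10 match address acl_infoc
crypto map infoc 10 set peer 192.0.2.10
crypto map infoc 10 set transform-set infocset
crypto map infoc interface outside
crypto map euro 10 match address acl_euro
crypto map euro 10 set peer 192.0.2.20
crypto map euro 10 set transform-set euroset
crypto map euro interface outside
"""
# Constructed config: the same tunnels as sequence numbers of one map (the fix).
AFTER = """\
crypto map outside_map 20 match address acl_infoc
crypto map outside_map 20 set peer 192.0.2.10
crypto map outside_map 20 set transform-set infocset
crypto map outside_map 21 match address acl_euro
crypto map outside_map 21 set peer 192.0.2.20
crypto map outside_map 21 set transform-set euroset
crypto map outside_map 30 ipsec-isakmp dynamic ra_clients
crypto map outside_map interface outside
"""
ENTRY = re.compile(r"^crypto map (\S+) (\d+) "
                   r"(match address|set peer|set transform-set|ipsec-isakmp dynamic)\b")
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
REQUIRED = {"match address", "set peer", "set transform-set"}

def audit(config):
    """Return findings for crypto map lines in an ASA-style config text."""
    entries = defaultdict(set)  # (map name, sequence) -> attributes seen
    bound = {}                  # interface -> map name; assumption: last bind wins
    findings = []
    for line in map(str.strip, config.splitlines()):
        if m := BIND.match(line):
            name, iface = m.groups()
            if bound.get(iface, name) != name:
                findings.append(f"{iface}: binding '{name}' replaces '{bound[iface]}'")
            bound[iface] = name
        elif m := ENTRY.match(line):
            entries[(m[1], int(m[2]))].add(m[3])
    for (name, seq), attrs in sorted(entries.items()):
        if name not in bound.values():
            findings.append(f"{name} {seq}: map not bound to any interface")
        elif "ipsec-isakmp dynamic" not in attrs and (missing := REQUIRED - attrs):
            findings.append(f"{name} {seq}: missing {', '.join(sorted(missing))}")
    return findings
```

`audit(BEFORE)` returns the replaced binding plus the orphaned `infoc 10` entry, while `audit(AFTER)` returns an empty list.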

sercopi Thu, 04/03/2008 - 05:48

Hi Jorge, thanks very much, your details are very helpful for my configuration. With your suggestion, now with only one crypto map:

crypto map infocmap

I can manage 3 tunnels as below:


# First VPN customer

crypto map infocmap 10 match address acl_name
crypto map infocmap 10 set peer ip_address
crypto map infocmap 10 set transform-set infocset
crypto ipsec transform-set infocset esp-3des esp-md5-hmac

# Second VPN customer

crypto map infocmap 20 match address acl_name
crypto map infocmap 20 set peer ip_address
crypto map infocmap 20 set transform-set fromaset
crypto ipsec transform-set fromaset esp-3des esp-md5-hmac

# Third client IPSec VPN (RemoteAccess) customer

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ip local pool eurostand pubblic_IP_address
username name_user password pwd_user
tunnel-group eurostand type ipsec-ra
tunnel-group eurostand general-attributes
address-pool eurostand
tunnel-group eurostand ipsec-attributes
pre-shared-key xxxxxxxxxx
crypto map infocmap 30 ipsec-isakmp dynamic eurostand
crypto dynamic-map eurostand 30 set transform-set euroset
crypto dynamic-map eurostand 30 set security-association lifetime seconds 288000
crypto dynamic-map eurostand 30 set reverse-route
crypto ipsec transform-set euroset esp-3des esp-sha-hmac

# For all VPN customer

crypto map infocmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp policy 20
crypto isakmp policy 30

All is OK, every tunnel is connected. Now I should perform packet filtering on traffic from the client VPN (RemoteAccess) customer, for example deny terminal server sessions to a host on a DMZ.

Can you suggest a link where I can find information about doing packet filtering after a tunnel made by an IPSec VPN client is terminated?

Thanks for your effort!



