04-02-2008 03:02 AM - edited 02-21-2020 03:38 PM
Good morning, I am writing to you to find out a URL where I can find Remote-Access VPN Configuration with the CLI (Command Line Interface).
Now I'm reading this URL:
http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/rem_acc.html
but I should use the CLI (on the ASA) and not ASDM.
Can anyone suggest a URL?
Best Regards
Davide
04-02-2008 05:06 AM
You can use this one; the CLI portion is in the middle of the doc.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
You may want to also check the RA VPN section here.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Rgds
Jorge
04-02-2008 07:06 AM
Good evening Jorge, thanks very much for the URLs.
If I may, I have another question, as below:
I have added my crypto map "euro" to my ASA configuration, where there are already 3 crypto maps: "infoc", "reply" and "fly".
What happens is, when I put in the configuration:
hostname(config)# crypto map euro interface outside
this command binds crypto map "euro" on outside but unbinds crypto maps "infoc", "reply" and "fly".
Could you suggest a solution?
Thanks for your help.
Cheers
Davide
04-02-2008 08:22 AM
Hi Davide, you can only have one crypto map on a given interface, but you can create numbers to separate your IPsec tunnel policies from one another.
For example, in a L2L VPN terminating on your PIX/ASA outside interface,
the IPsec phase-2 crypto map name is only one and unique for the crypto engine (outside_map), with two different policies; the same applies to the ISAKMP policy (IPsec phase-1):
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_10
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer
crypto map outside_map 21 set transform-set
The access lists mapping to the IPsec entries are called, in the above example, outside_cryptomap_20 and outside_cryptomap_21,
etc.
Here is a link for a similar scenario that is explained better, for RA and L2L VPN:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
HTH
Rgds
Jorge
Rate any helpful post if it helps.
04-03-2008 05:48 AM
Hi Jorge, thanks very much, your details are very helpful for my configuration. With your suggestion, now with only one crypto map:
crypto map infocmap
I can manage 3 tunnels as below:
###
# First VPN customer
###
crypto map infocmap 10 match address acl_name
crypto map infocmap 10 set peer ip_address
crypto map infocmap 10 set transform-set infocset
crypto ipsec transform-set infocset esp-3des esp-md5-hmac
###
# Second VPN customer
###
crypto map infocmap 20 match address acl_name
crypto map infocmap 20 set peer ip_address
crypto map infocmap 20 set transform-set fromaset
crypto ipsec transform-set fromaset esp-3des esp-md5-hmac
###
# Third client IPSec VPN (RemoteAccess) customer
###
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ip local pool eurostand pubblic_IP_address
username name_user password pwd_user
tunnel-group eurostand type ipsec-ra
tunnel-group eurostand general-attributes
address-pool eurostand
tunnel-group eurostand ipsec-attributes
pre-shared-key xxxxxxxxxx
crypto map infocmap 30 ipsec-isakmp dynamic eurostand
crypto dynamic-map eurostand 30 set transform-set euroset
crypto dynamic-map eurostand 30 set security-association lifetime seconds 288000
crypto dynamic-map eurostand 30 set reverse-route
crypto ipsec transform-set euroset esp-3des esp-sha-hmac
###
# For all VPN customer
###
crypto map infocmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp policy 20
crypto isakmp policy 30
All is OK, every tunnel is connected. Now I should perform packet filtering on traffic from the
client VPN (RemoteAccess) customer, for example deny terminal server sessions to a host on a DMZ.
Can you suggest a link where I can find information about packet filtering after a tunnel performed by an IPSec VPN client is terminated?
Thanks for your effort!
Cheers
Davide
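The problem from the second post (a second "crypto map ... interface outside" line silently replacing the first binding) and the single-map layout Jorge describes can both be checked mechanically before a change is pushed. The following is an added example, not code from the thread or from Cisco: a small Python audit of ASA-style crypto map lines that reports shadowed interface bindings, map entries left unbound (whose tunnels will never negotiate), and static entries missing a match address, peer or transform-set. The config text is constructed for illustration; the peer addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (not a real config): the second interface binding replaces
# the first, exactly the behaviour Davide observed with "euro" vs "infoc".
SAMPLE_CONFIG = """
crypto map infoc 10 match address acl_infoc
crypto map infoc 10 set peer 192.0.2.10
crypto map infoc 10 set transform-set infocset
crypto map euro 10 match address acl_euro
crypto map euro 10 set peer 192.0.2.20
crypto map euro 20 ipsec-isakmp dynamic eurostand
crypto map infoc interface outside
crypto map euro interface outside
"""

# Clauses every static (non-dynamic) crypto map entry needs to form a tunnel.
STATIC_REQUIRED = ("match address", "set peer", "set transform-set")

def parse_crypto_maps(config):
    """Return (bindings, entries): interface -> map names in the order applied,
    and (map name, sequence) -> list of clause strings for that entry."""
    bindings = defaultdict(list)
    entries = defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            bindings[m.group(2)].append(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) (.+)$", line)
        if m:
            entries[(m.group(1), int(m.group(2)))].append(m.group(3))
    return bindings, entries

def audit(config):
    """Return (effective binding per interface, list of findings)."""
    bindings, entries = parse_crypto_maps(config)
    effective = {iface: names[-1] for iface, names in bindings.items()}  # last wins
    findings = []
    for iface, names in bindings.items():
        for shadowed in names[:-1]:
            findings.append(f"{iface}: map '{shadowed}' replaced by '{names[-1]}'")
    bound = set(effective.values())
    for (name, seq), clauses in sorted(entries.items()):
        if name not in bound:
            findings.append(f"{name} {seq}: not bound to any interface")
        if not any(c.startswith("ipsec-isakmp dynamic") for c in clauses):
            for req in STATIC_REQUIRED:  # dynamic entries learn peer/ACL at runtime
                if not any(c.startswith(req) for c in clauses):
                    findings.append(f"{name} {seq}: missing '{req}'")
    return effective, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[1]:
        print(finding)
```

Running it against the sample reports that "infoc" was replaced on outside, that "infoc 10" is therefore unbound, and that "euro 10" lacks a transform-set.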