Help on creating VPN access group in ASA 5520


Jan 7, 2010 8:02 AM
Jan 7th, 2010

Hello.  We have a new installation and our firewall/vpn is through a ASA 5520.  Our network consultants are so busy that they cannot get to our request in a timely manner.  I want to create a VPN access group which uses a Radius server or through Active Directory server for authentication.  The network engineer has created a group for us but the authentication is using a ASA Local user profile.  I want to use Radius of WinNt login.  I am an expert in Cisco CVPN3500 concentrator but not on the ASA yet.

Can someone give me step-by-step guide to create a VPN group with Radius or AD?

Thanks in advance.

Average Rating: 0 (0 ratings)


AnujPratap Thu, 03/04/2010 - 22:55 (reply to mlewis1)

Defining a Tunnel Group

A tunnel group is a set of records that contain tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define a default group policy. The security appliance stores tunnel groups internally.

There are two default tunnel groups in the security appliance system: DefaultRAGroup, which is the default IPSec remote-access tunnel group, and DefaultL2Lgroup, which is the default IPSec LAN-to-LAN tunnel group.
You can change them but not delete them. The security appliance uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation.

To establish a basic remote access connection, you must set three attributes for a tunnel group:
• Set the connection type to IPSec remote access.
• Configure the address assignment method, in the following example, address pool.
• Configure an authentication method, in the following example, preshared key.

Step 1  To set the connection type to IPSec remote access, enter the tunnel-group command. The command syntax is tunnel-group name type type, where name is the name you assign to the tunnel group, and type is the type of tunnel. The tunnel types as you enter them in the CLI include the following:
• ipsec-ra (IPSec remote access)
• ipsec-l2l (IPSec LAN to LAN)
In the following example the name of the tunnel group is testgroup.

ASA(config)# tunnel-group testgroup type remote-access

Step 2  To configure an authentication method for the tunnel group, enter the general-attributes mode and then enter the address-pool command to create the address pool. In the following example the name of the group is testgroup and the name of the address pool is VPNRange.

ASA(config)# tunnel-group DefaultRAGroup general-attributes
ASA(config-general)# authentication-server-group VPN
ASA(config-general)# authentication-server-group (inside) xyz
ASA(config-general)# authorization-server-group VPN
ASA(config-general)# accounting-server-group VPN


ASA(config)# tunnel-group testgourp type remote-access

ASA(config)# tunnel-group testgroup general-attributes
ASA(config-general)# address-pool VPNRange
ASA(config-general)# authentication-server-group VPN
ASA(config-general)# accounting-server-group VPN
ASA(config-general)# default-group-policy testgroup
ASA(config)# tunnel-group gourp-name ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key *******
below aaa comand is also require, which means that where is Radius server is located.
aaa-server name (inside) host Radius

AnujPratap Thu, 03/04/2010 - 23:14 (reply to AnujPratap)

please use below command also for mentioining radius server ip address.

aaa-server VPN (inside) host (radius server ip address)


Login or Register to take actions

This Document

Posted January 7, 2010 at 8:02 AM
Comments:3 Avg. Rating:0
Views:3372 Contributors:2
Tags: No tags.

Documents Leaderboard

Rank Username Points
1 139
2 90
3 75
4 55
5 48
Rank Username Points