
Sunday, January 4, 2009

Remote Access VPN (Easy VPN) provides a secure tunnel over the public network to off-site users. Easy VPN follows a proper client-server model, so we will do as much of the configuration as possible on the server end (the ASA) and use the Cisco VPN client software at the user end to establish the connection.

Basic steps for Easy VPN configuration:

1- Configure the ASA interface

* Interface name

* Security level

* IP address

* Enable crypto isakmp on the ASA

2- Configure the IP pool

* Pool name

* Range of IP addresses to be handed out from the pool

3- Configure user accounts

* Username

* Password

4- Define the ISAKMP policy

* Authentication

* Hash

* Encryption

* Group

5- Establish the IPsec transform set

* Esp-des

* Esp-md5-hmac

* Esp-aes

* Esp-sha-hmac

6- Configure the tunnel group

* Group name

* Group policies

7- Apply the crypto map to the outside interface

* Binding the crypto map to the interface makes the ASA match traffic on that interface against it

Configuration of the ASA

ASA(config)# interface GigabitEthernet 0/1

ASA(config-if)# no shutdown

ASA(config-if)# nameif outside

ASA(config-if)# ip address 20.1.1.50 255.0.0.0

ASA(config-if)# exit

ASA(config)# crypto isakmp enable outside

(enable crypto isakmp on the outside interface of the ASA)

ASA(config)# ip local pool poolname 30.1.1.1-30.1.1.50

(define the IP pool named poolname; the keyword is "ip local pool" followed by the pool name)

ASA(config)# route outside 0 0 20.0.0.0

(default route out of the outside interface; the next hop should be the gateway address of the upstream router on the 20.0.0.0/8 segment)

ASA(config)# username Mark password Cisco

(define the username and password for the remote user)

Now define the IKE policy on the ASA

ASA(config)# crypto isakmp policy 10

(10 is the isakmp policy number)

ASA(config-isakmp)# encryption des

(enable DES encryption)

ASA(config-isakmp)# hash md5

(enable the MD5 algorithm for hashing)

ASA(config-isakmp)# authentication pre-share

(enable the pre-shared key method)

ASA(config-isakmp)# group 2

(enable Diffie-Hellman group 2)

ASA(config-isakmp)# exit

(exit from crypto isakmp mode)

ASA(config)# crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(here the encryption type is DES and the hashing technique is MD5-HMAC; the esp-aes and esp-sha-hmac options listed in step 5 are the stronger choice for a production device)

ASA(config)# crypto dynamic-map dmap 10 set transform-set ts2

(apply the transform set to the dynamic map)

ASA(config)# crypto map imap 10 ipsec-isakmp dynamic dmap

(call the dynamic map dmap from the crypto map named imap)

ASA(config)# tunnel-group marketing type ipsec-ra

(create a remote-access tunnel group for the marketing department)

ASA(config)# tunnel-group marketing general-attributes

ASA(config-general)# address-pool poolname

(assign the IP pool defined above to the tunnel group)

ASA(config-general)# exit

ASA(config)# tunnel-group marketing ipsec-attributes

ASA(config-ipsec)# pre-shared-key Cisco

(the group pre-shared key; the VPN client is configured with the group name marketing and this key)

ASA(config-ipsec)# exit

ASA(config)# crypto map imap interface outside

(apply the crypto map to the outside interface)


Now, to verify the secure tunnel, dial the connection from the user end using the Cisco VPN client. On the ASA, show crypto isakmp sa and show crypto ipsec sa confirm that the phase 1 and phase 2 security associations came up.
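Before dialling in, it is worth checking that the objects in the configuration actually reference each other (pool, transform set, dynamic map, crypto map, interface) and that no weak algorithm slipped in. The following Python script is an added example, not part of the original post; it parses a saved ASA configuration built from the commands above (a constructed sample, with the pool line written as "ip local pool") and reports on both points.

```python
import re
# Constructed sample (added example, not text from the original post): the Easy VPN
# config above as it appears in a saved ASA config, prompts removed.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif outside
 ip address 20.1.1.50 255.0.0.0
crypto isakmp enable outside
ip local pool poolname 30.1.1.1-30.1.1.50
username Mark password Cisco
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ts2 esp-des esp-md5-hmac
crypto dynamic-map dmap 10 set transform-set ts2
crypto map imap 10 ipsec-isakmp dynamic dmap
tunnel-group marketing type ipsec-ra
tunnel-group marketing general-attributes
 address-pool poolname
tunnel-group marketing ipsec-attributes
 pre-shared-key Cisco
crypto map imap interface outside
"""
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}  # flagged if present

def audit_easy_vpn(config):
    """Verify the pool/transform-set/dynamic-map/crypto-map references hang together,
    that the crypto map is bound to an ISAKMP-enabled interface, and list weak algorithms."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def hit(pat): return [m for m in (re.fullmatch(pat, l) for l in lines) if m]  # matching lines
    pools = {m[1] for m in hit(r"ip local pool (\S+) \S+")}
    pool_refs = {m[1] for m in hit(r"address-pool (\S+)")}
    tsets = {m[1]: m[2].split() for m in hit(r"crypto ipsec transform-set (\S+) (.+)")}
    dmap_ts = {m[1]: m[2] for m in hit(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)")}
    cmap_dmap = {m[1]: m[2] for m in hit(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)")}
    cmap_if = {m[1]: m[2] for m in hit(r"crypto map (\S+) interface (\S+)")}
    isakmp_ifs = {m[1] for m in hit(r"crypto isakmp enable (\S+)")}
    algs = {m[1] for m in hit(r"(?:encryption|hash) (\S+)")} | {a for t in tsets.values() for a in t}
    dh_weak = {f"group {m[1]}" for m in hit(r"group (\d+)") if int(m[1]) < 14}  # DH groups below 14
    chain_ok = all(t in tsets for t in dmap_ts.values()) and all(d in dmap_ts for d in cmap_dmap.values())
    bound = bool(cmap_if) and all(n in cmap_dmap and i in isakmp_ifs for n, i in cmap_if.items())
    return {
        "pool_referenced": bool(pool_refs) and pool_refs <= pools,
        "transform_chain_ok": chain_ok,
        "crypto_map_bound": bound,
        "weak_algorithms": sorted((algs & WEAK) | dh_weak),
    }
```

For the configuration on this page every reference check passes, while DES, MD5-HMAC and DH group 2 are reported as weak; dropping the final "crypto map imap interface outside" line or misspelling the pool name in address-pool turns the corresponding check false.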

1 comment:

Anonymous said...

nice work, it's useful for those who work with vpn and proxy