Remote Access IPsec. Cisco ASA as an ezVPN Server
Written by Alexei Spirin   
Monday, 28 February 2011 13:35
ASA Config: ASA ezVPN Server with local authentication
! Let decrypted VPN traffic bypass the outside interface ACL.
! On newer ASA images this keyword is spelled 'permit-vpn'.
sysopt connection permit-ipsec
! IKEv1 (ISAKMP) on the outside interface, with NAT-T keepalives every 60 s.
! 8.4 and later spell these commands 'crypto ikev1 ...'.
crypto isakmp enable outside
crypto isakmp nat-traversal 60
! Phase 1 policy: pre-shared group key, then Xauth for the personal login.
! 'group 2' is 1024-bit DH and 'hash sha' is SHA-1, the 2011-era defaults this
! page was written against; use group 14 or higher where the client supports it.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Phase 2: ESP with AES-256 and SHA-1 HMAC, PFS, rekey limits, and reverse-route
! injection so the address assigned to a client appears in the routing table.
crypto ipsec transform-set ts1 esp-aes-256 esp-sha-hmac
crypto dynamic-map crDM1 10 set pfs
crypto dynamic-map crDM1 10 set transform-set ts1
crypto dynamic-map crDM1 10 set security-association lifetime seconds 28800
crypto dynamic-map crDM1 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map crDM1 10 set reverse-route
crypto map crM1 10000 ipsec-isakmp dynamic crDM1
crypto map crM1 interface outside
! Corporate networks reached through the tunnel (the split-tunnel list).
access-list splitUsers extended permit ip any
! Addresses handed out to connected clients.
ip local pool vpnUsers mask
! Group policy: IPsec only, no cached credentials on the client, split
! tunnelling limited to the networks in the list above.
group-policy vpnUsers internal
group-policy vpnUsers attributes
 vpn-tunnel-protocol IPSec
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitUsers
! Tunnel group: its name is the 'group name' configured on the client,
! and the pre-shared-key is the 'group key' shared by all of its users.
tunnel-group vpnUsers type remote-access
tunnel-group vpnUsers general-attributes
 address-pool vpnUsers
 authentication-server-group LOCAL
 default-group-policy vpnUsers
tunnel-group vpnUsers ipsec-attributes
 pre-shared-key PleaseChangeMe!
! Local account used for Xauth; privilege 0 is the lowest management level.
username User1 password PleaseChangeMe! privilege 0

Some notes:

User authentication is done against the ASA's local database (authentication-server-group LOCAL). The network in access-list splitUsers is the corporate address range that clients reach through the tunnel; the range in ip local pool vpnUsers is the address range handed to VPN users.

To connect successfully a user must know the group name and group key (vpnUsers and PleaseChangeMe! in this example) and a personal login and password (User1 and PleaseChangeMe! in this example). The group key is one pre-shared key shared by every user of the tunnel group, so it is only the first of the two factors: make it long, do not reuse it as anyone's user password, and change it when a client device goes missing. The IKE policy shown (DH group 2, SHA-1) reflects the defaults of the time; on current images pick a higher DH group (14 or above) where the client supports it.

Cisco IOS router as an ezVPN Server

Last Updated on Monday, 18 June 2012 17:32


# Phil 2011-03-16 05:56
Does this need a no-NAT policy added? Such as:

nat (inside) 0 access-list splitUsers
# Alexei Spirin 2012-06-18 17:48
Sure, you need to add this as well as all the basic config, but you know, the latest trend, like 'no nat-control' as the default configuration in 8.3 and later, makes life easier :)