Remote Access IPsec. Cisco ASA as an ezVPN Server
Written by Alexei Spirin   
Monday, 28 February 2011 13:35
ASA Config: ASA ezVPN Server with local authentication

sysopt connection permit-ipsec
crypto isakmp enable outside
crypto isakmp nat-traversal 60
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ts1 esp-aes-256 esp-sha-hmac
crypto dynamic-map crDM1 10 set pfs
crypto dynamic-map crDM1 10 set transform-set ts1
crypto dynamic-map crDM1 10 set security-association lifetime seconds 28800
crypto dynamic-map crDM1 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map crDM1 10 set reverse-route
crypto map crM1 10000 ipsec-isakmp dynamic crDM1
crypto map crM1 interface outside
!
access-list splitUsers extended permit ip 10.0.0.0 255.0.0.0 any
ip local pool vpnUsers 192.168.13.1-192.168.13.254 mask 255.255.255.0
!
group-policy vpnUsers internal
group-policy vpnUsers attributes
 vpn-tunnel-protocol IPSec
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitUsers
!
tunnel-group vpnUsers type remote-access
tunnel-group vpnUsers general-attributes
 address-pool vpnUsers
 authentication-server-group LOCAL
 default-group-policy vpnUsers
!
tunnel-group vpnUsers ipsec-attributes
 pre-shared-key PleaseChangeMe!
!
username User1 password PleaseChangeMe! privilege 0

Some notes:

User authentication is done against the ASA's local user database (authentication-server-group LOCAL).

10.0.0.0/8 is the corporate network address range; it is the only destination sent through the tunnel, because the split-tunnel list splitUsers permits just that network.

192.168.13.0/24 is the address range assigned to VPN users from the pool vpnUsers.

To connect, a user must know the group name and group key (vpnUsers and PleaseChangeMe! in this example) and a personal login and password (User1 and PleaseChangeMe! in this example). The group key and the user password are independent secrets; the example simply uses the same placeholder for both.
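As an added example that is not part of the original article, the Python script below parses the configuration above and checks that the pieces the notes describe actually fit together: that the tunnel-group's address pool and default group-policy exist, that the split-tunnel list the group-policy names is defined, that the VPN pool does not overlap the split-tunnel network, that the pre-shared key is not still a placeholder, and that the ISAKMP policy does not use a 1024-bit DH group. The embedded sample text, the placeholder list and all function names are assumptions of the example, not an ASA tool.

```python
"""Consistency and hygiene checks for an ASA remote-access (ezVPN) configuration."""
from ipaddress import ip_network

# Keywords that start a top-level command and therefore end any sub-mode.
TOP_LEVEL = {"sysopt", "crypto", "ip", "access-list", "group-policy",
             "tunnel-group", "username"}

# Constructed list of placeholder secrets, seeded with the value the sample uses.
PLACEHOLDER_SECRETS = {"PleaseChangeMe!", "cisco", "password"}

# Constructed sample: the server configuration from this page, trimmed to the
# parts the checks need.
SAMPLE_CONFIG = """
sysopt connection permit-ipsec
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ts1 esp-aes-256 esp-sha-hmac
crypto dynamic-map crDM1 10 set transform-set ts1
crypto map crM1 10000 ipsec-isakmp dynamic crDM1
crypto map crM1 interface outside
!
access-list splitUsers extended permit ip 10.0.0.0 255.0.0.0 any
ip local pool vpnUsers 192.168.13.1-192.168.13.254 mask 255.255.255.0
!
group-policy vpnUsers internal
group-policy vpnUsers attributes
 vpn-tunnel-protocol IPSec
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitUsers
!
tunnel-group vpnUsers type remote-access
tunnel-group vpnUsers general-attributes
 address-pool vpnUsers
 authentication-server-group LOCAL
 default-group-policy vpnUsers
!
tunnel-group vpnUsers ipsec-attributes
 pre-shared-key PleaseChangeMe!
!
"""


def _acl_source(tok):
    """Return the source network of an extended 'permit <proto> <src> ...' entry."""
    i = tok.index("permit") + 2          # skip the protocol keyword
    if tok[i] == "any":
        return ip_network("0.0.0.0/0")
    if tok[i] == "host":
        return ip_network(f"{tok[i + 1]}/32")
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)


def parse_config(text):
    """Collect the objects a remote-access tunnel-group depends on."""
    cfg = {"isakmp": {}, "pools": {}, "acls": {}, "group_policies": {}, "tunnel_groups": {}}
    section = None                        # dict receiving sub-mode attributes
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section = None
            continue
        tok = line.split()
        if tok[0] in TOP_LEVEL:
            section = None
            if tok[:3] == ["crypto", "isakmp", "policy"]:
                section = cfg["isakmp"].setdefault(tok[3], {})
            elif tok[:3] == ["ip", "local", "pool"]:
                first, last = tok[4].split("-")
                cfg["pools"][tok[3]] = {"first": first, "last": last, "mask": tok[6]}
            elif tok[0] == "access-list" and "permit" in tok:
                cfg["acls"].setdefault(tok[1], []).append(_acl_source(tok))
            elif tok[0] == "group-policy":
                gp = cfg["group_policies"].setdefault(tok[1], {})
                if tok[2] == "attributes":
                    section = gp
            elif tok[0] == "tunnel-group":
                tg = cfg["tunnel_groups"].setdefault(tok[1], {})
                if tok[2] == "type":
                    tg["type"] = tok[3]
                else:                     # general-attributes / ipsec-attributes
                    section = tg
        elif section is not None:
            section[tok[0]] = tok[-1]     # e.g. "address-pool vpnUsers" -> vpnUsers
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for num, pol in cfg["isakmp"].items():
        if int(pol.get("group", "2")) < 14:   # ASA defaults to group 2 when omitted
            findings.append(f"isakmp policy {num}: DH group {pol.get('group', '2')} "
                            "is 1024-bit or weaker; use group 14 or higher")
        if pol.get("encryption") in ("des", "3des") or pol.get("hash") == "md5":
            findings.append(f"isakmp policy {num}: legacy cipher or hash")
    for name, tg in cfg["tunnel_groups"].items():
        if tg.get("type") != "remote-access":
            continue
        pool = tg.get("address-pool")
        if pool not in cfg["pools"]:
            findings.append(f"tunnel-group {name}: address-pool {pool!r} is not defined")
        gp_name = tg.get("default-group-policy")
        gp = cfg["group_policies"].get(gp_name)
        if gp is None:
            findings.append(f"tunnel-group {name}: default-group-policy {gp_name!r} is not defined")
        psk = tg.get("pre-shared-key")
        if psk is None:
            findings.append(f"tunnel-group {name}: no pre-shared-key configured")
        elif psk in PLACEHOLDER_SECRETS:
            findings.append(f"tunnel-group {name}: pre-shared-key is a known placeholder")
        if gp and gp.get("password-storage") == "enable":
            findings.append(f"group-policy {gp_name}: client-side password storage enabled")
        if gp and gp.get("split-tunnel-policy") == "tunnelspecified":
            acl = gp.get("split-tunnel-network-list")
            nets = cfg["acls"].get(acl)
            if nets is None:
                findings.append(f"group-policy {gp_name}: split-tunnel ACL {acl!r} is not defined")
            elif pool in cfg["pools"]:
                p = cfg["pools"][pool]
                pool_net = ip_network(f"{p['first']}/{p['mask']}", strict=False)
                for net in nets:
                    if pool_net.overlaps(net):
                        findings.append(f"pool {pool} ({pool_net}) overlaps split-tunnel network {net}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the page's configuration the script reports exactly two things: the placeholder pre-shared key and the 1024-bit DH group in ISAKMP policy 10; the pool, group-policy and split-tunnel list all resolve, and 192.168.13.0/24 does not overlap 10.0.0.0/8. Feeding it the output of `show running-config` from a box with a renamed pool or a deleted ACL surfaces the dangling reference before the first client fails to connect.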


Last Updated on Monday, 18 June 2012 17:32