Cisco Remote-Access IPSec VPN Setup

ASDM also provides a VPN Wizard that configures remote-access IPSec VPN connections for the Cisco EasyVPN clients. This wizard guides you through the step-by-step configuration required for a working EasyVPN client tunnel. In this section, Figure 21-21 is used as the reference topology, in which a Cisco ASA is being set up to accept VPN connections on the outside interface from multiple remote-access clients. The inside interface of the Cisco ASA in Chicago is directly connected to the 192.168.10.0/24 subnet, while another inside network, 192.168.20.0/24, is behind Router1. The public interface's IP address is 209.165.200.225/27, and the default route sends all traffic to the next-hop router toward the Internet.

Figure 21-21. Remote-Access Topology

The goal of this example is to enable split tunneling such that the clients encrypt only traffic destined for the inside networks on Cisco ASA. All other traffic destined for the Internet, such as web traffic to www.cisco.com, should flow in clear text directly from the remote VPN clients.

Use the following procedure for step-by-step configuration of ASDM:

Step 1.

Launch the VPN Wizard.

To launch the VPN Wizard, click Wizards > VPN Wizard, as shown earlier in Figure 21-3.

ASDM launches the VPN Wizard, which provides an option to select the VPN tunnel type. Click the Remote Access radio button, as shown in Figure 21-22.

 

Figure 21-22. Selecting Remote-Access Tunnel

In this example, because VPN clients connect to Cisco ASA on the outside interface, the Outside interface is chosen from the drop-down menu in the VPN Tunnel Interface field. Click Next to move forward to the Remote Access Client window.

 

Step 2.

Select the type of remote-access VPN tunnel.

The current version of Cisco ASA supports only Cisco IPSec remote-access VPNs, which is the default remote-access VPN tunnel type, as shown in Figure 21-23. Click Next to move to the VPN Client Tunnel Group Name and Authentication Method window.

 

Figure 21-23. Selecting the Type of Remote-Access VPN

 

Step 3.

Set up the tunnel group name.

Specify the tunnel group name and the password if preshared keys are used. If PKI is being used, select the server certificate from the drop-down menu. In Figure 21-24, the administrator is setting up Cisco ASA with a tunnel group name of SecureMeTnlGrp with the associated preshared key of cisco123. Click Next to move to the Client Authentication window.

 

Figure 21-24. Specifying a Tunnel Group Name

 

Step 4.

Set the user authentication method.

As mentioned in Chapter 7, "Authentication, Authorization, and Accounting (AAA)," Cisco ASA supports local and external databases for user authentication. If an external database server is used for authentication, you must predefine it. If it is not defined earlier, you can leave the wizard and set it up under Configuration > Features > Properties > AAA Setup > AAA Servers. In Figure 21-25, the administrator is setting up Cisco ASA to use the local database for user authentication. Click Next to move to the User Accounts window.

 

Figure 21-25. Selecting the Local User Database

 

Step 5.

Create the user database.

In Step 4, the administrator is using the local user database for user authentication. ASDM allows you to create additional user accounts, if necessary. In Figure 21-26, the administrator is setting up an account for ciscouser2 with a password of 123cisco (shown in asterisks). Click Add to instruct ASDM to create a user account. Click Next to move to the Address Pool window.

 

Figure 21-26. Creating User Accounts

 

Step 6.

Assign IP addresses.

An important step in setting up the remote-access VPN connection is to assign an IP address to the client during the tunnel negotiation. ASDM prompts you to create an address pool and specify a range of IP addresses. In Figure 21-27, the administrator has set up an IP pool called ippool, which starts at 192.168.50.1 and ends at 192.168.50.127. The subnet mask for the range of addresses is 255.255.255.128. Click Next to move to the Attributes Pushed to Client (Optional) window.

 

Figure 21-27. Assigning IP Addresses

 

Step 7.

Set up mode configuration attributes.

The VPN Wizard allows you to configure three basic mode configuration attributes: the DNS server IP addresses, the WINS server IP addresses, and the domain name of the organization, as shown in Figure 21-28. In this example, 192.168.10.10 and 192.168.10.20 are used as the DNS addresses, and 192.168.10.20 and 192.168.10.10 are used as the WINS addresses. The domain name is securemeinc.com. Click Next to move to the IKE Policy window.

 

Figure 21-28. Assigning Mode Configuration Attributes

 

Step 8.

Select the IKE policy.

Cisco ASA allows you to choose the IKE parameters such as the encryption and authentication types and the Diffie-Hellman (DH) group. In Figure 21-29, the administrator has selected 3DES for encryption, SHA for authentication, and DH group 2 for key generation. Click Next to move to the IPSec Encryption and Authentication window.

 

Figure 21-29. IKE Policy

 

Note

Cisco VPN Client supports DH groups 2 and 5, by default. You have to select one of these groups to match the client settings.

Step 9.

Set up the IPSec transform set.

Set up the IPSec transform set by selecting the IPSec encryption and authentication methods. In Figure 21-30, the administrator has chosen 3DES for encryption and MD5 for hash authentication. Click Next to move to the Address Translation Exemption and Split Tunneling (Optional) window.

 

Figure 21-30. IPSec Transform Set

 

Step 10.

Bypass address translation.

If NAT control is enabled on the Cisco ASA, you can choose to bypass address translation for traffic sourced from the inside networks of the Cisco ASA and destined for the VPN clients' assigned addresses. ASDM creates an access list to identify the traffic traveling over the tunnel and applies NAT exemption (NAT 0) to it, so that inside hosts reply to the clients' pool addresses untranslated. To identify the local networks, add the local hosts/subnets/networks in the Selected Hosts/Networks pane, as shown in Figure 21-31. In this example, the administrator does not want 192.168.10.0/24 and 192.168.20.0/24 addresses to be translated when they send traffic to the VPN pool of addresses, 192.168.50.0/25.

 

Figure 21-31. Enabling Split Tunneling and NAT Exemption

By using split tunneling, you force the remote VPN clients to encrypt only the traffic destined for the inside networks of the Cisco ASA. All other traffic goes to the Internet in clear text, so the same networks that are NAT-exempt should appear in the split-tunnel list; a network missing from the list is reached in clear text through the client's default route. Enable split tunneling by checking the box at the bottom of Figure 21-31. Click Next to move to the last step of the VPN Wizard.

 

Step 11.

Verify remote-access configuration.

The last step in setting up a remote-access tunnel is to verify that all the parameters are accurate. If they look correct, click Finish to complete the wizard.

 

If the Preview Command Before Sending to the Device option is enabled in ASDM, the entire remote-access VPN configuration is displayed before being sent to the Cisco ASA. If the configuration looks accurate, click Send to push it to the Cisco ASA. Example 21-2 shows the complete remote-access VPN configuration created by ASDM. ASDM does not add comments; they are added here for ease of understanding.

Example 21-2. Complete Remote-Access Configuration Created by ASDM

!Access-list to bypass address translation
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.128
access-list inside_nat0_outbound permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.128
!Access-list is linked to NAT 0
nat (inside) 0 access-list inside_nat0_outbound
!Access-list to identify traffic for split tunneling
access-list SecureMeTnlGrp_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list SecureMeTnlGrp_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
!User accounts for local X-Auth
username ciscouser1 password ffIRPGpDSOJh9YLq encrypted privilege 0
username ciscouser2 password ffIRPGpDSOJh9YLq encrypted privilege 0
!Pool of addresses to be assigned to the VPN users
ip local pool ippool 192.168.50.1-192.168.50.127 mask 255.255.255.128
!Configuration of VPN group-policy
group-policy SecureMeTnlGrp internal
!group-policy to send mode-config attributes
group-policy SecureMeTnlGrp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SecureMeTnlGrp_splitTunnelAcl
 dns-server value 192.168.10.10 192.168.10.20
 wins-server value 192.168.10.20 192.168.10.10
 default-domain value securemeinc.com
!Configuration of remote-access VPN group called SecureMeTnlGrp
tunnel-group SecureMeTnlGrp type ipsec-ra
tunnel-group SecureMeTnlGrp general-attributes
!The VPN group is using VPN attributes from the group-policy
 default-group-policy SecureMeTnlGrp
 address-pool ippool
!Configuration of preshared key for SecureMeTnlGrp
tunnel-group SecureMeTnlGrp ipsec-attributes
 pre-shared-key cisco123
!IPSec transform-set for data encryption
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!ISAKMP Phase 1 policy
isakmp enable outside
isakmp policy 30 authen pre-share
isakmp policy 30 encrypt 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
!Dynamic crypto map configuration
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
!Static crypto map configuration
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!Sysopt to bypass interface access-list filtering for IPSec traffic
sysopt connection permit-ipsec
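The wizard output above is worth checking before it is pushed, because the three pieces it generates (the address pool, the NAT 0 exemption ACL, and the split-tunnel ACL) must agree with each other, and the Note in Step 8 constrains the DH group. The following Python linter is an added example, not code from the book or from ASDM: it parses the Example 21-2 commands (embedded below as a constructed copy without the comments), verifies that every pool address is covered by each NAT-exempt entry, that the split-tunnel networks and the NAT-exempt source networks are the same set, that the IKE DH group is one the Cisco VPN Client accepts, and that the dynamic map points at a defined transform set. The weak-algorithm list and the wording of the findings are this example's own assumptions; the page itself only shows that 3DES, MD5, and DH group 2 were chosen.

```python
"""Consistency checks over an ASDM-generated remote-access IPSec configuration."""
import ipaddress
import re

# Constructed sample input: the commands ASDM generated in Example 21-2,
# with the explanatory comments removed. Not captured from a live device.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.128
access-list inside_nat0_outbound permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
access-list SecureMeTnlGrp_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list SecureMeTnlGrp_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
ip local pool ippool 192.168.50.1-192.168.50.127 mask 255.255.255.128
group-policy SecureMeTnlGrp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SecureMeTnlGrp_splitTunnelAcl
tunnel-group SecureMeTnlGrp general-attributes
 default-group-policy SecureMeTnlGrp
 address-pool ippool
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 30 authen pre-share
isakmp policy 30 encrypt 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
"""

# Algorithms this example treats as too weak for a new deployment (assumption).
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract only the pieces the checks need from running-config text."""
    cfg = {"acls": {}, "nat0_acl": None, "split_acl": None, "pools": {},
           "address_pools": [], "transform_sets": {}, "isakmp": {}, "dynmap_ts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), None))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            cfg["split_acl"] = m[1]
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]), m[4])
        elif m := re.match(r"address-pool (\S+)", line):
            cfg["address_pools"].append(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)", line):
            cfg["isakmp"].setdefault(int(m[1]), {})[m[2]] = m[3]
        elif m := re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", line):
            cfg["dynmap_ts"].extend(m[1].split())
    return cfg


def check_config(cfg):
    """Return a list of 'ERROR: ...' / 'WARN: ...' strings; empty means clean."""
    findings = []
    nat0 = cfg["acls"].get(cfg["nat0_acl"], []) if cfg["nat0_acl"] else []
    split = cfg["acls"].get(cfg["split_acl"], []) if cfg["split_acl"] else []
    # 1. Every pool address must lie inside the destination of every NAT-exempt entry,
    #    otherwise replies from that inside network are translated and the tunnel breaks.
    for name in cfg["address_pools"]:
        if name not in cfg["pools"]:
            findings.append(f"ERROR: address-pool {name} referenced but never defined")
            continue
        start, end, mask = cfg["pools"][name]
        if end not in _net(start, mask):
            findings.append(f"ERROR: pool {name} range {start}-{end} exceeds its mask {mask}")
        for src, dst in nat0:
            if start not in dst or end not in dst:
                findings.append(f"ERROR: NAT-exempt entry {src} -> {dst} does not cover pool {name} ({start}-{end})")
    # 2. The split-tunnel list and the NAT-exempt sources must name the same inside networks.
    split_nets = {src for src, _ in split}
    nat0_srcs = {src for src, _ in nat0}
    for net in sorted(split_nets - nat0_srcs):
        findings.append(f"ERROR: {net} is split-tunneled but not NAT-exempt")
    for net in sorted(nat0_srcs - split_nets):
        findings.append(f"WARN: {net} is NAT-exempt but absent from the split-tunnel list; clients send it in clear text")
    # 3. IKE policy: the DH group must match the client (Note in Step 8); weak ciphers are flagged.
    for num, pol in sorted(cfg["isakmp"].items()):
        grp = pol.get("group")
        if grp not in ("2", "5"):
            findings.append(f"ERROR: isakmp policy {num} uses DH group {grp}; Cisco VPN Client supports only groups 2 and 5 by default")
        elif grp == "2":
            findings.append(f"WARN: isakmp policy {num} uses DH group 2 (1024-bit modulus)")
        for key in ("encrypt", "hash"):
            if pol.get(key) in WEAK:
                findings.append(f"WARN: isakmp policy {num} {key} {pol[key]} is a weak algorithm")
    # 4. Transform set: flag weak algorithms, and the dynamic map must reference a defined set.
    for name, algs in cfg["transform_sets"].items():
        for alg in algs:
            if alg in WEAK:
                findings.append(f"WARN: transform-set {name} uses weak algorithm {alg}")
    for name in cfg["dynmap_ts"]:
        if name not in cfg["transform_sets"]:
            findings.append(f"ERROR: dynamic-map references undefined transform-set {name}")
    return findings


def lint(text):
    return check_config(parse_config(text))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the Example 21-2 commands, the linter reports no structural errors but four warnings, one each for 3DES in the IKE policy, DH group 2, ESP-3DES, and ESP-MD5-HMAC; the structure the wizard produced is consistent, and the warnings are the crypto choices the wizard offered that a current deployment would not keep. Widening the pool to 192.168.50.1-192.168.50.200 without also widening the NAT 0 ACL, or dropping 192.168.20.0/24 from the split-tunnel ACL, are the two mistakes the first two checks exist to catch.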
