VPN Cheat for Cisco ASA using CLI

Posted by
Facebooktwitterredditpinterestlinkedintumblr

Who says you can’t cheat during the exam? Really? Hmmnnn… Last week I’m looking for WebVPN commands on Cisco’s website. I’m just skimming through the pages and my eyes caught the word “VPNsetup” and I said to myself “It smells something fishy here.” I dug the details on it and I saw gold. The gold was a guide on how to setup IPSec remote access, L2TP remote access, L2L and SSL web VPN. This tip can be use during the CCIE lab exam or VPN deployments.

ASA5510(config)# vpnsetup ipsec-remote-access steps
Steps to configure a remote access IKE/IPSec connection with examples:
1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha

3. Setup an address pool

ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method

aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254
key $ecretK3y

5. Define tunnel group

tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss

6. Setup ipsec parameters

crypto ipsec transform-set myset esp-aes esp-sha-hmac

7. Setup dynamic crypto map

crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route

8. Create crypto map entry and associate dynamic map with it

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

crypto map mymap interface outside

10. Enable isakmp on interface

crypto isakmp enable outside

ASA5510(config)# vpnsetup l2tp-remote-access steps
Steps to configure a remote access L2TP/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha

3. Setup an address pool

ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method

aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254
key $ecretK3y

5. Define tunnel group

tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss
tunnel-group DefaultRAGroup ppp-attributes
authentication pap

6. Setup ipsec parameters

crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec transform-set myset mode transport

7. Setup dynamic crypto map

crypto dynamic-map dynmap 1 set transform-set myset

8. Create crypto map entry and associate dynamic map with it

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

crypto map mymap interface outside

10. Enable isakmp on interface

crypto isakmp enable outside

ASA5510(config)# vpnsetup site-to-site steps

Steps to configure a site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha

3. Configure transform-set

crypto ipsec transform-set myset esp-aes esp-sha-hmac

4. Configure ACL

access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group

tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside

7. Enable isakmp on interface

crypto isakmp enable outside

ASA5510(config)# vpnsetup ssl-remote-access steps

Steps to configure a remote access SSL VPN remote access connection and AnyConnect with examples:

1. Configure and enable interface

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Enable WebVPN on the interface

webvpn
enable outside

3. Configure default route

route outside 0.0.0.0 0.0.0.0 10.10.4.200

4. Configure AAA authentication and tunnel group

tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LOCAL

5. If using LOCAL database, add users to the Database

username test password t3stP@ssw0rd
username test attributes
service-type remote-access

Proceed to configure AnyConnect VPN client:

6. Point the ASA to an AnyConnect image

webvpn
svc image anyconnect-win-2.1.0148-k9.pkg

7. enable AnyConnect

svc enable

8. Add an address pool to assign an ip address to the AnyConnect client

ip local pool client-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0

9. Configure group policy

group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

*