VPN – CCIE23050.com CCIE Network blog HTTP://1806971003

ASA Anyconnect config

Posted on November 1, 2016 by admin

Pre 8.3

ssl trust-point ASDM_TrustPoint1 OUTSIDE

webvpn

enable OUTSIDE

anyconnect-essentials

svc image disk0:/anyconnect-win-3.1.02040-k9.pkg 1

svc image disk0:/anyconnect-linux-2.5.6005-k9.pkg 2

svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 3

svc image disk0:/anyconnect-linux-64-2.5.6005-k9.pkg 4

svc enable

tunnel-group-list enable

tunnel-group TG_Anyconnect type remote-access

tunnel-group TG_Anyconnect general-attributes

address-pool VPN_POOL

authentication-server-group RSA

tunnel-group TG_Anyconnect webvpn-attributes

proxy-auth sdi

group-alias A disable

group-alias A_AnyConnect enable

group-alias Anyconnect disable

Post 8.3

ssl trust-point ASDM_TrustPoint1 OUTSIDE

webvpn

enable OUTSIDE

anyconnect enable

tunnel-group-list enable

tunnel-group TG_Anyconnect type remote-access

tunnel-group TG_Anyconnect general-attributes

address-pool VPN_POOL

authentication-server-group RSA

tunnel-group TG_Anyconnect webvpn-attributes

proxy-auth sdi

group-alias A disable

group-alias A_AnyConnect enable

group-alias Anyconnect disable

group-policy DfltGrpPolicy attributes

dns-server value 8.8.8.8

vpn-simultaneous-logins 500

vpn-idle-timeout 180

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client

default-domain value ccie23050.com

post 8.3 ASA l2l VPN config

Posted on November 1, 2016 by admin

name 77.77.77.77 farend_Peer

name 10.77.1.1 farend_Host1

name 10.77.1.2 farend_Host2

name 10.77.1.3 farend_Host3

object-group network FAR_END_HOSTS

description FAR_END_HOSTS

network-object 10.77.1.1 255.255.255.255

network-object 10.77.1.2 255.255.255.255

network-object 10.77.1.3 255.255.255.255

object-group network LOCAL-END_HOSTS

description LOCAL-END_HOSTS

network-object 172.16.77.0 255.255.255.0

network-object 172.20.77.0 255.255.255.0

access-list 105 extended permit ip object-group LOCAL-END_HOSTS object-group FAR_END_HOSTS

Tunnel Group Config

tunnel-group 77.77.77.77 type ipsec-l2l

tunnel-group 77.77.77.77 ipsec-attributes

ikev1 pre-shared-key xxxxx

Crypto Config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_map 20 match address 105

crypto map OUTSIDE_map 20 set pfs

crypto map OUTSIDE_map 20 set peer 77.77.77.77

crypto map OUTSIDE_map 20 set ikev1 transform-set ESP-AES-256-SHA

crypto map OUTSIDE_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 3

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

NAT Config

object-group network obj-remote-NAT

network-object 10.77.1.0 255.255.255.0

object-group network obj-local-NAT

network-object 172.16.77.0 255.255.255.0

network-object 172.20.77.0 255.255.255.0

nat (INSIDE,OUTSIDE) source static obj-local-NAT obj-local-NAT destination static obj-remote-NAT obj-remote-NAT

ASA EZVPN

Posted on November 1, 2016 by admin

crypto ipsec transform-set FirstSet esp-aes esp-sha-hmac

crypto dynamic-map dyn1 1 set transform-set FirstSet

crypto dynamic-map dyn1 1 set reverse-route

crypto map CMAP 1 ipsec-isakmp dynamic dyn1

crypto map CMAP interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

access-list 100 extended permit ip 10.0.0.0 255.0.0.0 any

group-policy tgroup1gp internal

group-policy tgroup1gp attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 100

username cisco password cisco

ip local pool TESTPOOL 192.168.0.1-192.168.0.254

tunnel-group tgroup1 type remote-access

tunnel-group tgroup1 general-attributes

address-pool TESTPOOL

default-group-policy tgroup1gp

tunnel-group tgroup1 ipsec-attributes

pre-shared-key cisco

on client

tgroup1 password cisco

then username cisco password cisco