This document describes how to configure the Cisco 5500 Series Adaptive
Security Appliance (ASA) to act as a remote VPN server using the Adaptive
Security Device Manager (ASDM) or CLI and NAT the Inbound VPN Client traffic.
The ASDM delivers world-class security management and monitoring through an
intuitive, easy-to-use Web-based management interface. Once the Cisco ASA
configuration is complete, it can be verified through the Cisco VPN
This document assumes that the ASA is fully operational and configured
to allow the Cisco ASDM or CLI to make configuration changes. The ASA is also
assumed to be configured for Outbound NAT. Refer to
Inside Hosts Access to Outside Networks with the use of PAT for more
information on how to configure Outbound NAT.
Note: Refer to
HTTPS Access for ASDM or
7.x: SSH on the Inside and Outside Interface Configuration Example to
allow the device to be remotely configured by the ASDM or Secure Shell
The information in this document is based on these software and
Cisco Adaptive Security Appliance Software version 7.x and later
Adaptive Security Device Manager version 5.x and
Cisco VPN Client version 4.x and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
This configuration can also be used with Cisco PIX Security Appliance
version 7.x and later.
Technical Tips Conventions for more information on document
Remote access configurations provide secure remote access for Cisco VPN
clients, such as mobile users. A remote access VPN lets remote users securely
access centralized network resources. The Cisco VPN Client complies with the
IPSec protocol and is specifically designed to work with the security
appliance. However, the security appliance can establish IPSec connections with
many protocol-compliant clients. Refer to
Configuration Guides for more information on IPSec.
Groups and users are core concepts in the management of the security of
VPNs and in the configuration of the security appliance. They specify
attributes that determine users' access to and use of the VPN. A group is a
collection of users treated as a single entity. Users get their attributes from
group policies. Tunnel groups identify the group policy for specific
connections. If you do not assign a particular group policy to users, the
default group policy for the connection applies.
A tunnel group consists of a set of records that determines tunnel
connection policies. These records identify the servers to which the tunnel
users are authenticated, as well as the accounting servers, if any, to which
connection information is sent. They also identify a default group policy for
the connections, and they contain protocol-specific connection parameters.
Tunnel groups include a small number of attributes that pertain to the creation
of the tunnel itself. Tunnel groups include a pointer to a group policy that
defines user-oriented attributes.
Complete these steps in order to configure the Cisco ASA as a remote
VPN server with ASDM:
Open your browser and enter https://<IP_Address of the
interface of ASA that has been configured for ASDM Access> in order
to access the ASDM on the ASA.
Make sure to authorize any warnings your browser gives you related
to SSL certificate authenticity. The default username and password are both
The ASA presents this window to allow the download of the ASDM
application. This example loads the application onto the local computer and
does not run in a Java applet.
Click Download ASDM Launcher and Start ASDM in
order to download the installer for the ASDM application.
Once the ASDM Launcher downloads, complete the steps directed by
the prompts in order to install the software and run the Cisco ASDM
Enter the IP address for the interface you configured with the
http - command, and a username and password if you
This example uses cisco123 as the username and
cisco123 as the password.
Select Wizards > IPsec VPN Wizard from the Home
Select the Remote Access VPN tunnel type and
ensure that the VPN Tunnel Interface is set as desired, and click
Next as shown here.
The VPN Client Type is chosen, as shown. Cisco VPN
Client is chosen here. Click Next.
Enter a name for the Tunnel Group Name. Enter the
authentication information to use, which is the pre-shared key
in this example. The pre-shared key used in this example is
cisco123. The Tunnel Group Name used in this example is
cisco. Click Next.
Choose whether you want remote users to be authenticated to the
local user database or to an external AAA server group.
Note: You add users to the local user database in step 10.
Note: Refer to
7.x Authentication and Authorization Server Groups for VPN Users via ASDM
Configuration Example for information on how to configure an external
AAA server group with ASDM.
Provide a Username and optional
Password and click Add in order to add new
users to the user authentication database. Click Next.
Note: Do not remove existing users from this window. Select
Configuration > Device Management > Users/AAA > User
Accounts in the main ASDM window to edit existing entries in the
database or to remove them from the database.
In order to define a pool of local addresses to be dynamically
assigned to remote VPN Clients, click New to create a new
In the new window titled Add IP Pool, provide this
information, and click OK.
Name of the IP Pool
Starting IP Address
Ending IP Address
After you define the pool of local addresses to be dynamically
assigned to remote VPN Clients when they connect, click
Optional: Specify the DNS and WINS server
information and a Default Domain Name to be pushed to remote VPN
Specify the parameters for IKE, also known as IKE Phase 1.
Configurations on both sides of the tunnel must match exactly.
However, the Cisco VPN Client automatically selects the proper configuration
for itself. Therefore, no IKE configuration is necessary on the client PC.
This window shows a summary of the actions that you have taken.
Click Finish if you are satisfied with your configuration.
Complete these steps in order to configure the Cisco ASA to NAT Inbound
VPN Client traffic with ASDM:
Choose Configuration > Firewall > Nat Rules,
and click Add. In the drop-down list, select Add
Dynamic NAT Rule.
In the Add Dynamic NAT Rule window, choose
Outside as the Interface, and click the browse button next to
the Source box.
In the Browse Source window, select the proper network objects and
also choose the source under the Selected Source section, and
click OK. Here the 192.168.1.0 Network Object is chosen.
In the Manage Global Pool window, click
In the Add Global Address Pool window, choose
Inside as the Interface and 2 as the
Pool ID. Also make sure that the radio button next to
PAT using IP Address of the interface is selected. Click
Add>>, and then click
Click OK after you select the global pool with the
Pool ID 2 configured in the previous
Now click Apply so that the configuration is
applied to the ASA. This completes the
Running Config on the ASA Device
ASA Version 8.0(3)
enable password 8Ry2YjIyt7RRXU24 encrypted
ip address 10.10.10.2 255.255.255.0
ip address 172.16.1.2 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255
pager lines 24
mtu Outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (inside) 2 interface
nat (Outside) 2 192.168.1.0 255.255.255.0 outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 10.10.10.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
!--- Configuration for IPsec policies.
!--- Enables the crypto transform configuration mode,
!--- where you can specify the transform sets that are used
!--- during an IPsec negotiation.
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SH
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
!--- Configuration for IKE policies.
!--- Enables the IKE policy configuration (config-isakmp)
!--- command mode, where you can specify the parameters that
!--- are used during an IKE negotiation. Encryption and
!--- Policy details are hidden as the default values are chosen.
crypto isakmp policy 10
crypto isakmp policy 30
telnet timeout 5
ssh timeout 60
console timeout 0
threat-detection statistics access-list
group-policy cisco internal
group-policy cisco attributes
!--- Specifies the username and password with their
!--- respective privilege levels
username cisco123 password ffIRPGpDSOJh9YLq encrypted privilege 15
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 0
username cisco attributes
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
!--- Specifies the pre-shared key "cisco123" which must
!--- be identical at both peers. This is a global
!--- configuration mode command.
tunnel-group cisco ipsec-attributes
policy-map type inspect dns migrated_dns_map_1
message-length maximum 512
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
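As an added consistency check that is not part of the original document, this Python script parses the ip local pool, nat, global and nat 0 access-list lines of the running config above (pre-8.3 nat/global syntax) and reports the inconsistencies that would leave inbound VPN client traffic untranslated: a pool not fully covered by a nat rule on the tunnel interface, a rule without the outside keyword, a nat ID with no matching global on another interface, and inside-to-pool traffic that is not NAT-exempted. The config excerpt is embedded as constructed input, and the tunnel interface name Outside is an assumption.

```python
import ipaddress
import re

# Constructed excerpt of the running config shown above (pre-8.3 nat/global syntax).
RUNNING_CONFIG = """
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
global (Outside) 1 interface
global (inside) 2 interface
nat (Outside) 2 192.168.1.0 255.255.255.0 outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)( outside)?$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any (\S+) (\S+)$")


def audit_vpn_nat(config, tunnel_iface="Outside"):
    """Return findings (empty list == consistent) for the VPN pool NAT setup."""
    pools, nats, globs, nat0_acls, acls = {}, [], {}, [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m[2])
        elif m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            nats.append((m[1], int(m[2]), net, bool(m[5])))
        elif m := GLOBAL_RE.match(line):
            globs.setdefault(int(m[2]), set()).add(m[1].lower())
        elif m := ACL_RE.match(line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            acls.setdefault(m[1], []).append(net)
    findings = []
    for name, (first, last) in pools.items():
        # 1. a nat rule on the tunnel interface must cover the whole pool
        inbound = [n for n in nats if n[0] == tunnel_iface and n[1] != 0
                   and first in n[2] and last in n[2]]
        if not inbound:
            findings.append(f"{name}: no nat ({tunnel_iface}) rule covers the pool")
        for iface, nat_id, _, outside_kw in inbound:
            # 2. lower-security interface: needs 'outside' and a global with the same ID
            if not outside_kw:
                findings.append(f"nat ({iface}) {nat_id}: missing 'outside' keyword")
            if not globs.get(nat_id, set()) - {iface.lower()}:
                findings.append(f"nat ({iface}) {nat_id}: no global {nat_id} on another interface")
        # 3. inside-to-pool traffic must be exempt from NAT (nat 0 access-list)
        if not any(first in net and last in net
                   for acl in nat0_acls for net in acls.get(acl, [])):
            findings.append(f"{name}: no nat 0 access-list exempts the pool")
    return findings
```

Run audit_vpn_nat against the output of show running-config on a device using this syntax; an empty list means the pool, nat, global and exemption entries agree with each other.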
Attempt to connect to the Cisco ASA through the Cisco VPN Client in
order to verify that the ASA is successfully configured.
Fill in the details of your new connection.
The Host field must contain the IP address or hostname of the
previously configured Cisco ASA. The Group Authentication information must
correspond to that used in step 4. Click Save
when you are finished.
Select the newly created connection, and click
Enter a username and password for extended authentication. This
information must match that specified in steps 5 and 6.
Once the connection is successfully established, choose
Statistics from the Status menu in order to verify the details
of the tunnel.
This window shows traffic and crypto information:
This window shows split tunneling information:
This section provides information you can use to troubleshoot your
The Output Interpreter Tool (OIT) (registered customers only) supports certain
show commands. Use the OIT to view an analysis of show command output.
Common L2L and Remote Access IPSec VPN Troubleshooting Solutions for
more information on how to troubleshoot Site-Site VPN.