- About This Guide
- Index
- Glossary
-
- Configuring IPSec and ISAKMP
- Configuring L2TP over IPSec
- Setting General VPN Parameters
- Configuring Tunnel Groups, Group Policies, and Users
- Configuring IP Addresses for VPN
- Configuring Remote Access VPNs
- Configuring Network Admission Control
- Configuring Easy VPN on the ASA 5505
- Configuring the PPPoE Client
- Configuring LAN-to-LAN VPNs
- Configuring Clientless SSL VPN
- Configuring AnyConnect VPN Client Connections
- Configuring AnyConnect Host Scan
- Information About Remote Access IPsec VPNs
- Licensing Requirements for Remote Access IPsec VPNs
- Guidelines and Limitations
- Configuring Remote Access IPsec VPNs
- Configuring Interfaces
- Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
- Configuring an Address Pool
- Adding a User
- Creating an IKEv1 Transform Set or IKEv2 Proposal
- Defining a Tunnel Group
- Creating a Dynamic Crypto Map
- Creating a Crypto Map Entry to Use the Dynamic Crypto Map
- Saving the Security Appliance Configuration
- Configuration Examples for Remote Access IPsec VPNs
- Feature History for Remote Access VPNs
Configuring Remote Access IPsec VPNs
This chapter describes how to configure Remote Access IPsec VPNs and includes the following sections:
Information About Remote Access IPsec VPNs
Remote access VPNs allow users to connect to a central site through a secure connection over a TCP/IP network such as the Internet. The Internet Security Association and Key Management Protocol, also called IKE, is the negotiation protocol that lets the IPsec client on the remote PC and the ASA agree on how to build an IPsec Security Association. Each ISAKMP negotiation is divided into two sections called Phase1 and Phase2.
Phase 1 creates the first tunnel to protect later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data travelling across the secure connection.
To set the terms of the ISAKMP negotiations, you create an ISAKMP policy. It includes the following:
- An authentication method, to ensure the identity of the peers.
- An encryption method, to protect the data and ensure privacy.
- A Hashed Message Authentication Codes (HMAC) method to ensure the identity of the sender and to ensure that the message has not been modified in transit.
- A Diffie-Hellman group to set the size of the encryption key.
- A time limit for how long the ASA uses an encryption key before replacing it.
A transform set combines an encryption method and an authentication method. During the IPsec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. The transform set must be the same for both peers.
A transform set protects the data flows for the access list specified in the associated crypto map entry. You can create transform sets in the ASA configuration, and then specify a maximum of 11 of them in a crypto map or dynamic crypto map entry. For more overview information, including a table that lists valid encryption and authentication methods, see the “Creating an IKEv1 Transform Set” section in Chapter 73, “Configuring LAN-to-LAN IPsec VPNs” of this guide.
Licensing Requirements for Remote Access IPsec VPNs
The following table shows the licensing requirements for this feature:
Note This feature is not available on No Payload Encryption models.
|
|
---|---|
Base license and Security Plus license: 2 sessions. Optional permanent or time-based licenses: 10 or 25 sessions. Shared licenses are not supported.2 – AnyConnect Essentials license3: 25 sessions. |
|
Base and Security Plus license: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, or 250 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 250 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, or 750 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 750 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, or 2500 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 2500 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 5000 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, or 10000 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 10000 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, or 250 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 250 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, or 250 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 250 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, or 750 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 750 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, or 2500 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 2500 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 5000 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 5000 sessions. |
|
Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, or 10000 sessions. Optional Shared licenses 2 : Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000. – AnyConnect Essentials license 3 : 10000 sessions. |
|
1.The maximum combined VPN sessions of all types cannot exceed the maximum sessions shown in this table. For the ASA 5505, the maximum combined sessions is 10 for the Base license, and 25 for the Security Plus license. 2.A shared license lets the ASA act as a shared license server for multiple client ASAs. The shared license pool is large, but the maximum number of sessions used by each individual ASA cannot exceed the maximum number listed for permanent licenses. 3.The AnyConnect Essentials license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license. |
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Supported only in single context mode. Does not support multiple context mode.
Supported only in routed firewall mode. Transparent mode is not supported.
IPsec VPN sessions are replicated in Active/Standby failover configurations only. Active/Active failover configurations are not supported.
Configuring Remote Access IPsec VPNs
This section describes how to configure remote access VPNs and includes the following topics:
- Configuring Interfaces
- Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
- Configuring an Address Pool
- Adding a User
- Creating an IKEv1 Transform Set or IKEv2 Proposal
- Defining a Tunnel Group
- Creating a Dynamic Crypto Map
- Creating a Crypto Map Entry to Use the Dynamic Crypto Map
- Saving the Security Appliance Configuration
Configuring Interfaces
An ASA has at least two interfaces, referred to here as outside and inside. Typically, the outside interface is connected to the public Internet, while the inside interface is connected to a private network and is protected from public access.
To begin, configure and enable two interfaces on the ASA. Then assign a name, IP address and subnet mask. Optionally, configure its security level, speed and duplex operation on the security appliance.
To configure interfaces, perform the following steps, using the command syntax in the examples:
Detailed Steps
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
This section describes the procedure to configure an ISAKMP policy on the outside interface and how to enable the policy.
Detailed Steps
Perform the following steps and use the command syntax in the following examples as a guide.
Configuring an Address Pool
The ASA requires a method for assigning IP addresses to users. This section uses address pools as an example. Use the command syntax in the following examples as a guide.
Adding a User
This section shows how to configure usernames and passwords. Use the command syntax in the following examples as a guide.
Creating an IKEv1 Transform Set or IKEv2 Proposal
This section shows how to configure a transform set (IKEv1) or proposal (IKEv2), which combines an encryption method and an authentication method.
Use the command syntax in the following examples as a guide.
Defining a Tunnel Group
This section describes how to configure a tunnel group, which is a set of records that contain tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define a default group policy. The ASA stores tunnel groups internally.
There are two default tunnel groups in the ASA system: DefaultRAGroup, which is the default remote-access tunnel group, and DefaultL2Lgroup, which is the default LAN-to-LAN tunnel group. You can change them but not delete them. The ASA uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation.
Use the command syntax in the following examples as a guide.
Detailed Steps
Creating a Dynamic Crypto Map
This section describes how to configure dynamic crypto maps, which define a policy template where all the parameters do not have to be configured. These dynamic crypto maps let the ASA receive connections from peers that have unknown IP addresses. Remote access clients fall in this category.
Dynamic crypto map entries identify the transform set for the connection. You also enable reverse routing, which lets the ASA learn routing information for connected clients, and advertise it via RIP or OSPF.
Use the command syntax in the following examples as a guide.
Detailed Steps
Creating a Crypto Map Entry to Use the Dynamic Crypto Map
This section describes how to create a crypto map entry that lets the ASA use the dynamic crypto map to set the parameters of IPsec security associations.
In the following examples for this command, the name of the crypto map is mymap, the sequence number is 1, and the name of the dynamic crypto map is dyn1, which you created in the previous section, “Creating a Dynamic Crypto Map.”
Use the command syntax in the following examples as a guide.
Detailed Steps
Saving the Security Appliance Configuration
After performing the preceding configuration tasks, be sure to save your configuration changes as shown in this example:
Configuration Examples for Remote Access IPsec VPNs
The following example shows how to configure a remote access IPsec/IKEv1 VPN:
The following example shows how to configure a remote access IPsec/IKEv2 VPN:
Feature History for Remote Access VPNs
Table 69-1 lists the release history for this feature.