[c-nsp] VPN clients on Cisco ASA

Ryan West rwest at zyedge.com
Tue Jul 28 10:18:30 EDT 2009


Kiran,

You'll want to get Xauth configured for your RA-VPN.  Do you have an internal auth server you can query?  You can query AD directly through LDAP / NT protocol / Kerberos or use IAS through RADIUS.  Once you establish those servers, you'll want to call them in your tunnel-group Kir-VPN gen attributes.  You probably also want to set your default-group-policy to Kiran-CUCM-VPN in the same section.  Since you are most likely failing IKE negotiations, you can run a 'debug cry isa 2' and gather more information.

I would recommend following this guide and leveraging IAS; it's more of the traditional method, but I think it would be a good fit for your needs.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

You should try to sanitize your configs in the future, just put in x.x.x.x when posting public IPs.

-ryan


-----Original Message-----
From: Oddiraju, Kiran @ London SMC [mailto:Kiran.Oddiraju at cbre.com] 
Sent: Tuesday, July 28, 2009 10:01 AM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: Re: VPN clients on Cisco ASA

Hi Guys,

Appreciate your help on this. Have tried the VPN Wizard and the CLI config from the below link but still no luck. The Cisco VPN client tries to connect and after a few seconds shows Not Connected. I think it is an ACL issue but I am not 100% sure. I have attached the running config, could someone please take a look?

Many thanks,
Kiran

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: 27 July 2009 13:57
To: Oddiraju, Kiran @ London SMC; cisco-nsp at puck.nether.net
Subject: RE: VPN clients on Cisco ASA

Hello again Kiran,

I think you should take a quick read through the following link.  You can use the ASDM Remote Access VPN wizard to configure most of the settings and if you're interested in doing it via CLI, that's also an option.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

In particular, the options you have asked about are all covered in the doc except for split-tunneling, at least the associated output in CLI. You'll want to configure that inside the group policy you create from the link above.  Here is an example:

group-policy mygrouppolicyname attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <ACL Here>

Let me know how it works out for you.

-ryan
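Putting the pieces from both of Ryan's replies together (the split-tunnel group-policy settings above, and the Xauth server, tunnel-group general-attributes and default-group-policy he describes in his later reply), here is a complete remote-access IPsec configuration for the Cisco VPN Client. This is an added example, not Kiran's attached config and not taken from the linked Cisco documents. It assumes pre-8.3 ASA syntax (the 7.x/8.0-8.2 releases a 5505 ran in 2009), the 192.168.0.0/24 inside range from the original post, and the names Kir-VPN and Kiran-CUCM-VPN that Ryan quotes from Kiran's config. The RADIUS (IAS) server at 192.168.0.10, the 192.168.200.0/24 client pool, the ACL and server-group names, and the keys are placeholders chosen for this example.

```cisco
! --- Xauth backend: an IAS/RADIUS server on the inside (assumed address) ---
aaa-server RA-RADIUS protocol radius
aaa-server RA-RADIUS (inside) host 192.168.0.10
 key <radius-shared-secret>
!
! --- Addresses handed to VPN clients (assumed pool, outside the inside LAN) ---
ip local pool RA-POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0
!
! --- Split tunnel: only these destinations go through the tunnel, ---
! --- everything else (Internet) leaves via the client's local connection ---
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0
!
! --- NAT exemption so inside <-> VPN-pool traffic is not translated (pre-8.3) ---
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- Group policy: the per-group attributes, including split tunneling ---
group-policy Kiran-CUCM-VPN internal
group-policy Kiran-CUCM-VPN attributes
 dns-server value 192.168.0.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! --- Tunnel group: pool, Xauth server group and default policy all in one place ---
tunnel-group Kir-VPN type remote-access
tunnel-group Kir-VPN general-attributes
 address-pool RA-POOL
 authentication-server-group RA-RADIUS
 default-group-policy Kiran-CUCM-VPN
tunnel-group Kir-VPN ipsec-attributes
 pre-shared-key <group-preshared-key>
!
! --- Phase 1 / Phase 2 for clients with dynamic source addresses ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set RA-SET esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set RA-SET
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP interface outside
```

The client profile then uses group name Kir-VPN with the group pre-shared key, and the user is prompted for RADIUS credentials at the Xauth step. Because the group key is shared by every client in the group it only identifies the profile; Xauth is what authenticates the user, so a failing RADIUS lookup shows up as a dropped IKE negotiation and is best read from `debug crypto isakmp`. After a client connects, `show vpn-sessiondb remote` confirms the assigned pool address and the group policy that was applied. `sysopt connection permit-vpn` is on by default, so decrypted VPN traffic bypasses the outside interface ACL; if it has been turned off, the pool-to-inside flows must be permitted there explicitly.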

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran @ London SMC
Sent: Monday, July 27, 2009 8:33 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN clients on Cisco ASA

Hi List,


Cisco ASA 5505

Cisco VPN Client 5.0

ASA External IP: 80.90.100.117 /29

Internal range: 192.168.0.0 /24


I am new to the Cisco ASA world and have been struggling to configure my 5505 to accept VPN connections from external hosts. I want to allocate IP addresses dynamically, allow access to certain subnets and allow internet access through their local connection. Can someone please post me a sample ASA config?


Thanks guys


Regards,

Kiran


CB Richard Ellis Limited, Registered Office: St Martin's Court, 10 Paternoster Row, London, EC4M 7HP, registered in England and Wales No. 3536032.
Regulated by the RICS and an appointed representative of CB Richard Ellis Indirect Investment Services Limited which is authorised and regulated by the Financial Services Authority.

This communication is from CB Richard Ellis Limited or one of its associated/subsidiary companies. This communication contains information which is confidential and may be privileged. If you are not the intended recipient, please contact the sender immediately. Any use of its contents is strictly prohibited and you must not copy, send or disclose it, or rely on its contents in any way whatsoever. 
Reasonable care has been taken to ensure that this communication (and any attachments or hyperlinks contained within it) is free from computer viruses. 
No responsibility is accepted by CB Richard Ellis Limited or its associated/subsidiary companies and the recipient should carry out any appropriate virus checks.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
