[c-nsp] VPN clients on Cisco ASA

Oddiraju, Kiran @ London SMC Kiran.Oddiraju at cbre.com
Wed Jul 29 06:21:21 EDT 2009


I changed the default-group-policy to Kiran-CUCM-VPN and now I am able
to VPN in to my network. Thanks Ryan and everyone for your help.

Regards,
Kiran

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com] 
Sent: 28 July 2009 15:18
To: Oddiraju, Kiran @ London SMC
Cc: cisco-nsp at puck.nether.net
Subject: RE: VPN clients on Cisco ASA

Kiran,

You'll want to get Xauth configured for your RA-VPN.  Do you have an
internal auth server you can query?  You can query AD directly through
LDAP / NT protocol / Kerberos or use IAS through RADIUS.  Once you
establish those servers, you'll want to call them in your tunnel-group
Kir-VPN gen attributes.  You probably also want to set your
default-group-policy to Kiran-CUCM-VPN in the same section.  Since you
are most likely failing IKE negotiations, you can run a 'debug cry isa
2' and gather more information.


I would recommend following this guide and leveraging IAS, it's more of
the traditional method, but I think it would be a good fit for your
needs.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

You should try to sanitize your configs in the future, just put in
x.x.x.x when posting public IPs.

-ryan


-----Original Message-----
From: Oddiraju, Kiran @ London SMC [mailto:Kiran.Oddiraju at cbre.com] 
Sent: Tuesday, July 28, 2009 10:01 AM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: Re: VPN clients on Cisco ASA

Hi Guys,

Appreciate your help on this. Have tried the VPN Wizard and the CLI
config from the below link but still no luck. The Cisco VPN client tries
to connect and after a few seconds shows Not Connected. I think it
is an ACL issue but I am not 100% sure. I have attached the running
config, could someone please take a look?

Many thanks,
Kiran

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: 27 July 2009 13:57
To: Oddiraju, Kiran @ London SMC; cisco-nsp at puck.nether.net
Subject: RE: VPN clients on Cisco ASA

Hello again Kiran,

I think you should take a quick read through the following link.  You
can use the ASDM Remote Access VPN wizard to configure most of the
settings and if you're interested in doing it via CLI, that's also an
option.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

In particular, the options you have asked are all covered in the doc
except for split-tunneling, at least the associated output in CLI.
You'll want to configure that inside the group policy you create from
the link above.  Here is an example:

group-policy mygrouppolicyname attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <ACL Here>

Let me know how it works out for you.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran
@ London SMC
Sent: Monday, July 27, 2009 8:33 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN clients on Cisco ASA

Hi List,

Cisco ASA 5505
Cisco VPN Client 5.0
ASA External IP: 80.90.100.117 /29
Internal range: 192.168.0.0 /24

I am new to Cisco ASA world and have been struggling to configure my
5505 to accept VPN connections from external hosts. I want to allocate
IP address dynamically, allow access to certain subnets and allow
internet access thru their local connection. Can someone please post me
a sample ASA config?

Thanks guys

Regards,
Kiran


CB Richard Ellis Limited, Registered Office: St Martin's Court, 10
Paternoster Row, London, EC4M 7HP, registered in England and Wales No.
3536032. 
Regulated by the RICS and an appointed representative of CB Richard
Ellis Indirect Investment Services Limited which is authorised and
regulated by the Financial Services Authority.

This communication is from CB Richard Ellis Limited or one of its
associated/subsidiary companies. This communication contains information
which is confidential and may be privileged. If you are not the intended
recipient, please contact the sender immediately. Any use of its
contents is strictly prohibited and you must not copy, send or disclose
it, or rely on its contents in any way whatsoever. 
Reasonable care has been taken to ensure that this communication (and
any attachments or hyperlinks contained within it) is free from computer
viruses. 
No responsibility is accepted by CB Richard Ellis Limited or its
associated/subsidiary companies and the recipient should carry out any
appropriate virus checks.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
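
Added example (not part of the original thread and not any poster's actual configuration): how the pieces discussed above fit together on an ASA 8.x remote-access setup, with the address pool, split-tunnel ACL, RADIUS server group and group policy all referenced from the tunnel-group. Kir-VPN, Kiran-CUCM-VPN and 192.168.0.0/24 come from the thread; VPN-POOL, SPLIT-ACL, IAS-RADIUS, the pool range, the server address and the interface name "inside" are assumptions.

```cisco
! Constructed example. VPN-POOL, SPLIT-ACL, IAS-RADIUS, 192.168.50.0/24,
! 192.168.0.10 and the "inside" interface name are placeholders.

! Addresses handed out dynamically to VPN clients
ip local pool VPN-POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0

! Networks reached through the tunnel; all other traffic leaves via the
! client's local Internet connection
access-list SPLIT-ACL standard permit 192.168.0.0 255.255.255.0

! Xauth back end: IAS queried over RADIUS
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.168.0.10
 key <shared-secret>

! Group policy carrying the split-tunnel settings
group-policy Kiran-CUCM-VPN internal
group-policy Kiran-CUCM-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL

! Tunnel-group (the group name entered in the Cisco VPN Client)
tunnel-group Kir-VPN type remote-access
tunnel-group Kir-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group IAS-RADIUS
 ! If this line is absent the tunnel-group uses DfltGrpPolicy, and the
 ! group policy defined above is not the one applied to clients
 default-group-policy Kiran-CUCM-VPN
tunnel-group Kir-VPN ipsec-attributes
 pre-shared-key <group-password>
```

The fragment leaves out the ISAKMP policy and crypto map, which the tunnel also needs. After a client connects, "show vpn-sessiondb remote" lists the group policy and tunnel-group actually in use for the session.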
