Thursday, May 23, 2013

Remote Access VPN on Cisco ASA 5505

One of my favorite things to do with new equipment is test the maximum throughput of the device. The Cisco ASA 5505 is a nice firewall appliance, but the ASA does not support BGP, so be wary if you are purchasing one to study for your CCNA.

In this post I will attempt to explain how to set up an IPsec remote-access VPN on the ASA (ver. 7.2) and authenticate users against RADIUS, using the CLI. There are a ton of guides on how to set up and configure the Cisco ASA 5505, so I will just run through the basic stuff I assume you already have configured on your ASA.

Basic stuff:

Set up the host name, interface names, IP addresses, VLAN assignments, NAT and the default route on the firewall. Enable or disable DHCP on the inside interface.



Delete the existing RSA keys

crypto key zeroize rsa


Configure your domain name

domain-name domain.com


Generate the keys

crypto key generate rsa general-keys modulus 1024
sh crypto key mypubkey rsa
wr mem


Allow traffic to enter and leave through the same interface (needed when VPN client traffic hairpins on the outside interface)

same-security-traffic permit intra-interface



Create the access list that matches traffic between the local network and the VPN clients (it will be used to exempt that traffic from NAT)

access-list noNAT extended permit ip 192.168.150.0 255.255.255.0 192.168.57.0 255.255.255.0


192.168.57.X is the subnet assigned to the virtual adapters of the VPN clients, and 192.168.150.X is the local subnet of my network.


Create the range of IP addresses that the VPN clients' virtual adapters will receive

ip local pool IPPoolforVPN 192.168.57.15-192.168.57.90 mask 255.255.255.0


Apply the access list created above so that traffic between the VPN clients and the local network is exempt from NAT

nat (inside) 0 access-list noNAT


Define the authentication server and type

aaa-server WindowsServer protocol radius
aaa-server WindowsServer max-failed-attempts 3
aaa-server WindowsServer deadtime 10
aaa-server WindowsServer (inside) host 192.168.150.11 shadowkey timeout 5



Create and name a group policy for the VPN group

group-policy ShadowVPN internal
group-policy ShadowVPN attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-idle-timeout 240
vpn-session-timeout 720
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
default-domain value domain.com
split-dns value domain.com
exit


Allow all traffic that enters the security appliance through a VPN tunnel to bypass the interface access lists

sysopt connection permit-vpn



Create the IPsec transform set, the dynamic crypto map and the ISAKMP (IKEv1) policy

crypto ipsec transform-set RemoteAccess esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set RemoteAccess
crypto map VPN 99 ipsec-isakmp dynamic dyn1
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp nat-traversal 3600
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
exit
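As an added example that is not part of the original post, here is a small Python audit that reads an ASA running-config excerpt and flags the settings in the crypto block above (and the sysopt command) that a reviewer would want to revisit: DH groups below 2048 bits, SHA-1 or MD5 in the ISAKMP policy and transform set, DES/3DES, and sysopt connection permit-vpn with no vpn-filter applied. The sample config is constructed from the commands in this post; the "legacy" thresholds are my assumptions, not anything the ASA enforces.

```python
import re
from typing import Dict, List

# Constructed sample: the commands from this post, as they appear in a running-config.
SAMPLE_CONFIG = """
crypto ipsec transform-set RemoteAccess esp-aes esp-sha-hmac
crypto map VPN 99 ipsec-isakmp dynamic dyn1
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
sysopt connection permit-vpn
"""

LEGACY_DH = {"1": "768-bit", "2": "1024-bit", "5": "1536-bit"}  # below the 2048-bit minimum assumed here
SUBKEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_isakmp_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Map each 'crypto isakmp policy N' block to its parameter/value pairs.
    Works on indented running-config output and on the flat CLI form alike."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:3] == ["crypto", "isakmp", "policy"] and len(parts) == 4:
            current = policies.setdefault(parts[3], {})
        elif current is not None and len(parts) == 2 and parts[0] in SUBKEYS:
            current[parts[0]] = parts[1]
        else:
            current = None  # 'exit', a blank line or the next top-level command ends the block
    return policies

def audit_config(config: str) -> List[str]:
    """Return one finding per legacy setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for num, p in sorted(parse_isakmp_policies(config).items()):
        if p.get("group") in LEGACY_DH:
            findings.append(f"isakmp policy {num}: DH group {p['group']} ({LEGACY_DH[p['group']]} MODP)")
        if p.get("hash") in ("md5", "sha"):  # on ASA 7.x 'sha' means SHA-1
            findings.append(f"isakmp policy {num}: hash {p['hash']} (SHA-1 or MD5)")
        if p.get("encryption") in ("des", "3des"):
            findings.append(f"isakmp policy {num}: encryption {p['encryption']}")
    for m in re.finditer(r"^\s*crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        name, algs = m.group(1), m.group(2).split()
        legacy = [a for a in algs if a in ("esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac")]
        if legacy:
            findings.append(f"transform-set {name}: {' '.join(legacy)}")
    if re.search(r"^\s*sysopt connection permit-vpn\s*$", config, re.M) \
            and not re.search(r"^\s*vpn-filter value ", config, re.M):
        findings.append("sysopt connection permit-vpn with no vpn-filter: tunnel traffic bypasses interface ACLs")
    return findings
```

Paste the output of show running-config into the string (or read it from a file) and print audit_config on it; a policy that uses aes-256, sha and group 14 yields only the SHA-1 finding.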


Create the tunnel group for remote-access IPsec clients

tunnel-group ShadowVPN type ipsec-ra


Specify the address pool you made earlier

tunnel-group ShadowVPN general-attributes
address-pool IPPoolforVPN


Specify the RADIUS server group and the default group policy, then set the pre-shared key

authentication-server-group WindowsServer
default-group-policy ShadowVPN
exit
tunnel-group ShadowVPN ipsec-attributes
pre-shared-key Hard.2.Guess.Key
exit
wr mem


Some commands to help troubleshoot issues

show crypto isakmp sa
show crypto ipsec sa
show crypto engine connection active
debug crypto isakmp
debug crypto ipsec



If the VPN connection is established but no traffic is encrypted or decrypted, check your ACL.


6 comments:

  1. Happy to know about VPN remote access. I am in search of a reputed VPN for Kodi and came across some good VPN service providers on the internet. Planning to take their services and hope to get good plans for using the internet.

  2. Kodi is an open source application that is popular amongst many. Many users of Kodi still are not aware of the far reach that Kodi has. When Kodi is paired with a VPN, the dynamics change completely, opening multiple doors and letting you have a large pool of access to different add-ons, channels, and shows. https://fastestvpn.com

  3. Classic blog!
    Please keep us informed like this.
    Thanks for sharing.
    Remote Access VPN in Phoenix AZ

  4. Merely a smiling visitant here to share the love (:, btw outstanding style. windscribe free

  5. This is such a great resource that you are providing, and you give it away for free. I love seeing a blog that understands the value of providing a quality resource for free. avast vpn torrenting