Cisco ASA Series CLI Configuration Manual page 1756

Software version 9.0 for the services module

Configuring Remote Access IPsec VPNs
There are two default tunnel groups in the ASA system: DefaultRAGroup, which is the default
remote-access tunnel group, and DefaultL2Lgroup, which is the default LAN-to-LAN tunnel group. You
can change them but not delete them. The ASA uses these groups to configure default tunnel parameters
for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified
during tunnel negotiation.
Perform the following task:

Detailed Steps

Step 1
Command: tunnel-group name type type
Purpose: Creates an IPsec remote access tunnel-group (also called connection profile).
Example:
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)#

Step 2
Command: tunnel-group name general-attributes
Purpose: Enters tunnel group general attributes mode where you can enter an authentication method.
Example:
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#

Step 3
Command: address-pool [(interface name)] address_pool1 [...address_pool6]
Purpose: Specifies an address pool to use for the tunnel group.
Example:
hostname(config-tunnel-general)# address-pool testpool

Step 4
Command: tunnel-group name ipsec-attributes
Purpose: Enters tunnel group ipsec attributes mode where you can enter IPsec-specific attributes for IKEv1 connections.
Example:
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-tunnel-ipsec)#

Step 5
Command: ikev1 pre-shared-key key
Purpose: (Optional) Configures a pre-shared key (IKEv1 only). The key can be an alphanumeric string from 1-128 characters. The keys for the adaptive security appliance and the client must be identical. If a Cisco VPN Client with a different pre-shared key size tries to connect, the client logs an error message indicating it failed to authenticate the peer.
Note: Configure AAA authentication for IKEv2 using certificates in the tunnel group webvpn-attributes.
Example:
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx

Creating a Dynamic Crypto Map
This section describes how to configure dynamic crypto maps, which define a policy template in which
not all the parameters have to be configured. These dynamic crypto maps let the ASA receive
connections from peers that have unknown IP addresses. Remote access clients fall in this category.

Cisco ASA Series CLI Configuration Guide, Chapter 1, page 1-12
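
The following audit script is an added example, not part of the Cisco guide. It parses tunnel-group lines like those entered in Steps 1 to 5 and reports remote-access groups without an address pool, keys outside the 1-128 alphanumeric format, keys reused across groups, and keys set on the default groups that the ASA falls back to when no specific tunnel group is identified. The sample configuration, the group name sales, the function names and the choice of checks are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample; "sales" and its key are made up, testgroup, testpool and
# the 44kk... key are the page's example values. Assumes keys appear in clear text.
SAMPLE_CONFIG = """\
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key 44kkaol59636jnfx
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 ikev1 pre-shared-key 44kkaol59636jnfx
tunnel-group sales type ipsec-ra
tunnel-group sales ipsec-attributes
 ikev1 pre-shared-key not-alnum!
"""
DEFAULT_GROUPS = {"defaultragroup", "defaultl2lgroup"}  # compared case-insensitively
HEADER = re.compile(r"tunnel-group (\S+) (?:type (\S+)|general-attributes|ipsec-attributes)$")

def parse_tunnel_groups(text):
    """Collect type, address pools and IKEv1 key for each tunnel group."""
    groups, current = defaultdict(lambda: {"type": None, "pools": [], "psk": None}), None
    for line in text.splitlines():
        m, words = HEADER.match(line), line.split()
        if m:
            current = m.group(1)
            groups[current]["type"] = m.group(2) or groups[current]["type"]
        elif current and line.startswith(" ") and words:
            if words[0] == "address-pool":  # skip the optional "(interface name)"
                groups[current]["pools"] += [w for w in words[1:] if "(" not in w and ")" not in w]
            elif words[:2] == ["ikev1", "pre-shared-key"] and len(words) == 3:
                groups[current]["psk"] = words[2]
    return dict(groups)

def audit(groups):
    """Return sorted (group, finding) pairs for the checks named in the lead-in."""
    findings, users = [], defaultdict(list)
    for name, g in groups.items():
        if g["type"] in ("ipsec-ra", "remote-access") and not g["pools"]:
            findings.append((name, "no address pool"))
        if g["psk"] is None:
            continue
        users[g["psk"]].append(name)
        if name.lower() in DEFAULT_GROUPS:
            findings.append((name, "pre-shared key on default group"))
        if not (g["psk"].isalnum() and len(g["psk"]) <= 128):
            findings.append((name, "key not 1-128 alphanumeric characters"))
    findings += [(",".join(sorted(n)), "key shared by several groups") for n in users.values() if len(n) > 1]
    return sorted(findings)
```

Calling audit(parse_tunnel_groups(SAMPLE_CONFIG)) returns the findings for the constructed sample; an empty list means none of the four checks fired.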