IKEv1 Remote Access VPN on Cisco ASA for Legacy VPN Client

Even after the release of the Cisco AnyConnect Secure Mobility Client, which supports SSL VPN in addition to IKEv2 remote-access IPsec VPN, there are still a number of people who use the legacy Cisco VPN Client to connect to an IKEv1 remote-access IPsec VPN.
In this scenario, we have to configure an IKEv1 remote-access VPN for the Sales and Engineering departments of a company. Engineering users must be given access to both the web server and the FTP server, while Sales users may only access the web server. Both groups resolve names through the same internal host, so DNS is permitted for both; the per-department restriction is enforced with a vpn-filter ACL on each group policy.


ASA# 
! Address pool handed out to connecting VPN clients
ip local pool RA_VPN_POOL 10.10.10.1-10.10.10.255 mask 255.255.255.0
!
! Split tunnel: only traffic for the inside network goes through the tunnel
access-list IKE1_RA_VPN_SplitTunnelACL standard permit 192.168.100.0 255.255.255.0
!
! vpn-filter ACLs: Sales gets web and DNS only, Engineering additionally gets FTP
access-list SALES_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list SALES_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq ftp
access-list ENGR_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
!
! Remote-access tunnel group with the group pre-shared key the client is configured with
tunnel-group IKE1_RA_VPN type remote-access
tunnel-group IKE1_RA_VPN general-attributes
 address-pool RA_VPN_POOL
tunnel-group IKE1_RA_VPN ipsec-attributes
 ikev1 pre-shared-key *****
!
! Phase 2 (IPsec) proposal, dynamic crypto map for clients with unknown addresses, and Phase 1 policy
crypto ipsec ikev1 transform-set ESP_AES_SHA esp-aes esp-sha-hmac
crypto dynamic-map IKE1_RA_VPN_DYNMAP 500 set pfs
crypto dynamic-map IKE1_RA_VPN_DYNMAP 500 set ikev1 transform-set ESP_AES_SHA
crypto map IKE1_RA_MAP 200 ipsec-isakmp dynamic IKE1_RA_VPN_DYNMAP
crypto map IKE1_RA_MAP interface OUTSIDE
crypto ikev1 enable OUTSIDE
! DH group 2 (1024-bit MODP) and SHA-1 are what the legacy client negotiates; both are weak by current standards
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Group policies: identical except for the vpn-filter ACL applied to tunnel traffic
group-policy SALES_RA_IKE1_VPN_GRP_POLICY internal
group-policy SALES_RA_IKE1_VPN_GRP_POLICY attributes
 dns-server value 192.168.100.10
 vpn-filter value SALES_VPN_ACL
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IKE1_RA_VPN_SplitTunnelACL
 default-domain value pacificgroup.co.in
!
group-policy ENGR_RA_IKE1_VPN_GRP_POLICY internal
group-policy ENGR_RA_IKE1_VPN_GRP_POLICY attributes
 dns-server value 192.168.100.10
 vpn-filter value ENGR_VPN_ACL
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IKE1_RA_VPN_SplitTunnelACL
 default-domain value pacificgroup.co.in
!
! Local users, each pinned to its department group policy
username salesuser password uXUrGApVTzN8lH14 encrypted
username salesuser attributes
 vpn-group-policy SALES_RA_IKE1_VPN_GRP_POLICY
 service-type remote-access
!
username engruser password osgMkcb3N.VlT8/u encrypted
username engruser attributes
 vpn-group-policy ENGR_RA_IKE1_VPN_GRP_POLICY
 service-type remote-access
!
! NAT exemption (identity NAT) so inside-to-VPN-pool traffic is not translated
object network VPN_USERS
 subnet 10.10.10.0 255.255.255.0
!
object network INSIDE_NETWORK
 subnet 192.168.100.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static INSIDE_NETWORK INSIDE_NETWORK destination static VPN_USERS VPN_USERS
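As an added example, not part of the original post, the following Python script parses the configuration above and checks that each user's effective vpn-filter matches the stated requirement (Sales: web and DNS only; Engineering: web, FTP and DNS). The config excerpt is constructed from the lines above, and the `INTENT` mapping, the function names and the simplified ACE grammar (only the `permit <proto> any host <ip> eq <service>` form used here) are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt of the configuration shown above (only the lines the check needs).
ASA_CONFIG = """\
access-list SALES_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list SALES_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq ftp
access-list ENGR_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
group-policy SALES_RA_IKE1_VPN_GRP_POLICY attributes
 vpn-filter value SALES_VPN_ACL
group-policy ENGR_RA_IKE1_VPN_GRP_POLICY attributes
 vpn-filter value ENGR_VPN_ACL
username salesuser attributes
 vpn-group-policy SALES_RA_IKE1_VPN_GRP_POLICY
username engruser attributes
 vpn-group-policy ENGR_RA_IKE1_VPN_GRP_POLICY
"""

# Assumed (simplified) ACE grammar: only the "permit <proto> any host <ip> eq <service>" form.
ACE_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\S+)$")

def parse_config(text):
    """Return (acls, vpn_filters, user_policies) from an ASA running-config excerpt."""
    acls, vpn_filters, user_policies, ctx = defaultdict(set), {}, {}, None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            acls[m.group(1)].add((m.group(2), m.group(3), m.group(4)))
        elif line.endswith(" attributes"):  # "group-policy X attributes" / "username X attributes"
            ctx = (line.split()[0], line.split()[1])
        elif line.startswith(" vpn-filter value ") and ctx and ctx[0] == "group-policy":
            vpn_filters[ctx[1]] = line.split()[-1]
        elif line.startswith(" vpn-group-policy ") and ctx and ctx[0] == "username":
            user_policies[ctx[1]] = line.split()[-1]
    return acls, vpn_filters, user_policies

def services_for_user(user, acls, vpn_filters, user_policies):
    """(proto, host, service) tuples the tunnel permits for user; None if no vpn-filter applies."""
    acl = vpn_filters.get(user_policies.get(user))
    return None if acl is None else set(acls[acl])

def audit(text, intent):
    """Compare effective per-user access with intent {user: {service, ...}}; return violations."""
    acls, vpn_filters, user_policies = parse_config(text)
    problems = []
    for user, wanted in intent.items():
        got = services_for_user(user, acls, vpn_filters, user_policies)
        if got is None:  # no vpn-filter on the group policy: tunnel traffic is not restricted
            problems.append(f"{user}: no vpn-filter on group-policy, tunnel traffic is unfiltered")
            continue
        names = {svc for _, _, svc in got}
        if names - wanted: problems.append(f"{user}: unexpectedly permitted {sorted(names - wanted)}")
        if wanted - names: problems.append(f"{user}: missing required {sorted(wanted - names)}")
    return problems

INTENT = {"salesuser": {"www", "domain"}, "engruser": {"www", "ftp", "domain"}}  # assumed requirement
```

Running `audit(ASA_CONFIG, INTENT)` on the excerpt returns an empty list; rerun it after any ACL change to confirm Sales still cannot reach FTP.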



To verify the connected users, use the following command; the Index value it reports identifies a session for the logoff command shown further down.
ASA# sh vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username     : engruser       Index        : 2
Assigned IP  : 10.10.10.1     Public IP    : 172.31.10.2
Protocol     : IKEv1 IPsec   
License      : Other VPN
Encryption   : AES128         Hashing      : SHA1
Bytes Tx     : 3775           Bytes Rx     : 10230
Group Policy : ENGR_RA_IKE1_VPN_GRP_POLICY
Tunnel Group : IKE1_RA_VPN
Login Time   : 18:15:43 UTC Thu Jul 11 2013
Duration     : 0h:02m:52s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A             VLAN         : none



To manually disconnect remote-access VPN users, the following commands can be used: the first logs off every IKEv1 IPsec session, the second logs off a single session by its index. The ASA records the teardown in syslog with the reason "Administrator Reset".
ASA# vpn-sessiondb logoff ra-ikev1-ipsec

ASA# vpn-sessiondb logoff index 4    
Do you want to logoff the VPN session(s)? [confirm]
INFO: Session with Index = 4 has been logged off

Jul 12 00:30:30 [IKEv1]Group = IKE1_RA_VPN, Username = engruser, IP = 172.31.10.2, Session is being torn down. Reason: Administrator Reset
