
Cisco ASA 8.4 IOS - Remote Access VPN

Below is the minimal configuration needed to implement remote access VPNs on a Cisco ASA 5505 running 8.4. Please keep in mind that the names I used in my configuration are my dog's, but it's best practice to use a name that describes what or who it's for.


Enable IKEv1 (ISAKMP) on the outside interface and define the Phase 1 policy:

ASA-2(config)# crypto ikev1 enable outside

ASA-2(config)# crypto ikev1 policy 1

ASA-2(config-ikev1-policy)# encryption 3des

ASA-2(config-ikev1-policy)# authentication pre-share

ASA-2(config-ikev1-policy)# hash md5

Nothing sets group or lifetime here, so the policy takes the ASA defaults (Diffie-Hellman group 2 and an 86400-second lifetime). 3DES and MD5 are deprecated; prefer encryption aes-256 and hash sha, and set group explicitly to the strongest Diffie-Hellman group your clients support.

Setup your Group Policies & Tunnel Policies

ASA-2(config)# group-policy oscar_GP internal

ASA-2(config)# group-policy oscar_GP attributes

ASA-2(config-group-policy)# vpn-tunnel-protocol ikev1

ASA-2(config-group-policy)# address-pools value oscar_pool

*******************

ASA-2(config)# tunnel-group oscar_tg type remote-access

ASA-2(config)# tunnel-group oscar_tg general-attributes

ASA-2(config-tunnel-general)# default-group-policy oscar_GP

ASA-2(config-tunnel-general)# authentication-server-group LOCAL 

ASA-2(config)# tunnel-group oscar_tg ipsec-attributes

ASA-2(config-tunnel-ipsec)# ikev1 pre-shared-key C1sc0

Use a long random string here; C1sc0 is only a placeholder. Note that show running-config masks the key with *****, but more system:running-config prints it in cleartext, so anyone with enable access can read it.

*******************

ASA-2(config)# crypto ipsec ikev1 transform-set oscar_trans esp-3des esp-md5-hmac

ASA-2(config)# ip local pool oscar_pool 10.1.2.140-10.1.2.145 mask 255.255.255.0

ASA-2(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set oscar_trans

ASA-2(config)# username oscar password omEMDQBc9noujG1X encrypted privilege 15

ASA-2(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

ASA-2(config)# crypto map outside_map interface outside


From http://adrian-brayton.blogspot.com.ar/2011/07/cisco-asa-84-ios-remote-access-vpn.html

Site-to-site VPN config example, ASA 8.4 or newer.

Copy and paste. Mirror this config on the other side: swap OBJ-SiteA and OBJ-SiteB in the objects, the crypto ACL and the NAT exemption, and point the tunnel-group and the crypto map peer at this side's outside address. The crypto ACL on each peer must be the exact mirror of the other's, or Phase 2 fails on a proxy-identity mismatch. Replace cisco123 with a long random key, and treat 3des/md5 as legacy choices; AES and SHA are preferred where both peers support them.

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
object network OBJ-SiteA
subnet 10.0.0.0 255.255.255.0
object network OBJ-SiteB
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-TRAFIC extended permit ip object OBJ-SiteA object OBJ-SiteB
nat (inside,outside) source static OBJ-SiteA OBJ-SiteA destination static OBJ-SiteB OBJ-SiteB no-proxy-arp route-lookup
!
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2 (Optional)
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-3des esp-md5-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-TRAFIC
crypto map CRYPTO-MAP 1 set pfs group2 (Optional)
crypto map CRYPTO-MAP 1 set peer 200.200.200.200
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
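The two configurations above (the 8.4 remote-access post and this site-to-site example) both lean on 3DES, MD5, DH group 2 and short pre-shared keys. The following is an added example, not code from either post: a small Python audit that parses ASA or PIX CLI text (block-form `crypto ikev1 policy` and one-line `isakmp policy` syntax, with or without pasted prompts) and flags those settings. The weak-algorithm lists and the 16-character PSK minimum are my own thresholds, and the sample config is constructed from fragments of the posts.

```python
import re

# Thresholds used by this added example; they are my assumptions, not from the original posts.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LENGTH = 16

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips 'ASA-2(config-ikev1-policy)# '
POLICY_START_RE = re.compile(r"^(?:crypto\s+)?(?:ikev1|isakmp)\s+policy\s+(\d+)$")
POLICY_ONE_LINE_RE = re.compile(
    r"^(?:crypto\s+)?(?:ikev1|isakmp)\s+policy\s+(\d+)\s+"
    r"(authentication|encryption|hash|group|lifetime)\s+(\S+)"
)
POLICY_ATTR_RE = re.compile(r"^(authentication|encryption|hash|group|lifetime)\s+(\S+)$")
TRANSFORM_RE = re.compile(r"^crypto\s+ipsec\s+(?:ikev1\s+)?transform-set\s+(\S+)\s+(.+)$")
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group\s+(\S+)\s+")
PSK_RE = re.compile(r"^(?:ikev1\s+)?pre-shared-key\s+(\S+)")
ISAKMP_KEY_RE = re.compile(r"^isakmp\s+key\s+(\S+)\s+address\s+(\S+)")


def parse_asa_config(text):
    """Pull IKEv1 policies, transform sets and pre-shared keys out of ASA/PIX CLI text.

    Handles the block form (crypto ikev1 policy 10 / encryption 3des ...) and the
    one-line PIX/7.x form (isakmp policy 10 hash md5), and ignores pasted prompts.
    """
    policies, transforms, psks = {}, {}, {}
    current_policy = current_tg = None
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line or line == "!":
            continue
        m = POLICY_ONE_LINE_RE.match(line)
        if m:
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            current_policy = None
            continue
        m = POLICY_START_RE.match(line)
        if m:
            current_policy = m.group(1)
            policies.setdefault(current_policy, {})
            continue
        m = POLICY_ATTR_RE.match(line)
        if m and current_policy is not None:
            policies[current_policy][m.group(1)] = m.group(2)
            continue
        current_policy = None  # any other command ends the policy block
        m = TRANSFORM_RE.match(line)
        if m:
            transforms[m.group(1)] = m.group(2).split()
            continue
        m = TUNNEL_GROUP_RE.match(line)
        if m:
            current_tg = m.group(1)
            continue
        m = PSK_RE.match(line)
        if m:
            psks[current_tg or "<no tunnel-group>"] = m.group(1)
            continue
        m = ISAKMP_KEY_RE.match(line)
        if m:
            psks[m.group(2)] = m.group(1)  # PIX-style key, keyed by peer address
    return {"policies": policies, "transforms": transforms, "psks": psks}


def audit_asa_config(text):
    """Return {object: [issue, ...]} for every weak setting found; an empty dict means clean."""
    cfg = parse_asa_config(text)
    issues = {}

    def add(obj, msg):
        issues.setdefault(obj, []).append(msg)

    for num, attrs in cfg["policies"].items():
        obj = f"ikev1 policy {num}"
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            add(obj, f"encryption {attrs['encryption']} is deprecated; use aes-256")
        if attrs.get("hash") in WEAK_HASH:
            add(obj, f"hash {attrs['hash']} is deprecated; use sha")
        group = attrs.get("group")
        if group is None:
            add(obj, "no DH group set (ASA default is group 2); set group 14 or higher")
        elif group in WEAK_DH_GROUPS:
            add(obj, f"DH group {group} is too small; use group 14 or higher")
    for name, algs in cfg["transforms"].items():
        weak = [a for a in algs if a in WEAK_ENCRYPTION or a in WEAK_HASH]
        if weak:
            add(f"transform-set {name}", "weak algorithms: " + ", ".join(weak))
    for peer, key in cfg["psks"].items():
        if set(key) == {"*"}:  # masked by 'show running-config'; nothing to judge
            continue
        if len(key) < MIN_PSK_LENGTH:
            add(f"tunnel-group {peer}", f"pre-shared key is only {len(key)} characters")
    return issues


def format_report(issues):
    lines = [f"{obj}: {msg}" for obj, msgs in sorted(issues.items()) for msg in msgs]
    return "\n".join(lines) or "no weak settings found"


# Constructed sample, stitched together from fragments of the posts above.
SAMPLE_CONFIG = """\
ASA-2(config)# crypto ikev1 enable outside
ASA-2(config)# crypto ikev1 policy 1
ASA-2(config-ikev1-policy)# encryption 3des
ASA-2(config-ikev1-policy)# authentication pre-share
ASA-2(config-ikev1-policy)# hash md5
ASA-2(config)# group-policy oscar_GP internal
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
crypto ipsec ikev1 transform-set oscar_trans esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
tunnel-group oscar_tg type remote-access
tunnel-group oscar_tg ipsec-attributes
 ikev1 pre-shared-key C1sc0
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key cisco123
tunnel-group RA_ATTESTGRP ipsec-attributes
 ikev1 pre-shared-key *****
isakmp policy 20 hash md5
isakmp key abc123 address 192.168.1.2 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print(format_report(audit_asa_config(SAMPLE_CONFIG)))
```

Feed it the output of more system:running-config rather than show running-config: the latter masks pre-shared keys with *****, and masked keys are skipped by the length check.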



Related Article :

http://www.petenetlive.com/KB/Article/0000050.htm

Cisco site to site VPN Configuration Cheatsheet

Cisco
VPN

Below is the Cisco site-to-site VPN configuration in a nutshell. These basic commands help configure a site-to-site VPN and can also assist in troubleshooting VPN issues. The syntax here is the older PIX / pre-8.3 ASA form (isakmp rather than crypto ikev1, and nat 0 access-list for NAT exemption).

VPN Configuration Steps:

sysopt connection permit-ipsec
Phase I
isakmp enable outside
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share (or rsa-sig)
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp key abc123 address 192.168.1.2 netmask 255.255.255.255
isakmp identity address

show isakmp policy
show isakmp

Phase 2
access-list 101 permit ip 10.0.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set customer1 esp-des esp-sha-hmac

crypto map PIX1MAP 10 ipsec-isakmp
crypto map PIX1MAP 10 match address 101
crypto map PIX1MAP 10 set peer 192.168.2.1
crypto map PIX1MAP 10 set transform-set customer1
crypto map PIX1MAP 10 set security-association lifetime seconds 28800
crypto map PIX1MAP 10 set pfs group1
crypto map PIX1MAP interface outside

crypto dynamic-map dynamic-map-name dynamic-seq-num

show crypto map
show isakmp
show isakmp policy
show access-list
show crypto ipsec transform-set

clear crypto ipsec sa
clear crypto isakmp sa
debug crypto ipsec
debug crypto isakmp

Steps to configure a simple site-to-site IKE/IPSec connection with examples:

ciscoasa(config)# vpnsetup site-to-site steps

Steps to configure a simple site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha

3. Configure transform-set

crypto ipsec transform-set myset esp-3des esp-sha-hmac

4. Configure ACL

access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group

tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside

7. Enable isakmp on interface

crypto isakmp enable outside

Steps to configure a simple remote access IKE/IPSec connection with examples:

ciscoasa(config)# vpnsetup ipsec-remote-access steps

Steps to configure a simple remote access IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha

3. Setup an address pool

ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method

aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254
key $ecretK3y

5. Define tunnel group

tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss

6. Setup ipsec parameters

crypto ipsec transform-set myset esp-3des esp-sha-hmac

7. Setup dynamic crypto map

crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route

8. Create crypto map entry and associate dynamic map with it

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

crypto map mymap interface outside

10. Enable isakmp on interface

crypto isakmp enable outside

Configure a Site 2 Site VPN on a ASA

In this article I will be showing you how to configure a Site 2 Site VPN on a ASA.
Also included in this example is a group-policy (named "Example_Policy") whose vpn-filter restricts traffic between the two endpoints to just tcp/80.

Please Note : This example presumes that you have already created the object groups for Local_LAN and Remote_LAN.
Access-Lists

Add the ACLs which we will need to NAT, the encryption domain and the group policy.

        access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80
        access-list Example_Policy_ACL extended deny ip any any
        access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN

Group Policy
Create your group policy which will restrict traffic between hosts within your encryption domain (the vpn-filter is applied to traffic inside the tunnel, independent of the interface ACLs).
        group-policy Example_Policy internal
        group-policy Example_Policy attributes
              vpn-filter value Example_Policy_ACL

NAT
Add your NAT exemption (no NAT) for traffic within the encryption domain. The ACL is written from the local LAN outwards, so it is bound to the inside interface. This is pre-8.3 syntax; on 8.3 and later use a twice-NAT statement instead, as in the 8.4 site-to-site example above.
        nat (inside) 0 access-list Example_VPN_ACL
Tunnel Group
Create your tunnel group which will include your pre-shared key.
       tunnel-group [Peer IP] type ipsec-l2l
       tunnel-group [Peer IP] general-attributes
            default-group-policy Example_Policy
       tunnel-group [Peer IP] ipsec-attributes
            pre-shared-key [pre-share key] 

Phase 1
        crypto isakmp identity address
        crypto isakmp enable outside

        crypto isakmp policy 10
           authentication pre-share
           encryption [?]
           hash [?]
           group [?]
           lifetime [secs]

Phase 2
        crypto ipsec transform-set [transform set name] esp-3des esp-sha-hmac
        crypto map outside 20 match address Example_VPN_ACL
        crypto map outside 20 set peer [Peer IP]
        crypto map outside 20 set transform-set [transform set name]
        crypto map outside 20 set security-association lifetime seconds [secs]
        crypto map outside interface outside

Installing a Third Party Certificate for WebVPN(SSL) on the ASA


In order to not get the annoying “Invalid certificate” errors in Internet Explorer we need to purchase and install a third party certificate for the ASA. Then we can associate the WebVPN with the certificate so we don’t get the warnings.  Of course, you can do this through the ASDM, but what fun is that?  CLI all the way, here we go.
http://www.dasblinkenlichten.com/?p=125
Notes
-Insert your relevant information between <>
-Variable names such as the key label and trustpoint name are ones I made up; feel free to change them
-Note sections are embedded directly within the code below
-During the install/setup the CLI asks several questions. I note when they will appear with a line beginning ‘Question Prompt –’; the response you should enter is at the end of that line.
Verify that your clock is set correctly
To do this, issue the ‘show clock’ command at the CLI.  If it isn’t configured correctly, define a NTP server (Which you should have done during initial config) and ensure your time zone is set correctly.  I usually use us.pool.ntp.org as an NTP server.  You can resolve it to an IP to get rid of the DNS lookup.
Generate the CSR
ASA(config)# crypto key generate rsa label <Your domain name> modulus 2048
Notes: I use the domain name that I am going to use for the label name, it just makes it easier if everything is the same (FQDN, System FQDN, Label, etc….).  An example would be ‘SSLVPN.test.com’.  Additionally I use a 2048 bit modulus because GoDaddy (The third party CA I am using) will no longer accept the 1024 bit modulus.
ASA(config)# crypto ca trustpoint <Your domain name>
ASA(config-ca-trustpoint)# subject-name CN=<Your domain name>, OU=<Organization Unit>, O=<Organization Name>, C=<Country (US)>, St=<Your State>, L=<Your City>
ASA(config-ca-trustpoint)# keypair <Your domain name>
ASA(config-ca-trustpoint)# fqdn <Your domain name>
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# exit
ASA(config)# crypto ca enroll <Your domain name>
Question Prompt – Include the device serial number in the subject name? [yes/no]: NO
Question Prompt – Display Certificate Request to terminal? [yes/no]: YES
Notes: After answering YES the CLI will output the CSR.  You need to copy the CSR so you can submit it to your Certificate Authority (GoDaddy in this case)
Redisplay enrollment request? [yes/no]: NO
Submit your CSR to your Certificate Authority
Again, I used GoDaddy because it seemed to be the cheapest.  The certificate was less than $30 for the year.  You purchase a certificate credit and then when you are ready to submit your CSR you go into their Certificate Management Portal under your login and submit the CSR.  After submitting the request it took about 5 minutes for my certificate to be generated.  You download the certificate file in Zip format.  In the Zip file you should have two certificates.  One is the certificate for the FQDN which you purchased and the other is the certificate for the CA.  This is where it gets a little tricky. First you need to authenticate the CA by importing their certificate.  Then you need to import your actual certificate.  I’m not going to get into the details of how certificates work but if you don’t know how, you should find out.  Google ‘Public Key encryption’.  Alright, so my Zip file had two certificates in it.
gd_bundle.crt – The certificate for the CA
<Domain name>.crt – The certificate for my domain
You’ll need to export both of the certificates to Base-64 encoded X.509.  To do this in Windows, double-click the certificate; a certificate window with three tabs appears.
Click on the second tab ‘Details’ and select the ‘Copy to File…’ button.
This will open the Certificate Export Wizard.  Press NEXT.
On the next screen select ‘Base-64 encoded X.509 (.CER)’ and press NEXT.
On the following screen select a location to output the file to and press NEXT.
Press FINISH on the summary screen.  You should get a pop up window indicating that export was successful.
Now browse to where you chose to store the certificate, right click on it, select ‘Open With’, and choose WordPad.  It should open as a block of Base-64 text between a ‘-----BEGIN CERTIFICATE-----’ line and an ‘-----END CERTIFICATE-----’ line.
Perform this certificate Export for your certificate as well as the CA’s certificate.   During the rest of the walk through I will refer to these exports as “CA Certificate”(The CA’s certificate) and “CA Certificate Response”(The certificate for your domain).
Install the certificates on the ASA
ASA(config)# crypto ca authenticate <Your domain name>
Notes: You will now receive the prompt shown below.
”Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself”
Copy the CA Certificate and paste it into the CLI window.  Then make sure you are on a new line, type the word quit, and press enter.  The ASA prints the certificate’s fingerprint before asking you to accept it; check it against the CA certificate you downloaded before answering.

Question Prompt – Do you accept this certificate? [yes/no]: yes
Notes: After you accept the certificate you should get a message indicating that the certificate import was successful
ASA(config)# crypto ca import <Your domain name> certificate
Notes: You will now receive a similar ”Enter the base 64 encoded certificate” prompt, this time for the certificate issued to your domain.
Copy the CA Certificate Response and paste it into the CLI window.  Then make sure you are on a new line, type the word quit, and press enter. After you press enter you should get a message indicating that the certificate import was successful

Tell WebVPN to use your new certificate
ASA(config)# ssl trust-point <Your domain name> outside
Verify
You can use the command ‘show crypto ca certificates’ to verify that your certificates imported successfully.  Of course the other way to test would be to just connect to the outside IP on SSL and see if you still get that annoying warning.
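The certificate export and paste steps above can be done without the Windows wizard. The Python below is an added example, not part of the original post or of any Cisco tooling: it reads a DER or PEM file (including a multi-certificate bundle such as gd_bundle.crt), produces the Base-64 X.509 text with the trailing `quit` line that the `crypto ca authenticate` and `crypto ca import` prompts expect, and computes fingerprints to compare with what the ASA prints before the accept prompt. It assumes the first certificate in the bundle is the CA that issued your certificate; the sample bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def load_der_certificates(data: bytes) -> list:
    """Return every certificate in `data` as raw DER bytes.

    Accepts a binary DER file (one certificate) or PEM text, including a
    bundle like gd_bundle.crt that concatenates several certificates.
    """
    if b"-----BEGIN CERTIFICATE-----" in data:
        return [base64.b64decode(b"".join(m.group(1).split()))
                for m in PEM_CERT_RE.finditer(data)]
    return [data]


def to_pem(der: bytes) -> str:
    """Base-64 encoded X.509 (PEM) with 64-character lines, the form the ASA prompt expects."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprints(der: bytes) -> dict:
    """Hex digests of the DER encoding, to compare with the fingerprint the ASA shows."""
    return {name: hashlib.new(name, der).hexdigest() for name in ("md5", "sha1", "sha256")}


def asa_paste_text(ca_bundle: bytes, leaf: bytes) -> dict:
    """Text to paste at the two ASA prompts, each terminated by the 'quit' line.

    Assumption of this example: the first certificate in the bundle is the CA
    that issued the leaf, which is what 'crypto ca authenticate' must be fed.
    """
    ca_der = load_der_certificates(ca_bundle)[0]
    leaf_der = load_der_certificates(leaf)[0]
    return {
        "authenticate": to_pem(ca_der) + "quit\n",   # for: crypto ca authenticate <trustpoint>
        "import": to_pem(leaf_der) + "quit\n",       # for: crypto ca import <trustpoint> certificate
        "ca_fingerprint_md5": fingerprints(ca_der)["md5"],
        "bundle_size": len(load_der_certificates(ca_bundle)),
    }


# Constructed placeholder bytes standing in for real DER certificates (not valid X.509).
FAKE_CA_DER = bytes(range(0, 200))
FAKE_INTERMEDIATE_DER = bytes(range(100, 160))
FAKE_LEAF_DER = bytes(range(50, 250))
FAKE_BUNDLE = (to_pem(FAKE_CA_DER) + to_pem(FAKE_INTERMEDIATE_DER)).encode("ascii")

if __name__ == "__main__":
    out = asa_paste_text(FAKE_BUNDLE, FAKE_LEAF_DER)
    print(f"bundle holds {out['bundle_size']} certificates; CA MD5 {out['ca_fingerprint_md5']}")
    print(out["authenticate"])
```

Paste the "authenticate" text at the crypto ca authenticate prompt and the "import" text at the crypto ca import prompt; if the bundle holds more than one certificate, confirm which one actually signed your certificate before trusting the first-entry assumption.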

ASA RA VPN 8.3


clear configure tunnel-group
clear configure group-policy RA_StoneHill
clear configure isakmp
clear configure ipsec
clear configure crypto
clear configure crypto ipsec ikev1



object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0

object network NETWORK_OBJ_192.168.200.128_26
 subnet 192.168.200.128 255.255.255.192

access-list RA_ATTESTGRP_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.200.128_26 NETWORK_OBJ_192.168.200.128_26

ip local pool vpnpool 192.168.200.150-192.168.200.190 mask 255.255.255.0

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy RA_ATTESTGRP internal
group-policy RA_ATTESTGRP attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_ATTESTGRP_splitTunnelAcl
 default-domain value urb.local

tunnel-group RA_ATTESTGRP type remote-access
tunnel-group RA_ATTESTGRP general-attributes
 address-pool vpnpool
 default-group-policy RA_ATTESTGRP
tunnel-group RA_ATTESTGRP ipsec-attributes
 ikev1 pre-shared-key *****

Cisco ASA Site to Site VPN Notes


https://supportforums.cisco.com/docs/DOC-11639
Configure Phase 1
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
Troubleshooting:
sh run crypto isakmp
sh isakmp policy
sh isakmp sa :Show connected peers
sh vpn-sessiondb detail l2l
debug crypto isakmp 5
clear crypto isakmp :This will clear all of the SA’s
To confirm that the peer's traffic is reaching the ASA, capture everything between the two public addresses; this covers ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP:
On both ends:
access-list cap extended permit ip host {local public ip} host {remote public ip}
access-list cap extended permit ip host {remote public ip} host {local public ip}
Create a capture:
cap cap access-list cap int outside
Display the results of the capture:
sh cap cap detail
To clear the capture log:
clear cap cap
If you don’t know the pre-shared key(s) (show running-config masks them with *****, but this prints them in cleartext):
more system:running-config | begin tunnel-group
Configure Phase2
These two ACLs should match each other, and be mirrored (local and remote swapped) on the other end:
access-list nonat extended permit ip {local} {remote}
access-list nonat extended permit ip {local} {remote}
access-list uk extended permit ip {local} {remote}
access-list uk extended permit ip {local} {remote}
nat (inside) 0 access-list nonat
crypto ipsec transform-set ukvpn esp-des esp-md5-hmac
crypto map vpnmap 20 match address uk
crypto map vpnmap 20 set peer {target public ip}
crypto map vpnmap 20 set transform-set ukvpn
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
tunnel-group {target public ip} type ipsec-l2l
tunnel-group {target public ip} ipsec-attributes
pre-shared-key {key}
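The "identical and mirrored" requirement above is where site-to-site tunnels most often break: if the two crypto ACLs are not exact mirrors, Phase 2 fails with a proxy-identity mismatch. As an added example (not from the linked Cisco document or any Cisco tool), the Python below parses the crypto ACL from each side's config, resolves the `object`, `host`, `any` and address/mask forms, reports entries that the other side does not mirror, and can emit the mirrored ACL for the peer. The sample configs are constructed, and the function names are mine.

```python
import ipaddress
import re

OBJECT_RE = re.compile(r"^object\s+network\s+(\S+)$")
SUBNET_RE = re.compile(r"^subnet\s+(\S+)\s+(\S+)$")
HOST_RE = re.compile(r"^host\s+(\S+)$")
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(any|host\s+\S+|object\s+\S+|\S+\s+\S+)\s+"
    r"(any|host\s+\S+|object\s+\S+|\S+\s+\S+)\s*$"
)


def parse_objects(text):
    """Map 'object network NAME' definitions (subnet or host form) to ip_network values."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = HOST_RE.match(line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def to_network(operand, objects):
    """Resolve one ACE operand ('any', 'host X', 'object NAME' or 'NET MASK') to a network."""
    parts = operand.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(f"{parts[1]}/32")
    if parts[0] == "object":
        return objects[parts[1]]
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def crypto_acl_pairs(text, acl_name):
    """Set of (local, remote) network pairs selected by one crypto ACL."""
    objects = parse_objects(text)
    pairs = set()
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m and m.group(1) == acl_name:
            pairs.add((to_network(m.group(2), objects), to_network(m.group(3), objects)))
    return pairs


def mirror_mismatches(side_a, acl_a, side_b, acl_b):
    """Return (only_on_a, only_on_b): selectors the other side does not mirror.

    Both lists empty means the proxy identities agree; anything listed will
    fail Phase 2 negotiation for that pair of subnets.
    """
    a = crypto_acl_pairs(side_a, acl_a)
    b_mirrored = {(dst, src) for src, dst in crypto_acl_pairs(side_b, acl_b)}
    only_a = [(str(s), str(d)) for s, d in sorted(a - b_mirrored)]
    only_b = [(str(s), str(d)) for s, d in sorted(b_mirrored - a)]
    return only_a, only_b


def mirror_config(text, acl_name):
    """Emit the peer-side crypto ACL: same name, source and destination swapped.

    Object names are carried over, so the peer must define the same objects.
    """
    out = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m and m.group(1) == acl_name:
            out.append(f"access-list {acl_name} extended permit ip {m.group(3)} {m.group(2)}")
    return out


# Constructed sample configs: side B's second entry is a /24 where side A used a host.
SITE_A = """\
object network OBJ-SiteA
 subnet 10.0.0.0 255.255.255.0
object network OBJ-SiteB
 subnet 10.0.3.0 255.255.255.0
access-list VPN-TRAFIC extended permit ip object OBJ-SiteA object OBJ-SiteB
access-list VPN-TRAFIC extended permit ip host 10.0.1.5 object OBJ-SiteB
"""
SITE_B = """\
access-list VPN-TRAFIC extended permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN-TRAFIC extended permit ip 10.0.3.0 255.255.255.0 10.0.1.0 255.255.255.0
"""

if __name__ == "__main__":
    print(mirror_mismatches(SITE_A, "VPN-TRAFIC", SITE_B, "VPN-TRAFIC"))
    print("\n".join(mirror_config(SITE_A, "VPN-TRAFIC")))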
Troubleshooting:
sh crypto map
sh isakmp
sh isakmp policy
sh access-list
sh cry ipsec sa :Shows ipsec peers
sh crypto ipsec transform-set
sh crypto map :shows crypto maps
sh run | inc route :shows only the routes in the running config
sh access-list :shows access lists
sh arp :Shows the arp table
sh run | in access-group :Shows only the access-groups in the running config
ping in :pings using the internal interface (A good way to bring up the tunnel)
management-access inside :The inside interface of the ASA cannot be pinged from the other end of the tunnel unless the management-access command is configured in the global configuration mode.
clear cry ipsec sa peer :Clears ONLY the one peer
clear cry isa :Clears ALL peers
clear arp :Clears the arp table
deb cry isa 200 : Debugs ISA
deb cry ipsec 200 : Debugs IPSEC
debug crypto ipsec
debug crypto isakmp
To clear configurations (in configuration mode):
clear configure crypto map vpnmap 20 :Clears crypto map 20
clear configure tunnel-group :Clears the tunnel-group
IMPORTANT! USE THIS COMMAND ESPECIALLY ON PIX IOS UPGRADE!!!
This command allows packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. IPsec tunnels that are terminated on the security appliance are likely to fail if one of these commands is not enabled.
sysopt connection permit-ipsec :OLD
sysopt connection permit-vpn :NEW
===============================================================================
BUT ALERT:
They fixed an older bug in 7.2(4) as per the Bug Toolkit:
Symptom:
Commands that are system defaults do not show up in the
typical “show running-config” output. The purpose of the “show running-config all” command
is to allow all configured commands both default and non-default to be viewed in one output.
For PIX/ASA, the output of the command “show running-config all” should
include the configured sysopt commands such as
“sysopt connection tcpmss 1380″ which at present, it does not.
ciscoasa# sh run all | incl sys
ciscoasa# sh run all | incl sysopt
ciscoasa#
Conditions:
Some “sysopt” commands are on as system defaults and do not show in the running configuration output.
However, the “show running-config all” output is supposed to show all commands in the running
configuration including the defaults like some sysopt commands. This issue is purely cosmetic and does
not affect the operation of the PIX/ASA.