Written by Paul Stewart
Saturday, 18 April 2009
I was introduced to the ASA "VPNSETUP" command by Matt over on the IPExperts "Online Study List". It's a different type of command than what we normally find in Cisco gear: it prints all of the commands necessary to build a very basic VPN. If you find yourself in a position where documentation is not readily available, you can capture the output of this command to a text file, tweak it to your liking, and paste it back into the configuration. Thanks, Matt.
Take a look below for the full output of this command.
term pager 0
ciscoasa(config)# vpnsetup ?

configure mode commands/options:
  ipsec-remote-access  Display IPSec Remote Access Configuration Commands
  l2tp-remote-access   Display L2TP/IPSec Configuration Commands
  site-to-site         Display IPSec Site-to-Site Configuration Commands
  ssl-remote-access    Display SSL Remote Access Configuration Commands
ciscoasa(config)# vpnsetup ipsec-remote-access ?

configure mode commands/options:
  steps  Display VPN Setup Commands
ciscoasa(config)# vpnsetup ipsec-remote-access steps

Steps to configure a remote access IKE/IPSec connection with examples:

1. Configure Interfaces
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha

3. Setup an address pool
ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method
aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254 key $ecretK3y

5. Define tunnel group
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss

6. Setup ipsec parameters
crypto ipsec transform-set myset esp-aes esp-sha-hmac

7. Setup dynamic crypto map
crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route

8. Create crypto map entry and associate dynamic map with it
crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface
crypto map mymap interface outside

10. Enable isakmp on interface
crypto isakmp enable outside

ciscoasa(config)# vpnsetup l2tp-remote-access steps

Steps to configure a remote access L2TP/IPSec connection with examples:

1. Configure Interfaces
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha

3. Setup an address pool
ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method
aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254 key $ecretK3y

5. Define tunnel group
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss
tunnel-group DefaultRAGroup ppp-attributes
authentication pap

6. Setup ipsec parameters
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec transform-set myset mode transport

7. Setup dynamic crypto map
crypto dynamic-map dynmap 1 set transform-set myset

8. Create crypto map entry and associate dynamic map with it
crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface
crypto map mymap interface outside

10. Enable isakmp on interface
crypto isakmp enable outside

ciscoasa(config)# vpnsetup site-to-site steps

Steps to configure a site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha

3. Configure transform-set
crypto ipsec transform-set myset esp-aes esp-sha-hmac

4. Configure ACL
access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside

7. Enable isakmp on interface
crypto isakmp enable outside

ciscoasa(config)# vpnsetup ssl-remote-access steps

Steps to configure a remote access SSL VPN remote access connection and AnyConnect with examples:

1. Configure and enable interface
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Enable WebVPN on the interface
webvpn
enable outside

3. Configure default route
route outside 0.0.0.0 0.0.0.0 10.10.4.200

4. Configure AAA authentication and tunnel group
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LOCAL

5. If using LOCAL database, add users to the Database
username test password t3stP@ssw0rd
username test attributes
service-type remote-access

Proceed to configure AnyConnect VPN client:

6. Point the ASA to an AnyConnect image
webvpn
svc image anyconnect-win-2.1.0148-k9.pkg

7. enable AnyConnect
svc enable

8. Add an address pool to assign an ip address to the AnyConnect client
ip local pool client-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0

9. Configure group policy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn

ciscoasa(config)# term pager 24
ciscoasa(config)# exit
ciscoasa#
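The steps above are templates, not a finished configuration, and a few things in them should not survive the tweak-and-paste step. Every example ships with a placeholder pre-shared key or password ($ecretK3y, VpnUs3rsP@ss, P@rtn3rNetw0rk, t3stP@ssw0rd). The ISAKMP policies set no group, so the Diffie-Hellman group is left at the platform default (group 2 on ASA releases of this era). The L2TP example authenticates PPP with PAP. The site-to-site example names its tunnel group 10.20.20.1 while the crypto map peers with 10.10.4.108; on the ASA the pre-shared key for an ipsec-l2l peer is looked up under a tunnel group named after that peer's address, so as printed the key would never be used for that peer. And the SSL example's default route points at 10.10.4.200, which is the outside interface's own address. The following Python script is an added example, not part of the original post or of Cisco's tooling: it takes a saved `vpnsetup ... steps` capture, strips the step headings so only CLI lines remain, substitutes real values for the template tokens, adds a DH group to any ISAKMP policy that lacks one, and lints the result for the problems listed. The embedded sample is an excerpt of the site-to-site output above; the replacement key and the DH group number are assumptions for the demonstration.

```python
import re

# Constructed sample input: an excerpt of the `vpnsetup site-to-site steps`
# output shown above, saved from the terminal as the ASA prints it.
SITE_TO_SITE_TEMPLATE = """\
Steps to configure a site-to-site IKE/IPSec connection with examples:
2. Configure ISAKMP policy
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
3. Configure transform-set
crypto ipsec transform-set myset esp-aes esp-sha-hmac
5. Configure Tunnel group
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
pre-shared-key P@rtn3rNetw0rk
6. Configure crypto map and attach to interface
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
7. Enable isakmp on interface
crypto isakmp enable outside
"""

STEP_HEADING = re.compile(r"^\d+\.\s")                  # "5. Configure Tunnel group"
ISAKMP_POLICY = re.compile(r"^crypto isakmp policy \d+$")
ISAKMP_SUBCMDS = ("authentication ", "encryption ", "hash ", "group ", "lifetime ")
L2L_GROUP = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
SET_PEER = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$")
# Placeholder secrets the four templates ship with; none may reach a live box.
TEMPLATE_SECRETS = ("$ecretK3y", "VpnUs3rsP@ss", "P@rtn3rNetw0rk", "t3stP@ssw0rd")


def extract_commands(template):
    """Keep only the CLI lines: drop the banner and the numbered step headings."""
    lines = [l.strip() for l in template.splitlines()]
    return [l for l in lines
            if l and not l.startswith("Steps to configure") and not STEP_HEADING.match(l)]


def render(commands, replacements):
    """Swap template tokens (peer address, key, subnets) for the real values."""
    rendered = []
    for cmd in commands:
        for old, new in replacements.items():
            cmd = cmd.replace(old, new)
        rendered.append(cmd)
    return rendered


def add_dh_group(commands, group):
    """Insert 'group <n>' into every 'crypto isakmp policy' block that has none."""
    out, in_policy, has_group = [], False, False
    for cmd in commands:
        if ISAKMP_POLICY.match(cmd):
            in_policy, has_group = True, False
        elif in_policy and not cmd.startswith(ISAKMP_SUBCMDS):   # block just ended
            if not has_group:
                out.append(f"group {group}")
            in_policy = False
        elif in_policy and cmd.startswith("group "):
            has_group = True
        out.append(cmd)
    if in_policy and not has_group:                              # policy was the last block
        out.append(f"group {group}")
    return out


def lint(commands):
    """Flag what a reviewer would reject before the paste-back."""
    findings, l2l_groups, peers = [], [], []
    policy, has_group = None, False
    for cmd in commands + [""]:                      # "" closes a trailing policy block
        in_block = policy is not None and cmd.startswith(ISAKMP_SUBCMDS)
        if policy is not None and not in_block:
            if not has_group:
                findings.append(f"{policy}: no 'group' line, DH group left at the platform default")
            policy = None
        if not cmd:
            break
        if any(secret in cmd for secret in TEMPLATE_SECRETS):
            findings.append(f"template secret still present: {cmd}")
        if cmd == "authentication pap":
            findings.append("ppp-attributes: PAP carries the user password in clear at the PPP layer")
        if ISAKMP_POLICY.match(cmd):
            policy, has_group = cmd, False
        elif in_block:
            has_group = has_group or cmd.startswith("group ")
        elif (m := L2L_GROUP.match(cmd)):
            l2l_groups.append(m.group(1))
        elif (m := SET_PEER.match(cmd)):
            peers.append(m.group(1))
    for peer in peers:
        if peer not in l2l_groups:                  # ASA keys L2L PSK lookup on the peer address
            findings.append(f"set peer {peer}: no ipsec-l2l tunnel-group of that name, so its "
                            "pre-shared key is never used (the ASA falls back to DefaultL2LGroup)")
    return findings
```

To use it on a real capture, read the saved file in place of SITE_TO_SITE_TEMPLATE, run `lint()` over `extract_commands()` to see what the template still carries, then paste only the output of `add_dh_group(render(...), 14)` and only once `lint()` on that result is empty. The peer check fires on the site-to-site template as printed, the PAP check on the L2TP template, and the secret check on all four.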