Category Archives: VPN

Cisco IOS VPN to IPCop

[sourcecode gutter="false" autolinks="false"]
crypto isakmp key supersecertkey address AAA.BBB.CCC.DDD
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CSM_CME_FastEthernet0.831 131 ipsec-isakmp
set peer AAA.BBB.CCC.DDD
set transform-set ESP-3DES-SHA
match address XY-TEST-CRYPTO-ACL
ip nat outside source static 192.168.XX.121 10.4.YYY.243 add-route
ip access-list extended XY-TEST-CRYPTO-ACL
permit ip 10.0.YYY.40 192.168.XX.0
[/sourcecode]

[sourcecode gutter="false" autolinks="false"]
# Do not modify 'ipsec.conf' directly since any changes you make will be
# overwritten whenever you change IPsec settings using the web interface!
version 2.0
config setup

conn %default

conn RED
[/sourcecode]

Cisco AnyConnect VPN with Cisco 3845

Now that the implementation of the AnyConnect client on our ASA5500 is in a good state, I want to have some backup until our production hardware is delivered. 😉

So I decided to use one of our Cisco 3845 routers to do the job.

show version

[sourcecode gutter="false" autolinks="false" collapse="true"]
C3845#show version
Load for five secs: 1%/0%; one minute: 3%; five minutes: 3%
Time source is NTP, 07:48:17.248 CET Sat Sep 11 2010
Cisco IOS Software, 3800 Software (C3845-ADVSECURITYK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 16:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T10, RELEASE SOFTWARE (fc1)

C3845 uptime is 34 weeks, 4 days, 14 hours, 47 minutes
System returned to ROM by reload at 15:53:45 CET Mon Jan 11 2010
System restarted at 15:55:20 CET Mon Jan 11 2010
System image file is "flash:c3845-advsecurityk9-mz.150-1.M1.bin"
[/sourcecode]

First I installed the AnyConnect package on the router.

[sourcecode gutter="false" autolinks="false"]
C3845(config)#webvpn install svc flash:/anyconnect-win-2.5.1025-k9.pkg sequence 1
SSLVPN Package SSL-VPN-Client (seq:1): installed successfully
[/sourcecode]

[sourcecode gutter="false" autolinks="false"]
ip local pool CSM_POOL_1
ip local pool vpnpool
ip local pool SSLVPNClient
webvpn gateway SSLVPN
ip address port 443
ssl trustpoint TP-self-signed-2234495401
webvpn install svc flash:/webvpn/anyconnect-win-2.5.1025-k9.pkg sequence 1
webvpn context SSLVPN
ssl authenticate verify all
policy group SSLVPN
functions svc-required
svc address-pool "CSM_POOL_1"
svc keep-client-installed
svc dns-server primary
svc dns-server secondary
default-group-policy SSLVPN
gateway SSLVPN
[/sourcecode]

If you feel this helps a bit, or maybe not? Please leave a comment.


Cisco ASA AnyConnect VPN

Some notes on what to do

RADIUS authentication for the ASA

ASA 8.X: AnyConnect Start Before Logon Feature Configuration

Configuration Examples and TechNotes

av-pairs ????

certificate selection process

certificate import on CLI / ASDM / IOS

set the certificate on the interface: ssl trust-point MyTrustPoint Outside

Docu: Backup Gateway

Pictures: ASDM, CCP

Write the complete setup down ….

Reference the docu. :-)


How to authentication AnyConnect VPN against RADIUS

AnyConnect with Cisco ACS RADIUS is a bit more complicated, because the ASA5500 documentation states that you cannot use the same RADIUS server for authentication and authorization. So things get more complex by themselves 😉 But if I see things in the right light, we don't need authorization at all, so we will see on Monday how things develop.

The authentication against RADIUS is quite easy to configure.

Just add the RADIUS servers as described here.
Then add the following to the configuration:

[sourcecode gutter="false" autolinks="false"]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-RADIUS
[/sourcecode]

By debugging the RADIUS authentication I see that our FreeRADIUS delivers the AV pairs with the authentication request, so let's see if the ASA accepts them.

How to use Radius/Tacacs+ and Certificate based Authentication for AnyConnect VPN

First you have to add a valid certificate to the ASA, then change the following in the configuration.

[sourcecode gutter="false" autolinks="false"]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-TACACS+
tunnel-group SSLClientProfile webvpn-attributes
authentication aaa certificate
[/sourcecode]

Then you can only connect to the ASA with both a username and a user certificate.


How to authenticate AnyConnect VPN against Tacacs+

The authentication against TACACS+ is quite easy to configure.

Just add the TACACS+ servers as described here.
Then add the following to the configuration:

[sourcecode gutter="false" autolinks="false"]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-TACACS+
[/sourcecode]

Cisco ASA5500 Setup

In my test environment I have an ASA5510 with a basic configuration. You can use this as a starting point for configuring the ASA5500 series firewalls.

The ASA5510 is connected behind the outside ASA5500 firewall, and that ASA does the packet filtering.
Because I am a friend of KISS ("keep it simple and straightforward"), things get complicated by themselves.
For the same reason I like diving into the DIR ("do it right") method.

In this post we will begin with a basic setup of the ASA firewall. In the next posts I will describe other topics based on this setup.

Continue reading Cisco ASA5500 Setup

How to configure Cisco ASA 5500 for AnyConnect Client

So I was testing some stuff with the authentication on the ASA firewall and the AnyConnect client in the last days, so I feel it is time to write things down a little bit.

First I discovered that we have the same problem with the Windows 7 firewall: Windows does not detect the interface, so the firewall does not recognize that we are part of the domain :-( Sad, very sad. But as I described here, there is a workaround, though it is not supported by Cisco in any way.
But anyhow, we have to move to the AnyConnect client to get VPN running with WWAN cards.

So let's begin with a basic setup: only local users, connecting to the ASA with the AnyConnect client.
No complex things, just connectivity. So we will start here with the configuration.
In the next posts we will go on to the more complex things.

Continue reading How to configure Cisco ASA 5500 for AnyConnect Client

Cisco VPN Clients are not recognized by Windows 7 Firewall

As I described before, we have problems with the Cisco IPsec VPN client and WWAN cards, so we are testing the AnyConnect client. We are now facing some common problems with both clients.

We discovered that the network adapter created by the Cisco IPsec VPN client (Version and also the Cisco AnyConnect SSL VPN client (Version 2.5.0217) is not recognized by the Windows 7 Advanced Firewall, and therefore the AD group policy for the firewall is not applied.

As a workaround you can drop the following lines from the "vpnva.inf" file in the AnyConnect package:

[sourcecode gutter="false" autolinks="false"]
;Vista specific entry — benign on 2K/XP
HKR, , *NdisDeviceType, 0x00010001, 1
[/sourcecode]

or delete the key for the adapter from the registry.
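To see which adapters on a Windows 7 client actually carry that *NdisDeviceType flag before editing the inf or the registry, here is an added audit script (not from the original post or from Cisco). It assumes the standard network adapter class key and that the Cisco virtual adapters' DriverDesc contains "Cisco"; both are assumptions to verify on your own machine.

```powershell
# Added example, not part of the original post. Audits the per-adapter
# registry instances under the network adapter class key and reports which
# ones carry *NdisDeviceType = 1 (NDIS_DEVICE_TYPE_ENDPOINT): Network
# Location Awareness skips such adapters, so the domain firewall profile
# is never applied to the VPN interface. Run in an elevated PowerShell.
$NetClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-NdisDeviceTypeReport {
    # Each four-digit subkey (0000, 0001, ...) is one adapter instance.
    Get-ChildItem -Path $NetClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            $type  = $props.'*NdisDeviceType'
            $ndisType = 0
            if ($type -ne $null) { $ndisType = [int]$type }
            New-Object PSObject -Property @{
                Instance  = $_.PSChildName
                Driver    = $props.DriverDesc
                NdisType  = $ndisType
                HiddenNLA = ($ndisType -eq 1)
            }
        }
}

# Show the adapters Windows will not classify as domain/private/public.
Get-NdisDeviceTypeReport | Where-Object { $_.HiddenNLA } |
    Format-Table Instance, Driver, NdisType -AutoSize

# Mirrors the post's "delete the key" workaround for the Cisco adapters only
# (assumption: their DriverDesc contains "Cisco"). Reconnect the VPN afterwards
# so NLA re-evaluates the interface. Use -WhatIf first to preview the change.
function Remove-NdisDeviceTypeFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$DriverPattern = 'Cisco')
    Get-NdisDeviceTypeReport |
        Where-Object { $_.HiddenNLA -and $_.Driver -match $DriverPattern } |
        ForEach-Object {
            $key = Join-Path $NetClassKey $_.Instance
            if ($PSCmdlet.ShouldProcess("$key\*NdisDeviceType", 'Remove')) {
                Remove-ItemProperty -Path $key -Name '*NdisDeviceType'
            }
        }
}
```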


Cisco IPSec VPN and WWAN Cards are not working so we move to Cisco AnyConnect

Lately we discovered that Windows 7, Cisco IPsec VPNs and built-in UMTS cards, also called WWAN cards, do not work together. So we are now taking the next step to Cisco AnyConnect on the ASA platform.

Here is the snippet from the release notes:

Support for Windows 7 on x64 (64-bit). This release, however, does not support WWAN devices (also called wireless data cards) on Windows 7 x86 (32-bit) and x64.

Reference : Release Notes for Cisco VPN Client, Release 5.0.0

For the ASA-based AnyConnect you will find the necessary tools and software here:

Cisco ASA Series Firewalls and VPN Gateways
Cisco AnyConnect Client
Cisco AnyConnect Client Profile Editor

A basic installation will follow.
