Creating a dynamic crypto map – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 69 Configuring Remote Access IPsec VPNs

There are two default tunnel groups in the ASA system: DefaultRAGroup, which is the default
remote-access tunnel group, and DefaultL2Lgroup, which is the default LAN-to-LAN tunnel group. You
can change them but not delete them. The ASA uses these groups to configure default tunnel parameters
for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified
during tunnel negotiation.

Use the command syntax in the following examples as a guide.

Detailed Steps

Creating a Dynamic Crypto Map

This section describes how to configure dynamic crypto maps, which define a policy template where all
the parameters do not have to be configured. These dynamic crypto maps let the ASA receive
connections from peers that have unknown IP addresses. Remote access clients fall in this category.

Step 1

Command: tunnel-group name type type

Example:
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)#

Purpose: Creates an IPsec remote access tunnel-group (also called a connection profile).

Step 2

Command: tunnel-group name general-attributes

Example:
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#

Purpose: Enters tunnel group general attributes mode, where you can enter an authentication method.

Step 3

Command: address-pool [(interface name)] address_pool1 [...address_pool6]

Example:
hostname(config-general)# address-pool testpool

Purpose: Specifies an address pool to use for the tunnel group.

Step 4

Command: tunnel-group name ipsec-attributes

Example:
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-tunnel-ipsec)#

Purpose: Enters tunnel group ipsec attributes mode, where you can enter IPsec-specific attributes for IKEv1 connections.

Step 5

Command: ikev1 pre-shared-key key

Example:
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx

Purpose: (Optional) Configures a pre-shared key (IKEv1 only). The key can be an alphanumeric string from 1-128 characters.

The keys for the adaptive security appliance and the client must be identical. If a Cisco VPN Client with a different preshared key size tries to connect, the client logs an error message indicating it failed to authenticate the peer.

Note: Configure AAA authentication for IKEv2 using certificates in the tunnel group webvpn-attributes.
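The five steps above produce a tunnel-group stanza in the running configuration. The following Python script is an added example, not part of the Cisco guide: it parses the tunnel-group stanzas from running-config text and reports remote-access groups that miss the constraints stated in the steps (no address-pool, an IKEv1 pre-shared key outside the documented 1-128 alphanumeric range, or no IKEv1 key at all, which means IKEv2 peers need certificate authentication). The sample configuration, the group names other than testgroup, and the finding codes are constructed for this example; the key value 44kkaol59636jnfx is the one used in the guide's own example.

```python
"""Audit ASA tunnel-group stanzas against the constraints of the procedure above.

Added example, not Cisco's code. Feed it `more system:running-config` output
(plain `show running-config` masks pre-shared keys as *****, which is reported
separately rather than length-checked).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# 'ipsec-ra' (as typed in Step 1) is displayed as 'remote-access' in newer running-configs.
REMOTE_ACCESS_TYPES = {"ipsec-ra", "remote-access"}
# Step 5: "an alphanumeric string from 1-128 characters".
PSK_RE = re.compile(r"[A-Za-z0-9]{1,128}")


@dataclass
class TunnelGroup:
    name: str
    group_type: str = ""
    address_pools: List[str] = field(default_factory=list)
    ikev1_psk: Optional[str] = None


def parse_tunnel_groups(config_text: str) -> Dict[str, TunnelGroup]:
    """Collect type, address pools and IKEv1 pre-shared key for each tunnel-group."""
    groups: Dict[str, TunnelGroup] = {}
    current: Optional[TunnelGroup] = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        # Top-level "tunnel-group NAME type|general-attributes|ipsec-attributes ..."
        if not raw.startswith(" ") and tokens[0] == "tunnel-group" and len(tokens) >= 3:
            current = groups.setdefault(tokens[1], TunnelGroup(tokens[1]))
            if tokens[2] == "type" and len(tokens) >= 4:
                current.group_type = tokens[3]
            continue
        if current is None:
            continue
        if tokens[0] == "address-pool":
            pools = tokens[1:]
            if pools and pools[0].startswith("("):  # optional "(interface)" qualifier (Step 3)
                pools = pools[1:]
            current.address_pools.extend(pools)
        elif tokens[:2] == ["ikev1", "pre-shared-key"] and len(tokens) == 3:
            current.ikev1_psk = tokens[2]
        elif tokens[0] == "pre-shared-key" and len(tokens) == 2:  # pre-8.4 spelling of the same command
            current.ikev1_psk = tokens[1]
    return groups


def audit_group(group: TunnelGroup) -> List[str]:
    """Return constructed finding codes for one remote-access group (L2L groups are skipped)."""
    findings: List[str] = []
    if group.group_type not in REMOTE_ACCESS_TYPES:
        return findings
    if not group.address_pools:
        findings.append("no-address-pool")
    if group.ikev1_psk is None:
        findings.append("no-ikev1-psk")  # IKEv2 clients must then use certificate auth (see Note)
    elif group.ikev1_psk == "*****":
        findings.append("psk-masked")  # key hidden by show running-config; audit the unmasked config
    elif not PSK_RE.fullmatch(group.ikev1_psk):
        findings.append("psk-not-1-128-alphanumeric")
    return findings


def audit(config_text: str) -> Dict[str, List[str]]:
    return {name: audit_group(g) for name, g in parse_tunnel_groups(config_text).items()}


# Constructed sample running-config excerpt: testgroup follows Steps 1-5 exactly,
# the other groups deliberately miss one of the constraints.
SAMPLE_CONFIG = """\
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 ikev1 pre-shared-key 44kkaol59636jnfx
tunnel-group nopool type remote-access
tunnel-group nopool ipsec-attributes
 ikev1 pre-shared-key p@ss!word
tunnel-group certonly type remote-access
tunnel-group certonly general-attributes
 address-pool (outside) testpool
tunnel-group sitea type ipsec-l2l
tunnel-group sitea ipsec-attributes
 ikev1 pre-shared-key *****
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run it against `more system:running-config | begin tunnel-group` saved to a file; a group with no findings matches the procedure, while `no-ikev1-psk` on a group that is meant to serve IKEv2 clients is only acceptable if certificate authentication has been configured as the Note describes.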
