This guide covers configuring a remote access (client) VPN on a Cisco ASA or PIX firewall using the ASDM wizard (much of it transfers to Cisco routers as well). It is aimed at beginners to VPNs.
Firstly, let’s address why you would want to do this.
Remote access VPNs have many uses; put simply, they give you access to your network's resources from anywhere with an internet connection.
Going on a training course and need to log back into your corporate network to make changes or check your mail? Working from home and need to open and save documents that live on network shares? Maybe you just want to log into your home PC to start iTunes downloading that latest album. If any of the above applies to you, this is what you need!
We will start by assuming that you have the login details for the ASA and that you have launched ASDM (the ASA's graphical management interface, started from its web page).
You will be presented with a screen not unlike the below:
Step 1:
The menu we are interested in is the “Wizards” menu, and then the IPsec VPN Wizard, shown below.
At this point you are offered two options, site-to-site or remote access. In this case we tick the remote access box (a site-to-site guide will follow at a later date) and then select the ‘outside’ interface from the drop-down box.
The checkbox on this page lets inbound IPsec sessions bypass the outside interface access list: decrypted VPN traffic then reaches the inside network without being checked against that ACL, and the only thing restricting it is an access list applied to the group policy (a VPN filter). I would always recommend locking this down if you are configuring multiple groups. If, for example, you were configuring the VPN to let a third party support your Exchange server, you may want to allow only RDP to that server, and with the bypass ticked that restriction has to go on the group policy rather than on the interface.
For now, we will leave the box ticked to simplify the guide.
Step 2:
At this window you choose the type of client you will be using (image shown below). In this case we will use the Cisco VPN client. As you can see, you also have the option of the Microsoft client (L2TP over IPsec) here, but that is beyond the scope of this guide.
Click next!
Step 3:
This is where you really need to start taking notes of the passwords you are using. You will be presented with the screen below:
Let me state at this point that I do NOT, under ANY circumstances, condone the use of “password” as a pre-shared key.
Use a random password generator for each string.
Make the pre-shared key long: 20 characters or more of mixed upper and lower case letters, numbers and symbols is a sensible floor, and there is no reason to stop there. It must not be built from a personal identifier such as a date of birth or a name, and do not rely on swapping letters for look-alike characters (turning “password” into “|D@55w0rD” and the like): password-cracking tools try those substitutions as a matter of course, so they add very little over the dictionary word underneath. There are plenty of random generators on the web; use one and paste the result.
Two things make a strong group key matter more than it might first seem. Once you enter the group password in the Cisco VPN client it is saved in the connection profile (a .pcf file) in an obfuscated but reversible form, so anyone who gets hold of that file has the key. And the group key is all that protects the first phase of the connection, so a short or guessable one can be attacked offline from a captured IKE exchange. Since you will never type it again, a long key costs you nothing.
The tunnel group name is used together with the above password as group authentication. Cisco remote access VPNs have two layers of login: group authentication (the group name and pre-shared key, which identify the connection profile) and user authentication (each person's own username and password), which we come to shortly. Pick a tunnel group name that identifies the group's function, for example “Tech_Support_HQ”.
Click Next!
Step 4:
You will be presented with the following screen:
Tick the option “Authenticate using the local user database”. Configuring AAA (for example RADIUS or LDAP against Active Directory) is beyond the scope of this guide.
Using the local database means you can use the same username and password you would normally use to log into the ASA. You can also add more users to the ASA purely for VPN use. Be aware that the reverse also holds: if SSH or ASDM access is set to use the local database, a VPN user's credentials may work for management access too, so keep VPN-only users separate from administrators where you can.
Click Next!
Step 5:
At this screen we configure the users that will access the VPN. In our case, George Dubya.
Simply add your username to the box on the left, add a password (see Step 3 for guidelines on password creation) and click “Add”. Your user should show up in the column on the right.
Click Next!
Step 6:
Start by clicking “New” and giving the pool a name. This can be any name of your choosing.
Then fill out the boxes for the starting and ending IP. To keep this as simple as possible, we will use a /24, or 255.255.255.0, netmask.
For the starting IP let's go with 192.168.200.1, and the last IP will be 192.168.200.254. The mask, as above, will be 255.255.255.0. Click OK and ensure that the pool you created is selected in the drop-down box.
This address range must be different from the one on the inside interface of the ASA; you do not want the addressing to clash. It is also worth avoiding the ranges home routers commonly use (192.168.0.0/24 and 192.168.1.0/24), because with split tunnelling a pool that overlaps the client's own LAN breaks routing on the client.
Your screen should look like the image below:
Click Next!
Step 7:
Still with us? Good. We are on the final straight now.
You will be prompted with the following options:
These are all fairly straightforward. If you are connecting to your office, use the office DNS, WINS and domain settings. If you are connecting to home, chances are you will want to use your ISP's DNS settings and make a domain up. You probably will not have a WINS server at home either, so this can be left blank.
Note: the domain name entered here is pushed to the client as its default DNS suffix, so short names such as “fileserver” resolve against the head office domain. Proper split DNS, where only lookups for the head office domain are sent encrypted to the office DNS server while other lookups (internet sites) go out of your home router, is a separate group policy setting (split-dns) that the wizard does not expose; it can be added afterwards under the group policy's DNS settings.
Click Next!
Step 8:
This screen is the IKE (Phase 1) policy, which protects the key negotiation itself. We will keep it simple: the wizard's defaults of 3DES for encryption, SHA for authentication and DH group 2 will work, but they are the weak end of what the ASA offers, and 3DES and group 2 are no longer considered adequate. Pick AES (256) for encryption instead; AES needs a larger Diffie-Hellman group to match its key size, and group 5 is the one recommended here, provided your ASA software and client support it.
Click Next!
Step 9:
This screen (the IPsec, or Phase 2, transform set that protects the actual data) looks similar to the last and uses similar terminology.
Here we will use AES-256 for encryption and SHA for authentication, as per the screen grab below:
Click Next!
Step 10:
This is usually where beginners get confused, so it's time for a scenario.
Let's presume that you are configuring all of this so that you can work from home on Fridays. Not such a bad use of the technology!
Your head office network is where the ASA is. The ASA protects your servers network, which is addressed 10.10.10.0 255.255.255.0 and you have 2 servers on there at the moment, a File server at 10.10.10.1 and a Domain controller/Exchange server at 10.10.10.2.
In this scenario we can fill out the current screen in two ways: add each of these hosts, or add the entire network. To keep things simple, we will add the entire network.
First, drop down the box and select the interface the servers sit behind. In our case, this is “inside”.
Once that is done, add the entire 10.10.10.0 255.255.255.0 network to the box and click “Add”, as per the screen grab below:
We will also tick the box to “Enable split tunnelling”. This sends only traffic for the networks listed above through the tunnel, so you can reach the Exchange server and file server at work while still reaching your local network devices and the internet directly. Bear in mind the trade-off: with split tunnelling the home PC is on your office network and on its own LAN and the internet at the same time, so anything that compromises that PC has a path into the office. If you would rather force all traffic through the tunnel, leave the box unticked, at the cost of routing the user's internet browsing through the ASA.
Click Next….
Step 11:
We are done with the configuration as far as the ASA is concerned. Check the summary screen, ensure everything is as you left it, and click Finish.
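For reference, the following is the CLI configuration equivalent to what the wizard builds for the scenario in this guide, written as an added example for this page rather than copied from an ASA or from the wizard's own output. It uses the ASA 8.0–8.3 syntax (later releases rename the isakmp commands to ikev1 and change NAT). The object names (VPN_POOL, SPLIT_TUNNEL, NO_NAT, VPN_FILTER, ESP-AES256-SHA, DYN_MAP, OUTSIDE_MAP), the username, the domain hq.example, the assumption that the domain controller at 10.10.10.2 is also the DNS server, and the placeholder key and password are all my assumptions; replace them with your own values. It also includes the stronger AES-256 / DH group 5 IKE policy discussed in Step 8, the NAT exemption the wizard generates for the networks listed in Step 10, and, marked optional, the VPN filter and split-DNS lines mentioned in Steps 1 and 7.

```cisco
! Added example: CLI equivalent of the wizard output for this guide's scenario.
! Names, the user, the domain and the placeholder secrets below are assumptions.

! Step 6: address pool handed to clients (must not overlap the inside network)
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0

! Step 10: networks reachable through the tunnel (split tunnelling)
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0

! Step 10: NAT exemption (pre-8.3 syntax). Without it the tunnel comes up but
! replies from the inside network are translated and never reach the client.
access-list NO_NAT extended permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Optional (Step 1): RDP-only restriction for a support group. Source is the
! client pool; this ACL still applies even though the interface ACL is bypassed.
access-list VPN_FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 10.10.10.2 eq 3389

! Step 1: the ticked box - decrypted VPN traffic bypasses the outside interface ACL
sysopt connection permit-vpn

! Step 7 and 10: settings pushed to the client
group-policy Tech_Support_HQ internal
group-policy Tech_Support_HQ attributes
 vpn-tunnel-protocol IPSec
 dns-server value 10.10.10.2
 default-domain value hq.example
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 split-dns value hq.example
 vpn-filter value VPN_FILTER
! split-dns: not set by the wizard; only lookups for hq.example use the tunnel
! vpn-filter: optional, remove the line if you do not want the RDP-only restriction

! Step 5: local user for user authentication
username gdubya password CHANGE-ME-long-random-user-password

! Steps 3 and 4: tunnel group = group name and pre-shared key (group authentication),
! local database for user authentication
tunnel-group Tech_Support_HQ type remote-access
tunnel-group Tech_Support_HQ general-attributes
 address-pool VPN_POOL
 authentication-server-group LOCAL
 default-group-policy Tech_Support_HQ
tunnel-group Tech_Support_HQ ipsec-attributes
 pre-shared-key CHANGE-ME-use-a-long-randomly-generated-key

! Step 8: IKE (Phase 1) policy - AES-256 / SHA / group 5 rather than 3DES / group 2
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
! NAT-T so clients behind home routers work (see the troubleshooting note at the end)
crypto isakmp nat-traversal 20

! Step 9: IPsec (Phase 2) transform set and the dynamic crypto map used for clients
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
```

Comparing this against your own running configuration (show running-config tunnel-group, show running-config group-policy, show running-config crypto) is a good way to check what the wizard actually produced, and the vpn-filter line is where the “RDP only” lockdown from Step 1 lives: with the interface ACL bypassed, it is the only thing limiting what a connected client can reach.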
Supplementary:
Configuring the VPN client to match the above ASA config:
1) Launch the VPN client and click “New”.
2) Fill out the details as previously configured:
The group was “Tech_Support_HQ” and the password was the one you generated in Step 3.
3) Enter the public IP address of the ASA you are connecting to (its outside interface).
4) Click “Save”. No other work is necessary here.
5) You should now have a profile in the VPN client list!
6) Double-click the profile. If everything is working, the group authentication succeeds silently and you are prompted for a username and password (user authentication), as below:
7) Enter the username and password and click OK. You should now be able to reach servers on your head office network!
If you have any issues, check that “Enable IPsec over NAT-T” is ticked on the ASA; it is in the IKE Parameters section of the VPN configuration in ASDM (the CLI equivalent is crypto isakmp nat-traversal). Almost every home router puts the client behind NAT, and without NAT-T the tunnel appears to negotiate but no traffic passes.
Any issues? Leave a comment below and we may be able to help.
April 10th, 2008 at 3:34 pm
This is good info. Currently I have my VPN client running to a 3000; can I set up my ASA 5505 to use the same credentials and use that as my VPN jump-off point from home? I know you can VLAN the ports; I would like to set up my VPN on one VLAN so I can run my PC dock, and possibly take a VoIP phone home as well and use that. Will that work?
April 10th, 2008 at 4:12 pm
That's not a problem for the ASA; there are a couple of ways you can do this. You can opt for the Cisco Easy VPN client functionality, or alternatively set up a site-to-site VPN.
September 3rd, 2008 at 9:44 pm
Hi.
Do you know if there is a guide for this wizard where, when you get to the choice of VPN, you go with the Windows VPN? I can't find any on the net.
I got the VPN up, but I cannot seem to get access to either the LAN or the internet. If I had that sort of guide I might find a solution for my problem.
//Mikael
September 9th, 2008 at 7:51 pm
Hi Mikael,
Probably best to use the packet-tracer command to get to the bottom of this. The output will tell you where things are falling down if you specify the correct source and destination.
February 6th, 2009 at 1:19 pm
Nice work! I'll have to do a cross post on this one.
February 17th, 2009 at 12:29 pm
Here is the best vpn server, that has a very long time using.
June 16th, 2010 at 7:01 pm
Awesome, I think you nailed it! Thanks for good writing. Regards