本文转自:https://www.petenetlive.com/KB/Article/0000071

Problem

Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This is done via the ASDM console. Though if (Like me) you prefer using the Command Line Interface I’ve put the commands at the end.

You will need a RADIUS server, WIndows Server (2000 and 2003) Has its own RADIUS bolt on called Windows IAS Step 1 Below is a walkthrough on how to set this up.

It also uses the Cisco VPN client – the version used is v5 which is still in beta at the time of writing.

Solution

Note: This is an old post and covers setup on Server 2003, for a more modern version, (Server 2012/2016/2019) of this procedure, see the following article;

Windows Server Setup RADIUS for Cisco ASA 5500 Authentication

Step 1 Install RADIUS (Server 2003 Windows IAS)

Note: for Server 2008 go here and for Server 2012 go here.

1. Assuming you don’t already have IAS installed, Click Start > Control Panel > Add Remove Programs.

add rmeov eprograms

2. Add/Remove Windows Components.

window scomponents

3. Double Click “Networking Services”.

networking services

4. Tick Internet Authentication Service.

ias

5. Next

internet authentication services

6. The Service will install, NOTE it may ask you for the Windows CD, if you have already copied the i386 directory to a hard drive on the server, point it there instead.

i386

7. When its done click Finish.

2003 radius

8. Click Start > Run.

setup radius

9. Type mmc > OK.

launch mmc

10. An Empty MMC Console will open.

management console

11. Click File > AddRemove Snap-in.

add snapin

12. Click Add

add mmc

13 Scroll down to Internet Authentication Service (IAS), Select it > Add.

14. Finish

finish

15. Close.

16 OK.

close mmc

17 Right Click “RADIUS Clients” > New RADIUS Client.

radius client

18 Give it a sensible name like “CiscoASA” > Enter its IP address > Next.

client name

19 Client vendor set to “RADIUS Standard” > Enter a shared secret to use in this example I’ll use 123456 I suggest you use something more secure 🙂 > Finish.

radius password

20 Back at the main console > Select “Remote Access Policies” > Right Click “Connections to other Access Servers” > Properties.

ias policy

21 Tick “Grant remote access permissions”. > Press the Edit Profile button.

change policy ias

22. On the Authentication tab, tick Unencrypted authentication (PAP SPAP)

pap spap

23. On the Encryption tab ensure “No Encryption” is ticked.

no encryption

24. Pah! Reading help files is for the weak > No.

help file

25. Apply > OK.

end radius

26. We will now create a new user to use the RADIUS. Click Start > dsa.msc > OK. Active Directory Users and COmputers will open.

ADUC

27 Right click the OU you want your user created inside > New > User.

gran user vpn

28. Give the user a name and logon name, e.g. user2 > Next > Enter and confirm a password and tick Password Never Expires > Next.

username

29. If you have Microsoft Exchange you will see this next if you don’t see it don’t panic > Next

grant mailbox

30. Finish

31. Locate the user > Right Click > Properties.

user properties

32. On the Dial in Tab select “Allow Access” > Apply > OK. Then close all the open windows.

Step 2 Add the RADIUS server to the ASA5500 as an AAA Server.

grant dial in

1. Open the ASDM > Configuration > Properties >AAA Setup > AAA Server Groups > Add.

asa aaa

2. Give the Server group a name e,g “WindowsIAS” > Select RADIUS > OK.

ASA AAA server group

3. In the bottom section titled “Servers in the selected group” Click Add.

Add to AAA

4. Set interface name to “Inside” > Enter the IP Address of the Windows server > Enter the “Server Secret Key” (you specified above in Step1 Number 19) > Re-enter the same one next to “Common Password.” > OK.

RADIUS Password ASA

5. Click Apply > Test.

6. Select Authentication > Enter the username and password you created earlier (Step 1 Numbers 28,29 and 30) > OK.

Test Authentication

7. If it fails recheck all your previous settings. > OK.

check radius

8. Back at the ASDM > File > Save Running Configuration to Flash”.

save to flash

Step 2 Configure the ASA for Client VPN Access.

1. Open up the ADSM console. > Click Wizards > VPN Wizard.

vpn wizard

2. Select “Remote Access”. > Next.

remote access vpn

3. Select Cisco VPN Client. > Next.

vpn remote client

4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. “RemoteVPN”. > Next.

pre shared key

5. Select “Authenticate using an AAA Server Group “. > Select The Server Group you created in Step 2 > Next.

AAA authentication

6. Now we need to create some IP addresses that the remote clients will use when connected. > Click New.

VPN Pool

7. Give the Pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DONT have to be on the same network as your internal IP’s – In fact, for auditing its good practice to make them different). > Enter a Subnet Mask. > OK.

VPN IP range

8. Click Next.

VPN pool

9. Enter the details you want the remote clients to use while connected, DNS servers, WINS Servers and domain name. > Next.

VPN DNS Servers

10. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note some Cisco VPN clients will not support AES). > Next

encryption VPN

11. Again leave it on the default of 3DES and SHA. > Next.

Hashing VPN

12. You can choose what IP addresses you want the remote VPN clients to have access to, first change the drop down to “Inside”, here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.

NOTE If you do not tick the box to enable “Split Tunneling” then the client cannot browse the internet etc while connected via VPN.

split tunnelling

13 Review the information at the end of the wizard. > Finish

review vpn settings

14 Now you need to save the changes you have just made, From the ASDM Select File > “Save running configuration to flash”

Save firewall changes to memory

Step 2 Configure the Client VPN Software on the remote client.

Also See THIS VIDEO

1. I’ll assume you have the software installed you can get it from two places, On the CD that came with the ASA, or download it direct from Cisco (NOTEthis needs a valid Cisco CCO account and a service contract). > Click New.

vpn client

2. Under connection entry give the connection a name e.g. “Remote VPN to Office” > Under “Host” enter the Public IP of the ASA (NOTE I’ve blurred this one out to protect my IP address). > Under “Name” enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE these are NOT the usernames and passwords you created in Step 1 number 6. > Click Transport Tab.

vpn connection settings

3 Accept the defaults but tick “Allow LAN access if you want to be able to access YOUR drives etc from the network behind the ASA” > Save.

connection host IP

4. Select the Connection you have just created. > Connect.

launch vpn connection

5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK.

vpn username cisco

6 After a few seconds (provided the details were all right) it will connect, hover over the padlock in your task tray and it should say “VPN Client – Connected”.

VPN connected

Do the same thing from command line

access-list remotevpn_splitTunnelAcl standard permit 10.254.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool vpnpool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
aaa-server windowsias protocol radius
aaa-server windowsias host 10.254.254.10
key 123456
radius-common-pw 123456
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.254.254.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remotevpn_splitTunnelAcl
default-domain value petenetlive.com
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool vpnpool
authentication-server-group windowsias
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey