EzVPN Remote with ASA5505

Yes, I did say I was going to continue our WebVPN saga, but it just came to me to set up an ASA5505 for remote access VPN or EzVPN remote and I though why not put it in a blog. It is a common scenario: we have small ASA5505 for small remote office and want to secure a traffic to HQ. Underlying connection could be ethernet, which is simple to set up, or it could be an ADSL connection with PPPoE. This is our case.

First we are going to initialize our outside interface. Like I said, we are going to use PPPoE.

Let’s start with creating PPPoE profile or VPDN group that we will attach to an outside interface:

ASA1# show run vpdn   
vpdn group TELCO request dialout pppoe
vpdn group TELCO localname someuser@adsl
vpdn group TELCO ppp authentication pap
vpdn username someuser@adsl password somepass

We have just created a PPPoE profile called TELCO with a username of someuser@adsl and password somepass. Some telcos uses a form of just someuser and some uses someuser@adsl or something similar. This along with a password is provided to us by telco upon signing an agreement. Authentication type is dictated by telco and most often it is a CHAP or a PAP, such as in our case.

Now we need to bring up Ethernet0/0 up and assign it to VLAN2 which will be an outside interface. Then under VLAN2 we will tie this interface to a PPPoE profile just created and assign a security level:

ASA1(config)# interface ethernet0/0
ASA1(config-if)# switchport access vlan 2
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
ASA1(config)# interface vlan 2
ASA1(config-if)# ip address pppoe setroute
ASA1(config-if)# nameif outside
ASA1(config-if)# no shutdown
ASA1(config-if)# exit

This shoud be enough to give us a basic connectivity:

ASA1# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms

The inside story is a short one:

ASA1(config)# interface ethernet 0/1
ASA1(config-if)# switchport access vlan 1
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
ASA1(config)# interface vlan 1
ASA1(config-if)# ip address 10.x.y.193
ASA1(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA1(config-if)# no shutdown
ASA1(config-if)# exit


Finally, before we deal with the tunnel, let’s complete NAT configuration and allow pings through the ASA:

ASA1# conf t
ASA1(config)# fixup protocol icmp
INFO: converting ‘fixup protocol icmp ‘ to MPF commands
ASA1(config)# exit


ASA1(config)# object network INSIDE                 
ASA1(config-network-object)# subnet 10.x.y.192    
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config-network-object)# exit

This is a post 8.2 NAT that tells the ASA: hey, mister firewall, I have just created a subnet 10.x.y.192/28 and would like you to NAT it to the outside interface’s IP address.

Once we did all this and verified our connectivity through the ASA, we are ready for a VPN portion.

First, let’s do EzVPN remote:

ASA1# show run vpnclient
vpnclient server a.b.c.d
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup REMOTE_OFFICE_GROUP password grouppassword
vpnclient username REMOTE_OFFICE_USER password userpassword
vpnclient enable

I think that this config snip is self-explanatory: we are auto-connecting to server a.b.c.d with a group name REMOTE_OFFICE_GROUP and user REMOTE_OFFICE_USER. We are using network-extension mode, which allows HQ users to access remote office as well. Finally, we enable EzVPN remote.

Now the EzVPN server is a little more complicated, but still not a big deal:

group-policy REMOTE_OFFICE_POLICY internal
group-policy REMOTE_OFFICE_POLICY attributes
password-storage enable
nem enable

tunnel-group REMOTE_OFFICE_GROUP type remote-access
tunnel-group REMOTE_OFFICE_GROUP general-attributes
default-group-policy REMOTE_OFFICE_POLICY
tunnel-group REMOTE_OFFICE_GROUP ipsec-attributes
pre-shared-key grouppassword

username REMOTE_OFFICE_USER password userpassword privilege 0

We defined internal group-policy REMOTE_OFFICE_POLICY which enables password storage on a remote ASA5505 and network extension mode. We then created a tunnel group REMOTE_OFFICE_GROUP with the password that matches one on the remote box. We also connected this group to a group policy. More on this binding and attributes you can find in blogs about WebVPN. Finally we created a username for XAUTH authentication. This password needs to match the one created on the remote ASA.

Of course, we need ISAKMP parameters, IPSec transformation, crypto map and dynamic map, routing in place and access lists that suit our needs. You can find more on this params in this blog.

Finally, verification. On the HQ side:

ASAHQ/pri/act# show vpn-session remote filter name REMOTE_OFFICE_USER

Session Type: IPsec

Username     : REMOTE_OFFICE_USER     Index        : 16367
Assigned IP  : 10.x.y.192            Public IP    : 94.z.w.63
Protocol     : IKE IPsec
License      : IPsec
Encryption   : AES256                 Hashing      : SHA1
Bytes Tx     : 4440                   Bytes Rx     : 4440
Login Time   : 12:03:53 CEST Tue Jul 17 2012
Duration     : 0h:01m:19s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


And on remote: “show vpnclient”, “show crypto isak sa” and “show crypto ipsec sa”.

This entry was posted in ASA, Cisco, VPN and tagged , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s