ASA VPN Configuration

08 June 2014

Here is my working VPN configuration for an ASA 5505 running ASA Version 8.4(7). All upper-case values need changing to suit your business requirements and personal taste. IP addresses are merely examples.

Network Object Mapping

object network OBJ_REMOTE_VPN_ENDPOINT
 subnet 172.16.0.0 255.240.0.0
 description OBJ_REMOTE_VPN_ENDPOINT is a label

object network OBJ_INSIDE_SERVER1
 host 10.100.100.131
 description OBJ_INSIDE_SERVER1 is a label

object network OBJ_INSIDE_HOST1
 host 10.100.100.190
 description OBJ_INSIDE_HOST1 is a label

object network OBJ_NATTED_INSIDE_HOST1
 host 10.0.7.190
 description OBJ_NATTED_INSIDE_HOST1 is a label

Access Control List

access-list INSIDE-OUTSIDE extended permit ip object OBJ_NATTED_INSIDE_HOST1 object OBJ_REMOTE_VPN_ENDPOINT
access-list ACL_VPN_NUMBER1 extended permit ip 10.0.7.176 255.255.255.240 172.16.0.0 255.240.0.0

Network Address Translation

nat (inside,outside) source static OBJ_INSIDE_SERVER1 OBJ_NATTED_INSIDE_HOST1 destination static OBJ_REMOTE_VPN_ENDPOINT OBJ_REMOTE_VPN_ENDPOINT description NAT inside host to private IP

Phase 1 ISAKMP

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2

Phase 2 IPSEC

crypto ipsec ikev1 transform-set AES256_SHA esp-aes-256 esp-sha-hmac

Group Policy

group-policy GPOLICY_NAME internal
group-policy GPOLICY_NAME attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1

tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
 default-group-policy GPOLICY_NAME
tunnel-group 8.8.8.8 ipsec-attributes
 ikev1 pre-shared-key A_VERY_WEAK_PRE_SHARED_KEY
 isakmp keepalive disable

Crypto Map

crypto map CMAP_OUTSIDE 11 match address ACL_VPN_NUMBER1
crypto map CMAP_OUTSIDE 11 set pfs
crypto map CMAP_OUTSIDE 11 set peer 8.8.8.8
crypto map CMAP_OUTSIDE 11 set ikev1 transform-set AES256_SHA
crypto map CMAP_OUTSIDE 11 set security-association lifetime seconds 28800
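The twice NAT, the interesting-traffic ACL and the crypto map above only work together if the crypto ACL selects the mapped (post-NAT) address, since on ASA 8.3+ NAT runs before the crypto map is consulted. The following added Python example (not part of the original post; ASA_CONFIG and the function names are my own, constructed from the configuration above) parses those lines and checks that the translated host falls inside the crypto ACL.

```python
import ipaddress
import re

# Constructed sample: the object, ACL, NAT and crypto-map lines from the post, one command per line.
ASA_CONFIG = """
object network OBJ_REMOTE_VPN_ENDPOINT
 subnet 172.16.0.0 255.240.0.0
object network OBJ_INSIDE_SERVER1
 host 10.100.100.131
object network OBJ_NATTED_INSIDE_HOST1
 host 10.0.7.190
access-list ACL_VPN_NUMBER1 extended permit ip 10.0.7.176 255.255.255.240 172.16.0.0 255.240.0.0
nat (inside,outside) source static OBJ_INSIDE_SERVER1 OBJ_NATTED_INSIDE_HOST1 destination static OBJ_REMOTE_VPN_ENDPOINT OBJ_REMOTE_VPN_ENDPOINT
crypto map CMAP_OUTSIDE 11 match address ACL_VPN_NUMBER1
"""

def parse_objects(config):
    """Map each 'object network' name to an ip_network (host and subnet forms)."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            objects[current] = ipaddress.ip_network(m.group(1))
        elif current and (m := re.match(r"\s+subnet (\S+) (\S+)", line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects

def parse_crypto_acl(config, acl_name):
    """Return (src, dst) networks from the ACL's 'extended permit ip' entry."""
    m = re.search(rf"access-list {acl_name} extended permit ip (\S+) (\S+) (\S+) (\S+)", config)
    return (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
            ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))

def check_nat_matches_crypto_acl(config):
    """Return mismatches between the twice NAT and the crypto map's match ACL.
    Empty list: the ACL selects the mapped source and the remote destination."""
    objects = parse_objects(config)
    nat = re.search(r"nat \(inside,outside\) source static (\S+) (\S+) destination static (\S+) (\S+)", config)
    real_src, mapped_src, _real_dst, mapped_dst = (objects[name] for name in nat.groups())
    acl_name = re.search(r"crypto map \S+ \d+ match address (\S+)", config).group(1)
    acl_src, acl_dst = parse_crypto_acl(config, acl_name)
    problems = []
    if not mapped_src.subnet_of(acl_src):
        problems.append(f"mapped source {mapped_src} is outside {acl_name} source {acl_src}")
    if not mapped_dst.subnet_of(acl_dst):
        problems.append(f"destination {mapped_dst} is outside {acl_name} destination {acl_dst}")
    if real_src.subnet_of(acl_src):  # ACL written against the pre-NAT address never matches
        problems.append(f"{acl_name} matches the real address {real_src}; match the mapped address instead")
    return problems
```

Run against a full `show running-config` export after changing the mapped host or the ACL mask to see the mismatch reported before the tunnel silently carries no traffic.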