Browsing All Posts filed under »VPN«

Certificate mapping to anyconnect tunnel-group I.

July 15, 2011


I try to configure the ASA to find the tunnel for anyconnect users according the certificate details. The command look like following: firewall(config)# crypto ca certificate map <certificate-map-name> <sequencenumber> Where the sequencenumber is the Sequence to insert into certificate map entry firewall(config)# webvpn firewall(config-webvpn)# certificate-group-map <certificate-map-name> <certificate-map-index> <tunnel-group name> Where the certificate-map-index is the index […]

Configuring remote access vpn with IKEv1, IKEv2 and SSL in the same time

March 9, 2011


With the following configuration and with sufficient license we should be able to connect to our Cisco ASA firewall with Cisco Anyconnect and with the new Anyconnect Secure Mobility Client (the first Cisco IKEv2 client) and with the old Cisco VPN client with IKEv1, that is natively supported on some Apple devices, like an IPad. […]

RA VPN keepalives and timouts

December 13, 2010


RA VPN timeouts 1. Session timeouts 2. IPSec SA lifetimes 3. ISAKMP lifetimes and Nat-T keepalive interval 4. Timeout in the group policy 5. DPD timeouts. 1. Session timeouts As the VPN may go through many Firewall till it reaches the VPN gateway it can happen that the session is broken before the timouts here […]

Isakmp keepalive and IPad and your ISP

December 7, 2010


Have you already experienced that the VPN session times out without after some minutes on your IPad. No matter if the keepalive setting is reached or not, it will disconnect after some minutes. There is a document for IPads what the support regarding the IPSEC. Here ist the link: (Page 68 – Certificate section.) […]

Configuring SSL VPN for Anyconnect

November 28, 2010


The AnyConnect client provides remote end users running Microsoft Vista, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client, and supports applications and functions unavailable to a clientless, browser-based SSL VPN connection. In addition, the AnyConnect client supports IPv6 over an IPv4 network. The AnyConnect […]

Certificate based RA VPN with openssl

November 22, 2010


The basic certificate based VPN is as easy as the VPN with pre-shared key. There is only some additional steps required from the ASA site. The problems arise if the clients starts to use certificates without knowing what and how they should do. As a Firewall administrator you can not have responsibility for all clients, […]

Basic Site to Site VPN with pre-shared key

November 19, 2010


In the following example I configured a basic L2L VPN between 2 PIX firewall with pre-shared key. The Firewalls has different software versions, the sp2 is an old 6.3.4 version firewall (no more support..). sp1 (Cisco PIX Security Appliance Software Version 7.1(2), PIX-515E) E0 – ssw fa0/20 E1 – ssw fa0/12 sp2 (Cisco PIX Firewall […]