Using the Cisco ASA 5505 as a VPN server with the Cisco VPN Client software

This walkthrough describes how to use your Cisco ASA5505 as a VPN server for a remote client. The remote client does not need to have a 5505 as a VPN endpoint; it only needs to have the Cisco VPN Client software installed.

To configure the ASA5505, first log into it using the Cisco ASDM.

  1. Click the “Wizards” drop down, select “VPN Wizard.”
  2. Select “Remote Access,” click Next.
  3. Select “Cisco VPN Client,” click Next
  4. Select “Pre-shared key,” then fill in what I’m going to call your “VPN Connection Password.” This key is saved in the connection profile on every client that connects, so treat it as a shared secret that all of your VPN users hold, and make it as long and random as possible.
  5. Tunnel Group Name: Enter what I’m going to call your “VPN Connection Username,” and Click Next.
  6. Select “Authenticate using the local user database,” click Next.
  7. Create a username and password for each VPN user, click Next.
  8. Click “New…” to create a new VPN IP pool. You can use any range here, as long as it does not overlap the inside network, the outside subnet, or the network the remote client sits on. Here is my suggestion:
    • Name: VPNUsers
    • Starting IP Address: 192.168.15.194
    • Ending IP Address: 192.168.15.220
    • Subnet Mask: 255.255.255.224
    • Click “OK.”
  9. Click Next.
  10. Fill in the DNS and WINS server addresses that connected VPN clients should use, and click Next. If you point clients at an internal DNS server, it must sit inside the subnet you list for split tunneling below, or the clients will not be able to reach it.
  11. IKE Policy defaults are fine, click Next.
  12. IPSec defaults are fine, click Next.
  13. Leave NAT Settings blank, but check “Enable Split tunneling” at the bottom and click Next.
  14. Click Finish.

One more step: without this, a connected client can reach nothing except the internal network, because all of its traffic is forced into the tunnel.

  1. Click “Configuration” at the top of the screen.
  2. Click “VPN” on the left side of the screen.
  3. Under “General,” click “Group Policy.”
  4. Click the Group Policy that corresponds to the one you defined during the Wizard, and click the Edit button.
  5. Click the Client Configuration Tab.
  6. Click the “Manage” button next to Split Tunnel Network List.
  7. Double click the Entry under the Standard ACL tab.
  8. Change the IP address and Netmask to match that of your internal network, the subnet where your servers are located.
  9. Click OK, OK, OK and finally: Apply.

Now that we’ve done all that, we should save the running configuration to flash (the startup configuration), or it is lost at the next power cycle. I like to do a reboot while I do this, and we can do it using the Cisco ASDM! (The reboot itself is optional; saving is what matters.)

  1. Click Tools and select System Reload.
  2. Be sure to change the radio button at the top to Save the running configuration at the time of reload.
  3. Click “Schedule Reload,” Yes, and Exit ASDM.
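For readers who want to audit what the wizard and the Group Policy edit actually wrote, here is the equivalent running configuration typed out by hand. This is an added example, not output from the original walkthrough or from Cisco; it uses the pool from step 8 and assumes an inside LAN of 192.168.1.0/24, an internal DNS server at 192.168.1.10, a tunnel group named RemoteVPN and a user named alice (all assumed values). The NAT syntax is the pre-8.3 form that matches the ASDM version shown here; 8.3 and later use a different NAT syntax.

```cisco
! Added example: CLI equivalent of the ASDM VPN Wizard steps above.
! Assumed values: inside LAN 192.168.1.0/24, DNS 192.168.1.10,
! tunnel group RemoteVPN, user alice. Pool is the walkthrough's
! 192.168.15.194-220 /27, i.e. subnet 192.168.15.192/27.

! Step 8: address pool handed to connecting clients. Must not overlap
! the inside LAN, the outside subnet, or the remote client's own LAN.
ip local pool VPNUsers 192.168.15.194-192.168.15.220 mask 255.255.255.224

! Steps 6-7: local user database, one strong password per user.
username alice password Str0ng-Per-User-Passw0rd

! Step 13 + Group Policy edit: only the inside LAN goes through the
! tunnel. The client installs a route for exactly this network.
access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0

! NAT exemption so LAN -> VPN pool replies are not translated. Without
! it the return path breaks and clients can ping nothing inside.
access-list NoNAT extended permit ip 192.168.1.0 255.255.255.0 192.168.15.192 255.255.255.224
nat (inside) 0 access-list NoNAT

! Step 10 + split tunneling: attributes pushed to the client.
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 vpn-tunnel-protocol IPSec
 dns-server value 192.168.1.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel

! Steps 4-5: tunnel group = "VPN Connection Username", its pre-shared
! key = "VPN Connection Password" (stored in every client's profile).
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool VPNUsers
 authentication-server-group LOCAL
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key Ch4nge-Me-To-A-Long-Random-Group-Key

! Steps 11-12: IKE phase 1 and IPsec phase 2. The wizard default of
! that era was 3DES/SHA/group 2; the VPN Client also supports AES, so
! AES-256 is used here. Choose a larger DH group where the client allows.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside

! Decrypted VPN traffic bypasses the outside interface ACL while this
! default is in effect; turn it off only if you add explicit VPN rules.
sysopt connection permit-vpn

! Persist to flash; equivalent to the "Save the running configuration"
! option in the System Reload dialog, without the reboot.
write memory
```

The two access lists are the parts most often wrong in practice: the split-tunnel list decides what the client routes into the tunnel, and the NAT exemption decides whether the LAN’s replies come back untranslated. Both have to name the subnet your servers actually live on.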

To connect your new VPN, you’ll need the Cisco VPN Client. I’m using version 4.6.

  1. Install the Cisco VPN Client.
  2. Click “New.”
    • Connection Entry: Name of the VPN connection. I used the same thing I put in for the Tunnel Group Name (VPN Connection Username), but you can use whatever you want.
    • Host: The IP address or DNS name of the VPN Server.
    • On the Authentication Tab, make sure “Group Authentication” is selected.
    • Name: Put whatever you put for Tunnel Group Name (VPN Connection Username).
    • Password: put in your pre-shared key (the “VPN Connection Password”).
    That’s it! Hit Save.

To connect, double-click the connection entry you just created.
Enter the username and password you created for that user on the Cisco ASA5505 during the VPN Wizard (step 7).

Done and Done!
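If the client connects but cannot reach internal hosts (the symptom several commenters below describe), these checks on the ASA narrow it down. This is an added list, not part of the original walkthrough; it assumes the tunnel group is named RemoteVPN and uses the pool from step 8.

```cisco
! Added example: post-connection checks on the ASA, in the order a
! failing session usually gets diagnosed. Assumed group name RemoteVPN.

! Phase 1 up? Expect MM_ACTIVE (QM_IDLE on older code) for the client's
! public IP. Nothing here means the PSK or group name is wrong.
show crypto isakmp sa

! Phase 2 up and carrying traffic? On the ASA "#pkts decaps" counts
! packets from the client, "#pkts encaps" counts replies. Decaps rising
! with encaps at zero means inside hosts are not replying via the ASA:
! usually a missing NAT exemption or a missing route on the host side.
show crypto ipsec sa

! Who is connected, which group policy they received, assigned pool IP.
show vpn-sessiondb remote

! What the client was pushed. The split-tunnel list must cover the
! subnet your servers are on, or only part of the LAN is reachable.
show running-config group-policy RemoteVPN
show running-config access-list SplitTunnel

! Return path: the pool 192.168.15.192/27 must be exempt from NAT, and
! inside hosts whose default gateway is not the ASA need a route for it
! pointing at the ASA's inside address.
show running-config nat
show route

! Live view of a failing IKE negotiation; stop it with "undebug all".
debug crypto isakmp 127
```

Read the `show crypto ipsec sa` counters first: if decaps climbs and encaps stays at zero, the tunnel itself is fine and the problem is on the LAN side (NAT exemption, host routes, or a device that simply does not answer pings).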

21 thoughts on “Using the Cisco ASA 5505 as a VPN server with the Cisco VPN Client software”

  1. Trond

    Is it so that I shall put the DNS server IP address from the outside, as in, for instance, 8.8.8.8 (the Google DNS server addresses)?

    Or do I have to create DNS-servers and domain(s) inside the network?

  2. Matthew

    Hello @ all,

    I’m having trouble pinging some of the internal devices when connected via VPN (Cisco ASA 5505). I am able to ping some of the devices (Windows servers) but not able to ping other IP devices. That’s very strange to me. Does anyone have any insight on this?

    Internal network is 192.168.1.0/24
    VPN IP pool is 172.16.50.0/24

    My VPN IP is 172.16.50.8 and I am able to ping 192.168.1.6 (Windows server) but not able to ping 192.168.1.230 (Cisco wireless AP) on the same subnet, and both devices have the same GW 192.168.1.1.

    Thanks

    Matthew

    1. Anthony Curreri

      Matthew, some devices are configured not to respond to pings, for security reasons. You can possibly change the device’s configuration to tell it to respond to pings, or maybe it has the option to administer it from outside, so you could try accessing it using a web browser to check connectivity.

  3. Charles Biggers

    What would I do if I had 2 internal subnets I needed the Client to access? I can get 1 subnet working at a time but I need to access both. Can you help?

  4. Matthew

    Hello @ Peter,
    Can you expand on your comment “I had to add a new static route, keyword “tunneled” (route inside 0.0.0.0 0.0.0.0 192.168.15.254 tunneled) with .254 being the next hop routers on both networks”?

    What do you mean by “.254 being the next hop routers on both networks”? Is .254 your inside router interface?

    Thanks

    Matthew

    1. Anthony Curreri

      (I know I’m not Peter, but…) .254 is a pretty common gateway address. My guess is that it’s the same as the gateway that a client on the same network segment would get if they acquired their address through DHCP. My $0.02.

  5. Peter

    Hey @all,

    Ha! It’s done 😉
    I had to add a new static route, keyword “tunneled” (route inside 0.0.0.0 0.0.0.0 192.168.15.254 tunneled),
    with .254 being the next hop routers on both networks. The key is the ‘tunneled’ at the end of the default route that will lead to your internal infrastructure network.

  6. Anthony Curreri

    Peter,

    I don’t have anything set in the VPN policy section. That sounds fine to me, you just need to make sure that the subnets you use behind the firewall and for the VPN pool are both different from each other, and are also different from the networks that the VPN device and the client are located on.

    If you can take your unit off line to work on it, I would:

    1) wipe the current config,
    http://www.mailbeyond.com/restoring-factory-defaults-to-the-cisco-asa5505-firewall-via-the-console

    2) set a static ip
    http://www.mailbeyond.com/set-a-static-ip-for-your-cisco-asa5505-firewall

    3) follow these directions, making sure your subnets are all unique. It should work, it’s worked for me.

  7. Peter

    Anthony, I use the ASA5505 as default gateway for some servers (NAT works): LAN > ASA5505 > cable modem > internet

    VPN: I’m using the same VPN IP pool described in your tutorial. On the client that connects to the ASA there is a route:
    192.168.21.0 (internal lan behind the asa)
    255.255.255.224 (mask)
    192.168.15.194 (VPN client IP address and gateway for internal LAN behind the ASA)

    I think this is correct but I can’t reach any host behind the ASA.

    Do I need some security policies for the VPN IP pool network?

  8. Peter

    Hey Anthony, thanks for your blog – amazing!
    I followed your instructions step by step, but now I am having the same problems as KMAC. I can connect to the ASA with the Cisco VPN Client. I can resolve any internet host but no internal host behind the ASA. Do I need a special static route for the VPN tunnel?

    Peter

    1. Anthony Curreri

      Peter, I’m not sure what problem you guys are having. Maybe it’s the static route, I do have a static route set, because I used the directions available here to give the unit a static IP: http://www.mailbeyond.com/set-a-static-ip-for-your-cisco-asa5505-firewall

      Here’s just the route part of that page:

      1. Click ‘Routing’ on the left, make sure ‘Static Routes’ is selected.
      2. This box is probably empty. Click ‘Add’.
      3. For the interface name, select ‘Outside’ (or whatever the outside interface is named).
      4. In the IP Address field, type: ‘0.0.0.0’
      5. In the Mask field, type: ‘0.0.0.0’
      6. In the Gateway IP field, type the gateway outside of your ASA5505, i.e. whatever its gateway is. If you have a box on the same subnet as the Cisco box, do an ipconfig /all and use the gateway listed there.

      And maybe you’re encountering this: http://www.mailbeyond.com/nat-routing-problem-on-cisco-asa-5505

      If anyone has any ideas, please leave a comment here!

  9. Anthony Curreri

    Jeremy, I’m not sure what your problem is based on your description. What IP address did DHCP give your computer? What IP address is the Virtual VPN client adapter set to? What is the IP address of the host you wish to connect to? The host needs to be behind the firewall… Can you browse the web and get other network traffic?

  10. Jeremy

    I am having the same problem. I can connect to the VPN via the client but I cannot get anywhere with it. My computer is set to DHCP on the client and still nothing. Could it be the NAT settings?

  11. Pingback: What’s the easiest way to connect 2 small remote offices together with VPN (with “consumer” broadband routers)? | High Speed Routers

  12. Pingback: Using the Cisco ASA 5505 as a VPN server with the VPN Client …
