  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 11288

How to configure a Windows VPN client to access the CISCO VPN device

I have a CISCO ASA5505 set up for Remote Access VPN, both IPSEC and L2TP. I can access the device just fine using the CISCO VPN client but want to have the option to do so using a Windows client as well.

1) I think I have configured the device just fine. Below is the Running Config. However I am unable to log in and receive errors indicating that the SA payload is invalid and unable to remove Header entry. I am thinking I am probably putting the wrong user name and password. Any suggestions?

2) Also is it possible once the client is configured to create a Batch file so that a user could simply double click on the file to have the client configuration installed on his/her computer?

Thanks.

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XolaqzZOF0GNB2KQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.11 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.x.x.x 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool CFGC 192.168.5.112-192.168.5.122 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.0.0 255.255.0.0 192.168.5.1 1
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-3DES-SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
group-delimiter @
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy CFGC internal
group-policy CFGC attributes
 wins-server value 192.168.5.9 192.168.5.215
 dns-server value 192.168.5.215 192.168.5.9
 vpn-tunnel-protocol IPSec
 default-domain value childguidance.org
group-policy CFGC1 internal
group-policy CFGC1 attributes
 wins-server value 192.168.5.9 192.168.5.215
 dns-server value 192.168.5.215 192.168.5.9
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value childguidance.org
username hiran1 password 3YX6J5v8ndCuU+OpQWvIWQ== nt-encrypted privilege 15
username hiran1 attributes
 vpn-group-policy CFGC1
 vpn-tunnel-protocol IPSec l2tp-ipsec
username hiran password TxwwacgGUcdSGFtB encrypted privilege 15
username hiran attributes
 vpn-group-policy CFGC
username jeff password M.BNdpNp46vb1.wF encrypted privilege 15
username jeff attributes
 vpn-group-policy CFGC
username jeff1 password wKNiKx/X0G8dw7a+TXz0dA== nt-encrypted privilege 15
username jeff1 attributes
 vpn-group-policy CFGC1
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group CFGC type ipsec-ra
tunnel-group CFGC general-attributes
 address-pool CFGC
 default-group-policy CFGC
tunnel-group CFGC ipsec-attributes
 pre-shared-key *
tunnel-group CFGC1 type ipsec-ra
tunnel-group CFGC1 general-attributes
 address-pool CFGC
 authorization-server-group LOCAL
 default-group-policy CFGC1
 strip-realm
 strip-group
tunnel-group CFGC1 ipsec-attributes
 pre-shared-key *
tunnel-group CFGC1 ppp-attributes
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:684180cb440f09ed64932da2c09643a5
: end
Asked by: cfgchiran
1 Solution
 
Joseph Hornsey (President and Janitor) commented:
Take a look at this article:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

This is what I used to configure the Windows client to connect to a PIX 515 running 7.2(2).  It should work on an ASA as well.

<-=+=->

cfgchiran (Author) commented:
Thanks. From what I am gathering I am wondering if I have to have a RADIUS server or some server with local accounts (other than the user account I created on the CISCO ASA) to authenticate to the CISCO VPN.

Still confused as to which username and password I should put for the Windows VPN client on the client itself before connecting.

Joseph Hornsey (President and Janitor) commented:
I use Internet Authentication Service in Windows.  It's Microsoft's RADIUS server and it's built into Windows 2000 and Windows 2003 servers.

Here's the link I used to configure it:
www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

Basically, between that doc and the other, you should be able to get this going.

Good luck!

<-=+=->

cfgchiran (Author) commented:
SplinterCell: Thank you for the response.

Just to clarify - it's NOT possible to use a Windows VPN client to connect to a CISCO ASA/PIX without a RADIUS server? On the attached image, for the user name and password that is requested, is it not possible to use a local user database on the CISCO ASA/PIX?

Meaning must I have an Internet Authentication Service available in Windows to authenticate?

If I was simply using the CISCO client it is possible to connect without using an authentication server, by using a local user database on the ASA/PIX itself. Is that not possible with the Windows VPN client?
windows-VPN-screenshot.pdf

Joseph Hornsey (President and Janitor) commented:
Actually, I think you can.  I use Windows IAS so that I can control it all with Active Directory.  Take a look at Step 10 under "L2TP Using ASDM Configuration" in that first link I gave you.  You'll see there that the tunnel group authentication server group is set to Local.  This should use the ASA's user database.

I greatly prefer using Windows IAS because all of the networks I manage are Active Directory, and I hate having to manage multiple usernames for each user.  If, however, you're not in an Active Directory environment, this isn't a choice and using the local ASA database should be fine.

What are your thoughts?

<-=+=->


Joseph Hornsey (President and Janitor) commented:
To clarify (after re-reading your second post), if you set that authentication server group to "Local", then the user name and password you put into the client would be the user name and password you set up on the ASA.

<-=+=->

cfgchiran (Author) commented:
I do use AD - but was worried if I would be compromising its security by making it available on the VPN. I have tried the ASA local group method, but I keep getting an error message that indicates "invalid header" information.

I know if I use the CISCO client, then I use the Tunnel Group name and PSK for the initial log on info and then it prompts me for a user name and password, which I use from the local user group I have created on the CISCO.

Any thoughts?

Joseph Hornsey (President and Janitor) commented:
I'd try it out with IAS and Active Directory and see what happens.  It works beautifully in our environments, although I'm exclusively using the Cisco VPN Client.

As far as it being a security risk, I actually think it enhances security because whichever users are utilizing the VPN are being managed by the same policies and restrictions as everyone else.  This cuts down on the amount of administration you have to do.  Most security problems are caused by administrator mistakes, so the less there is to manage, the less chance there is of making a mistake which could cause a security concern.

The only real risk you face is that the RADIUS traffic between the ASA and IAS is going across your network in clear text.  In a switched environment (rather than using hubs), this is only a theoretical risk unless users have physical or vty access to your switches.

So, I'd go with IAS and make your life easier in the long run - a bit more work up front, but not much.  And the docs are pretty good at giving you details.

What version of Windows are you running?

<-=+=->

cfgchiran (Author) commented:
Thank you. I have a Win 2003 domain with 2k and 2k3 AD servers. All XP Pro workstations.

Joseph Hornsey (President and Janitor) commented:
Well, I think you should be good to go, then.  If you were running Vista, I'd be concerned....

<-=+=->

cfgchiran (Author) commented:
No Vista - not anytime soon anyway. :) - I think I prefer to use the CISCO client too, but wanted an option that would be easy for the staff to configure, and that's why I was considering the Windows client.

With your experience using the CISCO client, have you figured out an easy way to provide your home users with the client and the config information? Is there any way to run a batch file (after the client is installed) to configure the client with the PSK and Tunnel Group name, so that the PSK does not need to be shared with them?

Joseph Hornsey (President and Janitor) commented:
Well, what I've done is create a step-by-step guide for them with screenshots and stuff for the installation and configuration.

Check out this link, though:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/administration/guide/vcAch2.html#wpxref35352

A buddy of mine used this to come up with a preconfigured install for his clients.  I've just been too lazy to deal with it.

<-=+=->

cfgchiran (Author) commented:
Thank you very much for all your help.

cfgchiran (Author) commented:
Awesome feedback. Took a lot of time to answer my various questions. Really appreciate it. Thank you.

Joseph Hornsey (President and Janitor) commented:
You're welcome and thanks for the points!

Just out of curiosity, did you get this to work?  What solution did you end up using?

<-=+=->

cfgchiran (Author) commented:
Have not yet finalized a solution, though I am most likely going to use the CISCO client with RADIUS. Just trying to figure out the creation of the PCF file to include with the client software for deployment to remote staff.

Thanks again for all your help. The points are well earned. :)