
Configure VPN server on Cisco 5505 ASA


I got a brand new Cisco ASA 5505. I need to configure it as a VPN server, just like the Cisco VPN 3000 concentrator we currently have, so that we can connect from VPN clients at remote branches. We have Cisco ASA 5505s on the remote sites as well, which we want to use as VPN clients in order to connect to another Cisco 5505 at head office, which should act as the VPN server.
I am new to the ASA 5505. Is there an easy step-by-step way I can achieve this? Thanks.
1 Solution
tech2010Author Commented:
This link is no good.

If anyone has any other information, please come forward. Thanks.
The easiest way is to install PDM/ASDM on the ASA.

The link above will help you find the correct version for the version of ASA you are running.
Once you have loaded the DM, on the ASA you need to configure:
http server enable
http 0 0 inside

This will give all hosts on the inside network access to the DM (you can restrict which IPs you want to give access to)

Now, from your machine that has access, open a browser and point to https://ASA_IP

You should now have GUI access to your ASA.

Now under Wizards, you should have a way to set up Remote Access VPN. Just enter all the information in the wizard all the way to the end. It should configure a working remote access VPN setup for you.
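
The ASDM access lines from the post above next to a restricted form, as an added example that is not part of the original thread. The 10.0.0.50 admin host, the user name and the password are placeholders chosen for illustration.

```cisco
! Added example (ASA 8.x CLI). Addresses and credentials are placeholders.

! As posted: every host on the inside network can reach ASDM
http server enable
http 0 0 inside

! Restricted: only one admin workstation may reach ASDM,
! and it must log in with a local privilege-15 account
no http 0.0.0.0 0.0.0.0 inside
http 10.0.0.50 255.255.255.255 inside
username asdmadmin password <PLACEHOLDER_PASSWORD> privilege 15
aaa authentication http console LOCAL

! Confirm which sources are still allowed
show running-config http
```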
What version of ASA 5505 do you have?  You said you currently have a vpn 3000 series concentrator.  Depending on the model, that will support many more simultaneous tunnels than your ASA.  If you purchased the ASA 5505 base license, it only supports 10 simultaneous IPSec tunnels and only 2 SSL vpn tunnels.  If you currently have 25 people or so logging into your concentrator, you'll need to upgrade your ASA license.  

Also consider configuring site-to-site vpns to the remote ASAs instead of using the client vpn model (easyvpn).  EasyVPN is a non-stop pain in the rear, I don't know anyone who likes it.  Setting up site-to-site vpns is a piece of cake.  

Answer these questions for me, and I'll reply with step-by-step commands to configure ipsec remote access, webvpn and site-to-site connections:

(1) For remote access-vpn users, what do you want to use to authenticate them?  Certs, active directory, local user database on the ASA, radius, etc?

(2) How many simultaneous tunnels are you expecting to see on average?

(3) Do you expect tons of traffic through these tunnels, or just typical internet access, Outlook connection to Exchange, some file sharing, etc.?

(4) Does your ASA have the security plus upgrade license?

(5) Do you want remote access vpn users to have access to all hosts on the LAN side of your ASA?

tech2010Author Commented:
Texas_Billy: Thanks for your comments. Here are the answers to your questions, line by line.

- ASA version is 8.2(1)

- Cisco VPN 3005 concentrator: The current issue is not the simultaneous number of tunnels but actually the performance, as almost all the remote VPN branches are having performance issues. Basically the CPU utilization of the concentrator is above 95%, so probably that is causing the performance issues. Currently we have lots of branches connected via remote VPN instead of site-to-site (LAN to LAN), and I agree that I think branches should be configured as site-to-site rather than remote VPN. And I think I would like to configure site-to-site if you can help.

1) Authentication method: RADIUS server with AD integrated

2) Probably 30 simultaneous tunnels. Do you mean site-to-site tunnels or remote VPN user tunnels or all together?

3) There will be Citrix traffic and there will be some Exchange / Outlook traffic and printing.

4) How can I check if it has the Security Plus upgrade license? I don't think it has. What is this for?

5) Yes, we want remote access users to have access to all hosts. Also, we wanted to use this ASA at the main office to accept site-to-site and remote VPN tunnels.

Also, will there be any performance issue with the ASA? I believe not?


I highly recommend the ASDM method. It's easy to do using the user interface wizard.
tech2010Author Commented:
Hi, I am trying to set up a site-to-site IPsec VPN via the wizard but the tunnel is not working for me. I have got 10 branches which need to be set up site-to-site with head office; 3 of them worked fine but some of them are not working. Not sure why, even though the way I am configuring them is the same as the remaining sites.

When I run Packet Tracer from the Tools menu I get an error. Please help. Thanks.
Can you post the running config on the 2 sites that are having issues with communication?

Also, rather than using tracer, the output of debugs will be more useful:

debug crypto ipsec
debug crypto isakmp
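
For comparing the running configs of two ends of a tunnel, this is what a matching head office / branch pair looks like in ASA 8.2 syntax. It is an added example, not part of the original thread; every address, name and key is a placeholder, and it assumes pre-shared-key authentication and an active 3DES/AES license.

```cisco
! Added example (ASA 8.2 CLI). Placeholders:
!   HQ:     inside 10.0.0.0/24, outside 198.51.100.1
!   Branch: inside 10.1.1.0/24, outside 203.0.113.10

! --- Head office ---
! Phase 1 policy: must exist identically on the branch
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! Phase 2 proposal: must match on the branch
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: HQ LAN to branch LAN
access-list VPN-BRANCH1 extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
! Exempt tunnel traffic from NAT (pre-8.3 NAT syntax)
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
! One crypto map entry per branch; the next branch uses sequence 20
crypto map OUTSIDE_MAP 10 match address VPN-BRANCH1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER_KEY>

! --- Branch: same isakmp policy and transform-set as above, then the mirror image ---
access-list VPN-HQ extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 match address VPN-HQ
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER_KEY>
```

With both ends loaded, `show crypto isakmp sa` and `show crypto ipsec sa` show whether phase 1 and phase 2 came up for a given peer.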
