Solved

ASA 8.02 to Cisco 837 with RADIUS config

Posted on 2010-09-13
405 Views
Last Modified: 2012-05-10
Hi all,

I need to know if this is technically possible and, if so, how. I have been tasked with configuring a VPN to an ASA appliance. This is already configured and running, using RADIUS for authentication. What I need to do is configure an 837 to talk to the ASA.

The thing is, the 837 will not be handling the internet connection; it needs to plug in to a COTS router, get an IP from the router and just handle the VPN side of things, and the only ports to pass data are 1732 and 3389.

I will paste the VPN config of the ASA:

aaa-server windows-radius protocol radius
aaa-server windows-radius host 192.168.x.x
 timeout 5
 key PASSWORD
 radius-common-pw PASSWORD
aaa authentication ssh console LOCAL

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto dynamic-map RAS-DYN-MAP 10 set pfs group1
crypto dynamic-map RAS-DYN-MAP 10 set transform-set myset
crypto dynamic-map RAS-DYN-MAP 10 security-association lifetime seconds 86400
crypto dynamic-map RAS-DYN-MAP 10 set reverse-route
crypto map RAS-DYN-MAP 10 ipsec-isakmp dynamic RAS-DYN-MAP
crypto map RAS-DYN-MAP interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa

Thanks for your help

Trejjy
Question by:Trejjy
8 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 33670783
It sounds like what you're asking is that you have a remote-access VPN connecting to an ASA, and now you want to add an 837 to also talk to the ASA.  This is fine, and can be configured to work.  However, your commands don't look like they will work for this.  You don't say what version of IOS you're running, but take a look at the following link showing a 12.4 example configuration, and pay particular attention to the configuration for Router B.  http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml
Author Comment

by:Trejjy
ID: 33671609
Jmeggers,

Sorry for that...

The ASA is running 8.0(2) and the 837 is running a c837-k9o3y6-mz.123-2.xe3.bin IOS
 
The ASA is running a split tunnel also but I am hazy on that side of things...
LVL 18

Expert Comment

by:jmeggers
ID: 33678609
The split tunnel just means that the configuration that's pushed to the client allows Internet-bound traffic to bypass the tunnel.  I'm not very familiar with the specific code on the 837 but it shouldn't be much different from the example link I posted.  The example is IOS to IOS but the 837 side should be about the same as in the example.  There's another example at http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml 
Author Comment

by:Trejjy
ID: 33678665
Thanks mate,

I will have a play tonight with the 837. I guess my confusion came from the fact that the ASA has no pre-shared key, so I have to introduce that into the ASA and then configure that key on the 837? How does RADIUS come into play with this?
LVL 18

Accepted Solution

by:
jmeggers earned 2000 total points
ID: 33678853
The ASA does support pre-shared keys for EZVPN.  I finally found an example that's ASA to IOS (an 871) at http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml.  

As for the RADIUS, that should be authenticating the username and password for connecting a remote-access VPN from a laptop.  That's what Cisco refers to as "xauth" for extended authentication -- authenticating the username and password, beyond the basic group name and group key for connecting the IPSec tunnel.
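As an added illustration of the two points made above (the split tunnel in jmeggers' earlier comment, and the group pre-shared key plus RADIUS xauth in the accepted answer), the following is example configuration written for this edit; it is not from the thread, from the Cisco documents linked above, or from the original poster's devices. The aaa-server group windows-radius is the one in the question; everything else is an assumption: the tunnel-group name EZVPN-GROUP, the pool range, the group-policy and ACL names, the split-tunnel subnet, the peer address 203.0.113.1 and the key placeholder. The 837 side uses the generic IOS EZVPN Remote syntax; which keywords the 12.3(2)XE3 image actually accepts, and which physical interface can take the outside role on a single-Ethernet 837 behind the COTS router, must be checked on the box.

```cisco
! --- ASA 8.0(2) side (example; names and addresses are placeholders) ---
! Addresses handed to EZVPN clients in client mode
ip local pool EZVPN-POOL 192.168.200.1-192.168.200.10 mask 255.255.255.0
!
! Only this subnet goes through the tunnel; everything else leaves locally
access-list SPLIT-ACL standard permit 192.168.100.0 255.255.255.0
!
group-policy EZVPN-POLICY internal
group-policy EZVPN-POLICY attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
!
! Group name and group key that the 837 presents in IKE phase 1
tunnel-group EZVPN-GROUP type remote-access
tunnel-group EZVPN-GROUP general-attributes
 address-pool EZVPN-POOL
 default-group-policy EZVPN-POLICY
 ! xauth: the user name/password is checked against the existing RADIUS group
 authentication-server-group windows-radius
tunnel-group EZVPN-GROUP ipsec-attributes
 pre-shared-key GROUPKEY-PLACEHOLDER
!
! --- Cisco 837 side (example; generic IOS EZVPN Remote syntax) ---
crypto ipsec client ezvpn ASA-EZVPN
 connect auto
 ! must match the tunnel-group name and pre-shared key on the ASA
 group EZVPN-GROUP key GROUPKEY-PLACEHOLDER
 mode client
 ! public address of the ASA outside interface (placeholder)
 peer 203.0.113.1
!
interface Ethernet0
 ! address obtained from the COTS router the 837 plugs into
 ip address dhcp
 crypto ipsec client ezvpn ASA-EZVPN outside
```

With this layout the group key only authenticates the 837 as a member of EZVPN-GROUP; the RADIUS user credential is what identifies who actually brought the tunnel up, so it is the RADIUS log, not the ASA's group name, that should be used when accounting for connections. On the IOS side, if no user name and password are stored in the profile, the tunnel stays pending until an operator supplies them with the exec command `crypto ipsec client ezvpn xauth`. Note also that the ASA's existing dynamic map references the transform set myset (3DES with MD5); the IOS client negotiates its own proposals, so the transform set the ASA ends up using should be confirmed with `show crypto ipsec sa` once the tunnel is up.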
Author Comment

by:Trejjy
ID: 33678878
Mate, you are a champ. I will give it a shot tonight and let you know how I go...

Thanks again.
LVL 71

Expert Comment

by:Qlemo
ID: 34459595
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.