|FAQ ID # 173|
|Last Update : 2009/08/10
Rating : Not Rated
Send FAQ by E-mail
Add to favorites
Print this FAQ
Social Bookmark this Article :
|Question / Issue|
|Proxicast IPsec VPN Client for Windows example connection to a Cisco ASA 5500 series VPN/Firewall|
|Answer / Solution|
|The Proxicast IPSec VPN for Windows can be used to connect to many other vendor's IPSec-compliant devices in addition to Proxicast's LAN-Cell family. This example presents 2 different ways of connecting to a Cisco ASA 5500 series device.
The Cisco ASA 5500 series (firmware version 7x) matches incoming remote-access VPN requests based on Tunnel Groups. When using the Preshared-Key authentication method, the Proxicast IPSec VPN Client does not send the Tunnel Group name explicitly. There are 2 ways to make the ASA match the incoming request to the correct Tunnel Group when using PSK.
When using X.509 certificates, you can configure the ASA to match Tunnel Group names based on information in the certificate, therefore the Tunnel Group name can be arbitrary.
Remote VPNs from a known IP Address
In situations where the public IP address of the remote device initiating the VPN request is known (for example, the public IP address of a branch office router or the static IP address assigned to a laptop 3G card), you can define a "static" Tunnel Group on the ASA. The name of the Tunnel Group MUST be the public IP address of the remote VPN initiating device. See the attached sample ASA configuration file: ASA-StaticTunnelGroup.txt
Remote VPNs from a dynamic IP Address
In situations where the public IP address of the remote device initiating the VPN request is unknown or changes frequently (for example, mobile users connecting from hotels or public hotspots). you must modify the built-in ASA Tunnel Group "DefaultRAGroup" so that its parameters match those sent by the Proxicast VPN Client. See the attached sample ASA configuration file: ASA-DefaultRAGroup.txt
Also attached are screen shots and the configuration of the Proxicast IPSec VPN Client used in these examples (PRX2ASA-MainMode.tgb).
The following are the key settings used in the attached example configuration files.
ASA public IP address = 22.214.171.124
VPN Client public IP = 126.96.36.199
XAUTH is on (user = kevin)
PFS is off
ID matching is off
P1 Transform = ESP-3DES-SHA-DH2
P2 Transform = 3DES-SHA
PSK = 12345678
Key lines from the ASA configuration file (DefaultRAGroup Dynamic Rule example):
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto isakmp identity address
username kevin password 6o2O2KNmXF.sqZoY encrypted
|Tech Note: LAN-Cell 2 to Cisco ASA 5500 Series VPN Example|
|Unable to ping through VPN|
|Tech Note: LAN-Cell VPN Planner|
|Direct Link to This FAQ|
|ASA 5505 5510 5520 PIX|