FAQ ID # 173
Last Update : 2009/08/10
Rating : Not Rated
Send FAQ by E-mail
Add to favorites
Print this FAQ

Social Bookmark this Article :

Question / Issue
Proxicast IPsec VPN Client for Windows example connection to a Cisco ASA 5500 series VPN/Firewall

Answer / Solution
The Proxicast IPSec VPN for Windows can be used to connect to many other vendor's IPSec-compliant devices in addition to Proxicast's LAN-Cell family.  This example presents 2 different ways of connecting to a Cisco ASA 5500 series device.

The Cisco ASA 5500 series (firmware version 7x) matches incoming remote-access VPN requests based on Tunnel Groups.  When using the Preshared-Key authentication method, the Proxicast IPSec VPN Client does not send the Tunnel Group name explicitly.  There are 2 ways to make the ASA match the incoming request to the correct Tunnel Group when using PSK.

When using X.509 certificates, you can configure the ASA to match Tunnel Group names based on information in the certificate, therefore the Tunnel Group name can be arbitrary.

Remote VPNs from a known IP Address
In situations where the public IP address of the remote device initiating the VPN request is known (for example, the public IP address of a branch office router or the static IP address assigned to a laptop 3G card), you can define a "static" Tunnel Group on the ASA.  The name of the Tunnel Group MUST be the public IP address of the remote VPN initiating device.  See the attached sample ASA configuration file: ASA-StaticTunnelGroup.txt

Remote VPNs from a dynamic IP Address
In situations where the public IP address of the remote device initiating the VPN request is unknown or changes frequently (for example, mobile users connecting from hotels or public hotspots). you must modify the built-in ASA Tunnel Group "DefaultRAGroup" so that its parameters match those sent by the Proxicast VPN Client.  See the attached sample ASA configuration file: ASA-DefaultRAGroup.txt

Also attached are screen shots and the configuration of the Proxicast IPSec VPN Client used in these examples (PRX2ASA-MainMode.tgb).

The following are the key settings used in the attached example configuration files.

ASA public IP address =
ASA private LAN subnet =

VPN Client public IP =
VPN Client private LAN subnet =

IKE = Main Mode
XAUTH is on (user = kevin)
PFS is off
ID matching is off
P1 Transform = ESP-3DES-SHA-DH2
P2 Transform = 3DES-SHA
PSK = 12345678

Key lines from the ASA configuration file (DefaultRAGroup Dynamic Rule example):

access-list outside_access_in extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list outside_cryptomap_65535.1 extended permit ip
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800

username kevin password 6o2O2KNmXF.sqZoY encrypted
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck

ASA-DefaultRAGroup.txt (3.3Kb)
ASA-StaticTunnellGroup.txt (3.3Kb)
Phase1.jpg (136.0Kb)
Phase1Advanced.jpg (79.9Kb)
Phase2.jpg (143.7Kb)
PRX2ASA-MainMode.tgb (1.9Kb)

Related FAQs
Tech Note: LAN-Cell 2 to Cisco ASA 5500 Series VPN Example
Unable to ping through VPN
Tech Note: LAN-Cell VPN Planner

Direct Link to This FAQ

ASA 5505 5510 5520 PIX
How would you rate this article?



Back to Top