Archive for the 'Cisco VPN' Category



VPN Config Generator-Software to create Cisco VPN Configurations

Thursday 3 December 2009 @ 3:46 am

For most network engineers, one of the most difficult and tricky features to configure on Cisco equipment is to properly setup a VPN communication network. I have realized that from the numerous emails and questions I get almost every day from readers of my blog and in my workplace as well.

Cisco is one of the leaders in VPN technologies. This is good for enterprises and companies which can use the flexible Cisco VPN features to meet their business goals (such as low cost in connectivity and communication between branches, flexibility in communication, security etc).

On the other hand, VPN is a pain for network administrators, who are required to know how to design and configure the several different VPN technologies supported by Cisco, such as Site-to-Site IPSec VPN, remote access IPSec VPN using VPN client software, Easy VPN, GRE VPN tunnels, GRE over IPSec, DMVPN (Dynamic Multipoint VPN), Virtual Tunnel Interfaces and so on. In addition to the above VPN technologies, a network administrator is also required to know how to configure them on different networking platforms, such as firewalls (ASA, PIX) and IOS routers.

Recently I stumbled upon a really useful software tool that will be of great value to Cisco network engineers: the VPN Config Generator tool from configureterminal.com. As the website states, with VPN Config Generator you can “Create Complicated VPNs in seconds at the click of a button!”.

As you can see from the pictures above, you first select the platform on which you want to configure the VPN (i.e. Router or ASA/PIX Firewall), and then select the type of VPN that you want to configure. The tool supports almost all Cisco VPN technologies and also supports configurations between different platforms (e.g. ASA to ASA, ASA to Router, etc.). After you specify the required parameters, the tool generates a working configuration (in text format) which you can simply copy and paste onto the Router or Firewall (ASA/PIX) via the command line terminal, and you will be up and running. So basically you work offline first and then upload the generated config onto the live device.

I highly recommend this tool as it will save you from a lot of hassle and problems. Check it out from the official website HERE.




Apple iPhone supports Cisco VPN Client

Monday 26 October 2009 @ 4:45 am

Both iPhone software versions 2.x and 3.x support three types of remote access VPN connectivity: L2TP, PPTP and IPSec (see picture below). The IPSec option is actually a Cisco VPN client software for communicating securely with Cisco Adaptive Security Appliance (ASA 5500 Series Firewalls).

Cisco states that only ASA and PIX firewalls support the iPhone Remote Access VPN. Cisco IOS routers with IPSec capability and the older VPN3000 Concentrators DO NOT support the iPhone VPN feature.

This feature enables teleworkers to connect remotely to their Enterprise central network via secure VPN tunnel using their Apple iPhone. The VPN can use both Wi-Fi and Cellular Mobile Data networks for setting up the tunnel. The authentication methods supported for establishing the secure remote VPN tunnel are:

  • Password
  • RSA SecurID
  • CRYPTOCard
  • Certificate

Regarding the configuration on the Cisco ASA appliance, it is exactly the same as the configuration for the normal Cisco IPSec VPN client software. You need to configure an IP pool from which the iPhone receives its IP address. This pool range will then have access to the internal network behind the ASA.




Cisco SSL VPN and ASDM Configuration – Port Conflict

Tuesday 21 October 2008 @ 5:38 am

In addition to IPSec VPN support, Cisco firewalls also support the SSL Web VPN technology for providing remote users with access to resources. The main difference between IPSec VPN and SSL VPN is that the first requires a VPN client installed on the user’s computer, while SSL VPN requires only a browser that supports HTTPS. Another difference is that IPSec VPN provides full network connectivity to the central site for the remote user, so the user has the same access to applications as on the local LAN. SSL VPN, on the other hand, provides limited application access compared with IPSec VPN. The applications that can be accessed over SSL VPN include internal websites, web-enabled applications, NT/Active Directory file shares, e-mail proxies (POP3S, IMAP4S and SMTPS), MS Outlook Web Access, and port forwarding to some other TCP-based applications.
The diagram below shows a high level network topology for SSL VPN connectivity:

[Diagram: Cisco SSL VPN on ASA firewall]

As you can see, the remote users can establish a secure SSL tunnel over the Internet and access application resources located in their central Enterprise LAN using a web browser (HTTPS).

Next we will describe how to enable SSL VPN on the firewall, and discuss how you can avoid a port conflict with ASDM (Web GUI management) when both are enabled on the same firewall interface.

Both SSL VPN and ASDM communicate over HTTPS, which uses TCP port 443 by default. If we need to enable ASDM management access on the same interface as SSL VPN (usually the “outside” interface), then we must change the listening port of either the SSL VPN or the ASDM. In our example below we describe both scenarios.

A. Change the port of ASDM

ASA(config)# http server enable 444
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# enable outside

For the above scenario, ASDM listens on port 444 while SSL VPN uses the default port 443. With this configuration, the remote administrator on address 100.100.100.1 initiates ASDM sessions by entering https://<Outside-Address>:444 in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://<Outside-Address>.

B. Change the port of SSL VPN

ASA(config)# http server enable
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside

For the above scenario, ASDM listens on the default port 443 while SSL VPN uses port 444. With this configuration, the remote administrator on address 100.100.100.1 initiates ASDM sessions by entering https://<Outside-Address> in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://<Outside-Address>:444.
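A small configuration check for the port conflict described in scenarios A and B, added here as an example and not part of the original post or of any Cisco tool. It parses the "http server enable", "http", "webvpn", "port" and "enable" commands as shown above (prompt-style or running-config indentation) and reports interfaces where ASDM and SSL VPN would both end up on the same TCP port; the sample configurations are constructed for the example.

```python
import re

DEFAULT_HTTPS_PORT = 443
PROMPT = re.compile(r"^\S+\((?P<mode>config(?:-\w+)?)\)#\s*(?P<cmd>.*)$")

# Constructed samples: scenario A and B from the post, plus a running-config
# style snippet where both services are left on port 443 on the same interface.
SCENARIO_A = """ASA(config)# http server enable 444
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# enable outside"""
SCENARIO_B = """ASA(config)# http server enable
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside"""
CONFLICT = "http server enable\nhttp 100.100.100.1 255.255.255.255 outside\nwebvpn\n enable outside"

def parse_listeners(config):
    """Collect ASDM and SSL VPN listeners; a port stays None when that service is not enabled."""
    lst = {"asdm_port": None, "asdm_ifaces": set(), "webvpn_port": None, "webvpn_ifaces": set()}
    in_webvpn = False
    for raw in config.splitlines():
        m = PROMPT.match(raw.strip())
        if m:  # the prompt tells us the configuration mode directly
            in_webvpn, cmd = m.group("mode") == "config-webvpn", m.group("cmd")
        else:  # running-config style: a non-indented line leaves the webvpn block
            in_webvpn, cmd = in_webvpn and raw.startswith(" "), raw
        words = cmd.split()
        if not words:
            continue
        if words[0] == "webvpn":                         # enter the webvpn block (default 443)
            in_webvpn = True
            lst["webvpn_port"] = lst["webvpn_port"] or DEFAULT_HTTPS_PORT
        elif in_webvpn and words[0] == "port" and len(words) == 2:
            lst["webvpn_port"] = int(words[1])
        elif in_webvpn and words[0] == "enable" and len(words) == 2:
            lst["webvpn_ifaces"].add(words[1])
        elif words[:3] == ["http", "server", "enable"]:  # ASDM listener with optional port
            lst["asdm_port"] = int(words[3]) if len(words) > 3 else DEFAULT_HTTPS_PORT
        elif words[0] == "http" and len(words) == 4:     # http <ip> <mask> <iface>
            lst["asdm_ifaces"].add(words[3])
    return lst

def find_port_conflicts(config):
    """Interfaces where ASDM and SSL VPN would both try to listen on one TCP port."""
    lst = parse_listeners(config)
    if None in (lst["asdm_port"], lst["webvpn_port"]) or lst["asdm_port"] != lst["webvpn_port"]:
        return []
    return sorted(lst["asdm_ifaces"] & lst["webvpn_ifaces"])
```

Running find_port_conflicts over a saved "show running-config" before pasting a change is a cheap way to catch the conflict offline instead of discovering it when one of the two services stops answering.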




Cisco VPN Client Requirements

Tuesday 26 August 2008 @ 2:30 am

The Cisco VPN Software Client is the most popular “remote access tool” for teleworkers and remote mobile employees in any organization. It allows the user to establish a secure IPSec tunnel from any Internet connection to a central location (usually the user’s corporate central network). Once the tunnel is established, the user is attached to the central network and has full connectivity, just as if they were connected locally.

The latest release (at the time of writing) is 5.0.03. This release can be installed on the following operating systems:

  • Windows 2000
  • Windows XP
  • Windows Vista (x86 / 32-bit only)
  • Linux (Intel based)
  • Mac OS X 10.4
  • Solaris UltraSparc (32 and 64-bit)

Furthermore, the Cisco VPN Client is compatible with all Cisco VPN hardware products as listed below:

  • Cisco Firewall ASA 5500 Series Software Version 7.0 and higher.
  • Cisco Firewall PIX Security Appliance Software Version 6.0 and later.
  • Cisco VPN 3000 Series Concentrator Software Version 3.0 and later.
  • Cisco Routers with VPN IOS support Software Release 12.2(8)T and later.
  • Cisco 6500 / 7600 IPSec VPNSM and VPN SPA IOS Software Release 12.2SX and later.

To obtain the Cisco VPN Client software you need a Cisco SMARTNet support contract and you can download the client from Cisco Software Center. Also, a CD with the VPN software client comes with any purchase of a Cisco ASA 5500 series firewall (except ASA 5505).



