Defining A Tunnel Group - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 32
Configuring Remote Access IPSec VPNs
Step 1 To configure a transform set, in global configuration mode enter the crypto ipsec transform-set command. The syntax is:

crypto ipsec transform-set transform-set-name encryption-method authentication-method

The following example configures a transform set with the name FirstSet, esp-3des encryption, and esp-md5-hmac authentication:

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)#

Step 2 Save the changes.

hostname(config)# write memory
hostname(config)#

Defining a Tunnel Group

A tunnel group is a set of records that contain tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define a default group policy. The security appliance stores tunnel groups internally.

There are two default tunnel groups in the security appliance system: DefaultRAGroup, which is the default IPSec remote-access tunnel group, and DefaultL2LGroup, which is the default IPSec LAN-to-LAN tunnel group. You can change them but not delete them. The security appliance uses these groups to supply default tunnel parameters for remote access and LAN-to-LAN connections when no specific tunnel group is identified during tunnel negotiation.

To establish a basic remote access connection, you must set three attributes for a tunnel group:

• Set the connection type to IPSec remote access.
• Configure the address assignment method; in the following example, an address pool.
• Configure an authentication method; in the following example, a preshared key.

Step 1 To set the connection type to IPSec remote access, enter the tunnel-group command. The command syntax is tunnel-group name type type, where name is the name you assign to the tunnel group, and type is the type of tunnel. The tunnel types as you enter them in the CLI include the following:

• ipsec-ra (IPSec remote access)
• ipsec-l2l (IPSec LAN-to-LAN)

In the following example the name of the tunnel group is testgroup.

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)#

Step 2 To configure the address assignment method for the tunnel group, enter general-attributes mode and then enter the address-pool command to assign an existing address pool to the group. In the following example the name of the group is testgroup and the name of the address pool is testpool.

hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 32-5
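The transform-set steps and the tunnel-group steps above are fragments of one procedure, so here is the whole sequence carried through on a single appliance as an added example; it is not configuration text from the Cisco guide. The ip local pool line is included because the address-pool command only references a pool that already exists; the pool range, the StrongSet transform set, and the preshared key value are assumptions chosen for illustration, and the preshared-key step is the third attribute the page names but does not show.

```cisco
! Added example, not from the Cisco guide. Pool range, the StrongSet name and
! the key value are assumptions; everything else follows the commands on the page.
!
! Prerequisite for Step 2 of the tunnel-group procedure: address-pool refers to
! a pool that must already exist, created with ip local pool.
ip local pool testpool 192.168.100.10-192.168.100.50 mask 255.255.255.0
!
! Transform set exactly as shown on this page.
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
!
! 3DES and MD5 are legacy algorithms. Where the software supports it, define an
! AES/SHA set with the same syntax and reference it from the crypto map instead.
crypto ipsec transform-set StrongSet esp-aes-256 esp-sha-hmac
!
! Attribute 1: connection type (IPSec remote access).
tunnel-group testgroup type ipsec-ra
!
! Attribute 2: address assignment method, here the pool defined above.
tunnel-group testgroup general-attributes
 address-pool testpool
!
! Attribute 3: authentication method, here a preshared key. The value is a
! placeholder; use a long random key, never a dictionary word or the group name.
tunnel-group testgroup ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! Confirm what was stored before saving, then write the configuration.
! hostname(config)# show running-config tunnel-group testgroup
! hostname(config)# write memory
```

A quick check after pasting this in: show running-config tunnel-group testgroup should list the type, the address pool and (masked) the preshared key; if the address-pool line is missing, the pool name did not match an existing ip local pool.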
