Friday, June 15, 2007

Missing command on ASA for dynamic VPN.

There seems to be an update in how ASAs handle dynamic IP VPN connections. You used to be able to use the command 'authentication-server-group none' in the DefaultRAGroup general attributes. In version 7.2.2, this command is considered deprecated and won't work! This goes for new installs or upgrades.

The key command to add under the DefaultRAGroup is now:
isakmp ikev1-user-authentication (outside) none
outside is the interface name, of course. Take note that if you are in the DefaultRAGroup and type ? after isakmp, you won't see this command; it's hidden. Trying to make it easy for people, I suppose...

The guide to configure this can be found here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
The 7.2.2 code should only need the updates listed here to work.
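
To find which tunnel groups in a config saved before the upgrade still depend on the deprecated command and have no replacement yet, a small check like the following can help. This is an added example, not part of the original post or Cisco's guide; the sample config, group names, and function names are constructed for illustration.

```python
import re

# Constructed sample of a saved ASA config (assumption: not from the original post).
SAMPLE_CONFIG = """\
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group BranchVPN general-attributes
 authentication-server-group none
tunnel-group BranchVPN ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication (outside) none
tunnel-group StaffVPN general-attributes
 authentication-server-group RADIUS1
"""

HEADER = re.compile(r"^tunnel-group (\S+) (?:general|ipsec)-attributes\s*$")
DEPRECATED = re.compile(r"^\s+authentication-server-group none\s*$")
REPLACEMENT = re.compile(
    r"^\s+isakmp ikev1-user-authentication (?:\((\S+)\) )?none\s*$")

def audit_tunnel_groups(config_text):
    """Map each tunnel group to what was found in any of its sub-modes."""
    groups, current = {}, None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            groups.setdefault(current, {"deprecated": False, "replacement": []})
        elif not line.startswith(" "):
            current = None  # a top-level line ends the tunnel-group sub-mode
        elif current is not None:
            if DEPRECATED.match(line):
                groups[current]["deprecated"] = True
            repl = REPLACEMENT.match(line)
            if repl:
                # Record the interface name; "(all)" if none was given.
                groups[current]["replacement"].append(repl.group(1) or "(all)")
    return groups

def needs_update(config_text):
    """Groups using the deprecated command with no replacement configured."""
    found = audit_tunnel_groups(config_text)
    return sorted(name for name, g in found.items()
                  if g["deprecated"] and not g["replacement"])

if __name__ == "__main__":
    for name in needs_update(SAMPLE_CONFIG):
        print(f"{name}: add 'isakmp ikev1-user-authentication (<interface>) none'")
```
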
