Cisco ASA Remote Access VPN

In this lesson we’ll take a look at how to configure a remote access IPsec VPN using the Cisco VPN client. This allows remote users to connect to the ASA and access the remote network through an IPsec encrypted tunnel.

The remote user requires the Cisco VPN client software on his/her computer. Once the connection is established, the user receives a private IP address from the ASA and has access to the network.

The Cisco VPN client is end-of-life and has been replaced by the Cisco Anyconnect Secure Mobility Client. It is no longer supported, but it is still widely in use.

This is the topology that we will use for this example:

Topology: R1 (inside) <-> ASA1 <-> Remote VPN Client (outside)

The ASA has two interfaces: inside and outside. Imagine the outside interface is connected to the Internet, where a remote user wants to connect to the ASA. On the inside we find R1; I will only use this router so the remote user has something to connect to on the inside network. Let’s look at the configuration!


VPN Pool

First we will configure a pool with IP addresses that we will assign to remote VPN users:

ASA1(config)# ip local pool VPN_POOL

I will use IP address – for our VPN users. We need to tell the ASA that we will use this local pool for remote VPN users:

ASA1(config)# vpn-addr-assign local

This is done with the vpn-addr-assign command.

NAT Exemption

If you have NAT enabled on the ASA then we need to make sure that traffic between /24 (the local network) and /24 (our remote VPN users) doesn’t get translated. To accomplish this we will configure NAT exemption. The example below is for ASA version 8.3 or higher:

ASA1(config)# object network LAN  
ASA1(config-network-object)# subnet

ASA1(config)# object network VPN_POOL
ASA1(config-network-object)# subnet

ASA1(config)# nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN_POOL VPN_POOL

We create two network objects, one for our local network and another one for the remote VPN users. The NAT rule tells the ASA not to translate traffic between the two networks.

Group Policy

When the remote user has established the VPN, he or she will be unable to access anything on the Internet; only the remote network is reachable. For security reasons this is a good practice, as it forces all traffic to go through the ASA. If you don’t want this then you can enable split tunneling. With split tunneling enabled, we will use the VPN only for access to the remote network. Here’s how to enable it:

ASA1(config)# access-list SPLIT_TUNNEL standard permit

Now we can create a group policy. This allows you to assign different remote users to different groups with different attributes. You might want to have a group policy for “network engineers” and another one for “regular users” each with different DNS servers, timeout settings, etc. Here’s an example:

ASA1(config)# group-policy VPN_POLICY internal
ASA1(config)# group-policy VPN_POLICY attributes
ASA1(config-group-policy)# dns-server value
ASA1(config-group-policy)# vpn-idle-timeout 15
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL

The group policy is called VPN_POLICY and it’s an internal group policy, which means it is created locally on the ASA. You can also specify an external group policy on a RADIUS server. I added some attributes, for example a DNS server and an idle timeout (15 minutes). Split tunneling is optional, but I added it to show you how to use it; it refers to the access-list we created earlier.

If you want to configure an access-list so the remote VPN users can only reach certain networks, IP addresses or ports then you can apply this under the group policy.

Let’s continue and create a user for remote access:


ASA1(config)# username VPN_USER password MY_PASSWORD

We configured a group policy and user but we haven’t configured any IPsec settings yet. Let’s configure phase 1…

IPsec Phase 1

ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# encryption aes
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# authentication pre-share 
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 86400

This is just a basic example. We will use AES for encryption, SHA for integrity, a pre-shared key and Diffie-Hellman group 2 for key exchange. The lifetime before we have to do a renegotiation is 86400 seconds. Let’s enable this IKEv1 policy on the outside interface:

ASA1(config)# crypto ikev1 enable OUTSIDE
ASA1(config)# crypto isakmp identity address

And we can continue with phase 2:

IPsec Phase 2

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac

We will configure a transform set called “MY_TRANSFORM_SET” and we use ESP with AES/SHA. The next step is to configure a crypto map. This has to be a dynamic crypto map, since the remote VPN users are probably behind dynamic IP addresses that we don’t know in advance.

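Added here as an illustration, not part of the lesson: a small Python audit of the remote-access pieces configured so far. It checks that the pool is actually assigned with vpn-addr-assign local, that an identity NAT rule exempts LAN to VPN pool traffic, that the group policy’s split-tunnel list names an access-list that exists, and that IKEv1 is enabled on an interface; it also flags Diffie-Hellman group 2. The addresses in SAMPLE_CONFIG are constructed placeholders, not the lesson’s values.

```python
import re
# Constructed sample of the lesson's commands with placeholder (assumed) addresses.
SAMPLE_CONFIG = """\
ip local pool VPN_POOL 192.0.2.100-192.0.2.200 mask 255.255.255.0
vpn-addr-assign local
nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN_POOL VPN_POOL
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy VPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
crypto ikev1 policy 10
 encryption aes
 group 2
crypto ikev1 enable OUTSIDE
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
"""
# Identity NAT: source and destination objects are each translated to themselves.
IDENTITY_NAT = re.compile(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2$")

def parse_config(text):
    """Group indented sub-commands under the top-level command above them."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_remote_access(text):
    """Return findings for the pieces this lesson configures; empty means all present."""
    cfg, findings = parse_config(text), []
    if "vpn-addr-assign local" not in cfg:
        findings.append("missing 'vpn-addr-assign local': the local pool is never used")
    if not any(IDENTITY_NAT.match(t) for t in cfg):
        findings.append("no identity NAT rule exempting LAN <-> VPN pool traffic")
    acls = {t.split()[1] for t in cfg if t.startswith("access-list ")}
    for top, subs in cfg.items():
        if top.startswith("group-policy ") and top.endswith(" attributes"):
            for s in subs:
                if s.startswith("split-tunnel-network-list value ") and s.split()[-1] not in acls:
                    findings.append(f"{top}: split-tunnel ACL {s.split()[-1]} is not defined")
        if top.startswith("crypto ikev1 policy ") and "group 2" in subs:
            findings.append(f"{top}: DH group 2 is 1024-bit MODP; use group 14 or stronger")
    if not any(t.startswith("crypto ikev1 enable ") for t in cfg):
        findings.append("IKEv1 is not enabled on any interface")
    return findings
```

Feed it the output of show running-config to check a real box; every finding names the top-level command it refers to.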


Forum Replies

  1. Hi Amit,

    Yes you can, you’ll need to create an additional policy group and tunnel group for this. Here’s a quick example:

    group-policy VIRL_VPN internal
    group-policy VIRL_VPN attributes
     vpn-filter value VIRL
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VIRL_SPLIT_TUNNEL
    access-list VIRL_SPLIT_TUNNEL standard permit
    access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS 
    access-list VIRL extended permit tcp any object VIRL2 object-group VIRL_PORTS
    tunnel-group VIRL_TUNNEL type remote-ac
    ... Continue reading in our forum

  2. Hi Rene,

    I have a private IP address on the outside interface connected to the ISP, and the DMZ interface has a public IP for different services. Then the question is:

    Can I use a public IP address from my DMZ pool to bring up my VPN remote access?

    How do I do this?

    best regards

  3. Hi @sclarke1210,

    You won’t see a tunnel interface directly. If you want to verify that a user has connected and see the IP address that was assigned from the VPN pool, it’s best to use these two commands:

    ASA# show crypto ikev1 sa
    IKEv1 SAs:
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    2   IKE Peer:
        Type    : user            Role    : responder 
        Rekey   : no              State   : AM_ACTIVE 

    Above you can see that a user has connected. You can see the IP addresses below:

    ... Continue reading in our forum

  4. Hello Alberto

    This is actually correct. This is what is called “Twice NAT” or “Identity NAT”. Take a look at the image of the network:

    The ASA has NATing enabled, so any traffic going from INSIDE to OUTSIDE, or vice versa, will be NATed.

    The VPN client on the OUTSIDE network is on the subnet. When it connects via VPN, its connection is tunneled over this subnet, and the internal IP address it is provided is in the sub

    ... Continue reading in our forum
