Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. sims says:

    Hi Rene,

    If I want to create another connection profile, do I need to create another policy in IPsec phase 1 (crypto ikev1 policy 10)?

    Or is it a one-time configuration (IPsec phase 1 and phase 2)?
    How do I remove the tunnel group and group policy from the command line?


  2. Hi Amit,

    Yes you can, you’ll need to create an additional policy group and tunnel group for this. Here’s a quick example:

    group-policy VIRL_VPN internal
    group-policy VIRL_VPN attributes
     vpn-filter value VIRL
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VIRL_SPLIT_TUNNEL
    access-list VIRL_SPLIT_TUNNEL standard permit
    access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS 
    access-list VIRL extended permit tcp any object VIRL2 object-group VIRL_PORTS
    tunnel-group VIRL_TUNNEL type remote-access
    tunnel-group VIRL_TUNNEL general-attributes
     address-pool VIRL_VPN_USERS
     default-group-policy VIRL_VPN
    tunnel-group VIRL_TUNNEL ipsec-attributes
     ikev1 pre-shared-key *****

    The group policy called “VIRL_VPN” uses an access-list called VIRL to define what resources the remote user can access. It also uses split tunneling: this VPN is only used to reach the networks in access-list VIRL_SPLIT_TUNNEL.

    In the tunnel-group, you can see we refer to the VIRL_VPN group-policy.

    Hope this helps!
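
A small consistency check for the name references the reply above describes (tunnel-group to group-policy, group-policy to access-lists, plus the address pool), as an added example that is not part of the original reply. The function name `dangling_refs` and the abridged sample config are assumptions made here; only the sub-commands used in the reply are covered, and `object`/`object-group` names inside ACL entries are not checked.

```python
import re

# Constructed sample: the reply's snippet, abridged, with the ACL line that is
# cut short on the page left exactly as it appears there.
SAMPLE = """\
group-policy VIRL_VPN internal
group-policy VIRL_VPN attributes
 vpn-filter value VIRL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VIRL_SPLIT_TUNNEL
access-list VIRL_SPLIT_TUNNEL standard permit
access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS
tunnel-group VIRL_TUNNEL type remote-access
tunnel-group VIRL_TUNNEL general-attributes
 address-pool VIRL_VPN_USERS
 default-group-policy VIRL_VPN
"""

# Sub-command -> kind of object it names (only the commands used in the reply).
REFS = {
    "vpn-filter value": "access-list",
    "split-tunnel-network-list value": "access-list",
    "address-pool": "ip local pool",
    "default-group-policy": "group-policy",
}

def dangling_refs(config):
    """Return sorted (section, kind, name) for names used but never defined."""
    defined, used, section = set(), [], None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":                      # top-level command
            section = line.strip()
            m = re.match(r"(access-list|group-policy|ip local pool) (\S+)", line)
            if m:
                defined.add((m.group(1), m.group(2)))
            continue
        body = line.strip()                     # indented sub-command
        for prefix, kind in REFS.items():
            if body.startswith(prefix + " "):
                used.append((section, kind, body[len(prefix):].split()[0]))
    return sorted(u for u in used if (u[1], u[2]) not in defined)

if __name__ == "__main__":
    for section, kind, name in dangling_refs(SAMPLE):
        print(f"{section}: {kind} {name!r} is not defined in this snippet")
```

Run against the snippet alone, it reports only the address pool, which the quick example references but does not define.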


  3. gurrav says:

    Hi Rene,

    I have a private IP address on the outside interface connected to the ISP, and the DMZ interface has public IPs for different services. Then the question is:

    Can I use a public IP address from my DMZ pool to bring up my remote access VPN?

    How do I do this?

    best regards

  4. Hi

    When the tunnel is brought up on the ASA, does it create a logical tunnel interface and assign it an IP address from the VPN pool?

    What show commands could I use to see this interface on the ASA?

