This topic is to discuss the following lesson:
Would Remote Access VPN work with a dynamic IP address within or behind a Comcast module? I tried, it did work.
What is the Comcast module? You can use dynamic IP addresses, it’s no problem.
Thanks for your feedback.
I need to create the remote access VPN on my ASA, but it already has a site-to-site VPN running on it. If I follow the above steps, will that affect the site-to-site VPN? Please advise.
It’s no problem, just make sure you don’t overwrite your current policies. At the bottom of your crypto map you can add an entry for the remote access VPN:
crypto map CRYPTO_VPN 10 match address SITE_TO_SITE
crypto map CRYPTO_VPN 10 set peer x.x.x.x
crypto map CRYPTO_VPN 10 set ikev1 transform-set TRANSFORM_SET
crypto map CRYPTO_VPN 10 set security-association lifetime seconds 3600
crypto map CRYPTO_VPN 20 ipsec-isakmp dynamic REMOTE_ACCESS_VPN
crypto map CRYPTO_VPN interface OUTSIDE
My crypto map is as below. So you mean to add the remote access VPN at the end of this? But if I run the wizard and just add the remote access VPN, will that add the lines at the end as you mentioned?
crypto dynamic-map dyn1 1 set pfs group1
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set nat-t-disable
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer y.y.y.y
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer z.z.z.z
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
I’m not a fan of the ASDM wizard since you never know what it comes up with…
In your example, your “outside_map” crypto map is active on the outside interface so I would add everything there:
crypto dynamic-map outside_map 4 set pfs group1
crypto dynamic-map outside_map 4 set transform-set xxxxx
crypto dynamic-map outside_map 4 set nat-t-disable
crypto dynamic-map outside_map 4 set reverse-route
crypto map outside_map 4 ipsec-isakmp dynamic outside_map
Hope this helps!
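A small audit script for the situation in this exchange, added here as an example (it is not part of the lesson or any Cisco tool): it parses the crypto map lines pasted above, with the peers kept as placeholders, and reports a dynamic map that hangs off a crypto map not bound to any interface, a dynamic entry that does not carry the highest sequence number, and an interface-bound crypto map with no dynamic entry for remote access.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the crypto map pasted in the thread above:
# dynamic-map dyn1 hangs off "mymap", which is never bound to an interface.
SAMPLE_CONFIG = """
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer y.y.y.y
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer z.z.z.z
crypto map outside_map interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def audit_crypto_maps(config):
    """Findings about the dynamic (remote-access) crypto map entries: they must
    hang off the interface-bound map and carry its highest sequence number."""
    static = defaultdict(set)    # crypto map name -> static sequence numbers
    dynamic = defaultdict(dict)  # crypto map name -> {seq: dynamic-map name}
    bound = {}                   # crypto map name -> interface it is applied to
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            if rest.startswith("ipsec-isakmp dynamic "):
                dynamic[name][seq] = rest.split()[-1]
            else:
                static[name].add(seq)
    findings = []
    for name, entries in dynamic.items():
        for seq, dyn in sorted(entries.items()):
            if name not in bound:
                findings.append(f"{name} {seq} uses dynamic-map {dyn} but {name} is not bound to an interface")
            higher = sorted(s for s in static[name] if s > seq)
            if higher:  # static site-to-site entries should be matched first
                findings.append(f"{name} {seq} (dynamic {dyn}) sits before static entries {higher}")
    for name, iface in bound.items():
        if name not in dynamic:
            findings.append(f"{name} is bound to {iface} but has no dynamic entry for remote access")
    return findings
```

Moving the `ipsec-isakmp dynamic dyn1` entry from `mymap` to `outside_map 4` clears both findings on the sample.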
If I want to create another connection profile, do I need to create another policy in IPsec phase 1 (crypto ikev1 policy 10)? Or is it a one-time configuration (IPsec phase 1 and phase 2)?
How do I remove the tunnel group and group policy from the command line?
If you want to use the same encryption / hashing algorithm and DH group then you only need one crypto ikev1 policy. If you want to use other parameters then you can use a second one. The two IPsec peers will negotiate to figure out what settings to use.
Removing something from the command line can be done by adding “no” in front of the command you want to remove.
I am currently using Remote Access IPsec VPN with IKEv1 from the Mac OS X built-in client, which only supports IKEv1, but from El Capitan on, Mac includes built-in support for IKEv2.
How can I configure Remote Access IPsec on the Cisco ASA without SSL so that I can use the IKEv2 IPsec client on the Mac without Cisco AnyConnect?
Good question, I only have some examples for IKEv2 / AnyConnect.
Windows 7/8/10 also supports IKEv2 so I could try it perhaps.
I can’t ping from the VPN user to 192.168.1.1. Do we need a route on the ASA or on R1?
You will need a route on R1 towards the ASA but that’s it.
I can’t ping R1. Do I have to add a static route for the network 192.168.1.0 on my computer?
You won’t need to add a route yourself on the computer. The two configs I added at the bottom of the lesson are everything you need to make this work.
For split tunneling, will Internet traffic go to the VPN gateway first and then to the destination (a U-turn, like hairpinning), or will Internet traffic be separated on the remote user’s host? That is, VPN traffic chooses the tunnel and Internet traffic does not; it is separated on the remote host?
Without split tunneling, all traffic will be forwarded from the remote user to the ASA. This is the most secure solution.
If you enable split tunneling, then the VPN will only be used to access remote networks behind the ASA. Internet traffic will not go through the VPN.
Hope this helps.
Got your point. Thanks. I have one more question: we are configuring split tunneling only on the ASA end, so how can the remote user’s PC recognize it and separate Internet and remote network traffic on the PC end?
These settings are pushed from the ASA to the VPN Client.
Your PC also has a routing table which defines which interfaces / next hops to use for certain networks. Try the “route print” command on a Windows computer and you’ll see it.