Cisco ASA Remote Access VPN

This topic is to discuss the following lesson:

Would Remote Access VPN work with a dynamic IP address within or behind a Comcast module? I tried, it did work.

Hi Max,

What is the Comcast module? :slight_smile: You can use dynamic IP addresses, it’s no problem.

Rene

Thanks for your feedback.

Hi Rene,

I need to create a remote access VPN on my ASA, but it already has a site-to-site VPN running. If I follow the above steps, will that affect the site-to-site VPN? Please advise.

Regards

Ahmed

Hi Ahmed,

It’s no problem, just make sure you don’t overwrite your current policies. At the bottom of your crypto map you can add an entry for the remote access VPN:

crypto map CRYPTO_VPN 10 match address SITE_TO_SITE
crypto map CRYPTO_VPN 10 set peer x.x.x.x 
crypto map CRYPTO_VPN 10 set ikev1 transform-set TRANSFORM_SET
crypto map CRYPTO_VPN 10 set security-association lifetime seconds 3600
crypto map CRYPTO_VPN 20 ipsec-isakmp dynamic REMOTE_ACCESS_VPN
crypto map CRYPTO_VPN interface OUTSIDE

Rene

Dear Rene,

My crypto map is as below. So you mean I should add the remote access VPN at the end of this? But if I run the wizard and just add the remote access VPN, will that add the lines at the end as you mentioned:

crypto dynamic-map dyn1 1 set pfs group1
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set nat-t-disable
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer y.y.y.y
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer z.z.z.z
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0

Regards

Ahmed

Hi Ahmed,

I’m not a fan of the ASDM wizard since you never know what it comes up with…

In your example, your “outside_map” crypto map is active on the outside interface so I would add everything there:

crypto dynamic-map outside_map 4 set pfs group1
crypto dynamic-map outside_map 4 set transform-set xxxxx
crypto dynamic-map outside_map 4 set nat-t-disable
crypto dynamic-map outside_map 4 set reverse-route
crypto map outside_map 4 ipsec-isakmp dynamic outside_map

Hope this helps!

Rene
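An added example, not from the lesson or from anyone in this thread: a small Python audit that reads crypto map lines in the shape posted above and flags what Rene warns about when site-to-site and remote access share one crypto map: a dynamic (remote-access) entry that reuses a site-to-site sequence number, one that is not placed last, and a dynamic-map that is never bound with ipsec-isakmp dynamic. The two configs inside are constructed, with placeholder peers and ACL names.

```python
import re
from collections import defaultdict

# Constructed configs in the shape of the posts above (placeholder peers, not real addresses).
BAD_CONFIG = """
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn2 1 set transform-set FirstSet
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 1 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
"""
GOOD_CONFIG = """
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 65535 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
"""

DYN_BIND = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
STATIC = re.compile(r"^crypto map (\S+) (\d+) (?!ipsec-isakmp dynamic)\S")
DYN_DEF = re.compile(r"^crypto dynamic-map (\S+) \d+ ")

def audit_crypto_maps(config: str) -> list[str]:
    """Findings about dynamic (remote-access) entries next to static (site-to-site)
    ones in each crypto map; an empty list means the maps coexist cleanly."""
    static = defaultdict(set)    # crypto map name -> static sequence numbers
    dynamic = defaultdict(dict)  # crypto map name -> {seq: dynamic-map name}
    defined = set()              # names given to crypto dynamic-map
    for line in (l.strip() for l in config.splitlines()):
        if m := DYN_BIND.match(line):
            dynamic[m[1]][int(m[2])] = m[3]
        elif m := STATIC.match(line):
            static[m[1]].add(int(m[2]))
        elif m := DYN_DEF.match(line):
            defined.add(m[1])
    findings = []
    for name, entries in dynamic.items():
        for seq, dyn in sorted(entries.items()):
            if seq in static[name]:   # same seq: the dynamic entry clobbers a site-to-site entry
                findings.append(f"{name} {seq}: dynamic entry overwrites site-to-site entry {seq}")
            elif static[name] and seq < max(static[name]):   # dynamic entries belong last
                findings.append(f"{name} {seq}: dynamic entry should carry the highest sequence number")
            if dyn not in defined:
                findings.append(f"{name} {seq}: references undefined dynamic-map {dyn}")
    bound = {d for entries in dynamic.values() for d in entries.values()}
    for dyn in sorted(defined - bound):
        findings.append(f"dynamic-map {dyn}: defined but never bound with ipsec-isakmp dynamic")
    return findings
```

Run it against `show running-config crypto` output before adding the remote access entry; the ASDM wizard's result can be checked the same way afterwards.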

Hi Rene,

If I want to create another connection profile, do I need to create another policy for IPsec phase 1 (crypto ikev1 policy 10)?

Or is it a one-time configuration (IPsec phase 1 and phase 2)?
How do I remove the tunnel group and group policy from the command line?

Thanks

If you want to use the same encryption / hashing algorithm and DH group then you only need one crypto ikev1 policy. If you want to use other parameters then you can use a second one. The two IPsec peers will negotiate to figure out what settings to use.

Removing something from the command line can be done by adding “no” in front of the command you want to remove.

Hi Rene,

I am currently using Remote Access IPsec VPN with IKEv1 through the Mac OS X built-in client, which only supports IKEv1.

But as of El Capitan, the Mac includes built-in support for IKEv2.

How can I configure Remote Access IPsec on the Cisco ASA without SSL and use the IKEv2 IPsec client on the Mac without Cisco AnyConnect?

Regards,

Bandu

Hi Bandu,

Good question, I only have some examples for IKEv2 / AnyConnect.

Windows 7/8/10 also supports IKEv2 so I could try it perhaps.

Rene

I can’t ping from the VPN user to 192.168.1.1. Do we need to add a route on the ASA or R1?

You will need a route on R1 towards the ASA but that’s it.

I can’t ping R1. Do I have to add a static route for the network 192.168.1.0 on my computer?

You won’t need to add a route yourself on the computer. The two configs I added at the bottom of the lesson are everything you need to make this work.

Hi Rene,

For split tunneling, will Internet traffic go to the VPN gateway first and then to the destination (a U-turn, like hairpinning), or will Internet traffic be separated from the VPN traffic at the remote host? That is, VPN traffic takes the tunnel and Internet traffic does not; it is separated at the remote host?

br//
zaman

Hi Zaman,

Without split tunneling, all traffic will be forwarded from the remote user to the ASA. This is the most secure solution.

If you enable split tunneling, then the VPN will only be used to access remote networks behind the ASA. Internet traffic will not go through the VPN.

Hope this helps.

Rene

Hi Rene,

Got your point. Thanks. I have one more question: we are configuring split tunneling only on the ASA end, so how does the remote user PC recognize it and separate Internet and remote network traffic on the PC end?

br//
zaman

Hi Zaman,

These settings are pushed from the ASA to the VPN Client.

Your PC also has a routing table which defines which interfaces / next hops to use for certain networks. Try the “print route” command on a Windows computer and you’ll see it.

Rene