Cisco ASA Remote Access VPN

Hi Zaman,

Without split tunneling, all traffic will be forwarded from the remote user to the ASA. This is the most secure solution.

If you enable split tunneling, then the VPN will only be used to access remote networks behind the ASA. Internet traffic will not go through the VPN.

Hope this helps.


Hi Rene,

Got your point .Thanks.I have one more questions, We are configuring Split Tunning only ASA end .So how remote user PC can recongnize it and seperate Internet & Remote network from PC end ??


Hi Zaman,

These settings are pushed from the ASA to the VPN Client.

Your PC also has a routing table which defines which interfaces / next hops to use for certain networks. Try the “print route” command on a Windows computer and you’ll see it.


Thanks Dear.Many Thanks

Can we create a group policy only for a specific set of users? For example, if we want that a certain group of users should only access certain set of servers.

Hi Amit,

Yes you can, you’ll need to create an additional policy group and tunnel group for this. Here’s a quick example:

group-policy VIRL_VPN internal
group-policy VIRL_VPN attributes
 vpn-filter value VIRL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VIRL_SPLIT_TUNNEL

access-list VIRL_SPLIT_TUNNEL standard permit

access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS 
access-list VIRL extended permit tcp any object VIRL2 object-group VIRL_PORTS

tunnel-group VIRL_TUNNEL type remote-access
tunnel-group VIRL_TUNNEL general-attributes
 address-pool VIRL_VPN_USERS
 default-group-policy VIRL_VPN
tunnel-group VIRL_TUNNEL ipsec-attributes
 ikev1 pre-shared-key *****

The group policy called “VIRL_VPN” uses an access-list called VIRL to define what resources the remote user can access. It also uses split tunneling, this VPN is only used to reach the networks in access-list VIRL_SPLIT_TUNNEL.

In the tunnel-group, you can see we refer to the VIRL_VPN group-policy.

Hope this helps!


I have added the below command but am able to connect successfully but I cant access LAN device either through ping, tracert, telnet, ssh etc.

ASA1(config)# object network LAN  
ASA1(config-network-object)# subnet

ASA1(config)# object network VPN_POOL
ASA1(config-network-object)# subnet

I wasn’t able to configure the below command since am running an 8.2 version. What am I missing?

ASA1(config)# nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN_POOL VPN_POOL

Hi Muhammed,

That NAT rule is an important one. It tells the ASA not to translate traffic between and If you don’t have it then traffic from to will be translated which is probably why you don’t have any connectivity.

For ASA versions before 8.3, you can try this:

ASA1(config)# access-list NO_NAT extended permit ip

ASA1(config)# nat (inside) 0 access-list NONAT

ASA 8.2 has been EOL since April 2014 so it’s not a bad idea to upgrade :slight_smile:



IPsec Tunnel always speak of New IP Header being applied to the original header when an example is given. Can you give a real world example that shows the newly created Ip addresses in the header and the original ip addresses? I am trying to see how packets are routed from the client with a remote vpn client installed.


Hi Edwin,

For such request, you can post your idea in the following URL “Member Ideas” on our website where your idea can be voted so Rene can pick it up and make a new lesson from it.

Thanks for following our lessons.


I need to create to remote access VPN but my outside interface have private adddress with ISP conecction.
My DMZ have public address.

Can do I make to VPN remote access in my ASA 5520 with NAT to one public address ??

best regars

Hi Rene,

Can do I make a VPN if my outside interface have private address IP, but I have public IP address for my DMZ interface ?

Hi Rene,

I have private ip address in the outside interface connected the ISP, and DMZ interface have public IP for diferent service. then the question is:

Can do I use a IP public address from my pool of DMZ for get up my VPN remote access?

how do I make this ?

best regards

Hi Gabriel,

It is possible. Most devices, including the ASA firewall, support NAT traversal for IPsec.

Is your public IP addresses NATed 1-to-1 to the private IP address that your ASA uses? If so, give it a shot.


19 posts were merged into an existing topic: Cisco ASA Remote Access VPN


When the tunnel is brought up on the ASA does it create a logical tunnel interface and assign it an ip address from the vpn pool?

what show commands could i use to see this interface on the asa ?


Hi @sclarke1210,

You won’t see a tunnel interface directly. If you want to verify that a user has connected and see the IP address that was assigned from the VPN pool, it’s best to use these two commands:

ASA# show crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

2   IKE Peer:
    Type    : user            Role    : responder 
    Rekey   : no              State   : AM_ACTIVE 

Above you can see that a user has connected. The IP addresses you can see below:

ASA# show crypto ipsec sa user renemolenaar
username: renemolenaar
    Crypto map tag: RMCS_VPN, seq num: 10, local addr:

      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (
      current_peer:, username: renemolenaar
      dynamic allocated peer ip:
      dynamic allocated peer ip(ipv6):

      #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
      #pkts decaps: 75, #pkts decrypt: 75, #pkts verify: 75
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 67, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:, remote crypto endpt.:
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 029C51AC
      current inbound spi : 323F5F7F
    inbound esp sas:
      spi: 0x323F5F7F (843014015)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 4460544, crypto-map: RMCS_VPN
         sa timing: remaining key lifetime (sec): 28722
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
    outbound esp sas:
      spi: 0x029C51AC (43798956)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 4460544, crypto-map: RMCS_VPN
         sa timing: remaining key lifetime (sec): 28722
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

Above you can see the dynamic allocated peer ip, which is the IP address from the VPN pool.


1 Like

A post was merged into an existing topic: Cisco ASA Anyconnect Remote Access VPN

Hi Rene,

Hope you are doing well and safe.
Did you make any guide with IKEv2 with VPN client (NOT Anyconnect)
Please let me know

Hello Zeeshan

There is no lesson that specifically includes the use of IKEv2 with VPN hosts as clients without using Anyconnect. The specific configuration would depend on the specific VPN client that you are using on the host end. You can find some examples of IKEv2 VPNs with use with Windows or Android VPN clients on a Cisco ASA device at the following links:

For more specific VPN client configurations, it is best to use your favourite search engine to find configs for your particular clients.

I hope this has been helpful!