Cisco ASA remote access VPN - example 1 - pre-shared key with split-tunneling

  • create ACL for split tunneling (this traffic will be tunneled)

(config)# access-list ra_vpn standard permit

  • create pool of addresses for remote clients

(config)# ip local pool ra_vpn_pool mask

  • create internal group policy

(config)# group-policy RA_VPN_Policy internal
(config)# group-policy RA_VPN_Policy attributes

(config-group-policy)# dns-server value

(config-group-policy)# default-domain value

(config-group-policy)# banner login "Welcome on Remote Access VPN at"

set split-tunneling (options are: tunnelall, excludespecified and tunnelspecified).

(config-group-policy)# split-tunnel-policy tunnelspecified

configure the network list that should be tunneled (the ACL created above)

(config-group-policy)# split-tunnel-network-list value ra_vpn

  • create tunnel-group

(config)# tunnel-group RA_VPN_tunnel_group type ipsec-ra

(config)# tunnel-group RA_VPN_tunnel_group general-attributes

specify IP address assignment (our local IP address pool)

(config-tunnel-general)# address-pool ra_vpn_pool

specify policy for VPN connection (our RA_VPN_Policy)

(config-tunnel-general)# default-group-policy RA_VPN_Policy

(config)# tunnel-group RA_VPN_tunnel_group ipsec-attributes

define the pre-shared key

(config-tunnel-ipsec)# pre-shared-key xxxxxxxxxxxxxxxxxxxxx

  • configure crypto map

configure transform set (IPsec phase 2)

(config)# crypto ipsec transform-set RA_VPN_transformset esp-aes-256 esp-sha-hmac

configure dynamic map and bind it to a crypto map

(config)# crypto dynamic-map RA_VPN_dynamic 5000 set transform-set RA_VPN_transformset

(config)# crypto map RA_VPN_map 100 ipsec-isakmp dynamic RA_VPN_dynamic

enable crypto map on outside interface

(config)# crypto map RA_VPN_map interface outside


  • enable isakmp on external interface

(config)# crypto isakmp enable outside

  • define isakmp policy (IPsec phase 1)

(config)# isakmp policy 100

(config-isakmp-policy)# group 2

(config-isakmp-policy)# encryption aes-256

(config-isakmp-policy)# authentication pre-share

  • configure NAT exemption (DO NOT NAT remote access traffic!!!)

ACL for NAT exemption

(config)# access-list nonat line 1 extended permit ip any

(config)# nat (inside) 0 access-list nonat

  • create user for remote access

(config)# username danpol password ....

(config)# username adrianda attributes

(config-username)# vpn-group-policy RA_VPN_Policy


  • Configure VPN client profile
Connection Entry - name of the profile

Description - short info about this profile

Group Authentication - Name - name of the tunnel-group

Password - the pre-shared key we typed in the tunnel-group configuration
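A small consistency check for the configuration built above, added here as an example and not part of the original post or of any Cisco tool. It assumes a saved running-config text (the constructed sample below uses placeholder addresses) and reports dangling references between the objects this guide creates (ACL, pool, group-policy, transform-set, dynamic map, crypto map) plus a weak IKE DH group.

```python
import re

# Constructed sample following the guide above; addresses are placeholders.
SAMPLE_CONFIG = """
access-list ra_vpn standard permit 10.0.0.0 255.255.255.0
ip local pool ra_vpn_pool 10.10.10.1-10.10.10.50 mask 255.255.255.0
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ra_vpn
tunnel-group RA_VPN_tunnel_group type ipsec-ra
tunnel-group RA_VPN_tunnel_group general-attributes
 address-pool ra_vpn_pool
 default-group-policy RA_VPN_Policy
crypto ipsec transform-set RA_VPN_transformset esp-aes-256 esp-sha-hmac
crypto dynamic-map RA_VPN_dynamic 5000 set transform-set RA_VPN_transformset
crypto map RA_VPN_map 100 ipsec-isakmp dynamic RA_VPN_dynamic
crypto map RA_VPN_map interface outside
isakmp policy 100
 group 2
"""

def lint_ra_vpn(config):
    """Return findings: references to undefined objects and weak IKE settings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    def names(pattern):  # names captured by group 1 over all matching lines
        return {m.group(1) for l in lines if (m := re.match(pattern, l))}

    refs = [  # (referencing command, set of defined names, label)
        (r"split-tunnel-network-list value (\S+)", names(r"access-list (\S+) "), "ACL"),
        (r"address-pool (\S+)", names(r"ip local pool (\S+) "), "address pool"),
        (r"default-group-policy (\S+)", names(r"group-policy (\S+) internal"), "group-policy"),
        (r"crypto dynamic-map \S+ \d+ set transform-set (\S+)",
         names(r"crypto ipsec transform-set (\S+) "), "transform-set"),
        (r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)",
         names(r"crypto dynamic-map (\S+) \d+ "), "dynamic map"),
        (r"crypto map (\S+) interface ", names(r"crypto map (\S+) \d+ "), "crypto map"),
    ]
    findings = []
    for l in lines:
        for pat, defined, label in refs:
            m = re.match(pat, l)
            if m and m.group(1) not in defined:
                findings.append(f"undefined {label} '{m.group(1)}': {l}")
        if re.fullmatch(r"group [125]", l):  # 768/1024/1536-bit DH is weak today
            findings.append(f"weak IKE DH group: {l}")
    return findings
```

Running `lint_ra_vpn(SAMPLE_CONFIG)` flags only the `group 2` line; a typo in any of the cross-references (for example in the split-tunnel ACL name) produces an "undefined" finding pointing at the offending command.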


dzbanek 2012-12-01
