Cisco ASA: Remote Access VPN

Tunnel specified subnets

Pre 8.3 version

Pool of addresses that will be assigned to VPN clients:

ip local pool testpool 192.168.0.10-192.168.0.20 mask 255.255.255.0

Access to other networks from VPN subnet:

access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.9.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.8.0 255.255.255.0

access-list NONAT extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0

If required, configure RADIUS authentication:

aaa-server RADUIS protocol radius
aaa-server RADUIS (inside) host 192.168.10.11
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server RADUIS (inside) host 192.168.10.10
 key *****
 authentication-port 1812
 accounting-port 1813

VPN group policy:

group-policy VPN internal
group-policy VPN attributes
 banner value Welcome to Igloo Software. Unauthorized user disconnect immediately
 dns-server value 192.168.10.10 192.168.10.11
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value igloosoftware.pvt
 address-pools value testpool

VPN tunnel group:

tunnel-group igloovpn type remote-access
tunnel-group igloovpn general-attributes
 authentication-server-group RADUIS LOCAL
 default-group-policy VPN
tunnel-group igloovpn ipsec-attributes
 ikev1 pre-shared-key *****

Post 8.2 version

Pool of addresses that will be assigned to VPN clients:

ip local pool testpool 192.168.0.10-192.168.0.20 mask 255.255.255.0

Access to other networks from VPN subnet:

access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.9.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.8.0 255.255.255.0

object network obj-192.168.0.0-vpn
 subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static any any destination static obj-192.168.0.0-vpn obj-192.168.0.0-vpn

If required, configure RADIUS authentication:

aaa-server RADUIS protocol radius
aaa-server RADUIS (inside) host 192.168.10.11
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server RADUIS (inside) host 192.168.10.10
 key *****
 authentication-port 1812
 accounting-port 1813

VPN group policy:

group-policy VPN internal
group-policy VPN attributes
 banner value Welcome to Igloo Software. Unauthorized user disconnect immediately
 dns-server value 192.168.10.10 192.168.10.11
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value igloosoftware.pvt
 address-pools value testpool

VPN tunnel group:

tunnel-group igloovpn type remote-access
tunnel-group igloovpn general-attributes
 authentication-server-group RADUIS LOCAL
 default-group-policy VPN
tunnel-group igloovpn ipsec-attributes
 ikev1 pre-shared-key *****

Tunnel all traffic

(all client traffic, including traffic to hosts on the Internet, is routed through the corporate network)

Pre 8.3 version

Pool of addresses that will be assigned to VPN clients:

ip local pool testpool_sap 192.168.102.10-192.168.102.20 mask 255.255.255.0

Permit traffic between interfaces with the same security level:

same-security-traffic permit intra-interface

Access to other networks from VPN subnet:

access-list NONAT extended permit ip 192.168.102.0 255.255.255.0 192.168.0.0 255.255.255.0

This assumes the NONAT access list is already applied to the inside interface:

nat (inside) 0 access-list NONAT

NAT from VPN subnet to outside:

nat (outside) 1 192.168.102.0 255.255.255.0

This assumes that dynamic NAT to the outside interface is already in place:

global (outside) 1 interface

If required, configure RADIUS authentication:

aaa-server RADUIS protocol radius
aaa-server RADUIS (inside) host 192.168.10.11
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server RADUIS (inside) host 192.168.10.10
 key *****
 authentication-port 1812
 accounting-port 1813

VPN group policy:

group-policy VPN_SAP internal
group-policy VPN_SAP attributes
 banner value Welcome to Igloo Software. Unauthorized user disconnect immediately
 dns-server value 192.168.10.10 192.168.10.11
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value igloosoftware.pvt
 address-pools value testpool_sap

VPN tunnel group:

tunnel-group igloovpn_sap type remote-access
tunnel-group igloovpn_sap general-attributes
 authentication-server-group RADUIS LOCAL
 default-group-policy VPN_SAP
tunnel-group igloovpn_sap ipsec-attributes
 ikev1 pre-shared-key *****
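
As an added example, not part of the original page: a small Python checker that parses config in the form shown in the two pre-8.3 sections above (tunnel specified networks, and tunnel all) and flags the mismatches that most often break such a setup: a split-tunnel network with no NONAT exemption back to the client address pool, and a tunnelall policy without "same-security-traffic permit intra-interface". It also lists the tunnel groups that fall back to the LOCAL user database, which matters when reviewing who can still log in while RADIUS is unreachable. The SAMPLE_CONFIG text, the function names and the check logic are constructed for this example; secrets are placeholders.

```python
"""Sanity checks for a Cisco ASA remote-access VPN config (pre-8.3 NAT syntax).

Added example, not from the original page: parses config in the form shown
above and flags settings that commonly break or weaken such a setup.
"""
import ipaddress
import re

# Constructed from the page's snippets; secrets are placeholders.
SAMPLE_CONFIG = """\
ip local pool testpool 192.168.0.10-192.168.0.20 mask 255.255.255.0
ip local pool testpool_sap 192.168.102.10-192.168.102.20 mask 255.255.255.0
same-security-traffic permit intra-interface
access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.9.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.8.0 255.255.255.0
access-list NONAT extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value testpool
group-policy VPN_SAP attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 address-pools value testpool_sap
tunnel-group igloovpn general-attributes
 authentication-server-group RADUIS LOCAL
 default-group-policy VPN
tunnel-group igloovpn_sap general-attributes
 authentication-server-group RADUIS LOCAL
 default-group-policy VPN_SAP
"""


def parse_config(text):
    """Extract the pieces the checks need; lines we do not model are ignored."""
    cfg = {"pools": {}, "std_acl": {}, "ext_acl": {}, "policies": {},
           "tunnel_groups": {}, "global": set()}
    current = None  # (section, name) of the open attributes block, if any
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():  # indented line: sub-command of the open block
            if current is not None:
                tokens = raw.split()
                vals = tokens[2:] if len(tokens) > 1 and tokens[1] == "value" else tokens[1:]
                cfg[current[0]][current[1]][tokens[0]] = vals
            continue
        current = None
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)", line):
            # The mask gives the subnet the pool addresses belong to.
            cfg["pools"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            cfg["std_acl"].setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            pair = (ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_network(f"{m[4]}/{m[5]}"))
            cfg["ext_acl"].setdefault(m[1], []).append(pair)
        elif m := re.match(r"group-policy (\S+) attributes", line):
            current = ("policies", m[1])
            cfg["policies"].setdefault(m[1], {})
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            current = ("tunnel_groups", m[1])
            cfg["tunnel_groups"].setdefault(m[1], {})
        elif line == "same-security-traffic permit intra-interface":
            cfg["global"].add(line)
    return cfg


def _policy_for(cfg, tg_attrs):
    return cfg["policies"].get(tg_attrs.get("default-group-policy", [None])[0], {})


def missing_nat_exemptions(cfg, nonat_acl="NONAT"):
    """(tunnel-group, network) pairs whose split-tunnel network has no NONAT entry
    covering traffic from that network to the group's address pool."""
    findings = []
    exemptions = cfg["ext_acl"].get(nonat_acl, [])
    for tg, attrs in cfg["tunnel_groups"].items():
        pol = _policy_for(cfg, attrs)
        if pol.get("split-tunnel-policy") != ["tunnelspecified"]:
            continue
        pool = cfg["pools"].get(pol.get("address-pools", [None])[0])
        for net in cfg["std_acl"].get(pol.get("split-tunnel-network-list", [None])[0], []):
            covered = pool is not None and any(
                net.subnet_of(src) and pool.subnet_of(dst) for src, dst in exemptions)
            if not covered:
                findings.append((tg, str(net)))
    return findings


def tunnelall_without_hairpin(cfg):
    """Tunnel groups using tunnelall while intra-interface traffic is not permitted,
    so client Internet traffic cannot U-turn on the outside interface."""
    if "same-security-traffic permit intra-interface" in cfg["global"]:
        return []
    return sorted(tg for tg, a in cfg["tunnel_groups"].items()
                  if _policy_for(cfg, a).get("split-tunnel-policy") == ["tunnelall"])


def local_fallback_groups(cfg):
    """Tunnel groups that fall back to the LOCAL database when RADIUS is unreachable."""
    return sorted(tg for tg, a in cfg["tunnel_groups"].items()
                  if "LOCAL" in a.get("authentication-server-group", []))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("missing NONAT exemptions:", missing_nat_exemptions(cfg))
    print("tunnelall without intra-interface permit:", tunnelall_without_hairpin(cfg))
    print("groups with LOCAL fallback:", local_fallback_groups(cfg))
```

Run it against a "show running-config" capture instead of SAMPLE_CONFIG to review a real box; the checker relies on the one-space indentation the ASA prints for sub-commands, so paste the output unmodified. Deleting one NONAT line from the sample makes the corresponding split-tunnel network show up as a finding, which is exactly the symptom (one subnet unreachable over the VPN while the others work) that this mistake produces in the field.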

Post 8.2 version

Pool of addresses that will be assigned to VPN clients:

ip local pool testpool_sap 192.168.102.10-192.168.102.20 mask 255.255.255.0

Permit traffic between interfaces with the same security level:

same-security-traffic permit intra-interface

Access to other networks from VPN subnet:

object network obj-192.168.102.0-vpn
 subnet 192.168.102.0 255.255.255.0

NAT from VPN subnet to outside:

nat (outside,outside) source dynamic obj-192.168.102.0-vpn interface
nat (outside,inside) source static obj-192.168.102.0-vpn obj-192.168.102.0-vpn

If required, configure RADIUS authentication:

aaa-server RADUIS protocol radius
aaa-server RADUIS (inside) host 192.168.10.11
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server RADUIS (inside) host 192.168.10.10
 key *****
 authentication-port 1812
 accounting-port 1813

VPN group policy:

group-policy VPN_SAP internal
group-policy VPN_SAP attributes
 banner value Welcome to Igloo Software. Unauthorized user disconnect immediately
 dns-server value 192.168.10.10 192.168.10.11
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value igloosoftware.pvt
 address-pools value testpool_sap

VPN tunnel group:

tunnel-group igloovpn_sap type remote-access
tunnel-group igloovpn_sap general-attributes
 authentication-server-group RADUIS LOCAL
 default-group-policy VPN_SAP
tunnel-group igloovpn_sap ipsec-attributes
 ikev1 pre-shared-key *****