Cisco ASA: VPN to IOS router

Cisco.com has a very good article that describes in detail the site-to-site VPN setup between an ASA firewall and an IOS router (Document ID: 112153).

On the ASA as well as on a Cisco IOS router, a crypto map needs to be assigned to an interface, in most cases the outside one. The issue with routers is that each interface can only have one crypto map assigned.

Imagine a situation where you need to run both a site-to-site VPN and a remote-access (client) VPN with RADIUS authentication on the same router and on the same outside interface.

In this case you'll need to use the same crypto map (i.e. a crypto map with the same name) for both VPNs, with a different sequence number for each entry:

crypto map CRYPTOMAPNAME 11 ipsec-isakmp
set peer PEERIPADDRESS
set transform-set ASA-IPSEC
match address COLO_VPN_ACL
crypto map CRYPTOMAPNAME 99 ipsec-isakmp dynamic dynmap

For RADIUS authentication you'll probably need something like:

crypto map CRYPTOMAPNAME client authentication list userauthen
crypto map CRYPTOMAPNAME isakmp authorization list groupauthor

You'll also need a separate ISAKMP client configuration group for the VPN users:

crypto isakmp client configuration group CRYPTOMAPNAME
key zwfw34ra2
dns 10.0.0.10
domain local.local
pool VPN-POOL
acl USER_VPN_ACL

and an ISAKMP policy for the peers:

crypto isakmp policy 2
authentication pre-share

If you use a pre-shared key for your site-to-site VPN, no-xauth needs to be added at the end of the key statement, as below. It tells the router to skip XAUTH (extended user authentication) for that peer, which would otherwise be triggered by the client authentication list attached to the shared crypto map:

crypto isakmp key nd200412 address 216.16.234.224 no-xauth
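The two pitfalls above (a second crypto map silently replacing the first on an interface, and a site-to-site peer hanging in IKE phase 1 because XAUTH is applied to it) are easy to catch before a config is pushed. The following Python linter is an added example, not from the original post or from Cisco; it parses IOS-style config text and reports those cases. The embedded SAMPLE_CONFIG is constructed for the example, with documentation addresses (192.0.2.x, 198.51.100.x) and placeholder keys; the map, list and ACL names mirror the post.

```python
"""Lint Cisco IOS crypto-map configuration for common site-to-site + remote-access pitfalls."""
import re
from collections import defaultdict

# Constructed sample (not a real device): one outside interface carrying a
# shared crypto map with static site-to-site entries plus a dynamic entry.
# Deliberate problems: peer 192.0.2.10 lacks no-xauth, OTHERMAP 10 has no
# pre-shared key, and the interface lists two crypto maps.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key PLACEHOLDER-PSK-1 address 192.0.2.10
crypto isakmp key PLACEHOLDER-PSK-2 address 192.0.2.20 no-xauth
crypto isakmp client configuration group VPNUSERS
 key PLACEHOLDER-GROUP-KEY
 pool VPN-POOL
crypto ipsec transform-set ASA-IPSEC esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set ASA-IPSEC
crypto map CRYPTOMAPNAME client authentication list userauthen
crypto map CRYPTOMAPNAME isakmp authorization list groupauthor
crypto map CRYPTOMAPNAME 11 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set ASA-IPSEC
 match address COLO_VPN_ACL
crypto map CRYPTOMAPNAME 12 ipsec-isakmp
 set peer 192.0.2.20
 set transform-set ASA-IPSEC
 match address COLO2_VPN_ACL
crypto map CRYPTOMAPNAME 99 ipsec-isakmp dynamic dynmap
crypto map OTHERMAP 10 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set ASA-IPSEC
 match address OTHER_ACL
interface GigabitEthernet0/0
 description outside
 crypto map CRYPTOMAPNAME
 crypto map OTHERMAP
"""


def parse(config):
    """Split IOS config text into (top_level_line, [indented_sub_lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(config):
    """Return a list of human-readable findings for the given config text."""
    blocks = parse(config)
    findings = []

    # Static pre-shared keys by peer address -> whether no-xauth is set.
    psk = {}
    for top, _ in blocks:
        m = re.match(r"crypto isakmp key \S+ address (\S+)(.*)$", top)
        if m:
            psk[m.group(1)] = "no-xauth" in m.group(2)

    # Which crypto maps enable XAUTH, and the static peers under each map.
    xauth_maps = set()
    static_peers = defaultdict(list)  # map name -> [(seq, peer), ...]
    for top, subs in blocks:
        m = re.match(r"crypto map (\S+) client authentication list", top)
        if m:
            xauth_maps.add(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", top)  # static entries only
        if m:
            name, seq = m.group(1), int(m.group(2))
            if not any(s.startswith("match address") for s in subs):
                findings.append(f"{name} {seq}: static entry has no 'match address'")
            for s in subs:
                if s.startswith("set peer "):
                    static_peers[name].append((seq, s.split()[2]))

    # A static peer needs a key; under an XAUTH-enabled map it also needs no-xauth,
    # otherwise phase 1 with the site-to-site peer stalls waiting for a user login.
    for name, peers in static_peers.items():
        for seq, peer in peers:
            if peer not in psk:
                findings.append(f"{name} {seq}: no 'crypto isakmp key ... address {peer}'")
            elif name in xauth_maps and not psk[peer]:
                findings.append(f"{name} {seq}: key for {peer} lacks no-xauth")

    # One crypto map per interface: applying a second one replaces the first.
    for top, subs in blocks:
        if top.startswith("interface "):
            maps = [s.split()[2] for s in subs if s.startswith("crypto map ")]
            if len(maps) > 1:
                findings.append(f"{top}: {len(maps)} crypto maps ({', '.join(maps)}); only the last takes effect")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` or a config template before deployment; each finding names the crypto map entry or interface it applies to, so the fix is a one-line change at that spot.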