Cisco ASAv - Client Remote Access VPN (IKEv1) Part 1

Phase 1 policy:
crypto ikev1 policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

Phase 2 parameters:
crypto ipsec ikev1 transform-set my_transform_set esp-aes-256 esp-sha-hmac

IP Pool:
ip local pool VPNPool 192.168.254.1-192.168.254.5 mask 255.255.255.248

Access list for the split-tunnel VPN:
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0

Group policy:
group-policy ipsec_policy internal
group-policy ipsec_policy attributes
dns-server value 10.0.0.100 10.0.0.111
vpn-idle-timeout 15
vpn-filter value outside_access_in
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL

Tunnel group:
tunnel-group ipsec_tunnel type remote-access
tunnel-group ipsec_tunnel general-attributes
address-pool VPNPool
default-group-policy ipsec_policy
authentication-server-group LOCAL
tunnel-group ipsec_tunnel ipsec-attributes
ikev1 pre-shared-key mysecureC1scopresharedkey

Crypto map:
crypto dynamic-map dyn_map 65535 set ikev1 transform-set my_transform_set
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside

Set a reverse route on the ASA to the VPN client when a VPN connection is established (the route is removed when the VPN session disconnects):
crypto dynamic-map dyn_map 65535 set reverse-route

Enable IKEv1 on the Outside interface:
crypto ikev1 enable outside

Create a user for VPN access:
username vpnuser1 password q7eGvpv2PbdBYpq encrypted privilege 0

Set up a NAT exemption so the ASA does not translate traffic between the VPN pool and the internal network:

object network LAN
subnet 10.0.0.0 255.255.255.0

object network VPN_POOL
subnet 192.168.254.0 255.255.255.0

NAT exemption:
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
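The snippets above only work as a whole when the names they reference line up (pool, group policy, split-tunnel ACL, crypto map interface, NAT-exempt object). As an added example that is not part of the original post, here is a small Python audit that parses those lines, cross-checks the references, verifies the client pool sits inside the NAT-exempt object, and flags the 1024-bit DH group; the embedded config text is a constructed sample assembled from the page, with the vpn-filter ACL and LAN object omitted.

```python
import ipaddress
import re

# Constructed sample: the remote-access pieces of the page's ASA config joined
# into one text (the vpn-filter ACL and LAN object are omitted for brevity).
ASA_CONFIG = """\
crypto ikev1 policy 65535
 group 2
ip local pool VPNPool 192.168.254.1-192.168.254.5 mask 255.255.255.248
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy ipsec_policy internal
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group ipsec_tunnel general-attributes
 address-pool VPNPool
 default-group-policy ipsec_policy
crypto map outside_map interface outside
crypto ikev1 enable outside
object network VPN_POOL
 subnet 192.168.254.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
"""

def audit_ra_vpn(config):
    """Cross-reference the remote-access VPN objects; return a list of findings."""
    find = lambda pattern: re.findall(pattern, config, re.M)  # capture groups per matching line
    findings = []
    pools = dict(find(r"^ip local pool (\S+) (\S+-\S+)"))          # name -> "lo-hi"
    subnets = {n: ipaddress.ip_network(f"{net}/{mask}")             # object name -> network
               for n, net, mask in find(r"^object network (\S+)\n subnet (\S+) (\S+)")}
    refs = [  # (reference pattern, set of defined names, label)
        (r"^ address-pool (\S+)", pools, "address pool"),
        (r"^ default-group-policy (\S+)", set(find(r"^group-policy (\S+) internal")), "group-policy"),
        (r"^ split-tunnel-network-list value (\S+)", set(find(r"^access-list (\S+) ")), "split-tunnel ACL"),
        (r"^crypto map \S+ interface (\S+)", set(find(r"^crypto ikev1 enable (\S+)")), "IKEv1-enabled interface"),
    ]
    for pattern, defined, label in refs:
        for name in find(pattern):
            if name not in defined:
                findings.append(f"{label} {name} is referenced but not defined")
    # The NAT exemption only helps if every client pool address lies inside the exempt object.
    for obj in find(r"^nat \(\S+\) source static \S+ \S+ destination static (\S+) \1 "):
        for name, rng in pools.items():
            lo, hi = (ipaddress.ip_address(a) for a in rng.split("-"))
            if obj in subnets and not (lo in subnets[obj] and hi in subnets[obj]):
                findings.append(f"pool {name} ({rng}) is not covered by NAT-exempt object {obj}")
    for grp in find(r"^ group (\d+)"):  # IKEv1 policy DH group; group 2 is 1024-bit MODP
        if int(grp) < 14:
            findings.append(f"IKEv1 DH group {grp} is below 2048-bit MODP (group 14)")
    return findings
```

Run against the page's own values the audit reports only the DH group; the same check catches a pool that drifts outside the NAT-exempt object or a crypto map bound to an interface where IKEv1 was never enabled.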
