Oct 28, 2013

Client IPSEC VPN Configurations on a Cisco ASA 5500


Below I've put together a rough configuration of what I did to build my own home Remote Access VPN on a Cisco ASA 5505. I really put this up for my own personal reference, but feel free to post any questions. Most of this may seem vague if you're unfamiliar with the ASA platform and its configuration.



Basic Crypto configurations required for my example:

Declare the Phase 2 (IPsec) transform set to be used:

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Crypto Map is named "outside_map" and applied to the outside interface:

crypto map outside_map interface outside

Enable IKEv1 on the outside interface (this example uses IKEv1 throughout):

crypto ikev1 enable outside

Phase 1 configuration:

crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


Have a local user account to test with:

username cisco password cisco privilege 15



Beginning of configuration:

Create the Objects that reference your internal networks and User IP Pool:

object network obj-vpn-users
 subnet 192.168.99.0 255.255.255.248

object network obj-internal
 subnet 192.168.1.0 255.255.255.0




Create the ACL that will be applied to the user's session (as the vpn-filter) at the time of VPN authentication:

access-list ACL_USER extended permit ip 192.168.99.0 255.255.255.248 192.168.1.0 255.255.255.0


Create the Split Tunnel ACLs:

access-list ACL_Split-tunnel-USER standard permit 192.168.1.0 255.255.255.0


Create the IP Pool for VPN assignment:

ip local pool POOL_USER 192.168.99.2-192.168.99.6 mask 255.255.255.248


Create the No NAT (identity NAT) policy so inside traffic can reach the VPN users (make sure that this is in your configuration before any dynamic PAT policy):

nat (inside,outside) source static obj-internal obj-internal destination static obj-vpn-users obj-vpn-users description USER_VPN


Create a dynamic map to support the VPN connection from any location and set the transform-set and reverse-route:

crypto dynamic-map VPN-USER 1 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map VPN-USER 1 set reverse-route


crypto map outside_map 999 ipsec-isakmp dynamic VPN-USER


Configure the Group Policy:


group-policy GP_USER internal
group-policy GP_USER attributes
 vpn-filter value ACL_USER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_Split-tunnel-USER


Finally, create your tunnel group, specifying the group policy and pre-shared key:


tunnel-group VPN-USER type remote-access
tunnel-group VPN-USER general-attributes
 address-pool POOL_USER
 default-group-policy GP_USER
tunnel-group VPN-USER ipsec-attributes
 ikev1 pre-shared-key cisco123
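The pieces above only work if they agree with each other: the pool must sit inside the object used for the NAT exemption, the vpn-filter source must cover the pool, and the tunnel group must point at a pool and group policy that actually exist. The checker below is an added example, not the author's configuration; it parses the snippets from this post (embedded as constructed sample text) and reports any mismatch. The regexes assume the exact layout shown in this post.

```python
import ipaddress
import re

# Constructed sample: the remote-access VPN pieces from this post, joined so the check runs offline.
ASA_CONFIG = """\
object network obj-vpn-users
 subnet 192.168.99.0 255.255.255.248
object network obj-internal
 subnet 192.168.1.0 255.255.255.0
access-list ACL_USER extended permit ip 192.168.99.0 255.255.255.248 192.168.1.0 255.255.255.0
ip local pool POOL_USER 192.168.99.2-192.168.99.6 mask 255.255.255.248
nat (inside,outside) source static obj-internal obj-internal destination static obj-vpn-users obj-vpn-users description USER_VPN
group-policy GP_USER attributes
 vpn-filter value ACL_USER
tunnel-group VPN-USER general-attributes
 address-pool POOL_USER
 default-group-policy GP_USER
"""
def network(addr, mask):
    # ASA writes networks as "address mask"; ipaddress accepts the dotted mask after a slash.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_vpn_config(cfg):
    """Cross-check pool, NAT exemption, vpn-filter and tunnel-group; an empty list means they agree."""
    findings = []
    objs = {m[1]: network(m[2], m[3])
            for m in re.finditer(r"object network (\S+)\n subnet (\S+) (\S+)", cfg)}
    pool = re.search(r"ip local pool (\S+) (\S+)-(\S+) mask", cfg)
    pool_name, first, last = pool[1], ipaddress.ip_address(pool[2]), ipaddress.ip_address(pool[3])
    # 1. Identity NAT must cover the whole pool, or replies to some clients get PATed (tunnel looks one-way).
    nat = re.search(r"nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2", cfg)
    if nat is None:
        findings.append("no identity NAT exempting inside-to-VPN-pool traffic")
    elif not (first in objs[nat[2]] and last in objs[nat[2]]):
        findings.append(f"pool {pool_name} is not fully inside NAT-exempt object {nat[2]}")
    # 2. vpn-filter ACEs are written client (source) -> inside (destination); the source must cover the pool.
    vf = re.search(r"vpn-filter value (\S+)", cfg)
    ace = re.search(rf"access-list {re.escape(vf[1])} extended permit ip (\S+) (\S+)", cfg)
    if ace is None or not (first in network(ace[1], ace[2]) and last in network(ace[1], ace[2])):
        findings.append(f"vpn-filter {vf[1]} source does not cover pool {pool_name}")
    # 3. The tunnel-group must reference a pool and a group-policy that are actually defined.
    tg_pool = re.search(r"address-pool (\S+)", cfg)[1]
    tg_gp = re.search(r"default-group-policy (\S+)", cfg)[1]
    if tg_pool != pool_name:
        findings.append(f"tunnel-group references undefined pool {tg_pool}")
    if not re.search(rf"^group-policy {re.escape(tg_gp)} attributes$", cfg, re.M):
        findings.append(f"tunnel-group references undefined group-policy {tg_gp}")
    return findings

if __name__ == "__main__":
    print(check_vpn_config(ASA_CONFIG) or "pool, NAT exemption, vpn-filter and tunnel-group agree")
```

Paste your own `show running-config` output into ASA_CONFIG to run the same checks against a live box; a common real-world slip it catches is widening the pool later without widening obj-vpn-users and ACL_USER to match.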

