Configure Remote Client VPN on ASA 5520

Posted on 2009-05-14
Last Modified: 2013-11-16
I am trying to configure my ASA for Remote Client VPN usage through the CLI. I am having trouble figuring out where I am going wrong. Here is what I did. Am I missing an entry somewhere? Not sure, as the ASDM seems to junk up my config when I do anything from it. I am not sure if my NATs and ACLs are correct either.
1- First configure the ASA interface
  Interface name
  Security level
  IP address
  Enable crypto isakmp on ASA

2- Configure IP pool
  Pool name
  Range of IP addresses to be used in pool

3- Configure user accounts

4- First define the ISAKMP Policy.

5- Establish IPsec transform set.

6- Configure tunnel group
  Group name
  Group policies
: Saved
:
ASA Version 7.2(2)
!
hostname WATER-FW
domain-name WATER.local
enable password XXXXXXXXXXXXX encrypted
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
!
interface GigabitEthernet0/1
 nameif DMZ1
 security-level 75
 no ip address
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address
!
interface GigabitEthernet0/3
 nameif DMZ2
 security-level 50
 no ip address
!
interface Management0/0
 nameif management
 security-level 10
 ip address
!
passwd XXXXXXXXXXXXXXX encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup DMZ1
dns domain-lookup INSIDE
dns domain-lookup DMZ2
dns server-group DefaultDNS
 domain-name WATER.local
access-list WATER_Split_TunnelACL remark WATER LAN for Split Tunnel
access-list WATER_Split_TunnelACL standard permit
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host INSIDE
mtu outside 1500
mtu DMZ1 1500
mtu INSIDE 1500
mtu DMZ2 1500
mtu management 1500
ip local pool Users mask
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface DMZ1
monitor-interface INSIDE
monitor-interface DMZ2
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any DMZ1
icmp permit any echo-reply DMZ1
icmp permit any INSIDE
icmp permit any echo-reply INSIDE
icmp permit any DMZ2
icmp permit any echo-reply DMZ2
icmp permit any management
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (INSIDE) 1 interface
global (DMZ2) 1 interface
nat (DMZ1) 1
nat (INSIDE) 1
nat (DMZ2) 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy WATERVPN internal
group-policy WATERVPN attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WATER_Split_TunnelACL
 default-domain value WATER.local
username admin password XXXXXXXXXXXXXXXXXX encrypted privilege 15
http server enable
http outside
http DMZ1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  21
tunnel-group WATER type ipsec-ra
tunnel-group WATER general-attributes
 address-pool Users
tunnel-group WATER ipsec-attributes
 pre-shared-key *
telnet DMZ1
telnet INSIDE
telnet timeout 5
ssh outside
ssh timeout 60
console timeout 0
management-access INSIDE
dhcpd address INSIDE
dhcpd dns interface INSIDE
dhcpd wins interface INSIDE
dhcpd enable INSIDE
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns
!
service-policy global_policy global
prompt hostname context
: end
asdm image disk0:/asdm-522.bin
no asdm history enable


Question by: ssimmons1

Accepted Solution

bignewf earned 500 total points
ID: 24391960
Here is one problem:

This is your inside interface:
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address

Your IP pool for remote VPN users is on the same network as your internal LAN:
ip local pool Users mask  THIS NEEDS TO BE ON A DIFFERENT NETWORK - I.E.

Also, I don't see nat 0 statements, i.e.
access-list nonat extended permit ip

then nat (inside) 0 access-list nonat
The above example suggests is your VPN client IP pool as an example.

Also add:

sysopt connection permit-ipsec (or permit-vpn depending on IOS version)

Try these to start. Enclosed are PDFs from Cisco with a sample CLI config and ASDM.

Experience has shown that the CLI is better to use for VPN configs; the ASDM often produces errors.
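To check an ASA config for the two faults bignewf points to (VPN pool on the same network as the inside LAN, no nat 0 exemption ACL) plus the missing sysopt line, here is an added Python lint; it is not code from this thread or from Cisco. The config fragments and their RFC 1918 addresses are constructed for the demonstration, and the line patterns assume the ASA 7.x syntax shown in the question.

```python
import ipaddress
import re
# Constructed ASA 7.x config fragments with made-up RFC 1918 addresses (not the poster's config).
# BROKEN has the faults the accepted answer names: VPN pool inside the INSIDE LAN, no nat 0 ACL,
# no sysopt line. FIXED applies the answer: separate pool subnet, nat 0 exemption, sysopt line.
BROKEN = """\
interface GigabitEthernet0/2
 nameif INSIDE
 ip address 192.168.1.1 255.255.255.0
ip local pool Users 192.168.1.200-192.168.1.250 mask 255.255.255.0
nat (INSIDE) 1 0.0.0.0 0.0.0.0
"""
FIXED = """\
interface GigabitEthernet0/2
 nameif INSIDE
 ip address 192.168.1.1 255.255.255.0
ip local pool Users 192.168.100.1-192.168.100.50 mask 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
"""
def parse_config(config):  # INSIDE subnet, VPN pool range, and whether nat 0 / sysopt exist
    facts = {"inside": None, "pool": None, "nat0": False, "sysopt": False}
    in_inside = False
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            in_inside = False                      # a new interface block starts
        elif line.strip() == "nameif INSIDE":
            in_inside = True
        elif in_inside and words[:2] == ["ip", "address"] and len(words) == 4:
            facts["inside"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        if m := re.match(r"ip local pool \S+ ([^-\s]+)-(\S+) mask \S+", line):
            facts["pool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        if re.match(r"nat \(\S+\) 0 access-list \S+", line):
            facts["nat0"] = True                   # NAT exemption for VPN client traffic
        if line.startswith("sysopt connection permit-"):
            facts["sysopt"] = True                 # permit-ipsec (7.x) or permit-vpn (8.x)
    return facts
def check_config(config):  # findings in the order the accepted answer raises them
    f = parse_config(config)
    findings = []
    if f["inside"] and f["pool"] and any(ip in f["inside"] for ip in f["pool"]):
        findings.append("vpn pool overlaps INSIDE subnet")
    if not f["nat0"]:
        findings.append("missing nat 0 access-list (NAT exemption)")
    if not f["sysopt"]:
        findings.append("missing sysopt connection permit-ipsec/permit-vpn")
    return findings
```

Paste the output of show running-config into check_config in place of the constructed strings; an empty list means none of the three problems is present.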


Author Comment

ID: 24392243
I just reset to factory defaults and I am starting from scratch. I inherited this box, so I suppose this is the best course. My first goal is to access the internet and PAT my internal users. Then I am going to try the VPN. Bear with me for a couple. These are great resources and I will let you know my results.

By any chance, do you have any initial config docs handy?
I have this:
However, your ASDM guide is much better.

Author Comment

ID: 24392333
Quick Q: when you reset to factory default, do you wipe the VPN license? I had a 750 lic.

Author Closing Comment

ID: 31591509
I had to put this down for a bit, but bignewf correctly addressed both of the issues. I had to do some follow-up reading, but that was due to my lack of understanding. Thanks!
One being the NAT and the other the DHCP scope. Thanks, sorry for the delay in grading.

Author Comment

ID: 24606437
And to answer my other q: no, it doesn't wipe the license info.
