

Cisco ASA remote access VPN

Posted on 2014-08-10
Medium Priority
Last Modified: 2014-08-14
I've set up a Remote Access VPN using a Cisco ASA for travel users to gain access to network applications. It connects using the Cisco client; however, I believe it's trying to act as an ISP and I do not want it to. I only want staff to be able to access resources.
I believe when I ran the wizard it took me through those settings, but what am I missing?
Question by: Spt_Us

Expert Comment

ID: 40252204
Set the ACL to take only the interesting traffic and not

Author Comment

ID: 40252776
Can you explain what you mean by 'interesting' traffic?

Author Comment

ID: 40252781
I don't have ACLs; could that be the issue? I used the RA wizard; shouldn't it have built the crypto/ACL etc., or did I possibly miss it? That is, if I am using the Cisco VPN client to connect into the ASA/network.

Accepted Solution

nickoarg earned 1500 total points
ID: 40253288
I was thinking about ISR IOS and not ASA. In IOS you define the ACL of the traffic that you want the client to send through the tunnel. Here is the CLI example from Cisco:

The following example shows how to configure Remote Access IPsec VPNs:

hostname(config)# interface ethernet0
hostname(config-if)# ip address
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# integrity sha
hostname(config-ikev2-policy)# lifetime 43200
hostname(config-ikev2-policy)# prf sha
hostname(config)# crypto ikev2 enable outside
hostname(config)# ip local pool testpool
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec ikev2 ipsec-proposal FirstSet
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes
hostname(config)# tunnel-group testgroup type remote-access
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup webvpn-attributes
hostname(config-webvpn)# authentication aaa certificate
hostname(config)# crypto dynamic-map dyn1 1 set ikev2 ipsec-proposal FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory


The line:
crypto dynamic-map dyn1 1 set reverse-route
pushes the routes of the ASA to the client, such as the default route, causing the tunnel to "catch" the internet traffic that you don't want.
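On the ASA the "interesting traffic" ACL the accepted answer refers to is a split-tunnel network list attached to the group policy; it applies to both the legacy Cisco IPsec client and AnyConnect. The following is an added configuration example, not taken from the thread or from Cisco's documentation; the names RA_POLICY and SPLIT_TUNNEL and the 10.0.0.0/24 internal network are assumed placeholders, while testgroup is the tunnel-group from the example above.

```cisco
! Added example: split tunneling for a Cisco ASA remote-access VPN.
! RA_POLICY, SPLIT_TUNNEL and 10.0.0.0/24 are placeholders; adjust to your network.
!
! 1. Standard ACL listing only the internal networks that should ride the tunnel.
!    Anything not listed (ordinary internet traffic) leaves the client's own
!    interface instead of being hairpinned through the ASA.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
!
! 2. Group policy referencing that list. "tunnelspecified" tunnels only the
!    listed networks; the default "tunnelall" is what makes the ASA act as the
!    client's ISP. Clients should reconnect for the new policy to take effect.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 3. Bind the policy to the remote-access tunnel group from the example above.
tunnel-group testgroup general-attributes
 default-group-policy RA_POLICY
!
! Verification: confirm what the ASA will push to connecting clients, then check
! an active session to see which group policy it actually received.
show running-config group-policy RA_POLICY
show running-config access-list SPLIT_TUNNEL
show vpn-sessiondb detail remote
```

On the client side, the Route Details view of the Cisco VPN client should then list only the 10.0.0.0/24 network as secured, with no 0.0.0.0/0 entry.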

Author Closing Comment

ID: 40261366
It was a great help figuring out what I was missing!! THANKS
