Cisco ASA remote access VPN

Posted on 2014-08-10
Last Modified: 2014-08-14
I've set up a Remote Access VPN using a Cisco ASA for travelling users to gain access to network applications. It connects using the Cisco client; however, I believe it's trying to act as an ISP and I do not want it to. I only want staff to be able to access resources.
I believe when I did the wizard it took me through those settings, but what am I missing?
Question by: Spt_Us
    LVL 3

    Expert Comment

    Set the ACL to take only the interesting traffic and not

    Author Comment

    Can you explain what you mean by 'interesting' traffic?

    Author Comment

    I don't have ACLs; could that be the issue? I used the RA wizard; shouldn't it have built the crypto/ACL etc., or did I possibly miss it? If I am using the Cisco VPN client to connect into the ASA/network
    LVL 3

    Accepted Solution

    I was thinking about ISR IOS and not ASA. In IOS you define the ACL of the traffic that you want the client to send through the tunnel. Here is the CLI example from Cisco:

    The following example shows how to configure Remote Access IPsec VPNs:

    hostname(config)# interface ethernet0
    hostname(config-if)# ip address
    hostname(config-if)# nameif outside
    hostname(config-if)# no shutdown
    hostname(config)# crypto ikev2 policy 1
    hostname(config-ikev2-policy)# group 2
    hostname(config-ikev2-policy)# integrity sha
    hostname(config-ikev2-policy)# lifetime 43200
    hostname(config-ikev2-policy)# prf sha
    hostname(config)# crypto ikev2 enable outside
    hostname(config)# ip local pool testpool
    hostname(config)# username testuser password 12345678
    hostname(config)# crypto ipsec ikev2 ipsec-proposal FirstSet
    hostname(config-ipsec-proposal)# protocol esp encryption 3des aes
    hostname(config)# tunnel-group testgroup type remote-access
    hostname(config)# tunnel-group testgroup general-attributes
    hostname(config-general)# address-pool testpool
    hostname(config)# tunnel-group testgroup webvpn-attributes
    hostname(config-webvpn)# authentication aaa certificate
    hostname(config)# crypto dynamic-map dyn1 1 set ikev2 ipsec-proposal FirstSet
    hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
    hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
    hostname(config)# crypto map mymap interface outside
    hostname(config)# write memory

    The line:
    crypto dynamic-map dyn1 1 set reverse-route

    pushes the routes of the ASA to the client, such as the default route, causing the tunnel to "catch" the internet traffic that you don't want.
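On the ASA, what the first reply calls the ACL of interesting traffic is the group-policy's split-tunnel-network-list, applied with split-tunnel-policy tunnelspecified; the factory default, tunnelall, sends everything from the client, internet included, through the tunnel. The Python below is an added example, not from the thread or from Cisco: it audits a constructed running-config excerpt (policy and ACL names are made up) and flags group policies that would still carry all client traffic.

```python
import re

# Constructed sample ASA running-config (not from the page): TRAVEL_RA has the
# weak setting (everything tunnelled), STAFF_RA the corrected one.
SAMPLE_CONFIG = """\
access-list STAFF_NETS standard permit 10.10.0.0 255.255.0.0
access-list STAFF_NETS standard permit 192.168.50.0 255.255.255.0
group-policy TRAVEL_RA internal
group-policy TRAVEL_RA attributes
 split-tunnel-policy tunnelall
group-policy STAFF_RA internal
group-policy STAFF_RA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value STAFF_NETS
"""

def parse_group_policies(config):
    """Map group-policy name -> split-tunnel policy and ACL name. No
    split-tunnel-policy line means inherit DfltGrpPolicy (default tunnelall)."""
    policies, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", raw)
        if m:
            current = policies.setdefault(
                m.group(1), {"split_policy": "tunnelall", "acl": None})
            continue
        if current is None or not raw.startswith(" "):
            current = None  # left the attributes sub-mode
            continue
        line = raw.strip()
        if line.startswith("split-tunnel-policy "):
            current["split_policy"] = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            current["acl"] = line.split()[-1]
    return policies

def split_acl_entries(config, acl_name):
    """Count permit entries of the standard ACL used as the split list."""
    pat = re.compile(r"access-list %s standard permit " % re.escape(acl_name))
    return sum(1 for line in config.splitlines() if pat.match(line))

def full_tunnel_policies(config):
    """Policies that would carry client internet traffic through the tunnel."""
    flagged = []
    for name, attrs in sorted(parse_group_policies(config).items()):
        acl = attrs["acl"]
        if not (attrs["split_policy"] == "tunnelspecified" and acl
                and split_acl_entries(config, acl) > 0):
            flagged.append(name)
    return flagged
```

Run it against the output of `show running-config` to see which policies still tunnel everything; a policy set to tunnelspecified but pointing at a missing or empty ACL is flagged too, since it restricts nothing in practice.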

    Author Closing Comment

    It was a great help figuring out what I was missing!! THANKS