Is it possible to have 2 RA VPNs on an ASA5505

Answered Question
Dec 12th, 2011

Hi there,

I am looking into setting up 2 remote access VPNs; one will have split tunnelling and the other won’t have split tunnelling configured. Other than that, both are identical.

Below is the config I’m planning to use:

ASA Version 8.3(1)
ip local pool VPNPOOL 192.168.20.1-192.168.20.254
object network obj-vpnpool
 subnet 192.168.XX.0 255.255.255.0
object network net_internal
 subnet 10.0.XX.0 255.255.255.0
nat (inside,any) source static net_internal net_internal destination static obj-vpnpool obj-vpnpool
access-list ravpn_ex extended permit ip 10.0.XX.0 255.255.255.0 192.168.XX.0 255.255.255.0 log
access-list ravpn_ex extended permit icmp 10.0.XX.0 255.255.255.0 192.168.XX.0 255.255.255.0 log
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
group-policy RA01-vpn internal
group-policy RA01-vpn attributes
 dns-server value XX.XX.XX.XX XX.XX.XX.XX
 vpn-idle-timeout 60
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ravpn_ex
tunnel-group RA01 type remote-access
tunnel-group RA01 general-attributes
 address-pool VPNPOOL
 default-group-policy RA01-vpn
tunnel-group RA01 ipsec-attributes
 pre-shared-key *****

TUNNEL TWO:

group-policy RA02-vpn internal
group-policy RA02-vpn attributes
 dns-server value XX.XX.XX.XX XX.XX.XX.XX
 vpn-idle-timeout 60
tunnel-group RA02 type remote-access
tunnel-group RA02 general-attributes
 address-pool VPNPOOL
 default-group-policy RA02-vpn
tunnel-group RA02 ipsec-attributes
 pre-shared-key *****

Can anyone confirm if this will work or if there is another way I can achieve the same outcome?

Regards

Dale

yiuyuenyan Mon, 12/12/2011 - 07:32

Hi there,

Can you tell me which VPN has split tunnelling and which one won't have split tunnelling?

Correct Answer
kmcelroy360 Wed, 12/14/2011 - 11:54

It is absolutely possible. Right now I do this on an ASA 5540 with 4 different RA groups for different departments.
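Added example (not part of the original thread, and not Cisco code): a small Python check that resolves each tunnel-group in a saved running-config to its default group-policy and reports the split-tunnel setting that group gets. It assumes the config is indented as `show running-config` prints it, and that a group-policy with no `split-tunnel-policy` line inherits `tunnelall` from an unmodified DfltGrpPolicy; the function name and sample text are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the two-group layout from the question.
SAMPLE_CONFIG = """\
group-policy RA01-vpn internal
group-policy RA01-vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ravpn_ex
group-policy RA02-vpn internal
group-policy RA02-vpn attributes
 vpn-idle-timeout 60
tunnel-group RA01 type remote-access
tunnel-group RA01 general-attributes
 address-pool VPNPOOL
 default-group-policy RA01-vpn
tunnel-group RA02 type remote-access
tunnel-group RA02 general-attributes
 default-group-policy RA02-vpn
"""

def split_tunnel_report(config, inherited="tunnelall"):
    """Map each tunnel-group to (group-policy, split-tunnel-policy, network-list)."""
    policies = {}   # group-policy name -> {"policy": ..., "acl": ...}
    groups = {}     # tunnel-group name -> default group-policy name
    section = None  # (kind, name) of the block that indented lines belong to
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level line opens a new section
            m = re.match(r"group-policy (\S+) attributes$", line)
            t = re.match(r"tunnel-group (\S+) general-attributes$", line)
            section = ("gp", m.group(1)) if m else ("tg", t.group(1)) if t else None
            continue
        if section is None:
            continue
        kind, name = section
        words = line.split()
        if kind == "gp" and words[0] == "split-tunnel-policy":
            policies.setdefault(name, {})["policy"] = words[1]
        elif kind == "gp" and words[:2] == ["split-tunnel-network-list", "value"]:
            policies.setdefault(name, {})["acl"] = words[2]
        elif kind == "tg" and words[0] == "default-group-policy":
            groups[name] = words[1]
    report = {}
    for tg, gp in groups.items():
        p = policies.get(gp, {})  # assumption: unset values come from DfltGrpPolicy
        report[tg] = (gp, p.get("policy", inherited), p.get("acl"))
    return report
```

On the sample, RA01 resolves to `tunnelspecified` with the `ravpn_ex` list and RA02 to the inherited `tunnelall`, which is the split between the two groups the question describes.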

This Discussion

Posted December 12, 2011 at 5:28 AM