Cisco Support Community
New Member

Help with remote access object-groups/split-tunneling commands

I'm tasked with designing a remote access solution through an ASA v8.0 and I started by creating a text file with configuration details like group-policy, tunnel-groups, crypto (the text file looks as if you typed show run). I'm tasked with only the remote access portion of the solution, not the full ACL, NAT statements.

Can someone please proof-read what I have so far? Attached is a basic net diagram that will be the completed project.

I have questions on the following:

1. What should the object-groups be if this firewall configured for remote-access?

2. How do I configure the split-tunneling portion?

3. Do I need more or less group-policies and tunnel-groups?

a. There is very little difference between the uservpn and engvpn groups

If anyone can help, I will be most appreciative. Keep in mind I'm still working on which commands to use so some of the config commands are missing.

BillyBob

2 REPLIES
New Member

Re: Help with remote access object-groups/split-tunneling commands

object-groups ?????
!
ip local pool uservpnpool 172.30.0.1-172.30.0.254 mask 255.255.255.0
ip local pool engvpnpool 172.30.1.1-172.30.1.254 mask 255.255.255.0
!
! ASA keyword is access-list (singular); the split-tunnel list is a standard ACL
access-list split_tunnel_list1 standard permit x.x.x.x 255.x.x.x
access-list split_tunnel_listx ????
access-list nonat extended permit ip any 192.168.x.x 255.255.255.x
access-list nonat extended permit ip any 192.168.x.x 255.255.255.x
access-list nonat extended permit ip any 192.168.252.0 255.255.255.0
access-list ?????
!
global (Airband) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 192.168.0.0 255.255.0.0
!
webvpn
 enable XO
 enable Airband
 svc image disk0:/anyconnect-win-2.2.pkg 1
 svc image disk0:/anyconnect-linux...pkg 2
 svc image disk0:/anyconnect-mac.....pkg 3
 svc enable
!
crypto isakmp policy 1 authentication pre-share
crypto isakmp policy 1 encryption aes-256
crypto isakmp policy 1 hash sha
crypto isakmp policy 1 group 2
crypto isakmp policy 1 lifetime 86400
crypto isakmp enable ISP1
crypto isakmp enable ISP2
! names are case-sensitive, so the transform-set is spelled the same way everywhere
crypto ipsec transform-set transform_set_nameX esp-aes-256 esp-sha-hmac
crypto dynamic-map dyn_map_nameX set transform-set transform_set_nameX
crypto dynamic-map dyn_map_nameX set pfs group2
crypto map map_nameX 65534 ipsec-isakmp dynamic dyn_map_nameX
crypto map map_nameX interface ISP2_interface
!
! username ???? (in a couple of weeks, I will add an ACS server and start using ldap authentication)
!
group-policy uservpn_policy1 internal
group-policy uservpn_policy1 attributes
 banner value xxxxxxxx
 banner value Authorized Persons Only!
 dns-server value 192.168.x.x 192.168.x.x
 ! this group uses the IPsec pre-shared-key tunnel-group below, so IPSec is the protocol
 vpn-tunnel-protocol IPSec
 vpn-idle-timeout 30
 vpn-session-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list1
 ! default-domain and split-dns are group-policy attributes, not webvpn sub-commands
 default-domain value domain_name
 split-dns value ????
!
group-policy engvpn_policy1 internal
group-policy engvpn_policy1 attributes
 banner value xxxxxxxxx
 banner value Authorized Persons Only!
 dns-server value 192.168.x.x 192.168.x.x
 vpn-tunnel-protocol IPSec
 vpn-idle-timeout 30
 vpn-session-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list1
 default-domain value domain_name
 split-dns value ??????
!
group-policy ssl_policy internal
group-policy ssl_policy attributes
 banner value xxxxxxxx
 banner value Authorized Persons Only!
 dns-server value 192.168.x.x 192.168.x.x
 ! svc is the AnyConnect client, webvpn is clientless; this group allows both
 vpn-tunnel-protocol svc webvpn
 vpn-idle-timeout 30
 vpn-session-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list1
 default-domain value domain_name
 webvpn
  ! url-list: haven't read the documentation yet
  svc keep-installer
  ! svc keepalive and svc rekey still need their interval / method arguments
  svc keepalive
  svc rekey
!
tunnel-group uservpn_tunnel type remote-access
tunnel-group uservpn_tunnel general-attributes
 address-pool uservpnpool
 default-group-policy uservpn_policy1
tunnel-group uservpn_tunnel webvpn-attributes
tunnel-group uservpn_tunnel ipsec-attributes
 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 360 retry 10
!
tunnel-group engvpn_tunnel type remote-access
tunnel-group engvpn_tunnel general-attributes
 address-pool engvpnpool
 default-group-policy engvpn_policy1
tunnel-group engvpn_tunnel webvpn-attributes
tunnel-group engvpn_tunnel ipsec-attributes
 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 360 retry 10
!
tunnel-group ssl_tunnel type remote-access
tunnel-group ssl_tunnel general-attributes
 address-pool engvpnpool
 default-group-policy ssl_policy
tunnel-group ssl_tunnel webvpn-attributes
tunnel-group ssl_tunnel ipsec-attributes
 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 360 retry 10
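The questions in the original post (object-groups, split tunneling, how many group-policies and tunnel-groups) all come down to whether the pieces of the draft above reference each other consistently: each tunnel-group must point at an existing pool and group-policy, each tunnelspecified group-policy must point at an existing split-tunnel ACL, and every network in that ACL needs a NAT exemption entry whose destination is the VPN pool, or the return traffic is translated and the tunnel does not work. As an added example that is not part of this thread and not Cisco's code, the Python below parses just those statements from a draft in this format and reports dangling references and missing exemptions. The sample config, its addresses and its two deliberate mistakes (an undefined split-tunnel ACL and a split network with no nonat entry) are constructed for the example.

```python
"""Cross-reference checks for a draft ASA remote-access configuration.

Parses the statements that have to agree with each other (pools, ACLs,
NAT exemption, group-policies, tunnel-groups) and reports dangling
references and split-tunnel networks with no NAT exemption to the pool.
"""
import ipaddress

# Constructed sample in the shape of the draft above; the addresses and the
# two deliberate mistakes are made up for this example.
SAMPLE_CONFIG = """\
ip local pool uservpnpool 172.30.0.1-172.30.0.254 mask 255.255.255.0
ip local pool engvpnpool 172.30.1.1-172.30.1.254 mask 255.255.255.0
access-list split_tunnel_list1 standard permit 192.168.10.0 255.255.255.0
access-list split_tunnel_list1 standard permit 192.168.20.0 255.255.255.0
access-list split_tunnel_list1 standard permit 192.168.252.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 172.30.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.252.0 255.255.255.0 172.30.0.0 255.255.255.0
nat (Inside) 0 access-list nonat
group-policy uservpn_policy1 internal
group-policy uservpn_policy1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list1
group-policy engvpn_policy1 internal
group-policy engvpn_policy1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list2
tunnel-group uservpn_tunnel type remote-access
tunnel-group uservpn_tunnel general-attributes
 address-pool uservpnpool
 default-group-policy uservpn_policy1
tunnel-group engvpn_tunnel type remote-access
tunnel-group engvpn_tunnel general-attributes
 address-pool engvpnpool
 default-group-policy engvpn_policy1
"""


def _operand(tokens, i):
    """Read one 'any' or 'address mask' operand; None stands for 'any'."""
    if tokens[i] == "any":
        return None, i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    cfg = {"pools": {}, "acls": {}, "policies": {}, "tunnel_groups": {}, "nonat": None}
    context = None  # (section, name) of the block whose sub-commands follow
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented sub-command of the current block
            if context:
                key, _, value = raw.strip().partition(" ")
                cfg[context[0]][context[1]][key] = value[6:] if value.startswith("value ") else value
            continue
        context = None
        t = raw.split()
        if t[:3] == ["ip", "local", "pool"]:
            start, end = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif t[0] == "access-list":
            acl = cfg["acls"].setdefault(t[1], {"type": t[2], "entries": []})
            if t[2] == "standard" and t[3] == "permit":
                acl["entries"].append(_operand(t, 4)[0])
            elif t[2] == "extended" and t[3:5] == ["permit", "ip"]:
                src, i = _operand(t, 5)
                acl["entries"].append((src, _operand(t, i)[0]))
        elif t[0] == "nat" and len(t) > 4 and t[3] == "access-list":
            cfg["nonat"] = t[4]  # nat (if) 0 access-list <name>: the exemption ACL
        elif t[0] == "group-policy":
            cfg["policies"].setdefault(t[1], {})
            if t[2] == "attributes":
                context = ("policies", t[1])
        elif t[0] == "tunnel-group":
            cfg["tunnel_groups"].setdefault(t[1], {})
            if t[2].endswith("-attributes"):
                context = ("tunnel_groups", t[1])
    return cfg


def _covers(net, start, end):
    """True when net (None meaning 'any') contains the whole start..end range."""
    return net is None or (start in net and end in net)


def check_config(cfg):
    findings = []
    for name, pol in cfg["policies"].items():
        if pol.get("split-tunnel-policy") == "tunnelspecified":
            acl = pol.get("split-tunnel-network-list")
            if acl is None:
                findings.append(f"group-policy {name}: tunnelspecified but no split-tunnel-network-list")
            elif acl not in cfg["acls"]:
                findings.append(f"group-policy {name}: split-tunnel ACL {acl} is not defined")
    nonat = cfg["acls"].get(cfg["nonat"], {"entries": []})["entries"]
    for name, tg in cfg["tunnel_groups"].items():
        pool, pol = tg.get("address-pool"), tg.get("default-group-policy")
        if pool not in cfg["pools"]:
            findings.append(f"tunnel-group {name}: address-pool {pool} is not defined")
        if pol not in cfg["policies"]:
            findings.append(f"tunnel-group {name}: default-group-policy {pol} is not defined")
        if pool not in cfg["pools"] or pol not in cfg["policies"]:
            continue
        start, end = cfg["pools"][pool]
        split_acl = cfg["policies"][pol].get("split-tunnel-network-list")
        for net in cfg["acls"].get(split_acl, {"entries": []})["entries"]:
            if start in net or end in net:  # pool addresses inside a split network
                findings.append(f"tunnel-group {name}: pool {pool} overlaps split-tunnel network {net}")
            # inside network -> pool must be exempt from NAT, or replies are translated
            if not any(_covers(s, net[0], net[-1]) and _covers(d, start, end) for s, d in nonat):
                findings.append(f"tunnel-group {name}: no NAT exemption from {net} to pool {pool}")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports the undefined split_tunnel_list2 and the 192.168.20.0/24 network that has no nonat entry; adding the missing ACL and exemption line brings the findings to zero. The point for the draft above is that the nonat entries must name the VPN pool as the destination, and each tunnelspecified group-policy only makes sense once its split-tunnel ACL actually exists.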

New Member

Re: Help with remote access object-groups/split-tunneling commands

bump
