
New Member

VPN Config Questions

Hello, I have a 5510 that I am trying to get VPN working on, and I am having problems. I can successfully establish a connection, for example using AnyConnect on an iPad or a laptop, but after connecting I can't seem to reach internal hosts. Once that is working, I also want to enable split tunneling. Could someone please take a look and let me know what I need to add or change?

Here is my running config at the moment:

ASA Version 9.1(3)

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted

ip local pool VPN_Pool mask

interface Ethernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Ethernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address

interface Ethernet0/2
 no nameif
 no security-level
 no ip address

interface Ethernet0/3
 no nameif
 no security-level
 no ip address

interface Management0/0
 description Management
 nameif management
 security-level 100
 ip address

ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network net-192.168.0
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

object network net-192.168.0
 nat (inside,outside) dynamic interface

nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http management
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=ciscoasa
 keypair key1
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
 certificate 57e9a552
    30820234 3082019d a0030201 02020457 e9a55230 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 301e170d 31333132 30393139 30323235
    5a170d32 33313230 37313930 3232355a 302c3111 300f0603 55040313 08636973
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b5 44acf762
    fddc6fd7 ade7b05d 7fc1fadf 35235f68 fa6d9008 172ef1bb 82e56bf0 e7f0e795
    5426bf34 f44cf648 52d94c68 8c6d862d 11a10323 cd083810 8426b1ce d9e881ce
    f00af2d0 9a0f65d6 8521cd3e 354bfec0 012c333f 059f0f47 0b2eba3d b746d05e
    05e0156a 981e125f d89167d2 5078bf84 4c04765a 0a1fea26 e28cf902 03010001
    a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04
    04030201 86301f06 03551d23 04183016 8014dcb1 017f3656 54a3a895 0698a6aa
    2e76aad7 9108301d 0603551d 0e041604 14dcb101 7f365654 a3a89506 98a6aa2e
    76aad791 08300d06 092a8648 86f70d01 01050500 03818100 51ec4061 48cc5c96
    c66421d7 a041a9dd 6b11e61b d2bb5fac f54b16ff 627f22e8 6c4a2e02 8f4c2c34
    14222a12 309ef05c 87fc09b0 abb1b17c 03140c50 6511fb3f afd5e792 a23ad6e1
    b43e1826 204c7ad1 2e520458 48bc9198 8c512806 102ebb2a a9569b7b 62e41afc
    a79ee2c7 1ccea212 4a486210 aedfba1b 1c3306ed ca9d81df
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
client-update enable
telnet inside
telnet management
telnet timeout 5
ssh inside
ssh management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd address management
dhcpd enable management

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.04074-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 2
 anyconnect profiles anyconnect_client_profile disk0:/anyconnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_anyconnect internal
group-policy GroupPolicy_anyconnect attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value
 webvpn
  anyconnect profiles value anyconnect_client_profile type user
username admin password KvX48a46hrlNTwvf encrypted privilege 15
username robr password nJixs.T/EUAomNvd encrypted privilege 15
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
 address-pool VPN_Pool
 default-group-policy GroupPolicy_anyconnect
tunnel-group anyconnect webvpn-attributes
 group-alias anyconnect enable

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

: end
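Added editorial check, not part of the thread: the posted running-config also carries several weak settings that are separate from the connectivity problem but visible above. The IKEv2 proposals and policies offer DES and 3DES, ESP integrity lists MD5, every IKEv2 policy negotiates only DH groups 5 and 2 (1536- and 1024-bit MODP), SSH key exchange is pinned to `dh-group1-sha1` (768-bit MODP), and Telnet is enabled on two interfaces. The script below is an assumed, constructed linter for a config text in this format; the embedded sample is a shortened copy of the lines above, with placeholder subnets for the `telnet`/`ssh` lines that the post redacted. It is not Cisco tooling and only knows the handful of commands it checks.

```python
"""Flag weak crypto and cleartext management settings in an ASA running-config.

Constructed example for the thread above; the rules encode well-known facts
(DES/3DES and MD5 are deprecated, DH groups 1/2/5 are below 2048 bits, Telnet
is cleartext) and nothing vendor-specific beyond the command syntax shown.
"""

# Shortened copy of the crypto and management lines from the posted config.
# The 192.168.0.0/24 on the telnet/ssh lines is a placeholder: the post left
# the real subnet out.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
"""

WEAK_ENCRYPTION = {"des", "3des"}      # 56-bit DES; 3DES has a 64-bit block (Sweet32)
WEAK_INTEGRITY = {"md5"}               # HMAC-MD5 is deprecated for IPsec
WEAK_DH_GROUPS = {"1", "2", "5"}       # 768/1024/1536-bit MODP; use 14 or ECDH (19/20)


def audit(config: str) -> list:
    """Return (top-level command, finding) pairs for each weak line found."""
    findings = []
    context = "(global)"
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            context = line  # indented sub-commands belong to this command
        words = line.split()
        if words[:3] == ["protocol", "esp", "encryption"] and set(words[3:]) & WEAK_ENCRYPTION:
            findings.append((context, f"ESP encryption {' '.join(words[3:])} is weak"))
        elif words[:3] == ["protocol", "esp", "integrity"] and set(words[3:]) & WEAK_INTEGRITY:
            findings.append((context, "ESP integrity offers md5"))
        elif words[0] == "encryption" and set(words[1:]) & WEAK_ENCRYPTION:
            findings.append((context, f"IKEv2 encryption {' '.join(words[1:])} is weak"))
        elif words[0] == "integrity" and set(words[1:]) & WEAK_INTEGRITY:
            findings.append((context, "IKEv2 integrity offers md5"))
        elif words[0] == "group" and set(words[1:]) & WEAK_DH_GROUPS:
            findings.append((context, f"IKEv2 DH group(s) {' '.join(words[1:])} are below group 14"))
        elif words[0] == "telnet" and words[1] != "timeout":
            findings.append((context, "Telnet is enabled; management sessions are cleartext"))
        elif words[:3] == ["ssh", "key-exchange", "group"] and words[3] == "dh-group1-sha1":
            findings.append((context, "SSH key exchange uses 768-bit DH group 1"))
    return findings


def weak_commands(config: str) -> list:
    """Distinct top-level commands that produced at least one finding, in config order."""
    seen = []
    for context, _ in audit(config):
        if context not in seen:
            seen.append(context)
    return seen


if __name__ == "__main__":
    for context, message in audit(SAMPLE_CONFIG):
        print(f"{context}: {message}")
```

Against the sample this reports ten findings spread over seven commands. On this ASA release the straightforward replacements are `protocol esp integrity sha-256` (dropping `md5`), removing the DES and 3DES proposals from the dynamic map and deleting IKEv2 policies 30 and 40, `group 14` in the remaining policies, `ssh key-exchange group dh-group14-sha1`, and `no telnet` for both interfaces once SSH is confirmed working.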

Super Bronze

Re: VPN Config Questions


First off, since you don't seem to be using your Management interface, I would remove its IP address, as it overlaps with the VPN Pool network.

Do this:

interface Management0/0
 no ip address

The problem with connectivity through the VPN is caused by a missing NAT configuration to enable the VPN Client and the LAN hosts to communicate.

You could add this configuration:

object network LAN

object network VPN-POOL

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

Essentially, the above NAT configuration tells the ASA to NOT perform any NAT when the traffic is between these 2 networks. The reason the same "object" is mentioned twice is that one specifies the real address and the other specifies the mapped address. Since we use the identical "object" in both positions, it naturally means the source and destination addresses/subnets stay unchanged.

Without the above configuration, the traffic from the VPN Client towards the LAN doesn't match anything, but the RPF check (reverse check for NAT) fails because it would match the Dynamic PAT you have configured for Internet traffic.

To change the VPN to Split Tunnel so that only traffic towards the LAN network is forwarded to the VPN and the rest uses the client's local Internet connection, do this:

access-list SPLIT-TUNNEL standard permit

group-policy GroupPolicy_anyconnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

Let me know how it goes.

Hope it helps.

- Jouni
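Added example, not part of the reply above: a small model of how the ASA orders NAT rules, which is the mechanism behind both the failure and the fix Jouni describes. The ASA consults NAT in three sections and takes the first match: section 1 is manual (twice) NAT without `after-auto`, section 2 is auto NAT (the `nat` line inside an `object network`), section 3 is manual NAT with `after-auto`. The reply's identity rule lands in section 1, ahead of the object NAT PAT, so LAN-to-pool traffic is left untranslated; without it the reverse direction that the RPF check examines would be PATed to the outside interface address. All addresses below are assumed (the post redacts its own), the `overlapping_interfaces` helper covers the reply's first point about the Management subnet, and within a section the model keeps configuration order rather than the ASA's specificity sort, which does not matter with one rule per section.

```python
"""Model of ASA NAT section ordering for the VPN-client <-> LAN case.

Constructed example for the reply above; addresses are placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.0.0/24")         # assumed: object network LAN
VPN_POOL = ip_network("192.168.50.0/24")   # assumed: object network VPN-POOL / ip local pool VPN_Pool
MGMT_NET = ip_network("192.168.50.0/24")   # assumed: Management0/0 subnet, overlapping the pool
OUTSIDE_IP = "203.0.113.10"                # assumed: address DHCP gave the outside interface
ANY = ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    section: int                      # 1 manual, 2 auto (object), 3 manual after-auto
    ifaces: tuple                     # (real interface, mapped interface)
    real_src: IPv4Network
    real_dst: Optional[IPv4Network]   # None: the rule does not match on destination
    action: str                       # "identity" (no change) or "pat" (to interface address)
    text: str                         # the CLI line this rule models


def first_match(rules, ingress, egress, src, dst):
    """First NAT rule matching a packet, honouring section order (sorted() is stable)."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.ifaces != (ingress, egress):
            continue
        if src not in rule.real_src:
            continue
        if rule.real_dst is not None and dst not in rule.real_dst:
            continue
        return rule
    return None


def original_rules():
    """The two NAT lines present in the posted running-config."""
    return [
        NatRule(2, ("inside", "outside"), LAN, None, "pat",
                "object network net-192.168.0 / nat (inside,outside) dynamic interface"),
        NatRule(3, ("inside", "outside"), ANY, None, "pat",
                "nat (inside,outside) after-auto source dynamic any interface"),
    ]


def fixed_rules():
    """Original rules plus the identity twice-NAT from the reply, which sits in section 1."""
    exempt = NatRule(1, ("inside", "outside"), LAN, VPN_POOL, "identity",
                     "nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL")
    return [exempt] + original_rules()


def source_after_nat(rules, src: str, dst: str) -> str:
    """Source address a LAN host's packet carries after inside->outside NAT."""
    rule = first_match(rules, "inside", "outside", ip_address(src), ip_address(dst))
    if rule is None or rule.action == "identity":
        return src
    return OUTSIDE_IP


def overlapping_interfaces(pool: IPv4Network, iface_nets: dict) -> list:
    """Interfaces whose subnet overlaps the VPN pool; any hit breaks routing to pool addresses."""
    return [name for name, net in iface_nets.items() if net.overlaps(pool)]


if __name__ == "__main__":
    lan_host, vpn_client, internet_host = "192.168.0.10", "192.168.50.5", "198.51.100.7"
    for label, rules in (("original", original_rules()), ("with exemption", fixed_rules())):
        print(f"{label}: LAN->VPN client leaves as {source_after_nat(rules, lan_host, vpn_client)}, "
              f"LAN->Internet leaves as {source_after_nat(rules, lan_host, internet_host)}")
    print("pool overlaps:", overlapping_interfaces(VPN_POOL, {"inside": LAN, "management": MGMT_NET}))
```

With the original rules the LAN host's traffic towards a pool address is rewritten to the outside interface address, which is why the ASA refuses the client's inbound flow; with the section 1 identity rule in place that traffic keeps its real address while Internet-bound traffic from the same host still hits the PAT.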

New Member

Re: VPN Config Questions

Thanks once again, Jouni! Your responses were accurate and very quick! It seems to be working as expected. I had forgotten about the NAT rules.

Super Bronze

Re: VPN Config Questions


Glad to hear it helped.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni
