IKEv1 Remote Access VPN on Cisco ASA for Legacy VPN Client

Even after the release of Cisco AnyConnect Secure Mobility Client which supports SSL VPN in addition to IKEv2 remote-access IPSec VPN, still out there are number of people who use legacy Cisco VPN client to connect IKEv1 remote-access IPSec VPN.
In the present scenario, we have to configure IKEv1 remote access VPN for Sales department and Engineering department of a company. Engineering users will have to be provided with access to web server as well as FTP server, while sales users may only have access to the web server.

ip local pool RA_VPN_POOL mask
access-list IKE1_RA_VPN_SplitTunnelACL standard permit
access-list SALES_VPN_ACL extended permit tcp any host eq www
access-list SALES_VPN_ACL extended permit udp any host eq domain
access-list ENGR_VPN_ACL extended permit tcp any host eq www
access-list ENGR_VPN_ACL extended permit tcp any host eq ftp
access-list ENGR_VPN_ACL extended permit udp any host eq domain
tunnel-group IKE1_RA_VPN type remote-access
tunnel-group IKE1_RA_VPN general-attributes
 address-pool RA_VPN_POOL
tunnel-group IKE1_RA_VPN ipsec-attributes
 ikev1 pre-shared-key *****
crypto ipsec ikev1 transform-set ESP_AES_SHA esp-aes esp-sha-hmac
crypto dynamic-map IKE1_RA_VPN_DYNMAP 500 set pfs
crypto dynamic-map IKE1_RA_VPN_DYNMAP 500 set ikev1 transform-set ESP_AES_SHA
crypto map IKE1_RA_MAP 200 ipsec-isakmp dynamic IKE1_RA_VPN_DYNMAP
crypto map IKE1_RA_MAP interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
group-policy SALES_RA_IKE1_VPN_GRP_POLICY internal
group-policy SALES_RA_IKE1_VPN_GRP_POLICY attributes
 dns-server value
 vpn-filter value SALES_VPN_ACL
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IKE1_RA_VPN_SplitTunnelACL
 default-domain value pacificgroup.co.in
group-policy ENGR_RA_IKE1_VPN_GRP_POLICY internal
group-policy ENGR_RA_IKE1_VPN_GRP_POLICY attributes
 dns-server value
 vpn-filter value ENGR_VPN_ACL
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IKE1_RA_VPN_SplitTunnelACL
 default-domain value pacificgroup.co.in
username salesuser password uXUrGApVTzN8lH14 encrypted
username salesuser attributes
 vpn-group-policy SALES_RA_IKE1_VPN_GRP_POLICY
 service-type remote-access
username engruser password osgMkcb3N.VlT8/u encrypted
username engruser attributes
 vpn-group-policy ENGR_RA_IKE1_VPN_GRP_POLICY
 service-type remote-access
object network VPN_USERS

object network INSIDE_NETWORK

To Verify the connected users, use the following command.
ASA# sh vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username     : engruser       Index        : 2
Assigned IP  :     Public IP    :
Protocol     : IKEv1 IPsec   
License      : Other VPN
Encryption   : AES128         Hashing      : SHA1
Bytes Tx     : 3775           Bytes Rx     : 10230
Tunnel Group : IKE1_RA_VPN
Login Time   : 18:15:43 UTC Thu Jul 11 2013
Duration     : 0h:02m:52s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A             VLAN         : none

To manually disconnect remote access VPN users, following command can be used.
ASA# vpn-sessiondb logoff ra-ikev1-ipsec

ASA# vpn-sessiondb logoff index 4    
Do you want to logoff the VPN session(s)? [confirm]
INFO: Session with Index = 4 has been logged off

Jul 12 00:30:30 [IKEv1]Group = IKE1_RA_VPN, Username = engruser, IP =, Session is being torn down. Reason: Administrator Reset


Popular posts from this blog

Specifying SSH port in Ansible Inventory

Ansible-Playbook to display output of multiple show commands (using stdout_lines with Loop)

Filtering Routes in BGP using Route-maps and Prefix-list

Ansible Playbook for Network OS Upgrade with pre and post checks

Bypassing Proxy Server in Google Chrome

VMware NSX Traffic Flow — East-West & North-South

Export or Backup Azure Network Security Groups into CSV using PowerShell

Ansible-playbook for backing up running config of Cisco IOS