Cisco ASA Split-Tunnel VPN

This example applies to Cisco ASA/PIX versions 8.x through 9.x.

For this tutorial, we will assume that you already have the following:

  • WAN Address/Interface configured
  • LAN Address/Interface configured
  • Cisco ASA version 9.x with at least a Base License

If you do not have a configured ASA, you can follow my guide Cisco ASA Basic Setup and then come back.

This tutorial covers configuring an IKEv1 VPN tunnel; IKEv2 with certificates will be covered in another tutorial.

For my network, I will use 192.168.55.123 as my WAN address, and my internal LAN will be 10.10.10.0/24.

Need a Cisco ASA for studying? Buy one here - https://amzn.to/2JnBp6G

Configure Split-Tunnel VPN

1. First we create an IKE policy, which specifies the authentication method and the set of parameters used during negotiation, and then enable IKEv1 on the WAN interface.

ciscoasa# configure terminal
ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)# encryption aes-256
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# lifetime none
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# exit
ciscoasa(config)# crypto ikev1 enable outside

NOTE: For lifetime, we are setting it to none, meaning the IKE SA never expires. Optionally, you can set the lifetime in seconds, up to a maximum of 2147483647.

NOTE: For encryption, we use AES-256, the fastest and most secure option available in the policy.

2. Create an IP pool for your remote VPN clients to use. It should be completely different from both your internal LAN and the local LAN of the remote users, so there is no overlap when connecting.

ciscoasa(config)# ip local pool VPNPOOL 200.15.8.10-200.15.8.20 mask 255.255.255.0

NOTE: Size your VPN pool according to how many VPN users you will have.

3. Add the users that will connect to the VPN, with privilege level 0 so they only get VPN access.

ciscoasa(config)# username linuxman password linuxman privilege 0

4. Configure a transform set for IKEv1, which combines an encryption method with an authentication method to ensure data integrity.

ciscoasa(config)# crypto ipsec ikev1 transform-set TFS esp-aes-256 esp-sha-hmac

5. Create a tunnel group to hold the tunnel connection policies, address pool, group policy and other options.

For now, we create the tunnel-group with a type of remote-access and, under general-attributes, assign it the address pool we created in step 2.

ciscoasa(config)# tunnel-group SPLITTUNNEL type remote-access
ciscoasa(config)# tunnel-group SPLITTUNNEL general-attributes
ciscoasa(config-tunnel-general)# address-pool VPNPOOL
ciscoasa(config-tunnel-general)# exit

6. Now set the tunnel-group's ipsec-attributes with the pre-shared key we will use to authenticate the client connection.

When connecting a client, the pre-shared key must be identical to the one configured on the ASA, so make it a strong one!

ciscoasa(config)# tunnel-group SPLITTUNNEL ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx
ciscoasa(config-tunnel-ipsec)# exit

7. Let's create a dynamic crypto map that identifies the transform set we created back in step 4 for the connection.

ciscoasa(config)# crypto dynamic-map DYNMAP 1 set ikev1 transform-set TFS

8. Create a crypto map entry that tells the ASA to use the dynamic crypto map from step 7 to set up the IPsec security associations. Then apply the map to the WAN interface.

ciscoasa(config)# crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
ciscoasa(config)# crypto map CMAP interface outside

This should now allow you to connect to the VPN tunnel, but you will not yet be able to reach your internal resources. To allow that, we need an ACL for the VPN subnet, a NAT rule for traffic between the internal LAN and the VPN clients, and a group-policy that applies the ACL to the tunnel.

9. First, for simplicity, we create a standard ACL that permits the VPNPOOL subnet we created in step 2.

ciscoasa(config)# access-list SPLIT_TUNNEL standard permit 200.15.8.0 255.255.255.0

10. Next we create network objects that define our VPN subnet and our internal LAN subnet (if you don't have one already).

ciscoasa(config)# object network vpn
ciscoasa(config-network-object)# subnet 200.15.8.0 255.255.255.0
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network inside
ciscoasa(config-network-object)# subnet 10.10.10.0 255.255.255.0
ciscoasa(config-network-object)# exit

11. Now we create our group-policy and configure the split-tunnel policy and the list of networks allowed through the tunnel. That network list is the ACL we created in step 9 for our VPN pool.

ciscoasa(config)# group-policy DGP internal
ciscoasa(config)# group-policy DGP attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL
ciscoasa(config-group-policy)# exit

There are other options you can configure here, such as DHCP server, DNS servers and idle timeout, to your preference.

12. Assign the group-policy to our tunnel-group under general-attributes.

ciscoasa(config)# tunnel-group SPLITTUNNEL general-attributes
ciscoasa(config-tunnel-general)# default-group-policy DGP
ciscoasa(config-tunnel-general)# exit

13. Finally, we create the NAT rule for traffic between our internal LAN and our VPN clients (an identity NAT, so those addresses are left untranslated).

ciscoasa(config)# nat (inside,outside) source static inside inside destination static vpn vpn no-proxy-arp
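Steps 1 through 13 build a chain of named objects (pool, transform set, dynamic map, crypto map, ACL, group-policy) that only works if every name referenced is actually defined. As an added example, not from the original post, this Python snippet checks that chain over the commands as pasted from a terminal; its embedded sample is constructed from the tutorial and deliberately keeps a mistyped `access-pool` where `access-list` was meant, which the check reports.

```python
import re

# Constructed sample for this example: the ASA commands from the tutorial with
# their prompts left in, and a mistyped "access-pool" kept on purpose.
ASA_CONFIG = """
ciscoasa(config)# ip local pool VPNPOOL 200.15.8.10-200.15.8.20 mask 255.255.255.0
ciscoasa(config)# crypto ipsec ikev1 transform-set TFS esp-aes-256 esp-sha-hmac
ciscoasa(config)# tunnel-group SPLITTUNNEL general-attributes
ciscoasa(config-tunnel-general)# address-pool VPNPOOL
ciscoasa(config-tunnel-general)# default-group-policy DGP
ciscoasa(config)# crypto dynamic-map DYNMAP 1 set ikev1 transform-set TFS
ciscoasa(config)# crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
ciscoasa(config)# crypto map CMAP interface outside
ciscoasa(config)# access-pool SPLIT_TUNNEL standard permit 200.15.8.0 255.255.255.0
ciscoasa(config)# group-policy DGP internal
ciscoasa(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL
"""
# Commands that define a named object, and commands that refer to one by name.
DEFINES = [
    (r"^ip local pool (\S+)", "pool"),
    (r"^crypto ipsec ikev1 transform-set (\S+)", "transform-set"),
    (r"^crypto dynamic-map (\S+) \d+", "dynamic-map"),
    (r"^crypto map (\S+) \d+ ipsec-isakmp", "crypto-map"),
    (r"^access-list (\S+) standard", "acl"),
    (r"^group-policy (\S+) internal", "group-policy"),
]
REFERENCES = [
    (r"address-pool (\S+)", "pool"),
    (r"set ikev1 transform-set (\S+)", "transform-set"),
    (r"ipsec-isakmp dynamic (\S+)", "dynamic-map"),
    (r"^crypto map (\S+) interface", "crypto-map"),
    (r"split-tunnel-network-list value (\S+)", "acl"),
    (r"default-group-policy (\S+)", "group-policy"),
]

def strip_prompts(text):
    """Remove the 'ciscoasa(config...)# ' prompt from each pasted line."""
    return [re.sub(r"^\S*\(config[^)]*\)# ", "", line.strip())
            for line in text.splitlines() if line.strip()]

def dangling_references(text):
    """Return (kind, name) pairs that are referenced but never defined."""
    cmds = strip_prompts(text)
    defined = {(kind, m.group(1)) for cmd in cmds for pat, kind in DEFINES
               if (m := re.search(pat, cmd))}
    return [(kind, m.group(1)) for cmd in cmds for pat, kind in REFERENCES
            if (m := re.search(pat, cmd)) and (kind, m.group(1)) not in defined]

if __name__ == "__main__":
    print(dangling_references(ASA_CONFIG))  # [('acl', 'SPLIT_TUNNEL')]
```

Paste the output of `show running-config` in place of the sample to run the same check against a live box; an empty list means every referenced name resolves.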

Configure Shrew Soft VPN Client

1. Download the Shrew Soft VPN Client from the following site and install it on your client machine: Shrewsoft Download

NOTE: If you are using Linux, the Shrew Soft client is packaged as "ikeqt-gui", so you can install it with the following commands.

For Debian/Ubuntu:

sudo apt install ikeqt-gui

For CentOS/Fedora:

sudo yum install ikeqt-gui

2. Once installed, launch the program and create a new VPN connection.

Most settings can be left at their defaults, but change the following:

  • General Tab:
    • Host Name or IP Address: WAN IP Address, in our case 192.168.55.123.
  • Name Resolution Tab:
    • Enable DNS: optional; disable it if you don't need it.
  • Authentication Tab:
    • Local Identity Tab:
      • Identification Type: Set to Key Identifier, the value will be our Tunnel-Group name. In this case SPLITTUNNEL.
    • Credentials Tab:
      • Authentication Method: Set to Mutual PSK + XAuth.
      • Pre-Shared Key: Set the Pre-Shared key we gave our tunnel, 44kkaol59636jnfx.
  • Phase 1 Tab:
    • Exchange Type: aggressive
    • DH Exchange: Set this to the group we assigned our ikev1 policy, which is group 2.

3. Connect to the VPN connection using the username we created in step 3 of the ASA configuration.

Test Connectivity

1. Let's verify that we pulled an address by running ipconfig in a command prompt.

Ethernet adapter Local Area Connection* 12:

  Connection-specific DNS Suffix . :
  Link-local IPv6 Address . . . . . : fe80::f427:9ba2:9da7:4154%11
  IPv4 Address. . . . . . . . . . . : 200.15.8.10
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :

Notice that we don't get a default gateway on the VPN adapter.

2. Now let's run route print.

Active Routes:
Network Destination        Netmask        Gateway       Interface Metric
           0.0.0.0         0.0.0.0  192.168.212.1  192.168.212.38     35
    192.168.55.123 255.255.255.255  192.168.212.1  192.168.212.38     36
         127.0.0.0       255.0.0.0        On-link       127.0.0.1    331
         127.0.0.1 255.255.255.255        On-link       127.0.0.1    331
   127.255.255.255 255.255.255.255        On-link       127.0.0.1    331
        10.10.10.0   255.255.255.0        On-link     200.15.8.10     56
      10.10.10.255 255.255.255.255        On-link     200.15.8.10    311
     192.168.212.0   255.255.255.0        On-link  192.168.212.38    291
    192.168.212.38 255.255.255.255        On-link  192.168.212.38    291
   192.168.212.255 255.255.255.255        On-link  192.168.212.38    291
        200.15.8.0   255.255.255.0        On-link     200.15.8.10    311
       200.15.8.10 255.255.255.255        On-link     200.15.8.10    311
      200.15.8.255 255.255.255.255        On-link     200.15.8.10    311
         224.0.0.0       240.0.0.0        On-link       127.0.0.1    331
         224.0.0.0       240.0.0.0        On-link  192.168.212.38    291
         224.0.0.0       240.0.0.0        On-link     200.15.8.10    311
   255.255.255.255 255.255.255.255        On-link       127.0.0.1    331
   255.255.255.255 255.255.255.255        On-link  192.168.212.38    291
   255.255.255.255 255.255.255.255        On-link     200.15.8.10    311

Notice that the default route still points to our local gateway (metric 35), while the remote LAN 10.10.10.0/24 is reached over the VPN adapter at 200.15.8.10 (metric 56). Only traffic for the remote LAN enters the tunnel; everything else keeps using the local default gateway, which is exactly what split tunneling means.
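To see why the table above routes the way it does, here is an added example (not from the original post) that loads the relevant rows of the route print and applies the host's route selection rule: the longest matching prefix wins, and the metric only breaks ties. It also shows that the /32 host route for the ASA's WAN address 192.168.55.123 keeps the tunnel's own IKE/ESP packets on the physical interface; the internet address 198.51.100.7 is a constructed placeholder.

```python
import ipaddress

# Constructed sample: the rows from the 'route print' output above that matter
# for split tunneling (default route, host route to the ASA, remote LAN, local
# LAN and the VPN pool subnet).
ROUTE_PRINT = """
           0.0.0.0         0.0.0.0  192.168.212.1  192.168.212.38     35
    192.168.55.123 255.255.255.255  192.168.212.1  192.168.212.38     36
        10.10.10.0   255.255.255.0        On-link     200.15.8.10     56
     192.168.212.0   255.255.255.0        On-link  192.168.212.38    291
        200.15.8.0   255.255.255.0        On-link     200.15.8.10    311
"""

def parse_routes(text):
    """Turn route-print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip headers and blank lines
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, iface, int(metric)))
    return routes

def select_route(routes, destination):
    """Longest prefix wins; the metric is only a tie-breaker between equal prefixes."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r[0]]
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))

def egress_interface(routes, destination):
    """Interface address the host would send a packet for `destination` from."""
    return select_route(routes, destination)[2]

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for host in ("10.10.10.13", "192.168.55.123", "198.51.100.7"):
        net, gw, iface, metric = select_route(routes, host)
        print(f"{host:>15} -> {net} via {gw} on {iface} (metric {metric})")
```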

3. Lastly, let's ping a host on the remote LAN; I will ping my Linux server at 10.10.10.13.

Pinging 10.10.10.13 with 32 bytes of data:
Reply from 10.10.10.13: bytes=32 time=78ms TTL=64
Reply from 10.10.10.13: bytes=32 time=60ms TTL=64
Reply from 10.10.10.13: bytes=32 time=52ms TTL=64
Reply from 10.10.10.13: bytes=32 time=55ms TTL=64

Ping statistics for 10.10.10.13:
  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
  Minimum = 52ms, Maximum = 78ms, Average = 61ms

Here, notice that the round-trip time is quite high. Be aware that it is normal for a VPN connection to be somewhat slower.

You can view Cisco's full documentation on their website here: CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.8
