ASA Dialup VPN Configuration

07 June 2014

This Cisco dialup VPN configuration worked on an ASA 5505 running version 8.4(7). Names in upper case are labels; change them to suit your own standards and taste. The IP addresses are examples only.

Network Object Mapping

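object network OBJ_VPN_ENDPOINT1
 subnet 10.175.0.0 255.255.128.0
 description OBJ_VPN_ENDPOINT1 is a label
object network VPN_DHCP_POOL1
 range 10.0.20.10 10.0.20.14
 description Network object for the VPN client pool range, referenced by the ACL and NAT rule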

DHCP Pool

ip local pool VPN_DHCP_POOL1 10.0.20.10-10.0.20.14

Access Control List

access-list ACL_SPLIT_TUNNEL standard permit 10.175.0.0 255.255.128.0
access-list OUTSIDE-INSIDE extended permit ip object VPN_DHCP_POOL1 object OBJ_VPN_ENDPOINT1

Network Address Translation

nat (outside,outside) source static VPN_DHCP_POOL1 VPN_DHCP_POOL1 destination static OBJ_VPN_ENDPOINT1 OBJ_VPN_ENDPOINT1 description NAT EXEMPTION FOR VPN CLIENT IPs TO VPN ENDPOINTS

Crypto Map

crypto dynamic-map DYN_CMAP_OUTSIDE 1 set ikev1 transform-set 3DES_SHA
crypto dynamic-map DYN_CMAP_OUTSIDE 1 set reverse-route
crypto map CMAP_OUTSIDE 99 ipsec-isakmp dynamic DYN_CMAP_OUTSIDE

Group Policy

group-policy GPOLICY_POLICY1 internal
group-policy GPOLICY_POLICY1 attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1 ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_SPLIT_TUNNEL

Tunnel Group

tunnel-group DIALUP_TUNNEL_GROUP type remote-access
tunnel-group DIALUP_TUNNEL_GROUP general-attributes
 address-pool VPN_DHCP_POOL1
 default-group-policy GPOLICY_POLICY1
tunnel-group DIALUP_TUNNEL_GROUP ipsec-attributes
 ikev1 pre-shared-key ********

Dialup Credentials

username USERNAME password INSECURE encrypted
username USERNAME attributes
 service-type remote-access