The previous post shows you how to configure a basic IPsec Remote Access VPN using a Cisco IPsec VPN client with minimal configuration. This post is in continuation to the previous one, so do have a look at Part 1 which covers the basic configuration of an IPsec Remote Access VPN using the Cisco IPsec VPN Client.

Additional and optional configuration:-

1. vpn-filter

This allows you to manage what all network resources the clients are allowed to access once they are connected via the remote access VPN.

In the below example, the remote client IP is allowed to only access port 80 on the internal server via the VPN tunnel.

access-list vpnfilter extended permit tcp host 192.168.1.1 host 172.21.1.10 eq www log
!
group-policy ipsec_ra_policy attributes
 vpn-filter value vpnfilter

2. dns-server

This is the DNS server the clients will use for DNS queries.

group-policy ipsec_ra_policy attributes
 dns-server value 172.21.1.100 172.21.1.111

3. reverse-route

It injects a route for the remote client that is successfully connected to the firewall.

“The primary benefits of RRI are that it enables the routing of IPSec traffic to a specific VPN headend device in environments with multiple (redundant) VPN headend devices, and ensures predictable failover time of remote sessions between headend devices when using IKE keepalives”

– extract from cisco.com.

crypto dynamic-map dyn_map 65535 set reverse-route

ASA# show route
! output omitted for brevity
C 1.1.1.0 255.255.255.0 is directly connected, outside
 C 172.21.1.0 255.255.255.0 is directly connected, inside
 S 192.168.1.1 255.255.255.255 [1/0] via 1.1.1.2, outside
 S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, outside

Notice the route for 192.168.1.1. That is a remote client that has successfully connected to our gateway and with the reverse-route injection the ASA added a host route for that client. When the client disconnects, the route is removed from the routing table.

4. split-tunnel

Split-tunnel basically means telling the remote client to bifurcate and send the encrypted traffic across the tunnel and the clear-text traffic via it’s default-gateway. By default, split-tunnel is configured to tunnel all traffic through the VPN. This means that all traffic the user generates, including the ‘internet’ traffic will be routed across the VPN! You definitely don’t want this unless you want to scan all user traffic through an IPS or something in similar lines.

Under normal scenarios, you configure a split-tunnel which basically puts a route in the remote client specifying the destination to which the remote user will send the traffic through the tunnel (thus encrypting it). The traffic that doesn’t match that route will use the default-gateway configured on the remote client (unencrypted traffic).

Here are the options that you can use as per your requirement;

ASA(config-group-policy)# split-tunnel-policy ?
group-policy mode commands/options:
 excludespecified   Exclude only networks specified by split-tunnel-network-list
 tunnelall          Tunnel everything
 tunnelspecified    Tunnel only networks specified by split-tunnel-network-list

access-list split_tunnel_acl standard permit 172.21.1.0 255.255.255.0 
!
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl

5. group-lock

Group-lock is yet another interesting command. What it does is, it locks the group policy to a specific tunnel-group. So when a user is assigned a group-policy under its own attributes and that group-policy is locked to a tunnel-group, the user is restricted to connect to only that tunnel-group.

tunnel-group ipsec_ra_tunnel_1 type remote-access
tunnel-group ipsec_ra_tunnel_1 general-attributes
 address-pool client_pool
tunnel-group ipsec_ra_tunnel_1 ipsec-attributes
 ikev1 pre-shared-key c1sc01
!
group-policy ipsec_ra_policy_1 internal
group-policy ipsec_ra_policy_1 attributes
 dns-server value 172.21.1.100 172.21.1.111
 vpn-filter value vpnfilter1
 group-lock value ipsec_ra_tunnel_1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
!
username officeguy1 password strongpassword
username officeguy1 attributes
 vpn-group-policy ipsec_ra_policy_1

This can be used where it’s not feasible to distribute different .pcf files to hundreds of new users joining in or leaving the organization, maybe contractors. So you distribute a common .pcf file to the users which has information of all the tunnel-groups, but the user can only connect to the tunnel-group that has been locked to the group-policy assigned under the user’s attributes.

6. vpn-idle-timeout

This is pretty straight forward, the VPN session will be disconnected at the end of the idle-timeout value specified. The value is configured in minutes.

group-policy ipsec_ra_policy_1 attributes
 vpn-idle-timeout 5

7. vpn-access-hours

This is quite a useful one. You can restrict/allow the remote client’s access to the company network by specifying a time-range.

time-range ipsec_ra_access_hours
periodic weekdays 9:00 to 22:00
!
group-policy ipsec_ra_policy attributes
 vpn-access-hours value ipsec_ra_access_hours

TIP: The group-policy attributes can either be configured via the group level or per user level.