https://community.cisco.com/t5/network-security/help-with-remote-access-object-groups-split-tunneling-commands/m-p/1237659#M875424 <HTML><HEAD></HEAD><BODY><P>object-groups ????? </P><P>! </P><P>ip local pool uservpnpool 172.30.0.1-172.30.0.254 mask 255.255.255.0 </P><P>ip local pool engvpnpool 172.30.1.1-172.30.1.254 mask 255.255.255.0 </P><P>! </P><P>access-lists split_tunnel_list1 standard permit x.x.x.x 255.x.x.x </P><P>access-lists split_tunnel_listx ???? </P><P>access-lists nonat extended permit ip any 192.168.x.x 255.255.255.x </P><P>access-lists nonat extended permit ip any 192.168.x.x 255.255.255.x </P><P>access-lists nonat extended permit ip any 192.168.252.0 255.255.255.0 </P><P>access-lists ????? </P><P>! </P><P>global (Airband) 1 interface </P><P>nat (Inside) 0 access-list nonat </P><P>nat (Inside) 1 192.168.0.0 255.255.0.0 </P><P>! </P><P>webvpn </P><P>enable XO </P><P>enable Airband </P><P>svc image disk0:/ anyconnect-win-2.2.pkg 1 </P><P>svc image disk0:/ anyconnect-linux...pkg2 </P><P>svc image disk0:/ anyconnect-mac.....pkg3 </P><P>svc enable </P><P>! </P><P>crypto isakmp policy 1 authentication pre-share </P><P>crypto isakmp policy 1 encryption aes-256 </P><P>crypto isakmp policy 1 hash sha </P><P>crypto isakmp policy 1 group 2 </P><P>crypto isakmp policy 1 lifetime 86400 </P><P>crypto isakmp enable ISP1 </P><P>crypto isakmp enable ISP2 </P><P>crypto ipsec transform-set transform_set_namex esp-aes-256 esp-sha-hmac </P><P>crypto dynamic-map dyn_map_nameX set transform-set transform_set_nameX </P><P>crypto dynamic-map dyn_map_nameX set pfs group2 </P><P>crypto map map_namex 65534 ipsec-isakmp dynamic dyn_map_nameX </P><P>crypto map map_namex interface ISP2_interface </P><P>! </P><P>username ???? (in a couple of weeks, I will add an ACS server and start using ldap authentication) </P><P>! </P><P>group-policy uservpn_policy1 internal </P><P>group-policy uservpn_policy1 attributes </P><P>banner value xxxxxxxx </P><P>banner value Autorized Persons Only! </P><P>dns-server value 192.168.x.x 192.168.x.x </P><P>vpn-tunnel-protocol webvpn </P><P>vpn-idle-timeout 30 </P><P>vpn-session-timeout 30 </P><P>split-tunnel-policy tunnelspecified </P><P>split-network-list value split_tunnel_list1 </P><P>default-domain value domain_name </P><P>webvpn </P><P>default-domain value domain_name </P><P>split-dns value ???? </P><P>! </P><P>group-policy engvpn_policy1 internal </P><P>group-policy engvpn_policy1 attributes </P><P>banner value xxxxxxxxx </P><P>banner value Autorized Persons Only! </P><P>dns-server value 192.168.x.x 192.168.x.x </P><P>vpn-tunnel-protocol webvpn </P><P>vpn-idle-timeout 30 </P><P>vpn-session-timeout 30 </P><P>split-tunnel-policy tunnelspecified </P><P>split-network-list value split_tunnel_list1 </P><P>default-domain value domain_name </P><P>webvpn </P><P>default-domain value domain_name </P><P>split-dns value ?????? </P><P>! </P><P>group-policy ssl_policy internal </P><P>group-policy ssl_policy attributes </P><P>banner value xxxxxxxx </P><P>banner value Autorized Persons Only! </P><P>dns-server value 192.168.x.x 192.168.x.x </P><P>vpn-tunnel-protocol webvpn </P><P>vpn-idle-timeout 30 </P><P>vpn-session-timeout 30 </P><P>split-tunnel-policy tunnelspecified </P><P>split-network-list value split_tunnel_list1 </P><P>default-domain value domain_name </P><P>webvpn </P><P>url-list havent read documentation yet </P><P>svc keep-installer </P><P>svc keepalive </P><P>svc rekey </P><P></P><P></P><P>! </P><P>tunnel-group uservpn_tunnel type remote-access </P><P>tunnel-group uservpn_tunnel general-attributes </P><P>address-pool uservpnpool </P><P>default-group-policy uservpn_policy1 </P><P>tunnel-group uservpn_tunnel webvpn-attributes </P><P>tunnel-group uservpn_tunnel ipsec-attributes </P><P>pre-shared-key XXXXXXXX </P><P>isakmp keepalive threshold 360 retry 10 </P><P>! </P><P>tunnel-group engvpn_tunnel type remote-access </P><P>tunnel-group engvpn_tunnel general-attributes </P><P>address-pool engvpnpool </P><P>default-group-policy engvpn_policy1 </P><P>tunnel-group engvpn_tunnel webvpn-attributes </P><P>tunnel-group engvpn_tunnel ipsec-attributes </P><P>pre-shared-key XXXXXXXX </P><P>isakmp keepalive threshold 360 retry 10 </P><P>! </P><P>tunnel-group ssl_tunnel type remote-access </P><P>tunnel-group ssl_tunnel general-attributes </P><P>address-pool engvpnpool </P><P>default-group-policy ssl_policy </P><P>tunnel-group ssl_tunnel webvpn-attributes </P><P>tunnel-group ssl_tunnel ipsec-attributes </P><P>pre-shared-key XXXXXXXX </P><P>isakmp keepalive threshold 360 retry 10</P><P></P><P></P></BODY></HTML> Tue, 03 Mar 2009 18:13:05 GMT billy_anonymous 2009-03-03T18:13:05Z https://community.cisco.com/t5/network-security/help-with-remote-access-object-groups-split-tunneling-commands/m-p/1237658#M875423 <P>I'm tasked with designing a remote access solution through an ASA v8.0 and I started by creating a text file with configuration details like group-policy, tunnel-groups, crypto (the text file looks as if you typed show run)â&#128;¦ I'm tasked with only the remote access portion of solution, not the full ACL, NAT statements. </P><P></P><P>Can someone please proof-read what I have so far? Attached is a basic net diagram that will be the completed project. </P><P></P><P>I have questions on the following: </P><P>1. What should the object-groups be if this firewall configured for remote-access? </P><P>2. How do I configure the split-tunneling portion? </P><P>3. Do I need more or less group-policies and tunnel-groups? </P><P>a. There is very little difference between the uservpn and engvpn groups </P><P></P><P>If anyone can help, I will be most appreciative. Keep in mind I'm still working on which commands to use so some of the config commands are missing. </P><P></P><P>BillyBob </P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 15:00:07 GMT https://community.cisco.com/t5/network-security/help-with-remote-access-object-groups-split-tunneling-commands/m-p/1237658#M875423 billy_anonymous 2019-03-11T15:00:07Z https://community.cisco.com/t5/network-security/help-with-remote-access-object-groups-split-tunneling-commands/m-p/1237659#M875424 <HTML><HEAD></HEAD><BODY><P>object-groups ????? </P><P>! </P><P>ip local pool uservpnpool 172.30.0.1-172.30.0.254 mask 255.255.255.0 </P><P>ip local pool engvpnpool 172.30.1.1-172.30.1.254 mask 255.255.255.0 </P><P>! </P><P>access-lists split_tunnel_list1 standard permit x.x.x.x 255.x.x.x </P><P>access-lists split_tunnel_listx ???? </P><P>access-lists nonat extended permit ip any 192.168.x.x 255.255.255.x </P><P>access-lists nonat extended permit ip any 192.168.x.x 255.255.255.x </P><P>access-lists nonat extended permit ip any 192.168.252.0 255.255.255.0 </P><P>access-lists ????? </P><P>! </P><P>global (Airband) 1 interface </P><P>nat (Inside) 0 access-list nonat </P><P>nat (Inside) 1 192.168.0.0 255.255.0.0 </P><P>! </P><P>webvpn </P><P>enable XO </P><P>enable Airband </P><P>svc image disk0:/ anyconnect-win-2.2.pkg 1 </P><P>svc image disk0:/ anyconnect-linux...pkg2 </P><P>svc image disk0:/ anyconnect-mac.....pkg3 </P><P>svc enable </P><P>! </P><P>crypto isakmp policy 1 authentication pre-share </P><P>crypto isakmp policy 1 encryption aes-256 </P><P>crypto isakmp policy 1 hash sha </P><P>crypto isakmp policy 1 group 2 </P><P>crypto isakmp policy 1 lifetime 86400 </P><P>crypto isakmp enable ISP1 </P><P>crypto isakmp enable ISP2 </P><P>crypto ipsec transform-set transform_set_namex esp-aes-256 esp-sha-hmac </P><P>crypto dynamic-map dyn_map_nameX set transform-set transform_set_nameX </P><P>crypto dynamic-map dyn_map_nameX set pfs group2 </P><P>crypto map map_namex 65534 ipsec-isakmp dynamic dyn_map_nameX </P><P>crypto map map_namex interface ISP2_interface </P><P>! </P><P>username ???? (in a couple of weeks, I will add an ACS server and start using ldap authentication) </P><P>! </P><P>group-policy uservpn_policy1 internal </P><P>group-policy uservpn_policy1 attributes </P><P>banner value xxxxxxxx </P><P>banner value Autorized Persons Only! </P><P>dns-server value 192.168.x.x 192.168.x.x </P><P>vpn-tunnel-protocol webvpn </P><P>vpn-idle-timeout 30 </P><P>vpn-session-timeout 30 </P><P>split-tunnel-policy tunnelspecified </P><P>split-network-list value split_tunnel_list1 </P><P>default-domain value domain_name </P><P>webvpn </P><P>default-domain value domain_name </P><P>split-dns value ???? </P><P>! </P><P>group-policy engvpn_policy1 internal </P><P>group-policy engvpn_policy1 attributes </P><P>banner value xxxxxxxxx </P><P>banner value Autorized Persons Only! </P><P>dns-server value 192.168.x.x 192.168.x.x </P><P>vpn-tunnel-protocol webvpn </P><P>vpn-idle-timeout 30 </P><P>vpn-session-timeout 30 </P><P>split-tunnel-policy tunnelspecified </P><P>split-network-list value split_tunnel_list1 </P><P>default-domain value domain_name </P><P>webvpn </P><P>default-domain value domain_name </P><P>split-dns value ?????? </P><P>! </P><P>group-policy ssl_policy internal </P><P>group-policy ssl_policy attributes </P><P>banner value xxxxxxxx </P><P>banner value Autorized Persons Only! </P><P>dns-server value 192.168.x.x 192.168.x.x </P><P>vpn-tunnel-protocol webvpn </P><P>vpn-idle-timeout 30 </P><P>vpn-session-timeout 30 </P><P>split-tunnel-policy tunnelspecified </P><P>split-network-list value split_tunnel_list1 </P><P>default-domain value domain_name </P><P>webvpn </P><P>url-list havent read documentation yet </P><P>svc keep-installer </P><P>svc keepalive </P><P>svc rekey </P><P></P><P></P><P>! </P><P>tunnel-group uservpn_tunnel type remote-access </P><P>tunnel-group uservpn_tunnel general-attributes </P><P>address-pool uservpnpool </P><P>default-group-policy uservpn_policy1 </P><P>tunnel-group uservpn_tunnel webvpn-attributes </P><P>tunnel-group uservpn_tunnel ipsec-attributes </P><P>pre-shared-key XXXXXXXX </P><P>isakmp keepalive threshold 360 retry 10 </P><P>! </P><P>tunnel-group engvpn_tunnel type remote-access </P><P>tunnel-group engvpn_tunnel general-attributes </P><P>address-pool engvpnpool </P><P>default-group-policy engvpn_policy1 </P><P>tunnel-group engvpn_tunnel webvpn-attributes </P><P>tunnel-group engvpn_tunnel ipsec-attributes </P><P>pre-shared-key XXXXXXXX </P><P>isakmp keepalive threshold 360 retry 10 </P><P>! </P><P>tunnel-group ssl_tunnel type remote-access </P><P>tunnel-group ssl_tunnel general-attributes </P><P>address-pool engvpnpool </P><P>default-group-policy ssl_policy </P><P>tunnel-group ssl_tunnel webvpn-attributes </P><P>tunnel-group ssl_tunnel ipsec-attributes </P><P>pre-shared-key XXXXXXXX </P><P>isakmp keepalive threshold 360 retry 10</P><P></P><P></P></BODY></HTML> Tue, 03 Mar 2009 18:13:05 GMT https://community.cisco.com/t5/network-security/help-with-remote-access-object-groups-split-tunneling-commands/m-p/1237659#M875424 billy_anonymous 2009-03-03T18:13:05Z https://community.cisco.com/t5/network-security/help-with-remote-access-object-groups-split-tunneling-commands/m-p/1237660#M875426 <HTML><HEAD></HEAD><BODY><P>bump</P></BODY></HTML> Wed, 04 Mar 2009 14:29:51 GMT https://community.cisco.com/t5/network-security/help-with-remote-access-object-groups-split-tunneling-commands/m-p/1237660#M875426 billy_anonymous 2009-03-04T14:29:51Z