Is it possible to have 2 RA VPNs on an ASA5505

r_drogerson
Level 1

Hi there,

I am looking into setting up 2 remote access VPNs; one will have split tunnelling and the other won’t have split tunnelling configured. Other than that, both are identical.

Below is the config I’m planning to use:

ASA Version 8.3(1)
ip local pool VPNPOOL 192.168.20.1-192.168.20.254
object network obj-vpnpool
 subnet 192.168.XX.0 255.255.255.0
object network net_internal
 subnet 10.0.XX.0 255.255.255.0
nat (inside,any) source static net_internal net_internal destination static obj-vpnpool obj-vpnpool
access-list ravpn_ex extended permit ip 10.0.XX.0 255.255.255.0 192.168.XX.0 255.255.255.0 log
access-list ravpn_ex extended permit icmp 10.0.XX.0 255.255.255.0 192.168.XX.0 255.255.255.0 log
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
group-policy RA01-vpn internal
group-policy RA01-vpn attributes
 dns-server value XX.XX.XX.XX XX.XX.XX.XX
 vpn-idle-timeout 60
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ravpn_ex
tunnel-group RA01 type remote-access
tunnel-group RA01 general-attributes
 address-pool VPNPOOL
 default-group-policy RA01-vpn
tunnel-group RA01 ipsec-attributes
 pre-shared-key *****

TUNNEL TWO:

group-policy RA02-vpn internal
group-policy RA02-vpn attributes
 dns-server value XX.XX.XX.XX XX.XX.XX.XX
 vpn-idle-timeout 60
tunnel-group RA02 type remote-access
tunnel-group RA02 general-attributes
 address-pool VPNPOOL
 default-group-policy RA02-vpn
tunnel-group RA02 ipsec-attributes
 pre-shared-key *****

Can anyone confirm if this will work or if there is another way I can achieve the same outcome?

Regards

Dale

1 Accepted Solution

Keith McElroy
Level 1

It is absolutely possible. Right now I do this on an ASA 5540 with 4 different RA groups for different departments.
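
An added example, not part of the original posts and not Cisco tooling: a small Python audit that resolves each remote-access tunnel-group to its group-policy and reports the effective split-tunnel mode, which is the only difference between the two groups in the question. It assumes that attributes a group-policy leaves unset are inherited from DfltGrpPolicy, whose default is tunnelall; the function name and the sample text are constructed for illustration.

```python
import re
# Constructed sample: lines reduced from the question's config, flattened as in the forum paste.
SAMPLE = """\
access-list ravpn_ex extended permit ip 10.0.XX.0 255.255.255.0 192.168.XX.0 255.255.255.0 log
group-policy RA01-vpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ravpn_ex
tunnel-group RA01 type remote-access
tunnel-group RA01 general-attributes
default-group-policy RA01-vpn
group-policy RA02-vpn internal
tunnel-group RA02 type remote-access
tunnel-group RA02 general-attributes
default-group-policy RA02-vpn
"""
HEADER = re.compile(r"^(group-policy|tunnel-group)\s+(\S+)\s+(?:general-)?attributes$")

def audit_split_tunnel(config):
    """Map each remote-access tunnel-group to its effective split-tunnel mode.
    Assumption: unset attributes inherit from DfltGrpPolicy (default tunnelall)."""
    acls, ra, policies, groups, ctx = set(), set(), {}, {}, None
    for words in (line.split() for line in config.splitlines()):
        m = HEADER.match(" ".join(words))
        if m:  # sub-command section: following lines belong to this object
            store = policies if m.group(1) == "group-policy" else groups
            ctx = store.setdefault(m.group(2), {})
        elif words[:1] in (["group-policy"], ["tunnel-group"], ["access-list"]):
            ctx = None  # a new top-level command ends the section
            if words[0] == "access-list":
                acls.add(words[1])
            elif words[0] == "group-policy":
                policies.setdefault(words[1], {})
            elif words[2:4] == ["type", "remote-access"]:
                ra.add(words[1])
        elif ctx is not None and words[:1] in (["split-tunnel-policy"], ["default-group-policy"]):
            ctx[words[0]] = words[1]
        elif ctx is not None and words[:2] == ["split-tunnel-network-list", "value"]:
            ctx["acl"] = words[2]
    dflt, report = policies.get("DfltGrpPolicy", {}), {}
    for name in sorted(ra):
        gp = groups.get(name, {}).get("default-group-policy", "DfltGrpPolicy")
        pol, issues = policies.get(gp, {}), []
        mode = pol.get("split-tunnel-policy") or dflt.get("split-tunnel-policy", "tunnelall")
        acl = (pol.get("acl") or dflt.get("acl")) if mode != "tunnelall" else None
        if gp != "DfltGrpPolicy" and gp not in policies:
            issues.append(f"group-policy {gp} is not defined")
        if mode != "tunnelall" and acl not in acls:
            issues.append(f"split-tunnel ACL {acl} is not defined")
        report[name] = {"policy": gp, "mode": mode, "acl": acl, "issues": issues}
    return report
```

Run against the sample, RA01 resolves to tunnelspecified with ACL ravpn_ex and RA02 to tunnelall, so both groups can share one pool and one crypto map while differing only in group-policy.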

2 Replies

yiuyuenyan
Level 1

Hi there,

Can you tell me which VPN has split tunnelling and which one won't have split tunnelling?