Virtual private networks, and really VPN services of many types, are similar in function but different in setup. In a previous post (anyconnect ssl vpn) I briefly explained the general functionality of a new remote access vpn technology, the AnyConnect SSL client VPN. The Cisco AnyConnect VPN is supported on the new ASA 8.x software version and provides remote access to users with just a secure Web Browser (https). The AnyConnect client software supports Windows Vista, XP, 2000, MAC OS X and Linux. The client can either be preinstalled to remote user’s PC or it can be loaded to ASA flash and uploaded to remote user’s PC when they connect to the ASA. You have also the option to uninstall the client from the remote user when he/she disconnects from the ASA.

EDIT: My new ebook, “Cisco VPN Configuration Guide – By Harris Andrea” provides a comprehensive technical tutorial about all types of VPNs that you can configure on Cisco Routers and ASA Firewalls (including of course SSL Anyconnect or IPSEC Remote Access VPNs).

In this post I will explain the technical details to configure AnyConnect SSL VPN on Cisco ASA 5500. I assume that we use the AnyConnect client version 2.0 which will be stored on ASA flash and uploaded to remote user on demand. The same configuration applies for newer versions of AnyConnect. The remote users, after successful authentication, will receive an IP address from local ASA pool 192.168.100.1-50. The internal ASA network will use subnet range 192.168.5.0/24

Therefore, after the remote user successfully authenticates on Cisco ASA with the AnyConnect client, he will receive an IP address in the range 192.168.100.1 to 50 and he will be able to access resources in the internal LAN network 192.168.5.0/24.

Upload AnyConnect to ASA

The first step is to obtain the AnyConnect client software from the Cisco Software Download Website. You will need to download the appropriate software version according to the Operating System that your users have on their computers.

Assume the software vpn client file is “anyconnect-win-2.0.0343-k9.pkg”.

ASA(config)# copy tftp flash
Address or name of remote host ? 192.168.5.10
Source filename ? anyconnect-win-2.0.0343-k9.pkg
Destination filename [anyconnect-win-2.0.0343-k9.pkg]?

Accessing tftp://192.168.5.10/anyconnect-win-2.0.0343-k9.pkg…!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.0.0343-k9.pkg…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Configuring the Cisco ASA

! Specify the AnyConnect image to be downloaded by users
ASA(config)#webvpn
ASA(config-webvpn)#anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

! Enable AnyConnect access on the outside ASA interface
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#anyconnect enable
ASA(config-webvpn)#exit

! Create a local IP address pool to assign for remote users
ASA(config)# ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0

! Configure NAT exemption for traffic between internal LAN and remote users

For ASA Version prior to 8.3
ASA(config)#access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0

ASA(config)# nat (inside) 0 access-list NONAT

For ASA Version 8.3 and later

object network INSIDE-HOSTS
 subnet 192.168.5.0 255.255.255.0
 !
 object network VPN-HOSTS
 subnet 192.168.100.0 255.255.255.0
 !
 nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS  destination static VPN-HOSTS VPN-HOSTS

! Create usernames that will use the AnyConnect remote access only
ASA(config)#username userA password test123
ASA(config)#username userA attributes
ASA(config-username)# service-type remote-access

ASA(config)#username userB password test12345
ASA(config)#username userB attributes
ASA(config-username)# service-type remote-access

! Create a group policy with configuration parameters that should be applied to clients (there are two options available here according to the ASA version you are running)

OPTION 1
ASA(config)# group-policy SSLCLientPolicy internal

ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# vpn-tunnel-protocol svc
ASA(config-group-policy)# address-pools value SSLClientPool

OPTION 2
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# address-pools value SSLClientPool
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn))#vpn-tunnel-protocol svc

! Allow the AnyConnect traffic to bypass access lists
ASA(config)# sysopt connection permit-vpn

! Create tunnel group profile to define connection parameters
ASA(config)# tunnel-group SSLClientProfile type remote-access
ASA(config)# tunnel-group SSLClientProfile general-attributes
ASA(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA(config-tunnel-general)# tunnel-group SSLClientProfile webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA(config-tunnel-webvpn)# webvpn
ASA(config-webvpn)#tunnel-group-list enable

How to Connect

The user just needs to open a browser and go to https://[outside ASA IP]

The login screen is displayed as below example:

On “Group” field enter the name of the tunnel group SSLClientProfile or SSLVPNClient (group alias name).

On “Username” and “Password” field enter the user credentials (e.g UserA, test123)

Tagged with:

Filed under: Cisco ASA Configuration

Like this post? Subscribe to my RSS feed and get loads more!