This post will describe how to setup a Cisco Adaptive Security Appliance (ASA) device to perform remote access SSL VPN with the stand-alone Cisco AnyConnect VPN client. I followed a few tutorials on the web (including a couple of examples from the Cisco website), but I failed to implement a complete solution. The following recipe has been thoroughly tested and verified.
Ingredients used for the recipe:
1. Copy AnyConnect package to the Cisco ASA device
2. Create an IP address pool
3. Enable and configure WebVPN
4. Create access-list entries that allow traffic between the inside and remote users and also an entry for the split tunnel
5. Verify sysopt command is enabled
6. Configure a group policy
7. Create a new user account
8. Configure a tunnel group
9. Configure PAT and enable NAT exemption for the VPN clients
Ingredients used for the recipe:
- Cisco 5500 Series ASA that runs software version 8.0(2)
- Cisco AnyConnect SSL VPN client version for Windows 2.3.0254
1. Copy AnyConnect package to the Cisco ASA device
ciscoasa# copy tftp flash
Address or name of remote host ? 192.168.100.30
Source filename ? anyconnect-win-2.3.0254-k9.pkg
Destination filename [anyconnect-win-2.3.0254-k9.pkg]?
2. Create an IP address pool
ciscoasa(config)# ip local pool VPNPOOL 192.168.20.1-192.168.20.100 mask 255.255.255.0
3. Enable and configure WebVPN
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside
ciscoasa(config-webvpn)# svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
ciscoasa(config-webvpn)# tunnel-group-list enable
ciscoasa(config-webvpn)# http redirect outside 80
ciscoasa(config-webvpn)# svc enable
4. Create access-list entries that allow traffic between the inside and remote users and also an entry for the split tunnel
ciscoasa(config)# access-list VPN-EXEMPT-NAT permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0
ciscoasa(config)# access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
5. Verify sysopt command is enabled
ciscoasa(config)# sysopt connection permit-vpn
6. Configure a group policy
ciscoasa(config)# group-policy CLIENTGROUP internal
ciscoasa(config)# group-policy CLIENTGROUP attributes
ciscoasa(config-group-policy)# dns-server value 192.168.100.10
ciscoasa(config-group-policy)# vpn-tunnel-protocol svc
ciscoasa(config-group-policy)# group-lock value SSLGROUP
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# svc keep-installer installed
ciscoasa(config-group-webvpn)# svc rekey time 30
ciscoasa(config-group-webvpn)# svc rekey method ssl
ciscoasa(config-group-webvpn)# svc ask none default svc
7. Create a new user account
ciscoasa(config)# username ssluser1 password ssluser1
8. Configure a tunnel group
ciscoasa(config)# tunnel-group SSLGROUP type remote-access
ciscoasa(config)# tunnel-group SSLGROUP general-attributes
ciscoasa(config-tunnel-general)# address-pool VPNPOOL
ciscoasa(config-tunnel-general)# default-group-policy CLIENTGROUP
ciscoasa(config-tunnel-general)# tunnel-group SSLGROUP webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias SSL-VPN enable
9. Configure PAT and enable NAT exemption for the VPN clients
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# nat (inside) 0 access-list VPN-EXEMPT-NAT
