The first step is to configure the ASA to Web-deploy the AnyConnect Client. Prior to version 8.0(2) it was necessary to configure WebVPN to listen on a different port to the ASDM client. This is no longer the case.
ciscoasa(config)# webvpn ciscoasa(config-webvpn)# port 443 ciscoasa(config-webvpn)# enable outside ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg ciscoasa(config-webvpn)# anyconnect enable ciscoasa(config-webvpn)# tunnel-group-list enable ciscoasa(config)# ip local pool POOL_vpn_client 10.10.10.64-10.10.10.96 mask 255.255.255.224
A Group Policy is a set of key/value pairs used to store user attributes which are applied to sets of user instead of individually. These polices can be held internally on the device or external on a RADIUS or LDAP server.
From below split tunnelling is worth explaining. From a security view point (and Cisco recommendation) split tunnelling should not be used, however in the interest of performance it is useful. Once the VPN tunnel is up and split tunnelling is enabled, an administrator can define which subnets the user will use the VPN tunnel to connect to. All other traffic will go via the users local gateway. In the example below, I want any packets destined to 10.10.30.0/24 to go via the tunnel, everything else via the users local default gateway. Without a split tunnel the VPN client would install a default route with a low metric forwarding packets to the tunnel endpoint located on the ASA.
ciscoasa(config)# access-list ACL_VPN_CLIENT_split_tunnel standard permit 10.10.30.0 255.255.255.0 ciscoasa(config)# group-policy GROUP_POLICY_vpn_client internal ciscoasa(config)# group-policy GROUP_POLICY_vpn_client attributes ciscoasa(config-group-policy)# dns-server value 126.96.36.199 ciscoasa(config-group-policy)# vpn-simultaneous-logins 25 ciscoasa(config-group-policy)# vpn-tunnel-protocol ssl-client ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified ciscoasa(config-group-policy)# split-tunnel-network-list value ACL_VPN_CLIENT_split_tunnel
A local user account will be created, with the attribute ‘service-type remote-access’ being set to deny management access.
We will leave the default Tunnel Groups (DefaultRAGroup and DefaultL2LGroup) and create our own (VPN) as an IPSec Remote Access (ipsec-ra) group, combining the various attributes and policies created in previous steps.
All being well, when connecting from a Windows 7 desktop you should be greeted with the following: