AnyConnect · ASA

Cisco ASA AnyConnect configuration

The first step is to configure the ASA to Web-deploy the AnyConnect Client. Prior to version 8.0(2) it was necessary to configure WebVPN to listen on a different port to the ASDM client. This is no longer the case.

 ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# port 443
ciscoasa(config-webvpn)# enable outside
ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg
ciscoasa(config-webvpn)# anyconnect enable
ciscoasa(config-webvpn)# tunnel-group-list enable
ciscoasa(config)# ip local pool POOL_vpn_client mask

A Group Policy is a set of key/value pairs used to store user attributes which are applied to sets of user instead of individually. These polices can be held internally on the device or external on a RADIUS or LDAP server.

From below split tunnelling is worth explaining. From a security view point (and Cisco recommendation) split tunnelling should not be used, however in the interest of performance it is useful. Once the VPN tunnel is up and split tunnelling is enabled, an administrator can define which subnets the user will use the VPN tunnel to connect to. All other traffic will go via the users local gateway. In the example below, I want any packets destined to to go via the tunnel, everything else via the users local default gateway. Without a split tunnel the VPN client would install a default route with a low metric forwarding packets to the tunnel endpoint located on the ASA.

 ciscoasa(config)# access-list ACL_VPN_CLIENT_split_tunnel standard permit
ciscoasa(config)# group-policy GROUP_POLICY_vpn_client internal
ciscoasa(config)# group-policy GROUP_POLICY_vpn_client attributes
ciscoasa(config-group-policy)# dns-server value
ciscoasa(config-group-policy)# vpn-simultaneous-logins 25
ciscoasa(config-group-policy)# vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value ACL_VPN_CLIENT_split_tunnel

A local user account will be created, with the attribute ‘service-type remote-access’ being set to deny management access.
We will leave the default Tunnel Groups (DefaultRAGroup and DefaultL2LGroup) and create our own (VPN) as an IPSec Remote Access (ipsec-ra) group, combining the various attributes and policies created in previous steps.

All being well, when connecting from a Windows 7 desktop you should be greeted with the following:



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s