Wednesday, April 30, 2014

HOWTO: Basic Cisco ASA AnyConnect VPN 8.3+

This is a brief how-to style guide for configuring an AnyConnect remote access VPN on an ASA running version 8.3(1) or greater.  The example below uses split tunneling and local authentication.  RADIUS authentication will be covered in a future post. (update: see here)

Before beginning, verify you have the AnyConnect essentials license (without this license, only two simultaneous sessions are permitted).
asa# sh ver | inc AnyConnect
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : 25             perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual

The following steps configure an AnyConnect VPN between the VPN subnet and LAN subnet.

Step 1) Create object for AnyConnect subnet:
asa(config)# object network ANYCONNECT-VPN-
asa(config-network-object)# subnet
asa(config-network-object)# exit 

Step 2) Create ACL for split tunneling VPN traffic:
asa(config)# access-list SplitTunnelACL standard permit

Step 3) Create IP pool for AnyConnect clients:
asa(config)# ip local pool AnyConnect-pool mask

Step 4) Configure NAT identity statement (8.3+ equivalent of nonat):
asa(config)# nat (inside,outside) source static INTERNAL-LAN- INTERNAL-LAN- destination static ANYCONNECT-VPN- ANYCONNECT-VPN-

The above NAT identity statement assumes your internal LAN network object is defined as follows.  Modify as necessary based upon your IP scheme.
object network INTERNAL-LAN-

Step 5) Enable webvpn on the outside interface, configure the ASA to web-deploy the AnyConnect client, and enable AnyConnect:
asa(config)# webvpn
asa(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
asa(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
asa(config-webvpn)# anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
asa(config-webvpn)# anyconnect image disk0:/anyconnect-linux-64-3.1.03103-k9.pkg 3
asa(config-webvpn)# anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 4
asa(config-webvpn)# anyconnect enable
asa(config-webvpn)# exit

Step 6) Configure a group-policy (change dns-server and default-domain accordingly):
asa(config)# group-policy AnyConnect-policy internal
asa(config)# group-policy AnyConnect-policy attributes
asa(config-group-policy)#  dns-server value
asa(config-group-policy)#  vpn-tunnel-protocol ssl-client
asa(config-group-policy)#  split-tunnel-policy tunnelspecified
asa(config-group-policy)#  split-tunnel-network-list value SplitTunnelACL
asa(config-group-policy)#  default-domain value cloud10solutions.local
asa(config-group-policy)#  address-pools value AnyConnect-pool
asa(config-group-policy)# exit

Step 7) Apply the address-pool and group-policy to a tunnel-group (in this case, the DefaultWEBVPNGroup):
asa(config)# tunnel-group DefaultWEBVPNGroup general-attributes
asa(config-tunnel-general)# address-pool AnyConnect-pool
asa(config-tunnel-general)# default-group-policy AnyConnect-policy
asa(config-tunnel-general)# exit

Step 8) If using local authentication, create local users for remote access:
asa(config)# username vpnuser password p@ssw0rd
asa(config)# username vpnuser attributes
asa(config-username)# service-type remote-access
asa(config-username)# exit
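All eight steps as one checked unit, as an added example that is not from the original post: a short Python script that validates the addressing first (pool inside the ANYCONNECT-VPN object, no overlap with the LAN, DNS server reachable through the split tunnel) and then renders the commands above from a parameter set. The addresses are constructed placeholders, since the post's own values did not survive, and the object names ANYCONNECT-VPN-<network> and INTERNAL-LAN-<network> are an assumption based on the truncated names shown in the steps.

```python
"""Render and sanity-check the eight configuration steps from the post.

Added example, not part of the original HOWTO. Every address here is a
constructed placeholder (the post's own values did not survive), and the
object names ANYCONNECT-VPN-<network> / INTERNAL-LAN-<network> are an
assumption based on the truncated names shown in the post.
"""
import ipaddress

# Constructed placeholder parameters; replace with your own addressing.
PARAMS = {
    "vpn_subnet": "10.10.10.0/24",     # object network ANYCONNECT-VPN-...
    "pool_start": "10.10.10.10",       # ip local pool AnyConnect-pool range
    "pool_end": "10.10.10.100",
    "lan_subnet": "192.168.1.0/24",    # object network INTERNAL-LAN-...
    "dns_server": "192.168.1.5",
    "default_domain": "cloud10solutions.local",
}


def validate(p):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    vpn = ipaddress.ip_network(p["vpn_subnet"], strict=True)
    lan = ipaddress.ip_network(p["lan_subnet"], strict=True)
    start = ipaddress.ip_address(p["pool_start"])
    end = ipaddress.ip_address(p["pool_end"])
    # Step 4 exempts LAN<->ANYCONNECT-VPN traffic from NAT, so every pool
    # address must fall inside that object or replies to clients get translated.
    if start not in vpn or end not in vpn:
        problems.append("ip local pool lies outside the ANYCONNECT-VPN subnet")
    if start > end:
        problems.append("pool start address is above pool end address")
    if start == vpn.network_address or end == vpn.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    # Split tunneling pushes a route for the LAN to the client; an overlapping
    # pool would send the client's own subnet back through the tunnel.
    if vpn.overlaps(lan):
        problems.append("ANYCONNECT-VPN subnet overlaps INTERNAL-LAN")
    # With tunnelspecified, only SplitTunnelACL networks go through the tunnel.
    if ipaddress.ip_address(p["dns_server"]) not in lan:
        problems.append("dns-server is outside SplitTunnelACL; DNS would bypass the tunnel")
    return problems


def render_config(p):
    """Emit the CLI of steps 1-8 as a list of lines, in the post's order."""
    vpn = ipaddress.ip_network(p["vpn_subnet"])
    lan = ipaddress.ip_network(p["lan_subnet"])
    vpn_obj = f"ANYCONNECT-VPN-{vpn.network_address}"
    lan_obj = f"INTERNAL-LAN-{lan.network_address}"
    return [
        # Step 1, plus the INTERNAL-LAN object that step 4 relies on
        f"object network {vpn_obj}",
        f" subnet {vpn.network_address} {vpn.netmask}",
        f"object network {lan_obj}",
        f" subnet {lan.network_address} {lan.netmask}",
        # Step 2
        f"access-list SplitTunnelACL standard permit {lan.network_address} {lan.netmask}",
        # Step 3
        f"ip local pool AnyConnect-pool {p['pool_start']}-{p['pool_end']} mask {vpn.netmask}",
        # Step 4: identity (twice) NAT, the 8.3+ form of the old nonat exemption
        f"nat (inside,outside) source static {lan_obj} {lan_obj} "
        f"destination static {vpn_obj} {vpn_obj}",
        # Step 5 (one client image shown; add the others the same way)
        "webvpn",
        " enable outside",
        " anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1",
        " anyconnect enable",
        # Step 6
        "group-policy AnyConnect-policy internal",
        "group-policy AnyConnect-policy attributes",
        f" dns-server value {p['dns_server']}",
        " vpn-tunnel-protocol ssl-client",
        " split-tunnel-policy tunnelspecified",
        " split-tunnel-network-list value SplitTunnelACL",
        f" default-domain value {p['default_domain']}",
        " address-pools value AnyConnect-pool",
        # Step 7
        "tunnel-group DefaultWEBVPNGroup general-attributes",
        " address-pool AnyConnect-pool",
        " default-group-policy AnyConnect-policy",
        # Step 8: the password line is left out on purpose; set it at the console
        # rather than storing it in a generated file. service-type remote-access
        # keeps the account usable for VPN only, not for device management.
        "username vpnuser attributes",
        " service-type remote-access",
    ]


if __name__ == "__main__":
    issues = validate(PARAMS)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(render_config(PARAMS)))
```

Run it with your own values in PARAMS; it refuses to print a configuration while any check fails, which catches the common mistake of a pool that does not sit inside the object used by the NAT exemption.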

You should now be able to connect to your AnyConnect VPN:
asa# sh vpn-sessiondb
VPN Session Summary
                               Active : Cumulative : Peak Concur : Inactive
AnyConnect Client            :      1 :          1 :           1 :        0
  SSL/TLS/DTLS               :      1 :          1 :           1 :        0
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :     25
Device Load                  :     4%

Tunnels Summary
                               Active : Cumulative : Peak Concurrent
AnyConnect-Parent            :      1 :          1 :               1
SSL-Tunnel                   :      1 :          1 :               1
DTLS-Tunnel                  :      1 :          1 :               1
Totals                       :      3 :          3



  1. Thank you for your post, I hope that can help me.

    1. Glad to help! Feel free to post any questions you might have.

  2. What exactly is the meaning of 'peak concurrent'? Is it possible, like, I have the base license of 2 and I have 50 users and still the peak concurrent shows 1?

    1. "Peak concurrent" indicates the most users that have been connected at once. If "peak concurrent" shows 1, that means no more than one user has been connected to the VPN at the same time.