Monday, January 5, 2015

HOWTO: Basic Cisco ASA AnyConnect VPN 8.2(5)

A while back I posted a how-to for configuring AnyConnect in ASA version 8.3+.  I recently received a request to post the 8.2(5) configuration, so here it is.  The example below uses split tunneling and local authentication.  For RADIUS authentication, see this post.

Before beginning, verify you have the AnyConnect essentials license (without this license, only two simultaneous sessions are permitted).
asa# sh ver | inc AnyConnect
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : 25             perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual

The following steps configure an AnyConnect VPN between the VPN subnet and LAN subnet.

Step 1) Create ACL for split tunneling VPN traffic:
asa(config)# access-list SplitTunnelACL standard permit 

Step 2) Create IP pool for AnyConnect clients:
asa(config)# ip local pool AnyConnect-pool mask 

Step 3) Configure NAT exemption (nonat)
asa(config)# access-list nonat extended permit ip 
asa(config)# nat (inside) 0 access-list nonat

Step 4) Enable webvpn on the outside interface, configure the ASA to web-deploy the AnyConnect client, and enable AnyConnect:
asa(config)# webvpn 
asa(config-webvpn)# enable outside 
INFO: WebVPN and DTLS are enabled on 'outside'. 
asa(config-webvpn)# svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1 
asa(config-webvpn)# svc image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2 
asa(config-webvpn)# svc image disk0:/anyconnect-linux-64-3.1.05152-k9.pkg 3 
asa(config-webvpn)# svc image disk0:/anyconnect-linux-3.1.05152-k9.pkg 4 
asa(config-webvpn)# svc enable 
asa(config-webvpn)# exit 

Step 5) Configure a group-policy:
asa(config)# group-policy AnyConnect-policy internal 
asa(config)# group-policy AnyConnect-policy attributes 
asa(config-group-policy)#  dns-server value 
asa(config-group-policy)#  vpn-tunnel-protocol svc webvpn 
asa(config-group-policy)#  split-tunnel-policy tunnelspecified 
asa(config-group-policy)#  split-tunnel-network-list value SplitTunnelACL 
asa(config-group-policy)#  default-domain value cloud10solutions.local 
asa(config-group-policy)#  address-pools value AnyConnect-pool 
asa(config-group-policy)# exit 

Step 6) Apply address-pool and group-policy to tunnel-group (in this case, the DefaultWEBVPNGroup) 
asa(config)# tunnel-group DefaultWEBVPNGroup general-attributes 
asa(config-tunnel-general)# address-pool AnyConnect-pool 
asa(config-tunnel-general)# default-group-policy AnyConnect-policy 
asa(config-tunnel-general)# exit 

Step 7) If using local authentication, create local users for remote access:
asa(config)# username vpnuser password p@ssw0rd
asa(config)# username vpnuser attributes
asa(config-username)# service-type remote-access
asa(config-username)# exit

You should now be able to connect to your AnyConnect VPN:
asa# sh vpn-sessiondb 
VPN Session Summary 
                               Active : Cumulative : Peak Concur : Inactive 

AnyConnect Client            :      1 :          1 :           1 :        0 
  SSL/TLS/DTLS               :      1 :          1 :           1 :        0 
Total Active and Inactive    :      1             Total Cumulative :      1 
Device Total VPN Capacity    :     25 
Device Load                  :     4% 

Tunnels Summary 
                               Active : Cumulative : Peak Concurrent 
AnyConnect-Parent            :      1 :          1 :               1 
SSL-Tunnel                   :      1 :          1 :               1 
DTLS-Tunnel                  :      1 :          1 :               1 
Totals                       :      3 :          3 



  1. Good information. Could you please guide me where we configured Pre Login / Post Login Messages on ASDM. And do you have any suggestion/review about cloakvpn?

  2. Wille, I don't often use ASDM, but the following guide might help:

    I can't comment on that VPN service. I use VPNs to provide access to internal resources remotely. I do not have any experience with 3rd party VPN services that provide tunnels for the purpose of obscuring traffic from your ISP.

  3. Hi Matt. Your example is great! Thanks a lot. I tested it in my ASA 8.25 and it works perfect. FTP and HTTP traffic works fine but I can't ping or use RDP to reach nodes inside the LAN from my AnyConnect client computer. Can you please add some lines to your example to allow that kind of traffic?

    1. Thanks Emilio! I appreciate the feedback.

      It is possible to restrict the traffic that is permitted from the AnyConnect VPN subnet to the internal subnet. Normally you would use the vpn-filter parameter under the group-policy you want to restrict.

      However, in the above example, no traffic is being restricted. There is no vpn-filter. The split-tunnel-network-list parameter puts the route for in the routing table of the AnyConnect clients. The nonat ACL makes sure this traffic is not natted. Therefore, all traffic from to should flow unrestricted.

      Based upon what you describe, the most likely culprit is Windows Firewall. Check your Windows Firewall settings and report back.

  4. Yes, You are right.I closed the Windows firewall and I was able to ping my "inside" computer. I still can not access it trough RDP but is just because I'm running Windows 7 Home Premium and that Windows version have some restrictions using RDP.
    Again, thanks a lot for your time. People like you make the Internet much better and useful.
    Have a nice week!


  5. Nice Article. Worked the first time. Bravo!!!!