Cisco ASA AnyConnect VPN ‘Using ASDM’

KB ID 0000069

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Below is a walk-through for setting up a client-to-gateway VPN tunnel using a Cisco Firepower ASA appliance. This was done via the ASDM console. The video was shot with ASA version 9.13(1) and ASDM 7.13(1).

Suggestion: If you are setting this up for the first time, I would suggest setting it up to use the ASA’s LOCAL database for usernames and passwords, (as shown in the video). Then once you have it working, you can change the authentication (AAA) to your preferred method (see links at bottom of page).

The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult, so I will leave that procedure below just in case 🙂

Note: ASDM cannot be used on the normal port on the outside interface when using SSL VPN. SSL (HTTPS on TCP port 443) needs to be free (i.e. NOT port forwarded to a web server / Exchange server etc.) for this to work.

Solution

For Older Versions of the ASA/ASDM

1. Open up the ASDM console > Click Wizards > SSL VPN Wizard.


2. Select “Both Options”. > Next.


3. Enter a connection name > If you already have a certificate, select it here, or simply leave it on “-None-” and the ASA will generate an untrusted (self-signed) one > Next.


4. For this example we are going to use the ASA’s LOCAL database to hold our users (if you want to use RADIUS/Windows IAS, select those options and follow the instructions; to set up IAS read my notes HERE) > Enter a username and password.


5. Add. > Next.


6. We are going to create a new policy, in this case called SSL Users > Next.


7. You can now add bookmarks (links on the VPN portal page) > Manage > Add > Type in a name > Add > OK.


8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the website > OK.


9. Add > OK.


10. OK.


11. Next.


12. Create an IP pool (the IP range to be leased to the VPN clients, which must be DIFFERENT from your LAN IP range) > New > Enter a name, the IP address range, and the subnet mask > OK.


13. Point the ASA to the AnyConnect client image you want to use (note: you can upload a software image from your PC here as well) > Next > Accept the warning about NAT exemptions (note: if you do get a warning to add a NAT exemption, see the note at the end).


14. Finish.


15. Before it will work you need to select Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Double-click the connection profile you created earlier in step 3 > Enter a name in the Aliases section, i.e. AnyConnect > OK > Tick the box that says “Allow user to select connection profile by its alias...” > Apply.


16. File > Save running configuration to flash.


17. Connect externally to https://{public_IP} (note: this has to be in the browser’s trusted sites list) > Enter a username and password > Login.


18. You are now on the “Portal” site; any bookmarks created above will be visible > Click the AnyConnect tab.


19. Double-click to launch AnyConnect.


20. The AnyConnect client will install if it has not been used previously (the user needs to be a local admin) and then connects.

NAT Exemptions: If you received a warning about needing to add the remote VPN pool as a NAT exemption (after step 13), you will need to add the following lines to the ASA.

Syntax

access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}

nat (inside) 0 access-list {name}

Working example

access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0

nat (inside) 0 access-list nonat

WARNING: Make sure the ACL name matches any existing no-NAT ACL that is already bound to nat (inside) 0, or your IPsec VPNs will fail!
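As an added example (not part of the original article), a small Python helper that builds the NAT exemption lines above. It checks that the VPN pool does not overlap the LAN (step 12) and reuses whatever ACL name is already bound to nat (inside) 0, which is exactly the mistake the warning describes. The ASA config snippet and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample of an existing ASA config: an IPsec no-NAT ACL is already
# bound with "nat (inside) 0", so a new ACL with a different name would replace it.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)", re.M)


def existing_nonat_acl(config):
    """Return the ACL name already bound to 'nat (inside) 0', or None if there is none."""
    m = NAT0_RE.search(config)
    return m.group(1) if m else None


def nat_exemption_lines(config, lan, vpn_pool, default_name="nonat"):
    """Build the access-list (and, if needed, nat 0) lines for a LAN and AnyConnect pool.

    'lan' and 'vpn_pool' are CIDR strings; the ACL uses dotted netmasks as the ASA expects.
    """
    lan_net = ipaddress.ip_network(lan, strict=False)
    pool_net = ipaddress.ip_network(vpn_pool, strict=False)
    # Step 12: the pool must be a different range from the LAN behind the ASA.
    if lan_net.overlaps(pool_net):
        raise ValueError(f"VPN pool {pool_net} overlaps LAN {lan_net}; pick a different range")
    bound = existing_nonat_acl(config)
    name = bound or default_name
    lines = [
        f"access-list {name} extended permit ip "
        f"{lan_net.network_address} {lan_net.netmask} "
        f"{pool_net.network_address} {pool_net.netmask}"
    ]
    # Only bind nat 0 when nothing is bound yet; rebinding would drop the existing ACL.
    if bound is None:
        lines.append(f"nat (inside) 0 access-list {name}")
    return lines
```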


Related Articles, References, Credits, or External Links

Cisco ASA 5500 AnyConnect Setup From Command Line

Cisco AnyConnect – Essentials / Premium Licences Explained

Originally written 09/11/09

Author: Migrated
