Cisco ASA5500 AnyConnect SSL VPN

(This method uses the ASA to hold the user database) Also see Update: Securing AnyConnect with Certificates

KB ID 0000069


Below is a walk through for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This was done via the ASDM console. The video was shot with ASA version 8.4(2) and ASDM 6.4(5) and the setup process is a lot less painful than it used to be.

The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult so I will leave that procedure below just in case 🙂

ASDM cannot be used on the normal port on the outside interface when using SSL VPN SSL VPN AnyConnect from within an RDP session is not supported (and fails – even with a /console switch). SSL (HTTPS ot TCP port 443) needs to be free (i.e. NOT port forwarded to a web server / exchange server etc).


For Older Versions of the ASA/ASDM

1. Open up the ADSM console. > Click Wizards >SSL VPN Wizard.

ssl vpn wizard

2. Select “Both Options”. > Next.

anyconnect and ssl

3. Enter a connection name > If you have a certificate already select it here or simply leave it on” -None-” and the ASA will generate an un trusted one. > Next.

vpn connection name

4. For this example we are going to use the ASA’s Local database to hold our user database (If you want to use RADIUS/Windows IAS select those options and follow the instructions (To set up IAS read my notes HERE) > Enter a username and Password.

local user database

5. Add. > Next.

add user

6. We are going to create a new policy in this case called SSL Users > Next.

ssl vpn policy

7. You can now add bookmarks (Links on the VPN portal page) > Manage > Add > Type in a name > Add. > OK.

vpn bookmarks

8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the web site > OK.

bookmark url cisco

9. Add > OK.

add hyperlink to vpn portal

10 OK.

vpn links

11 Next.

edit cisco bookmarks

12. Create an IP Pool (IP range to be leased to the VPN clients that is DIFFERENT to your LAN IP range) > New > enter a name, ip addresses, and the subnet mask > OK.

ssl vpn pool

13. Point the ASA to the Anyconnect client you want to use (Note you can upload a software image from your PC here as well) Next > Accept the warning about NAT Exemptions (Note if you do get a warning to add a NAT Exemption see the note at the end).

anyconnect client

14. Finish.

review and finish

15. Before It will work you need to Select Configuration > Remote Access VPN > Network (CLient) Access > AnyConnect Connection Profiles > . Double click the Connection profile you created earlier in step 3 > Enter a name in the Aliases section i.e. AnyConnect > OK. > Tick the box that says “Allow user to select connection profile by its alias………” > Apply.

anyconnect profile

16. File > Save running configuration to flash.

asdm save to flash

17. Connect externally to https://{public_IP} (Note this has to be in the browsers trusted site list) > Enter a username and password > Login.

vpn portal

18. You are now on the “Portal” site any bookmarks created above will be visible > Click the AnyConnect Tab.

portal bookmarks

19 Double click to launch AnyConnect.

launch anyconnect

20. The Anyconnect client will install if not used previously (User needs to be local admin) and connects.

NAT Exemptions: Note if you received a warning about needing to add the remote VPN pool as a NAT Exemption (After step 13) you will need to add the following lines to the ASA


access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}

nat (inside) 0 access-list {name}

Working example

access-list nonat extended permit ip

nat (inside) 0 access-list nonat

WARNING: Make sure the name matches any existing no NAT ACLs or your IPsec vpns will fail!

install anyconnect

Related Articles, References, Credits, or External Links

Cisco ASA 5500 AnyConnect Setup From Command Line

Cisco AnyConnect – Essentials / Premium Licences Explained

Originally written 09/11/09

Author: Migrated

Share This Post On