KB ID 0000943
Problem
Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.
Also See Cisco ASA AnyConnect VPN ‘Using ASDM’
This procedure was done on a Cisco ASA running (post) version 8.4, so it uses the newer NAT commands. I’m also going to use self-signed certificates, so you will see a certificate warning when you attempt to connect.
Solution
1. The first job is to get the AnyConnect client package(s): download them from Cisco (this requires a current support agreement), then copy them onto the firewall via TFTP. If you are unsure how to do that, see the following article.
[box]
Petes-ASA(config)# copy tftp flash
Address or name of remote host [10.254.254.183]? 192.168.80.1
Source filename []? anyconnect-win-4.7.02036-webdeploy-k9.pkg
Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}
Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg .........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#
[/box]
2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, and also create a network object that covers that pool of addresses; we will use it later for the NAT exemption.
[box]
Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
[/box]
3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.
[box]
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1
Petes-ASA(config-webvpn)# anyconnect enable
[/box]
4. I’m going to create a LOCAL username and password; I suggest you do the same, then once you have proved it’s working OK you can change the authentication method (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.
[box]
Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
[/box]
5. Create a group policy, changing the values to match your DNS server(s) and domain name.
[box]
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com
[/box]
6. Create a matching tunnel-group that ties everything together.
[box]
Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable
[/box]
7. Then stop any traffic that is going to (or coming from) the remote clients from being NATed.
[box]
Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
[/box]
8. Save the changes.
[box]
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
[/box]
9. Give it a test from a remote client.
AnyConnect Commands to Copy and Paste
Simply change the values (address pool, network object, package name, username and password, split-tunnel ACL, DNS servers and domain name) to suit your environment:
[box]
!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
 enable outside
 tunnel-group-list enable
 anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
 anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.10 10.0.0.11
 wins-server none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
[/box]
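The steps above only work if the names line up: the image must actually be on disk0:, the tunnel-group must point at a pool, ACL and group-policy that exist, and the NAT exemption object must cover the whole client pool (otherwise the tunnel comes up but passes no traffic). As an added example (not part of the original article), this Python checker cross-references those objects in a pasted config. The sample config is constructed from the commands above, with the image name deliberately pointing at a different build than the package copied in step 1, so that it produces one finding.

```python
import ipaddress
import re

# Constructed sample: the article's commands, trimmed to what the checker reads.
# The image name intentionally differs from the package uploaded in step 1.
SAMPLE_CONFIG = """\
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
 anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool ANYCONNECT-POOL
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
"""
UPLOADED = ["anyconnect-win-4.7.02036-webdeploy-k9.pkg"]  # what step 1 copied to disk0:


def check_anyconnect_config(cfg, uploaded):
    """Cross-check the AnyConnect objects; returns a list of findings (empty = consistent)."""
    findings = []
    pools = {m[1]: (m[2], m[3]) for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}
    objects = {m[1]: ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
               for m in re.finditer(r"^object network (\S+)\n subnet (\S+) (\S+)", cfg, re.M)}
    acls = set(re.findall(r"^access-list (\S+) ", cfg, re.M))
    policies = set(re.findall(r"^group-policy (\S+) internal", cfg, re.M))
    # 1. The package the webvpn block loads must really be on flash.
    for img in re.findall(r"anyconnect image disk0:/(\S+)", cfg):
        if img not in uploaded:
            findings.append(f"anyconnect image {img} is not on disk0: (uploaded: {uploaded})")
    # 2. Every name the tunnel-group / group-policy references must be defined.
    refs = [("address-pool", pools), ("split-tunnel-network-list value", acls),
            ("default-group-policy", policies)]
    for keyword, defined in refs:
        for name in re.findall(rf"^ {keyword} (\S+)", cfg, re.M):
            if name not in defined:
                findings.append(f"{keyword} {name} refers to something that is not defined")
    # 3. A NAT-exemption destination object must contain both ends of every client pool.
    nat_objs = [n for pair in re.findall(r"destination static (\S+) (\S+)", cfg) for n in pair]
    for pool_name, (first, last) in pools.items():
        covered = any(n in objects and ipaddress.ip_address(first) in objects[n]
                      and ipaddress.ip_address(last) in objects[n] for n in nat_objs)
        if not covered:
            findings.append(f"no NAT exemption object covers pool {pool_name} ({first}-{last})")
    return findings


if __name__ == "__main__":
    print(check_anyconnect_config(SAMPLE_CONFIG, UPLOADED) or "config is consistent")
```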
Related Articles, References, Credits, or External Links
Cisco ASA AnyConnect VPN ‘Using ASDM’
AnyConnect: Allow ‘Local’ LAN Access
Cisco AnyConnect – Essentials / Premium Licences Explained
Cisco AnyConnect – PAT External VPN Pool To An Inside Address
AnyConnect (AAA) Authentication Methods
Kerberos Authentication (Cisco ASA)
LDAP Authentication (Cisco ASA)
RADIUS Authentication (Cisco ASA)