Cisco ASA AnyConnect VPN ‘Using CLI’

KB ID 0000943

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.

Also See Cisco ASA AnyConnect VPN ‘Using ASDM’

This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect.

Solution

1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.

Install and Use a TFTP Server

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [10.254.254.183]? 192.168.80.1

Source filename []?anyconnect-win-4.7.02036-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}

Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#

[/box]

2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.

[box]

Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

[/box]

3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.

[box]

Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1 
Petes-ASA(config-webvpn)# anyconnect enable

[/box]

4. I’m going to create a LOCAL username and password, I suggest you do the same, then once you have proved it’s working OK, you can. change the authentication method, (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.

[box]

Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

[/box]

5. Create a group policy, change the values to match your DNS server(s), and domain name accordingly.

[box]

Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com

[/box]

6. Create a matching tunnel-group that ties everything together.

[box]

Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

[/box]

7. Then stop any traffic that is going to, (or coming from) the remote clients from being NATTED.

[box]

Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

8. Save the changes.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

9. Give it a test from a remote client.

AnyConnect Commands to Copy and Paste

Simply change the values shown in red;

[box]

!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA AnyConnect VPN ‘Using ASDM’

AnyConnect: Allow ‘Local’ LAN Access

Cisco AnyConnect – Essentials / Premium Licences Explained

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authenticaiton (Cisco ASA)

RADIUS Authentication(Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)