
Cisco Anyconnect SSL VPN Setup Guide CLI

1. Create vpn pool


ip local pool anyconnectpool 172.16.20.1-172.16.20.10 mask 255.255.255.240

2. Create access-list for nonat/nat exempt and Split Tunneling


access-list nonat extended permit ip 10.10.20.0 255.255.255.0 172.16.20.0 255.255.255.240
access-list ANYCONNECT-SPLIT standard permit 10.10.20.0 255.255.255.0
access-list ANYCONNECT-SPLIT standard permit 67.214.125.0 255.255.255.0
access-list ANYCONNECT-SPLIT standard permit 10.0.0.0 255.0.0.0

3. Create Group Policy


group-policy anyconnect-policy internal
group-policy anyconnect-policy attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ANYCONNECT-SPLIT
 banner value Enter banner

4. Create Tunnel Group


tunnel-group HomeOfficeVPN type remote-access
tunnel-group HomeOfficeVPN general-attributes
 address-pool anyconnectpool
 default-group-policy anyconnect-policy
tunnel-group HomeOfficeVPN webvpn-attributes
 group-alias HomeOfficeVPN enable

5. Apply AnyConnect Image(s):


! The svc and tunnel-group-list commands are entered in webvpn configuration mode
webvpn
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
 svc enable
 tunnel-group-list enable

6. Add Windows NT login for AnyConnect users:


aaa-server windows protocol nt
aaa-server windows (inside) host <ip address of the server/domain controller>
 nt-auth-domain-controller <hostname of the server/domain controller>
tunnel-group HomeOfficeVPN general-attributes
 authentication-server-group windows
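
The steps above tie objects together by name (address pool, split-tunnel ACL, group policy, AAA server group), so a single misspelling breaks the chain. The following Python check is an added example, not part of the original guide: it reports every reference in a saved configuration that has no matching definition. The sample configuration, its misspelled policy name and the function name are constructed for illustration.

```python
import re

# Constructed sample using the guide's object names; default-group-policy is
# deliberately misspelled so the check has something to report.
SAMPLE_CONFIG = """\
ip local pool anyconnectpool 172.16.20.1-172.16.20.10 mask 255.255.255.240
access-list ANYCONNECT-SPLIT standard permit 10.10.20.0 255.255.255.0
group-policy anyconnect-policy internal
group-policy anyconnect-policy attributes
 split-tunnel-network-list value ANYCONNECT-SPLIT
aaa-server windows protocol nt
tunnel-group HomeOfficeVPN type remote-access
tunnel-group HomeOfficeVPN general-attributes
 address-pool anyconnectpool
 default-group-policy anyconect-policy
 authentication-server-group windows
"""

# Names the ASA predefines (no definition line appears in the config).
BUILTIN = {("group-policy", "DfltGrpPolicy"), ("aaa-server", "LOCAL")}
# Lines that define a named object: kind -> regex capturing the name.
DEFINITIONS = {
    "pool": re.compile(r"^ip local pool (\S+)"),
    "acl": re.compile(r"^access-list (\S+)"),
    "group-policy": re.compile(r"^group-policy (\S+) (?:internal|external)"),
    "aaa-server": re.compile(r"^aaa-server (\S+) protocol"),
}
# Lines that reference a named object; an "(ifname) " prefix is optional.
REFERENCES = [
    (re.compile(r"^address-pool (?:\(\S+\) )?(\S+)"), "pool"),
    (re.compile(r"^split-tunnel-network-list value (\S+)"), "acl"),
    (re.compile(r"^default-group-policy (\S+)"), "group-policy"),
    (re.compile(r"^authentication-server-group (?:\(\S+\) )?(\S+)"), "aaa-server"),
]

def find_dangling_references(config_text):
    """Return (line_no, kind, name) for each reference to an undefined object."""
    lines = [line.strip() for line in config_text.splitlines()]
    defined = BUILTIN | {(kind, m.group(1)) for line in lines
                         for kind, rx in DEFINITIONS.items() if (m := rx.match(line))}
    return [(no, kind, m.group(1)) for no, line in enumerate(lines, 1)
            for rx, kind in REFERENCES
            if (m := rx.match(line)) and (kind, m.group(1)) not in defined]

if __name__ == "__main__":
    for no, kind, name in find_dangling_references(SAMPLE_CONFIG):
        print(f"line {no}: {kind} '{name}' is referenced but never defined")
```

Run it against the text you intend to paste into the device; an empty result means every referenced pool, ACL, group policy and server group is defined.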
