PeteNetLive, Author: Pete Long
Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.
Also See: Cisco ASA AnyConnect VPN ‘Using ASDM’
This procedure was done on a Cisco ASA running post-8.4 code, so it uses all the newer NAT commands. I’m also going
to use self-signed certificates, so you will see this error when you attempt to connect.
Solution
1. The first job is to go and get the AnyConnect client package(s); download them from Cisco (with a current support
agreement). Then copy them onto the firewall via TFTP. If you are unsure how to do that, see the following article.
Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, and also create a network object that
covers that pool of addresses; we will use it later.
3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1
Petes-ASA(config-webvpn)# anyconnect enable
4. I’m going to create a LOCAL username and password; I suggest you do the same, then once you have proved
it’s working OK you can change the authentication method (see links below). I’m also going to create an ACL that
we will use for split-tunneling in a minute.
5. Create a group policy, change the values to match your DNS server(s), and domain name accordingly.
7. Then stop any traffic that is going to (or coming from) the remote clients from being NATed.
Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
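As an added sanity check (my own Python script, not part of this article and not a Cisco tool), the following audits a saved running-config for the cross-references this setup depends on: the address pool, the identity-NAT object that keeps VPN traffic from being NATed, the split-tunnel ACL, and the group policy and pool named by the tunnel-group. The embedded sample config is constructed from the lines above; the function name and REF_KINDS are my own.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of this article's final config. Feed the
# function the output of `show running-config` from your own ASA instead.
SAMPLE_CONFIG = """
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool ANYCONNECT-POOL
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
"""

# Sub-commands whose argument must name something defined elsewhere in the config.
REF_KINDS = ("split-tunnel-network-list value", "default-group-policy", "address-pool")

def audit_anyconnect_config(config: str) -> list:
    """Return findings (empty list = every reference resolves and the client pool
    is covered by an identity-NAT object, so VPN traffic is not NATed)."""
    pools, objects, acls, policies, exempt, refs, obj = {}, {}, set(), set(), set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"object network (\S+)", line):
            obj = m[1]  # the next 'subnet' line belongs to this object
        elif obj and (m := re.match(r"subnet (\S+) (\S+)", line)):
            objects[obj], obj = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), None
        elif m := re.match(r"access-list (\S+) standard", line):
            acls.add(m[1])
        elif m := re.match(r"group-policy (\S+) internal", line):
            policies.add(m[1])
        elif m := re.match(r"nat \(\S+\) .*destination static (\S+) \1(?:\s|$)", line):
            exempt.add(m[1])  # identity NAT: traffic to/from this object keeps its address
        elif m := re.match(rf"({'|'.join(REF_KINDS)}) (\S+)", line):
            refs.append((m[1], m[2]))
    defined = dict(zip(REF_KINDS, (acls, policies, pools)))
    findings = [f"{kind} {name}: not defined" for kind, name in refs
                if name not in defined[kind]]
    for name, (start, end) in pools.items():
        if not any(o in objects and start in objects[o] and end in objects[o] for o in exempt):
            findings.append(f"pool {name} is not covered by an identity-NAT object; "
                            "client traffic will be NATed")
    return findings
```

Run it against the article's config and it returns no findings; shrink the object subnet or misspell the ACL name in the group policy and it reports the mismatch before any client connects.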
Author: Migrated