
Cisco ASA: Anyconnect configuration

Technology: FIREWALLS

Area: VPN

Vendor: CISCO

Software: CISCO ADAPTIVE SECURITY APPLIANCE (ASA) , ASA-OS

Platform: CISCO ASA 5500, 5500-X

 

AnyConnect Secure Mobility Client is a user-friendly software application that builds a VPN tunnel to the VPN head end. By default AnyConnect uses SSL to encrypt packets (it can also use IKEv2/IPsec).

 

1. Anyconnect image definition:

webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.1.02011-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.1.02011-k9.pkg 2
anyconnect enable
tunnel-group-list enable

 

2. Local pool for IP addressing of AnyConnect clients:

ip local pool ACPOOL 172.19.0.1-172.19.0.254 mask 255.255.255.0

 

3. NAT exemption to exclude VPN traffic from translation (the network objects DC and AC are assumed to be defined elsewhere):

nat (inside,outside) source static DC DC destination static AC AC

 

4. Group policy definition for use in the tunnel-group:

group-policy admin internal
group-policy admin attributes
banner value Welcome!
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACSPLIT
default-domain value trecom.local
split-tunnel-all-dns disable
address-pools value ACPOOL
webvpn
anyconnect ask enable

 

5. Tunnel group definition:

tunnel-group admin type remote-access
tunnel-group admin general-attributes
default-group-policy admin
tunnel-group admin webvpn-attributes
group-alias admin enable
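Steps 2 to 5 above reference objects by name (ACPOOL, ACSPLIT, DC, AC, the group policy admin), and only some of those definitions appear in the article. A dangling reference, such as a split-tunnel ACL or NAT object that was never created, silently breaks the NAT exemption or split tunneling. The following script is an added example, not part of the article or of Cisco's tooling; it parses a constructed copy of this article's configuration and reports names that are referenced but never defined.

```python
import re

# Constructed sample: the configuration steps from this article, joined.
ASA_CONFIG = """
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.1.02011-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
ip local pool ACPOOL 172.19.0.1-172.19.0.254 mask 255.255.255.0
nat (inside,outside) source static DC DC destination static AC AC
group-policy admin internal
group-policy admin attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACSPLIT
 address-pools value ACPOOL
tunnel-group admin type remote-access
tunnel-group admin general-attributes
 default-group-policy admin
"""

# Lines that *define* an object of each kind (capture group = object name).
DEFINITIONS = {
    "pool": re.compile(r"^ip local pool (\S+)"),
    "acl": re.compile(r"^access-list (\S+) "),
    "object": re.compile(r"^object(?:-group)? network (\S+)"),
    "group-policy": re.compile(r"^group-policy (\S+) internal"),
}

# Lines that *reference* an object of the same kind (groups = names used).
REFERENCES = {
    "pool": re.compile(r"^\s*address-pools value (\S+)"),
    "acl": re.compile(r"^\s*split-tunnel-network-list value (\S+)"),
    "object": re.compile(r"^nat \(\S+\) source static (\S+) \S+ destination static (\S+) \S+"),
    "group-policy": re.compile(r"^\s*default-group-policy (\S+)"),
}


def dangling_references(config):
    """Return {kind: sorted names} that are referenced but never defined."""
    defined = {kind: set() for kind in DEFINITIONS}
    referenced = {kind: set() for kind in REFERENCES}
    for line in config.splitlines():
        for kind, rx in DEFINITIONS.items():
            match = rx.match(line)
            if match:
                defined[kind].add(match.group(1))
        for kind, rx in REFERENCES.items():
            match = rx.match(line)
            if match:
                referenced[kind].update(name for name in match.groups() if name)
    return {kind: sorted(referenced[kind] - defined[kind])
            for kind in REFERENCES if referenced[kind] - defined[kind]}
```

Run against the article's configuration it reports ACSPLIT and the NAT objects DC and AC as undefined, while ACPOOL and the admin group policy resolve.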

 

For quick troubleshooting:

GPD-FW-01# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : admin Index : 6
Assigned IP : 172.19.0.1 Public IP : 83.20.185.7
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
Bytes Tx : 12570 Bytes Rx : 882
Group Policy : admin Tunnel Group : admin
Login Time : 15:19:55 PL Tue Aug 2 2016
Duration : 0h:00m:07s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801010000600057a09dfb
Security Grp : none
GPD-FW-01#

 
Next

Recommended
training

Technology: Security, NG Firewalls

Level: Intermediate

Type: On site, Online

 

Newsletter