AnyConnect WebVPN configuration on Cisco ASA firewalls

by Ras 21. January 2012 17:20

Here is a sample AnyConnect VPN configuration for a Cisco ASA:

## Creating the certificate

ciscoasa(config)#crypto key generate rsa label sslvpnkeypair

ciscoasa(config)#crypto ca trustpoint localtrust
ciscoasa(config-ca-trustpoint)#enrollment self
ciscoasa(config-ca-trustpoint)#fqdn sslvpn.cisco.com
ciscoasa(config-ca-trustpoint)#subject-name CN=sslvpn.cisco.com
ciscoasa(config-ca-trustpoint)#keypair sslvpnkeypair
ciscoasa(config-ca-trustpoint)#exit
ciscoasa(config)#crypto ca enroll localtrust noconfirm

ciscoasa(config)#ssl trust-point localtrust outside

## Specify the AnyConnect image location

ciscoasa(config)#copy tftp://192.168.50.5/anyconnect-win-2.0.0343-k9.pkg flash

ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#svc enable

## IP address pool configuration

ciscoasa(config)#ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0

## Configuration of the policies

ciscoasa(config)#group-policy SSLCLientPolicy internal
ciscoasa(config)#group-policy SSLCLientPolicy attributes
ciscoasa(config-group-policy)#dns-server value 192.168.50.5
ciscoasa(config-group-policy)#vpn-tunnel-protocol svc
ciscoasa(config-group-policy)#default-domain value tsweb.local
ciscoasa(config-group-policy)#address-pools value SSLClientPool

## Allow VPN

ciscoasa(config)#sysopt connection permit-vpn

## Main tunnel configuration

ciscoasa(config)#tunnel-group SSLClientProfile type remote-access
ciscoasa(config)#tunnel-group SSLClientProfile general-attributes
ciscoasa(config-tunnel-general)#default-group-policy SSLCLientPolicy
ciscoasa(config)#tunnel-group SSLClientProfile webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-alias SSLVPNClient enable

## Assign the tunnel group to WebVPN

ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#tunnel-group-list enable

## ACLs and usernames

ciscoasa(config)#access-list no_nat extended permit ip host 192.168.50.5 192.168.25.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list no_nat

ciscoasa(config)#username ras password pswd
ciscoasa(config)#username ras attributes
ciscoasa(config-username)#service-type remote-access
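The sections above build one configuration whose pieces reference each other by name (trustpoint, group policy, address pool). As an added example that is not part of the original post, the Python below parses that configuration as it would appear in `show running-config` and flags dangling references plus settings worth a second look, such as the self-signed trustpoint; the sample text is constructed from the commands above (keeping the post's `SSLCLientPolicy` spelling), and the rest is assumption, not an ASA feature.

```python
import re

# Constructed sample: the post's commands as "show running-config" prints them
# (prompts stripped, sub-mode commands indented one space).
SAMPLE_CONFIG = """\
crypto ca trustpoint localtrust
 enrollment self
 keypair sslvpnkeypair
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
 tunnel-group-list enable
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
 vpn-tunnel-protocol svc
 address-pools value SSLClientPool
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
"""


def audit_anyconnect(config):
    """Return findings: dangling cross-references and settings worth a second look."""
    def names(pattern):
        # Sub-mode commands are indented, so patterns anchor on the leading space.
        return set(re.findall(pattern, config, re.M))

    findings = []
    trustpoints = names(r"^crypto ca trustpoint (\S+)")
    policies = names(r"^group-policy (\S+) internal")
    pools = names(r"^ip local pool (\S+)")
    for tp in names(r"^ssl trust-point (\S+)"):
        if tp not in trustpoints:
            findings.append(f"ssl trust-point {tp} names an undefined trustpoint")
    for pol in names(r"^ default-group-policy (\S+)"):
        if pol not in policies:
            findings.append(f"tunnel-group references undefined group-policy {pol}")
    for pool in names(r"^ address-pools value (\S+)"):
        if pool not in pools:
            findings.append(f"group-policy references undefined address pool {pool}")
    if re.search(r"^ enrollment self", config, re.M):
        findings.append("trustpoint is self-signed: clients cannot validate the gateway certificate")
    if not re.search(r"^ tunnel-group-list enable", config, re.M):
        findings.append("tunnel-group-list enable missing: group-alias not offered to clients")
    return findings
```

Run it against the output of `show running-config` before enabling WebVPN on the outside interface; a clean result still leaves the self-signed finding until a CA-issued certificate replaces the `enrollment self` trustpoint.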

Tags:

Cisco | Security

Comments (3) -

Prakash
Prakash India
2/16/2012 12:23:12 PM #

Excellent information. But in ASA842 command VPN configuration tried but

crypto isakmp enable outside

This command is not working...


rasoolg
rasoolg United States
2/19/2012 3:54:10 PM #

This config is for versions below 8.2. For 8.4 I will create a new post soon.


illian
illian United States
5/29/2012 2:28:19 AM #

The best vpn is vpn ninja, you can take it from www.vpnninja.com


About the author

Ras is a network/Security professional working on multiple areas with multiple certificates like CCNP, CCIP, CCSP, CCSA, CCSE, LPI, PM, IPv6, ..