Post

Cisco ASA - Anyconnect Remote Access VPN

Posted
By Sena Perdiana 2 min read


AnyConnect Remote Access VPN is a secure virtual private network (VPN) solution developed by Cisco. It enables remote users to connect to a corporate network over the internet with strong encryption and authentication, ensuring data privacy and security.



Configuring Certificate

First, lets update the certificate on ASA using CA Signed Certificate.

On ASDM, go to Configuration » Device Management » Identity Certificates, select Enroll ASA SSL Certificate with Entrust

x


Select new

x


Give it a name, and click Generate Now

x


Fill in the details, then select Generate Request

x


After that we’ll get the CSR, copy the text and hit save

x


Go to the CA Server and sign the CSR

x


Then go back to ASDM and install the signed certificate

x


Don’t forget to also install the Root CA Certificate

x



Network Topology

Here’s the network topology for this VPN deployment

x



Configuring Any Connect Package

First, we need to prepare the Anyconnect software for the client to use.
Download the package from Cisco Software Center

x


Then on ASDM, go to Tools » File Management, upload the package to the disk0:, then close the window.

x



Configuring Anyconnect Remote Access VPN Wizard

Now we configure the VPN configuration, go to Wizards » VPN Wizards » Anyconnect VPN Wizard

x


Give the connection profile a name and select the outside interface

x


Select SSL Protocol and use the certificate created earlier

x


For client images, use the package uploaded earlier

x


Select local users and create the users that will connect to the VPN

x


Next create a pool of IP Address for the VPN clients

x


Provide the DNS Server for the VPN clients

x


Exempt the VPN traffic from NAT translations and select the inside subnet as the network that can be accessed by the VPN clients

x


Review the summary and click finish

x



Configuring Anyconnect Client Profile

On Configuration » Remote Access VPN » Anyconnect Client Profile, add new.
Give it a name and select the VPN Group Policy generated by the wizard

x


Select the profile and click edit, On VPN Establishment select AllowRemoteUsers

x


Thats pretty much it on the ASDM side. Save the configuration



Configuring Split Tunnel Access List

Last one, on CLI, create an access-list containing the inside segment that should be advertised to the VPN clients

1

access-list SPLIT_TUNNEL standard permit 63.0.0.0 255.255.255.0


Apply the access-list on the group policy attributes

1
2
3

group-policy GroupPolicy_helena_vpn attributes
 split-tunnel-policy tunnelspecified 
 split-tunnel-network-list value SPLIT_TUNNEL


That should wraps everything up



Connecting to VPN form the Client

On the client PC, access the FQDN / IP Address of the VPN Gateway on web browser, and login with the local user

x


The page to download the anyconnect client should show up. Click download and install the package

x


Run the client, fill in the VPN gateway

x


Select the group and input the local user, and hit OK

x


After a second we should be connected.
We’re able to ping the inside network, and on statistics we can see the details of the VPN connection

x


On Route Details, we can also see the advertised network that was set on the SPLIT_TUNNEL access-list

x


Going back to ASDM, on Monitor » VPN » Sessions, we can see the currently connected VPN clients

x


Security, Cisco Adaptive Security Appliance (ASA)
ASA
This post is licensed under CC BY 4.0 by the author.