Cisco ASA AnyConnect SSL VPN

As promised, here is the summarised walkthrough for getting AnyConnect SSL VPN set up on an ASA as a quick copy/paste. Again, it's a convenient note to myself that saves me trawling around for Cisco's documentation. That said, the documentation for this particular config is exceptionally good, and this is shamelessly ripped from the Configuration Guide, simply reusing the important assumptions from the last RA VPN post I wrote.

Extra Assumptions from the last post:

  • You're using the latest (as of writing) AnyConnect SVC images, 2.3.0254.
  • Your edge device is called firewall and your internet domain name is mydomain.com 😉. Seriously though, the certificate FQDN you use in the config (firewall.mydomain.com) must resolve to the IP of the firewall interface you expect clients to connect to, or every client gets a name-mismatch warning to click through. Note also that the trustpoint below is self-enrolled (enrollment self), so clients will still warn that the certificate is untrusted until that self-signed certificate is imported into their trust store or replaced with one issued by a CA they already trust; a matching FQDN only removes the name-mismatch part of the warning.

crypto key generate rsa label sslvpnkeypair
crypto ca trustpoint localtrust
 enrollment self
 fqdn firewall.mydomain.com
 subject-name CN=firewall.mydomain.com
 keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
ssl trust-point localtrust outside
webvpn
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 2
 enable outside
 svc enable
ip local pool SSLClientPool 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
 dns-server value 192.168.0.3
 vpn-tunnel-protocol svc
 default-domain value internaldomain.local
 address-pools value SSLClientPool
sysopt connection permit-vpn
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
webvpn
 tunnel-group-list enable
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
username localvpnuser password 12345678 privilege 0
username localvpnuser attributes
 service-type remote-access
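Before pasting any of this, it is worth checking that the handful of names and addresses which must agree with each other actually do: ASA object names are case-sensitive, the client pool has to fall inside the no-NAT exemption, and the certificate served on outside has to come from the trustpoint you enrolled. The following is an added example, not code from the original post or from Cisco's guide: a small offline linter in Python that parses the fragment above (embedded as constructed sample input) and reports mismatches. It never talks to a firewall; the placeholder-password list and the wording of the findings are this example's own assumptions.

```python
# Offline cross-checks for an ASA AnyConnect (SVC) copy/paste fragment. Added
# example, not from the post or from Cisco's guide; it never talks to a firewall.
import ipaddress
import re

# The post's fragment, reproduced here as constructed sample input for the checks.
POST_CONFIG = """\
crypto key generate rsa label sslvpnkeypair
crypto ca trustpoint localtrust
enrollment self
fqdn firewall.mydomain.com
subject-name CN=firewall.mydomain.com
keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
ssl trust-point localtrust outside
webvpn
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 2
enable outside
svc enable
ip local pool SSLClientPool 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.0.3
vpn-tunnel-protocol svc
default-domain value internaldomain.local
address-pools value SSLClientPool
sysopt connection permit-vpn
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
webvpn
tunnel-group-list enable
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
username localvpnuser password 12345678 privilege 0
username localvpnuser attributes
service-type remote-access
"""

# Parent commands whose child lines carry the attributes we care about.
PARENT_RE = re.compile(r"^(?:crypto ca trustpoint (\S+)|group-policy (\S+) attributes"
                       r"|tunnel-group (\S+) (?:general|webvpn)-attributes)$")
KINDS = {1: "trustpoints", 2: "group_policies", 3: "tunnel_groups"}
TOP_LEVEL = ("crypto ", "ssl ", "webvpn", "ip ", "group-policy ", "sysopt ",
             "tunnel-group ", "access-list ", "username ")
PLACEHOLDER_PASSWORDS = {"12345678", "password", "cisco"}  # assumed list, extend as needed


def parse_asa_fragment(text):
    """Collect the objects the checks need. ASA accepts unindented child commands,
    so each one is attributed to the most recent parent block."""
    cfg = {"trustpoints": {}, "group_policies": {}, "tunnel_groups": {},
           "pools": {}, "users": {}, "nonat": [], "ssl_trustpoint": None}
    current = None  # (kind, name) of the block whose child commands follow
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(TOP_LEVEL):
            current = None
        if m := PARENT_RE.match(line):
            current = (KINDS[m.lastindex], m[m.lastindex])
            cfg[current[0]].setdefault(current[1], {})
        elif m := re.match(r"group-policy (\S+) internal", line):
            cfg["group_policies"].setdefault(m[1], {})
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"ssl trust-point (\S+)", line):
            cfg["ssl_trustpoint"] = m[1]
        elif m := re.match(r"access-list \S+ extended permit ip \S+ (\S+) (\S+)", line):
            cfg["nonat"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))  # no-NAT destination
        elif m := re.match(r"username (\S+) password (\S+)", line):
            cfg["users"][m[1]] = m[2]
        elif current:  # child command: "dns-server value x" -> {"dns-server": "x"}
            key, _, value = line.partition(" ")
            cfg[current[0]][current[1]][key] = value[6:] if value.startswith("value ") else value
    return cfg


def check_anyconnect_config(text):
    """Return human-readable findings; an empty list means the fragment is consistent."""
    cfg, out = parse_asa_fragment(text), []
    # 1. The outside interface must serve a defined trustpoint whose fqdn equals its
    #    subject CN, since that CN is what the client compares with the name it dialled.
    tp = cfg["ssl_trustpoint"]
    if tp not in cfg["trustpoints"]:
        out.append(f"ssl trust-point {tp!r} is not a defined trustpoint")
    else:
        cn = cfg["trustpoints"][tp].get("subject-name", "").replace("CN=", "", 1)
        if cfg["trustpoints"][tp].get("fqdn") != cn:
            out.append(f"trustpoint {tp}: fqdn and subject CN {cn!r} differ")
    # 2. Object names are case-sensitive: 'SSLClientPolicy' does not find 'SSLCLientPolicy'.
    for tg, attrs in cfg["tunnel_groups"].items():
        gp = attrs.get("default-group-policy")
        if gp and gp not in cfg["group_policies"]:
            out.append(f"tunnel-group {tg}: default-group-policy {gp!r} is not defined")
    # 3. Each address pool must exist and sit inside a network the no-NAT ACL exempts,
    #    or inside hosts' replies to VPN clients get translated and the tunnel breaks.
    for gp, attrs in cfg["group_policies"].items():
        pool = attrs.get("address-pools")
        if pool and pool not in cfg["pools"]:
            out.append(f"group-policy {gp}: address pool {pool!r} is not defined")
        elif pool and not any(cfg["pools"][pool][0] in n and cfg["pools"][pool][1] in n
                              for n in cfg["nonat"]):
            out.append(f"pool {pool} is outside every no-NAT network")
    # 4. Credentials copied verbatim from a blog post are not credentials.
    for user, pw in cfg["users"].items():
        if pw in PLACEHOLDER_PASSWORDS:
            out.append(f"username {user}: placeholder password {pw!r} still set")
    return out


if __name__ == "__main__":
    for finding in check_anyconnect_config(POST_CONFIG) or ["no findings"]:
        print(finding)
```

Run as-is it reports exactly one finding, the 12345678 placeholder password; change only one of the three SSLCLientPolicy spellings, or move the pool outside 192.168.0.8/29, and it reports the now-dangling reference before the ASA does.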

Hope this helps!
