How to configure Cisco ASA 5500 for AnyConnect Client

So I was testing some things with the authentication on the ASA firewall and the AnyConnect client over the last few days, so I feel it is time to write things down a little.

First I discovered that we have the same problem with the Windows 7 firewall: Windows does not detect the interface, so the firewall does not recognize that we are part of the domain :-( Sad, very sad. But as I described here, there is a workaround, although it is not supported by Cisco in any way.
But anyhow, we have to move to the AnyConnect client to get VPN running with WWAN cards.

So let's begin with a basic setup: only local users, connecting to the ASA with the AnyConnect client.
No complex things, just connectivity. We will start here with the configuration.
In the next posts we will move on to the more complex things.

A Basic Configuration

Below you will find a more complete example to use for the configuration; be aware that the examples may be collapsed to save space. The commands use the ASA 8.2 syntax that matches AnyConnect 2.5; on ASA 8.4 and later, "svc image", "svc enable" and "vpn-tunnel-protocol svc" are spelled "anyconnect image", "anyconnect enable" and "vpn-tunnel-protocol ssl-client".

The AnyConnect Client

First you need the AnyConnect client package from the Cisco download website, either as a predeploy or as a web-install package for your platform. We will use Windows 7 (x64) on our new clients, so in the first step we will test the Windows packages.

Assuming we are using version 2.5.1025, the package is called anyconnect-win-2.5.1025-k9.pkg.

To install the package on the ASA, run the following on the CLI:

[sourcecode gutter="false"]
ASA# copy tftp://192.168.0.2/anyconnect-win-2.5.1025-k9.pkg flash:
Address or name of remote host [192.168.0.2]?
Source filename [anyconnect-win-2.5.1025-k9.pkg]?
Destination filename [anyconnect-win-2.5.1025-k9.pkg]?
Accessing tftp://192.168.0.2/anyconnect-win-2.5.1025-k9.pkg...!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.5.1025-k9.pkg...!!!!!!!!!!!
4436544 bytes copied in 37.750 secs (119906 bytes/sec)
ASA#
[/sourcecode]

Then make the package available to the WebVPN service:

[sourcecode gutter="false"]
ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# ! Order 1 plus the regex (matched against the browser's User-Agent string) lets the ASA serve the Windows package directly instead of trying each image in turn.
ASA(config-webvpn)# svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1 regex "Windows NT"
ASA(config-webvpn)# exit
ASA(config)# exit
ASA#
[/sourcecode]

The installation via the ASDM-IDM GUI is just as easy. 😉 Go to “Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Settings” and follow the pictures.

To install the predeploy package, run the MSI file; in my example it is anyconnect-win-2.5.1025-k9.msi.

The Cisco ASA Configuration

Enabling the WebVPN Service

Assuming we have named the interface pointing to the Internet “Outside”:

[sourcecode gutter="false"]
ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# enable Outside
ASA(config-webvpn)# svc enable
ASA(config-webvpn)# exit
ASA(config)# exit
ASA#
[/sourcecode]

AnyConnect Essentials

We are using the AnyConnect Essentials license only ;-) Think about whether that suits you: with anyconnect-essentials enabled, the ASA accepts only AnyConnect client sessions, and the clientless (browser portal) SSL VPN is disabled.

[sourcecode gutter="false"]
ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect-essentials
ASA(config-webvpn)# exit
ASA(config)# exit
ASA#
[/sourcecode]

Client IP Addresses

For the moment we use a local pool, and for testing 16 addresses are enough ;-)

[sourcecode gutter="false"]
ASA# configure terminal
ASA(config)# ip local pool SSLClientPool 10.2.9.240-10.2.9.255 mask 255.255.255.240
ASA(config)# exit
ASA#
[/sourcecode]

The client policy

[sourcecode gutter="false"]
ASA# configure terminal
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config-group-policy)# exit
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# banner value Welcome to the MyVPN Service
ASA(config-group-policy)# dns-server value 192.168.10.1
ASA(config-group-policy)# vpn-tunnel-protocol svc
ASA(config-group-policy)# default-domain value example.com
ASA(config-group-policy)# address-pools value SSLClientPool
ASA(config-group-policy)# exit
ASA(config)# exit
ASA#
[/sourcecode]

Create a tunnel group

Here we define the connection parameters.

[sourcecode gutter="false"]
ASA# configure terminal
ASA(config)# tunnel-group SSLClientProfile type remote-access
ASA(config)# tunnel-group SSLClientProfile general-attributes
ASA(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group SSLClientProfile webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA(config-tunnel-webvpn)# exit
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# exit
ASA#
[/sourcecode]

How to connect

Point a browser on the client at the Outside address of the ASA (https://<ASA Outside address>/). Because tunnel-group-list is enabled, the login page shows a group drop-down containing the alias SSLVPNClient; select it and log in with a local user, and the web-install package is pushed to the browser (this is where the "Windows NT" regex does its work). With the predeploy client already installed, enter the same address in the AnyConnect client and pick the SSLVPNClient group.
The complete code

[sourcecode collapse="true" gutter="false"]
webvpn
! Order 1 plus the regex (matched against the browser's User-Agent string) lets the ASA serve the Windows package directly instead of trying each image in turn.
svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1 regex "Windows NT"
enable Outside
svc enable
anyconnect-essentials
exit
!
ip local pool SSLClientPool 10.2.9.240-10.2.9.255 mask 255.255.255.240
!
group-policy SSLCLientPolicy internal
exit
!
group-policy SSLCLientPolicy attributes
banner value Welcome to the MyVPN Service
dns-server value 192.168.10.1
vpn-tunnel-protocol svc
default-domain value example.com
address-pools value SSLClientPool
exit
!
tunnel-group SSLClientProfile type remote-access
!
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
exit
!
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
exit
!
webvpn
tunnel-group-list enable
exit
!
[/sourcecode]
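As an added example (not part of the original post), here are the additions a practitioner would want on top of the complete configuration above before letting anyone connect: the basic setup relies on LOCAL authentication but never creates a user; decrypted VPN traffic bypasses the interface ACLs by default, so a connected client can reach every network behind the ASA; and the SSL service runs with the default self-signed certificate and cipher list. The commands use ASA 8.2 syntax and the object names from the post. The user name vpnuser and its placeholder password, the ACL name VPN-CLIENT-ACL and the trustpoint VPN-CERT are assumptions; VPN-CERT is assumed to already hold a CA-issued certificate for the Outside interface. Because the policy keeps tunnelall and the filter allows only DNS to 192.168.10.1 and HTTPS into 192.168.10.0/24, clients will have no Internet access through the tunnel; widen the ACL for production.

```text
! Added hardening for the basic AnyConnect setup (example, not from the original post).
! Assumes ASA 8.2 syntax, the names used above, and an existing trustpoint VPN-CERT.
!
! 1. Create the local user the LOCAL authentication depends on. privilege 0 and
!    service-type remote-access keep the account away from CLI/ASDM logins
!    (service-type is enforced only once "aaa authorization exec LOCAL" is on;
!    give your admin accounts service-type admin before enabling that).
!    The password below is a placeholder; choose a strong one.
username vpnuser password ChangeMeToAStrongPassphrase privilege 0
username vpnuser attributes
 service-type remote-access
 vpn-group-policy SSLCLientPolicy
exit
!
tunnel-group SSLClientProfile general-attributes
 authentication-server-group LOCAL
exit
!
! 2. "sysopt connection permit-vpn" is on by default, so decrypted VPN traffic
!    skips the Outside interface ACL. A vpn-filter on the group policy limits
!    what a client may reach. vpn-filter ACEs are written with the client-assigned
!    address (the pool) as the source and the internal resource as the destination.
access-list VPN-CLIENT-ACL extended permit udp 10.2.9.240 255.255.255.240 host 192.168.10.1 eq 53
access-list VPN-CLIENT-ACL extended permit tcp 10.2.9.240 255.255.255.240 192.168.10.0 255.255.255.0 eq 443
access-list VPN-CLIENT-ACL extended deny ip any any
!
group-policy SSLCLientPolicy attributes
 vpn-filter value VPN-CLIENT-ACL
 split-tunnel-policy tunnelall
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-session-timeout 480
exit
!
! 3. TLS: present a trusted certificate on Outside, refuse SSLv3 and weak ciphers.
!    The version keywords changed in later releases (9.3+ uses tlsv1.2 and
!    ssl cipher), so check the syntax for your version.
ssl server-version tlsv1-only
ssl encryption aes256-sha1 aes128-sha1
ssl trust-point VPN-CERT Outside
```

With vpn-simultaneous-logins set to 1, a second login with the same account kicks out the first session, which is what you want for a shared test account and usually for per-person accounts as well.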

If you feel this helps a bit, or maybe not? Please leave a comment.
