How to Configure AnyConnect Client VPN on Cisco ASA 5505

This is certainly not the first article written about a “Quick Guide to Setting Up a VPN with Cisco Devices,” but we still hope this guide serves as a one-stop resource for ASA 5505 users looking to configure VPN and internet connectivity.

The ASA comes with a setup wizard, but it doesn鈥檛 cover every aspect of the work required, and some steps are explained rather vaguely, leaving users confused. In practice, the process can be broken down into four steps: setting up SSL authentication, configuring the VPN, setting the correct NAT rules, and finally, enabling split-tunneling if needed. SSL authentication allows users to access internal corporate network resources from the internet through an encrypted tunnel. In the following walkthrough, a self-signed certificate is used for testing; in a production environment, you should obtain an SSL certificate from a third-party certification authority. VPN configuration is relatively straightforward. We鈥檒l then dive into the details of what the wizard covers and the configuration steps. The final step allows users to access both internal and external network resources simultaneously. The configuration steps below are based on a lab environment that can connect to both internal and external networks, features a DMZ, and has Cisco ASDM and CLI installed.

Setting Up SSL Certificates

Click the Configuration button at the top and select Remote Access VPN

Click Certificate Management and then click Identity Certificates

Click Add and then select Add a new identity certificate.

Click New and enter a name for the new VPN (e.g., VPN)

Click Generate Now.

You need to enter the FQDN (Fully Qualified Domain Name), for example, CN=vpn.domain.com, and then click OK.

Check Generate Self Signed Certificate and then click Add Certificate.

Click OK.

Setting Up AnyConnect Remote Access VPN:

Click Wizards and go to the VPN Wizard interface

Check AnyConnect SSL VPN Client (AnyConnect VPN Client)

Choose a connection name (e.g., VPN)

Ensure the Outside interface is selected

In the certificate dropdown menu, select the certificate we just created.

Note the address for client VPN access (e.g., ip.add.re.ss:444)

Click Next

You can use local database users (create a few users yourself) or use LDAP information (such as your Active Directory users)

Click Next

Create a new policy and give it a name (e.g., AnyConnect), then click Next

Click New to create an address pool for users. Be careful not to use the same subnet as the internal network. For example, if the internal network uses 192.168.100.0/24, the VPN address pool could use 192.168.104.0/24. If you only want 20 IP addresses in the pool, you can set the start IP to 192.168.104.20 and the end IP to 192.168.104.40.

Select the newly created address pool from the dropdown menu. If the internal network does not use IPv6, you can ignore the IPv6 address pool settings.

As for the AnyConnect image, you can browse your local files or log into the Cisco website with a SMARTnet account to download and upload it here.

Click Finish. You can also click Apply first to save the settings.

Creating NAT Exemption Rules (Using CLI for Speed)

Connect to the firewall鈥檚 CLI

Enter the following commands in configuration mode:

access-list NAT-EXEMPT extended permit ip 192.168.100.0 255.255.255.0 192.168.104.0 255.255.255.0

tunnel-group VPN general-attributes

address-pool AnyConnect (This is the name of the address pool we created earlier)

Now you can connect to the internal network environment via VPN. However, users may encounter restrictions when accessing the internet. So next, we will configure split-tunneling to allow these VPN users to access the internet. If extreme security is required, do not configure split-tunnel. This is a trade-off between usability and security鈥攅veryone can weigh the pros and cons before deciding. After all, VPN users certainly don鈥檛 want to have to disconnect from the VPN just to look something up on Google or check their personal email.

Configuring Split-Tunnel:

Go back to the ASDM interface, click Configure, then Remote Access VPN, then Network Access. Select Group Policies.

Click the group policy we created in the wizard, then select Edit.

Expand Advanced and then click Split Tunneling

Uncheck Inherit Policy and select Tunnel Network List Below from the dropdown menu

Uncheck Network List and then click Manage

Click Add and then Add ACL

Give the ACL a name, then click Add again and select Add ACE

In the Add ACE window, click Permit and then select the internal network address (192.168.100.0)

Click OK and ensure the new ACL appears in the Network List.

Click OK again.

Click Apply and then click Save.

Now your VPN should be fully functional, and VPN clients can directly access the internet while connected to the VPN.

銆怑ditor鈥檚 Picks銆?/p>

Leave a Comment

Your email address will not be published.