05 Nov 12 Configuring Cisco Any Connect on Cisco ASA 8.4

Cisco Any Connect configuration on Cisco ASA 5520 – 8.4 code

As most of us know by now that Cisco has announced End of Sale and End of Life for Cisco VPN Client, Details Here. Our migration option from Cisco VPN Client is Cisco AnyConnect. Cisco AnyConnect is supported by 32 as well as 64 bit version of Windows. And yes there is licensing involved too. Here is some information on the Cisco ASA and Cisco AnyConnect Licensing. So now my notes on configuring Cisco AnyConnect VPN on Cisco ASA 5520 Firewall running 8.4 Code.

There are different ways to accomplish this i.e; Command Line or utilizing Cisco ASDM. I actually used a mixture of both. It is pretty easy and fast to configure Cisco AnyConnect profile via ASDM Wizard initially so I used that procedure:

  • After opening up the ASA’s ASDM form the top I picked the option Wizard –> VPN wizard –> AnyConnect VPN wizard. Here is what the first screen looks like:
  • Next you name the connection profile, now note here that multiple profiles can be created for different purposes such as a profile for the IT department, profile for the executives, profile for the regular users and give them access accordingly.
  • On the next screen under VPN Protocols – SSL/IPSec I picked out both protocols for now, however eventually I am going to change that as I will be getting the Essentials license which gives me Cisco AnyConnect IPSec license. But for now by default I have two SSL licenses so I wanted to use them at least for testing purposes. Also under Device Certificate I picked the self signed certificate for now however eventually I will be adding a valid third party SSL Certificate and will have a separate how to on that.
  • Next I had to specify the Cisco AnyConnect client image. I already had it loaded on the ASA 5520 Firewall, so I simply clicked on Browse Flash and added it from there, however you also have the option to upload it here if you do not have it already loaded on the Cisco ASA. I was using the latest version, file name: anyconnect-win-3.1.00495-k9.pkg.

  • Next screen asks for the Authentication Methods. Since I already have the Microsoft NPS 2008 server setup, I picked RADIUS. Note: I will have a separate how to on setting up the Microsoft NPS 2008 Server as RADIUS server for Cisco AnyConnect. You can also use other type of Authentication methods such as Kerberos, LDAP etc if you like.

  • Next screen asks for the DHCP Pool to be used for the Cisco AnyConnect VPN Clients. If there is one already defined that can be used I defined a new scope by clicking on the New button. This can also be created easily via command line as well in advance.

    ip local pool AnyConnect_DHCP mask

  • In the next section I specified the DNS Servers that Cisco AnyConnect Clients will use after connecting
  • Next screen was for >NAT Exempt. Which means it was asking me if I want the Cisco AnyConnect VPN Clients network to be excluded from any kind of NAT. On the top first lines says, If network address translation is enabled on the ASA, the VPN traffic must b exempt from this translation. Well NAT is enabled so I check the box. If you forget to check it or leave it for now, it can easily be done via command line

    object-group network Inside_Net
    object network AnyConnect
    nat (inside,outside) source static Inside_Net Inside_Net destination static AnyConnect AnyConnect
    object network VPN-Pool-internet
    nat (outside,outside) dynamic second-public-ip (This is the outgoing Public IP for the VPN)

  • Next screen I checked the option to Allow Web Launch
  • Next screen is the last screen and just shows the summary of everything. I simply clicked on “Finish” and that is it

Article Resources

Note:Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always backup your work before you make any changes, always test configurations in the lab and never do anything that you can not undo 🙂

Tags: , , , , ,

WordPress SEO