The easiest way to configure AnyConnect VPN on an ASA is to use ASDM. Go to Wizards - VPN Wizards - AnyConnect VPN Wizard and follow the steps. The only place you may get stuck is being unable to proceed to the next step because you do not have a certificate, which the wizard requires. To get past this, see the following page for how to quickly generate a self-signed certificate on the ASA: ASA Self Signed Certificate.
As a result, the ASA generates configuration of the following kind:
webvpn
enable outside
object network NETWORK_OBJ_172.16.10.0_26
subnet 172.16.10.0 255.255.255.192
webvpn
tunnel-group-list enable
! write client profile "disk0:/RemoteUser_client_profile.xml" to ASA
webvpn
anyconnect profiles RemoteUser_client_profile disk0:/RemoteUser_client_profile.xml
exit
username RemoteUser password XXXXXXXXXXX encrypted privilege 2
ip local pool RemoteUserPool 172.16.10.0-172.16.10.50 mask 255.255.255.0
group-policy GroupPolicy_RemoteUser internal
group-policy GroupPolicy_RemoteUser attributes
vpn-tunnel-protocol ssl-client ikev2
webvpn
anyconnect profiles value RemoteUser_client_profile type user
exit
group-policy GroupPolicy_RemoteUser attributes
dns-server value 4.2.2.2 8.8.8.8
wins-server none
default-domain value company.local
exit
tunnel-group RemoteUser type remote-access
tunnel-group RemoteUser general-attributes
default-group-policy GroupPolicy_RemoteUser
address-pool RemoteUserPool
tunnel-group RemoteUser webvpn-attributes
group-alias RemoteUser enable
crypto ikev2 policy 1
group 2 5
encryption aes-256
crypto ikev2 policy 10
group 2 5
encryption aes-192
crypto ikev2 policy 20
group 2 5
encryption aes
crypto ikev2 policy 30
group 2 5
crypto ikev2 policy 40
group 2 5
encryption des
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint self
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
nat (inside,outside) 5 source static any any destination static NETWORK_OBJ_172.16.10.0_26 NETWORK_OBJ_172.16.10.0_26 no-proxy-arp route-lookup
As you may have noticed, typing every line of this configuration into the CLI is tiresome when the same thing can be done in less than a minute in ASDM.
By the way, if for some reason you cannot reach any internal resources even after a successful connection, try the following command:
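One thing worth checking in the wizard output above: its crypto section enables DES, 3DES, MD5 and DH groups 2 and 5 alongside AES. As an added example (not part of the original post and not Cisco's tooling), the Python script below parses the "crypto ikev2 policy" and "crypto ipsec ikev2 ipsec-proposal" blocks and reports those legacy algorithms; the weak-algorithm sets and the platform-default assumption for a policy with no encryption line are mine.

```python
import re
# Constructed sample in the shape the ASDM AnyConnect wizard emits (indented as in
# 'show running-config'; the parser also accepts the indentation stripped).
SAMPLE_CONFIG = """\
crypto ikev2 policy 30
 group 2 5
crypto ikev2 policy 40
 group 2 5
 encryption des
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
"""
HEADER = re.compile(r"^crypto (?:ikev2 policy|ipsec ikev2 ipsec-proposal) \S+$")
SUBCOMMANDS = {"encryption", "integrity", "group", "prf", "lifetime", "protocol"}
WEAK = {"encryption": {"des", "3des"},  # 56-bit DES, 112-bit 3DES (Sweet32)
        "integrity": {"md5"},
        "group": {"1", "2", "5"}}       # assumption: 768/1024/1536-bit MODP is below the floor

def parse_crypto_blocks(config):
    """Map each IKEv2 policy / IPsec proposal header to its sub-command token lists."""
    blocks, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if HEADER.match(line):
            current = line
            blocks[current] = []
        elif current and line.partition(" ")[0] in SUBCOMMANDS:
            blocks[current].append(line.split())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_crypto(config):
    """Return [(header, issue)] for the legacy algorithms the wizard enables by default."""
    findings = []
    for header, entries in parse_crypto_blocks(config).items():
        explicit_encryption = False
        for tokens in entries:
            # policy line: 'encryption des'; proposal line: 'protocol esp encryption des'
            kind, algs = (tokens[2], tokens[3:]) if tokens[0] == "protocol" else (tokens[0], tokens[1:])
            explicit_encryption |= kind == "encryption"
            findings += [(header, f"weak {kind} {a}") for a in algs if a in WEAK.get(kind, ())]
        if header.startswith("crypto ikev2 policy") and not explicit_encryption:
            # Assumption: no explicit line means the ASA platform default (3DES on 8.4/9.x) applies.
            findings.append((header, "no explicit encryption; relies on platform default"))
    return findings
```

Run it against the output of "show running-config crypto" on a real box; the fix for each finding is to remove the flagged policy or proposal and drop the matching entry from the dynamic map's ipsec-proposal list.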
sysopt connection permit-vpn
If you cannot ping internal resources, check whether the ICMP inspection rule is active:
policy-map global_policy
class inspection_default
inspect icmp
This is pretty much it. Have fun!
By privilege15