Evil_TTL> show | s

ASA AnyConnect


The easiest way to configure AnyConnect VPN on an ASA is to use ASDM: go to Wizards - VPN Wizards - AnyConnect VPN Wizard and follow the steps. The only place you are likely to get stuck is a step that refuses to continue because the ASA has no certificate, which the wizard requires. To get past this, see the following page for how to quickly generate a self-signed certificate on the ASA: ASA Self Signed Certificate.
As a result, the ASA generates a configuration of the following kind:

webvpn
 enable outside
object network NETWORK_OBJ_172.16.10.0_26
 subnet 172.16.10.0 255.255.255.192
webvpn
 tunnel-group-list enable

write client profile "disk0:/RemoteUser_client_profile.xml" to ASA
webvpn
 anyconnect profiles RemoteUser_client_profile disk0:/RemoteUser_client_profile.xml
exit

username RemoteUser password XXXXXXXXXXX encrypted privilege 2
ip local pool RemoteUserPool 172.16.10.0-172.16.10.50 mask 255.255.255.0
group-policy GroupPolicy_RemoteUser internal
group-policy GroupPolicy_RemoteUser attributes
 vpn-tunnel-protocol ssl-client ikev2
 webvpn
  anyconnect profiles value RemoteUser_client_profile type user
exit

group-policy GroupPolicy_RemoteUser attributes
 dns-server value 4.2.2.2 8.8.8.8
 wins-server none
 default-domain value company.local
exit

tunnel-group RemoteUser type remote-access
tunnel-group RemoteUser general-attributes
 default-group-policy GroupPolicy_RemoteUser
 address-pool RemoteUserPool
tunnel-group RemoteUser webvpn-attributes
 group-alias RemoteUser enable
crypto ikev2 policy 1
 group 2 5
 encryption aes-256
crypto ikev2 policy 10
 group 2 5
 encryption aes-192
crypto ikev2 policy 20
 group 2 5
 encryption aes
crypto ikev2 policy 30
 group 2 5
crypto ikev2 policy 40
 group 2 5
 encryption des
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint self
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_26 NETWORK_OBJ_172.16.10.0_26 no-proxy-arp route-lookup

As you may have noticed, typing every line of this configuration in the CLI is tiresome when ASDM can generate it in under a minute.

By the way, if for some reason you cannot reach any internal resources even after a successful connection, try the following command (it lets decrypted VPN traffic bypass the interface access lists, so make sure that is what you want):

sysopt connection permit-vpn 

If you can't ping internal resources, check whether ICMP inspection is enabled in the global policy:

policy-map global_policy
 class inspection_default
  inspect icmp
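The wizard output above includes IKEv2 policies and IPsec proposals that accept DES, 3DES, MD5 and SHA-1, and the troubleshooting step just shown depends on `inspect icmp` being present in the global policy. The script below is an added example (not part of the original post and not Cisco tooling) that audits a saved running-config excerpt for both: it groups indented lines under their parent command, flags the weak algorithm and DH group choices, and reports whether ICMP inspection is configured. The embedded config is a constructed sample trimmed from the wizard output above, and the "weak" lists are the example's own thresholds, to be adjusted to local policy.

```python
"""Audit an ASA config excerpt for weak IKEv2 crypto and missing ICMP inspection.

Added example, not the original post's code. The sample config and the
"weak" algorithm/group thresholds below are assumptions for illustration.
"""
from typing import Dict, List

# Constructed sample, trimmed from the ASDM wizard output discussed above.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 group 2 5
 encryption aes-256
crypto ikev2 policy 40
 group 2 5
 encryption des
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
policy-map global_policy
 class inspection_default
  inspect dns
"""

# Thresholds are this example's assumption; tune them to your own policy.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha-1"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group every indented line under the nearest preceding unindented command."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def _flag(header: str, label: str, chosen: List[str], weak_set: set) -> List[str]:
    """Return one finding if any chosen value is in the weak set."""
    hits = sorted(set(chosen) & weak_set)
    return [f"{header}: weak {label} {' '.join(hits)}"] if hits else []


def find_weak_ikev2(sections: Dict[str, List[str]]) -> List[str]:
    """Report weak DH groups, encryption and integrity in IKEv2 policies/proposals."""
    findings: List[str] = []
    for header, body in sections.items():
        if header.startswith("crypto ikev2 policy"):
            for line in body:
                words = line.split()
                if words[0] == "group":
                    findings += _flag(header, "DH group(s)", words[1:], WEAK_DH_GROUPS)
                elif words[0] == "encryption":
                    findings += _flag(header, "encryption", words[1:], WEAK_ENCRYPTION)
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal"):
            for line in body:
                words = line.split()
                if words[:3] == ["protocol", "esp", "encryption"]:
                    findings += _flag(header, "encryption", words[3:], WEAK_ENCRYPTION)
                elif words[:3] == ["protocol", "esp", "integrity"]:
                    findings += _flag(header, "integrity", words[3:], WEAK_INTEGRITY)
    return findings


def icmp_inspection_enabled(sections: Dict[str, List[str]]) -> bool:
    """True when 'inspect icmp' appears under policy-map global_policy."""
    return "inspect icmp" in sections.get("policy-map global_policy", [])


def audit(config: str) -> Dict[str, object]:
    """Run both checks over a config string and return the results."""
    sections = parse_sections(config)
    return {
        "weak_crypto": find_weak_ikev2(sections),
        "icmp_inspection": icmp_inspection_enabled(sections),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for finding in report["weak_crypto"]:
        print("WARN", finding)
    print("ICMP inspection enabled:", report["icmp_inspection"])
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; anything the script flags is a candidate for removal from the dynamic-map proposal list, leaving only the AES proposals the clients actually need.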

This is pretty much it. Have fun!

By privilege15