I ran into a problem with Cisco 881 IOS 15.1M (or 12.4T2 also): the zone-based firewall is blocking access for AnyConnect clients. There is an SSLVPN-VIF0 interface, but there is no way I can put it into any zone. So if I disable ZFW, everything is fine... I found several cases with the same problem and no solution from Cisco. CBAC is not an option.
Quite a disappointment... If the same issue shows up with the ASA5510, I guess $20K will go to Checkpoint.
It should work fine.
With AnyConnect, the traffic will come through the WAN interface, then the virtual-template, and only then to the LAN interface. So the solution is that you need to create a zone and associate the zone with the virtual-template.
Since the virtual-template is not part of any zone, AnyConnect traffic doesn't pass across the virtual template.
Basically, we will have three zones now: in, sslvpn and out.
Just do the following for these zone-pairs:
in - sslvpn zone > permit any IP traffic
sslvpn zone - in > permit any IP traffic
out - sslvpn zone > permit any IP traffic
sslvpn zone - out > permit any IP traffic
You could be more specific about the traffic if you know the IP addresses of the AnyConnect clients.
This should solve the problem.
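As an added example, not taken from the answer above or from Cisco documentation, here is what those steps look like as an IOS zone-based firewall configuration. The interface names (Vlan1 for the LAN, FastEthernet4 for the WAN, Virtual-Template1 for the tunnel), the webvpn context name and the policy/zone-pair names are assumptions for a Cisco 881; the existing in/out zone-pairs are left as they were.

```cisco
! Added example (not from the original answer). Three zones, with the
! Virtual-Template used by the SSL VPN / AnyConnect tunnel placed in its own zone.
! Interface names (Vlan1 = LAN, FastEthernet4 = WAN, Virtual-Template1) and the
! webvpn context name are assumptions; adjust them to your own box.

zone security in
zone security out
zone security sslvpn

! LAN side
interface Vlan1
 zone-member security in
!
! WAN side
interface FastEthernet4
 zone-member security out
!
! AnyConnect tunnel endpoint. Decrypted client traffic enters the router here,
! so this is the interface that must be a zone member (SSLVPN-VIF0 cannot be).
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 zone-member security sslvpn
!
! Tie the SSL VPN context to the template so per-session tunnel interfaces
! are cloned from it and inherit the zone membership.
webvpn context SSLVPN
 virtual-template 1
 inservice

! "Permit any IP traffic": pass everything statelessly, as the answer describes.
! Because "pass" is not stateful, both directions of each pair must be defined.
policy-map type inspect PM-SSLVPN-PERMIT
 class class-default
  pass

zone-pair security IN-TO-SSLVPN source in destination sslvpn
 service-policy type inspect PM-SSLVPN-PERMIT
zone-pair security SSLVPN-TO-IN source sslvpn destination in
 service-policy type inspect PM-SSLVPN-PERMIT
zone-pair security OUT-TO-SSLVPN source out destination sslvpn
 service-policy type inspect PM-SSLVPN-PERMIT
zone-pair security SSLVPN-TO-OUT source sslvpn destination out
 service-policy type inspect PM-SSLVPN-PERMIT
```

To tighten this to the VPN client pool, replace `class class-default` / `pass` with a `class-map type inspect` that uses `match access-group` against an ACL listing the client addresses, and use `inspect` instead of `pass` so return traffic is tracked statefully (then the reverse pair only needs to permit what the clients should initiate). `show zone-pair security` confirms the pairs and policies are bound, and `show policy-map type inspect zone-pair` shows whether packets are hitting the pass or inspect actions once a client connects.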