
ASA 5505 AnyConnect config with IOS 8.3

Hi,

I found on the internet how to activate the AnyConnect feature on my ASA5505. I'm not sure about the new no-NAT configuration with IOS 8.3. After I put that line in, I'm able to connect. I received an IP on the .50.x subnet, but I can't talk with our .0.x network. I'm also looking for a split tunnel configuration.

Any help appreciated...

Here is the command line:


webvpn

! Specify the AnyConnect image to be downloaded by users

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

! Enable AnyConnect access on the outside ASA interface
enable outside
svc enable
exit

! Create a local IP address pool to assign for remote users
ip local pool SSLClientPool 192.168.50.25-192.168.50.50 mask 255.255.255.0

! Configure NAT exemption for traffic between internal LAN and remote users
!access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
!nat (inside) 0 access-list NONAT
object network InsideVlan0
subnet 192.168.0.0 255.255.255.0

object network RemoteVPN
subnet 192.168.50.0 255.255.255.0

nat (inside,outside) source static InsideVlan0 InsideVlan0 destination static RemoteVPN RemoteVPN


! Create usernames that will use the AnyConnect remote access only
username userA password test123
username userA attributes
service-type remote-access

username userB password test12345
username userB attributes
service-type remote-access

! Create a group policy with configuration parameters that should be applied to clients (there are two options available here according to the ASA version you are running)

group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.0.16 192.168.0.17
vpn-tunnel-protocol svc
address-pools value SSLClientPool

!OPTION 2
!ASA(config)# group-policy SSLCLientPolicy internal
!ASA(config)# group-policy SSLCLientPolicy attributes
!ASA(config-group-policy)# dns-server value 192.168.0.16 192.168.0.17
!ASA(config-group-policy)# address-pools value SSLClientPool
!ASA(config-group-policy)# webvpn
!ASA(config-group-webvpn)# vpn-tunnel-protocol svc

! Allow the AnyConnect traffic to bypass access lists
sysopt connection permit-vpn

! Create tunnel group profile to define connection parameters
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
webvpn
tunnel-group-list enable


Re: ASA 5505 AnyConnect config with IOS 8.3

"nat (inside,outside) source static InsideVlan0 InsideVlan0 destination static RemoteVPN RemoteVPN" is the correct way to do "no nat" in 8.3 code.

You can find split tunnel example here.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
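
A split-tunnel configuration for the group policy and inside subnet shown in the question, added here as an example; it is not from the thread or from the linked Cisco document. The ACL name SPLIT_TUNNEL and the inside host 192.168.0.10 are assumptions made for illustration.

```cisco
! Added example, not from the thread. SPLIT_TUNNEL is an assumed ACL name.
! Standard ACL listing the networks that should be sent through the tunnel
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0

! Attach the list to the group policy from the question
group-policy SSLCLientPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Checks after a client connects (192.168.0.10 is a constructed inside host)
! Confirm the NAT exemption rule is present and see its hit counters
show nat detail
! Trace an inside-to-pool packet through NAT and access-list evaluation
packet-tracer input inside icmp 192.168.0.10 8 0 192.168.50.25 detailed
```

With `tunnelspecified`, only traffic to 192.168.0.0/24 goes through the tunnel; everything else leaves through the client's local gateway and is not inspected by the ASA.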
