AnyConnect Design and Configuration for Cisco ASA

I am a big fan of building a separate layer for VPN client services, much like what we used to do with the old-school VPN concentrators. To accomplish this I like to use the ASAv: it's inexpensive and easy to manage. Check out my videos, configuration and links below to learn more. As always, let me know if you have any questions.

AnyConnect + ASAv Design - learn about VPN client design on the ASAv.

ASAv AnyConnect Configuration - learn how to configure AnyConnect on the ASAv.

Meraki MX Perimeter Firewall + ASAv VPN Concentrator - In the videos above I recommend using a separate firewall for VPN client services. You can present your VPN concentrator to the public in a few different ways, such as one-to-one NAT or port forwarding. In my lab I configured port forwarding (443) to my ASAv; note that AnyConnect DTLS uses UDP 443, so forward that as well if you want clients to use DTLS rather than fall back to TLS over TCP. Check out the video below to learn how to configure the MX for this use case.

ASAv Configuration Template

#######################Interface Configuration################
#OUTSIDE configuration
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 192.168.1.252 255.255.255.0
no shut
!

#Inside interface configuration
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.30.252 255.255.255.0
no shut

hostname ASAv-VPN
username admin password cisco123
enable password cisco123

########################SSH and Routing##################################

#Setup ssh access
crypto key generate rsa modulus 4096

aaa authentication ssh console LOCAL
ssh 192.168.0.0 255.255.0.0 INSIDE
ssh version 2
#Setup routing configuration
route inside 192.168.5.0 255.255.255.0 192.168.30.1
route inside 192.168.100.0 255.255.255.0 192.168.30.1
route outside 0.0.0.0 0.0.0.0 192.168.1.1

#################VPN CLIENT CONFIGURATION############################

#Copy VPN client package to ASA
copy tftp disk0:anyconnect-win-4.4.01054-webdeploy-k9.pkg

#setup default route for VPN clients, I do not have split tunnel configured for my lab
route inside 0.0.0.0 0.0.0.0 192.168.30.1 tunneled
#Anyconnect network object
object network VPN_CLIENT_VLAN30
subnet 192.168.30.0 255.255.255.0

#AnyConnect VPN client address pool (you could hand out addresses from your own DHCP server instead)
ip local pool VPN_CLIENT_VLAN30_POOL 192.168.X.50-192.168.X.70 mask 255.255.255.0
#######################ENABLE SSL VPN#######################################
#enable anyconnect webvpn
webvpn
enable outside
tunnel-group-list enable
anyconnect enable
#image for anyconnect – part of webvpn
anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg

#################GROUP POLICY##############################################
#group-policy configuration – define VPN attributes (DNS server, domain name etc.)
group-policy GP_VPN internal
group-policy GP_VPN attributes
vpn-tunnel-protocol ssl-client
#DNS server configuration for client, note using my internal Umbrella Virtual Server
dns-server value X.X.X.X
default-domain value ccietim.com

#optional: split tunnel (uncomment if you want split tunneling; SPLIT-TUNNEL is a standard ACL you must define)
#split-tunnel-policy tunnelspecified
#split-tunnel-network-list value SPLIT-TUNNEL
############TUNNEL GROUP##############################
#create the tunnel group: the core of the VPN configuration (group policy, address pool, etc.)
#and the pre-login settings such as connection protocol and AAA authentication
#Finally, create the tunnel group:

tunnel-group VPN_PROFILE type remote-access
tunnel-group VPN_PROFILE general-attributes
default-group-policy GP_VPN
address-pool VPN_CLIENT_VLAN30_POOL

tunnel-group VPN_PROFILE webvpn-attributes
group-alias VPN_PROFILE enable

##########NAT####################################

#NAT exemption (identity NAT) for VPN client traffic, needed even if you have no other NAT configured
nat (inside,outside) 2 source static any any destination static VPN_CLIENT_VLAN30 VPN_CLIENT_VLAN30 no-proxy-arp route-lookup
#####################Filtering, if controlling access to what VPN clients can access##################
#vpn-filter ACL: each entry is evaluated with the VPN client as the source
#access-list VPN-FILTER extended permit tcp 192.168.30.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 22

#group-policy GP_VPN attributes
#vpn-filter value VPN-FILTER
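As an added example (not part of the author's template), here is what the two optional sections above look like when filled in: a split-tunnel list covering the two inside subnets the template already routes to 192.168.30.1, and a vpn-filter that limits clients to SSH on 192.168.5.0/24 and logs everything else. The names reuse the template's; the explicit deny line and the show commands are my additions.

```cisco
! Split tunnel: only the two inside subnets from the template's static routes go through the tunnel.
! Keep the group-policy dns-server inside one of these subnets so client DNS queries are tunneled too.
access-list SPLIT-TUNNEL standard permit 192.168.5.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
!
! vpn-filter: the ASA evaluates each ACE with the VPN client as the source, so this lets
! clients from the VPN_CLIENT_VLAN30 range reach SSH on 192.168.5.0/24 and nothing else.
! The explicit deny with log makes blocked attempts visible in syslog (added line, not in the template).
access-list VPN-FILTER extended permit tcp 192.168.30.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 22
access-list VPN-FILTER extended deny ip any any log
!
! Attach both to the template's group policy
group-policy GP_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value VPN-FILTER
!
! Verify after a client connects: the detail output shows the assigned pool address,
! the split-tunnel networks pushed to the client and the filter name in effect
show vpn-sessiondb anyconnect
show vpn-sessiondb detail anyconnect filter name admin
```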