Anyconnect VPN Config ASA

Mokhalil82
Level 4

Hi

I am new to configuring AnyConnect VPN using the command line. Previously I have just used the AnyConnect Wizard in ASDM.

I need to configure AnyConnect VPN and I want to start using the command line. I have 2 questions for anyone kind enough to answer:

1) I have the following template. Can someone please verify if this config will be correct? The text in red is what I need to fill in according to the network.

2) If I need to allow different customers to VPN in, can I separate them, and how? Is a different external IP required for different customers, and is a separate profile required?

 

ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
webvpn
 enable outside
 tunnel-group-list enable
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
username User1 password Password123
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.10 10.0.0.11
 wins-server none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value mynetwork.lan
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

 

Thanks

Accepted Solutions

1) That config looks ok.

2) You don't use different IPs for that. The VPN is always terminated on the public IP of the ASA.

The easiest method is to configure a new group-policy for each customer. In the user-setting, the group-policy is applied. In the group-policy you could specify a vpn-filter (an ACL that specifies to which destinations a client can connect), different DNS-servers, domain-names or also different IP-pools per customer.
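
The per-customer separation described in the answer above, written out as an added example that is not part of the original thread. The customer names, pools, inside subnets, domains and passwords are constructed placeholders; the users connect through the single tunnel-group from the template, and `service-type remote-access` keeps these accounts from being used for ASA management access.

```cisco
! Constructed example: customer names, pools, internal subnets and
! passwords are placeholders, not values from the thread.
ip local pool CUSTA-POOL 192.168.101.1-192.168.101.254 mask 255.255.255.0
ip local pool CUSTB-POOL 192.168.102.1-192.168.102.254 mask 255.255.255.0
!
! vpn-filter ACLs: source = client pool, destination = permitted inside hosts.
! Anything not permitted is dropped by the implicit deny.
access-list CUSTA-FILTER extended permit ip 192.168.101.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list CUSTB-FILTER extended permit tcp 192.168.102.0 255.255.255.0 host 10.0.20.5 eq 443
!
! Split-tunnel lists only control client routing; the vpn-filter enforces access.
access-list CUSTA-SPLIT standard permit 10.0.10.0 255.255.255.0
access-list CUSTB-SPLIT standard permit host 10.0.20.5
!
group-policy GP-CUSTA internal
group-policy GP-CUSTA attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value CUSTA-FILTER
 address-pools value CUSTA-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CUSTA-SPLIT
 default-domain value custa.example
!
group-policy GP-CUSTB internal
group-policy GP-CUSTB attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value CUSTB-FILTER
 address-pools value CUSTB-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CUSTB-SPLIT
 default-domain value custb.example
!
! The group-policy is applied in the user settings: bind each local user.
username custa-user1 password REPLACE-WITH-STRONG-SECRET
username custa-user1 attributes
 vpn-group-policy GP-CUSTA
 service-type remote-access
username custb-user1 password REPLACE-WITH-STRONG-SECRET
username custb-user1 attributes
 vpn-group-policy GP-CUSTB
 service-type remote-access
!
! The NAT exemption from the template must also cover the new pools.
object network OBJ-CUSTA-POOL
 subnet 192.168.101.0 255.255.255.0
object network OBJ-CUSTB-POOL
 subnet 192.168.102.0 255.255.255.0
nat (inside,outside) source static any any destination static OBJ-CUSTA-POOL OBJ-CUSTA-POOL no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static OBJ-CUSTB-POOL OBJ-CUSTB-POOL no-proxy-arp route-lookup
```

After a test login per customer, `show vpn-sessiondb detail anyconnect` lists the group policy, assigned address and filter name for the session, which confirms the right policy was applied.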


Thanks Karsten
