09-06-2015 02:42 PM - edited 03-11-2019 11:33 PM
Hi
I am new to configuring AnyConnect VPN using the command line. Previously I have just used the AnyConnect Wizard in ASDM.
I need to configure AnyConnect VPN and I want to start using the command line. I have 2 questions for anyone kind enough to answer:
1) I have the following template. Can someone please verify if this config will be correct? The text in red is what I need to fill in according to the network.
2) If I need to allow different customers to VPN in, can I separate them, and how? Is a different external IP required for different customers, and is a separate profile required?
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
webvpn
 enable outside
 tunnel-group-list enable
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
username User1 password Password123
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.10 10.0.0.11
 wins-server none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value mynetwork.lan
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Thanks
09-06-2015 02:58 PM
1) That config looks ok.
2) You don't use different IPs for that. The VPN is always terminated on the public IP of the ASA.
The easiest method is to configure a new group-policy for each customer. In the user-setting, the group-policy is applied. In the group-policy you could specify a vpn-filter (an ACL that specifies to which destinations a client can connect), different DNS-servers, domain-names or also different IP-pools per customer.
09-08-2015 12:18 AM
Thanks Karsten