4243 Views | 0 Helpful | 1 Replies

ASA 5505 AnyConnect config with IOS 8.3

c2innovations, Level 1

Hi,

I found on the internet how to activate the AnyConnect feature on my ASA5505. I'm not sure about the new no-nat configuration with IOS 8.3. After I put that line in, I'm able to connect; I received an IP on the .50.x subnet, but I can't talk with our .0.x network. I'm also looking for a split tunnel configuration.

Any help appreciated.

Here is the command line:


webvpn
! Specify the AnyConnect image to be downloaded by users
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
! Enable AnyConnect access on the outside ASA interface
enable outside
svc enable
exit

! Create a local IP address pool to assign for remote users
ip local pool SSLClientPool 192.168.50.25-192.168.50.50 mask 255.255.255.0

! Configure NAT exemption for traffic between internal LAN and remote users
!access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
!nat (inside) 0 access-list NONAT
object network InsideVlan0
subnet 192.168.0.0 255.255.255.0

object network RemoteVPN
subnet 192.168.50.0 255.255.255.0

nat (inside,outside) source static InsideVlan0 InsideVlan0 destination static RemoteVPN RemoteVPN


! Create usernames that will use the AnyConnect remote access only
username userA password test123
username userA attributes
service-type remote-access

username userB password test12345
username userB attributes
service-type remote-access

! Create a group policy with configuration parameters that should be applied to clients (there are two options available here according to the ASA version you are running)

group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.0.16 192.168.0.17
vpn-tunnel-protocol svc
address-pools value SSLClientPool

!OPTION 2
!ASA(config)# group-policy SSLCLientPolicy internal
!ASA(config)# group-policy SSLCLientPolicy attributes
!ASA(config-group-policy)# dns-server value 192.168.0.16 192.168.0.17
!ASA(config-group-policy)# address-pools value SSLClientPool
!ASA(config-group-policy)# webvpn
!ASA(config-group-webvpn)# vpn-tunnel-protocol svc

! Allow the AnyConnect traffic to bypass access lists
sysopt connection permit-vpn

! Create tunnel group profile to define connection parameters
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
webvpn
tunnel-group-list enable

1 Reply

Yudong Wu, Level 7

"nat (inside,outside) source static InsideVlan0 InsideVlan0 destination static RemoteVPN RemoteVPN" is the correct way to do "no nat" in 8.3 code.

You can find a split tunnel example here.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
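The split-tunnel piece the question asks for, as an added example that is not part of the original post or the linked Cisco document: it reuses the poster's group-policy name SSLCLientPolicy and inside subnet 192.168.0.0/24, and the access-list name SplitTunnelList is an assumption.

```text
! Added example (not from the original post): split tunneling for the poster's setup.
! With tunnelspecified, only 192.168.0.0/24 is sent through the tunnel; every other
! client destination leaves the client's local interface directly and is never seen,
! inspected or logged by the ASA. List only the subnets that really need the tunnel.
! The DNS servers 192.168.0.16/.17 from the group policy fall inside this network.
access-list SplitTunnelList standard permit 192.168.0.0 255.255.255.0

group-policy SSLCLientPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelList

! Checks once a client is connected (8.3 syntax):
!   show vpn-sessiondb svc   - confirms the client got a SSLClientPool address
!   show nat                 - the "source static InsideVlan0 ... RemoteVPN" line
!                              should show translate_hits/untranslate_hits climbing;
!                              if both stay at 0 the exemption is not matching and
!                              reply traffic from 192.168.0.0/24 is being PATed instead.
```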
