ASA 5505 AnyConnect config with IOS 8.3

c2innovations
Beginner

Hi,

I found on the internet how to activate the AnyConnect feature on my ASA5505. I'm not sure about the new "no nat" configuration with IOS 8.3. After I put that line in, I'm able to connect. I received an IP on the .50.x subnet, but I can't talk with our .0.x network. I'm also looking for a split tunnel configuration.

Any help appreciated...

Here is the command line:

webvpn
! Specify the AnyConnect image to be downloaded by users
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
! Enable AnyConnect access on the outside ASA interface
enable outside
svc enable
exit

! Create a local IP address pool to assign to remote users
ip local pool SSLClientPool 192.168.50.25-192.168.50.50 mask 255.255.255.0

! Configure NAT exemption for traffic between the internal LAN and remote users
! Pre-8.3 syntax, kept commented out for reference (these subnets come from the
! original template, not from this network)
!access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
!nat (inside) 0 access-list NONAT
! 8.3 syntax: define both networks as objects, then a manual (twice) NAT rule that
! maps each object to itself, so traffic between them is left untranslated
object network InsideVlan0
subnet 192.168.0.0 255.255.255.0
object network RemoteVPN
subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static InsideVlan0 InsideVlan0 destination static RemoteVPN RemoteVPN

! Create usernames that will use the AnyConnect remote access only
username userA password test123
username userA attributes
service-type remote-access
username userB password test12345
username userB attributes
service-type remote-access

! Create a group policy with configuration parameters that should be applied to
! clients (there are two options available here according to the ASA version you
! are running)
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.0.16 192.168.0.17
vpn-tunnel-protocol svc
address-pools value SSLClientPool

!OPTION 2
!ASA(config)# group-policy SSLCLientPolicy internal
!ASA(config)# group-policy SSLCLientPolicy attributes
!ASA(config-group-policy)# dns-server value 192.168.0.16 192.168.0.17
!ASA(config-group-policy)# address-pools value SSLClientPool
!ASA(config-group-policy)# webvpn
!ASA(config-group-webvpn)# vpn-tunnel-protocol svc

! Allow the AnyConnect traffic to bypass interface access lists
sysopt connection permit-vpn

! Create tunnel group profile to define connection parameters
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
! Show the group alias in the client's drop-down list at login
webvpn
tunnel-group-list enable

1 Reply

Yudong Wu
Rising star

"nat (inside,outside) source static InsideVlan0 InsideVlan0 destination static RemoteVPN RemoteVPN" is the correct way to do "no nat" in 8.3 code.

You can find split tunnel example here.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
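Added example (not from the original post or from the linked Cisco document): the split-tunnel configuration the poster asked for, applied to the group policy and subnets already in the post, plus the show commands used to confirm that the 8.3 NAT exemption is really being matched. The ACL names SplitTunnel_ACL and VPN_FILTER are assumptions.

```cisco
! Split tunneling: only traffic to the internal LAN enters the tunnel; everything
! else leaves the client directly. The network list must be a STANDARD ACL,
! which lists destination networks only.
access-list SplitTunnel_ACL standard permit 192.168.0.0 255.255.255.0

! Because "sysopt connection permit-vpn" bypasses the interface ACLs, a vpn-filter
! is where VPN users are restricted. This one (assumed name) limits clients in
! the pool to the internal LAN only; widen it if more networks are needed.
access-list VPN_FILTER extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0

group-policy SSLCLientPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel_ACL
 vpn-filter value VPN_FILTER
exit

! --- Verification ---
! The "source static" rule lands in section 1 (manual NAT), ahead of any dynamic
! PAT; its translate_hits / untranslate_hits counters should climb as VPN traffic
! flows. Connections opened before the rule existed may still hold the old
! translation; "clear xlate" flushes them.
show nat
clear xlate

! Simulate an inside host replying to a VPN client: the NAT phase should show
! the identity rule above rather than the dynamic PAT to the outside address.
packet-tracer input inside tcp 192.168.0.16 53 192.168.50.25 40000

! Confirm the client got a pool address and received the split-tunnel list.
! Inside hosts also need a route for 192.168.50.0/24 back to the ASA if the ASA
! is not their default gateway.
show vpn-sessiondb svc
show vpn-sessiondb detail svc
```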
