Recommended VPN Server configuration

fbeye
Level 4

Hello

I was wondering what would be considered the correct/current VPN setup to use.

My situation is residential and I am simply wanting to use my iOS devices (iPhone/iPad) to access a specific IP address on my LAN to read/write documents and multimedia via VPN.

I know iPhone/iPad has VPN support but would prefer to use the Cisco AnyConnect client software.

Was just looking for a direction to take in regards to which configuration format and security to use so I know where to research.

Thank you

Accepted Solutions

If I understand you correctly the default gateway of the NAS is not the ASA, in which case I would imagine the NAS would not have a route to your RAVPN network 10.0.3.0/24. So therefore, yes you would need to define a static route on the NAS for that network and route it via the ASA.

HTH

22 Replies

Hi,
Is this just for personal use and looking for a cheap solution?

Personally I use a Cisco 1921 router with a FlexVPN IKEv2/IPsec RA VPN solution, using a self-signed certificate (could be either a Cisco or Linux CA) with the AnyConnect VPN client.

Alternatively you could acquire an ASA 5506-X and run either SSL-VPN or IKEv2/IPSec VPN with AnyConnect client.

HTH

I apologize it did not even occur to me to mention what I am utilizing currently. I have a 5508-X. Being that the 5506-X would be configured the same as my 5508 then I will use this... I am just uncertain as to procedure.
You mention SSL-VPN or IKEv2/IPSec VPN with AnyConnect so that will be my path to take.
Thank you

Ok. Here are some examples:- SSLVPN or IKEv2/IPSec

It's pretty straightforward to configure either. The examples use RADIUS for authentication, but you can use a local account on the ASA or just certificate authentication, as long as the client device and ASA mutually trust the certificates used.

HTH

Thank you so much. Tonight I will look into this and when I complete it or if I have more questions I'll let you know.

To verify my understanding, the 2 links you gave me are the authentication methods to use once I have already configured the server on the ASA?

Hi,
You won't need to define the AAA (ISE) server/group as per the links. When you come to configure the tunnel-group you'd select local (to use the local database). You would also have to create the users locally on the ASA.

HTH

Thank you, that definitely clears up that portion of the document but hopefully not sounding too ignorant, what I mean is where would I define which IP address to use (dhcp) when the connection is established as well as which IP/Server/Port to define when connecting?

You would define the VPN Pool, then reference the VPN Pool under group-policy. Any user that successfully authenticates would receive an IP address from that VPN Pool.

HTH

Well actually the SSL-VPN link I provided gives an example for a VPN Pool and how to attach in a group-policy :)

Yes, these links you provided give good examples also.

HTH

Well I am making progress but still not there.

The SSLVPN method must be following a version of the ASA/ASDM that I do not have because none of it is adding up.

Where I am at is, on my iPhone AnyConnect I can connect but it drops saying No License. On my Windows PC I connect and it works. I connect to the ASA via VPN but then it kills my Internet connectivity and I cannot mount or do anything.

What I am seeing is it is configuring WEBVPN, which I only have an image for Windows on my ASA, but I want to connect via iPhone. Clearly there is a lot I am missing. My latest attempt, shown here, was the ASDM Wizard, Cisco AnyConnect SSL. My main concern, and only interest, is that when I am on the VPN I am able to access a NAS on 10.0.2.111 through the 10.0.2.115 IP on interface 1/8.

: Serial Number: JAD192402FY
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.6(2)2
!
hostname ciscoasa
enable password $sha512$5000$VxGVpbbYO1zrechJNeV1wg==$GTQ23G8/TbyeZGPCsWdOjA== pbkdf2
names
ip local pool homevpn 10.0.3.101-10.0.3.105 mask 255.255.255.0

!
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0
pppoe client vpdn group pppoewan
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description TPLink
nameif tplink
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
description mail
nameif mail
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/5
description fhc
nameif fhc
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/6
description vpn
nameif vpn
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/7
description Open
nameif Open
security-level 90
ip address 10.0.1.115 255.255.255.0
!
interface GigabitEthernet1/8
description NAS
nameif NAS
security-level 90
ip address 10.0.2.115 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TPLink
host 192.168.2.177
description TPLink
object network mail
host 192.168.3.180
description mail
object network fhc
host 192.168.4.181
description fhc
object network dlink
host 192.168.5.178
description dlink
object network NETWORK_OBJ_10.0.3.96_28
subnet 10.0.3.96 255.255.255.240
object-group network DM_INLINE_NETWORK_1
network-object host x.x.x.180
network-object object mail
object-group service imapssl tcp
description imapssl
port-object eq 993
object-group network DM_INLINE_NETWORK_4
network-object host x.x.x.180
network-object object mail
object-group network DM_INLINE_NETWORK_2
network-object host x.x.x.180
network-object object mail
object-group network DM_INLINE_NETWORK_3
network-object host x.x.x.180
network-object object mail
object-group network DM_INLINE_NETWORK_5
network-object host x.x.x.180
network-object object mail
object-group service smtpd tcp
description smtpd
port-object eq 587
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group imapssl
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_3 eq ssh
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_5 object-group smtpd inactive
access-list AnyConnect_Client_Local_Print extended permit ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu tplink 1500
mtu mail 1500
mtu fhc 1500
mtu vpn 1500
mtu Open 1500
mtu NAS 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (NAS,outside) source static any any destination static NETWORK_OBJ_10.0.3.96_28 NETWORK_OBJ_10.0.3.96_28 no-proxy-arp route-lookup
!
object network TPLink
nat (any,any) static x.x.x.177
object network mail
nat (any,any) static x.x.x.180
object network fhc
nat (any,any) static x.x.x.181
object network dlink
nat (any,any) static x.x.x.178
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.182 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoewan request dialout pppoe
vpdn group pppoewan localname x.x.x
vpdn group pppoewan ppp authentication chap
vpdn username x.x.x password *****

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_HomeVPN internal
group-policy GroupPolicy_HomeVPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain none
dynamic-access-policy-record DfltAccessPolicy
username ciscovpn password Rmuje5N3tcV5V6yA encrypted
tunnel-group HomeVPN type remote-access
tunnel-group HomeVPN general-attributes
address-pool homevpn
default-group-policy GroupPolicy_HomeVPN
tunnel-group HomeVPN webvpn-attributes
group-alias HomeVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:382381121f568db659f13b79fe48f35a
: end

Hi,

If you want to just tunnel specific networks you can use split tunnel. E.g:-

access-list SPLIT_TUNNEL standard permit 10.0.2.0 255.255.255.0

group-policy GroupPolicy_HomeVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL

You may need a license to connect from iPhone; you can check your license info under "show version" and "show activation-key".

HTH

Ahhh, I knew about the Licensing but was assuming it was for larger deployment... It looks as if I do not have it for Mobile.

Cisco Adaptive Security Appliance Software Version 9.6(2)2
Device Manager Version 7.8(2)

Compiled on Fri 07-Oct-16 09:38 PDT by builders
System image file is "disk0:/asa962-2-lfbff-k8.SPA"
Config file at boot was "startup-config"

ciscoasa up 8 hours 18 mins

Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 8192MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

1: Ext: GigabitEthernet1/1 : address is 188b.9d1e.bb2e, irq 255
2: Ext: GigabitEthernet1/2 : address is 188b.9d1e.bb2f, irq 255
3: Ext: GigabitEthernet1/3 : address is 188b.9d1e.bb30, irq 255
4: Ext: GigabitEthernet1/4 : address is 188b.9d1e.bb31, irq 255
5: Ext: GigabitEthernet1/5 : address is 188b.9d1e.bb32, irq 255
6: Ext: GigabitEthernet1/6 : address is 188b.9d1e.bb33, irq 255
7: Ext: GigabitEthernet1/7 : address is 188b.9d1e.bb34, irq 255
8: Ext: GigabitEthernet1/8 : address is 188b.9d1e.bb35, irq 255
9: Int: Internal-Data1/1 : address is 188b.9d1e.bb2d, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is 188b.9d1e.bb2d, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 100 perpetual
Total VPN Peers : 100 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 320 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
VPN Load Balancing : Enabled perpetual

Serial Number: JAD192402FY
Running Permanent Activation Key: 0x3739ec51 0xb095abb1 0x50314d10 0xa5e83cac 0x811720bf
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration last modified by enable_15 at 05:34:27.899 UTC Sat Mar 30 2019
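An added audit script, not from this thread or from Cisco, that applies the three checks raised above to constructed excerpts of the posted running-config and "show version" output: whether a split-tunnel policy is set (the full tunnel is why internet access stops), whether the VPN pool falls inside the NAT-exemption object, and whether the AnyConnect for Mobile license is enabled (the "No License" drop on iPhone). The excerpts and function names are constructed for the example.

```python
import ipaddress
import re

# Constructed excerpts of the running-config and "show version" output quoted
# in this thread, trimmed to the lines the checks below need.
RUNNING_CONFIG = """\
ip local pool homevpn 10.0.3.101-10.0.3.105 mask 255.255.255.0
object network NETWORK_OBJ_10.0.3.96_28
subnet 10.0.3.96 255.255.255.240
nat (NAS,outside) source static any any destination static NETWORK_OBJ_10.0.3.96_28 NETWORK_OBJ_10.0.3.96_28 no-proxy-arp route-lookup
group-policy GroupPolicy_HomeVPN attributes
vpn-tunnel-protocol ssl-client
tunnel-group HomeVPN general-attributes
address-pool homevpn
"""
SHOW_VERSION = """\
AnyConnect Premium Peers : 4 perpetual
AnyConnect for Mobile : Disabled perpetual
"""

def pool_range(config):
    """Return (name, first, last) from the 'ip local pool' line."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+) mask", config, re.M)
    return m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))

def nat_exempt_subnet(config):
    """Resolve the destination object of the identity NAT rule to a network."""
    m = re.search(r"^nat \(\S+,outside\) source static any any destination static (\S+)", config, re.M)
    obj = re.search(r"^object network " + re.escape(m.group(1)) + r"\nsubnet (\S+) (\S+)", config, re.M)
    return ipaddress.ip_network(f"{obj.group(1)}/{obj.group(2)}")

def audit(config, show_version):
    findings = []
    # Without split tunnelling every client packet rides the VPN, and this
    # config has no NAT that would let pool addresses reach the internet.
    if "split-tunnel-policy tunnelspecified" not in config:
        findings.append("full tunnel: client internet traffic goes to the ASA, which has no NAT for the pool")
    name, first, last = pool_range(config)
    net = nat_exempt_subnet(config)
    if first not in net or last not in net:
        findings.append(f"pool {name} ({first}-{last}) is not fully covered by NAT exemption {net}")
    if re.search(r"^AnyConnect for Mobile\s*:\s*Disabled", show_version, re.M):
        findings.append("AnyConnect for Mobile is Disabled: iOS clients are refused with 'No License'")
    return findings

if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, SHOW_VERSION):
        print("-", finding)
```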

Oh I forgot to ask; I had every intention of following the SSLVPN Guide but everything before the “ASA CONFIGURATION” seems completely foreign to my ASDM. How do I implement the first portion?