03-11-2015 07:22 AM - edited 02-21-2020 08:07 PM
Hello all,
I am attempting to set up an AnyConnect VPN on our 5512. Most of the examples I find online have some type of error or deprecated command in them. Could someone please show me a working command line example that allows the VPN to connect AND access any machine in the local network?
Right now, my inside network is 192.9.200.0 and vpn pool needs to be 192.168.201.10 - 50.
Thanks a bunch!! I really do appreciate the help!
John
03-11-2015 12:29 PM
Define local VPN Pool
ip local pool vpnpool 192.168.201.10-192.168.201.50
Split tunnel access list, so your internet traffic goes out your local internet connection, but traffic for your home network is sent across the VPN.
access-list split standard permit 192.9.200.0 255.255.255.0
Group policy to specify dns server, allowed protocol, domain name, etc.
group-policy SSLVPN attributes
dns-server value 192.9.200.x
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.local
Tunnel-group to provide the connectivity profile for the VPN.
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
address-pool vpnpool
default-group-policy SSL-VPN
tunnel-group SSL-VPN webvpn-attributes
group-alias SSL-VPN enable
Create your objects so we can reference them in NAT
object network inside-network
subnet 192.9.200.0 255.255.255.0
object network vpnpool
subnet 192.168.201.0 255.255.255.192
NAT rule to allow inside->vpn communication via real IPs.
nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
Webvpn configuration - the anyconnect packages will be different based on what you have uploaded to your ASA.
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.0.00051-k9.pkg 2 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-4.0.00051-k9.pkg 3 regex "Intel Mac OS X"
anyconnect enable
tunnel-group-list enable
03-11-2015 03:14 PM
Thanks!!
Do I need to do anything with certificates?
Just add users and it's ready?
Does this look right?
username vpnuser password VpnuserPassword
username vpnuser attributes
service-type remote-access
Thanks again for your help,
John
03-11-2015 05:52 PM
You can create a local account or use RADIUS/LDAP if you have a centralized authentication server.
03-17-2015 07:22 AM
When I get to this line I get an error:
group-policy SSLVPN attributes
^
Invalid input detected at '^' marker. (It's under the a in attributes)
Thanks again,
John
03-17-2015 07:29 AM
Sorry, you need the following line first:
group-policy SSLVPN internal
There's a typo in the tunnel group default group policy line too. Remove the hyphen.
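Added example, not part of this thread and not Cisco code: a small Python checker that reads an ASA config snippet like the one in the first reply and reports exactly the two problems that the follow-up replies identify (a `group-policy X attributes` block with no preceding `group-policy X internal`, and a `default-group-policy` name that does not match any defined group policy), plus one thing the thread did not check: that the whole `ip local pool` range sits inside the object that the NAT exemption references. The sample config text is constructed from the first reply (the dns-server line is left out so no address has to be invented); the function names and finding messages are my own.

```python
import ipaddress
import re

# Constructed sample (not pulled from an ASA): the AnyConnect config from the
# first reply, reproduced with the two mistakes the later replies point out:
# no "group-policy SSLVPN internal" line, and a tunnel-group that names "SSL-VPN".
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.201.10-192.168.201.50
access-list split standard permit 192.9.200.0 255.255.255.0
group-policy SSLVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool vpnpool
 default-group-policy SSL-VPN
object network inside-network
 subnet 192.9.200.0 255.255.255.0
object network vpnpool
 subnet 192.168.201.0 255.255.255.192
nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
"""

# The same text with both corrections from the thread applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "group-policy SSLVPN attributes", "group-policy SSLVPN internal\ngroup-policy SSLVPN attributes"
).replace("default-group-policy SSL-VPN", "default-group-policy SSLVPN")

TOP_LEVEL = [  # commands the checks care about; the last three open a sub-mode
    ("pool", re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")),
    ("acl", re.compile(r"^access-list (\S+) ")),
    ("gp_decl", re.compile(r"^group-policy (\S+) (?:internal|external)\b")),
    ("nat", re.compile(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")),
    ("gp_attr", re.compile(r"^group-policy (\S+) attributes$")),
    ("tg", re.compile(r"^tunnel-group (\S+) ")),
    ("obj", re.compile(r"^object network (\S+)$")),
]

def parse_asa(text):
    # Collect names and cross-references; indentation is ignored because pasted
    # configs (like the one in this thread) usually lose it.
    cfg = {"pools": {}, "acls": set(), "gp_declared": set(), "gp_attr": set(),
           "gp_acl": {}, "tg": {}, "objects": {}, "nat_objects": set()}
    mode = name = None  # sub-mode opened by the last recognised top-level command
    for line in (raw.strip() for raw in text.splitlines()):
        for kind, rx in TOP_LEVEL:
            m = rx.match(line)
            if m:
                break
        else:  # not a recognised top-level command: maybe a sub-mode line
            if mode == "gp_attr" and (m := re.match(r"^split-tunnel-network-list value (\S+)$", line)):
                cfg["gp_acl"][name] = m[1]
            elif mode == "tg" and (m := re.match(r"^address-pool (\S+)$", line)):
                cfg["tg"][name]["pool"] = m[1]
            elif mode == "tg" and (m := re.match(r"^default-group-policy (\S+)$", line)):
                cfg["tg"][name]["gp"] = m[1]
            elif mode == "obj" and (m := re.match(r"^subnet (\S+) (\S+)$", line)):
                cfg["objects"][name] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            continue
        mode = name = None
        if kind == "pool":
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif kind == "acl":
            cfg["acls"].add(m[1])
        elif kind == "gp_decl":
            cfg["gp_declared"].add(m[1])
        elif kind == "nat":
            cfg["nat_objects"].update(m.groups())
        else:  # gp_attr, tg and obj open a sub-mode for the named item
            mode, name = kind, m[1]
            if kind == "gp_attr":
                cfg["gp_attr"].add(name)
            elif kind == "tg":
                cfg["tg"].setdefault(name, {})
    return cfg

def lint(cfg):
    # Return human-readable findings; an empty list means every reference resolves.
    findings = []
    for gp in sorted(cfg["gp_attr"] - cfg["gp_declared"]):
        findings.append(f"group-policy {gp}: 'attributes' used without a preceding 'group-policy {gp} internal'")
    for gp, acl in sorted(cfg["gp_acl"].items()):
        if acl not in cfg["acls"]:
            findings.append(f"group-policy {gp}: split-tunnel list '{acl}' is not a defined access-list")
    defined_gps = cfg["gp_declared"] | cfg["gp_attr"]
    for tg, attrs in sorted(cfg["tg"].items()):
        gp, pool = attrs.get("gp"), attrs.get("pool")
        if gp and gp not in defined_gps:
            findings.append(f"tunnel-group {tg}: default-group-policy '{gp}' is not a defined group-policy")
        if pool and pool not in cfg["pools"]:
            findings.append(f"tunnel-group {tg}: address-pool '{pool}' is not a defined ip local pool")
        elif pool:  # the whole pool must sit inside an object the NAT exemption uses
            lo, hi = cfg["pools"][pool]
            if not any(lo in net and hi in net
                       for obj, net in cfg["objects"].items() if obj in cfg["nat_objects"]):
                findings.append(f"pool {pool} ({lo}-{hi}) is not fully inside any object used by the NAT exemption")
    return findings
```

Calling `lint(parse_asa(SAMPLE_CONFIG))` returns the two findings that match the errors reported in this thread, and `lint(parse_asa(FIXED_CONFIG))` returns an empty list; shrinking the `vpnpool` object mask to 255.255.255.224 makes the pool check fire, because 192.168.201.50 then falls outside the exempted object and return traffic to those clients would be NATed. One practitioner caveat on the NAT exemption line itself: on ASA 8.3 and later it is commonly written with `no-proxy-arp route-lookup` appended so the ASA does not answer ARP for the VPN pool on the inside interface.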
03-17-2015 07:48 AM
SSLVPN instead of SSL-VPN?
Thanks,
John
03-17-2015 11:45 AM
It's working great! However.... I provided the information to the people needing the VPN. They say that it needs to be a Cisco connect VPN not Anyconnect. Is there such a thing? All I can find is a reference to EZVPN which seems to have been phased out. Am I correct?
Thank you,
John