Remote type IPsec VPN configuration in ASA 5515

manu.mp
Level 1

Dear Friends,

Please help me configure IPsec VPN on my Cisco ASA 5515. I want to connect to my internal IP through a Cisco AnyConnect client.

3 Replies

Pawan Raut
Level 4

ASA Configuration

The remote user will be able to download the anyconnect VPN client from the ASA so we need to store it somewhere. Each operating system has a different installation file and we need to have them on the flash memory of the ASA:

ASA1# show flash:
--#-- --length-- -----date/time------ path
10 8192 Dec 02 2014 19:09:34 log
18 8192 Dec 02 2014 19:09:44 crypto_archive
106 25088760 Aug 04 2014 13:59:20 asdm-731.bin
109 27113472 Aug 25 2014 13:10:56 asa915-k8.bin
112 31522773 Aug 09 2014 15:01:52 anyconnect-win-3.1.03103-k9.pkg
113 9993060 Aug 09 2014 15:06:50 anyconnect-linux-3.1.03103-k9.pkg
114 11293375 Aug 09 2014 15:08:34 anyconnect-macosx-i386-3.1.03103-k9.pkg

255426560 bytes total (149487616 bytes free)

There is a different PKG file for each operating system. Above you can see that I have one for Windows, Linux and Mac OS X. If you don’t have them already, make sure you copy them to the flash memory of the ASA.

Our next step is to enable clientless WebVPN:

ASA1(config)# webvpn

Now we specify which anyconnect PKG files we want to use:

ASA1(config-webvpn)# anyconnect image flash:/anyconnect-win-3.1.03103-k9.pkg

I’m only specifying the anyconnect client for Windows, but if you want to support Linux or Mac OS X users, make sure to add them here. Now we can enable client WebVPN on the outside interface:

ASA1(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'OUTSIDE'.

This enables WebVPN on the outside interface. We also need to enable anyconnect:

ASA1(config-webvpn)# anyconnect enable

When you have an inbound access-list on the outside interface, all your decrypted traffic from the SSL WebVPN has to match the inbound access-list. You can either create some permit statements for the decrypted traffic or you can just tell the ASA to let this traffic bypass the access-list:

ASA1(config)# sysopt connection permit-vpn

When remote users connect to our WebVPN they have to use HTTPS. The following option is not required but useful: whenever someone accesses the ASA through HTTP they will be redirected to HTTPS:

ASA1(config)# http redirect OUTSIDE 80

The ASA will assign IP addresses to all remote users that connect with the anyconnect VPN client. We’ll configure a pool with IP addresses for this:

ASA1(config)# ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0

Remote users will get an IP address from the pool above; we’ll use IP address range 192.168.10.100 – 200.

By default all traffic will be sent through the tunnel once the remote user is connected. If you want to allow remote users to access the Internet once they are connected then you need to configure split tunneling. We will configure an access-list that specifies what networks we want to reach through the tunnel:

ASA1(config)# access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

This means that the SSL VPN tunnel will only be used to reach the 192.168.1.0/24 network. Now we can configure the anyconnect group policy:

ASA1(config)# group-policy ANYCONNECT_POLICY internal
ASA1(config)# group-policy ANYCONNECT_POLICY attributes
ASA1(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL
ASA1(config-group-policy)# dns-server value 8.8.8.8
ASA1(config-group-policy)# webvpn
ASA1(config-group-webvpn)# anyconnect keep-installer installed
ASA1(config-group-webvpn)# anyconnect ask none default anyconnect
ASA1(config-group-webvpn)# anyconnect dpd-interval client 30

There’s quite some stuff in the group policy, so let me break it down for you:

- The group policy is called “ANYCONNECT_POLICY” and it’s an internal group policy, which means that we configure it locally on the ASA. An external group policy could be on a RADIUS server.
- The VPN tunnel protocol is ssl-client (for anyconnect) and also ssl-clientless (clientless SSL VPN).
- Split tunneling has been enabled and we refer to the access-list “SPLIT_TUNNEL” that we just created.
- The DNS server 8.8.8.8 will be assigned to remote VPN users.
- Normally when the remote VPN user terminates the session, the anyconnect installer will be uninstalled. The anyconnect keep-installer installed command leaves it installed on the user’s computer.
- The anyconnect ask command specifies how the anyconnect client will be installed on the user’s computer. The none default anyconnect part tells the ASA not to ask the user if he/she wants to use WebVPN or anyconnect but just starts the download of the anyconnect client automatically.
- The anyconnect dpd-interval command is used for Dead Peer Detection. The remote user’s anyconnect client will check every 30 seconds if the ASA is still responding or not. You can also use dpd-interval gateway so that the ASA checks if the remote user is still responding.

After the group policy configuration we have to create a tunnel group which binds the group policy and VPN pool together:

ASA1(config)# tunnel-group MY_TUNNEL type remote-access
ASA1(config)# tunnel-group MY_TUNNEL general-attributes
ASA1(config-tunnel-general)# default-group-policy ANYCONNECT_POLICY
ASA1(config-tunnel-general)# address-pool VPN_POOL
ASA1(config-tunnel-general)# exit
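As an added example (not part of the reply above and not Cisco's code), here is a small Python consistency checker for the pieces the reply strings together: it parses the "show flash:" rows and the configuration lines, confirms that every referenced image, access-list, group-policy and address pool is actually defined, and reports "sysopt connection permit-vpn" separately, since that line lets decrypted VPN traffic bypass the outside interface ACL. The flash listing and configuration embedded below are constructed from the reply.

```python
# Constructed sample input: 'show flash:' rows and configuration lines from the reply above.
FLASH_LISTING = """\
112 31522773 Aug 09 2014 15:01:52 anyconnect-win-3.1.03103-k9.pkg
"""

ASA_CONFIG = """\
webvpn
 anyconnect image flash:/anyconnect-win-3.1.03103-k9.pkg
 anyconnect enable
sysopt connection permit-vpn
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group MY_TUNNEL general-attributes
 default-group-policy ANYCONNECT_POLICY
 address-pool VPN_POOL
"""

def flash_files(listing):
    """File names from 'show flash:' output (the path is the last column)."""
    return {row.split()[-1] for row in listing.splitlines() if row.strip()}

def acl_bypass_enabled(config):
    """True when decrypted VPN traffic skips the outside interface access-list."""
    return "sysopt connection permit-vpn" in [ln.strip() for ln in config.splitlines()]

def check_anyconnect_config(config, listing):
    """Return findings (dangling references, missing pieces); [] means consistent."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    def defined(prefix):  # names introduced by lines that start with prefix
        return {ln.split()[len(prefix.split())] for ln in lines if ln.startswith(prefix + " ")}
    # (command prefix, word index of the referenced name, set it must resolve in, label)
    refs = [("anyconnect image", 2, flash_files(listing), "file on flash"),
            ("split-tunnel-network-list value", 2, defined("access-list"), "access-list"),
            ("default-group-policy", 1, defined("group-policy"), "group-policy"),
            ("address-pool", 1, defined("ip local pool"), "ip local pool")]
    findings = []
    for ln in lines:
        for prefix, idx, known, label in refs:
            if ln.startswith(prefix + " "):
                name = ln.split()[idx].replace("flash:/", "")
                if name not in known:
                    findings.append(f"'{ln}' refers to unknown {label} {name}")
    if "anyconnect enable" not in lines:
        findings.append("webvpn: 'anyconnect enable' is missing, so clients cannot connect")
    return findings
```

Run it against a "show running-config" export and the real "show flash:" output before pushing a change; a typo in a pool or policy name is otherwise only noticed when the first user fails to connect.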

Thank you for the reply. I will try this one and let you know the status.

From where can I get this anyconnect-win-3.1.03103-k9.pkg? My ASA has the ASA 5515 Security Plus license.