Configure SSL VPN on a Cisco ASA

      3 Comments on Configure SSL VPN on a Cisco ASA

SSL VPN is the new buzz phrase among VPN solutions.  Cisco decided to stop supporting their standard IPSec client in 64 bit OS’s.  While some won’t agree with me, I believe this to be a pretty clear indication that Cisco wants us to start using SSL for our client VPN solutions.  IPSec will continue to rule the world of L2L(LAN to LAN) VPN’s for the time being. 

The configuration is actually pretty straightforward.  I’ll walk through the commands below and then follow up with some comments.  I’m going to assume here that you are using a different subnet for your VPN network and your local network.  I’m also assuming you will be using Local authentication.  We may configure Radius in a later post.

-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them

Define or add a No Nat ACL
ASA(config)# access-list nonat extended permit ip <local access range> <subnet> <vpn access range> <subnet>

Apply the No Nat ACL
ASA(config)# nat (inside) 0 access-list nonat

Define your Split Tunnel ACL
ASA(config)# access-list splitVPN standard permit <local access range> <local access subnet>

Define the Group Policy for the WebVPN
ASA(config)# group-policy GP_SSLVPN internal 
ASA(config)# group-policy GP_SSLVPN attributes 
ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
ASA(config-group-policy)# webvpn 
ASA(config-group-webvpn)# split-tunnel-policy tunnelspecified
ASA(config-group-webvpn)# split-tunnel-network-list value splitVPN
ASA(config-group-webvpn)# split-dns value <dns domain (Ex:>
ASA(config-group-webvpn)# dns-server value <ip address>

Define a DHCP pool for the clients to use
ASA(config)# ip local pool SSL_Pool <VPN Range> mask <Range Mask>

Define a local user to use for the VPN
ASA(config)# username <username> password <password> privilege 0
ASA(config)# username <username> attributes 
ASA(config-username)# vpn-group-policy GP_SSLVPN

Enable WebVPN
ASA(config)# webvpn 
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc image disk0:/<anyconnect image file name> 1
ASA(config-webvpn)# svc image disk0:/<2nd anyconnect image file name (for Mac or Linux)> 2
ASA(config-webvpn)# svc enable

Define the tunnel group
ASA(config)# Tunnel-group TG_SSLVPN type remote-access
ASA(config)# Tunnel-group TG_SSLVPN general-attributes
ASA(config-tunnel-general)# default-group-policy GP_SSLVPN
ASA(config-tunnel-general)# address-pool SSL_Pool

Link the tunnel group to WebVPN
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# tunnel-group TG_SSLVPN webvpn-attributes 
ASA(config-tunnel-webvpn)# group-alias AnyConnect enable

Wrap it up by saving the config
ASA(config)# write

After you have finished entering the above commands you should have the base AnyConnect solution configured.  If you browse to the secure (https://) external address of your ASA you should get the login page for the WebVPN Portal.  Keep in mind that we haven’t configured a certificate for the ASA yet, so anyone browsing to your portal page will get an error indicating that the certificate is invalid.  The ASA will use a self generated certificate any time it doesn’t have a third party one defined.  The VPN solution will work fine without a certificate but clicking on all of the error messages can be annoying.  In one of our next posts we will install a certificate from a third part CA so we don’t get the annoying security warnings.

3 thoughts on “Configure SSL VPN on a Cisco ASA

  1. canadian vpn service

    Thanks for writing this awesome article. I’m reading your blog since a
    long time already but I never compelled to leave
    a comment. I saved your blog in my rss feed and shared it on my
    Twitter. Thanks again for this great post!


Leave a Reply

Your email address will not be published. Required fields are marked *