Configure AnyConnect Client VPN on Cisco ASA 5505

Source: Internet
Author: User

This is certainly not the first article on "Quick Guide to building a VPN using Cisco devices"; however, we still hope that this guide will become an all-in-one guide for users who set up a VPN on an ASA 5505 and connect to the Internet.

The ASA has its own setup wizard, but the wizard does not cover everything the user has to do, and some of its steps are vague and hard to adapt. The work can be divided into four steps: set SSL authentication, configure the VPN, set the correct NAT rules, and finally enable split-tunneling if necessary. SSL authentication allows users to access intranet resources from the Internet through an encrypted tunnel. This walkthrough uses a self-signed certificate for testing; in production, you should obtain the SSL certificate from a third-party certification authority. The VPN settings are relatively simple, and we go through the content and configuration steps of the wizard in detail. The last step allows users to access both the intranet and the Internet.

The following are the configuration steps for the experiment environment. The test environment can connect to the intranet and the Internet, has a DMZ configured, and has Cisco ASDM and the CLI available.

Set SSL Certificate

Click the Configuration button at the top and select Remote Access VPN

Click Certificate Management and then click Identity Certificates

Click Add and select Add a new identity certificate.

Click New and enter a New VPN name (such as VPN)

Click Generate Now.

You need to enter the FQDN (fully qualified domain name), such as CN =, and then click OK.

Select Generate Self Signed Certificate and click Add Certificate.

Click OK.

Set AnyConnect Remote Access VPN:

Click Wizards and enter the VPN wizard interface.

Select AnyConnect SSL VPN Client (AnyConnect VPN Client)

Select a connection name (such as VPN)

Make sure that the Outside interface is selected.

Select the certificate we just created from the certificate drop-down menu.

Note the IP address used to access the VPN from the client (for example, ip.add.re.ss:444)

Click Next

You can use local database users (users you create yourself) or LDAP information (for example, your Active Directory users).

Click Next

Create a new policy and name it (for example, AnyConnect). Then click Next

Click New to create an address pool for the user. Do not use the same subnet as the Intranet. For example, if the Intranet uses, the VPN address pool can use If you only want 20 IP addresses in the address pool, you can set the starting IP address to and ending IP address to

Select the address pool you just created from the drop-down menu. If IPv6 is not used in the intranet, you do not need to consider the IPv6 address pool.

For AnyConnect images, you can browse your local computer or log on to the Cisco website using a SMARTnet account to download the images and upload them here.

Click Finish. You can also click Apply to save the settings.

Create a NAT exemption rule (for quick use of CLI)

Connect to the CLI of the firewall

In configuration mode, enter the following command:

access-list NAT-EXEMPT extended permit ip

tunnel-group VPN general-attributes

address-pool AnyConnect (this is the name of the address pool we created earlier)

Now you can connect to the intranet through the VPN. However, users may run into restrictions when they try to reach the Internet, so we will configure split-tunneling to allow VPN users to access the Internet. If you need to be extremely secure, do not configure split-tunneling. This is a trade-off between practicality and security, and you should weigh it before deciding: VPN users do not want to log out of the VPN just to search for something on Google or to check their private mailbox.

Configure split-tunnel:

Return to the ASDM interface and click Configure, then Remote Access VPN, then Network Access, and select Group Policies.

Click the Group Policy we created in the wizard and select Edit.

Expand Advanced and click Split Tunneling.

Uncheck Inherit for Policy and select Tunnel Network List Below from the drop-down list.

Uncheck Inherit for Network List and click Manage.

Click Add and then Add ACL

Name the ACL, click Add again, and select Add ACE.

Click Permit in the Add ACE window and select the Intranet address (

Click OK and make sure the new ACL exists in the Network List.

Click OK again.

Click Apply and then Save.

In this way, your VPN can run normally, and VPN clients can access the Internet directly while connected to the VPN.
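The address-pool rule (do not reuse the intranet subnet) and the split-tunnel network list can both be checked against a saved running-config. The following is an added example, not part of the original guide: the config excerpt, names and addresses are constructed sample values, and it assumes the usual ASA running-config forms `ip local pool`, `access-list ... standard permit` and `split-tunnel-network-list value`.

```python
import ipaddress
import re

# Constructed running-config excerpt; every name and address is a sample value.
SAMPLE_CONFIG = """\
ip local pool AnyConnect 192.168.50.1-192.168.50.20 mask 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy AnyConnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
"""

def acl_networks(config, acl):
    """Networks permitted by a standard ACL (any / host A / A MASK forms)."""
    nets = []
    pattern = rf"^access-list {re.escape(acl)} standard permit (.+)$"
    for entry in re.findall(pattern, config, re.M):
        parts = entry.split()
        if parts[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif parts[0] == "host":
            nets.append(ipaddress.ip_network(parts[1]))
        else:
            nets.append(ipaddress.ip_network("/".join(parts[:2]), strict=False))
    return nets

def audit(config, intranet):
    """Return findings about the address pool and the split-tunnel list."""
    inside = ipaddress.ip_network(intranet)
    findings = []
    for name, first, last in re.findall(
            r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if hi < lo:
            findings.append(f"pool {name}: end address precedes start address")
        elif any(block.overlaps(inside)
                 for block in ipaddress.summarize_address_range(lo, hi)):
            findings.append(f"pool {name}: overlaps intranet {inside}")
    lists = re.findall(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    for acl in sorted(set(lists)):
        nets = acl_networks(config, acl)
        if not any(inside.subnet_of(net) for net in nets):
            findings.append(f"list {acl}: intranet {inside} is not tunnelled")
        for net in nets:
            if not net.subnet_of(inside):
                findings.append(f"list {acl}: {net} extends beyond the intranet")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "192.168.1.0/24") or ["no findings"]:
        print(line)
```

An empty result means the pool is outside the intranet subnet and the split-tunnel list sends exactly the intranet through the tunnel.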
