Anyconnect VPN Configuration Using Multiple Subinterfaces

I’ve been trying to configure a Remote Access (Anyconnect/Secure Client) on our Cisco ASA 5508-X. However, I keep running into issues. I think my core problem is correctly configuring my PAT and NAT Exemption. However, it also seems like my Secure Client Profile is not being used, and it is choosing the default profiles instead.

Here is a sanitized version of my configuration:

  • Static External IP *

interface GigabitEthernet1/1
nameif external
security-level 0
ip address XX.XX.XX.XX

  • Internal Subinterfaces *

interface GigabitEthernet1/5
description Connected to Switch01 GigabitEthernet0/25
no shut
no nameif
security-level 0
no ip address
interface GigabitEthernet1/5.20
description inside20 vlan
vlan 20
nameif inside20
security-level 100
ip address XX.XX.20.1
interface GigabitEthernet1/5.30
description inside30 vlan
vlan 30
nameif inside30
security-level 100
ip address XX.XX.30.1
interface GigabitEthernet1/5.40
description inside40 vlan
vlan 40
nameif inside40
security-level 100
ip address XX.XX.40.1

  • Network Objects *

object network OBJECT-NAT-ALL
object network inside20
subnet XX.XX.20.0
object network inside30
subnet XX.XX.30.0
object network inside40
subnet XX.XX.40.0.0
object network VPN_Pool range X.X.X.200 X.X.X.220


nat (inside20,external) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
object network OBJECT-NAT-ALL
nat (any,external) dynamic interface


route external XX.XX.XX.XX 1

  • CRYPTO *

crypto ca trustpoint INT_CA
enrollment terminal
enrollment interface inside40
subject-name CN=XYZ.XYZ.XYZ,O=Company,OU=Division,L=Locality,ST=State
keypair int.key
crl configure
no protocol http
no protocol ldap
crypto ca trustpool policy
crypto ca certificate chain INT_CA

crypto ikev2 policy 10
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable external client-services port 443
crypto ikev2 remote-access trustpoint INT_CA
telnet timeout 5
no vpn-addr-assign dhcp
vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
vpn-sessiondb max-other-vpn-limit 100
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 100
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl trust-point (I have this for each nameif)

  • WEB VPN *

enable external
max-age 31536000
no preload
anyconnect image disk0:/cisco-secure-client-win.pkg 1 regex “Windows NT”
anyconnect image disk0:/cisco-secure-client-linux64.pkg 2 regex “Linux”
anyconnect profiles Team_client_profile disk0:/Team_client_profile.xml
anyconnect enable
error-recovery disable

  • Group Policy *

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy GroupPolicy_Team internal
group-policy GroupPolicy_Team attributes
wins-server none
dns-server value XX.XX.40.10 XX.XX.40.20
vpn-tunnel-protocol ikev2 ssl-client
default-domain value XYZ.XYZ
anyconnect profiles value Team_client_profile type user
dynamic-access-policy-record DfltAccessPolicy

  • Local Users *

username user1 password priviledge 15
username user2 password priviledge 15
username user1 attributes
vpn-group-policy GroupPolicy_Team
group-lock value Team
tunnel-group Team type remote-access
tunnel-group Team general-attributes
address-pool VPN_Pool
authentication-server-group RADIUSSERVERS LOCAL
default-group-policy GroupPolicy_Team
tunnel-group Team webvpn-attributes
group-alias Team enable

Any help is appreciated!

Hello Kevin

From your configuration, it appears that you have correctly set up most of the necessary components for remote access VPN. However, there are a few potential issues that might be causing problems.

NAT Exemption: Your NAT exemption rule should exempt VPN traffic from being translated. Make sure you’re using the correct object for your VPN pool in the NAT rule. The NAT exemption rule should look something like this:

nat (any,external) source static NETWORK_OBJ LOCAL_NETWORK_OBJ destination static VPN_POOL_OBJ VPN_POOL_OBJ

Group Policy: Make sure the correct group policy is applied to the tunnel group. In your configuration, you have assigned the GroupPolicy_Team to the Team tunnel group, which seems correct. However, ensure that this group policy has the correct settings for your VPN.

Secure Client Profile: If your secure client profile is not being used, it might be because the profile is not correctly uploaded to the ASA or not correctly specified in the group policy. Check the disk0:/ path and ensure that the profile is correctly uploaded and specified in the group policy.

User Attributes: Ensure that the users have the correct attributes. The vpn-group-policy attribute should match the group policy you have defined.

If you’ve checked all these and are still having issues, I would recommend enabling debug for IKEv2 and SSL on the ASA to get more detailed information about what might be going wrong. You can do this with the following commands:

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
debug webvpn anyconnect 255

You can also take a look at this Cisco documentation for more details on using debugs for this purpose:

Take a look at all of these and let us know how you get along. If you need any further help, you know where to find us!

I hope this has been helpful!