Cisco ASA Anyconnect Remote Access VPN

OK. I understand. Thanks for your help.

Thanks Rene for the great tutorial. Is it necessary to have Radius server to configure the Anyconnect VPN?

Hello Mohammad

No it is not necessary to have a RADIUS server running in order to configure AnyConnect. When configuring the group policy, you can choose to use an internal group policy, as in the lesson, where we configure it locally on the ASA. You can also choose to use an external server-group where you would specify an external RADIUS server.

I hope this has been helpful!

Laz

Hi Rene

I would like to know the configuration for AnyConnect remote access VPN with the IKEv2 tunnel-protocol.

Thanks
Chandi

Hello Chandima

You can see an example configuration for Anyconnect using IKEv2 in the following Cisco documentation.

Take a look and if you have any questions, let us know!

Laz

Hi Laz,

Thanks for the info. I have a virtual lab set up for AnyConnect. It works with the SSL protocol;
however, when the VPN tunnel protocol is changed to IKEv2 I get the error message "unauthorized connection mechanism".

So I want to make sure what the cause of the problem is. I have attached the config file:
asa1-anyconnect.txt (6.1 KB)

Thanks
Chandima

Hello Chandima

At first glance, there doesn’t seem to be a problem with the configuration that you have shared. However, this error may appear for many reasons: a mismatch in the VPN mechanism, attributes on the local user account, a VPN tunnel protocol that is not specified correctly, or a misconfigured group policy. You will have to check various aspects of the configuration.

Take a look at this Cisco community post, as it may give you more insight into what you may need to do.

I hope this has been helpful!

Laz
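The pieces that have to be present for AnyConnect to negotiate IKEv2 rather than SSL, as an added reference configuration (not from the lesson or from Chandima's attached file); interface, trustpoint, policy and tunnel-group names are assumptions:

```text
! Added example: ASA IKEv2 remote-access pieces. OUTSIDE, ASA_TRUSTPOINT,
! ANYCONNECT_POLICY and ANYCONNECT_TG are assumed names.

! 1. IKEv2 (phase 1) policy
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

! 2. Enable IKEv2 on the outside interface; client-services lets the
!    AnyConnect client fetch its profile and updates over TCP 443
crypto ikev2 enable OUTSIDE client-services port 443

! 3. Certificate the ASA presents to IKEv2 clients
crypto ikev2 remote-access trustpoint ASA_TRUSTPOINT

! 4. IPsec proposal plus a dynamic crypto map for remote-access peers
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto dynamic-map DYN_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface OUTSIDE

! 5. The group policy must list ikev2. A policy (or a username attribute
!    overriding it) that only permits ssl-client is one of the reasons the
!    client is told its connection mechanism is not authorized.
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ikev2 ssl-client

! 6. The tunnel group keeps the same pool and default policy as for SSL
tunnel-group ANYCONNECT_TG general-attributes
 default-group-policy ANYCONNECT_POLICY

! Checks: confirm the effective protocol list and the negotiated SA
show running-config group-policy ANYCONNECT_POLICY
show running-config username
show vpn-sessiondb anyconnect
show crypto ikev2 sa
```

The client side also needs an AnyConnect profile whose PrimaryProtocol is set to IPsec; without that the client keeps connecting over SSL even when the ASA allows IKEv2.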

Hi, can you explain DNS and AnyConnect
(split-dns and other DNS parameters)?

Hello Sims

An excellent resource on DNS and AnyConnect, and the way in which various operating systems deal with this feature, can be found here:


It explains in detail split vs standard DNS, as well as how DNS behaves in a tunnel all configuration. It also describes the difference in behaviour for AnyConnect versions before 4.2 and after 4.2 as the behaviour has changed.

Take a look and if you have any more detailed questions, let us know!

I hope this has been helpful!

Laz

Hi,
The article is about the behavioral difference; I have seen it already.
I am looking for some examples.
Thanks

Hi Sims,

You mean configuration examples?

Rene

It would be great if you could give a configuration example.

Hi Sims,

I don’t have anything else on anyconnect besides this lesson at the moment. If I do, I’ll update this topic and let you know.

Rene
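The DNS-related group-policy attributes Sims asked about, as an added example (not from the lesson); the addresses, domain names and object names are assumptions:

```text
! Added example: AnyConnect DNS parameters. Addresses, domains and names
! (SPLIT_TUNNEL, ANYCONNECT_POLICY, ...) are assumed values.

! Networks reached through the tunnel; everything else leaves locally
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0

group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ssl-client
 ! DNS servers and default domain pushed to the client
 dns-server value 192.168.1.10 192.168.1.11
 default-domain value corp.example.com
 ! Split tunnel: only SPLIT_TUNNEL networks use the VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 ! Split DNS: only queries for these domains are sent to the VPN DNS
 ! servers; all other names are resolved by the client's local resolver
 split-dns value corp.example.com lab.example.com

! Variant: tunnel-all with every DNS query forced into the tunnel.
! split-tunnel-all-dns stops the client from resolving any name through
! the local (physical adapter) resolver while connected.
group-policy ANYCONNECT_POLICY_ALL internal
group-policy ANYCONNECT_POLICY_ALL attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 192.168.1.10
 default-domain value corp.example.com
 split-tunnel-policy tunnelall
 split-tunnel-all-dns enable

! Checks: what the ASA will push, and what a connected client received
show running-config group-policy ANYCONNECT_POLICY
show vpn-sessiondb detail anyconnect
```

On the client, the DNS suffixes and servers actually applied can be compared against the pushed values in the AnyConnect statistics window (Route Details) or with the operating system's resolver tools.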

Hello Rene,

I read your article for remote VPN, and there is something that I could not figure out,
How is the security/privacy/encryption of this kind of VPN achieved? I understand, for example, that for IPsec VPN there is a lot of configuration regarding authentication, encryption, integrity and so on, and it was an important part of the IPsec VPN explanation, as it is in a real scenario of course. I was expecting something like an encryption algorithm and that kind of stuff here too, lol. But it does not look like that is part of the SSL VPN implementation. Maybe this is an obvious matter, lol, but I just did not get it. Thank you in advance.

Hello Jose

This particular lesson is focused on the configuration of the devices involved in order to achieve the desired result. In general, lessons here concentrate more on the actual application of a technology, although the theory is also covered in a relatively detailed manner.

In a remote access VPN using SSL, the actual tunnelling occurs between the web browser on the client’s device and the ASA. The information sent by the browser that traverses this path is all encrypted using digital certificates. Much of the actual encryption and security mechanisms are not visible or accessible during installation and configuration due to the fact that much of it is automated in this particular example. A lesson that will provide a little more insight into these mechanisms is the following:

If you want to find out more about the theory behind VPNs in general, take a look at the following lessons:

For anything more detailed as far as theory goes, you can share your specific questions here on the forum.

I hope this has been helpful!

Laz
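Where the protocol and cipher choices for an SSL VPN actually live on the ASA, as an added example (not from the lesson): they are global TLS settings rather than tunnel-group attributes, so they are easy to miss when following a configuration walkthrough. The trustpoint and interface names are assumptions.

```text
! Added example: TLS settings that govern AnyConnect SSL sessions.
! ASA_TRUSTPOINT and OUTSIDE are assumed names.

! Only accept TLS 1.2 from clients
ssl server-version tlsv1.2

! Restrict the TLS 1.2 cipher suites the ASA offers. The "high" level
! keeps the AES/SHA-2 based suites and drops the weaker ones.
ssl cipher tlsv1.2 high

! Minimum Diffie-Hellman group for DHE suites
ssl dh-group group14

! Identity certificate presented to clients on the outside interface
ssl trust-point ASA_TRUSTPOINT OUTSIDE

! Checks: configured versions/ciphers, and the cipher each session negotiated
show ssl
show vpn-sessiondb detail anyconnect
```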

Thank you Laz,
You answered my question:
"The information sent by the browser that traverses this path is all encrypted using digital certificates. Much of the actual encryption and security mechanisms are not visible or accessible during installation and configuration due to the fact that much of it is automated in this particular example."
I was confused since I thought that for SSL VPN we also had to specify values such as hash and encryption… but instead, security is achieved by the certificates. It's kind of a different approach.
Thank you!!


Hello,

I have followed all the steps. AnyConnect is working and users are able to connect successfully, but they are not able to access any of the servers or computers in the network.
The only reachable resource is the ASA inside IP (pingable); no other resources are reachable.

I hope to get help on how to solve it.

Thank you

Hello Mohammad

With the configuration as applied in the lesson, you should be able to ping all of the IP addresses within the same subnet as the ASA’s INSIDE interface. Using the lab topology as an example, the client should be able to ping all active devices with IP addresses within the 192.168.1.0/24 subnet.

If your servers are on this subnet and you fail to ping them, then I suggest you attempt to troubleshoot this using the following lesson as a guide:


This should help you pinpoint where the packets are being dropped so you can resolve the problem.

If your servers are on another subnet behind another router in your enterprise, then the issue is not with the VPN configuration, but with routing configured on the ASA and your internal infrastructure.

Let us know how your troubleshooting is coming along.

I hope this has been helpful!

Laz
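A check sequence for the "only the ASA inside IP answers" symptom, as an added example (not from the lesson) that also covers a cause the troubleshooting lesson alone may not surface: VPN client traffic being NAT'd on its way to the inside subnet. The pool, subnet and object names are assumptions.

```text
! Added example: isolating where VPN-to-inside traffic is lost.
! 192.168.10.0/24 (VPN pool), 192.168.1.0/24 (INSIDE) and the object
! names are assumed values.

! 1. Is the client session up and holding a pool address?
show vpn-sessiondb anyconnect

! 2. Does the ASA know how to reach the server, and the server the pool?
!    Hosts on another subnet need a return route to 192.168.10.0/24
!    pointing at the ASA, otherwise only the ASA itself answers.
show route
show route 192.168.1.20

! 3. Walk a client ping through the ASA; the NAT and VPN phases show
!    whether the packet is translated or dropped before reaching INSIDE
packet-tracer input OUTSIDE icmp 192.168.10.5 8 0 192.168.1.20 detailed

! 4. If the NAT phase rewrites the client address, exempt pool <-> inside
!    traffic from translation (identity NAT in both directions)
object network VPN_POOL_NET
 subnet 192.168.10.0 255.255.255.0
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup

! 5. Confirm decrypted traffic is allowed in without an OUTSIDE ACL entry
!    (this is the default; a "no" here means an explicit ACL is needed)
show running-config sysopt | include permit-vpn

! 6. Re-run the packet-tracer and watch live flows from the pool
packet-tracer input OUTSIDE icmp 192.168.10.5 8 0 192.168.1.20
show conn address 192.168.10.5
```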

Hello everyone~
Does anyone have a straightforward way to ensure the AnyConnect client shows up at the Windows logon screen? There are various KBs on different variations of SBL and features… but a little confirmation would be appreciated. Thanks~

Hello Brian

I haven’t personally implemented this so I couldn’t confirm it for you from personal experience. However, a good source of information that includes the actual application of these features is the Cisco community. The following link contains a comprehensive conversation about this very issue for Windows 10 that may be of benefit to your requirements:


There are additional such threads that may be useful for you. Alternatively, there may be users on our forum that have implemented this that may be able to respond with their own personal experiences.

I hope this has been helpful!

Laz
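The two settings Start Before Logon depends on, as an added example (not from the lesson or from the linked community thread): the ASA has to push the logon module to the client, and the client profile has to turn the feature on. The policy and profile names are assumptions.

```text
! Added example: Start Before Logon (SBL) for AnyConnect on Windows.
! ANYCONNECT_POLICY and the profile file name are assumed values.

! 1. Group policy: push the pre-logon module with the client
group-policy ANYCONNECT_POLICY attributes
 anyconnect modules value vpngina

! 2. Client profile (XML stored on the ASA and pushed at connect time).
!    UserControllable="false" keeps users from switching SBL off.
!    <ClientInitialization>
!      <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
!    </ClientInitialization>

! 3. Attach the profile to the same group policy
webvpn
 anyconnect profiles CORP_PROFILE disk0:/corp_profile.xml
group-policy ANYCONNECT_POLICY attributes
 webvpn
  anyconnect profiles value CORP_PROFILE type user

! Check: the module and profile lines must both appear for the policy
show running-config group-policy ANYCONNECT_POLICY
```

The module is installed on the first successful connection after the change, so the logon-screen entry appears from the next reboot onward, not on the session in which it was downloaded.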