Cisco ASA Anyconnect Remote Access VPN

Hello Willie

Hmm, that’s interesting. It could be the syntax of the command. When you type anyconnect image ? what options does it give you? Does it include “flash” as an option? Also, you may find that on some devices it uses flash0 instead of flash.
One other thing is this. Take a look at the following command reference.

Take a look at the command history:
image

Prior to 8.4(1), the command was part of the SVC image. Since you’re using 8.2(1) it could be that you don’t have this image. Issue the following command: show webvpn svc image and see what results you get.

Take a look at these issues and see if they help in the troubleshooting process, and let us know.

I hope this has been helpful!

Laz

Hi,

In the lesson we can see that the client does not get the IP address of the default gateway once the VPN is up.

C:\Users\VPN>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : VPN-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   **Default Gateway . . . . . . . . . :**
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

How does the PC know how to reach the Internet or any other network that is accessible only through the VPN?

Hello Giovanni

What you will find is that if you enabled split tunneling, you will see no default gateway. If you’ve disabled split tunneling, then the first IP from the client’s IP address and subnet mask combination will be chosen as the default gateway. There is no way to configure this parameter as it is hard coded into the way AnyConnect works.

Now having said that, the default gateway of a VPN client is really of no consequence. The default gateway is only significant when configured on an interface in a more traditional setting. However, when using VPNs such as AnyConnect, which uses a virtual interface, it doesn’t need a default gateway. The VPN connection is being treated as a point to point connection, so you really don’t care about the next hop IP. You just send everything out of the virtual interface.

The routing logic of an AnyConnect client is that all interesting traffic is sent to the upstream VPN peer using the encrypted link. This link uses the peer address and not a default gateway address. So the actual value in the default gateway, whether blank or anything else, is just ignored.

I hope this has been helpful!

Laz

PS Take a look at this Cisco Community link for more info:

I am searching for SSL VPN for the mentioned router and found the command webvpn, but my router doesn't know this command.
My router has the security feature set.
What do I need?

Regards, Hannes

Hello Johann

The webvpn feature being used in this particular lesson is applied on a Cisco ASA. The ASA is a firewall device.

However, WebVPN is also available on Cisco IOS devices. You must remember, though, that WebVPN is an end-of-life technology and has been replaced with FlexVPN. That means you won’t find it on some platforms such as the C1111, as described in this Cisco Community post.

For more information about FlexVPN, take a look at this lesson:

I hope this has been helpful!

Laz


Oh, so great!
Thanks a lot!


I am connected to 100 Mbps Internet.
After connecting to the office Cisco AnyConnect VPN, I am getting less speed when I do a speed test.

Is there any reason for this?

In my ASA, all traffic is going through the tunnel and the traffic specified in the ACL is going through my home Internet.
Is this full tunnel?

In the secured routes we have 0.0.0.0/0, so does this mean we are not using split tunnel, and all traffic is going through the VPN while the unsecured routes go through the local Internet? Please clarify.

Hello Pavan

The first thing that came to mind was that all your internet traffic may be routed over the VPN, and that the split tunnelling is not operating correctly. If that is indeed the case, then it would make sense that your speedtest is slower. How much slower is it? If it is substantially slower, then it is likely that this is the case. However, you can verify this…

If this is indeed how you have configured it, then yes, you should be OK. Your internet traffic should be routed out of your local internet connection, and your traffic that goes to your office should be routed over the VPN.

If you are routing all of your traffic over the VPN, then you will get a much slower speed. A way to check this is to run a traceroute to a destination on the Internet, say 8.8.8.8 (Google’s DNS server), with and without the VPN. See if there is a difference in how it is routed. From the IP addresses in the output, you should be able to determine if the traffic is exiting your local Internet connection or is being routed over the VPN and out via your office’s Internet connection. Once you determine this, then you can continue troubleshooting the problem.

Let us know how you get along!

I hope this has been helpful!

Laz

Hello Community, I am new to this and I have some questions about a scenario that I have at work. I am new to this VPN topic so I am not sure how to achieve this.

Peter and Mary have access to the main plant's IPs 192.168.150.6 and 192.168.160.10, and Peter is working on a project with a special team at 192.168.120.240. While they are at the plant, Peter can use all three IP addresses with no problem. Mary can only use the main plant's addresses and doesn’t have access to the third one. When they go off site, both Peter and Mary can use Cisco AnyConnect to connect to the main plant's IP addresses. So I want to add 192.168.120.240 to the Cisco AnyConnect so Peter can connect to it off site. Is there any possible way that I can achieve this? Do I need to change anything in ASDM? Is this related to a tunnel-group addition or the AnyConnect profile?

Thanks for taking the time to look at this!

Hello Johan

From my understanding, you want to allow Peter and Mary to have access to the IP addresses of specific hosts. So when Peter is on site, he has access to:

  • 192.168.150.6
  • 192.168.160.10
  • 192.168.120.240 (special project)

At the same time, Mary has access to the first two addresses but not to the third.

Now you want to be able to recreate these same allowances and restrictions for their AnyConnect connection.

In the scenario where Peter and Mary are both on-site, I assume this restriction is achieved using access lists. Using an extended access list, you can match Mary’s IP address as a source and the special team address as a destination and block any communication.

Now how can you achieve this using AnyConnect? Well, there are a couple of ways you can do this. Assuming AnyConnect gives you access to all your internal networks and assuming that each AnyConnect user is assigned the same IP address every time they connect (or at least the same IP address range), then you can use the same extended access list solution to achieve the same results. In this case, AnyConnect configurations are not directly involved in the allowing or disallowing of access. It’s still the access lists internally on the network that are doing this.

Alternatively, you can configure AnyConnect to give access to particular subnets within the corporate network. From the Cisco ASA Anyconnect Remote Access VPN lesson, you can use the split tunnel feature to specify in that access list what traffic will be sent over the VPN (based on destination) and what will be routed over the local internet.

You can also find additional information that will help you to decide how to set it up in the following Cisco documentation:

I hope this has been helpful!

Laz
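As an added example (not from the lesson or from anyone in this thread), here is a way to enforce the Peter/Mary distinction on the ASA itself with a per-user group policy and a vpn-filter ACL, rather than relying on internal access lists. It assumes an AnyConnect address pool of 192.168.10.0/24 and local usernames peter and mary; note that split tunneling only steers the client's routing and is not an access control, whereas vpn-filter is enforced on the ASA.

```cisco
! Added example: per-user access restriction with vpn-filter (assumed pool 192.168.10.0/24)
! vpn-filter ACLs are written with the internal host as SOURCE and the VPN client as DESTINATION;
! the ASA applies them to decrypted traffic in both directions, and the implicit deny drops the rest.
access-list MARY_VPN_FILTER extended permit ip host 192.168.150.6 192.168.10.0 255.255.255.0
access-list MARY_VPN_FILTER extended permit ip host 192.168.160.10 192.168.10.0 255.255.255.0
!
access-list PETER_VPN_FILTER extended permit ip host 192.168.150.6 192.168.10.0 255.255.255.0
access-list PETER_VPN_FILTER extended permit ip host 192.168.160.10 192.168.10.0 255.255.255.0
access-list PETER_VPN_FILTER extended permit ip host 192.168.120.240 192.168.10.0 255.255.255.0
!
! One group policy per role (assumed names); unset attributes are inherited from the default policy
group-policy MARY_POLICY internal
group-policy MARY_POLICY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value MARY_VPN_FILTER
!
group-policy PETER_POLICY internal
group-policy PETER_POLICY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value PETER_VPN_FILTER
!
! Bind each local user to its policy (with external AAA the same attribute would come from the server)
username mary attributes
 vpn-group-policy MARY_POLICY
username peter attributes
 vpn-group-policy PETER_POLICY
!
! Verification once a user is connected: the session detail lists the group policy and filter in effect
! show vpn-sessiondb detail anyconnect filter name peter
```

Because the two group policies differ only in their filter, Mary's session will still reach the two main-plant hosts while any packet to or from 192.168.120.240 is dropped by the implicit deny in MARY_VPN_FILTER.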


The information has been extremely helpful! Thanks a lot for taking the time to respond!
Much appreciated!


Hello group.
Good afternoon to everyone. I have a scenario in my company:
My company has bought around 100 computers with ARM64 architecture, and we have around 200 computers with Windows 11 running AnyConnect 4.10.
Our CEO wants all of those computers running, but our production AnyConnect will not be compatible with ARM64, so we will have to install another AnyConnect version for ARM64, which means two AnyConnect packages will be running on the same ASA. Does someone know how to achieve this?
I have never seen a case where this might be needed, but the time has come and I am totally lost with it.

Thanks everyone for taking a look into this.

Hello Johan

The short answer is that you can run different AnyConnect packages on the same ASA. One for each client type, such as Windows x64/ARM64, Linux, MacOS, etc.

I hope this has been helpful!

Laz


It has been extremely helpful. Thanks a lot for the answer!


Hello, some questions regarding the topic:

  1. In this case, when we use the Anyconnect client, is the tunnel protection mechanism SSL?
  2. Is there any other VPN client that I can use to replace anyconnect?

Hello Juan

In the case of the lesson, within the group policy, we see this command:

ASA1(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless

This command indicates that the VPN tunnel when used with a client, will indeed be using SSL. The syntax for this command is:

vpn-tunnel-protocol { ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless }

You can specify multiple protection protocols in the order of preference that you wish them to be used. If no VPN tunnel protection is configured, then IPSec is the default. Note that the only clientless option is the use of SSL.

There are many VPN clients that you can use, many of which are freely available including OpenConnect, Shrew Soft VPN client, and WireGuard to name a few. You can do a search online for one that fits your needs. Windows has a native VPN client that you can use as well. All of these can be configured to work with the ASA.

I hope this has been helpful!

Laz

Hello, I have a question

If within the group-policy ANYCONNECT_POLICY attributes setting I use the excludespecified option, then everything will be sent over the VPN except what is on the access list?
Do you mean it’s the opposite of tunnelspecified?
Thank you

Can you help me with this question?

Hello Juan

The command you are referring to is the split-tunnel-policy command which has three options:

  • tunnelall
  • tunnelspecified
  • excludespecified

These are further described in this Cisco ASA CLI command reference:

Yes, the excludespecified option is the opposite of the tunnelspecified option in that the former specifies what traffic to send “in the clear” (i.e. not encrypt and tunnel) and the latter specifies what traffic to tunnel and encrypt.

Concerning the question you shared, theoretically, there are two answers. You could use either tunnelspecified or excludespecified.

However, the most correct answer would be tunnelspecified. This is because you would typically specify what traffic should be tunneled (i.e. the traffic destined to the corporate network). All the rest would not be tunneled.

It would be quite difficult to use excludespecified to achieve the same results.

I hope this has been helpful!

Laz
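As an added example (not from the lesson or from the replies above), the three split-tunnel-policy options are shown side by side so the difference between tunnelspecified and excludespecified is visible in configuration; this also covers the earlier "0.0.0.0/0 in secured routes" question. The policy and ACL names are assumed, the corporate subnets are the ones used earlier in this thread, and 192.168.1.0/24 stands in for a home LAN.

```cisco
! Added example: the three split-tunnel-policy options (assumed names)
!
! tunnelspecified: only destinations in the list are tunneled; everything else leaves the local Internet connection
access-list SPLIT_TUNNEL standard permit 192.168.150.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.160.0 255.255.255.0
group-policy ANYCONNECT_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! excludespecified: the list names what stays OUT of the tunnel ("in the clear"); everything else is tunneled
! If the excluded network is the user's own LAN, the AnyConnect client profile must also allow local LAN access.
access-list SPLIT_EXCLUDE standard permit 192.168.1.0 255.255.255.0
group-policy EXCLUDE_POLICY internal
group-policy EXCLUDE_POLICY attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_EXCLUDE
!
! tunnelall (the default when nothing is configured): no list is needed. The client's Route Details pane
! then shows a single secured route of 0.0.0.0/0, which is what a "speed test goes over the VPN" symptom looks like.
group-policy FULL_TUNNEL_POLICY internal
group-policy FULL_TUNNEL_POLICY attributes
 split-tunnel-policy tunnelall
!
! Verification: the session detail shows which group policy a connected user received
! show vpn-sessiondb detail anyconnect
```

With tunnelspecified the client installs only the listed prefixes as secured routes, so an Internet speed test never touches the ASA; with tunnelall or a mismatched list it does, which is the first thing to check when a user reports the slowdown described earlier in the thread.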