Anyconnect VPN using local account

Network diagram


Configure inside and outside interface

ciscoasa(config)# int gi0/1
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address dhcp setroute
ciscoasa(config-if)# no shut
ciscoasa(config-if)# int gi0/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address
ciscoasa(config-if)# no shut

Self signed certificate

ciscoasa(config)# hostname vpn
vpn(config)# domain-name
vpn(config)# clock timezone SGT 8
vpn(config)# ntp server prefer

vpn(config)# sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~     2     3    64    0     8.5  35742.  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

vpn(config)# crypto key generate rsa label rsa-key modulus 2048 noconfirm
INFO: The name for the keys will be: rsa-key
Keypair generation process begin. Please wait...

vpn(config)# crypto ca trustpoint self
vpn(config-ca-trustpoint)# keypair rsa-key
vpn(config-ca-trustpoint)# fqdn
vpn(config-ca-trustpoint)# subject-name
vpn(config-ca-trustpoint)# enrollment self
vpn(config-ca-trustpoint)# exit
vpn(config)# crypto ca enroll self

% The fully-qualified domain name in the certificate will be:

% Include the device serial number in the subject name? [yes/no]: yes

Generate Self-Signed Certificate? [yes/no]: yes

A trustpoint is the container for a certificate. The enrollment self command means the certificate will be self-signed.

Enable the self-signed trustpoint

The self-signed certificate is enabled on the interface where the VPN terminates; in this lab that is the outside interface.

vpn(config)# ssl trust-point self outside

Export the certificate to the vpn user computer

vpn(config)# crypto ca export self identity-certificate

The PEM encoded identity certificate follows:

Copy and paste from BEGIN CERTIFICATE through END CERTIFICATE and save it as cert.cer. If you are using Windows you can use certmgr.msc to import the certificate. See the screenshot below.


On Linux:
cyrus@cyrus-vm:~$ sudo nano /usr/local/share/ca-certificates/cert.cer
Then copy the certificate:


SSL VPN begins….

vpn(config)# username cyrus password P@ssw0rd
vpn(config)# username cyrus attributes
vpn(config-username)# service-type remote-access

This account is solely for remote-access VPN.

vpn(config)# ip local pool VPN mask

Allocate a pool of addresses handed out to VPN users after a successful login.

vpn(config)# webvpn
vpn(config-webvpn)# anyconnect image disk0:/anyconnect-linux-64-4.0.00048-k9.pkg
vpn(config-webvpn)# anyconnect enable
vpn(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
vpn(config-webvpn)# tunnel-group-list enable

anyconnect enable enables AnyConnect, and enable outside enables WebVPN on the outside interface. tunnel-group-list enable enables the drop-down box in the AnyConnect client for group selection.

vpn(config)# group-policy VPN internal

Internal means the group-policy is stored locally on the ASA.

vpn(config)# group-policy VPN attributes
vpn(config-group-policy)# address-pools value VPN
vpn(config-group-policy)# dns-server value
vpn(config-group-policy)# gateway-fqdn value
vpn(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless
vpn(config)# access-list SPLIT-TUNNEL standard permit
vpn(config)# group-policy VPN attributes
vpn(config-group-policy)# split-tunnel-policy tunnelspecified
vpn(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
vpn(config-group-policy)# split-tunnel-all-dns disable
vpn(config-group-policy)# split-dns value
vpn(config-group-policy)# default-domain value
vpn(config-group-policy)# vpn-idle-timeout 60
vpn(config-group-policy)# vpn-simultaneous-logins 1

This group-policy defines the VPN address assignment after a successful login, and also performs split tunnelling.
Any traffic that matches SPLIT-TUNNEL is tunneled through the VPN.
Only DNS queries for * will be tunneled; the rest of the DNS queries will not be tunneled.
The VPN idle timeout is set to 1 hour, and only one login is allowed at any time; no concurrent logins are allowed.
vpn-tunnel-protocol specifies whether the SSL AnyConnect client connection, the WebVPN (browser-based) clientless connection, or both are allowed.

vpn(config)# tunnel-group VPN type remote-access
vpn(config)# tunnel-group VPN general-attributes
vpn(config-tunnel-general)# default-group-policy VPN

Only the default group policy needs to be defined; leave the rest at their defaults. Anything left at default is inherited from the “invisible” default group-policy DfltGrpPolicy; you can only see this group-policy when you issue show run all group-policy. This default group-policy cannot be deleted.

vpn(config-tunnel-general)# tunnel-group VPN webvpn-attributes
vpn(config-tunnel-webvpn)# group-alias VPN

Only create a group, which will be displayed in the drop-down box in the AnyConnect client. The rest will be default settings inherited from the “invisible” default tunnel group known as DefaultWEBVPNGroup; like DfltGrpPolicy it cannot be deleted and can only be shown with show run all tunnel-group.

vpn(config)# vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2

Ok this is stupid in my opinion, this command should not even exist!

If you do not specify it there will be no connections available! If you buy a license for, say, 300 users, make sure you use this command and set the number to 300! Otherwise you will have users complaining that they cannot connect! This command simply allows 2 concurrent AnyConnect VPN sessions.

vpn(config)# sysopt connection permit-vpn

This command tells the ASA to turn a blind eye to VPN traffic: traffic arriving through the VPN tunnel simply bypasses whatever interface access rules you have set…

vpn(config)# http redirect outside 80

Ok, this simply redirects HTTP requests to HTTPS… it makes life easier for VPN users when they use the clientless portal.

Let’s test it!


Ok, the redirection works; I used http instead of https…


On Linux, installing the Cisco AnyConnect client is a bit problematic, so I use openconnect instead

apt install network-manager-openconnect

It is command line…:

cyrus@cyrus-vm:~/Downloads/binaries$ sudo openconnect
Attempting to connect to server
SSL negotiation with
Server certificate verify failed: signer not found

Certificate from VPN server "" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on
Got HTTP response: HTTP/1.0 302 Object Moved
Attempting to connect to server
SSL negotiation with
Server certificate verify failed: signer not found
Connected to HTTPS on
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with
Server certificate verify failed: signer not found
Connected to HTTPS on
Please enter your username and password.
Please enter your username and password.
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
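Rather than answering 'yes' to "signer not found" on every connection, the client can pin the self-signed certificate that was exported from the ASA earlier (the cert.cer step above). This is an added example, not code from the original post: it computes the value for openconnect's --servercert pin-sha256: option (base64 of the SHA-256 of the certificate's SubjectPublicKeyInfo, the same scheme as HPKP) using only the Python standard library; the certificate embedded below is a constructed placeholder, not the lab's real certificate, and the DER walker assumes a standard X.509 certificate layout.

```python
import base64
import hashlib

def der(tag, body):
    """Encode one DER TLV; used here only to construct the sample certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(buf, off):
    """Decode the DER TLV at buf[off:], returning (tag, value_start, value_end)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, off, off + n

def spki_pin_sha256(pem):
    """base64(SHA-256(SubjectPublicKeyInfo DER)): the value after openconnect --servercert pin-sha256:"""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    cert = base64.b64decode(b64)
    _, tbs_off, _ = tlv(cert, 0)           # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, off, tbs_end = tlv(cert, tbs_off)   # tbsCertificate ::= SEQUENCE { [0] version?, serial, ... }
    fields = []
    while off < tbs_end:                   # collect (tag, start, end) of each tbsCertificate child
        tag, _, end = tlv(cert, off)
        fields.append((tag, off, end))
        off = end
    idx = 6 if fields[0][0] == 0xA0 else 5  # SPKI is the 7th field with a version tag, 6th without
    _, start, end = fields[idx]
    return base64.b64encode(hashlib.sha256(cert[start:end]).digest()).decode()

# Constructed sample (not a real ASA certificate): certificate-shaped DER so this runs offline.
_NULL = der(0x05, b"")
_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + _NULL)         # rsaEncryption
_SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + _NULL)  # sha256WithRSA
_NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"vpn.example.test"))))
_VALID = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
SAMPLE_SPKI = der(0x30, _RSA + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x00\xC1" + b"\x5A" * 31) + der(0x02, b"\x01\x00\x01"))))
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SHA256_RSA + _NAME + _VALID + _NAME + SAMPLE_SPKI)
_DER = der(0x30, _TBS + _SHA256_RSA + der(0x03, b"\x00" * 33))   # dummy signature, never verified here
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_DER).decode() + "-----END CERTIFICATE-----\n"
SAMPLE_PIN = base64.b64encode(hashlib.sha256(SAMPLE_SPKI).digest()).decode()   # expected pin for the sample
```

Run it on the real export with spki_pin_sha256(open("cert.cer").read()) and pass --servercert pin-sha256:<value> to openconnect, which then refuses any server presenting a different key instead of prompting. The same value comes from openssl x509 -in cert.cer -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64.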

Ok, a new virtual interface appears, known as tun0


Ok, so from my Cisco ASA gateway I can see this connection:


This entry was posted in General stuffs, VPN.
