CISCO ASA 5505 Any Connect

Posted on 2013-01-31
Last Modified: 2013-01-31
Could someone please help me configure, in ASDM if possible or by commands, an AnyConnect SSL VPN from scratch. I was able to make a client connect and he was able to do remote desktop and use some features, however as soon as a VPN was established he automatically lost the capability to browse the Internet. Any device on the ASA 5505 network can browse and do what it's supposed to, but a client using AnyConnect on a different network loses the ability to access the Internet as soon as they connect with the VPN. I have read that it has to do with split tunneling, but I was hoping someone could help me get this up and running from the ground up.
Question by: kajumblies
LVL 20

Expert Comment

ID: 38840244

! standard access list tells the clients which destination subnets should go across the tunnel
access-list VPNCLIENTSPLITTUNNEL standard permit

ip local pool VPNCLIENTPOOL mask

nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

webvpn
port 4443
enable outside
dtls port 4443
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
anyconnect enable
tunnel-group-list enable

group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
dns-server value x.x.x.x
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
default-domain value

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPNCLIENTPOOL
default-group-policy VPNCLIENTGP

tunnel-group VPNCLIENT webvpn-attributes
group-alias "group alias" enable

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx

LVL 57

Accepted Solution

Pete Long earned 500 total points
ID: 38840252
LVL 20

Expert Comment

ID: 38840275
Assumptions from above:

Your only inside network is
Modify the splittunnelacl as needed.
The IPs being handed out to the client is and shouldn't overlap with any other existing subnet in your network.
The object groups "SUBNETS-INTERNAL" and "SUBNET-VPNCLIENT" are defined and include the appropriate subnets.
To enable both ASDM and AnyConnect, they cannot use the same port number. ASDM will now require https://[ip_address]:8443 to access the ASA.
The AnyConnect images should reflect the actual files you have loaded on your ASA.
No authentication server is defined, so by default it will use local authentication. It is up to you to decide if that's OK or to use another method such as RADIUS or LDAP.
If you ONLY want users to connect via SSL, you don't need:
group-policy VPNCLIENTGP attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx

LVL 20

Expert Comment

ID: 38840301
I didn't realize until after responding that I've already worked with you on this.

The only thing missing from your config before was the split tunnel. The split tunnel must be defined for each group policy you want this applied.

Also, when posting firewall configs make sure you scrub the configs of identifying information such as full public IP address and usernames/passwords. Even if some of it is encrypted, a plain text username is still a starting point for someone to get on your network.
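
An added checker, not from this thread or from Cisco, that reads an ASA running-config and verifies the assumptions listed in the two comments above: every group-policy using tunnelspecified names a defined standard ACL (the split tunnel must exist per group policy), the client pool does not overlap the subnets sent across the tunnel, and ASDM and the webvpn listener are on different ports. The sample config and its RFC 5737 addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample running-config (RFC 5737 test addresses), not the poster's config.
SAMPLE_CONFIG = """\
access-list VPNCLIENTSPLITTUNNEL standard permit 192.0.2.0 255.255.255.0
ip local pool VPNCLIENTPOOL 198.51.100.10-198.51.100.50 mask 255.255.255.0
http server enable 8443
webvpn
 port 4443
 enable outside
group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
group-policy FULLTUNNELGP internal
group-policy FULLTUNNELGP attributes
 split-tunnel-policy tunnelspecified
"""

def lint_split_tunnel(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Standard ACLs name the destination subnets that go across the tunnel.
    acls = {}
    for m in re.finditer(r"^access-list (\S+) standard permit (\S+) (\S+)", config, re.M):
        net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        acls.setdefault(m.group(1), []).append(net)
    # Every group-policy using tunnelspecified needs its own defined network list.
    parts = re.split(r"^group-policy (\S+) attributes\n", config, flags=re.M)
    for name, body in zip(parts[1::2], parts[2::2]):
        body = re.split(r"^\S", body, maxsplit=1, flags=re.M)[0]  # keep indented lines only
        if "split-tunnel-policy tunnelspecified" not in body:
            continue
        m = re.search(r"split-tunnel-network-list value (\S+)", body)
        if not m:
            findings.append(f"{name}: tunnelspecified but no split-tunnel-network-list configured")
        elif m.group(1) not in acls:
            findings.append(f"{name}: network list {m.group(1)} is not a defined standard ACL")
    # The client pool must not overlap any subnet routed over the tunnel.
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    if m:
        pool = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        for acl_name, nets in acls.items():
            findings += [f"pool {pool} overlaps {n} in {acl_name}" for n in nets if pool.overlaps(n)]
    # ASDM (http server) and the AnyConnect webvpn listener cannot share a port.
    asdm = re.search(r"^http server enable ?(\d*)", config, re.M)
    wv = re.search(r"^webvpn\n(?: .*\n)*? port (\d+)", config, re.M)
    if asdm and wv and int(asdm.group(1) or 443) == int(wv.group(1)):
        findings.append(f"ASDM and webvpn both use port {wv.group(1)}")
    return findings
```

Run it against `show running-config` output saved to a file; FULLTUNNELGP in the sample is flagged because it sets tunnelspecified without naming a list.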

Author Closing Comment

ID: 38840461
This was exactly what I needed, thanks so much.
