Cisco ASA Anyconnect Remote Access VPN


In this lesson we will see how you can use the anyconnect client for remote access VPN. Anyconnect is the replacement for the old Cisco VPN client and supports SSL and IKEv2 IPsec. When it comes to SSL, the ASA offers two SSL VPN modes:

  • Clientless WebVPN
  • AnyConnect VPN

The clientless WebVPN method does not require a VPN client to be installed on the user’s computer. You just open your web browser, enter the IP address of the ASA and you will get access through a web portal. You only have limited access to a number of applications, for example:

  • Internal websites (HTTP and HTTPS)
  • Web applications
  • Windows file shares
  • Email servers (POP3, IMAP, SMTP)
  • Microsoft Outlook Web Access

There is no full network access when you use clientless WebVPN.

Anyconnect VPN offers full network access. The remote user will use the anyconnect client to connect to the ASA and will receive an IP address from a VPN pool, allowing full access to the network.

In this lesson we will use clientless WebVPN only for the installation of the anyconnect VPN client. The remote user opens a web browser, enters the IP address of the ASA, and the portal automatically downloads the anyconnect VPN client and establishes the connection. Here’s the topology that we will use:

Topology: R1 (inside) - ASA1 - Remote VPN Client (outside)

Above we have the ASA firewall with two security zones: inside and outside. The remote user is located somewhere on the outside and wants remote access with the Anyconnect VPN client. R1 on the left side will only be used so that we can test if the remote user has access to the network. Let’s take a look at the configuration!

ASA Configuration

The remote user will be able to download the anyconnect VPN client from the ASA so we need to store it somewhere. Each operating system has a different installation file and we need to have them on the flash memory of the ASA:

There is a different PKG file for each operating system. Above you can see that I have one for Windows, Linux and Mac OS X. If you don’t have them already, make sure you copy them to the flash memory of the ASA.

Our next step is to enable clientless WebVPN:

Now we specify which anyconnect PKG files we want to use:

I’m only specifying the anyconnect client for Windows but if you want to support Linux or Mac OS X users, make sure to add them here. Now we can enable WebVPN on the outside interface:

This enables WebVPN on the outside interface. We also need to enable anyconnect:

When you have an inbound access-list on the outside interface, all decrypted traffic from the SSL WebVPN has to match that inbound access-list. You can either add permit statements for the decrypted traffic or tell the ASA to let this traffic bypass the access-list. Keep in mind that the bypass (sysopt connection permit-vpn) is global: it applies to every VPN tunnel that terminates on the ASA, not just this one, so if you use it, restrict what remote users can reach with a vpn-filter in the group policy rather than relying on the interface access-list:

When remote users connect to our WebVPN they have to use HTTPS. The following option is not required but useful: whenever someone accesses the ASA through plain HTTP on the outside interface, they will be redirected to HTTPS:

The ASA will assign IP addresses to all remote users that connect with the anyconnect VPN client. We’ll configure a pool with IP addresses for this:

Remote users will get an IP address from the pool above, we’ll use IP address range 192.168.10.100 – 200.

By default all traffic will be sent through the tunnel once the remote user is connected. If you want to allow remote users to reach the Internet directly while they are connected, you need to configure split tunneling. Note the trade-off: with split tunneling the client sits on two networks at once and its Internet traffic bypasses whatever inspection the ASA does, so only split what you have to. We will configure an access-list that specifies which networks we want to reach through the tunnel:

This means that the SSL VPN tunnel will only be used to reach the 192.168.1.0 /24 network. Now we can configure the anyconnect group policy:

There’s quite a lot in the group policy, let me break it down for you:

  • The group policy is called “ANYCONNECT_POLICY” and it’s an internal group policy, which means that we configure it locally on the ASA. An external group policy could be on a RADIUS server.
  • The VPN tunnel protocol is ssl-client (for anyconnect) and also ssl-clientless (clientless SSL VPN).
  • Split tunneling has been enabled and we refer to the access-list “SPLIT_TUNNEL” that we just created.
  • The DNS server 8.8.8.8 will be assigned to remote VPN users.
  • The anyconnect keep-installer installed command leaves the anyconnect client installed on the user’s computer when the session ends; with keep-installer none it is removed after the session terminates.
  • The anyconnect ask command specifies how the anyconnect client will be installed on the user’s computer. The none default anyconnect part tells the ASA not to ask the user whether they want to use WebVPN or anyconnect, but to start the download of the anyconnect client automatically.
  • The anyconnect dpd-interval command is used for Dead Peer Detection. With dpd-interval client 30, the remote user’s anyconnect client checks every 30 seconds whether the ASA is still responding. You can also use dpd-interval gateway so that the ASA checks whether the remote user is still responding.

After the group policy configuration we have to create a tunnel group which binds the group policy and VPN pool together:

When the remote user connects, the ASA shows a group name to the remote user. We can specify that group name (a group alias) like this:

You will see that when the remote user connects, the ASA shows the group name “SSL_USERS”. If you have multiple tunnel groups, your remote users need to be able to select a tunnel group from a drop-down list, which is enabled like this:

Now we can create a user account. A local account is fine for a lab; in production you would normally authenticate against RADIUS or LDAP (the static IP post further down this page uses ISE) so that passwords and lockout policy are managed centrally:

We need to tell the ASA that this user account is allowed to access the network:
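The following is an added example written by the editor, not the lesson’s own command listing: it is the ASA CLI that implements the steps described in this section, collected in one place. The names ANYCONNECT_POLICY, SPLIT_TUNNEL, SSL_USERS and SSL_USER, the pool 192.168.10.100-200, the inside network 192.168.1.0/24, the DNS server 8.8.8.8 and the 30-second DPD come from the text; the pool name VPN_POOL, the package filename, the password, the trustpoint name and the VPN_FILTER access-list are assumptions.

```cisco
! Added example by the editor, not the lesson's own listing. It implements
! the steps described above. Names taken from the text: ANYCONNECT_POLICY,
! SPLIT_TUNNEL, SSL_USERS, SSL_USER, pool 192.168.10.100-200, inside network
! 192.168.1.0/24, DNS 8.8.8.8, 30-second DPD. Assumed: the pool name
! VPN_POOL, the package filename, the password, the trustpoint name and the
! VPN_FILTER access-list.

! Step 1: enable WebVPN on the outside interface, register the client
! package (it must already be on flash) and enable AnyConnect. The
! tunnel-group-list line shows the group alias drop-down on the portal.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.x.pkg 1
 anyconnect enable
 tunnel-group-list enable
! Production: present a CA-signed certificate instead of the self-signed
! one, so users are not trained to click through certificate warnings
! (assumed trustpoint name, enrolled beforehand).
! ssl trust-point ASA_CA_TRUSTPOINT outside

! Step 2: let decrypted VPN traffic bypass the outside interface ACL.
! This is global for every VPN terminating on the ASA, so restrict what
! remote users may reach with the vpn-filter below instead.
sysopt connection permit-vpn

! Step 3: redirect plain HTTP on the outside interface to HTTPS.
http redirect outside 80

! Step 4: address pool for remote users.
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0

! Step 5: split tunnel, only 192.168.1.0/24 is sent through the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

! Hardening (not in the lesson): a vpn-filter ACL is written with the
! client's assigned address as source and the inside network as destination.
access-list VPN_FILTER extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

! Step 6: the group policy.
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dns-server value 8.8.8.8
 vpn-filter value VPN_FILTER
 webvpn
  anyconnect keep-installer installed
  anyconnect ask none default anyconnect
  anyconnect dpd-interval client 30

! Step 7: the tunnel group binds policy and pool; the alias is what the
! user sees as "Group" on the portal and in the client.
tunnel-group SSL_USERS type remote-access
tunnel-group SSL_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_POLICY
tunnel-group SSL_USERS webvpn-attributes
 group-alias SSL_USERS enable

! Step 8: a local user that is allowed to use remote access VPN
! (assumed password, lab only).
username SSL_USER password ChangeMe-Lab-Only
username SSL_USER attributes
 service-type remote-access
```

The vpn-filter and the trust-point line are the two additions a practitioner would make before exposing this on a real outside interface: the first confines remote users to the inside network even though sysopt connection permit-vpn skips the interface access-list, the second removes the certificate warnings that the client walkthrough below has to click through.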

Everything is now in place on the ASA. We can use the client to connect to the ASA and install the anyconnect client.

Client Configuration

I will use a Windows 7 client with Internet Explorer for this. Start the browser and enter the IP address of the ASA as the URL. If you use HTTP, you will be redirected to HTTPS:

Cisco Anyconnect Untrusted Connection

The ASA is using a self-signed certificate that is not recognized by the browser, so that’s why you see this error. For a lab that is fine, but in production you should install a certificate from a CA the clients trust: users who are trained to click through this warning cannot tell the real ASA from an impostor presenting some other untrusted certificate. Click continue and you will see the following screen:

Cisco anyconnect login

Now you can authenticate yourself. Enter the username and password that we created earlier. The group name is the group alias that we created. Once you are authenticated you will see this:

Cisco Anyconnect Downloader

The client tries to download Anyconnect automatically; this is because of the anyconnect ask none default anyconnect command that we used. Since we are using a self-signed certificate you will get the following error message:

Cisco Anyconnect Untrusted VPN

You need to click on the Change Setting button and you will see this:

Cisco Anyconnect Allow untrusted VPN

Click on the Apply Change button and you will see this:

Cisco Anyconnect Untrusted VPN Allowed

Click on the retry the connection link and you will see this:

Cisco Anyconnect untrusted VPN certificate

We get one more warning that the certificate cannot be verified. Click on Connect Anyway and the download will finally start:

Cisco Anyconnect Installer

Once it is completed you will see this:

Cisco Anyconnect Connection Established

The Anyconnect client has been installed and the connection has been established. If you look in the Windows taskbar then you will find a small icon:

Cisco Anyconnect Icon

Click on it and it will open the Anyconnect client, here’s what it looks like:

Cisco Anyconnect Client Advanced Button

It is connected and if you want to see some details you need to click on the little “gear” icon, it will give you a nice overview of the connection:

Cisco Anyconnect Statistics

This shows you the IP address that the client has received and some statistics about how many bytes were sent/received. This is looking good but it’s important to verify a couple of things before we end this lesson…

Verification

Client Verification

First we’ll generate some traffic on the client, see if it can reach R1 on the inside network:

That’s looking good, let’s use ipconfig to see what IP address it has received:

You can see that we received IP address 192.168.10.100 (the first IP address from the VPN pool). Anyconnect creates an additional interface, just like the legacy Cisco VPN client does.

ASA Verification

Everything on the client was looking good, there’s also a useful command on the ASA to verify our work:

This shows us that user “SSL_USER” is connected, the IP address it has received and also that it is using an SSL tunnel… mission accomplished! I hope this lesson has been useful to learn about remote access VPN using the Anyconnect client. If you have any questions, feel free to leave a comment!
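As an added example, not the lesson’s own listing, here are the ASA-side checks that belong with this section: the session table the lesson refers to, plus the related commands a practitioner runs when the session does not look right. SSL_USER and SSL_USERS are the lesson’s names; the pool name VPN_POOL is an assumption.

```cisco
! Added example by the editor, not the lesson's own output. SSL_USER and
! SSL_USERS are the names used in the lesson; VPN_POOL is assumed.

! Every active AnyConnect session: username, assigned IP, public IP,
! protocol (e.g. "AnyConnect-Parent SSL-Tunnel DTLS-Tunnel") and group policy.
show vpn-sessiondb anyconnect

! Just this user, with per-tunnel byte counters and the applied
! split-tunnel list and vpn-filter (if any). The assigned address
! should be the first free one in the pool, 192.168.10.100 here.
show vpn-sessiondb detail anyconnect filter name SSL_USER

! Sessions by tunnel group, useful once several aliases exist.
show vpn-sessiondb anyconnect filter tunnel-group SSL_USERS

! Which client packages the ASA serves, and in what order.
show webvpn anyconnect

! Pool usage: "In use" should equal the number of connected users.
show ip local pool VPN_POOL

! Force a session off (incident response, or a misbehaving client);
! the user can reconnect and will get an address from the pool again.
vpn-sessiondb logoff name SSL_USER
```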


Forum Replies

For this part here -

When connected to the VPN, if the users are trying to access internal corporate machines via DNS name, should we provide an internal DNS server address rather than 8.8.8.8?

That would work yes, there are also some other solutions. Take a look at this Cisco post:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html

Which ASA model does your configuration examples apply to? Would you give some thought to doing a video similar to the one about choosing routers and switches but topic would be choosing firewalls.

I used the ASA 5510 for most of these examples. The big difference between the ASA 5505 and all the other models is that it’s the only firewall that has 4 switchports.

The 5510 only has L3 interfaces, it doesn’t have switchports. The ASA 5506 that replaces the 5505 also doesn’t have switchports anymore.

A video for the different firewalls might be a good idea, for labs the ASA 5510 with security plus license is probably the best choice for now.

I was asking because Cisco Packet Tracer 6.2 has a 5505 under its Security device category. I will add an ASA 5510 to the physical lab after I pass the CCNA exam. I have to keep reminding myself to not spend a lot of time for now on things that are not going to be on the CCNA exam. It is easy to get distracted by topics not on the exam.

Thanks for your response


ASA AnyConnect VPN with Static Client IP Address

When using a Cisco ASA with the AnyConnect VPN client software, it is sometimes useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure a static IP address per user and have that address used whenever the user connects to the VPN. The RADIUS server (in this instance Cisco ISE 2.0) can be configured to query the AD attribute that holds this value, “msRADIUSFramedIPAddress”, and return it to the ASA as the RADIUS Framed-IP-Address, which the ASA then assigns to the client whenever they connect.

This post only describes configuring a static IP address for a Cisco AnyConnect Remote Access VPN. Refer to the following posts for more detailed instructions on how to configure an ASA Remote Access VPN and integrate it with Cisco ISE for authentication: ASA AnyConnect SSL-VPN and ASA AnyConnect IKEv2/IPSec VPN.

Software/Hardware Used:

  • Windows 7 SP1 (Client)
  • Windows 2008 R2 (Active Directory Domain Controller)
  • Cisco ISE 2.0 (RADIUS Server)
  • Cisco ASAv v9.6(1)
  • Cisco AnyConnect Client 4.2.01022

Cisco ASA Configuration

  • Modify the existing IP address pool to decrease the number of IP addresses, leaving space at the end (or beginning) of the range for statically assigned IP addresses. The static addresses must not overlap the pool, otherwise a pool user can be handed an address that a static user is already using.


AD Account Modification

  • Select a test account within AD
  • Modify the properties of the test account; select the “Dial-in” tab


  • Tick the “Assign Static IP Address” box
  • Click the “Static IP Address” button
  • Tick the “Assign a static IPv4 address” box and enter an IP address from within the IP address range defined on the Cisco ASA appliances


  • Click “OK” to complete the configuration

Cisco ISE Configuration

Add AD Attribute

  • Modify the configuration of the existing Active Directory External Identity Source and select Edit


  • Click “Attributes” tab
  • Click “Add” > “Select Attributes from Directory”
  • Enter the name of the test user previously modified to add the Static IP address and select “Retrieve Attributes”


  • Ensure you tick the box “msRADIUSFramedIPAddress” and click “Ok”

IMPORTANT – If you have not previously assigned a static IP address to the user account you use to query AD for the list of attributes, “msRADIUSFramedIPAddress” will not appear in the list to select.

  • Edit the attribute “msRADIUSFramedIPAddress” and change the “Type” value from STRING to IPv4. AD stores this attribute as an integer, so without this change ISE would not return it as a dotted-quad Framed-IP-Address.


  • Click “Save”

Create Authorization Profile

  • Create a new “Authorization Profile” called “Static-VPN-IP-Address” – Policy > Policy Elements > Results > Authorization > Authorization Profiles


NOTE – “LAB_AD” will equal the name of YOUR Active Directory join point in ISE. The profile’s Advanced Attributes Settings map Radius:Framed-IP-Address to LAB_AD:msRADIUSFramedIPAddress, so ISE returns the user’s AD value in the Access-Accept.

Modify Policy Set

  • Modify the existing authorization rule in the policy set so that it returns the “Static-VPN-IP-Address” Authorization Profile


Test AnyConnect VPN Client

  • Log in to the VPN using the test client; once successfully authenticated, check whether the client has been assigned the correct IP address


  • Within the RADIUS authentication logs, double-check that the Framed-IP-Address value was used


Repeating the test for a user that does NOT have a static IP address assigned within AD continues to work, and an IP address is assigned from the configured IP address pool on the ASA.
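As an added example, not part of the original post, here is the ASA side that the post assumes is already in place: the resized pool, the RADIUS server group for ISE, the tunnel group authenticating against it, the address-assignment order that lets the RADIUS Framed-IP-Address win over the local pool, and the commands to check the result. The ISE address 192.168.1.10, the shared secret, the test username and password, and the pool and tunnel-group names (VPN_POOL and SSL_USERS, carried over from the lesson above) are assumptions.

```cisco
! Added example by the editor, not part of the original post. Assumed:
! ISE at 192.168.1.10 reachable via the inside interface, the shared
! secret, the test user, and the names VPN_POOL and SSL_USERS from the
! lesson above. The AD and ISE steps in the post are GUI-only and are
! not reproduced here.

! Shrink the pool so that 192.168.10.151-200 is free for static
! assignments. Do this while no session is using the pool; a RADIUS-
! assigned address must never also be handed out by the pool.
no ip local pool VPN_POOL
ip local pool VPN_POOL 192.168.10.100-192.168.10.150 mask 255.255.255.0

! RADIUS server group pointing at ISE (assumed address and secret).
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.1.10
 key ISE_SHARED_SECRET
 authentication-port 1812
 accounting-port 1813

! Authenticate the tunnel group against ISE instead of the LOCAL database.
tunnel-group SSL_USERS general-attributes
 authentication-server-group ISE
 address-pool VPN_POOL

! Address assignment order: an address in the RADIUS Access-Accept
! (Framed-IP-Address, attribute 8) is used before DHCP and the local
! pool. All three methods are on by default; shown explicitly here.
! reuse-delay holds a released pool address for 5 minutes so a
! reconnecting user does not immediately inherit someone else's address.
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5

! Checks.
! 1. Does ISE accept the credentials at all, and is the secret right?
test aaa-server authentication ISE host 192.168.1.10 username testuser password TestPassword1
! 2. Watch the attributes ISE returns during a real client login; the
!    Access-Accept should carry Framed-IP-Address for the static user.
debug radius all
undebug all
! 3. The assigned address must match msRADIUSFramedIPAddress for this user,
!    and must lie outside the shrunk pool range.
show vpn-sessiondb anyconnect filter name testuser
! 4. A user without the AD attribute should appear with a pool address.
show ip local pool VPN_POOL
```

The shared secret in the example is a placeholder; in practice it is generated, stored outside the configuration, and rotated with the ISE network device entry. Steps 3 and 4 together are the test the post describes at the end: one user with a static address and one without, both connecting successfully.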


Published by integratingit


Cisco AnyConnect Static IP Assignment


Callum97

Related Links

  1. Configure Static IP Address Assignment to AnyConnect Users via ...

    Click the orange arrow and choose Radius > Framed-IP-Address--[8]. Type the IP address that you want to statically assign always to this user and click Save. Step 10. Now, choose the newly created Authorization Profile. The Authorization rule is now all set. Click Save. Verify. Step 1. Navigate to your client machine where the Cisco AnyConnect ...

  2. Cisco ASA Anyconnect Remote Access VPN

    The ASA will assign IP addresses to all remote users that connect with the anyconnect VPN client. We'll configure a pool with IP addresses for this: ASA1(config)# ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.. Remote users will get an IP address from the pool above, we'll use IP address range 192.168.10.100 - 200.

  3. PDF Anyconnect Client to ASA with Use of DHCP for Address Assignment

    Configure Cisco Anyconnect Secure Mobility Client. ASDM Procedure. Complete these steps in order to configure the remote access VPN: Enable WebVPN. Choose Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles and under Access Interfaces, click the check boxes Allow Access and Enable DTLS for ...

  4. Configure Anyconnect VPN Client on FTD: DHCP Server for Address ...

    1. Navigate to Advanced > Address Assignment Policy and ensure the Use DHCP option is toggled as shown in the image. 2. Save the changes and deploy the configuration. IP Helper Scenario. When the DHCP server is behind another router in the Local Area Network (LAN), an "IP helper" is needed in order to forward the requests to the DHCP Server.

  5. Cisco AnyConnect Static IP Assignment

    With the Cisco ASA, AnyConnect can be configured with RADIUS to pass through the Assign Static IP Address value. RADIUS and Active Directory is an authentication method for AnyConnect and therefore there should be a way we can have it pass the IP address assignment through. The nature of AnyConnect on the Meraki is currently all done DHCP, the ...

  6. PDF Configure Static IP Address Assignment to AnyConnect Users via ...

    Step 1. Log in to the ISE server and navigate to Administration > Network Resources > Network Devices. Step 2. In the Network Devices section, click Add so ISE can process RADIUS Access Requests from the FTD. Enter the network device Name and IP Address fields and then check the RADIUS Authentication Settings box.

  7. PDF Configuring IP Addresses for VPN

    minutes in the range 1 - 480 to delay IP address reassignment. This configurable element is available for IPv4 assignment policies. Use one of these methods to specify a way to assign IP addresses to remote access clients. Configuring IP Address Assignment Options using ASDM