Configuring SSL VPN on Cisco ASA

Starting a few years ago, Cisco began to phase out their support of the long standing VPN Client software which used IPsec. Basically, they didn’t make a 64-bit version to run on Windows 7 and 8, so unless you use XP, its very hard to use the old Cisco VPN client software. The replacement is AnyConnect, which can be launched via the web. AnyConnect does not use IPsec for the vpn tunnel, it uses SSL. The downside is it requires additional licensing, most ASA’s only come with 1 SSLVPN user license, and 10 IPSec.

Here is how you configure a typical ASA (running IOS 8.3) to use webvpn and AnyConnect.


1. The outside or public WAN IP of the ASA is
2. The inside or local access range is
3. The VPN IP pool that we will create is

Here is the complete config with some comments.

Create and apply a nonat access list:
ASA(config)# access-list nonat extended permit ip
ASA(config)# nat (inside) 0 access-list nonat

Define a split tunnel access list:

ASA(config)# access-list splitvpn standard permit

Define the Group Policy for the WebVPN:

ASA(config)# group-policy SSLVPN_POLICY internal
ASA(config)# group-policy SSLVPN_POLICY attributes
ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# split-tunnel-policy tunnelspecified
ASA(config-group-webvpn)# split-tunnel-network-list value splitvpn
ASA(config-group-webvpn)# split-dns value
ASA(config-group-webvpn)# dns-server value X.X.X.X

In the above case, would be your local DNS search suffix. The X.X.X.X would be the IP of your local DNS server if you used one, if not you can leave it out or insert a public DNS server IP like

Define a DHCP pool for the clients to use:
ASA(config)# ip local pool vpnpool mask

Define a local user to use for the VPN:
ASA(config)# username johndoe password ABC123 privilege 0
ASA(config)# username johndoe attributes
ASA(config-username)# vpn-group-policy SSLVPN_POLICY

Enable WebVPN:
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
ASA(config-webvpn)# svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
ASA(config-webvpn)# svc enable

The above location/filename of the AnyConnect software may vary, to verify just type the “dir” command from the main prompt to see a file listing showing the exact filename versions.

Define the tunnel group:
ASA(config)# Tunnel-group SSLVPN_TUNNEL type remote-access
ASA(config)# Tunnel-group SSLVPN_TUNNEL general-attributes
ASA(config-tunnel-general)# default-group-policy SSLVPN_POLICY
ASA(config-tunnel-general)# address-pool vpnpool

Link the tunnel group to WebVPN:

ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# tunnel-group SSLVPN_TUNNEL webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias AnyConnect enable

Total Views: 7527 ,