23rd February 2019 Advice 15 Minutes

Right, let's start with a good helping of honesty for those that have landed straight here: this post gets more SEO traction than any other on our site, and I feel it's long overdue an update with useful content for those wishing to navigate the minefield that is AnyConnect configuration.

If you benefit from the content, your feedback and interaction will genuinely be the difference between us making more of our technical advice available to the wider community. So, please comment or even share at the bottom with how this impacted you! Thank you!

What have you done choosing AnyConnect!?

I want to start with why we use AnyConnect before we get into the how, as right now you might be reconsidering your choice. Our clients are all SMEs in and around the South West (UK). For their internet breakout, they want a reliable device, at a great price point, with good to middle functionality.

Often, our clients are more concerned with VPN functionality, and that's where the duo of AnyConnect and ASA works wonders. AnyConnect is, in our opinion, better than any other VPN software on the market from the client perspective, but it comes with the caveat that it has to be configured to each client's requirements.


Let's get into it...

The starting point for this guide is an ASA fully configured and working as an internet breakout, an A record pointing to its public interface, and the AnyConnect licence dealt with. We'll cover the following sections:

  1. SSL Certificate
    1. Create certificate Windows Server
    2. Install certificate on ASA
  2. AnyConnect Wizard
  3. Split Tunnel vs Full Tunnel
  4. Allow Local LAN access
  5. AnyConnect Client Profile
  6. Take away from here

Needless to say, AnyConnect is unbelievably customisable and this guide represents our base configuration. If you have any questions or want to comment with how you do it differently, please feel free to post.

Create certificate Windows Server

You can create an SSL certificate in several ways, even directly on the ASA, but we find it easier to create the certificate in Windows IIS, export the PFX to the ASA and delete it from the source afterwards (the private key has no business living on a web server). If you have your own way of doing this, please ignore this section.

Log in to any Windows server you have access to and open IIS Manager (you may need to install it). Open the "Server Certificates" section and start the "Create Certificate Request" wizard. I tend to complete the wizard as follows;

  • Common name: FQDN of VPN
  • Organization: Client Name
  • Organizational Unit: IT
  • City: Client City
  • State/Province: Client County
  • Country: GB
  • BUTTON: Next
  • Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
  • Bit length: minimum 2048
  • Filename: wherever you wish but you’ll need to upload to your CA
  • BUTTON: Finish

Finish the wizard, save the CSR and supply it to your chosen Certificate Authority. Once the CA has validated the request, take the issued certificate (the public key) and run through the "Complete Certificate Request" wizard within IIS. I tend to complete the wizard as follows;

  • Supply public key provided by CA
  • Friendly name: Client – AnyConnect
  • Certificate store: Personal

You’ll now have an installed certificate showing in “Server Certificates”. Both the public and private key have to be installed; otherwise, they won't show in that section. If you see your certificate, it means you completed the install successfully!

Select the certificate and click Export. Provide a strong password, as it is all that protects the private key inside the PFX, tick the option to include all certificates in the certification path (so the CA's intermediate certificate comes along; clients need the full chain to trust the ASA) and note where you save the pfx. Copy the pfx to the machine you're using for ASDM, then delete the exported file and the certificate from the Windows server. We've finished with it, so you can log out.


Install certificate on ASA

Open ASDM and navigate to Configuration > Device Management > Certificate Management > Identity Certificates > Add > Browse > Select your PFX file and provide the password created earlier.
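If you prefer the CLI, or want to see what ASDM did on your behalf, this is the equivalent import. It is an added example for this update, not the configuration from the original walkthrough: the trustpoint name VPN_CERT, the interface name outside and the TLS settings are assumptions, and the ASA expects the PFX as base64 text, so convert it first (for example `openssl base64 -in vpn.pfx -out vpn.pfx.b64` on any machine with OpenSSL) and paste that output at the prompt.

```cisco
! Import the PKCS12 (certificate, private key and chain) into a trustpoint.
! VPN_CERT is an assumed trustpoint name; the passphrase is the one you set
! when exporting from IIS.
crypto ca import VPN_CERT pkcs12 <export-passphrase>
! ...paste the base64 text of the PFX here, then finish with:
quit

! Present this certificate to AnyConnect clients arriving on the outside interface.
ssl trust-point VPN_CERT outside

! Only accept TLS 1.2 from clients and restrict to the high-strength cipher set
! (ASA 9.3(2) or later; check your release's notes for the matching DTLS options).
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high

! Checks: confirm the certificate and its chain imported, and which trustpoint
! is bound to which interface.
show crypto ca certificates VPN_CERT
show running-config ssl
```

If the import is rejected with a PKCS12 format error, a common cause is the Windows export wizard having used AES256-SHA256 encryption for the PFX; re-export choosing TripleDES-SHA1 and try again.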

AnyConnect Wizard

In the interest of not making things harder than they need to be, I use the wizard to complete the bulk of the configuration and then go back and make the changes our clients need.

In the ASDM, go to Wizards > VPN Wizard > AnyConnect Wizard.

  • Introduction
    • CLICK Next
  • Connection Profile Identification
    • Connection Profile Name: AnyConnect
    • VPN Access Interface: Needs to be your outside interface
    • CLICK: Next
  • VPN Protocols
    • Untick the IPsec box (SSL only)
    • Device Certificate with RSA Key: Select the certificate installed
    • Device certificate with ECDSA Key: None
    • CLICK: Next
  • Client Images
    • Upload the required Client Images for your clients and order in preference (Windows, Mac and Linux)
    • CLICK: Next
  • Authentication Methods
    I'm not covering authentication in this post. We primarily use RADIUS or SAML (with Duo). For the wizard, a LOCAL test account is enough to get connected; delete it once real authentication is in place.
    • AAA Server Group: LOCAL
    • User to be Added
      • Username: test (case sensitive)
      • Password & Confirm: whateveryouwant
    • SAML Configuration: leave empty when using LOCAL
    • CLICK: Next
  • Client Address Assignment
    You can create whatever pool you want here, but make sure it doesn't overlap with the office subnet (or common home ranges such as 192.168.0.0/24 and 192.168.1.0/24), and note the exact range: the network object you create later for NAT must match it.
    • Address Pool: New…
    • Add IPv4 Pool
      • Name: AnyConnect_POOL
      • Starting IP Address:
      • Ending IP Address:
      • Subnet Mask:
    • CLICK: Next
  • Network Name Resolution Servers
    • DNS Servers: your DNS servers
    • WINS Servers: rarely needed
    • Domain Name: your local network domain name
    • CLICK: Next
  • NAT Exempt
    • Exempt VPN traffic from network address translation: tick
    • Inside Interface: your inside interface
    • Local Network: select or create the object for the inside subnet
    • CLICK: Next
  • AnyConnect Client Deployment
    • CLICK: Next
  • Summary
    • CLICK: Finish

Split Tunnel vs Full Tunnel

That is enough to connect with the AnyConnect client to the public A record you set up and reach the office subnet, but the client will have no internet access: the group policy the wizard creates tunnels everything, and the ASA does not yet let that traffic back out of the outside interface. Pretty useless!

So, this is where you need to make an important decision: do you offer clients a split tunnel or a full tunnel? With a split tunnel only the corporate networks go through the VPN; everything else leaves the endpoint directly, outside whatever inspection the ASA applies, while the endpoint holds a live route into the client's corporate network, so a compromised endpoint can act as a gateway into it. That is why we don't offer it. If you do want one because bandwidth matters to you (in a full tunnel all of the client's internet traffic crosses the outside interface twice, in and out), set the group policy the wizard created to tunnel only a network list, and put just the corporate subnets in that list.

Onwards with our full tunnel example. Hairpinning (traffic entering the outside interface and leaving through it again) needs two things: permitting traffic between hosts on the same interface, and a dynamic NAT rule for the VPN pool.

To permit traffic between two or more hosts connected to the same interface: open ASDM > Configuration > Device Setup > Interface Settings > Interfaces and tick "Enable traffic between two or more hosts connected to the same interface".

The NAT rule lets the VPN clients' internet traffic go back out of the interface they arrived on (outside), PAT'd to the outside address. We do this with an Object NAT rule, the same way as the ANY rule for the inside interface: create a network object with exactly the same range as the AnyConnect pool from the wizard, and on its NAT tab add a dynamic PAT rule from the outside interface to the outside interface using the interface address.

This will show in the NAT rules section above your default PAT rule.
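Here is the full-tunnel configuration from the last few paragraphs as the ASA sees it, with the split-tunnel alternative from the decision above alongside it. This is an added example for this update, not the original post's configuration: the pool range, the office subnet, the object names INSIDE_NET and SPLIT_TUNNEL, and the group policy name are assumptions; the wizard itself already creates the pool (ip local pool) and the NAT exemption, so only the hairpin pieces are new on a wizard-built box.

```cisco
! Allow traffic that arrived on the outside interface to leave through it again
! (the "enable traffic between two or more hosts connected to the same interface" tickbox).
same-security-traffic permit intra-interface

! The VPN pool as a network object, with exactly the range used by the wizard's
! ip local pool (10.200.0.0/24 is an assumed range for this example).
object network AnyConnect_POOL
 subnet 10.200.0.0 255.255.255.0
 ! PAT the clients' internet traffic out of the outside interface address (the hairpin).
 nat (outside,outside) dynamic interface

! What the wizard's "NAT Exempt" step produces: office <-> VPN clients untranslated.
! INSIDE_NET is an assumed object name for the office subnet.
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static AnyConnect_POOL AnyConnect_POOL no-proxy-arp route-lookup

! Option 1, full tunnel (what the wizard leaves you with): every packet from the
! client goes through the ASA, so client internet traffic is inspected here and
! nothing on the endpoint talks to the internet directly while connected.
group-policy GroupPolicy_AnyConnect attributes
 split-tunnel-policy tunnelall

! Option 2, split tunnel: only the listed corporate networks are tunnelled;
! everything else leaves the endpoint directly and bypasses the ASA. Keep the
! list to the corporate subnets only.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
group-policy GroupPolicy_AnyConnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Check: see the policy and routes a connected user actually received.
show vpn-sessiondb detail anyconnect
```

Pick one of the two group-policy stanzas; the second overrides the first if both are entered. Whichever you choose, the NAT exemption must stay above the hairpin rule in the NAT table, as the ASDM view after the wizard shows, otherwise office-bound traffic gets PAT'd to the outside address and the return path breaks.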

Allow Local LAN access

So, at this point you'll be able to log in to the VPN from a client, have an internet connection as if you were in the office and reach the office subnet. The one thing that won't work is access to the subnet the client is physically sitting on (the home or hotel LAN). We normally see this with clients trying to print or reach IoT devices at home.

To allow it, the AnyConnect client profile has to have "Allow Local LAN access" enabled, but that alone isn't enough: the ASA must also exclude the local LAN from the tunnel. Bear in mind this is itself a split-tunnel exclusion, so the endpoint's local subnet and the corporate network are reachable at the same time; treat it as a deliberate, narrow exception to the full tunnel rather than a free extra. As an administrator you need to complete the following;

  • Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Edit GroupPolicy_AnyConnect > Advanced > Split Tunneling
    • Policy
      • Untick Inherit
      • Exclude Network List Below
    • IPv6 Policy: Leave as Inherit
    • Network List
      • Untick Inherit
      • CLICK: Manage…
      • Add > ACL
        • Name: Local_Lan_Access
      • Add > ACE
        • Addresses:
      • CLICK: OK
    • CLICK: OK
  • CLICK: Apply
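The same exclusion on the CLI, as an added example for this update rather than the original post's configuration. The group policy name is the wizard's default; the ACL entry is the value Cisco documents for local LAN access (host 0.0.0.0 means "whatever subnet the client adapter is on", resolved by the client at connect time), and it is what goes in the ADDRESSES field of the ACE above.

```cisco
! Standard ACL describing what is excluded from the tunnel. host 0.0.0.0 is the
! documented "client's own local subnet" value; do not list real networks here
! unless you intend to split-tunnel them as well.
access-list Local_Lan_Access standard permit host 0.0.0.0

group-policy GroupPolicy_AnyConnect attributes
 ! Everything is tunnelled except the listed exclusions.
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_Lan_Access

! The client only honours the exclusion if its profile carries Allow Local LAN
! Access = true; the ASA side alone does nothing visible to the user.

! Check: the session detail shows the exclusion the client received, and the
! client's own statistics window should list the local subnet as "secured: no".
show vpn-sessiondb detail anyconnect
```

Because excludespecified keeps every other destination in the tunnel, the hairpin NAT from the previous section stays in place and the client's internet traffic is still inspected by the ASA; only the directly attached subnet is carved out.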

AnyConnect Client Profile

Take away from here
