- How Remote Access VPN Works
- AnyConnect/Secure Client Remote Access VPN Overview
- AnyConnect Modular Features
- Configuring AnyConnect/Secure Client Profiles via ASDM
- Transport Protocols: TLS and DTLS
- Advanced AnyConnect/Secure Client Features via XML Profiles
- Creating and Editing AnyConnect/Secure Client Profiles in ASDM
- Using a Router as a Certificate Authority (CA) in a Lab
- Configuring AnyConnect with IKEv2
- ASA CLI Tips and Wizard Commands
- Group Policies: Centralized Configuration Containers
- WebVPN: Customizing the Clientless Experience
- Configuring Client Profiles (XML)
- Configuring SSL VPN with AnyConnect (Thick Client) on Cisco ASA
- SSL VPN with AnyConnect Using Advanced DHCP Address Assignment
- SSL VPN with AnyConnect: Advanced Split-Tunnel Configuration
- SSL VPN with AnyConnect: Advanced Group-Lock Configuration
- SSL VPN with AnyConnect: Advanced Time-Based Access Control (Time-ACL)
- SSL VPN with AnyConnect: Authentication via ISE TACACS+
- SSL VPN with AnyConnect: Authentication via ISE RADIUS
- Useful ASA Show Commands for AnyConnect and WebVPN
The ASA’s Remote Access VPN solution can be implemented using either software or hardware, depending on the deployment needs. On the software side, AnyConnect/Secure Client clients are commonly used to establish secure connections. These clients provide user-friendly interfaces and are compatible with various operating systems, making them ideal for individual users and mobile workforces.
How Remote Access VPN Works
The operational flow of a Remote Access VPN session is designed to be secure and efficient. Here’s how it typically works:
- Client Initiation: The process begins when the remote client initiates a VPN connection by sending a proposal to the VPN server. This proposal includes a pre-defined policy specifying how the client intends to communicate.
- Policy Matching: The server compares the incoming client proposal with its own configured policies. If a match is found, the connection proceeds.
- Authentication: The server then prompts the user for a username and password. This step ensures that only authorized users can gain access.
- Policy Delivery: Upon successful authentication, the server sends a policy to the client. This includes key information such as the assigned internal IP address, subnet mask, and the definition of “interesting traffic”—the types of traffic that should be encrypted and tunneled through the VPN.
- Routing Configuration: To complete the setup, the server installs a reverse route into its routing table. This allows return traffic to be properly routed back to the remote client’s internal IP address.
This structured process ensures secure, policy-driven access while preserving the integrity and confidentiality of the enterprise network.
AnyConnect/Secure Client Remote Access VPN Overview
Cisco AnyConnect is a robust remote access VPN solution that supports both SSL and IKEv2 VPN clients, providing flexibility based on deployment preferences and client capabilities. This section walks through the configuration steps and highlights the key modular features of the AnyConnect ecosystem.
AnyConnect/Secure Client Setup
To begin configuring Cisco AnyConnect, you must ensure the AnyConnect client image (such as anyconnect.pkg) is properly loaded into the device flash memory. This image is crucial for enabling SSL VPN client access.
Enable WebVPN on the ASA’s external interface using the following commands:
webvpn
enable outside
Then, enable the AnyConnect feature and reference the image:
anyconnect image flash:/anyconnect.pkg
anyconnect enable
Group Policy and Tunnel Configuration
Define a group policy for the VPN clients, specifying internal usage and SSL client tunneling:
group-policy SALES internal
group-policy SALES attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
The split-tunnel-policy tunnelall line ensures all traffic from the client is tunneled through the VPN. You can modify this depending on your desired split-tunneling behavior.
Next, define an IP address pool that will be assigned to VPN clients:
ip local pool SSLPOOL 192.168.1.10-192.168.1.254 mask 255.255.255.0
Link the address pool and group policy to a tunnel group. This associates the client configuration with the VPN connection profile:
tunnel-group SSLTUNNEL type remote-access
tunnel-group SSLTUNNEL general-attributes
address-pool SSLPOOL
default-group-policy SALES
webvpn
tunnel-group-list enable
User Authentication
You can configure local user credentials for VPN access using:
username kmac password cisco123
username kmac attributes
vpn-group-policy SALES
AnyConnect Modular Features
AnyConnect is modular and includes a suite of optional components designed to extend security and visibility:
- VPN Core Module – Enables SSL and IPsec/IKEv2 tunneling.
- AMP Enabler – Integrates Advanced Malware Protection (introduced in AnyConnect v4.1).
- ISE Posture Module – A built-in Network Access Control (NAC) agent for Cisco Identity Services Engine.
- Web Sentry – Connects the client to Cisco Cloud Web Security (CWS).
- NAM (Network Access Manager) – Acts as an 802.1X supplicant to manage network authentication.
- Feedback Service Profile – Used for collecting client experience data.
- Telemetry – Legacy module for basic usage tracking.
- Network Visibility Module (NVM) – Introduced in AnyConnect 4.2, this module captures rich flow-based endpoint telemetry and exports it to a NetFlow collector for advanced network analysis.
This setup provides a scalable and feature-rich remote access VPN solution for both enterprise and SMB networks. Whether you’re focused on security, posture enforcement, or enhanced visibility, AnyConnect’s modular design allows you to tailor the deployment to your needs.
Configuring AnyConnect/Secure Client Profiles via ASDM
For administrators who prefer a GUI-based configuration approach, Cisco’s Adaptive Security Device Manager (ASDM) offers a convenient way to create and manage AnyConnect client profiles.
To begin, navigate through the ASDM interface to: Configuration > Remote Access VPN > AnyConnect Client Profile
Once there, you can create a new profile by selecting the “Add” button. The “Add AnyConnect Client Profile” dialog will allow you to input a profile name, select the appropriate usage (e.g., VPN profile, Feedback, NAM, Web Security, Telemetry, or ISE Posture), and link it to a group policy. You can either upload a custom XML file or browse the flash memory for existing profiles. This allows you to granularly control how AnyConnect behaves for users, including Always-On VPN settings, client behavior customizations, and posture validation.
This modular profile setup is especially useful in environments that use multiple AnyConnect features such as network access control (NAC), anti-malware integration, or endpoint telemetry.
Transport Protocols: TLS and DTLS
Cisco AnyConnect uses TLS or DTLS as its transport mechanisms. Understanding these helps you make informed decisions regarding performance and compatibility:
- TLS (Transport Layer Security): This is based on TCP/443 and functions similarly to SSLv3. While SSLv3 was licensed by Netscape and is now deprecated, TLS is the open and modern replacement. TLS can act as a fallback transport if DTLS is unavailable.
- DTLS (Datagram TLS): Operating over UDP/443, DTLS offers performance improvements for latency-sensitive applications such as voice or video. Because it avoids the overhead of TCP, DTLS is generally preferred for faster, real-time traffic.
By default, AnyConnect attempts to establish a DTLS tunnel first. If that fails, for example because of a firewall or NAT traversal issue, it gracefully falls back to TLS. This automatic negotiation ensures optimal performance without compromising accessibility.
Advanced AnyConnect/Secure Client Features via XML Profiles
Cisco AnyConnect supports a wide range of advanced capabilities that can be enabled through XML profiles deployed to the client. These profiles allow administrators to tightly control VPN behavior based on enterprise security policies and user experience goals.
SSL and IKEv2 VPN Support
At its core, AnyConnect supports both SSL and IKEv2 VPN protocols, providing administrators with flexibility in selecting the best transport mechanism for their environment. IKEv2 is often favored for its resilience and support for modern cryptographic suites, while SSL provides broader compatibility, especially through firewalls and NAT.
Always-On VPN
The Always-On feature ensures that users remain continuously connected to the VPN regardless of their location. This is particularly useful in environments where traffic must always be routed through corporate infrastructure, such as when enforcing web proxy policies or DLP solutions. Even when users try to access public internet resources, all traffic is first tunneled through the ASA. Many organizations complement this setup with internal proxy servers to redirect outbound traffic appropriately.
Trusted Network Detection (TND)
Trusted Network Detection allows the AnyConnect client to identify when a user is on a trusted corporate network, such as when connected to the office LAN. If the client detects that it is within the trusted network, it automatically suspends the VPN session instead of disconnecting entirely. This provides seamless user experience without requiring manual intervention, and the VPN session resumes if the user moves off the trusted network.
Auto-Reconnect
The Auto-Reconnect feature ensures VPN continuity even when a user switches between networks (e.g., from Wi-Fi to Ethernet) or experiences brief connectivity interruptions. Rather than requiring the user to manually reconnect, the AnyConnect client attempts to restore the session with the ASA automatically, preserving productivity and minimizing disruption.
Optimal Gateway Selection (OGS)
Optimal Gateway Selection enhances efficiency by selecting the best ASA gateway based on round-trip time (RTT). This is particularly beneficial in global deployments where users may be traveling and need to connect to the geographically closest and fastest ASA endpoint. OGS dynamically evaluates latency and connects the client to the optimal location in real-time.
Start Before Logon (SBL)
Finally, Start Before Logon (SBL) allows the VPN tunnel to be established even before the user logs into the Windows host or joins the Active Directory domain. This is particularly useful for domain-joined machines that rely on group policy objects (GPOs) or authentication services that require VPN connectivity at the login stage.
These XML-based features make Cisco AnyConnect more than just a VPN client; they transform it into a highly adaptable secure access solution suitable for diverse enterprise needs. From seamless reconnection to intelligent gateway selection and continuous protection, AnyConnect delivers both flexibility and control.
Creating and Editing AnyConnect/Secure Client Profiles in ASDM
- To configure a new AnyConnect Client Profile using ASDM, navigate to Configuration > Remote Access VPN > AnyConnect Client Profile, then click Add.
- In the “Add AnyConnect Client Profile” window, provide a profile name, select the profile usage (e.g., AnyConnect VPN Profile), associate it with a group policy, and if needed, enable the “Always-On VPN” feature. This setting enforces constant VPN connectivity, which is especially useful for secure environments.
- Before applying the configuration, it’s a good practice to go to Tools > Preferences in ASDM and enable Preview commands before sending to the device. This helps administrators verify the CLI commands generated by the ASDM GUI and avoid misconfigurations.
After creating the profile, select Edit to configure key options such as:
- Start Before Login (SBL): Establish the VPN before OS login.
- Pre-Connect Message: Display custom messages before tunnel initiation.
- Certificate Store: Define where user certificates are stored (if using cert-based auth).
- Auto Connect On Start: Automatically launch the tunnel on client boot.
- Local LAN Access: Allow client access to local network resources during VPN use.
- Captive Portal Detection: Detect and notify users about captive portals (e.g., hotel Wi-Fi).
- Auto-Reconnect: Automatically restore the VPN if the connection drops or changes (e.g., Wi-Fi to LAN).
- Auto-Update: Fetch updated profiles from the ASA.
- RSA SecurID / Windows Login Enforcement: Enforce user token authentication or restrict to one login session.
- Windows VPN Establishment: Allow/disallow VPN access pre-login for remote AD domain access.
- Protocol Preferences: Choose IPv4, IPv6, or both.
- Certificate Handling: Disable automatic certificate selection if manual control is needed.
Advanced Profile Features and Security Controls
The AnyConnect profile editor in ASDM also allows administrators to fine-tune more advanced behaviors:
- Proxy Settings: Override system settings if needed.
- Optimal Gateway Selection (OGS): Select ASA gateways based on RTT and availability.
- Automatic VPN Policies: Define behaviors for trusted/untrusted networks, DNS domains, or DNS servers.
- Trusted Servers: Prevent spoofing by checking certificates on specific ports.
- Always-On Modes: Enforce continuous VPN connectivity, with or without disconnect options.
- Manual Host Input: Allow users to manually enter ASA IP/hostname.
- Backup Servers: List fallback VPN gateways.
- Certificate Matching: Match certificate fields like DN during authentication.
- Certificate Enrollment: Let ASA proxy SCEP certificate requests.
- Mobile Policy: Control behavior on mobile devices (e.g., device lock).
- Server List: Populate dropdowns in the AnyConnect client with custom ASA entries.
The Server List feature is especially powerful. It enables the admin to predefine ASA gateways, group URLs, load balancing options, and backup servers in a user-friendly format. This way, end-users can simply select their location or group from a dropdown without knowing the underlying IP or hostname.
Applying the Profile and Server List via CLI
Once a profile is applied, the next connection attempt by the AnyConnect client will automatically use the updated settings. For administrators wanting to define group URLs manually for use in server lists, the following CLI example can be used:
tunnel-group SALES webvpn-attributes
group-url https://asa.cisco.local/sales enable
This binds a specific group URL to the “SALES” tunnel group, allowing it to appear in the server list dropdown.
Managing Client-Side Profile Files
If troubleshooting is necessary or you wish to inspect or delete a local profile, the AnyConnect client stores them in the following path:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\profile.xml
Note: You must enable viewing of hidden files in Windows Explorer to access this directory.
Using a Router as a Certificate Authority (CA) in a Lab
When testing in a lab environment or when a standalone CA is not available, a router can serve as a certificate authority. The following commands configure the router to generate and issue a certificate:
crypto key generate rsa modulus 2048 label WIN7 exportable
crypto pki trustpoint WIN7
enrollment url http://self/192.0.2.20
rsakeypair WIN7
subject-name cn=win7sales.cisco.local,o=CISCO,ou=SALES,c=us
fqdn win7sales.cisco.local
subject-alt-name win7sales.cisco.local
exit
crypto pki authenticate WIN7
crypto pki enroll WIN7
crypto pki export WIN7 pkcs12 terminal password cisco123
After executing these commands, copy the exported certificate from the terminal output into a .txt file, change the file extension to .p12, and import it into the Windows certificate store under User > Personal.
Enabling Certificate Authentication on the ASA
Once the certificate is available on the client, configure the ASA to accept certificate-based authentication under the relevant tunnel group:
tunnel-group SALES webvpn-attributes
authentication certificate
In ASDM, edit the connection profile to select Certificate or Both under the Authentication Method, and associate it with the appropriate group policy (e.g., SALES_POLICY). Make sure that both SSL and/or IPsec (IKEv2) protocols are checked depending on your desired connectivity options.
Verifying Connections
To verify active AnyConnect sessions, use the following command on the ASA:
show vpn-sessiondb anyconnect
This displays session details including IP, tunnel type (SSL/DTLS/IPSec), username (CN if using certs), assigned group policy, and duration.
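When reviewing active sessions it helps to parse that output rather than read it by eye. The following is an added example, not code from the page or from Cisco: it splits the two-column output of show vpn-sessiondb anyconnect into one record per session and runs the checks a reviewer wants first (sessions per tunnel-group, sessions that fell back to TLS only, sessions running longer than a threshold). The sample output is constructed to follow the command's general "Label : value" layout and was not captured from a device.

```python
"""Added example, not code from the page or from Cisco: turn the text output of
`show vpn-sessiondb anyconnect` into per-session records and run the checks a
reviewer of active remote-access sessions would want. SAMPLE_OUTPUT is
CONSTRUCTED to follow the command's two-column `Label : value` layout."""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : kmac                   Index        : 12
Assigned IP  : 192.168.1.10           Public IP    : 198.51.100.23
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Bytes Tx     : 48211                  Bytes Rx     : 90317
Group Policy : SALES                  Tunnel Group : SSLTUNNEL
Login Time   : 08:41:12 UTC Mon Jun 3 2024
Duration     : 0h:52m:07s

Username     : jdoe                   Index        : 13
Assigned IP  : 192.168.1.11           Public IP    : 203.0.113.77
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256
Bytes Tx     : 1024                   Bytes Rx     : 2048
Group Policy : FINANCE_POLICY         Tunnel Group : FINANCE
Login Time   : 02:13:55 UTC Mon Jun 3 2024
Duration     : 7h:19m:24s
"""

# A label is letters/spaces followed by a colon; a second column is introduced
# by a run of two or more spaces before the next label. Hyphenated names such
# as "SSL-Tunnel:" inside the Encryption value are not labels and stay put.
FIRST_COL = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
SECOND_COL = re.compile(r"\s{2,}([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")


def parse_fields(line):
    """Return the (label, value) pairs found on one output line."""
    m = FIRST_COL.match(line)
    if not m:
        return []
    label, rest = m.group(1), m.group(2)
    m2 = SECOND_COL.search(rest)
    if m2:
        return [(label, rest[:m2.start()].rstrip()), (m2.group(1), m2.group(2).strip())]
    return [(label, rest.strip())]


def parse_sessions(text):
    """One dict per session; a 'Username' field starts a new record."""
    sessions, current = [], None
    for line in text.splitlines():
        for label, value in parse_fields(line):
            if label == "Username":
                current = {}
                sessions.append(current)
            if current is not None:
                current[label] = value
    return sessions


def duration_seconds(text):
    """'7h:19m:24s' -> 26364."""
    h, m, s = re.match(r"(\d+)h:(\d+)m:(\d+)s", text).groups()
    return int(h) * 3600 + int(m) * 60 + int(s)


def sessions_without_dtls(sessions):
    """Users whose tunnel runs over TLS only (no DTLS-Tunnel in Protocol),
    which usually means UDP/443 is blocked somewhere on the path."""
    return [s["Username"] for s in sessions if "DTLS-Tunnel" not in s.get("Protocol", "")]


def sessions_by_tunnel_group(sessions):
    return Counter(s.get("Tunnel Group", "?") for s in sessions)


def long_sessions(sessions, max_hours):
    """Sessions older than a review threshold, worth correlating with the
    group policy's session timeout."""
    return [s["Username"] for s in sessions
            if duration_seconds(s["Duration"]) > max_hours * 3600]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    print("sessions:", len(parsed))
    print("by tunnel-group:", dict(sessions_by_tunnel_group(parsed)))
    print("TLS-only (no DTLS):", sessions_without_dtls(parsed))
    print("longer than 4h:", long_sessions(parsed, 4))
```

Feed it the real output captured from a terminal session and adjust the two regular expressions if your ASA version prints additional labels; the record boundary on "Username" is the same across versions.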
Configuring AnyConnect with IKEv2
If you want to use IKEv2 instead of SSL, you can configure the server list entry in ASDM to use IPsec as the primary protocol and remove the group association (since IKEv2 handles this differently). In the server list, ensure “Primary Protocol” is set to IPsec, and under the profile itself, ensure that Enable IKEv2 is checked.
You’ll also need to configure the IKEv2 proposal and policies on the ASA:
crypto ipsec ikev2 ipsec-proposal TS
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto dynamic-map DYNMAP 10 set ikev2 ipsec-proposal TS
crypto map CMAP 100 ipsec-isakmp dynamic DYNMAP
crypto map CMAP interface outside
tunnel-group FINANCE ipsec-attributes
ikev2 local-authentication certificate CA1
ikev2 remote-access trustpoint CA1
group-policy FINANCE_POLICY attributes
address-pools value AC
ASA CLI Tips and Wizard Commands
The ASA CLI provides helpful tools for administrators new to VPN configuration. The help command acts as a built-in manual and can show valid syntax for configuration commands:
help vpnsetup
To walk through the VPN configuration via an interactive CLI wizard, use:
vpnsetup ssl-remote-access steps
This guides you through key steps including interface setup, enabling WebVPN, and setting default routes. For example:
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
webvpn
enable outside
route outside 0.0.0.0 0.0.0.0 10.10.4.200
Group Policies: Centralized Configuration Containers
Group Policies act as containers that define user-specific or connection-specific settings such as banners, IP address pools, DNS settings, and split-tunneling lists. Rather than configuring each of these parameters directly under the tunnel-group, it is best practice to define them once in a group policy and then reuse that policy across multiple tunnel-groups. This approach reduces redundancy and improves manageability.
Cisco ASA includes some default group policies that aren’t visible in the running configuration by default. However, issuing the show run all command reveals them. One such default is DfltGroupPolicy, which comes with a broad set of predefined attributes.
Important Group Policy Attributes
Some of the notable attributes in group policies include:
- vpn-filter: Assigns an access list to the VPN session, which is useful for restricting access to specific networks or resources.
- vpn-tunnel-protocol: Specifies the tunneling protocols allowed for VPN connections (e.g., ikev1, ikev2, l2tp-ipsec, ssl-clientless). AnyConnect is not enabled here by default.
- group-lock: Ensures that only users assigned to a particular group can authenticate using the corresponding tunnel-group.
- pfs: Perfect Forward Secrecy settings for IPsec.
- split-tunnel-policy: Determines whether all traffic or only specific subnets go through the VPN tunnel. The default is tunnelall.
- address-pools: This is a mandatory setting that defines the IP pool assigned to VPN clients. Without this, clients cannot receive IP addresses from the ASA.
WebVPN: Customizing the Clientless Experience
WebVPN (clientless SSL VPN) is another feature configurable within group policies. This allows administrators to customize the web portal that users see after authentication. Common attributes include:
- url-list: Acts like bookmarks presented to the user.
- filter: Controls content access.
- port-forwarding: Enables access to internal applications.
- anyconnect options: AnyConnect deployment can also be enabled via WebVPN. This allows clients to download the AnyConnect client directly from the ASA.
Configuring Client Profiles (XML)
Client Profiles for AnyConnect are defined using XML files that are downloaded by the client after connecting to the ASA. These profiles contain client-specific configurations, such as:
- AnyConnect connection preferences
- Certificate store locations
- Lists of headend servers
- RDP settings (e.g., allowing connections only under certain conditions)
There are two main ways to create and edit client profiles:
- ASDM GUI Profile Editor – Built into the ASA management interface.
- Standalone Profile Editor – A separate executable for offline editing.
Once configured, the profiles must be uploaded to the ASA and associated with a group policy or tunnel-group.
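The profile editors write the same XML that the client downloads, so the features described earlier (Start Before Logon, Auto-Reconnect, Trusted Network Detection, Always-On) and the server list can also be generated and audited programmatically. The following is an added example, not code from the page or from Cisco: it builds a profile with those features turned on and audits an existing profile for the settings a security reviewer checks first, in particular an Always-On profile whose ConnectFailurePolicy is Open and therefore lets traffic leave the host unprotected when the VPN cannot be established. Element names follow the AnyConnect profile XML schema as I know it; host names, domains and group names are constructed placeholders, so validate any generated profile in the Profile Editor before deploying it.

```python
"""Added example, not code from the page or from Cisco: build and audit an
AnyConnect client profile. Element names follow the profile schema as I know
it (assumption); host names, domains and groups are constructed samples."""
import xml.etree.ElementTree as ET

PROFILE_NS = "http://schemas.xmlsoap.org/encoding/"


def _local(tag):
    """Strip the namespace ElementTree prefixes onto parsed tags."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children with the given local name (empty list if elem is None)."""
    return [] if elem is None else [c for c in elem if _local(c.tag) == name]


def _child(elem, name):
    found = _children(elem, name)
    return found[0] if found else None


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def build_profile(host_name, host_address, user_group, trusted_dns_domains,
                  backup_servers=(), primary_protocol="SSL", always_on=True):
    root = ET.Element("AnyConnectProfile", {"xmlns": PROFILE_NS})
    init = ET.SubElement(root, "ClientInitialization")
    # Start Before Logon: tunnel is up before the Windows logon completes
    ET.SubElement(init, "UseStartBeforeLogon", {"UserControllable": "false"}).text = "true"
    # Auto-Reconnect, including after the host resumes from sleep
    auto = ET.SubElement(init, "AutoReconnect", {"UserControllable": "false"})
    auto.text = "true"
    ET.SubElement(auto, "AutoReconnectBehavior", {"UserControllable": "false"}).text = "ReconnectAfterResume"
    # Trusted Network Detection: pause on the corporate LAN, connect elsewhere
    policy = ET.SubElement(init, "AutomaticVPNPolicy")
    policy.text = "true"
    ET.SubElement(policy, "TrustedDNSDomains").text = ",".join(trusted_dns_domains)
    ET.SubElement(policy, "TrustedNetworkPolicy").text = "Pause"
    ET.SubElement(policy, "UntrustedNetworkPolicy").text = "Connect"
    # Always-On, fail-closed, with no user-initiated disconnect
    always = ET.SubElement(policy, "AlwaysOn")
    always.text = "true" if always_on else "false"
    if always_on:
        ET.SubElement(always, "ConnectFailurePolicy").text = "Closed"
        ET.SubElement(always, "AllowVPNDisconnect").text = "false"
    # Server list: the entries the user picks from the client's drop-down
    entry = ET.SubElement(ET.SubElement(root, "ServerList"), "HostEntry")
    ET.SubElement(entry, "HostName").text = host_name
    ET.SubElement(entry, "HostAddress").text = host_address
    ET.SubElement(entry, "UserGroup").text = user_group
    ET.SubElement(entry, "PrimaryProtocol").text = primary_protocol
    if backup_servers:
        backups = ET.SubElement(entry, "BackupServerList")
        for address in backup_servers:
            ET.SubElement(backups, "HostAddress").text = address
    return ET.tostring(root, encoding="unicode")


def audit_profile(xml_text):
    """Summarise the security-relevant settings of a profile."""
    root = ET.fromstring(xml_text)
    init = _child(root, "ClientInitialization")
    policy = _child(init, "AutomaticVPNPolicy")
    always = _child(policy, "AlwaysOn")
    servers = []
    for entry in _children(_child(root, "ServerList"), "HostEntry"):
        servers.append({
            "host": _text(_child(entry, "HostAddress")),
            "group": _text(_child(entry, "UserGroup")),
            "protocol": _text(_child(entry, "PrimaryProtocol")) or "SSL",
            "backups": [_text(b) for b in _children(_child(entry, "BackupServerList"), "HostAddress")],
        })
    return {
        "sbl": _text(_child(init, "UseStartBeforeLogon")) == "true",
        "auto_reconnect": _text(_child(init, "AutoReconnect")) == "true",
        "tnd_enabled": _text(policy) == "true",
        "tnd_policy": _text(_child(policy, "TrustedNetworkPolicy")),
        "trusted_domains": [d for d in _text(_child(policy, "TrustedDNSDomains")).split(",") if d],
        "always_on": _text(always) == "true",
        # Open = traffic may leave unprotected when the VPN cannot connect
        "fail_open": _text(_child(always, "ConnectFailurePolicy")) == "Open",
        "allow_disconnect": _text(_child(always, "AllowVPNDisconnect")) == "true",
        "servers": servers,
    }


if __name__ == "__main__":
    profile = build_profile("Sales (HQ)", "asa.cisco.local", "sales",
                            ["corp.example.test"], backup_servers=["asa-backup.example.test"])
    print(profile)
    print(audit_profile(profile))
```

The audit function reads only direct children, so a HostAddress inside BackupServerList is never mistaken for the primary gateway; run it over the profile.xml pulled from a client's ProgramData path to confirm the deployed profile matches what ASDM shows.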
Static IP Assignment via User Accounts
If a specific user must always be assigned the same IP address when connecting via VPN, that configuration must be done at the user account level. This ensures consistent IP assignment, which may be required for logging, firewall rules, or internal system access policies.
Configuring SSL VPN with AnyConnect (Thick Client) on Cisco ASA
To set up an SSL VPN for AnyConnect clients on a Cisco ASA, the first step is enabling WebVPN on the ASA’s outside interface. This makes the ASA capable of serving the AnyConnect client installer and hosting the SSL VPN portal.
webvpn
enable outside-interface-name
anyconnect image disk0:/image-file.pkg
anyconnect enable
Once WebVPN is active, you need to create a custom group policy that specifies the tunneling protocols you want to allow. For AnyConnect clients, you typically enable both ssl-client and ssl-clientless:
group-policy policy-name internal
group-policy policy-name attributes
vpn-tunnel-protocol ssl-clientless ssl-client
After creating the group policy, return to WebVPN configuration mode to specify user experience parameters. These include keeping the AnyConnect installer on the client device after installation (keep-installer installed) and allowing the ASA to prompt users for the AnyConnect client if it’s not already present:
webvpn
anyconnect keep-installer installed
anyconnect ask enable
Next, configure an IP address pool that will be used to assign internal IPs to connected VPN clients:
ip local pool pool-name x.x.x.x-x.x.x.x
With the pool and policy in place, create and configure a tunnel-group. The tunnel-group ties together the group policy, address pool, and a user-facing alias that will appear on the ASA’s login portal:
tunnel-group group-name type webvpn
tunnel-group group-name general-attributes
address-pool pool-name
default-group-policy policy-name
tunnel-group group-name webvpn-attributes
group-alias alias-name
Finally, go back into the WebVPN context and enable the tunnel group selection list. This ensures users can see available connection profiles (aliases) during login:
webvpn
tunnel-group-list enable
With these configurations complete, the ASA is now set up to support AnyConnect SSL VPN connections. Users can navigate to the ASA’s public IP or hostname, select the desired connection profile, and connect using their credentials. If the AnyConnect client is not yet installed, the ASA will offer it for download through the WebVPN portal.
SSL VPN with AnyConnect Using Advanced DHCP Address Assignment
In some deployment scenarios, you may prefer to assign IP addresses to remote VPN clients using an external DHCP server rather than an internal IP pool. Cisco ASA supports this configuration, and it’s particularly useful in environments that rely on centralized DHCP for IP management, tracking, or integration with directory services.
Step-by-Step Configuration
Start by enabling WebVPN on the ASA’s external interface and uploading the AnyConnect image:
webvpn
enable outside-interface-name
anyconnect image disk0:/image-file.pkg
anyconnect enable
Next, define a new group policy that will govern client attributes and allowed protocols. The vpn-tunnel-protocol command ensures the VPN supports both clientless SSL VPN and AnyConnect SSL VPN:
group-policy policy-name internal
group-policy policy-name attributes
vpn-tunnel-protocol ssl-clientless ssl-client
Return to the WebVPN context to specify additional options for client behavior, then set the DHCP scope under the group policy (dhcp-network-scope is a group-policy attribute, not a WebVPN command):
webvpn
anyconnect keep-installer installed
anyconnect ask enable
group-policy policy-name attributes
dhcp-network-scope x.x.x.x
The dhcp-network-scope defines the subnet from which IPs will be leased. This needs to align with your DHCP server configuration to ensure proper address assignment.
Now configure the tunnel-group, tying together the group policy, DHCP settings, and alias users will see when selecting their VPN connection:
tunnel-group group-name type webvpn
tunnel-group group-name general-attributes
default-group-policy policy-name
dhcp-server x.x.x.x
tunnel-group group-name webvpn-attributes
group-alias alias-name
Make sure the specified DHCP server IP address is reachable by the ASA and properly configured to handle IP requests for VPN clients.
Finally, go back to the WebVPN context and enable the tunnel group selection list so users can choose the appropriate connection profile:
webvpn
tunnel-group-list enable
With this configuration, your Cisco ASA will dynamically assign IP addresses to AnyConnect VPN clients using a designated DHCP server, offering greater flexibility and integration with enterprise IPAM and directory services.
SSL VPN with AnyConnect: Advanced Split-Tunnel Configuration
Split tunneling is a powerful feature that allows VPN clients to route only specific traffic through the encrypted tunnel, while all other traffic—like general internet browsing—uses the client’s local network. This reduces bandwidth usage on the VPN headend and avoids unnecessary backhauling of public traffic.
Initial Setup
Begin by enabling WebVPN and uploading the AnyConnect package to the ASA’s external interface:
webvpn
enable outside-interface-name
anyconnect image disk0:/image-file.pkg
anyconnect enable
Next, create a group policy that enables SSL VPN protocols. This policy will be referenced later by the tunnel-group:
group-policy policy-name internal
group-policy policy-name attributes
vpn-tunnel-protocol ssl-clientless ssl-client
Return to the WebVPN context and configure additional session parameters:
webvpn
anyconnect keep-installer installed
anyconnect ask enable
Then define an IP address pool that will be assigned to VPN clients:
ip local pool pool-name x.x.x.x-x.x.x.x
Tunnel Group Configuration
Set up the tunnel-group and associate it with the group policy and address pool you just defined:
tunnel-group group-name type webvpn
tunnel-group group-name general-attributes
address-pool pool-name
default-group-policy policy-name
tunnel-group group-name webvpn-attributes
group-alias alias-name
To make the connection profile (group alias) visible to users, enable the tunnel group list:
webvpn
tunnel-group-list enable
Defining the Split Tunnel Access List
Now comes the key part: defining the split-tunnel policy. First, create an access list that specifies the internal subnets that should be routed through the VPN:
access-list acl-name permit x.x.x.x subnet-mask
This ACL defines the list of networks the client should access via the VPN tunnel (e.g., internal corporate LANs).
Finally, update the group policy to apply the split-tunnel configuration:
group-policy policy-name attributes
split-tunnel-network-list value acl-name
split-tunnel-policy tunnelspecified
With this setup, all client traffic destined for the internal subnets defined in the ACL will be encrypted and sent through the VPN. Everything else will use the client’s local internet connection—ensuring performance and bandwidth efficiency.
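To see exactly which destinations end up in the tunnel under a given list and policy, the following is an added example, not code from the page or from Cisco. It parses split-tunnel ACL lines in the form shown above, decides per destination whether traffic is tunneled, and generalises beyond the page's tunnelspecified case to tunnelall and excludespecified. It also runs the overlap check worth doing before rollout: a secured network that overlaps the user's local LAN silently pulls printer or NAS traffic into the VPN or breaks it. ACL lines and addresses are constructed samples.

```python
"""Added example, not code from the page or from Cisco: model which
destinations an AnyConnect client sends through the tunnel under each ASA
split-tunnel-policy value. ACL lines and addresses are constructed samples."""
import ipaddress


def parse_split_acl(lines):
    """Collect networks from ASA standard ACL lines of the form
    `access-list NAME [standard] permit NET MASK` or `... permit host ADDR`.
    Deny entries add no secured routes, so they are skipped."""
    networks = []
    for line in lines:
        parts = line.split()
        if "permit" not in parts:
            continue
        i = parts.index("permit")
        if parts[i + 1] == "host":
            networks.append(ipaddress.ip_network(parts[i + 2]))
        else:
            networks.append(ipaddress.ip_network(f"{parts[i + 1]}/{parts[i + 2]}", strict=False))
    return networks


def is_tunneled(destination, policy, split_networks):
    """True when traffic to `destination` is encrypted into the VPN."""
    addr = ipaddress.ip_address(destination)
    listed = any(addr in net for net in split_networks)
    if policy == "tunnelall":          # everything goes through the ASA
        return True
    if policy == "tunnelspecified":    # only the listed networks are secured
        return listed
    if policy == "excludespecified":   # listed networks bypass the tunnel
        return not listed
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


def classify(destinations, policy, split_networks):
    """Map each destination to its tunneled/not-tunneled decision."""
    return {d: is_tunneled(d, policy, split_networks) for d in split_networks and destinations}


def local_lan_conflicts(split_networks, local_lan):
    """Secured networks that overlap a client's local LAN. Under
    tunnelspecified such an entry captures local traffic into the VPN
    (or breaks it); review these before deployment."""
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [net for net in split_networks if net.overlaps(lan)]


if __name__ == "__main__":
    acl = parse_split_acl([
        "access-list SPLIT standard permit 10.0.0.0 255.0.0.0",
        "access-list SPLIT standard permit host 172.16.5.10",
    ])
    targets = ["10.20.30.40", "172.16.5.10", "172.16.5.11", "198.51.100.7"]
    for policy in ("tunnelall", "tunnelspecified", "excludespecified"):
        print(policy, classify(targets, policy, acl))
    print("local LAN overlap:", local_lan_conflicts(acl, "10.0.1.0/24"))
```

The decision table printed by the main block is the quickest way to review a proposed list with the application owners: for every destination they care about it shows whether the packet crosses the ASA (and therefore its vpn-filter and logging) or leaves via the user's local connection.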
SSL VPN with AnyConnect: Advanced Group-Lock Configuration
In some environments, it’s essential to restrict which users can connect to which tunnel-group. Cisco ASA offers the Group-Lock feature for this purpose. It ensures that a user can only connect to the specific group (i.e., connection profile) assigned to them—enhancing security and reducing misconfigurations.
Step-by-Step Configuration
As in other setups, begin by enabling WebVPN on the ASA’s external interface and specifying the AnyConnect image:
webvpn
enable outside-interface-name
anyconnect image disk0:/image-file.pkg
anyconnect enable
Then, define a group policy that allows SSL VPN connections:
group-policy policy-name internal
group-policy policy-name attributes
vpn-tunnel-protocol ssl-clientless ssl-client
Next, go back to WebVPN configuration mode to configure client behavior:
webvpn
anyconnect keep-installer installed
anyconnect ask enable
Create an IP pool that will be used to assign internal IP addresses to the VPN clients:
ip local pool pool-name x.x.x.x-x.x.x.x
Then, configure the tunnel-group by tying it to the group policy, the IP pool, and an alias users will see in the VPN portal:
tunnel-group group-name type webvpn
tunnel-group group-name general-attributes
address-pool pool-name
default-group-policy policy-name
tunnel-group group-name webvpn-attributes
group-alias alias-name
Once again, enable the tunnel-group selection list in WebVPN:
webvpn
tunnel-group-list enable
Enforcing Group-Lock
To ensure that a specific user can only connect using a specific group, you apply the group-lock setting to their user account. This is done under the username configuration:
username username attributes
group-lock value group-name
This binds the user to the designated tunnel-group. If they try to authenticate through a different group, the connection will be denied. This is especially useful in multi-department or partner VPN environments where each group may have different policies, ACLs, or IP address pools.
This configuration enhances access control in your remote access VPN deployment, ensuring users only reach the resources and policies assigned to their group.
SSL VPN with AnyConnect: Advanced Time-Based Access Control (Time-ACL)
Controlling when users are allowed to establish VPN connections is a powerful security and compliance feature. Cisco ASA supports time-based policies via the vpn-access-hours attribute within group policies. This allows you to restrict VPN access to specific times of the day, enforcing operational windows and reducing risk from after-hours access.
Initial Setup
As with all AnyConnect SSL VPN configurations, start by enabling WebVPN and uploading the AnyConnect client image:
webvpn
enable outside-interface-name
anyconnect image disk0:/image-file.pkg
anyconnect enable
Create a group policy that enables SSL-based VPN connections:
group-policy policy-name internal
group-policy policy-name attributes
vpn-tunnel-protocol ssl-clientless ssl-client
Configure WebVPN parameters that define how the AnyConnect client behaves:
webvpn
anyconnect keep-installer installed
anyconnect ask enable
Define the IP address pool to be assigned to clients during the VPN session:
ip local pool pool-name x.x.x.x-x.x.x.x
Configure the Tunnel Group
Bind the tunnel-group to the group policy and address pool:
tunnel-group group-name type webvpn
tunnel-group group-name general-attributes
address-pool pool-name
default-group-policy policy-name
tunnel-group group-name webvpn-attributes
group-alias alias-name
Then enable the tunnel-group selection menu so users can choose the appropriate profile:
webvpn
tunnel-group-list enable
Defining Time-Based Access
Now, configure the time range during which VPN access is allowed. This is done using the time-range command. For example, to allow access only between 8:00 AM and 6:00 PM daily:
time-range range-name
periodic daily 08:00 to 18:00
Finally, bind this time range to your group policy using the vpn-access-hours command:
group-policy policy-name attributes
vpn-access-hours value range-name
Once this is configured, VPN connections from users in this group will only be allowed during the specified time range. Attempts outside the allowed window will be denied by the ASA.
Time-based access control is a simple yet highly effective layer of defense. It can be particularly valuable for enforcing company policies, minimizing attack surface during off-hours, or managing contractor access.
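To sanity-check a time-range before it is pushed to the ASA, here is an added Python model of the `periodic` entry syntax (example code, not from the page or from Cisco). It handles named days, the daily/weekdays/weekend aliases and the day-to-day span form; the half-open window and the absence of absolute start/end entries are assumptions of the model.

```python
"""Simplified evaluator for ASA `time-range ... periodic` entries (added example,
not from the original page or from Cisco). Windows are treated as half-open
[start, end) and absolute start/end entries are not modelled; both are
assumptions of this model, not documented ASA behaviour."""
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
ALIASES = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
WEEK = 7 * 1440  # minutes in a week

def _hhmm(s):
    h, m = s.split(":")
    return int(h) * 60 + int(m)

def parse_periodic(line):
    """Return (start, end) windows in minutes since Monday 00:00 for one
    'periodic <days> HH:MM to [<day>] HH:MM' entry."""
    tokens = line.lower().split()
    if len(tokens) < 5 or tokens[0] != "periodic" or "to" not in tokens:
        raise ValueError("not a periodic entry: " + line)
    to = tokens.index("to")
    days, start_t, tail = tokens[1:to - 1], _hhmm(tokens[to - 1]), tokens[to + 1:]
    if len(tail) == 2:  # span form, e.g. 'periodic Friday 18:00 to Monday 06:00'
        if len(days) != 1 or days[0] not in DAYS or tail[0] not in DAYS:
            raise ValueError("span form needs one named day on each side: " + line)
        start = DAYS.index(days[0]) * 1440 + start_t
        end = DAYS.index(tail[0]) * 1440 + _hhmm(tail[1])
        return [(start, end if end > start else end + WEEK)]  # wraps past Sunday
    end_t = _hhmm(tail[0])
    if end_t <= start_t:
        raise ValueError("end time must be later than start time: " + line)
    covered = set()
    for d in days:  # day names, or the daily/weekdays/weekend aliases
        covered |= ALIASES[d] if d in ALIASES else {DAYS.index(d)}
    return [(d * 1440 + start_t, d * 1440 + end_t) for d in sorted(covered)]

def access_allowed(entries, when):
    """True if `when` (datetime or ISO string) falls inside any entry, i.e. the
    vpn-access-hours check would admit a new connection at that moment."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    windows = [w for line in entries for w in parse_periodic(line)]
    wm = when.weekday() * 1440 + when.hour * 60 + when.minute
    return any(s <= m < e for s, e in windows for m in (wm, wm + WEEK))

if __name__ == "__main__":
    policy = ["periodic weekdays 08:00 to 18:00", "periodic Saturday 09:00 to 13:00"]
    for stamp in ("2024-01-01 09:30", "2024-01-01 18:00", "2024-01-06 10:00"):
        print(stamp, access_allowed(policy, stamp))
```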
SSL VPN with AnyConnect: Authentication via ISE TACACS+
Integrating Cisco ASA with Cisco ISE using TACACS+ provides centralized authentication for SSL VPN users. This is especially useful for enterprise-grade environments where user access needs to be managed consistently across network devices and services.
ASA Configuration for TACACS+ Authentication
Start by enabling WebVPN on the ASA’s outside interface and pointing it at the AnyConnect image uploaded to flash:
webvpn
enable outside-interface-name
anyconnect image disk0:/image-file.pkg
anyconnect enable
Then, create the group policy to allow SSL VPN access:
group-policy policy-name internal
group-policy policy-name attributes
vpn-tunnel-protocol ssl-clientless ssl-client
Next, configure WebVPN behavior for AnyConnect clients:
webvpn
anyconnect keep-installer installed
anyconnect ask enable
Define the IP address pool that will be assigned to clients:
ip local pool pool-name x.x.x.x - x.x.x.x
Now configure the tunnel-group, tying it to the group policy and IP pool:
tunnel-group group-name type webvpn
tunnel-group group-name general-attributes
address-pool pool-name
default-group-policy policy-name
tunnel-group group-name webvpn-attributes
group-alias alias-name
Make sure users can see the connection profile by enabling the tunnel-group list:
webvpn
tunnel-group-list enable
Configuring the ASA to Use TACACS+
Create the AAA server object and define the TACACS+ parameters:
aaa-server server-name protocol tacacs+
aaa-server server-name (interface-name) host x.x.x.x
timeout seconds
key shared-secret
Then apply this server group to the tunnel-group:
tunnel-group group-name general-attributes
authentication-server-group server-name
Configuring Cisco ISE for TACACS+ Authentication
Step 1: Add the ASA as a Network Device
- In the ISE GUI, navigate to Administration > Network Resources > Network Devices.
- Click “Add” and add your ASA.
- Enter the IP address and shared secret used in the ASA configuration.
- Ensure TACACS+ is selected as the protocol.
Step 2: Create a User in ISE
- Go to Administration > Identity Management > Identities > Users.
- Click “Add.”
- Enter the username and assign a password.
- Optionally, assign the user to an Identity Group and configure password policies or expiration settings.
Once this is complete, users can authenticate to the SSL VPN using credentials managed in ISE via TACACS+. The ASA forwards authentication requests to ISE, which validates them based on the policies you’ve defined.
This configuration provides centralized access control with scalable authentication and auditing capabilities, ideal for regulated environments and role-based access scenarios.
SSL VPN with AnyConnect: Authentication via ISE RADIUS
RADIUS is a widely adopted protocol for remote authentication, particularly in Cisco environments using ISE. Integrating Cisco ASA with Cisco ISE using RADIUS ensures centralized control over VPN access, policy enforcement, and user management.
ASA Configuration for RADIUS Authentication
Start by enabling WebVPN on the ASA’s outside interface and pointing it at the AnyConnect package uploaded to flash:
webvpn
enable outside-interface-name
anyconnect image disk0:/image-file.pkg
anyconnect enable
Next, define the group policy that will be associated with the SSL VPN connection:
group-policy policy-name internal
group-policy policy-name attributes
vpn-tunnel-protocol ssl-clientless ssl-client
Configure WebVPN behavior:
webvpn
anyconnect keep-installer installed
anyconnect ask enable
Then, define the IP address pool that the ASA will assign to VPN clients:
ip local pool pool-name x.x.x.x - x.x.x.x
Create the tunnel-group and bind it to the group policy, address pool, and a visible alias name:
tunnel-group group-name type webvpn
tunnel-group group-name general-attributes
address-pool pool-name
default-group-policy policy-name
tunnel-group group-name webvpn-attributes
group-alias alias-name
Enable the tunnel-group list so users can select their connection profile:
webvpn
tunnel-group-list enable
Define RADIUS AAA Server on ASA
Create and configure the AAA server group for RADIUS:
aaa-server server-name protocol radius
aaa-server server-name (interface-name) host x.x.x.x
timeout seconds
key shared-secret
Then apply the AAA group to the tunnel-group:
tunnel-group group-name general-attributes
authentication-server-group server-name
ISE RADIUS Configuration
Step 1: Add the ASA as a Network Device
- In Cisco ISE, go to Administration > Network Resources > Network Devices.
- Click “Add.”
- Add your ASA’s IP address and select the RADIUS option.
- Enter the shared secret that matches what you configured on the ASA.
Step 2: Create a User in ISE
- Go to Administration > Identity Management > Identities > Users.
- Click “Add” and input the username, password, and any desired account policies such as expiration, lockout thresholds, or password complexity requirements.
Once this setup is complete, the ASA will delegate authentication requests to the ISE server using RADIUS. Successful logins depend on ISE validating credentials and matching configured policies.
This setup ensures a consistent, scalable, and secure authentication framework for SSL VPN access using Cisco AnyConnect, with centralized policy and identity management.
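Why the shared secret has to be identical on the ASA and in ISE is easiest to see in the packets themselves. The following Python is an added example (not from the page, Cisco or ISE) that builds a RADIUS Access-Request and the matching Access-Accept in memory and checks the reply’s Response Authenticator, following RFC 2865; the username, password and secret are constructed values.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), built in memory
(added example, not from the original page, Cisco or ISE). It shows why the
ASA's `key shared-secret` must equal the secret entered in ISE: the reply's
Response Authenticator is an MD5 over the reply plus that secret, and the
User-Password attribute is hidden with it. Types: 1 = User-Name, 2 = User-Password."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, ident, username, password, req_auth=None):
    """Client (ASA) side: 4-byte header, 16-byte Request Authenticator, attributes."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(1, username) + _attr(2, hide_password(secret, req_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(secret, code, request, attrs=b""):
    """Server (ISE) side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(secret, request, response):
    """Client side check; fails on a secret mismatch, a forged reply or a stale ID."""
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

def demo(secret=b"constructed-secret"):
    """Returns (verified with the matching secret, verified with a different one)."""
    req = build_access_request(secret, 7, b"katherine", b"Pa55w0rd")
    reply = build_response(secret, ACCESS_ACCEPT, req)
    return verify_response(secret, req, reply), verify_response(b"other", req, reply)
```

A mismatched secret therefore surfaces on the ASA as a reply that fails verification (and ISE, for its part, cannot recover the hidden password), which is what a RADIUS "failed" test in the ASA’s AAA server test looks like in practice.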
Useful ASA Show Commands for AnyConnect and WebVPN
These commands provide insight into current session activity, licensing status, authentication behavior, and applied policies.
Certificate and Session Verification
- show crypto ca cert – Displays the installed CA certificate(s) and identifies if a trustpoint is missing a certificate.
- show vpn-sessiondb webvpn – Shows active WebVPN sessions, including user details, group policy, protocol (SSL/TLS/DTLS), assigned public IPs, encryption and hashing algorithms used, byte counters, and tunnel group.
Example output reveals:
Username : Katherine
Protocol : Clientless
License : AnyConnect Premium
Encryption : AES-GCM-128
Tunnel Group: DefaultWEBVPNGroup
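As an added example (not part of the page), this Python parses the “Key : Value” layout of show vpn-sessiondb webvpn into per-session records and pulls out what a reviewer looks at first, including sessions that landed in DefaultWEBVPNGroup. The sample output is constructed and carries only a subset of the real fields.

```python
"""Parse `show vpn-sessiondb webvpn`-style output into per-session records
(added example, not from the original page). SAMPLE is constructed in the
'Key : Value' layout shown above, with two pairs per line where the ASA
prints them side by side; real output carries many more fields."""
import re
from collections import Counter

SAMPLE = """\
Username     : Katherine              Index        : 12
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : AES-GCM-128            Hashing      : SHA256
Tunnel Group : DefaultWEBVPNGroup
Login Time   : 09:12:41 UTC Mon Jan 1 2024

Username     : Dmitri                 Index        : 13
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AES256                 Hashing      : SHA1
Tunnel Group : SALES_TG
Login Time   : 09:40:05 UTC Mon Jan 1 2024
"""

# One 'Key : Value' pair; a second pair on the same line starts after 2+ spaces.
KV = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)")

def parse_sessions(text):
    """Return one dict per session; a new session starts at every Username key."""
    sessions, current = [], None
    for line in text.splitlines():
        for key, value in KV.findall(line):
            if key == "Username":
                current = {}
                sessions.append(current)
            if current is not None:  # skip any header lines before the first session
                current[key] = value
    return sessions

def review(sessions, default_group="DefaultWEBVPNGroup"):
    """What a reviewer checks first: the protocol mix, sessions that landed in
    the default tunnel group (no profile selected, so the intended group policy
    may not apply), and sessions without an AEAD (GCM) cipher; the last test is
    a local policy choice, not an ASA rule."""
    protocols = Counter(s.get("Protocol", "?").split()[0] for s in sessions)
    in_default = [s["Username"] for s in sessions if s.get("Tunnel Group") == default_group]
    non_gcm = [s["Username"] for s in sessions if "GCM" not in s.get("Encryption", "")]
    return {"protocols": dict(protocols), "in_default_group": in_default, "non_gcm": non_gcm}

if __name__ == "__main__":
    print(review(parse_sessions(SAMPLE)))
```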
General VPN Session Overview
- show vpn-sessiondb – Provides a summary of all VPN sessions—clientless and client-based—along with usage metrics such as peak concurrent connections and total active/inactive sessions.
- show version – Outputs licensing information for VPN features on the ASA. Look for entries like:
- AnyConnect Premium Peers
- AnyConnect Essentials
- Total VPN Peers
This helps confirm whether your license supports the number of required users and necessary features like IKEv2 or SSL VPN.
Tunnel Group and Policy Inspection
- show run all tunnel – Lists all tunnel group configurations, including default groups like DefaultRAGroup for remote access and DefaultL2LGroup for LAN-to-LAN VPNs. Also shows the default-group-policy assignments.
- show run group-policy – Displays detailed group policy configurations such as WebVPN banners, smart tunnels, file-entry permissions, and web features. Example:
group-policy SALES_POLICY attributes
banner value WELCOME TO SALES!!!
webvpn
smart-tunnel enable SMART-APPS
Deep Connection Details
- show nat details – Helpful for confirming NAT exemption or matching NAT rules relevant to VPN traffic.
- show vpn-sessiondb anyconnect – This command specifically filters for AnyConnect client sessions. It displays the connection type (e.g., DTLS), encryption methods, assigned IPs, and connection duration. It’s excellent for verifying IKEv2, SSL, and tunnel fallback behavior.
Additional Monitoring and Maintenance Commands
- vpn-sessiondb logoff webvpn – Forces termination of all active WebVPN sessions.
- vpn-sessiondb logoff all – Terminates all VPN sessions across protocols and client types.
- logging class svc mon 7 – Enables detailed logging for AnyConnect services. Setting the logging level to 7 gives verbose output, useful for troubleshooting session failures or posture issues.
These show commands are critical for validating a successful AnyConnect deployment and ensuring long-term operability. Whether you’re confirming user logins, monitoring license capacity, or debugging a certificate chain, these tools offer the visibility needed to maintain a secure and efficient remote access environment.