CISCO ASA – setting up a client VPN – cli

Reading Time: 3 minutes


In this document we we are going to review setting up a CISCO ASA for use with VPN. We are going to leverage our choice of public ip addresses. In my opinion a lot of the tutorials out there use one of the RFC 1811 (172., 192.168, … or 10.) for this task. Lets put RFC 5737 to good use for once.


This is what we are using for our basic “Lab” setup. We will use this theme and variants thereof throughout these posts.

interface GigabitEthernet0/0
ip address
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address
nameif inside
no shutdown

As part of the initial configuration we are going to count that we can route traffic through the outside interface.

route outside 1


Now let’s also assume we set the device up to allow traffic out. This is a nasty assumption – and isn’t going to be true for anything resembling a secure environment.

object network obj_any 

object network obj_any
 nat (inside,outside) dynamic interface

STEP 2: Now we will consider the steps in configuring and preparing the ASA to serve as a VPN server. First let’s establish a pool of addresses that we will had out to clients.

While we are at it we can create some values which we will use later.

ip local pool ssl_vpnpool mask

STEP 3: We will create some object for later use

object network ssl_vpnpool
object network local_net
object-group network local_nets
  network-object object local_net

STEP 4: Now in this case we will enable the the device for VPN

  enable outside
  tunnel-group-list enable
  anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  anyconnect enable
group-policy SPARELAB internal
group-policy SPARELAB attributes
  dns-server value
  vpn-tunnel-protocol ssl-client
  default-domain value
  vpn-tunnel-protocol svc
  address-pool value ssl_vpnpool
tunnel-group SPARELAB type remote-access
tunnel-group SPARELAB general-attributes
 default-group-policy SPARELAB
tunnel-group SPARELAB webvpn-attributes
 group-alias SPARELAB enable

STEP 5: Allow SSLVPN traffic

access-list ssl_vpnfilter extended permit ip object ssl_vpnpool object local_net

STEP 6: Now we create the NAT for the VPN traffic

object-group network local_nonat_destinations
  network-object object ssl_vpnpool
nat (inside,outside) source static local_net local_net destination static local_nonat_destinations local_nonat_destinations no-proxy-arp

STEP 7: Let’s create a user – for a Mr. John Smith with password of “l3tm3in”. This results in the following.

username jsmith password l3tm3in
username jsmith attributes
service-type remote-access

Next, I would install the Anyconnect VPN client for the OS you are using. If this is for Windows I would suggest making sure you reboot afterwards. Now we can connect to our VPN host.

Now… because this is new we are going to get a warning. In a follow up post we will review some basic care and maintenance – including replacing how to replace the cert with a commercial version.

And to verify are connection information from the ASA:

ciscoasa# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : jsmith                 Index        : 2
Assigned IP  :             Public IP    :
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)AES128  SSL-Tunnel: (1)AES128  DTLS-Tunnel: (1)none
Hashing      : AnyConnect-Parent: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)none
Bytes Tx     : 17963624               Bytes Rx     : 1084994
Group Policy : SSLCLient              Tunnel Group : SSLClient
Login Time   : 17:04:38 UTC Sun Dec 13 2020
Duration     : 0h:08m:48s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


This entry was posted in Cisco. Bookmark the permalink.