ASA: SSLVPN config
Written by Alexei Spirin   
Monday, 18 June 2012 16:35
ASA Config: ASA SSLVPN Server with local authentication
access-list splitALL extended permit ip 10.0.0.0 255.0.0.0 any
ip local pool sslUsers 192.168.13.1-192.168.13.255 mask 255.255.255.0
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
crypto key generate rsa label SSL modulus 2048 noconfirm
crypto ca trustpoint LocalCA
 enrollment self
 keypair SSL
 fqdn ssl.corporate.com
 subject-name CN=ssl.corporate.com
crypto ca enroll LocalCA noconfirm
ssl trust-point LocalCA outside
webvpn
 enable outside
 ! the AnyConnect packages must be copied to flash (disk0:) in advance
 anyconnect image disk0:/anyconnect-win-3.0.4235-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.0.4235-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy sslUsers internal
group-policy sslUsers attributes
 dns-server value 192.168.1.10
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitALL
 default-domain value corporate.local
 split-dns value corporate.local
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl rekey time 60
  anyconnect ssl rekey method ssl
  anyconnect ask none default anyconnect
  anyconnect dpd-interval gateway 30
  anyconnect dpd-interval client 30
tunnel-group sslUsers type remote-access
tunnel-group sslUsers general-attributes
 address-pool sslUsers
 default-group-policy sslUsers
 ! authentication defaults to the LOCAL user database; VPN users are created with the username command (not shown here)
tunnel-group sslUsers webvpn-attributes
 group-alias run enable
 ! 192.168.255.10 is the address of the ASA's outside (external) interface
 group-url https://192.168.255.10/run enable

Some notes:

User authentication is done against the ASA's local user database.

10.0.0.0/8 is the address range of the corporate network (matched by the split-tunnel ACL splitALL).

192.168.13.0/24 is the address range assigned to VPN users (pool sslUsers).

The first time, the user should log in via a browser over https://; the AnyConnect client will then install automatically.
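The addressing in the notes above is easy to get wrong when a config like this is copied between sites, so here is an added audit script (this example's own code, not part of the original post) that parses the relevant lines of the config and reports overlaps between the client pool and the split-tunnel networks, pool addresses that collide with the network or broadcast address of the pushed mask, and legacy SSL ciphers; the check names and the LEGACY_CIPHERS list are this example's assumptions.

```python
import ipaddress
import re

# Config text copied from the post above (only the lines this audit inspects).
ASA_CONFIG = """
access-list splitALL extended permit ip 10.0.0.0 255.0.0.0 any
ip local pool sslUsers 192.168.13.1-192.168.13.255 mask 255.255.255.0
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
group-policy sslUsers attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitALL
"""
# Cipher names this example treats as legacy (assumption; 3DES is deprecated).
LEGACY_CIPHERS = {"3des-sha1", "des-sha1", "rc4-sha1", "rc4-md5"}

def parse(text):
    # Pull out only the pieces of the config the audit needs.
    cfg = {"acl": {}, "pool": None, "ciphers": [], "split_list": None}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            cfg["acl"].setdefault(m[1], []).append(net)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line):
            cfg["pool"] = (m[1], ipaddress.ip_address(m[2]),
                           ipaddress.ip_address(m[3]), m[4])
        elif line.startswith("ssl encryption "):
            cfg["ciphers"] = line.split()[2:]
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            cfg["split_list"] = m[1]
    return cfg

def audit(cfg):
    # Returns a list of human-readable findings; an empty list means clean.
    findings = []
    name, start, end, mask = cfg["pool"]
    pool_net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    # The subnet's network/broadcast addresses are unusable for a client once
    # the stated mask is pushed down, so they should not be handed out.
    for addr in (pool_net.network_address, pool_net.broadcast_address):
        if start <= addr <= end:
            findings.append(f"pool {name} hands out {addr}, network/broadcast of {pool_net}")
    # Split-tunnel networks overlapping the client pool cause routing conflicts.
    for net in cfg["acl"].get(cfg["split_list"], []):
        if net.overlaps(pool_net):
            findings.append(f"split-tunnel network {net} overlaps pool {pool_net}")
    if cfg["split_list"] not in cfg["acl"]:
        findings.append(f"split-tunnel list {cfg['split_list']} has no matching ACL")
    for cipher in cfg["ciphers"]:
        if cipher in LEGACY_CIPHERS:
            findings.append(f"legacy SSL cipher enabled: {cipher}")
    return findings
```

Run as `audit(parse(ASA_CONFIG))`; on the post's config it flags the pool's inclusion of 192.168.13.255 and the 3des-sha1 cipher, and nothing else.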

Updated: added the previously missing 'subject-name' command to the certificate configuration.

Last Updated on Thursday, 22 January 2015 13:36