Company: SecureAccess Financial Services Situation: SecureAccess Financial has employees working from home. They need secure remote access to internal servers — file server, web application, and database — from their laptops at home.
The security team requires:
- Remote employees authenticate with username and password
- All traffic to internal resources encrypted
- Internet traffic NOT through the VPN (split tunneling)
- Remote employees get IPs from a dedicated VPN pool
- ASA managed via ASDM from internal network
Your job: Deploy Cisco AnyConnect SSL VPN on ASA to give remote employees secure encrypted access to internal resources.
✅ STATUS: COMPLETED AND WORKING Remote client connected, assigned VPN IP 192.168.200.10, authenticated with local credentials, full access to DMZ servers.
---
╔══════════════════════════════════════════════════════════════╗
║ ENGINEER PHYSICAL PC ║
║ VMnet1: 192.168.81.x ← ASDM management ║
║ VMnet2: 192.168.91.204 ← AnyConnect client (remote user) ║
║ ║
║ Browser → https://192.168.91.11 → AnyConnect portal ║
║ Download client → connect → get 192.168.200.10 ║
╚══════════════════════════════════════════════════════════════╝
| |
\[Cloud-VMnet1] \[Cloud-VMnet2]
Management Simulated Internet
| |
Eth1 INSIDE Eth0 OUTSIDE
192.168.81.11 192.168.91.11
\[ ASA-GW ]
Eth2 DMZ
192.168.10.1
|
\[INT-SWITCH]
/ | \\
\[FILE-SRV] \[WEB-SRV] \[DB-SRV]
192.168.10.10 .20 .30
VPN Pool: 192.168.200.0/24
Remote employees get IP from this pool
(verified: client received 192.168.200.10 ✅)
---
| Device | Interface | IP Address | Purpose |
|---|---|---|---|
| ASA-GW | Eth0 | 192.168.91.11/24 | Outside (WAN/VPN) |
| ASA-GW | Eth1 | 192.168.81.11/24 | Inside (Management) |
| ASA-GW | Eth2 | 192.168.10.1/24 | DMZ (Servers) |
| FILE-SRV | Eth0/0 | 192.168.10.10/24 | File server |
| WEB-SRV | Eth0/0 | 192.168.10.20/24 | Web application |
| DB-SRV | Eth0/0 | 192.168.10.30/24 | Database server |
| Engineer PC | VMnet1 | 192.168.81.50 | ASDM management |
| Engineer PC | VMnet2 | 192.168.91.204 | AnyConnect client |
| VPN Pool | — | 192.168.200.10-100 | Remote employee IPs |
---
| URL | Username | Password |
|---|---|---|
| https://192.168.81.11 | admin | Admin@123 |
| URL | Users | Password |
|---|---|---|
| https://192.168.91.11 | employee1/2/3 | Emp@2024 |
---
Step 1 — Add devices:
1x Cisco ASAv (minimum 2048 MB RAM)
1x Ethernet Switch (INT-SWITCH)
3x Cisco IOSv Router (FILE-SRV, WEB-SRV, DB-SRV)
2x Cloud nodes (Cloud-VMnet1, Cloud-VMnet2)
Step 2 — Connect cables:
OUTSIDE: ASA Eth0 ──► Cloud-VMnet2 (VMnet2 adapter)
INSIDE: ASA Eth1 ──► Cloud-VMnet1 (VMnet1 adapter)
DMZ: ASA Eth2 ──► INT-SWITCH
INT-SWITCH ──► FILE-SRV / WEB-SRV / DB-SRV
Step 3 — Configure Cloud nodes:
Cloud-VMnet1 → select VMnet1 adapter
Cloud-VMnet2 → select VMnet2 adapter
CRITICAL: each cloud uses a DIFFERENT adapter
Step 4 — Verify engineer PC VMnet IPs:
ipconfig
VMnet1 → 192.168.81.x ✅
VMnet2 → 192.168.91.204 ✅
Step 5 — AnyConnect package already on ASA disk0:
anyconnect-win-4.5.04029-webdeploy-k9.pkg ✅
anyconnect-macos-4.5.04029-webdeploy-k9.pkg ✅
anyconnect-linux64-4.5.04029-webdeploy-k9.pkg ✅
Step 6 — Follow tasks in order
---
! FILE-SRV
hostname FILE-SRV
interface Ethernet0/0
ip address 192.168.10.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
! WEB-SRV
hostname WEB-SRV
interface Ethernet0/0
ip address 192.168.10.20 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
! DB-SRV
hostname DB-SRV
interface Ethernet0/0
ip address 192.168.10.30 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
---
---
hostname ASA-GW
! Outside — faces simulated internet (VMnet2)
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.91.11 255.255.255.0
no shutdown
! Inside — management via VMnet1
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.81.11 255.255.255.0
no shutdown
! DMZ — internal servers
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
no shutdown
! Default route toward simulated internet (engineer PC)
route outside 0.0.0.0 0.0.0.0 192.168.91.204
---
http server enable
http 192.168.81.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
username admin password Admin@123 privilege 15
aaa authentication http console LOCAL
ssh 192.168.81.0 255.255.255.0 inside
ssh version 2
crypto key generate rsa modulus 2048
---
username employee1 password Emp@2024 privilege 0
username employee2 password Emp@2024 privilege 0
username employee3 password Emp@2024 privilege 0
username vpnadmin password VPN@2024 privilege 15
---
object network VPN-POOL
subnet 192.168.200.0 255.255.255.0
object network DMZ-SERVERS
subnet 192.168.10.0 255.255.255.0
! VPN to DMZ — no translation
nat (outside,dmz) source static VPN-POOL VPN-POOL
destination static DMZ-SERVERS DMZ-SERVERS
! DMZ to internet — PAT
object network DMZ-INSIDE
subnet 192.168.10.0 255.255.255.0
nat (dmz,outside) dynamic interface
---
This step was the FIRST major blocker. Without an SSL certificate on the outside interface, the AnyConnect portal returns SSL handshake failed and never loads.
! Generate RSA key
crypto key generate rsa modulus 2048 noconfirm
! Create self-signed trustpoint
crypto ca trustpoint SSL-CERT
enrollment self
subject-name CN=192.168.91.11
keypair SSL-CERT
crl configure
! Enroll the certificate
crypto ca enroll SSL-CERT noconfirm
! Apply certificate to outside interface
ssl trust-point SSL-CERT outside
! Verify
show ssl
→ outside interface: SSL-CERT ✅
---
This was the SECOND major blocker. The old ASA defaults to SSLv3 which modern browsers (Edge, Chrome, Firefox) reject with "connection reset" / INET_E_DOWNLOAD_FAILURE.
! Allow older TLS so portal loads in browser
ssl server-version tlsv1
ssl encryption des-sha1 3des-sha1 aes128-sha1 aes256-sha1 rc4-sha1
! In the browser, if it still blocks:
! Firefox about:config → security.tls.version.min = 1
! OR Edge → enable older TLS in settings
---
! Package already on disk0 — just reference it
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.5.04029-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-linux64-4.5.04029-webdeploy-k9.pkg 3
anyconnect enable
! Verify
show webvpn anyconnect image
→ all 3 packages listed and active ✅
---
! VPN IP pool
ip local pool VPN-POOL 192.168.200.10-192.168.200.100
mask 255.255.255.0
! Group policy with split tunnel
group-policy SECUREACCESS-POLICY internal
group-policy SECUREACCESS-POLICY attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-ACL
dns-server value 8.8.8.8
vpn-idle-timeout 30
vpn-session-timeout 480
! Split tunnel ACL — only DMZ traffic through VPN
access-list SPLIT-ACL standard permit 192.168.10.0 255.255.255.0
---
This was the THIRD major blocker. The portal loaded and the client downloaded, but login looped asking for the password again. Cause: tunnel-group had no authentication-server-group, so it never checked the local user database.
tunnel-group SECUREACCESS-VPN type remote-access
tunnel-group SECUREACCESS-VPN general-attributes
address-pool VPN-POOL
default-group-policy SECUREACCESS-POLICY
authentication-server-group LOCAL ← THE FIX ✅
tunnel-group SECUREACCESS-VPN webvpn-attributes
group-alias SECUREACCESS-VPN enable
group-url https://192.168.91.11/secureaccess enable
! Also set default group so any connection authenticates
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LOCAL
default-group-policy SECUREACCESS-POLICY
address-pool VPN-POOL
In ASDM the same fix is: Configuration → Remote Access VPN → Network (Client) Access → AnyConnect Connection Profiles → SECUREACCESS-VPN → Edit → Basic → Authentication → Method: AAA → Server Group: LOCAL
---
FOURTH blocker. AnyConnect Connection Profiles must have SSL access enabled on the outside interface, otherwise the SSL client cannot launch.
In ASDM:
Configuration → Remote Access VPN
→ Network (Client) Access → AnyConnect Connection Profiles
Access Interfaces table:
✅ Enable Cisco AnyConnect VPN Client access
outside → SSL Access → Allow Access ✅
outside → Enable DTLS ✅
✅ Bypass interface access lists for inbound VPN sessions
Click Apply
---
access-list OUTSIDE-IN extended permit tcp any any eq 443
access-group OUTSIDE-IN in interface outside
---
! Step 1 — Engineer PC browser (Firefox with TLS lowered)
https://192.168.91.11
→ Accept certificate warning → Advanced → Proceed
→ Portal loaded ✅
! Step 2 — Login
Username: employee1
Password: Emp@2024
→ Authenticated ✅
! Step 3 — Download AnyConnect client → install ✅
! Step 4 — Open AnyConnect client
Server: 192.168.91.11
→ Connect Anyway (untrusted cert)
Username: employee1
Password: Emp@2024
→ CONNECTED ✅
! Step 5 — Verify IP assignment
ipconfig
→ AnyConnect adapter: 192.168.200.10 ✅
! Step 6 — Verify on ASA
show vpn-sessiondb anyconnect
→ employee1 connected, IP 192.168.200.10 ✅
---
! While connected:
ping 192.168.10.10 ← FILE-SRV ✅
ping 192.168.10.20 ← WEB-SRV ✅
ping 192.168.10.30 ← DB-SRV ✅
---
tracert 192.168.10.10
→ through VPN (192.168.200.x gateway) ✅
tracert 8.8.8.8
→ direct from PC, bypasses VPN ✅
---
! Monitor in ASDM
Monitoring → VPN → VPN Statistics → Sessions
→ employee1 session, bytes Tx/Rx ✅
! Force disconnect a user
vpn-sessiondb logoff name employee1
---
ASA-GW# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : employee1
Index : 1
Assigned IP : 192.168.200.10 ← VPN IP ✅
Protocol : AnyConnect-Parent SSL-Tunnel
Encryption : AES ← encrypted ✅
Bytes Tx : 5240 Bytes Rx: 3120 ✅
Login Time : UTC
Duration : 0h:05m:10s
Engineer PC CMD:
ipconfig
AnyConnect adapter: 192.168.200.10 ✅
ping 192.168.10.10
!!!!! ✅
---
Symptom : https://192.168.91.11 → connection reset
show asp drop → ssl-handshake-failed counter rising
Cause : No SSL certificate on outside interface
Fix : Generated self-signed cert SSL-CERT
ssl trust-point SSL-CERT outside
Lesson : AnyConnect is SSL VPN — needs a cert on the
interface before the portal can do HTTPS
Symptom : Edge and Firefox both reset the connection
even after cert applied
Cause : Old ASA defaults to SSLv3; modern browsers
refuse SSLv3 outright
Fix : ssl server-version tlsv1
Firefox about:config → security.tls.version.min = 1
Lesson : Old ASA images and modern browsers disagree on
TLS — lower the floor on both sides to connect
Symptom : Portal loads, client downloads, but login keeps
re-prompting for the password
Cause : tunnel-group had no authentication-server-group
so it never checked the local user database
Fix : tunnel-group SECUREACCESS-VPN general-attributes
authentication-server-group LOCAL
(also added to DefaultWEBVPNGroup)
Lesson : A tunnel group without an auth server silently
fails every login — always bind it to LOCAL
Symptom : AnyConnect Connection Profiles empty in ASDM,
or SSL Enabled column unchecked
Cause : AnyConnect client access not enabled on the
outside interface
Fix : ASDM → AnyConnect Connection Profiles
✅ Enable Cisco AnyConnect VPN Client access
outside → SSL Access → Allow Access
Lesson : The profile can exist in CLI but the client
won't launch until SSL access is enabled per
interface in the access table
Symptom : Could ping ASA on VMnet1 (inside) but not
VMnet2 (outside)
Cause : Cloud-VMnet2 node pointing at the wrong VMware
adapter / cable to wrong ASA port
Fix : Cloud-VMnet2 → select VMnet2 adapter,
cable to ASA Eth0 (outside)
Lesson : Each Cloud node must map to a distinct VMnet,
and connect to the correct ASA interface
---
Site-to-Site IPsec:
Fixed site to site, always on, no user login
crypto map, for branch offices
AnyConnect SSL VPN:
Remote access, any location, per-user login
HTTPS port 443 (works through any firewall)
webvpn + tunnel-group, for remote employees ✅
ASA SSL certificate (used here):
Encrypts the HTTPS portal connection
Required for the portal to load at all
User authentication certificate (NOT used here):
Installed on the employee's PC
For certificate-based login instead of password
This lab uses username + password (local AAA)
Without split tunnel → ALL traffic through VPN (slow)
With split tunnel → only 192.168.10.0/24 through VPN
internet goes direct from PC ✅
Remote users can't use internal IPs
They get a dedicated pool: 192.168.200.0/24
ASA tracks which user has which IP for auditing
Verified: client received 192.168.200.10 ✅
outside = 0 untrusted (internet / VPN clients)
dmz = 50 semi-trusted (servers)
inside = 100 trusted (management)
VPN clients come in at level 0, need NAT exemption
and ACL to reach DMZ servers at level 50
---