Follow Us:

How to configure Anyconnect SSL VPN on Cisco ASA Firewall

This tutorial will configure AnyConnect Remote access VPN on the Cisco ASA Firewall. AnyConnect, a Cisco SSL VPN client, supports IPSec and SSL connectivity. We will configure full-tunnel and split-tunnel configurations on Cisco ASA for AnyConnect VPN. Let’s get started!



You must have read-write access to the Cisco ASA Firewall. Further, to test AnyConnect VPN connectivity, you should have hosts inside and outside your organization.

Before configuring the Anyconnect VPN, let’s understand our Lab setup.


We have a Cisco ASA firewall connected with an Internet Service Provider (ISP). Two additional interfaces are configured for Inside and DMZ.

Split-Tunnel vs Full Tunnel

Remote access VPNs, such as AnyConnect, can be configured in two ways, i.e., Split-Tunnel and Full-Tunnel.

In Full-Tunnel, we route all of the network traffic toward the firewall. So, if a user has to access the Public Internet, it will first go to the gateway and then route the traffic to their ISP. SSL VPN clients will configure a default route, i.e.,, in the host’s routing table.


In Split Tunnel, we only configure private networks for the SSL VPN clients. So, if a user needs to access internal servers, the traffic will route through the VPN. All of their Internet traffic will go directly without reaching the firewall.


First, we will configure a Full tunnel VPN, and later in this article, we will see examples of split tunnels.

Cisco ASA Firewall Initial Configuration

We will perform the initial configurations on the Cisco ASA Firewall. First, we will configure the network interface, and further, we will set up different configurations for AnyConnect.

Setting up Cisco ASA Interfaces

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address

Now, add a default route on ASA towards the ISP:

route outside

Now, we will configure the AnyConnect VPN configuration.

Step 1: Downloading the AnyConnect VPN client and uploading on Cisco ASA

To ensure users can download the Any Connect client directly by accessing the firewall web vpn page, ensure you have a valid AnyConnect package on the Cisco ASA.

To download the AnyConnect image, you can visit the Cisco software and download it for free.


Once you have these files, you can upload them to the ASA via different methods. I will use the http server to upload these files in ASA.

ciscoasa# copy http: disk0:

Address or name of remote host []?

Source filename []? anyconnect-win-4.4.02039-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.4.02039-webdeploy-k9.pkg]?

Writing file disk0:/anyconnect-win-4.4.02039-webdeploy-k9.pkg...
30076867 bytes copied in 3.500 secs (10025622 bytes/sec)

Now, you should have AnyConnect image in the disk partition:

ciscoasa# show disk0:
--#-- --length-- -----date/time------ path
10 4096 Nov 13 2023 21:37:56 smart-log
11 8777 Jan 11 2024 15:51:38 smart-log/agentlog
7 4096 Nov 13 2023 21:36:40 log
9 1250 Jan 10 2024 13:45:59 log/asa-appagent.log
12 4096 Nov 13 2023 21:38:00 coredumpinfo
13 59 Nov 13 2023 22:07:42 coredumpinfo/coredump.cfg
79 7667 Nov 13 2023 22:30:16 object
94 30076867 Jan 11 2024 18:20:55 q
90 6591 Jan 11 2024 15:50:10 base-config
95 30076867 Jan 11 2024 18:22:22 anyconnect-win-4.4.02039-webdeploy-k9.pkg

Now, we can move to the next steps.

Step 2: Configuring the AnyConnect VPN IP Pool and Users to Authenticate on Cisco ASA

We must configure the IP pool for AnyConnect VPN users. Cisco ASA allows us to define the IP Pools for different purposes. You can hit the below command to configure an IP Pool for SSL VPN:

ip local pool anyconnect-vpn-pool mask

Let’s also configure a network object to use in NAT and ACLs:

object network anyconnect-vpn-subnet

We can use a local user database or a remote authentication server, such as Radius, Tacaces+, etc.

For this example, we will use only the local user database. To create a user on Cisco ASA, hit the below command in global configuration mode:

username user1 password Passw0rd

Additionally, we need to set the user attribute to use it for remote access authentication.

username user1 attributes
service-type remote-access

Step 3: Configuring the Group Policy on Cisco ASA for SSL VPN

On Cisco ASA, Group policy allows us to configure different parameters for Remote Access. A few parameters are DNS, full-tunnel, split-tunnel, configurations, etc.

To configure Group Policy, you can execute the below commands in global configuration mode:

group-policy ssl-vpn-policy internal
group-policy ssl-vpn-policy attributes
dns-server value
vpn-tunnel-protocol ssl-client

Step 4: Configuring the Tunnel Group on Cisco ASA for AnyConnect SSL VPN

Tunnel Group allows us to bind the IP Pool and Group Policy configurations defined in previous steps. Execute the below commands to create a tunnel group and assign the group policy and VPN IP Pool.

tunnel-group ssl-vpn-tunnel-group type remote-access
tunnel-group ssl-vpn-tunnel-group general-attributes
address-pool anyconnect-vpn-pool
default-group-policy ssl-vpn-policy

Now, configure the web VPN attributes for this tunnel group.

tunnel-group ssl-vpn-tunnel-group webvpn-attributes
group-alias Internal-VPN enable

Step 5: Enabling the Web VPN and Cisco AnyConnect on the Outside Interface

This is the last step of the Cisco AnyConnect VPN configuration. First, we will enable the Web VPN on the Outside interface. Further, we need to enable the AnyConnect VPN on the outside interface.

enable outside
anyconnect image disk0:/anyconnect-win-4.4.02039-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable

Now, you should access the internal resources using a remote access VPN.

Step 6: Configuring the ACLs (Access Control List) to and NAT for AnyConnect SSL VPN Traffic

Since we configured Full-Tunnel Remote VPN, the internet traffic will hit the outside interface and go again to the ISP through the same interface. So, we must configure Hairpin NAT on Cisco ASA to send this traffic to the ISP. You can use the below command to configure a Hairpin NAT for this traffic:

nat (outside,outside) source dynamic anyconnect-vpn-subnet interface

Since the traffic is getting in and out from the same interface, we must allow the same security-level traffic on ASA.

same-security-traffic permit intra-interface

That’s it. Now, you should connect to the ASA using AnyConnect and access inside and internet resources through the firewall.

Step 7: Verifying the Cisco AnyConnect SSL VPN Connectivity

Now, go to your remote computer and try to access the outside interface IP Address, i.e., You should get a Web VPN page with an authentication prompt.

Sign in using the defined credentials, i.e., user1, and proceed with the Cisco AnyConnection installation. Once completed, try to connect the SSL VPN on


If you noticed, we haven’t defined any certificate throughout the configuration. This means we are using a factory default certificate. By default, if you connect to AnyConnect, you will get the below warning message: Untrusted Server BLocked! AnyConnect cannot verify server:


You can click on the change setting and unselect block connection to untrusted servers. You will get another warning due to the factory default certificate.


Once you click Connect Anyway, you need to log in with your credentials.


Finally, AnyConnect VPN should connect.


Let’s try to access the Internal Web Server from the external PC:


Pinging with 32 bytes of data:
Reply from bytes=32 time=1ms TTL=64
Reply from bytes=32 time=1ms TTL=64
Reply from bytes=32 time=42ms TTL=64
Reply from bytes=32 time=20ms TTL=64

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 42ms, Average = 16ms

Since we are using a full-tunnel VPN, Let’s try to access the internet:

Pinging with 32 bytes of data:
Reply from bytes=32 time=72ms TTL=113
Reply from bytes=32 time=74ms TTL=113
Reply from bytes=32 time=56ms TTL=113
Reply from bytes=32 time=76ms TTL=113

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 56ms, Maximum = 76ms, Average = 69ms

Step 8: Enabling the split tunnel for SSL VPN on Cisco ASA

To enable a split tunnel, first, define the interested traffic using an ACL. We have two different subnets, i.e., Inside and DMZ, that we will access through the Remote VPN. Let’s create a standard ACL by hitting the below command:

access-list anyconnect-vpn-networks standard permit
access-list anyconnect-vpn-networks standard permit

Now, add this access list to the group policy created earlier.

group-policy ssl-vpn-policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value anyconnect-vpn-networks

Now, let’s try to connect to the AnyConnect VPN and check the routes. You will only get and networks. You will also get the route of the internal DNS server.


Further Reading


Cisco AnyConnect VPN is a Remote Access VPN solution that can easily connect with ASA and other firewalls and provide secure access to internal resources. First, we uploaded the AnyConnect Image on ASA, then defined the IP Pool and users. Further, we configured the Group and Tunnel Policy. Last, we applied the Hairpin NAT to forward the full-tunnel traffic to the ISP.

Did you find this article helpful? Please share it on social media platforms and show us some love 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Copy link is now!