Changes Required for AnyConnect in 8.4

A few days ago I wrote an article that explained the configuration steps required to implement a basic AnyConnect environment. That article was based on a pre-8.3 version of the ASA OS. Many organizations are starting to implement ASA 8.4 (and skipping over 8.3). This article describes the differences when implementing AnyConnect on 8.4, assuming familiarity with the 8.2 configuration.

The major difference in the AnyConnect configuration on 8.4, as opposed to 8.2, is the NAT syntax. Beyond that, there are minimum version prerequisites for the AnyConnect client. To demonstrate the differences, I simply went through the upgrade process from 8.2 to 8.4.

Prior to the upgrade, I upgraded the client images to meet Cisco’s prerequisites. According to Cisco, AnyConnect clients need to use the Cisco AnyConnect Secure Mobility Client version 2.5.0217 or above. This simply requires copying the images to the ASA via TFTP. Then the “webvpn” section of the configuration needs to be updated to include the new software images (see below). When the clients connect, the software will update.

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 2
 anyconnect enable

All of the other differences are related to the configuration changes in the NAT syntax. Prior to the upgrade, the NAT configuration looked like the following.

// ACL for NAT Exemption
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 

// SPLIT Tunnel ACL (not NAT related)
access-list SPLIT standard permit 192.168.1.0 255.255.255.0 

// PAT on the interface
global (outside) 1 interface
// NAT Exemption
nat (inside) 0 access-list NONAT
// NAT any inside address to global "1" (above)
nat (inside) 1 0.0.0.0 0.0.0.0

// Client Pool (not NAT related, but shown to understand the NAT Exemption requirement)
ip local pool client-pool 192.168.2.1-192.168.2.254 mask 255.255.255.0

After upgrading the configuration to 8.4, the NAT configuration is changed as follows.

// object group to represent 192.168.1.0/24 (inside addresses)
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0

// object group to represent 192.168.2.0/24 (vpn pool addresses)
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0

// object group to represent the "world"
object network obj_any
 subnet 0.0.0.0 0.0.0.0

// ACL for NAT exemption -- no longer used and could be deleted
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 

// SPLIT Tunnel ACL (not NAT related)
access-list SPLIT standard permit 192.168.1.0 255.255.255.0 

// Client Pool (not NAT related, but shown to understand the NAT Exemption requirement)
ip local pool client-pool 192.168.2.1-192.168.2.254 mask 255.255.255.0

// new NAT exemption syntax referencing the above object groups
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp

// PAT configuration referencing the "world" object group and binding to the outside interface
object network obj_any
 nat (inside,outside) dynamic interface
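As an added example (not from the article), the following Python script performs the same 8.2-to-8.4 NAT exemption translation shown above on a constructed copy of the 8.2 lines, and also flags any VPN pool addresses that no exemption destination covers, since traffic to those would be caught by the dynamic PAT instead. The regular expressions and the obj- naming are assumptions modelled on the article's syntax.

```python
import ipaddress
import re

# Constructed sample of the article's pre-8.4 configuration (not taken from a live device).
OLD_CONFIG = """
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
ip local pool client-pool 192.168.2.1-192.168.2.254 mask 255.255.255.0
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+) mask")

def obj_name(net):
    """Object name in the article's style, e.g. obj-192.168.1.0 (assumed convention)."""
    return f"obj-{net.network_address}"

def parse_exemptions(config):
    """Expand each 'nat (ifc) 0 access-list X' line into (ifc, src, dst) network triples."""
    acls = {}
    for name, sip, smask, dip, dmask in ACL_RE.findall(config):
        acls.setdefault(name, []).append(
            (ipaddress.ip_network(f"{sip}/{smask}"), ipaddress.ip_network(f"{dip}/{dmask}")))
    return [(ifc, src, dst) for ifc, name in NAT0_RE.findall(config)
            for src, dst in acls.get(name, [])]

def to_84_syntax(exemptions):
    """Emit the 8.4 network objects plus the twice-NAT identity lines that replace 'nat 0'."""
    lines, defined = [], set()
    for ifc, src, dst in exemptions:
        for net in (src, dst):
            if net not in defined:  # define each network object only once
                defined.add(net)
                lines += [f"object network {obj_name(net)}",
                          f" subnet {net.network_address} {net.netmask}"]
        lines.append(f"nat ({ifc},any) source static {obj_name(src)} {obj_name(src)} "
                     f"destination static {obj_name(dst)} {obj_name(dst)} no-proxy-arp")
    return lines

def pool_uncovered(config, exemptions):
    """VPN pool blocks that no exemption destination covers; they would hit the dynamic PAT."""
    m = POOL_RE.search(config)
    if not m:
        return []
    first, last = (ipaddress.ip_address(a) for a in m.groups())
    dsts = [dst for _, _, dst in exemptions]
    return [str(blk) for blk in ipaddress.summarize_address_range(first, last)
            if not any(blk.subnet_of(d) for d in dsts)]
```

Running `to_84_syntax(parse_exemptions(OLD_CONFIG))` reproduces the object and twice-NAT lines from the 8.4 configuration above, and `pool_uncovered` returns an empty list because the whole client pool sits inside obj-192.168.2.0.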

As this exercise has shown, a very simple ASA configuration has some material changes in version 8.4 as opposed to 8.2. However, these changes are exclusive to the new NAT syntax. There are new VPN features that can be implemented in 8.4 but are not part of our basic AnyConnect configuration.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

5 Responses to Changes Required for AnyConnect in 8.4

  1. Azam says:

    Can you please check my SSL AnyConnect configuration that I will be doing on one of our clients' ASA5540 8.4(2)?

    ============================================
    Identity Nat
    ============================================
    object network INSIDE_HOSTS
    subnet 172.16.0.0 255.255.0.0
    !
    object network RAVPN_HOSTS
    subnet 172.16.170.0 255.255.255.0
    !
    nat (inside,Sahara-internet) source static INSIDE_HOSTS INSIDE_HOSTS destination static RAVPN_HOSTS RAVPN_HOSTS

    ============================================
    Identity Nat
    ============================================
    object network INSIDE_HOSTS1
    subnet 172.18.0.0 255.255.0.0
    !
    object network RAVPN_HOSTS1
    subnet 172.16.170.0 255.255.255.0
    !
    nat (inside,Sahara-internet) source static INSIDE_HOSTS1 INSIDE_HOSTS1 destination static RAVPN_HOSTS1 RAVPN_HOSTS1

    ===============================================
    Define your Split Tunnel ACL
    ===============================================
    ASA(config)# access-list rbt_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
    ASA(config)# access-list rbt_splitTunnelAcl standard permit 172.18.0.0 255.255.0.0

    =======================================
    Define the Group Policy for the WebVPN
    =======================================
    ASA(config)# group-policy NPC_SSLVPN internal
    ASA(config)# group-policy NPC_SSLVPN attributes
    ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
    ASA(config-group-policy)# webvpn
    ASA(config-group-webvpn)# split-tunnel-policy tunnelspecified
    ASA(config-group-webvpn)# split-tunnel-network-list value splitVPN
    ASA(config-group-webvpn)# split-dns value *****************
    ASA(config-group-webvpn)# dns-server value ************

    ============================
    Define a DHCP pool for the clients to use
    ============================
    ASA(config)# ip local pool NPCPOOL 172.16.170.51-172.16.170.200 mask 255.255.255.0

    ============================
    Define a local user to use for the VPN
    ============================
    ASA(config)# username password privilege 15
    ASA(config)# username attributes
    ASA(config-username)# vpn-group-policy NPC_SSLVPN

    =============================================
    Enable WebVPN
    =============================================
    ASA(config)# webvpn
    ASA(config-webvpn)# enable Sahara-internet
    ASA(config-webvpn)# anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 1
    ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 2
    ASA(config-webvpn)# anyconnect enable

    =============================================
    Define the tunnel group
    =============================================
    ASA(config)# Tunnel-group TG_SSLVPN type remote-access
    ASA(config)# Tunnel-group TG_SSLVPN general-attributes
    ASA(config-tunnel-general)# default-group-policy NPC_SSLVPN
    ASA(config-tunnel-general)# address-pool NPCPool

    ===============================
    Link the tunnel group to WebVPN
    ===============================
    ASA(config)# webvpn
    ASA(config-webvpn)# tunnel-group-list enable
    ASA(config-webvpn)# exit
    ASA(config)# tunnel-group TG_SSLVPN webvpn-attributes
    ASA(config-tunnel-webvpn)# group-alias AnyConnect enable

    ====================
    Saving the config
    ====================
    ASA(config)# write

    • Paul Stewart says:

      I hope to have time to look at this over the weekend.

    • Paul Stewart says:

      After a quick glance, it looks like it should mostly work. Obviously, I would recommend testing it in a lab and confirming all aspects of it. The only thing that looked a little strange to me was the split tunnel. For example, there is an ACL called rbt_splitTunnelAcl. However, it appears that splitVPN is applied. Additionally, the inclusion of 172.16.0.0/16 in rbt_splitTunnelAcl seems unnecessary unless there are parts of 172.16.0.0 that are on the inside. In that case, they also should be added to the NAT exemption. Again, that was only a quick glance and I've not dropped the config on an actual device.

  2. Azam says:

    Thanks for your feedback.
    Yes, it's a split tunnel configuration and there are two inside networks: one is 172.18.0.0/16
    and the other is 172.16.0.0/16.
    I have mentioned the identity NAT for the 172.16.0.0/16 subnet.

  3. ALIS says:

    Please Paul, can you post a tutorial on how to configure advanced AnyConnect VPN with ASA 8.4?
