A few days ago I wrote an article that explained the configuration steps required to implement a basic AnyConnect environment. That article was based on a pre-8.3 version of the ASA OS. Many organizations are starting to implement ASA 8.4 (and skipping over 8.3). This article describes what changes when implementing AnyConnect on 8.4, assuming familiarity with the 8.2 configuration.
The major difference for AnyConnect on 8.4, as opposed to 8.2, is the NAT configuration. Beyond that, there are minimum version prerequisites for the AnyConnect client. To demonstrate the differences, I simply went through the upgrade process from 8.2 to 8.4.
Prior to the upgrade, I upgraded the client images to meet Cisco’s prerequisites. According to Cisco, AnyConnect clients need to use the Cisco AnyConnect Secure Mobility Client version 2.5.0217 or above. This simply requires copying the images to the ASA via TFTP. Then the “webvpn” section of the configuration needs to be updated to include the new software images (see below). When the clients next connect, the client software will update itself.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 2
 anyconnect enable
All of the other differences are related to the configuration changes in the NAT syntax. Prior to the upgrade, the NAT configuration looked like the following.
! ACL for NAT exemption
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Split-tunnel ACL (not NAT related)
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
! PAT on the outside interface
global (outside) 1 interface
! NAT exemption
nat (inside) 0 access-list NONAT
! NAT any inside address to global "1" (above)
nat (inside) 1 0.0.0.0 0.0.0.0
! Client pool (not NAT related, but shown to understand the NAT exemption requirement)
ip local pool client-pool 192.168.2.1-192.168.2.254 mask 255.255.255.0
After upgrading the configuration to 8.4, the NAT configuration changes as follows.
! network object representing 192.168.1.0/24 (inside addresses)
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
! network object representing 192.168.2.0/24 (VPN pool addresses)
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
! network object representing the "world"
object network obj_any
 subnet 0.0.0.0 0.0.0.0
! ACL for NAT exemption -- no longer used by NAT and could be deleted
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Split-tunnel ACL (not NAT related)
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
! Client pool (not NAT related, but shown to understand the NAT exemption requirement)
ip local pool client-pool 192.168.2.1-192.168.2.254 mask 255.255.255.0
! New NAT exemption syntax (manual/twice NAT) referencing the network objects above
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
! PAT configuration (object NAT) referencing the "world" object and binding to the outside interface
object network obj_any
 nat (inside,outside) dynamic interface
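To see why the 8.4 exemption still works even though obj_any matches every inside source, here is a small added Python model of the ASA 8.4 NAT table (my own illustration, not Cisco code or output): manual NAT rules are section 1 and are evaluated before the object NAT rules of section 2, so the identity rule wins for traffic headed to the client pool. The class names, action labels and the 203.0.113.7 Internet address are constructed; the networks are the article's own, and interface matching is deliberately left out of the model.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the ASA 8.4 NAT table built by the configuration above.
# Manual (twice) NAT such as "nat (inside,any) source static ... destination static ..."
# lives in section 1 and is evaluated, in order, before object NAT in section 2
# ("object network obj_any" / "nat (inside,outside) dynamic interface").

@dataclass
class ManualNat:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str = "identity"   # real == mapped on both sides, i.e. NAT exemption

@dataclass
class ObjectNat:
    real: ipaddress.IPv4Network
    action: str = "pat-outside-interface"

@dataclass
class NatTable:
    section1: list = field(default_factory=list)   # manual NAT, evaluated first
    section2: list = field(default_factory=list)   # object NAT, evaluated second

    def decide(self, src_ip: str, dst_ip: str) -> str:
        """Return the action of the first rule that matches the packet."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for rule in self.section1:
            if src in rule.src and dst in rule.dst:
                return rule.action
        for rule in self.section2:
            if src in rule.real:
                return rule.action
        return "no-translation"

def article_nat_table(with_exemption: bool = True) -> NatTable:
    """The two NAT rules from the 8.4 configuration; with_exemption=False models
    the misconfiguration where only the obj_any PAT rule exists."""
    net = ipaddress.ip_network
    table = NatTable()
    if with_exemption:
        table.section1.append(ManualNat(net("192.168.1.0/24"), net("192.168.2.0/24")))
    table.section2.append(ObjectNat(net("0.0.0.0/0")))
    return table

if __name__ == "__main__":
    good, bad = article_nat_table(), article_nat_table(with_exemption=False)
    # Inside host answering an AnyConnect client in the pool: must stay untranslated.
    print(good.decide("192.168.1.10", "192.168.2.20"))   # identity
    # Inside host going to the Internet: PAT to the outside interface address.
    print(good.decide("192.168.1.10", "203.0.113.7"))    # pat-outside-interface
    # Without the exemption the reply to the VPN client is PATed and the session breaks.
    print(bad.decide("192.168.1.10", "192.168.2.20"))    # pat-outside-interface
```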
As this exercise has shown, even a very simple ASA configuration sees some material changes in version 8.4 as opposed to 8.2. However, these changes are exclusive to the new NAT syntax. There are new VPN features that can be implemented in 8.4, but they are not part of our basic AnyConnect configuration.