This document describes how to configure the Adaptive Security
Appliance (ASA) to route the SSL VPN traffic through the tunneled default
gateway (TDG). When you create a default route with the tunneled option, all
traffic from a tunnel terminating on the ASA that cannot be routed using
learned or static routes is sent to this route. For traffic emerging from a
tunnel, this route overrides any other configured or learned default
Ensure that you meet these requirements before you attempt this
ASA that runs on version 8.x
Cisco SSL VPN Client (SVC) 1.x
Note: Download the SSL VPN Client package (sslclient-win*.pkg) from
(registered customers only)
. Copy the SVC to the flash memory on the ASA. The SVC needs to
be downloaded to the remote user computers in order to establish the SSL VPN
connection with the ASA.
The information in this document is based on these software and
Cisco 5500 Series ASA that runs software version
Cisco SSL VPN Client version for Windows 126.96.36.199
PC that runs Windows 2000 Professional or Windows
Cisco Adaptive Security Device Manager (ASDM) version
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the
Technical Tips Conventions for more information on document
The SSL VPN Client (SVC) is a VPN tunneling technology that gives
remote users the benefits of an IPSec VPN client without the need for network
administrators to install and configure IPSec VPN clients on remote computers.
The SVC uses the SSL encryption that is already present on the remote computer
as well as the WebVPN login and authentication of the Security
In the current scenario, there is an SSL VPN client connecting to the
internal resources behind the ASA through the SSL VPN tunnel. The split-tunnel
is not enabled. When the SSL VPN client is connected to the ASA, all the data
will be tunneled. Besides accessing the internal resources, the main criterion
is to route this tunneled traffic through the Default Tunneled Gateway
You can define a separate default route for tunneled traffic along with
the standard default route. Unencrypted traffic received by the ASA, for which
there is no static or learned route, is routed through the standard default
route. Encrypted traffic received by the ASA, for which there is no static or
learned route, will be passed to the DTG defined through the tunneled default
In order to define a tunneled default route, use this command:
route <if_name> 0.0.0.0 0.0.0.0 <gateway_ip> tunneled
In this section, you are presented with the information to configure
the features described in this document.
Note: Use the
Command Lookup Tool
(registered customers only)
to obtain more information on
the commands used in this section.
This document uses this network setup:
In this example, the SSL VPN Client accesses the inside network of the
ASA through the tunnel. The traffic meant for destinations other than the
inside network are also tunneled, as there is no split-tunnel configured, and
are routed through the TDG (192.168.100.20).
After the packets are routed to the TDG, which is Router 2 in this
case, it performs the address translation to route those packets ahead to the
Internet. For more information on configuring a router as an Internet Gateway,
to Configure a Cisco Router Behind a Non-Cisco Cable Modem.
This document assumes the basic configurations, such as interface
configuration, are complete and work properly.
Note: Refer to
HTTPS Access for ASDM for information on how to allow the ASA to be
configured by the ASDM.
Note: WebVPN and ASDM cannot be enabled on the same ASA interface unless
you change the port numbers. Refer to
and WebVPN Enabled on the Same Interface of ASA for more
Complete these steps in order to configure the SSL VPN by using the SSL
From the Wizards menu, choose SSL VPN
Click the Cisco SSL VPN Client check box, and
Enter a name for the connection in the Connection Name field, and
then choose the interface that is being used by the user to access the SSL VPN
from the SSL VPN Interface drop-down list.
Choose an authentication mode, and click Next.
(This example uses local authentication.)
Create a new group policy other than the existing default group
Create a new pool of addresses which will be assigned to the SSL
VPN client PCs once they get connected.
A pool of range 192.168.10.40-192.168.10.50 has been created by
Click Browse in order to choose and upload the SSL
VPN Client image to the flash memory of the ASA.
Click Upload in order to set the file path from
the local directory of the machine.
Click Browse Local Files in order to select the
directory where the sslclient.pkg file exists.
Click Upload File in order to upload the selected
file to the flash of ASA.
Once the file is uploaded on to the flash of ASA, click
OK to complete that task.
Now it shows the latest anyconnect pkg file uploaded on to the
flash of ASA. Click Next.
The summary of the SSL VPN client configuration is shown. Click
Finish to complete the wizard.
The configuration shown in ASDM mainly pertains to the SSL VPN client
In the CLI, you can observe some additional configuration. The complete
CLI configuration is shown below and important commands have been
ASA Version 8.0(4)
enable password 8Ry2YjIyt7RRXU24 encrypted
ip address 188.8.131.52 255.255.255.224
ip address 192.168.100.2 255.255.255.0
ip address 10.1.1.1 255.255.255.0
no ip address
no ip address
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
!--- ACL to define the traffic to be exempted from NAT.
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu manage 1500
!--- Creating IP address block to be assigned for the VPN clients
ip local pool newpool 192.168.10.40-192.168.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
!--- The traffic permitted in "nonat" ACL is exempted from NAT.
nat (inside) 1 192.168.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 184.108.40.206 1
!--- Default route is configured through "inside" interface
for normal traffic.
route inside 0.0.0.0 0.0.0.0 192.168.100.20 tunneled
!--- Tunneled Default route is configured through "inside" interface
for encrypted traffic
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
!--- Configuring the ASA as HTTP server.
http 10.1.1.0 255.255.255.0 manage
!--- Configuring the network to be allowed for ASDM access.
!--- Output is suppressed
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection statistics access-list
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
!--- Output suppressed
!--- Enable WebVPN on the outside interface
svc image disk0:/sslclient-win-220.127.116.11.pkg 1
!--- Assign the AnyConnect SSL VPN Client image to be used
!--- Enable the ASA to download SVC images to remote computers
group-policy grppolicy internal
!--- Create an internal group policy "grppolicy"
group-policy grppolicy attributes
!--- Specify SSL as a permitted VPN tunneling protocol
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
!--- Create a user account "cisco"
tunnel-group Test type remote-access
!--- Create a tunnel group "Test" with type as remote access
tunnel-group Test general-attributes
!--- Associate the address pool vpnpool created
!--- Associate the group policy "clientgroup" created
prompt hostname context
The commands given in this section can be used to verify this
Output Interpreter Tool
(registered customers only)
(OIT) supports certain
show commands. Use the OIT to view an analysis of
show command output.
There is currently no specific troubleshooting information available
for this configuration.