93 Days to CCIE SEC v6.1 Lab

AnyConnect Remote Access VPN on ASA1v / ASA11v

ISE + Active Directory Authentication, ASA DHCP Pool, and ISE DACL-Based Authorization

Cisco Remote Access VPN

A Remote Access VPN extends a private corporate network across a public infrastructure (the Internet). Unlike a Site-to-Site VPN, which connects two fixed locations, a Remote Access VPN allows individual users to establish a secure, encrypted “tunnel” from any location using a software client like Cisco AnyConnect Secure Mobility Client.

The VPN client (for example, Cisco AnyConnect) establishes an encrypted tunnel to a VPN headend (ASA, Firepower, or Secure Firewall), ensuring confidentiality, integrity, and user authentication.

How Remote Access VPN Works (High-Level Flow)

  1. User launches the VPN client (AnyConnect)
  2. Client establishes a secure tunnel to the VPN gateway
  3. User authenticates (credentials, certificates, or MFA)
  4. VPN gateway assigns:
    • IP address
    • DNS settings
    • Security policies
  5. User traffic is encrypted and forwarded into the enterprise network

From a networking perspective, the remote user becomes a logical extension of the internal network, subject to routing, NAT, and firewall policies.

VPN Tunnel Types Used in Remote Access

Cisco AnyConnect supports multiple tunnel mechanisms:

SSL/TLS VPN

  • Uses TCP/443
  • Works through most firewalls
  • Ideal for Internet-based access

IKEv2/IPsec

  • Strong cryptography
  • Efficient control plane
  • Often combined with SSL for fallback

Modern deployments typically use SSL/TLS (with DTLS for performance) alongside IKEv2/IPsec, as configured later in this lab with vpn-tunnel-protocol ssl-client ikev2.

Control Plane vs Data Plane

A Remote Access VPN consists of two logical planes:

Control Plane

  • User authentication
  • Authorization decisions
  • Tunnel establishment

Data Plane

  • Encrypted user traffic
  • Policy enforcement (ACLs, DACLs)
  • NAT and routing decisions

In advanced designs (like the one in this blog), authentication and authorisation are offloaded to Cisco ISE, while enforcement remains on the ASA.

Cisco AnyConnect Remote Access VPN remains a cornerstone technology in enterprise remote access designs. While modern Zero Trust solutions are evolving rapidly, ASA + AnyConnect + ISE + AD is still widely deployed and extremely relevant for CCIE Security–level understanding of:

  • Authentication vs Authorization separation
  • AAA control-plane design
  • Dynamic access enforcement using Downloadable ACLs (DACLs)
  • Real-world VPN policy enforcement

This blog walks through a complete deployment using:

  • ASA1v / ASA11v (enforcement)
  • Cisco ISE for authentication and authorisation (policy brain)
  • Microsoft Active Directory as the identity store
  • DHCP address assignment from the ASA
  • ISE DACLs to allow access to only specific internal sites

1. ASA Base Configuration

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0

2. Routing

route outside 0.0.0.0 0.0.0.0 192.168.100.1

3. AnyConnect WebVPN Configuration

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.x.x-k9.pkg 1
anyconnect enable

4. DHCP Pool on ASA (VPN Clients)

The ASA assigns VPN client addresses itself from a local address pool, so no external DHCP server is needed.

ip local pool AC_POOL 10.20.20.10-10.20.20.100 mask 255.255.255.0

5. Group Policy (Minimal – DACL Will Enforce Access)

No split-tunnel ACL is configured: all client traffic is tunnelled, and access is controlled via the ISE DACL.

group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
vpn-tunnel-protocol ssl-client ikev2

6. Tunnel Group Configuration

tunnel-group AC_VPN type remote-access

tunnel-group AC_VPN general-attributes
address-pool AC_POOL
default-group-policy GP_ANYCONNECT
authentication-server-group ISE

tunnel-group AC_VPN webvpn-attributes
group-alias AnyConnect enable

ASA–ISE Integration

aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.10.10.50
key radius123

Join ISE to Active Directory

  • Administration → Identity Management → External Identity Sources → AD
  • Join domain (e.g. lab.local)
  • Verify successful join

Add ASA as Network Device

  • Administration → Network Devices
  • Add ASA IP
  • Enable RADIUS Authentication Settings
  • Configure shared secret

ISE Downloadable ACL (DACL)

Example Requirement

Allow VPN users to access only:

  • Internal Web Server: 10.10.10.100
  • Internal DNS: 10.10.10.10

DACL Configuration

Policy → Policy Elements → Results → Authorization → Downloadable ACLs

permit tcp any host 10.10.10.100 eq 443
permit udp any host 10.10.10.10 eq 53
permit tcp any host 10.10.10.10 eq 53
deny ip any any

ISE Authorization Policy

IF
  AD-Group = VPN_Users_Limited
THEN
  PermitAccess
  Apply DACL = VPN_LIMITED_DACL

💡 Authentication still succeeds, but access is restricted dynamically.
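As an added example (not from the post), a small first-match evaluator for the VPN_LIMITED_DACL above, useful for checking what a VPN_Users_Limited client can and cannot reach before the policy is pushed to ISE. The sample flows are constructed, and the ACE grammar handled is only what this DACL uses (any / host, optional eq port).

```python
import ipaddress
# VPN_LIMITED_DACL exactly as defined in ISE above.
VPN_LIMITED_DACL = """\
permit tcp any host 10.10.10.100 eq 443
permit udp any host 10.10.10.10 eq 53
permit tcp any host 10.10.10.10 eq 53
deny ip any any
"""

def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from tokens; return an ip_network."""
    if tokens[0] == "any":
        del tokens[0]
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        net = ipaddress.ip_network(tokens[1] + "/32")
        del tokens[:2]
        return net
    raise ValueError("unsupported address form: " + " ".join(tokens))

def parse_dacl(text):
    """Parse ACEs of the form '{permit|deny} proto src dst [eq port]'."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        action, proto, rest = t[0], t[1], t[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, port))
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """First matching ACE decides; no match falls to the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in aces:
        if p != "ip" and p != proto:          # 'ip' matches every protocol
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    dacl = parse_dacl(VPN_LIMITED_DACL)   # constructed client IP from AC_POOL below
    print(evaluate(dacl, "tcp", "10.20.20.10", "10.10.10.100", 80))   # deny
```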

NAT Configuration (Critical)

NAT Exemption (Inside ↔ VPN Pool)

object network INSIDE_NET
 subnet 10.10.10.0 255.255.255.0

object network VPN_POOL
 subnet 10.20.20.0 255.255.255.0

nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL

Outside Interface ACL

access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

End-to-End Connection Flow (Deep Dive)

  1. AnyConnect client connects to the ASA
  2. ASA forwards the credentials to ISE
  3. ISE authenticates the user against AD
  4. ISE returns:
    • Access-Accept
    • DACL name
  5. ASA:
    • Assigns an IP from the DHCP pool
    • Applies the DACL dynamically
  6. Traffic is filtered per-user

Validation & Testing

On ASA

show vpn-sessiondb anyconnect
show aaa-server ISE
show access-list

Look for:
  • DACL applied to session
  • Correct IP assignment
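Added example, not part of the post: a script that checks a saved "show vpn-sessiondb detail anyconnect" transcript for the two items above, an address from AC_POOL and the ISE DACL applied as the session filter. The transcript is constructed, and its two-column layout and the Filter Name label are assumed.

```python
import ipaddress
import re

POOL_START, POOL_END = "10.20.20.10", "10.20.20.100"  # from: ip local pool AC_POOL
DACL_NAME = "VPN_LIMITED_DACL"                        # ISE authorization result

# Constructed transcript; the two-column layout is assumed for illustration.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : alice                  Index        : 12
Assigned IP  : 10.20.20.10            Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP_ANYCONNECT          Tunnel Group : AC_VPN
Filter Name  : #ACSACL#-IP-VPN_LIMITED_DACL-0123abcd
"""

# One or two "Label : Value" pairs per line.
_PAIR = re.compile(r"([A-Za-z ]+?)\s*:\s*(\S+)")

def parse_session(text):
    """Flatten the ASA's two-column output into a {label: value} dict."""
    fields = {}
    for line in text.splitlines():
        for label, value in _PAIR.findall(line):
            fields[label.strip()] = value
    return fields

def in_pool(ip):
    """True if ip lies inside the AC_POOL range configured on the ASA."""
    a = ipaddress.ip_address(ip)
    return ipaddress.ip_address(POOL_START) <= a <= ipaddress.ip_address(POOL_END)

def check_session(text):
    """Return (ip_ok, dacl_ok): pool address assigned, ISE DACL applied."""
    f = parse_session(text)
    ip_ok = in_pool(f.get("Assigned IP", "0.0.0.0"))
    # A DACL pushed by ISE appears on the ASA as #ACSACL#-IP-<name>-<hash>.
    dacl_ok = f.get("Filter Name", "").startswith("#ACSACL#-IP-" + DACL_NAME + "-")
    return ip_ok, dacl_ok

if __name__ == "__main__":
    print(check_session(SAMPLE_OUTPUT))  # (True, True)
```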

On ISE

  • Operations → RADIUS → Live Logs
  • Confirm:
    • Authentication = AD
    • Authorization Profile = DACL

Troubleshooting

ASA Debugs

debug webvpn 255
debug radius 255
debug aaa authentication

Happy Labinggggggggggggggggggggggg !