Cisco ASA 5505 Configuration Manual page 1353

Asa 5500 series

Chapter 64
General VPN Setup
For more information about creating and deploying AnyConnect client profiles and controlling client
features, see the AnyConnect VPN Client Administrator Guide.
Fields
Profile Name—Specify a name for the profile you add.
Profile Usage—This feature is not currently supported. See the release notes for the AnyConnect VPN
client for the latest information on supported features.
Group Policy—Specify a group policy for this profile. The profile downloads to users belonging to the
group policy along with the AnyConnect client.
Profile Location—Specify a path to the profile file in the adaptive security appliance flash memory. If
the file does not exist, the adaptive security appliance creates one based on the profile template.
Exporting an AnyConnect Client Profile
Export an AnyConnect VPN client profile from this window. You can export to a local device or a remote
server.
For more information about creating and deploying AnyConnect client profiles and controlling client
features, see the AnyConnect VPN Client Administrator Guide.
Fields
Device Profile Path—Displays the path and filename of the profile file.
Local Path—Specify the path and filename to export the profile file.
Browse Local—Click to launch a window to browse the local device file system.
Exempting AnyConnect Traffic from Network Address Translation
If you have configured your ASA to perform network address translation (NAT), you must exempt your
remote access AnyConnect client traffic from being translated so that the AnyConnect clients, internal
networks, and corporate resources on a DMZ can originate network connections to each other. Failing
to exempt the AnyConnect client traffic from being translated prevents the AnyConnect clients and other
corporate resources from communicating.
"Identity NAT" (also known as "NAT exemption") allows an address to be translated to itself, which
effectively bypasses NAT. Identity NAT can be applied between two address pools, an address pool and
a subnetwork, or two subnetworks.
This procedure illustrates how you would configure identity NAT between these hypothetical network
objects in our example network topology: Engineering VPN address pool, Sales VPN address pool,
inside network, a DMZ network, and the Internet. Each Identity NAT configuration requires one NAT
rule.
Table 64-1   Network Addressing for Configuring Identity NAT for VPN Clients

Network or Address Pool        Network or address pool name   Range of addresses
Inside network                 inside-network                 10.50.50.0 - 10.50.50.255
Engineering VPN address pool   Engineering-VPN                10.60.60.1 - 10.60.60.254
Sales VPN address pool         Sales-VPN                      10.70.70.1 - 10.70.70.254
DMZ network                    DMZ-network                    192.168.1.0 - 192.168.1.255

Configuring AnyConnect (SSL) VPN Client Connections
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 64-43
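
The following check is an added example, not part of the Cisco guide. It scans NAT lines from a running configuration and reports which pairs of the Table 64-1 objects still lack an identity NAT rule, treating a rule as identity only when each object is translated to itself. Assumptions: ASA 8.3 or later "nat ... source static ... destination static ..." syntax, the interface names, the mapped-DMZ object, the sample configuration (constructed), and the list of pairs that must communicate.

```python
import re

# Object names from Table 64-1.
VPN_POOLS = ["Engineering-VPN", "Sales-VPN"]
INTERNAL = ["inside-network", "DMZ-network"]

# Constructed sample, not taken from a real device. Interface names and the
# mapped-DMZ object are assumptions made for this example.
SAMPLE_CONFIG = """\
nat (inside,outside) source static inside-network inside-network destination static Engineering-VPN Engineering-VPN
nat (inside,outside) source static inside-network inside-network destination static Sales-VPN Sales-VPN
nat (dmz,outside) source static DMZ-network DMZ-network destination static Engineering-VPN Engineering-VPN
nat (dmz,outside) source static DMZ-network mapped-DMZ destination static Sales-VPN Sales-VPN
nat (outside,outside) source static Engineering-VPN Engineering-VPN destination static Sales-VPN Sales-VPN
"""

NAT_RE = re.compile(
    r"^nat \((?P<real_if>\S+),(?P<mapped_if>\S+)\) source static (?P<src>\S+) (?P<src_m>\S+)"
    r" destination static (?P<dst>\S+) (?P<dst_m>\S+)")


def identity_pairs(config):
    """Return the unordered object pairs covered by an identity NAT rule."""
    pairs = set()
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        # Identity NAT: real and mapped object are the same on both sides.
        if m and m["src"] == m["src_m"] and m["dst"] == m["dst_m"]:
            pairs.add(frozenset((m["src"], m["dst"])))
    return pairs


def required_pairs():
    """Assumed policy: each VPN pool reaches each internal network and the other pool."""
    req = {frozenset((p, n)) for p in VPN_POOLS for n in INTERNAL}
    req.add(frozenset(VPN_POOLS))
    return req


def missing_exemptions(config):
    """Pairs that need NAT exemption but have no identity rule, in sorted order."""
    return sorted(tuple(sorted(p)) for p in required_pairs() - identity_pairs(config))


if __name__ == "__main__":
    for a, b in missing_exemptions(SAMPLE_CONFIG):
        print(f"no identity NAT between {a} and {b}")
```

In the sample, the fourth rule translates DMZ-network to a different object, so the DMZ-network and Sales-VPN pair is reported as not exempt even though a NAT rule for it exists.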


This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
