Cisco ASA Remote Access VPN Configuration CLI – Anyconnect

October 21, 2020

We are configuring a remote access VPN using the topology below. One router creates the LAN behind the ASA firewall, a second router provides the ISP environment, and a Windows PC is the client. There is no need to install the AnyConnect software on the PC in advance: it can be downloaded from the ASA by browsing to the ASA's outside IP address, for example https://X.X.X.X

LAN ---------- ASA ---------- ISP ---------- PC (AnyConnect)

LAN (Router)

Router#conf t
Router(config)#hostname LAN
LAN(config)#ip http server
LAN(config)#interface Ethernet1/0
LAN(config-if)#ip address 10.10.10.100 255.255.255.0
LAN(config-if)#no shut
LAN(config-if)#exit
LAN(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.254
LAN(config)#ip domain name xyz.com
LAN(config)#end
LAN#wr

ISP (Router)

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname ISP
ISP(config)#interface Ethernet1/0
ISP(config-if)#ip address 88.1.1.1 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#exit
ISP(config)#interface Ethernet1/1
ISP(config-if)#ip address 199.1.1.1 255.255.255.252
ISP(config-if)#no shut
ISP(config-if)#end
ISP#wr


ASA

Ciscoasa#conf t
Ciscoasa(config)#hostname ASA-1
ASA-1(config)#interface GigabitEthernet0/0
ASA-1(config-if)# nameif inside
ASA-1(config-if)# security-level 100
ASA-1(config-if)# ip address 10.10.10.254 255.255.255.0
ASA-1(config-if)# no shut
ASA-1(config-if)#exit
ASA-1(config)#interface GigabitEthernet0/1
ASA-1(config-if)# nameif outside
ASA-1(config-if)# security-level 0
ASA-1(config-if)# ip address 199.1.1.2 255.255.255.252
ASA-1(config-if)#no shut
ASA-1(config-if)#exit
ASA-1(config)# route outside 0.0.0.0 0.0.0.0 199.1.1.1
ASA-1(config)# username eve password eve
ASA-1(config)# crypto key generate rsa modulus 4096
WARNING: You have a RSA keypair already defined named .

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
ASA-1(config)#

ASA-1(config)# aaa authentication ssh console LOCAL
ASA-1(config)# ssh 10.10.10.0 255.255.255.0 inside
ASA-1(config)# ssh version 2
ASA-1(config)#exit
ASA-1# copy tftp disk0:/anyconnect-win-4.5.05030-webdeploy-k9.pkg
ASA-1# conf t
ASA-1(config)# object network VPN
ASA-1(config-network-object)# subnet 20.20.20.0 255.255.255.0
ASA-1(config-network-object)# exit
ASA-1(config)# nat (inside,outside) source static any any destination static VPN VPN no-proxy-arp

ASA-1(config)# ip local pool VPN_POOL 20.20.20.100-20.20.20.110 mask 255.255.255.0

ASA-1(config)# webvpn
ASA-1(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA-1(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.5.05030-webdeploy-k9.pkg 1
ASA-1(config-webvpn)# anyconnect enable
ASA-1(config-webvpn)# tunnel-group-list enable

ASA-1(config-webvpn)# group-policy VPN_POLICY internal
ASA-1(config)# group-policy VPN_POLICY attributes
ASA-1(config-group-policy)# vpn-tunnel-protocol ssl-client

ASA-1(config-group-policy)# default-domain value xyz.com
ASA-1(config-group-policy)# dns-server value 8.8.8.8

ASA-1(config)# tunnel-group SALES_USERS type remote-access
ASA-1(config)# tunnel-group SALES_USERS general-attributes
ASA-1(config-tunnel-general)# address-pool VPN_POOL
ASA-1(config-tunnel-general)# default-group-policy VPN_POLICY
ASA-1(config-tunnel-general)# tunnel-group SALES_USERS webvpn-attributes
ASA-1(config-tunnel-webvpn)# group-alias SALES_USERS enable
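As an added check on the finished configuration (example code written for this page, not the author's or Cisco's): a short Python auditor that parses the ASA lines above, flags the local user whose password equals the username, notes that tunnel-group-list enable exposes the alias list on the portal page, and verifies that the pool and group policy the tunnel-group references are actually defined. It assumes the config is captured as plain text with the same one-space indentation that show running-config produces.

```python
import re

# Constructed sample: the security-relevant lines of the ASA configuration on this page.
SAMPLE_CONFIG = """\
username eve password eve
aaa authentication ssh console LOCAL
ssh 10.10.10.0 255.255.255.0 inside
ssh version 2
ip local pool VPN_POOL 20.20.20.100-20.20.20.110 mask 255.255.255.0
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
 vpn-tunnel-protocol ssl-client
tunnel-group SALES_USERS type remote-access
tunnel-group SALES_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_POLICY
tunnel-group SALES_USERS webvpn-attributes
 group-alias SALES_USERS enable
"""


def audit_asa_vpn(config: str) -> dict:
    """Return a dict of findings for a captured ASA configuration."""
    stripped = [ln.strip() for ln in config.splitlines()]

    def matches(pattern):  # first capture group of every line matching pattern
        return {m.group(1) for m in (re.match(pattern, ln) for ln in stripped) if m}

    findings = {}
    # Management plane: SSHv2 forced and local AAA actually applied to SSH.
    findings["ssh_v2"] = "ssh version 2" in stripped
    findings["ssh_local_aaa"] = "aaa authentication ssh console LOCAL" in stripped
    # Local users whose password equals the username (the page's 'username eve password eve').
    users = [re.match(r"username (\S+) password (\S+)$", ln) for ln in stripped]
    findings["weak_local_users"] = [m.group(1) for m in users if m and m.group(1) == m.group(2)]
    # 'tunnel-group-list enable' shows the group alias drop-down to unauthenticated portal visitors.
    findings["group_list_exposed"] = "tunnel-group-list enable" in stripped
    # Every address-pool and default-group-policy a tunnel-group references must be defined.
    findings["undefined_pools"] = sorted(matches(r"address-pool (\S+)") - matches(r"ip local pool (\S+)"))
    findings["undefined_policies"] = sorted(
        matches(r"default-group-policy (\S+)") - matches(r"group-policy (\S+) internal"))
    # AnyConnect enabled on the portal and the tunnel protocol limited to the SSL client.
    findings["anyconnect_enabled"] = "anyconnect enable" in stripped
    findings["ssl_client_only"] = "vpn-tunnel-protocol ssl-client" in stripped
    return findings
```

On a saved running-config the username line carries an encrypted hash rather than the cleartext typed here, so the weak-password check only applies to the CLI as entered.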
