Cisco sets the bar for mobile security

21.03.2011

For example, split tunneling can be done with a much higher level of granularity than was available previously, a great security improvement. But digging out the different features and getting them properly configured involves multiple screens and "Advanced" tabs that have to be opened. The result is that it is easier not to use this new feature at all and to settle for a less secure deployment.

While much of the VPN feature set can be configured using the command-line interface (CLI), making full use of the feature set requires you to use ASDM. The basic encryption and tunneling tools are all CLI-based and CLI-debuggable, but some parts of the client-side policy configuration rely on hidden files on the internal flash that are best left to ASDM to keep straight.

We built a basic ASA firewall using the CLI, and then we stuck entirely with ASDM. Once we got all of the licensing pieces worked out, our final configuration with RADIUS authentication, end-point security checking, and Web-based downloading of the AnyConnect client from the ASA appliance took only about an hour.

But that configuration was done with the help of one of Cisco's trainers. The solution has a lot of moving parts, and without hands-on guidance, we could have spent days covering the same territory. If you can possibly afford the time, sit down and read through the documentation or take some training.