Welcome back to this series where we have been using the Cisco Adaptive Security Device Manager (ASDM) to configure the Cisco ASA. This will be the final article in this series and we will be configuring AnyConnect VPN (full-tunnel SSL VPN) on the Cisco ASA.

Our network diagram is shown below:

SSL VPN removes the need for remote access users to have a pre-installed VPN client on their system before a remote access VPN tunnel can be terminated. When the SSL VPN user successfully authenticates to the SSL VPN gateway, the AnyConnect VPN client is automatically downloaded and installed on the user’s PC; this means that the AnyConnect VPN client must first be uploaded to the router/firewall acting as the SSL VPN gateway. Another cool thing is that the gateway will determine the OS of the remote user’s computer and install the required AnyConnect VPN client, e.g., Windows, MacOS, or Linux. Of course, you must have the AnyConnect VPN client packages for the different operating systems that will be connecting.

Note: The AnyConnect VPN client can also be pre-installed on a user’s PC, thereby removing the need to open a web browser to connect; the user can just connect directly from the installed client.


As in the last article, we will use the wizards provided by ASDM to configure our AnyConnect VPN. You can access these wizards from the menu bar by navigating to Wizards > VPN wizards, as shown below:

I will select AnyConnect VPN Wizard from the list above which presents me with the start screen.

On the next screen, I will specify the connection profile name and the interface on which SSL VPN connections will terminate. I have used “SSLVPN” as my connection profile name. Keep this name in mind, as we will see where it comes up later.

AnyConnect can use either SSL or IPsec (IKEv2) to protect traffic; you can enable both on the ASA. This article talks about AnyConnect IKEv2 IPsec VPN.

As the screen above shows, I currently don’t have any device certificate selected. Normally, you may want to install a digital certificate from a valid CA but, because this is a lab, I will generate a self-signed certificate on the ASA to be used as the device certificate. To do this, I will click on the Manage button.

I will add my self-signed certificate by clicking on the Add button.

Before I can create a certificate, I must first generate a key pair using the New button.

Note: The commands sent to the ASA to generate the key pair and self-signed certificate are:

crypto key generate rsa label SSLVPN noconfirm
crypto ca trustpoint ASDM_TrustPoint0
        revocation-check none
        keypair SSLVPN
        id-usage ssl-ipsec
        no fqdn
        subject-name CN=ASA
        enrollment self
crypto ca enroll ASDM_TrustPoint0 noconfirm

My certificate is now generated and I can move on with the SSL VPN wizard.

On the screen below, we can add AnyConnect images on the ASA that will be downloaded when an SSL VPN user connects. These files are in .pkg format, although I noticed the Linux one I downloaded was .zip. I will upload two images: one for Windows OS and the other for Linux.

Hint: Uploading files using the ASDM is much faster than it was when I used TFTP on a Cisco router.

We will be using the local database for authentication, so I will add a new user called “sslvpn.”

AnyConnect VPN is similar to IPsec remote access VPN that we configured in the previous article, so many of the concepts we configured in the last article are also applicable here; one such is the IP address pool from which connected users will be assigned IP addresses. Below, I have created a local IP pool called SSLVPN_POOL with IP addresses in the range of 192.168.150.1 through 192.168.150.10.

In an enterprise network, you will probably want to set up DNS settings and domain names for your remote access users. This is a test network, so we are not particular about these settings. Nevertheless, I will add them, as shown below:

NAT exemption may be something you want to configure so that VPN users can access internal networks freely; the next screen allows you to do that.

As we mentioned earlier, remote users accessing an SSL VPN service do not need to have a pre-installed VPN client; this client can be automatically installed when they connect to the ASA (web launch). The other alternative is to preinstall the Cisco AnyConnect VPN client on remote users’ PCs, and Cisco provides pre-deployment packages for this. You can go to this Cisco article for more information about pre-deployment.

Finally, we are presented with a summary screen of our setup:

The configuration to be sent to the ASA is:

ip local pool SSLVPN_POOL 192.168.150.1-192.168.150.10 mask 255.255.255.0
webvpn
        enable outside
        anyconnect profiles SSLVPN_client_profile disk0:/SSLVPN_client_profile.xml
object network NETWORK_OBJ_192.168.150.0_28
        subnet 192.168.150.0 255.255.255.240
webvpn
        tunnel-group-list enable
        anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
        anyconnect image disk0:/anyconnect-linux-3.1.05170-k9.zip 2
        anyconnect enable
username sslvpn password 23PvxKMbYvWPD.mX encrypted privilege 2
ssl trust-point ASDM_TrustPoint0 outside
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
        vpn-tunnel-protocol ssl-client
        dns-server value 8.8.8.8
        wins-server none
        default-domain value IntenseSchoolSSLVPN
        vpn-tunnel-protocol ssl-client ikev2
        webvpn
          anyconnect profiles value SSLVPN_client_profile type user
      exit
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
        default-group-policy GroupPolicy_SSLVPN
        address-pool  SSLVPN_POOL
tunnel-group SSLVPN webvpn-attributes
        group-alias SSLVPN enable
nat (inside,outside) 2 source static any any destination static NETWORK_OBJ_192.168.150.0_28 NETWORK_OBJ_192.168.150.0_28 no-proxy-arp route-lookup
crypto ikev2 policy 1
        group 2 5
        encryption aes-256
crypto ikev2 policy 10
        group 2 5
        encryption aes-192
crypto ikev2 policy 20
        group 2 5
        encryption aes
crypto ikev2 policy 30
        group 2 5
crypto ikev2 policy 40
        group 2 5
        encryption des
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ipsec ikev2 ipsec-proposal AES256
        protocol esp encryption aes-256
        protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
        protocol esp encryption aes-192
        protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
        protocol esp encryption aes
        protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
        protocol esp encryption 3des
        protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
        protocol esp encryption des
        protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  ikev2 ipsec-proposal  AES256 AES192 AES 3DES DES
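The wizard-generated IKEv2 section above enables every cipher suite the ASA supports, including DES, 3DES, MD5 integrity and 1024-bit DH groups, and the group policy has no split-tunnel-policy, which is why all client traffic goes through the tunnel later in the article. The following script is an added example (not Cisco's or ASDM's code) that reads a constructed excerpt of that configuration and reports the weak crypto settings and the full-tunnel behaviour so they can be reviewed before the config goes to production:

```python
import re

# Constructed excerpt of the ASDM-generated configuration shown in the article.
ASA_CONFIG = """\
group-policy GroupPolicy_SSLVPN attributes
        vpn-tunnel-protocol ssl-client ikev2
crypto ikev2 policy 1
        group 2 5
        encryption aes-256
crypto ikev2 policy 40
        group 2 5
        encryption des
crypto ipsec ikev2 ipsec-proposal AES256
        protocol esp encryption aes-256
        protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
        protocol esp encryption des
        protocol esp integrity sha-1 md5
"""

WEAK_CIPHERS = {"des", "3des"}
WEAK_INTEGRITY = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP groups of 1536 bits or less


def audit_ikev2(config: str) -> list[str]:
    """Return findings for weak IKEv2 policies / IPsec proposals and a missing split-tunnel policy."""
    findings = []
    current = None  # name of the policy or proposal block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith((" ", "\t")):  # top-level command starts a new block
            m = re.match(r"crypto ikev2 policy (\d+)", line)
            p = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
            current = f"ikev2 policy {m.group(1)}" if m else (f"ipsec-proposal {p.group(1)}" if p else None)
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "group":  # IKEv2 policy DH groups, e.g. "group 2 5"
            weak = WEAK_DH_GROUPS & set(tokens[1:])
            if weak:
                findings.append(f"{current}: weak DH group(s) {sorted(weak)}")
        elif "encryption" in tokens:  # "encryption des" or "protocol esp encryption des"
            weak = WEAK_CIPHERS & set(tokens)
            if weak:
                findings.append(f"{current}: weak cipher {sorted(weak)}")
        elif "integrity" in tokens:  # "protocol esp integrity sha-1 md5"
            weak = WEAK_INTEGRITY & set(tokens)
            if weak:
                findings.append(f"{current}: weak integrity {sorted(weak)}")
    if "split-tunnel-policy" not in config:
        findings.append("group-policy: no split-tunnel-policy, all client traffic is tunnelled (full tunnel)")
    return findings


if __name__ == "__main__":
    for finding in audit_ikev2(ASA_CONFIG):
        print(finding)
```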

Let’s test. I will open a web browser to https://192.168.20.1/ and authenticate using the sslvpn user we created. Also, notice that the group name is SSLVPN, which is what we configured as the connection profile name. We can create several groups with different settings and connect to the required group at login.

The screenshots below show the AnyConnect VPN client being automatically installed on my system.

When it finished downloading, I got the error dialog box shown below, saying that my IE was running in protected mode so the client could not be installed. It asked me to add the secure gateway (https://192.168.20.1) to the Trusted Sites zone in IE.

I will now retry the automatic installation.

Connected! We can see the statistics and route details. Notice that, because we did not configure split tunneling, all traffic will be encrypted (so I also lose my connection to the Internet).

Let’s see if we can ping a host on the internal network. We have a router connected on 192.168.10.5, so I will try to ping this device:

Note: I disconnected my laptop (loopback interface connected on the same VLAN as the ASA’s inside interface) from the 192.168.10.0/24 network so that this ping will flow through the VPN tunnel. You can check that the “Bytes Sent” and “Bytes Received” fields are increasing during the ping to make sure it is actually going through the tunnel.

Final note: Although the IPsec VPN client did not work when I initiated it from my GNS3 host, as I mentioned in the previous article, the AnyConnect VPN client worked from the GNS3 host.

Summary

This brings us to the end of this article, in which we have configured AnyConnect VPN on the Cisco ASA running in GNS3 using ASDM. As we have mentioned before, the AnyConnect VPN is similar to the IPsec remote access VPN except that users do not need to have a pre-installed VPN client on their systems.

Moving forward, it seems IKEv2 is gaining some momentum and I think it will be valuable to read up on it. This article also brings us to the end of this series and I hope you have found it insightful.

Further Reading