Welcome back to this series where we have been using the Cisco Adaptive Security Device Manager (ASDM) to configure the Cisco ASA. This will be the final article in this series and we will be configuring AnyConnect VPN (full-tunnel SSL VPN) on the Cisco ASA.
Our network diagram is shown below:
SSL VPN removes the need for remote access users to have a pre-installed VPN client on their system before a remote access VPN tunnel can be terminated. When the SSL VPN user successfully authenticates to the SSL VPN gateway, the AnyConnect VPN client is automatically downloaded and installed on the user’s PC; this means that the AnyConnect VPN client must first be uploaded to the router/firewall acting as the SSL VPN gateway. Another cool thing is that the gateway will determine the OS of the remote user’s computer and install the required AnyConnect VPN client, e.g., Windows, MacOS, or Linux. Of course, you must have the AnyConnect VPN client packages for the different operating systems that will be connecting.
Note: The AnyConnect VPN client can also be pre-installed on a user’s PC, thereby removing the need to open a web browser to connect; the user can just connect directly from the installed client.
As in the last article, we will use the wizards provided by ASDM to configure our AnyConnect VPN. You can access these wizards from the menu bar by navigating to Wizards > VPN wizards, as shown below:
I will select AnyConnect VPN Wizard from the list above which presents me with the start screen.
On the next screen, I will specify the connection profile name and the interface on which SSL VPN connections will terminate. I have used “SSLVPN” as my connection profile name. Keep this name in mind, as we will see where it comes up later.
AnyConnect can use either SSL or IPsec (IKEv2) to protect traffic; you can enable both on the ASA. This article talks about AnyConnect IKEv2 IPsec VPN.
As the screen above shows, I currently don’t have any device certificate selected. Normally, you may want to install a digital certificate from a valid CA but, because this is a lab, I will generate a self-signed certificate on the ASA to be used as the device certificate. To do this, I will click on the Manage button.
I will add my self-signed certificate by clicking on the Add button.
Before I can create a certificate, I must first generate a key pair using the New button.
Note: The commands to be sent to the ASA to generate the key pair and self-signed certificate are:

    crypto key generate rsa label SSLVPN noconfirm
    crypto ca trustpoint ASDM_TrustPoint0
     revocation-check none
     keypair SSLVPN
     id-usage ssl-ipsec
     no fqdn
     subject-name CN=ASA
     enrollment self
    crypto ca enroll ASDM_TrustPoint0 noconfirm
My certificate is now generated and I can move on with the SSL VPN wizard.
On the screen below, we can add AnyConnect images on the ASA that will be downloaded when an SSL VPN user connects. These files are in .pkg format, although I noticed the Linux one I downloaded was .zip. I will upload two images: one for Windows OS and the other for Linux.
Hint: Uploading files using the ASDM is much faster compared to when I used TFTP on a Cisco router.
We will be using the local database for authentication, so I will add a new user called “sslvpn.”
AnyConnect VPN is similar to the IPsec remote access VPN that we configured in the previous article, so many of the concepts we configured there are also applicable here; one such concept is the IP address pool from which connected users will be assigned IP addresses. Below, I have created a local IP pool called SSLVPN_POOL with IP addresses in the range of 192.168.150.1 through 192.168.150.10.
In an enterprise network, you will probably want to set up DNS settings and domain names for your remote access users. This is a test network, so we are not particular about these settings. Nevertheless, I will add them, as shown below:
NAT exemption may be something you want to configure so that VPN users can access internal networks freely; the next screen allows you to do that.
As we mentioned earlier, remote users accessing an SSL VPN service do not need to have a pre-installed VPN client; this client can be automatically installed when they connect to the ASA (Web launch). The other alternative is to preinstall the Cisco AnyConnect VPN client on remote users’ PCs, and Cisco provides pre-deployment packages for this. You can go to this Cisco article for more information about pre-deployment.
Finally, we are presented with a summary screen of our setup:
The configuration to be sent to the ASA is:

    ip local pool SSLVPN_POOL 192.168.150.1-192.168.150.10 mask 255.255.255.0
    webvpn
     enable outside
     anyconnect profiles SSLVPN_client_profile disk0:/SSLVPN_client_profile.xml
    object network NETWORK_OBJ_192.168.150.0_28
     subnet 192.168.150.0 255.255.255.240
    webvpn
     tunnel-group-list enable
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect image disk0:/anyconnect-linux-3.1.05170-k9.zip 2
     anyconnect enable
    username sslvpn password 23PvxKMbYvWPD.mX encrypted privilege 2
    ssl trust-point ASDM_TrustPoint0 outside
    group-policy GroupPolicy_SSLVPN internal
    group-policy GroupPolicy_SSLVPN attributes
     vpn-tunnel-protocol ssl-client
     dns-server value 188.8.131.52
     wins-server none
     default-domain value IntenseSchoolSSLVPN
     vpn-tunnel-protocol ssl-client ikev2
     webvpn
      anyconnect profiles value SSLVPN_client_profile type user
    exit
    tunnel-group SSLVPN type remote-access
    tunnel-group SSLVPN general-attributes
     default-group-policy GroupPolicy_SSLVPN
     address-pool SSLVPN_POOL
    tunnel-group SSLVPN webvpn-attributes
     group-alias SSLVPN enable
    nat (inside,outside) 2 source static any any destination static NETWORK_OBJ_192.168.150.0_28 NETWORK_OBJ_192.168.150.0_28 no-proxy-arp route-lookup
    crypto ikev2 policy 1
     group 2 5
     encryption aes-256
    crypto ikev2 policy 10
     group 2 5
     encryption aes-192
    crypto ikev2 policy 20
     group 2 5
     encryption aes
    crypto ikev2 policy 30
     group 2 5
    crypto ikev2 policy 40
     group 2 5
     encryption des
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

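The wizard's IKEv2 policies and IPsec proposals include DES, 3DES, MD5 and Diffie-Hellman groups 2 and 5, which you would normally remove before using this configuration outside a lab. The following added example (not part of the original article or of any Cisco tool) audits an ASA configuration for such settings; the weak-algorithm lists and the `audit` function are assumptions of this example, and the sample is an excerpt of the configuration above.

```python
import re

# Assumed policy for this example: values treated as too weak for production use.
WEAK_ENC = {"des", "3des"}
WEAK_INTEGRITY = {"md5"}
WEAK_DH = {"1", "2", "5"}

# Excerpt of the ASDM-generated configuration shown in this article.
SAMPLE = """\
crypto ikev2 policy 1
 group 2 5
 encryption aes-256
crypto ikev2 policy 40
 group 2 5
 encryption des
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
"""

def audit(config):
    """Return sorted (section, kind, value) tuples for weak IKEv2/IPsec settings."""
    findings, section = set(), None
    for line in config.splitlines():
        if not line.startswith(" "):           # a top-level command opens a new section
            m = re.match(r"crypto (?:ipsec )?ikev2 (?:policy|ipsec-proposal) (\S+)", line)
            section = m.group(0) if m else None
            continue
        words = line.split()
        if section is None or not words:       # sub-command of a section we do not audit
            continue
        if words[:2] == ["protocol", "esp"]:   # ipsec-proposal sub-commands carry this prefix
            words = words[2:]
        kind, *values = words or [""]
        weak = {"encryption": WEAK_ENC, "integrity": WEAK_INTEGRITY,
                "group": WEAK_DH}.get(kind, set())
        findings.update((section, kind, v) for v in values if v in weak)
    return sorted(findings)

if __name__ == "__main__":
    for section, kind, value in audit(SAMPLE):
        print(f"{section}: weak {kind} '{value}'")
```

Run it against the output of `show running-config` saved to a file to list every policy or proposal that still offers a weak value.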
Let’s test. I will open a web browser to https://192.168.20.1/ and authenticate using the sslvpn user we created. Also, notice that the group name is SSLVPN, which is what we configured as the connection profile name. We can create several groups with different settings and connect to the required group at login.
The screenshots below show the AnyConnect VPN client being automatically installed on my system.
When it finished downloading, I got the error dialog box shown below, saying that my IE was running in protected mode so it couldn’t install. It asked me to add the secure gateway (https://192.168.20.1) to the Trusted Sites Zone in IE.
I will now retry the automatic installation.
Connected! We can see the statistics and route details. Notice that, because we did not configure split tunneling, all traffic will be encrypted (so I also lose my connection to the Internet).
Let’s see if we can ping a host on the internal network. We have a router connected on 192.168.10.5, so I will try to ping this device:
Note: I disconnected my laptop (loopback interface connected on the same VLAN as the ASA’s inside interface) from the 192.168.10.0/24 network so that this ping will flow through the VPN tunnel. You can check that the “Bytes Sent” and “Bytes Received” fields are increasing during the ping to make sure it is actually going through the tunnel.
Final note: Although the IPsec VPN client did not work when I initiated it from my GNS3 host, as I mentioned in the previous article, the AnyConnect VPN client worked from the GNS host.
This brings us to the end of this article, in which we have configured AnyConnect VPN on the Cisco ASA running in GNS3 using ASDM. As we have mentioned before, the AnyConnect VPN is similar to the IPsec remote access VPN except that users do not need to have a pre-installed VPN client on their systems.
Moving forward, it seems IKEv2 is gaining some momentum and I think it will be valuable to read up on it. This article also brings us to the end of this series and I hope you have found it insightful.
IKEv2 IPSec Remote Access VPN with Anyconnect on Cisco ASA: http://www.networkgalaxy.org/2013/07/ikev2-ipsec-remote-access-vpn-with.html
Deploying the AnyConnect Secure Mobility Client: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac02asaconfig.html