Task:
Provide the ability for end users to access corporate resources via the AnyConnect client or Clientless SSL VPN.
Scenario:
Internal network is 192.168.1.1/24
VPN network is 192.168.2.0/27
TFTP Server 192.168.1.10
Step 1: Download "anyconnect-win-2.5.0217-k9.pkg" from www.cisco.com
Step 2: Copy the file from the TFTP server to the Cisco ASA:
fw# copy tftp: flash:
Address or name of remote host [192.168.1.10]?
Source filename [anyconnect-win-2.5.0217-k9.pkg]? anyconnect-win-2.5.0217-k9.pkg
Destination filename [anyconnect-win-2.5.0217-k9.pkg]?
Accessing tftp://192.168.1.10/anyconnect-win-2.5.0217-k9.pkg...!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.5.0217-k9.pkg...
!!!!!!!!!!!!!!!!
3866773 bytes copied in 6.430 secs (644462 bytes/sec)
fw# dir
Directory of disk0:/
<output_skipped>
12169 -rw- 3866773 13:46:54 Jun 27 2010 anyconnect-win-2.5.0217-k9.pkg
127111168 bytes total (73404416 bytes free)
fw#
Step 4: Add the VPN address pool, the split-tunnel ACL and the NAT exemption statements that we will need later:
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
ip local pool LOCAL_POOL 192.168.2.1-192.168.2.20 mask 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.224
nat (inside) 0 access-list NONAT
Step 5: Allow VPN traffic to bypass the interface ACLs:
fw(config)# sysopt connection permit-vpn
Step 6: Enable SSL VPN and AnyConnect on the outside interface:
fw(config)# webvpn
fw(config-webvpn)# svc image disk0:/anyconnect-win-2.5.0217-k9.pkg
fw(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
fw(config-webvpn)# svc enable
fw(config-webvpn)# exit
Step 7: Create the group policy and tunnel group for clients connecting with the Cisco AnyConnect client:
fw(config)# group-policy ANY_CONNECT_POLICY internal
fw(config)# group-policy ANY_CONNECT_POLICY attributes
fw(config-group-policy)# address-pools value LOCAL_POOL
fw(config-group-policy)# webvpn
fw(config-group-webvpn)# vpn-tunnel-protocol svc
fw(config-group-policy)# exit
fw(config)# tunnel-group ANY_CONNECT_GROUP type remote-access
fw(config)# tunnel-group ANY_CONNECT_GROUP general-attributes
fw(config-tunnel-general)# default-group-policy ANY_CONNECT_POLICY
fw(config-tunnel-general)# tunnel-group ANY_CONNECT_GROUP webvpn-attributes
fw(config-tunnel-webvpn)# group-alias RemoteAccess enable
Step 8: Create an AnyConnect client user:
fw(config)# username vpnuser1 password vpnuser1
fw(config)# username vpnuser1 attributes
fw(config-username)# service-type remote-access
fw(config-username)# group-lock value ANY_CONNECT_GROUP
fw(config-username)# exit
Step 9: Repeat the process for Clientless SSL VPN:
group-policy SSL_VPN_POLICY internal
group-policy SSL_VPN_POLICY attributes
vpn-tunnel-protocol webvpn
address-pools value LOCAL_POOL
tunnel-group SSL_VPN_GROUP type remote-access
tunnel-group SSL_VPN_GROUP general-attributes
default-group-policy SSL_VPN_POLICY
tunnel-group SSL_VPN_GROUP webvpn-attributes
group-alias Manufacturing enable
username vpnuser2 password vpnuser2
username vpnuser2 attributes
service-type remote-access
group-lock value SSL_VPN_GROUP
exit
Step 10: Once you have created group aliases for your VPN groups, you can make them available to users through a drop-down list on the login page. To enable this feature:
fw(config-tunnel-webvpn)# webvpn
fw(config-webvpn)# tunnel-group-list enable
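As an added example (not part of the original post), a Python check that reads the Step 4 statements against the scenario's address plan: it confirms that the pool sits inside the VPN network, that the NAT exemption covers the internal network and every pool address, that the split-tunnel ACL names the internal network, and that the pool mask matches the VPN network's prefix. Run on the lines above it reports the /24 pool mask against the /27 VPN network; the regexes assume the exact statement forms shown on this page.

```python
import ipaddress
import re

# Constructed sample: the scenario's networks and the Step 4 statements from this page.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_NET = ipaddress.ip_network("192.168.2.0/27")
CONFIG = """
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
ip local pool LOCAL_POOL 192.168.2.1-192.168.2.20 mask 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.224
nat (inside) 0 access-list NONAT
"""

POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+) mask (\S+)")
NONAT_RE = re.compile(r"access-list NONAT extended permit ip (\S+) (\S+) (\S+) (\S+)")
SPLIT_RE = re.compile(r"access-list SPLIT standard permit (\S+) (\S+)")

def net(address, mask):
    """Build a network from the ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)

def check_plan(config, internal_net, vpn_net):
    """Return a list of findings; an empty list means the address plan is consistent."""
    pool, nonat, split = POOL_RE.search(config), NONAT_RE.search(config), SPLIT_RE.search(config)
    if not (pool and nonat and split):
        return ["missing pool, NONAT or SPLIT statement"]
    findings = []
    first, last = ipaddress.ip_address(pool.group(1)), ipaddress.ip_address(pool.group(2))
    # Every address handed out must fall inside the VPN network from the scenario.
    if first not in vpn_net or last not in vpn_net:
        findings.append(f"pool {first}-{last} is not inside {vpn_net}")
    # The mask pushed with the pool should describe the VPN network, not a wider one.
    pool_prefix = net("0.0.0.0", pool.group(3)).prefixlen
    if pool_prefix != vpn_net.prefixlen:
        findings.append(f"pool mask /{pool_prefix} does not match {vpn_net}")
    # NAT exemption must cover inside -> every pool address, or replies get translated.
    nonat_src, nonat_dst = net(nonat.group(1), nonat.group(2)), net(nonat.group(3), nonat.group(4))
    if not internal_net.subnet_of(nonat_src):
        findings.append(f"NONAT source {nonat_src} does not cover {internal_net}")
    if first not in nonat_dst or last not in nonat_dst:
        findings.append(f"NONAT destination {nonat_dst} does not cover the pool")
    # The split-tunnel ACL should name exactly the internal network.
    split_net = net(split.group(1), split.group(2))
    if split_net != internal_net:
        findings.append(f"SPLIT permits {split_net}, expected {internal_net}")
    return findings
```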
Sometimes you might get the error "Session could not be established: session limit of 2 reached".
This usually happens when people have connected as AnyConnect clients through the web portal but did not finish installing the AnyConnect client, for example because they lack administrative privileges on their PC. The result is a sort of embryonic connection.
This is an ASA bug. To clear it, execute:
conf t
webvpn
no enable outside
enable outside
To see who is logged in:
fw(config-webvpn)# show vpn-sessiondb webvpn
Session Type: WebVPN
Username : vpnuser1 Index : 14
Public IP : 144.56.103.12
Protocol : Clientless
License : SSL VPN
Encryption : RC4 Hashing : SHA1
Bytes Tx : 41597 Bytes Rx : 9959
Group Policy : ANY_CONNECT_POLICY Tunnel Group : ANY_CONNECT_GROUP
Login Time : 14:43:05 EST Sun Jun 27 2010
Duration : 0h:02m:54s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
fw(config-webvpn)#
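As an added example (not part of the original post), a Python parser for the show vpn-sessiondb webvpn output above, followed by an audit that flags the half-finished AnyConnect login described earlier (a Clientless session sitting in the AnyConnect group, exactly what the sample shows for vpnuser1) and any session still negotiated with RC4. The second session in the sample is made up for comparison; the field names are the ones visible in the page's output.

```python
import re

# Constructed sample: the show vpn-sessiondb webvpn output above, plus a made-up
# clientless session in the SSL_VPN group so the audit has a clean record to compare.
SAMPLE = """\
Session Type: WebVPN
Username     : vpnuser1               Index        : 14
Public IP    : 144.56.103.12
Protocol     : Clientless
Encryption   : RC4                    Hashing      : SHA1
Group Policy : ANY_CONNECT_POLICY     Tunnel Group : ANY_CONNECT_GROUP
Login Time   : 14:43:05 EST Sun Jun 27 2010
Duration     : 0h:02m:54s
VLAN Mapping : N/A                    VLAN         : none

Username     : vpnuser2               Index        : 15
Protocol     : Clientless
Encryption   : AES128                 Hashing      : SHA1
Group Policy : SSL_VPN_POLICY         Tunnel Group : SSL_VPN_GROUP
"""

FIELDS = ["Username", "Index", "Public IP", "Protocol", "License", "Encryption", "Hashing", "Bytes Tx",
          "Bytes Rx", "Group Policy", "Tunnel Group", "Login Time", "Duration", "Inactivity", "NAC Result", "VLAN Mapping", "VLAN"]
# Split on known field names (longest first, so "VLAN Mapping" beats "VLAN"); values like Login Time contain colons.
KEY_RE = re.compile(r"\b(" + "|".join(sorted(FIELDS, key=len, reverse=True)) + r")\s*:\s*")

def parse_sessions(text):
    """Turn the two-column ASA output into one dict per session."""
    sessions, current = [], None
    for line in text.splitlines():
        parts = KEY_RE.split(line)          # ['', key, value, key, value, ...]
        for key, value in zip(parts[1::2], parts[2::2]):
            if key == "Username":           # a new session record starts here
                current = {}
                sessions.append(current)
            if current is not None:
                current[key] = value.strip()
    return sessions

def audit(sessions):
    """Flag clientless sessions in the AnyConnect group (install never finished) and RC4 sessions."""
    findings = []
    for s in sessions:
        user = s.get("Username", "?")
        if s.get("Protocol") == "Clientless" and "ANY_CONNECT" in s.get("Group Policy", ""):
            findings.append(f"{user}: clientless session in AnyConnect group, client install unfinished?")
        if s.get("Encryption") == "RC4":
            findings.append(f"{user}: session negotiated RC4")
    return findings
```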
To test your setup, connect to the outside ASA interface via HTTPS:
https://[outside ASA IP]
You should see something like the SSL VPN login page.