{"id":2078,"date":"2015-03-08T23:59:42","date_gmt":"2015-03-09T03:59:42","guid":{"rendered":"https:\/\/infotechguy.net\/?p=2078"},"modified":"2022-08-26T09:47:20","modified_gmt":"2022-08-26T13:47:20","slug":"easy-remote-client-vpn-solution-with-a-cisco-asa","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=2078","title":{"rendered":"Cisco ASA &#8212; Easy Remote Client VPN Solution"},"content":{"rendered":"<p>I&#8217;ve posted an article on Client VPN setup using OpenVPN and I noticed I didn&#8217;t have one regarding Cisco ASA. The Cisco ASA is a very common <a href=\"http:\/\/en.wikipedia.org\/wiki\/Security_appliance\" target=\"_blank\" rel=\"noopener noreferrer\">Security Appliance<\/a> used by small and large companies. This article will cover how to set up a standard remote client VPN utilizing IPsec as the crypto carrier. Cisco also has their own proprietary remote client VPN solution called <a href=\"http:\/\/www.cisco.com\/c\/en\/us\/solutions\/enterprise-networks\/anyconnect-secure-mobility-solution\/index.html\" target=\"_blank\" rel=\"noopener noreferrer\">AnyConnect<\/a>. I will be posting an article after this one on how to set an AnyConnect solution up\u00a0and include what the differences are between it and the standard\u00a0IPsec remote client VPN contained in this article.<\/p>\n<p>A remote client VPN is something very common in the workplace nowadays. It allows users to appear as if they are on the company&#8217;s internal network over an insecure medium (e.g. the Internet, an untrusted network, etc.). It does so by using <a href=\"http:\/\/en.wikipedia.org\/wiki\/IPsec\" target=\"_blank\" rel=\"noopener noreferrer\">IPsec<\/a>. 
IPsec is a tried and true Layer 3 security technique that requires both parties to mutually authenticate each other before passing traffic.<\/p>\n<p>A few things to keep in mind regarding remote client VPNs:<\/p>\n<ul>\n<li>First, a subnet is required for clients to be placed on once they are successfully authenticated and authorized via the remote client VPN. This can be the same subnet as one already existing on your network or a separate one with a firewall in between. The latter is best practice and the more secure choice.<\/li>\n<li>Secondly, deciding on split-tunneling vs all-tunneling. The difference is whether all of the client&#8217;s traffic is forced across the tunnel or whether the client may communicate with both its local network and the networks on the other side of the VPN. For best practice and security, all-tunneling is recommended.<\/li>\n<li>Third, Access Lists and tunneled networks. Here we decide which other networks Remote VPN users will have access to. In the case of split-tunneling, we also create an access-list of which networks to tunnel for the Remote VPN user.<\/li>\n<li>Fourth, provisioning standard network services for VPN users. Remote VPN users will need a default gateway, DNS servers, a domain suffix, an address pool, proxy settings, etc.<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Configuring the Server Side (Cisco ASA):<\/h3>\n<ol>\n<li>\n<h6>First Step: Create an Address Pool for VPN clients.<\/h6>\n<p>Decide on the subnet you will be assigning to remote VPN clients. For this article I will choose 172.21.1.0\/24, starting at .10 and ending at .250.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# ip local pool obj-RemoteVPNPool 172.21.0.10-172.21.0.250 mask 255.255.255.0<\/pre>\n<\/li>\n<li>\n<h6>Second Step: Make ACLs for allowed communication and networks to push across the tunnel for the client. 
(assuming the network we want to allow communication with is 192.168.1.0\/24 and we will force it to be tunneled as well)<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# object-group network obj-VPN-NETWORK\nciscoasa(config-network-object-group)# network-object 172.21.0.0 255.255.255.0\n\nciscoasa(config)# object-group network obj-PROTECTED-NETWORK\nciscoasa(config-network-object-group)# network-object 192.168.1.0 255.255.255.0\n\nciscoasa(config)# access-list vpnACL extended permit ip object-group obj-VPN-NETWORK object-group obj-PROTECTED-NETWORK<\/pre>\n<\/li>\n<li>\n<h6>Next step: Make an additional ACL to identify the traffic we would like the remote client to know about on the other side of the tunnel (for split-tunneled scenarios).<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# access-list tunneledNets standard permit 192.168.1.0 255.255.255.0\nciscoasa(config)# access-list tunneledNets standard permit 192.168.2.0 255.255.255.0\nciscoasa(config)# access-list tunneledNets standard permit 192.168.3.0 255.255.255.0<\/pre>\n<\/li>\n<li>\n<h6>Moving on: We have to create an identity NAT because our VPN traffic communicating with our protected networks will traverse two different interfaces on the Cisco ASA. 
We will not be performing any NAT manipulation, but the statement is required because of the ASA&#8217;s standard NAT behaviour when traffic traverses between different interfaces; without it the VPN traffic could be caught by other NAT rules.<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# nat (outside,inside) source static obj-VPN-NETWORK obj-VPN-NETWORK destination obj-PROTECTED-NETWORK obj-PROTECTED-NETWORK<\/pre>\n<\/li>\n<li>\n<h6>VPN Attributes: Let&#8217;s set up a group-policy to tie together all the attributes we are going to send to the remote client when they connect.<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# group-policy ClientVPN_GroupPolicy internal\nciscoasa(config)# group-policy ClientVPN_GroupPolicy attributes\nciscoasa(config-group-policy)# banner value Welcome to thejimmahknows VPN\nciscoasa(config-group-policy)# vpn-idle-timeout 30\nciscoasa(config-group-policy)# vpn-session-timeout none\nciscoasa(config-group-policy)# vpn-filter value vpnACL\nciscoasa(config-group-policy)# vpn-tunnel-protocol ikev1\nciscoasa(config-group-policy)# ipsec-udp enable\nciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified\nciscoasa(config-group-policy)# split-tunnel-network-list value tunneledNets\nciscoasa(config-group-policy)# dns-server value 192.168.1.3 192.168.3.4\nciscoasa(config-group-policy)# default-domain value internaldomain.local\nciscoasa(config-group-policy)# split-tunnel-all-dns enable\nciscoasa(config-group-policy)# address-pools value obj-RemoteVPNPool\nciscoasa(config-group-policy)# ipv6-address-pools none<\/pre>\n<p>Let&#8217;s step through this:<\/p>\n<ul>\n<li><strong>ClientVPN_GroupPolicy {internal\/external} &#8212; Where to get attributes from? 
Internal = from this ASA, External = from an external server like RADIUS or Cisco ACS<\/strong><\/li>\n<li><strong>ClientVPN_GroupPolicy attributes &#8212;<\/strong> Enters attribute configuration for the new group policy, which will push down to the client all the network services we want to assign them.<\/li>\n<li><strong>banner value {your text} &#8212;<\/strong> This is not technically needed, however I like it because it gives the user a pop-up from their VPN software confirming that they have successfully connected.<\/li>\n<li><strong>vpn-idle-timeout {min} &#8212;<\/strong> Helpful to terminate VPN connections that are idle for too long.<\/li>\n<li><strong>vpn-session-timeout {min\/none} &#8212;<\/strong> Maximum length of a session in minutes, regardless of activity; none disables the limit.<\/li>\n<li><strong>vpn-filter value {your ACL} &#8212;<\/strong> This is where you set the ACL defining which networks inside your network the VPN clients are allowed to communicate with.<\/li>\n<li><strong>vpn-tunnel-protocol {ikev1} &#8212;<\/strong> Tells the client to use IKEv1 to establish a connection.<\/li>\n<li><strong>ipsec-udp {enable\/disable} &#8212;<\/strong> This enables NAT traversal (IPsec over UDP), which is needed 99% of the time. If you don&#8217;t enable it, only one client will be able to connect in from the same remote network at a time. 
See <a title=\"What is IPsec NAT-Traversal??\" href=\"https:\/\/infotechguy.net\/nat-traversal-ipsec\/\">What is IPsec NAT-Traversal<\/a>.<\/li>\n<li><strong>split-tunnel-policy {tunnelspecified\/tunnelall} &#8212;<\/strong> Sets the split-tunneling policy, if any.<\/li>\n<li><strong>split-tunnel-network-list value {standard ACL} &#8212;<\/strong> Which networks on the far side to tell the client about.<\/li>\n<li><strong>dns-server value {dns servers} &#8212;<\/strong> Specifies the DNS servers your remote VPN clients should use.<\/li>\n<li><strong>default-domain value {windows domain name} &#8212;<\/strong> Supplied to the client as its DNS suffix.<\/li>\n<li><strong>split-tunnel-all-dns {enable\/disable} &#8212;<\/strong> Tells the client whether to ask the far end of the tunnel for all DNS resolution or to use the local network&#8217;s DNS for non-tunneled names. Best practice is to enable this and force remote VPN clients to always ask the far end for DNS resolution.<\/li>\n<li><strong>address-pools value {IP pool object} &#8212;<\/strong> Where to get IPs for remote VPN clients from.<\/li>\n<li><strong>ipv6-address-pools {IP pool object\/none} &#8212;<\/strong> IPv6 pools? 
Nah.<\/li>\n<li><strong>NOTE:<\/strong> <em>For more information and other attributes, see the <a href=\"http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/security\/asa\/asa82\/configuration\/guide\/config\/vpngrp.html#wp1166190\" target=\"_blank\" rel=\"noopener noreferrer\">Cisco documentation here<\/a>.<\/em><\/li>\n<\/ul>\n<\/li>\n<li>\n<h6>Proxy settings?: We can also push Web Proxy settings down to Internet Explorer using the following (a PAC URL requires the use-pac-url method).<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# group-policy ClientVPN_GroupPolicy attributes\nciscoasa(config-group-policy)# msie-proxy method use-pac-url\nciscoasa(config-group-policy)# msie-proxy pac-url value http:\/\/proxyserver:8080\/proxy.pac<\/pre>\n<\/li>\n<li>\n<h6>IPsec Phase 1: Here we set up the Phase 1 (IKEv1) policy to be used by this IPsec tunnel.<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# crypto ikev1 policy 1\nciscoasa(config-ikev1-policy)# authentication pre-share\nciscoasa(config-ikev1-policy)# encryption 3des\nciscoasa(config-ikev1-policy)# hash sha\nciscoasa(config-ikev1-policy)# group 2\nciscoasa(config-ikev1-policy)# lifetime 86400\nciscoasa(config)# crypto ikev1 enable outside<\/pre>\n<p><strong>NOTE:<\/strong> <em>The Cisco VPN Client v5 will match the first IKEv1 policy you have for Phase 1. 
Don&#8217;t forget to enable it on the outside interface! 3DES, SHA-1 and DH group 2 are legacy algorithms by current standards; prefer stronger ones (for example AES and a larger DH group) wherever your client supports them.<\/em><\/p>\n<\/li>\n<li>\n<h6>IPsec Phase 2: Continuing on with building our tunnel, we now have to create a Transform Set and a Crypto Map (in this case a dynamic one).<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# crypto ipsec ikev1 transform-set VPN-TRANSFORM-SET esp-3des esp-sha-hmac\nciscoasa(config)# crypto dynamic-map VPN-DynamicCryptoMap 11 set ikev1 transform-set VPN-TRANSFORM-SET\nciscoasa(config)# crypto map outside-cmap 65535 ipsec-isakmp dynamic VPN-DynamicCryptoMap\nciscoasa(config)# crypto map outside-cmap interface outside<\/pre>\n<p><strong>NOTE:<\/strong> <strong>dynamic-map<\/strong><em> is used here because the remote endpoint&#8217;s address could be anything, unlike other IPsec tunnels where both endpoint addresses are predetermined and form part of the Security Association (SA). Specifying the <strong>dynamic-map<\/strong> keyword tells the ASA to accept the tunnel from any peer address rather than validating it against a preconfigured peer. 
For more info on static tunnels read <a title=\"Site-to-Site IPSec VPN using Openswan and Cisco ASA 9.1(3)\" href=\"https:\/\/infotechguy.net\/site-to-site-ipsec-vpn-using-openswan-and-cisco-asa-9-13\/\" target=\"_blank\" rel=\"noopener noreferrer\">my other post here<\/a>.<\/em><\/p>\n<\/li>\n<li>\n<h6>Last Step: Putting it all together with a Tunnel Group object.<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# tunnel-group VPN-TunnelGroup type remote-access\nciscoasa(config)# tunnel-group VPN-TunnelGroup general-attributes\nciscoasa(config-tunnel-general)# default-group-policy ClientVPN_GroupPolicy\nciscoasa(config)# tunnel-group VPN-TunnelGroup ipsec-attributes\nciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key ****<\/pre>\n<p><strong>NOTE:<\/strong> <em>Type <strong>remote-access<\/strong> tells the ASA this is a remote-access tunnel and not a Site-to-Site tunnel. We also bind which Group Policy to use with this tunnel here. Don&#8217;t forget to set the Phase 1 pre-shared key here!! The tunnel-group name and this pre-shared key are the group name and group password the remote client is configured with.<\/em><\/p>\n<\/li>\n<li>\n<h6>Creating users within the LOCAL user-table on your Cisco ASA<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# username testuser password *****\nciscoasa(config)# username testuser attributes\nciscoasa(config-username)# vpn-framed-ip-address 172.21.0.55 255.255.255.0<\/pre>\n<\/li>\n<\/ol>\n<h3>Configuring the Client Side<\/h3>\n<h6>Windows &#8212; Using Cisco VPN Client<\/h6>\n<ol>\n<li><em>Download software <a href=\"http:\/\/www.cisco.com\/c\/en\/us\/support\/security\/vpn-client-v5-x\/model.html\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a><\/em><\/li>\n<li><em>Install (duh!)<\/em><\/li>\n<li>Configuration:<br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3401\" 
src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN-300x252.png\" alt=\"\" width=\"535\" height=\"449\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN-300x252.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN.png 644w\" sizes=\"auto, (max-width: 535px) 100vw, 535px\" \/><\/a> <a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3402\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN2-300x123.png\" alt=\"\" width=\"534\" height=\"219\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN2-300x123.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN2.png 414w\" sizes=\"auto, (max-width: 534px) 100vw, 534px\" \/><\/a> <a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3403\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN3-300x128.png\" alt=\"\" width=\"534\" height=\"228\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN3-300x128.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/windows-cisco-VPN3.png 516w\" sizes=\"auto, (max-width: 534px) 100vw, 534px\" \/><\/a><\/li>\n<li>Wahoo!!<\/li>\n<\/ol>\n<h6>Ubuntu &#8212; Using vpnc package<\/h6>\n<ol>\n<li><em>Install<\/em>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">sudo apt-get install network-manager-vpnc vpnc<\/pre>\n<\/li>\n<li><em>Configure<\/em>:<br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3405\" 
src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-1-300x155.png\" alt=\"\" width=\"600\" height=\"310\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-1-300x155.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-1.png 397w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a> <a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3406\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-2-300x246.png\" alt=\"\" width=\"601\" height=\"493\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-2-300x246.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-2.png 400w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/a> <a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3407\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-3-300x139.png\" alt=\"\" width=\"604\" height=\"280\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-3-300x139.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-3.png 640w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><\/a> <a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3408\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-4-300x285.png\" alt=\"\" width=\"604\" height=\"574\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-4-300x285.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Ubuntu-VPN-4.png 548w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" 
\/><\/a><\/li>\n<li><em>Tada!!<\/em><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve posted an article on Client VPN setup using OpenVPN and I noticed I didn&#8217;t have one regarding Cisco ASA. A Cisco ASA being a very common Security Appliance used by small and large companies.&#46;&#46;&#46;<\/p>\n","protected":false},"author":2,"featured_media":4233,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[55,96],"class_list":["post-2078","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cisco","tag-cisco","tag-network"],"_links":{"self":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/2078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2078"}],"version-history":[{"count":1,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/2078\/revisions"}],"predecessor-version":[{"id":4194,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/2078\/revisions\/4194"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/media\/4233"}],"wp:attachment":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2078"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}