{"id":2082,"date":"2015-03-27T12:44:17","date_gmt":"2015-03-27T16:44:17","guid":{"rendered":"https:\/\/infotechguy.net\/?p=2082"},"modified":"2022-08-26T09:47:03","modified_gmt":"2022-08-26T13:47:03","slug":"easy-cisco-anyconnect-with-cisco-asa","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=2082","title":{"rendered":"CiscoASA &#8212; AnyConnect SSL VPN Setup"},"content":{"rendered":"<p>As promised, here is my article on how to set up an SSL remote-access VPN, an alternative to the <a title=\"Easy Remote Client VPN Solution with a Cisco ASA\" href=\"https:\/\/infotechguy.net\/easy-remote-client-vpn-solution-with-a-cisco-asa\/\" target=\"_blank\" rel=\"noopener noreferrer\">IPSec remote VPN from this article<\/a>. What&#8217;s great is that the steps to set up an SSL remote VPN service are very similar to those for the IPSec remote VPN. So let&#8217;s get started.<\/p>\n<p>As with the IPSec remote VPN, the SSL remote VPN needs the same design decisions made up front.<\/p>\n<ul>\n<li>First, a subnet is required for clients to be placed on once they have authenticated and been authorized via the SSL remote VPN. This can be the same subnet as one already existing on your network, or a separate one with the firewall in between. The latter is the better practice for security, because every packet between VPN clients and your internal networks then has to pass the ASA&#8217;s access policy.<\/li>\n<li>Secondly, deciding on split-tunneling vs. full tunneling. The difference is whether all of the client&#8217;s traffic is forced across the tunnel (tunnelall) or the client may talk to both its local network and the networks on the other side of the VPN at the same time (tunnelspecified). For best practice and security, full tunneling is recommended: the client&#8217;s internet traffic stays behind your egress controls, and a hostile device on the user&#8217;s local network cannot use the client as a bridge into yours. The configuration below uses split-tunneling so the tunneled-network list can be shown; switching to tunnelall is a one-line change in the group policy.<\/li>\n<li>Third, access lists and tunneled networks. Here we decide what SSL remote VPN users will have access to in our other networks. In the case of split-tunneling we will also create an access-list of the networks to tunnel for the remote VPN user.<\/li>\n<li>Fourth, provisioning standard network services for VPN users. 
Remote VPN users will need a default gateway, DNS servers, a domain suffix, an address pool, proxy settings, etc.<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Configuring the Server Side (Cisco ASA):<\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>\n<h6>First Step: Create an Address Pool for SSL VPN clients.<\/h6>\n<p>Decide on the subnet you will assign to SSL remote VPN clients. For this article I will use 172.21.0.0\/24, starting at .10 and ending at .250. The pool must not overlap any network the clients will reach through the tunnel.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# ip local pool pool-AnyConnect 172.21.0.10-172.21.0.250 mask 255.255.255.0<\/pre>\n<\/li>\n<li>\n<h6>Second Step: Make the ACL for allowed communication between VPN clients and the internal networks (assuming the networks we want clients to reach are 192.168.1.0\/24, 192.168.2.0\/24 and 192.168.3.0\/24, the same networks we will tunnel in the next step).<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# object-group network obj-AnyConnect\nciscoasa(config-network-object-group)# network-object 172.21.0.0 255.255.255.0\n\nciscoasa(config)# object-group network obj-PROTECTED-NETWORK\nciscoasa(config-network-object-group)# network-object 192.168.1.0 255.255.255.0\nciscoasa(config-network-object-group)# network-object 192.168.2.0 255.255.255.0\nciscoasa(config-network-object-group)# network-object 192.168.3.0 255.255.255.0\n\nciscoasa(config)# access-list vpnACL extended permit ip object-group obj-AnyConnect object-group obj-PROTECTED-NETWORK<\/pre>\n<p>Write this ACL with the VPN client as the source and the internal network as the destination; when it is applied as a vpn-filter the ASA checks both directions of the session against it. Anything a client needs that is not permitted here, including the DNS servers pushed down in the group policy, is dropped even though the route is tunneled.<\/p>\n<\/li>\n<li>\n<h6>Next step: Make an additional, standard ACL to identify the networks on the far side of the tunnel that the remote client should route through the VPN (for split-tunnel scenarios only; with tunnelall every destination goes through the tunnel).<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# access-list tunneledNets standard permit 192.168.1.0 255.255.255.0\nciscoasa(config)# access-list tunneledNets standard permit 192.168.2.0 255.255.255.0\nciscoasa(config)# access-list tunneledNets standard permit 192.168.3.0 255.255.255.0<\/pre>\n<\/li>\n<li>\n<h6>Moving on: We have to create an identity NAT (NAT exemption) because our 
VPN traffic communicating with our protected networks is decrypted on the outside interface and then forwarded out the inside interface, so it is evaluated against the NAT table like any other traffic. We are not translating anything here; the identity rule exists so that this traffic matches it before any other NAT rule, such as the dynamic PAT that gives inside hosts internet access, which would otherwise rewrite the addresses and break the return path. Note the static keyword after destination, which is required, and the no-proxy-arp route-lookup options, which keep the ASA from answering ARP for these addresses and make it choose the egress interface from the routing table.<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# nat (outside,inside) source static obj-AnyConnect obj-AnyConnect destination static obj-PROTECTED-NETWORK obj-PROTECTED-NETWORK no-proxy-arp route-lookup<\/pre>\n<\/li>\n<li>\n<h6>VPN Attributes: Let&#8217;s set up a group-policy to tie together all the attributes we are going to send to the remote client when they connect. The policy has to be created (as an internal policy, stored on the ASA) before its attributes can be set.<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# group-policy AnyConnect_GroupPolicy internal\nciscoasa(config)# group-policy AnyConnect_GroupPolicy attributes\nciscoasa(config-group-policy)# banner value Welcome to thejimmahknows VPN\nciscoasa(config-group-policy)# vpn-idle-timeout 30\nciscoasa(config-group-policy)# vpn-session-timeout none\nciscoasa(config-group-policy)# vpn-filter value vpnACL\nciscoasa(config-group-policy)# vpn-tunnel-protocol ssl-client\nciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified\nciscoasa(config-group-policy)# split-tunnel-network-list value tunneledNets\nciscoasa(config-group-policy)# dns-server value 192.168.1.3 192.168.3.4\nciscoasa(config-group-policy)# default-domain value internaldomain.local\nciscoasa(config-group-policy)# split-tunnel-all-dns enable\nciscoasa(config-group-policy)# address-pools value pool-AnyConnect\nciscoasa(config-group-policy)# ipv6-address-pools none<\/pre>\n<p>Let&#8217;s step through this:<\/p>\n<ul>\n<li><strong>AnyConnect_GroupPolicy {internal\/external} &#8212; Where to get attributes from? 
Internal = from this ASA, External = from an external server such as RADIUS or Cisco ACS<\/strong><\/li>\n<li><strong>AnyConnect_GroupPolicy attributes &#8212;<\/strong> Enters the group policy so we can set the attributes that are pushed down to the client.<\/li>\n<li><strong>banner value {your text} &#8212;<\/strong> Not technically needed, but I like it because it gives the user a pop-up from their VPN software confirming they have connected.<\/li>\n<li><strong>vpn-idle-timeout {min} &#8212;<\/strong> Terminates sessions that have passed no traffic for this many minutes.<\/li>\n<li><strong>vpn-session-timeout {min\/none} &#8212;<\/strong> Maximum lifetime of a session regardless of activity; none means unlimited. Setting a value (for example 720, a working day) limits how long an unattended or stolen laptop stays connected.<\/li>\n<li><strong>vpn-filter value {your ACL} &#8212;<\/strong> The ACL that says which internal networks VPN clients may communicate with. By default (sysopt connection permit-vpn) decrypted VPN traffic bypasses the outside interface ACL, so this filter is the access control for VPN users; without it a connected client can reach anything the ASA can route to.<\/li>\n<li><strong>vpn-tunnel-protocol {ssl-client\/ssl-clientless} &#8212;<\/strong> AnyConnect client (ssl-client) and\/or the clientless web portal (ssl-clientless).<\/li>\n<li><strong>split-tunnel-policy {tunnelspecified\/tunnelall} &#8212;<\/strong> Sets the split-tunneling policy. For the full-tunnel setup recommended above, use tunnelall; the split-tunnel-network-list is then not needed.<\/li>\n<li><strong>split-tunnel-network-list {standard ACL} &#8212;<\/strong> Which far-side networks to tell the client to route through the tunnel (tunnelspecified only).<\/li>\n<li><strong>dns-server value {dns servers} &#8212;<\/strong> The DNS servers your remote VPN clients should use. They must be reachable through the tunnel and permitted by the vpn-filter ACL.<\/li>\n<li><strong>default-domain value {windows domain name} &#8212;<\/strong> Supplied to the client as its DNS suffix.<\/li>\n<li><strong>split-tunnel-all-dns {enable\/disable} &#8212;<\/strong> Tells the client whether to send every DNS query through the tunnel or to let queries use the local network&#8217;s DNS. Best practice is to enable this so SSL remote VPN clients always resolve through the far end, which keeps internal host names from leaking to the local resolver.<\/li>\n<li><strong>address-pools value {IP pool object} &#8212;<\/strong> Where to get IPs for SSL remote VPN clients from.<\/li>\n<li><strong>ipv6-address-pools {IP pool object\/none} &#8212;<\/strong> IPv6 pools? 
Not in this setup, so none.<\/li>\n<li><strong>NOTE:<\/strong> <em>For more information and other attributes, see the <a href=\"http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/security\/asa\/asa84\/configuration\/guide\/asa_84_cli_config\/vpn_groups.html\" target=\"_blank\" rel=\"noopener noreferrer\">Cisco documentation here<\/a>.<\/em><\/li>\n<\/ul>\n<\/li>\n<li>\n<h6>SSL VPN Service: Here we set up the ASA to enable the SSL VPN service.<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# webvpn\nciscoasa(config-webvpn)# port 443\nciscoasa(config-webvpn)# enable outside\nciscoasa(config-webvpn)# anyconnect-essentials\nciscoasa(config-webvpn)# anyconnect enable\nciscoasa(config-webvpn)# tunnel-group-list enable<\/pre>\n<ul>\n<li><strong>port 443<\/strong> = the TCP port the service listens on. Both the client application and the web page use this port, and the client also tries DTLS on UDP 443 (the default dtls port) for the data path.<\/li>\n<li><strong>enable outside<\/strong> = enables the service on the interface you specify. Keep in mind that it binds to the primary IP of that interface only. From this point the login page is reachable by anyone who can reach that address, so the authentication you choose in the tunnel-group step matters.<\/li>\n<li><strong>anyconnect-essentials<\/strong> = selects the basic AnyConnect Essentials license, which is limited to the AnyConnect client and disables the clientless portal. It only applies to ASAs licensed under the older Essentials\/Premium scheme; the Plus\/Apex licensing used with AnyConnect 4.x does not use this command. Do a <strong>show version<\/strong> to see which licenses and how many seats your ASA supports.<\/li>\n<li><strong>anyconnect enable<\/strong> = turns on the AnyConnect client service. The client images (next step) must be on the ASA for this to do anything useful, so load them first if you are entering the configuration by hand.<\/li>\n<li><strong>tunnel-group-list enable<\/strong> = This is handy: when enabled, a drop-down box appears on the SSL web page listing the tunnel-groups (by alias) users can choose from. Handy on geo-diverse data centers. 
Have users connect to the closest data center, or pull down different tunnel-group attributes. Be aware that the aliases are visible to anyone who can load the page, so keep the names generic.<\/li>\n<\/ul>\n<\/li>\n<li>\n<h6>AnyConnect Client images: Set which version of the AnyConnect client you will offer to your users for download.<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config-webvpn)# anyconnect image disk0:\/anyconnect-win-4.0.00061-k9.pkg 1 regex \"Windows NT\"\nciscoasa(config-webvpn)# anyconnect image disk0:\/anyconnect-macosx-i386-4.0.00061-k9.pkg 2 regex \"Intel Mac OS X\"<\/pre>\n<p><strong>NOTE:<\/strong> You can download the AnyConnect images from <a href=\"https:\/\/software.cisco.com\/download\/release.html?mdfid=286281283&amp;flowid=72322&amp;softwareid=282364313&amp;release=4.0.00061&amp;relind=AVAILABLE&amp;rellifecycle=&amp;reltype=latest\" target=\"_blank\" rel=\"noopener noreferrer\">Cisco&#8217;s support and download page<\/a>. Download the <strong>Full Installation .pkg<\/strong> versions so you can upload them onto your ASA, and compare the checksum published on the download page with what the ASA computes (<strong>verify \/md5 disk0:\/filename<\/strong>) before you enable an image, since every user will install whatever the ASA serves. The <strong>regex part matches the user-agent sent by the client<\/strong>, and the number is the order in which the ASA tries the images, so put the most common platform first. This is helpful when providing Windows, Mac, and Linux with AnyConnect clients. The macOS regex has to match the package you loaded: \"Intel Mac OS X\" for the i386 image, since \"PPC Mac OS X\" only matches PowerPC Macs and the Intel image would never be offered.<\/p>\n<\/li>\n<li>\n<h6>Last Step: Putting it all together with a Tunnel Group object.<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# tunnel-group AnyConnect-TunnelGroup type remote-access\nciscoasa(config)# tunnel-group AnyConnect-TunnelGroup general-attributes\nciscoasa(config-tunnel-general)# default-group-policy AnyConnect_GroupPolicy\n\nciscoasa(config)# tunnel-group AnyConnect-TunnelGroup webvpn-attributes\nciscoasa(config-tunnel-webvpn)# group-alias thejimmahknows enable<\/pre>\n<p><strong>NOTE:<\/strong> <em>Type <strong>remote-access<\/strong> = tells the ASA this is a remote-access tunnel and not a site-to-site tunnel. We also bind which group policy to use with this tunnel-group here; the name must match the policy created earlier. Authentication defaults to the LOCAL user database. For production, point the tunnel-group at a AAA server with <strong>authentication-server-group<\/strong> and add a second factor or client certificates, because this login is exposed to the internet. The group-alias is the name that will appear in the drop-down list to the user; it must be a single word followed by <strong>enable<\/strong>. 
Remember the drop-down from tunnel-group-list enable: this is where you give each tunnel-group the name users see when selecting it.<br \/>\n<\/em><\/p><\/li>\n<li>\n<h6>Creating users within the LOCAL user-table on your Cisco ASA<\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ciscoasa(config)# username testuser password *****\n\nciscoasa(config)# username testuser attributes\nciscoasa(config-username)# vpn-framed-ip-address 172.21.0.55 255.255.255.0<\/pre>\n<p><strong>NOTE:<\/strong> <em><strong>vpn-framed-ip-address<\/strong> = sets the IP address (and mask) the user will always get, kind of like a DHCP reservation; handy when you want per-user firewall rules. If the ASA authenticates management access (SSH, ASDM) against the LOCAL database, as is common, a user created this way can log in there too, so for VPN-only accounts set <strong>service-type remote-access<\/strong> under the username attributes together with <strong>aaa authorization exec LOCAL<\/strong>.<\/em><\/p><\/li>\n<\/ol>\n<h3>Configuring the Client Side<\/h3>\n<h6>Windows &#8212; Using SSL remote VPN Client<\/h6>\n<ol>\n<li>Browse to https:\/\/ followed by the address of the ASA interface on which you enabled WebVPN. In my case it was the outside interface. If the ASA is still using its self-signed certificate, the browser and the AnyConnect client will both warn; install a certificate from a CA your clients trust before rolling this out rather than teaching users to click through, since a client that accepts any certificate can be pointed at an impostor.<\/li>\n<li>Configuration: log in with the LOCAL user, let the portal install AnyConnect (or download the client and enter the same address), and connect.<br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/login-anyconnect.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3392\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/login-anyconnect-300x160.png\" alt=\"\" width=\"456\" height=\"243\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/login-anyconnect-300x160.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/login-anyconnect.png 348w\" sizes=\"auto, (max-width: 456px) 100vw, 456px\" \/><\/a><img decoding=\"async\" src=\"http:\/\/s6.postimg.org\/tvhydo9kx\/welcome_anyconnect.png\" alt=\"\" \/><img decoding=\"async\" src=\"http:\/\/s6.postimg.org\/6vbb1cbr5\/java_anyconnect.png\" alt=\"\" \/><img decoding=\"async\" src=\"http:\/\/s6.postimg.org\/c46bz7u69\/connected_anyconnect.png\" alt=\"\" \/><\/li>\n<li>Wahoo!!<\/li>\n<\/ol>\n<h6>Ubuntu &#8212; Using openconnect package<\/h6>\n<ol>\n<li><em>Install<\/em> (the -gnome package adds the NetworkManager dialog used below):\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">sudo apt-get install network-manager-openconnect network-manager-openconnect-gnome<\/pre>\n<\/li>\n<li>Configure: enter the same gateway address and credentials. Like AnyConnect, openconnect verifies the ASA&#8217;s certificate and prompts if it is not trusted; the command-line client can also pin the expected certificate with its --servercert option.<a 
href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3399\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-300x137.png\" alt=\"\" width=\"300\" height=\"137\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-300x137.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect.png 448w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3398\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-2-300x220.png\" alt=\"\" width=\"300\" height=\"220\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-2-300x220.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-2.png 448w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3397\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-3-287x300.png\" alt=\"\" width=\"287\" height=\"300\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-3-287x300.png 287w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-3.png 704w\" sizes=\"auto, (max-width: 287px) 100vw, 287px\" \/><\/a><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3395\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-5-300x274.png\" alt=\"\" 
width=\"300\" height=\"274\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-5-300x274.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ubuntu-openconnect-5.png 397w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/li>\n<li><em>Tada!!<\/em><\/li>\n<\/ol>\n<p>Sources:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/asa-5500-x-series-next-generation-firewalls\/117641-config-asa-00.html#anc8\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/asa-5500-x-series-next-generation-firewalls\/117641-config-asa-00.html#anc8<\/a><\/li>\n<li><a href=\"http:\/\/www.petenetlive.com\/KB\/Article\/0000943.htm\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.petenetlive.com\/KB\/Article\/0000943.htm<\/a><\/li>\n<li><a href=\"http:\/\/www.tunnelsup.com\/webvpn-or-ssl-vpn-on-an-asa\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.tunnelsup.com\/webvpn-or-ssl-vpn-on-an-asa\/<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>As promised here is my article on how to setup a SSL remote VPN, an alternative to IPSec Remote VPN from this article. 
What&#8217;s\u00a0great is the steps to setup an SSL remote VPN service are&#46;&#46;&#46;<\/p>\n","protected":false},"author":2,"featured_media":4233,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[55,112],"class_list":["post-2082","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cisco","tag-cisco","tag-security-2"],"_links":{"self":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/2082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2082"}],"version-history":[{"count":1,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/2082\/revisions"}],"predecessor-version":[{"id":4152,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/2082\/revisions\/4152"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/media\/4233"}],"wp:attachment":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2082"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
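For reference, here is the whole server-side procedure from the post assembled into one configuration as it would appear in the ASA's running-config (no `ciscoasa(config)#` prompts). This is an added example and not the article's own configuration: it keeps the article's pool, object, ACL, policy and tunnel-group names, addresses and domain, applies the corrections discussed in the steps (`destination static`, `webvpn-attributes`, the `enable` keyword on the alias, the Intel macOS regex, the mask on the framed address), and switches to the full tunneling the design notes recommend, which on an ASA also needs hairpin permission and a PAT rule for the clients' internet traffic. The hairpin lines, the 720-minute session timeout, the placeholder password, the `aaa authorization exec LOCAL` plus `service-type remote-access` restriction, and the assumption that the client packages are already on disk0: are mine, not the post's; ASA 9.x syntax is assumed.

```cisco
! Added worked example (not the article's own config): the server-side steps
! assembled into one ASA 9.x configuration with the corrections applied and
! full tunneling (tunnelall). Names, addresses and internaldomain.local are
! the article's; hairpin NAT, session timeout, password placeholder and the
! service-type restriction are assumptions added here.

! 1. Address pool for AnyConnect clients
ip local pool pool-AnyConnect 172.21.0.10-172.21.0.250 mask 255.255.255.0

! 2. Objects and the vpn-filter ACL: client is the source, internal nets the destination
object-group network obj-AnyConnect
 network-object 172.21.0.0 255.255.255.0
object-group network obj-PROTECTED-NETWORK
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
access-list vpnACL extended permit ip object-group obj-AnyConnect object-group obj-PROTECTED-NETWORK

! 3. Split-tunnel list: kept for reference, unused while the policy is tunnelall
access-list tunneledNets standard permit 192.168.1.0 255.255.255.0
access-list tunneledNets standard permit 192.168.2.0 255.255.255.0
access-list tunneledNets standard permit 192.168.3.0 255.255.255.0

! 4. NAT exemption so VPN-to-LAN traffic is never caught by the internet PAT rule.
!    Order matters: this rule must stay above the hairpin PAT rule below.
nat (inside,outside) source static obj-PROTECTED-NETWORK obj-PROTECTED-NETWORK destination static obj-AnyConnect obj-AnyConnect no-proxy-arp route-lookup
! With tunnelall the clients' internet traffic enters and leaves on outside
! (hairpin): allow that and PAT the pool behind the outside interface address.
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic obj-AnyConnect interface

! 5. Group policy pushed to the client
group-policy AnyConnect_GroupPolicy internal
group-policy AnyConnect_GroupPolicy attributes
 banner value Welcome to thejimmahknows VPN
 vpn-idle-timeout 30
 vpn-session-timeout 720
 vpn-filter value vpnACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 192.168.1.3 192.168.3.4
 default-domain value internaldomain.local
 address-pools value pool-AnyConnect
 ipv6-address-pools none
! For split tunneling instead, replace the tunnelall line with these three:
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value tunneledNets
!  split-tunnel-all-dns enable

! 6-7. SSL VPN service and client images (packages already copied to disk0:)
webvpn
 port 443
 enable outside
 anyconnect image disk0:/anyconnect-win-4.0.00061-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-4.0.00061-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect enable
 tunnel-group-list enable

! 8. Tunnel group binding the policy and the alias shown in the drop-down
tunnel-group AnyConnect-TunnelGroup type remote-access
tunnel-group AnyConnect-TunnelGroup general-attributes
 default-group-policy AnyConnect_GroupPolicy
tunnel-group AnyConnect-TunnelGroup webvpn-attributes
 group-alias thejimmahknows enable

! 9. Local user that may only use the VPN, not the management plane
!    (default service-type is admin, so existing admin accounts are unaffected)
aaa authorization exec LOCAL
username testuser password ReplaceWithAStrongPassword
username testuser attributes
 vpn-framed-ip-address 172.21.0.55 255.255.255.0
 service-type remote-access
```

Paste it in global configuration mode in this order; the NAT exemption has to stay above the hairpin PAT rule because twice-NAT rules are evaluated top down and the `(outside,outside)` rule, whose destination is unrestricted, would otherwise catch client-to-LAN traffic as well. After a client connects, `show vpn-sessiondb anyconnect` lists the session and the group policy it received, and `show nat detail` shows the exemption's hit counters rising as the client talks to the LAN. Also review `ssl server-version` and `ssl cipher` on the ASA: AnyConnect 4.x supports TLS 1.2, but on ASA releases without DTLS 1.2 support, restricting the server to TLS 1.2 only also disables DTLS, so test the data path after tightening.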