Cisco ASA Remote Access VPN Configuration 2 - AnyConnect VPN - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Monday, February 22, 2016

Cisco ASA Remote Access VPN Configuration 2 - AnyConnect VPN

Basic Cisco AnyConnect full-tunnel SSL VPN uses user authentication by username and password, provides IP address assignment to the client, and uses a basic access control policy. The client also authenticates the ASA with identity certificate-based authentication. Deployment tasks in this post are as follows:
  • Configure the basic ASA SSL VPN gateway features.
  • Configure local user authentication.
  • Configure IPv4/IPv6 address assignment.
  • Configure basic access control.
  • Install the Cisco AnyConnect Secure Mobility Client.
Initially, AnyConnect was an SSL-only VPN client. Starting with Version 3.0, AnyConnect became a modular client with additional features (including IPsec IKEv2 VPN terminations on Cisco ASA), but it requires a minimum of ASA 8.4(1) and ASDM 6.4(1).

Related posts in this blog:
1. Topology

In this post, Cisco Adaptive Security Appliance Software Version 9.1(2) and Device Manager Version 7.1(3) have been used as an example.

DMZ (Security Level 50) interface will be used to simulate external connection to Internet.
INTERNAL (Security Level 100) interface is connecting to local network.

User will come from to access though Anyconnect VPN connection.

2. Basic Configuration

2.1 Interface Configuration

interface GigabitEthernet0/0
 nameif INTERNAL
 security-level 100
 ip address 
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 

interface Management0/0
 nameif MGMT
 security-level 0
 ip address 
 no shutdown

2.2 SSH and ASDM Configuration

aaa authentication ssh console LOCAL 
http server enable
http MGMT
ssh MGMT
username admin password admin

2.3 NAT and Access-list Configuration

INTERNAL network can access all DMZ networks with NAT-ed DMZ interface ip But there is no access from DMZ to INTERNAL.


Firewall Rule
ICMP Echo reply packets have to be allowed on DMZ interface to make ping working from INTERNAL to DMZ work.

object service icmp-reply

 service icmp echo-reply 0

access-list global_access extended permit object icmp-reply any any 
access-list INTERNAL_access_in extended permit ip any any 

access-group INTERNAL_access_in in interface INTERNAL

access-group global_access global

The following NAT rule is to make INTERNAL network to access DMZ network using DMZ interface ip address.
nat (INTERNAL,DMZ) source dynamic any interface

3. Steps to Enable AnyConnect VPN

3.1 Start VPN Wizards -> AnyConnect VPN Wizard...

3.2 Enter Connection Profile Name
3.3 Create and Use a New Self-Signed Certificate

3.4 Add a new Client Image.
It is not .msi file. It has to be a package file.

3.5 Use Local Accounts in ASA as Authentication Method
3.6 Create and Use SSL Connection IPv4 Address Pool

3.7 NAT Exempt
Usually in ASA configuration, there are NAT configured. You will have to exempt your SSL VPN Traffic from NAT configuration
Note: In this wizard, you will only can exempt one local network from NAT configuration. If you have multiple Internal local networks, you will have to work on configuration manually from CLI to exempt all of them from NAT. Else, you will get a deny for your non-NAT-exempt traffic.

3.8 Allow Web Launch

3.9 Configuration Summary
After this screen, your configuration will be pushed from ASDM to ASA device. You will get a notification if there is any configuration wrong.

4. Split Tunneling
Split tunnelling is a feature that you can use in order to define the traffic for the subnets or hosts that must be encrypted. This involves the configuration of an Access Control List (ACL) that will be associated with this feature. The traffic for the subnets or hosts that is defined on this ACL will be encrypted over the tunnel from the client-end, and the routes for these subnets are installed on the PC routing table.

If Split Tunneling enabled on AnyConnect VPN Configuration, VPN user 's traffic to Internal Network ( will be split from other traffic such as Internet Traffic. In this way, AnyConnect VPN user can keep their Internet connection at the same time having local Internal network access.

5. User Policy Control

By default, the user will use DfltGrpPolicy. You can customize your local user to use different VPN Group Policy and different VPN Connection Profile.

In this way, you can control which network user can access, since you can control Split-Tunneling networks in the VPN Connection Profile.

Configure AnyConnect Secure Mobility Client with Split Tunneling on an ASA

No comments:

Post a Comment