- Configure the basic ASA SSL VPN gateway features.
- Configure local user authentication.
- Configure IPv4/IPv6 address assignment.
- Configure basic access control.
- Install the Cisco AnyConnect Secure Mobility Client.
Related posts in this blog:
- Cisco ASA 5500-X Series Software 9.x Configuration Notes (Tips and Tricks)
- Cisco ASA Remote Access VPN Configuration 2 - Anyconnect VPN Configuration
- Cisco ASA Remote Access VPN Configuration 1 - Clientless SSL VPN Configuration
- Cisco ASAv HA Configurations
In this post, Cisco Adaptive Security Appliance Software Version 9.1(2) and Device Manager Version 7.1(3) have been used as an example.
DMZ (Security Level 50) interface will be used to simulate external connection to Internet.
INTERNAL (Security Level 100) interface is connecting to local network.
User will come from 172.17.3.62 to access 10.94.200.62 though Anyconnect VPN connection.
2. Basic Configuration
2.1 Interface Configuration
interface GigabitEthernet0/0
 nameif INTERNAL  security-level 100  ip address 10.94.200.12 255.255.255.0 !        interface GigabitEthernet0/1  nameif DMZ  security-level 50  ip address 172.17.3.12 255.255.255.0 interface Management0/0  management-only  nameif MGMT  security-level 0  ip address 192.168.2.12 255.255.255.0  no shutdown |
2.2 SSH and ASDM Configuration
aaa authentication ssh console LOCALÂ
http server enable http 192.168.2.0 255.255.255.0 MGMT ssh 192.168.2.0 255.255.255.0 MGMT username admin password admin |
2.3 NAT and Access-list Configuration
INTERNAL network can access all DMZ networks with NAT-ed DMZ interface ip 172.17.3.12. But there is no access from DMZ to INTERNAL.
NAT |
Firewall Rule |
object service icmp-reply
 service icmp echo-reply 0 access-list global_access extended permit object icmp-reply any any access-list INTERNAL_access_in extended permit ip any any access-group INTERNAL_access_in in interface INTERNAL access-group global_access global |
The following NAT rule is to make INTERNAL network to access DMZ network using DMZ interface ip address.
nat (INTERNAL,DMZ) source dynamic any interface
|
3. Steps to Enable AnyConnect VPN
3.1 Start VPN Wizards -> AnyConnect VPN Wizard...
3.2 Enter Connection Profile Name
3.3 Create and Use a New Self-Signed Certificate
3.4 Add a new Client Image.
It is not .msi file. It has to be a package file.
3.6 Create and Use SSL Connection IPv4 Address Pool
3.7 NAT Exempt
Usually in ASA configuration, there are NAT configured. You will have to exempt your SSL VPN Traffic from NAT configuration
Note: In this wizard, you will only can exempt one local network from NAT configuration. If you have multiple Internal local networks, you will have to work on configuration manually from CLI to exempt all of them from NAT. Else, you will get a deny for your non-NAT-exempt traffic.
3.8 Allow Web Launch
3.9 Configuration Summary
After this screen, your configuration will be pushed from ASDM to ASA device. You will get a notification if there is any configuration wrong.
4. Split Tunneling
Split tunnelling is a feature that you can use in order to define the traffic for the subnets or hosts that must be encrypted. This involves the configuration of an Access Control List (ACL) that will be associated with this feature. The traffic for the subnets or hosts that is defined on this ACL will be encrypted over the tunnel from the client-end, and the routes for these subnets are installed on the PC routing table.
If Split Tunneling enabled on AnyConnect VPN Configuration, VPN user 's traffic to Internal Network (10.94.200.0/24) will be split from other traffic such as Internet Traffic. In this way, AnyConnect VPN user can keep their Internet connection at the same time having local Internal network access.
5. User Policy Control
In this way, you can control which network user can access, since you can control Split-Tunneling networks in the VPN Connection Profile.
Reference:
Configure AnyConnect Secure Mobility Client with Split Tunneling on an ASA
No comments:
Post a Comment