Sunday 28 April 2013

ASA SSL - part II - Anyconnect


In order to configure the ASA for VPN access using the AnyConnect client, complete these steps:
  1. Configure a Self-Issued Certificate.
  2. Upload and Identify the SSL VPN Client Image.
  3. Enable Anyconnect Access.
  4. Create a new Group Policy.
  5. Configure Access List Bypass for VPN Connections.
  6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections.
  7. Add Users to the Local Database.
Scenario:
  • Configure a Self-Issued Certificate
By default, the security appliance has a self-signed certificate that is regenerated every time the device is rebooted. You can purchase your own certificate from vendors, such as Verisign or EnTrust, or you can configure the ASA to issue an identity certificate to itself. This certificate remains the same even when the device is rebooted.
  • Upload and Identify the SSL VPN Client Image
ciscoasa# copy tftp://172.20.1.6/anyconnect-win-3.0.11042-k9.pkg flash:
Address or name of remote host [172.20.1.6]?
Source filename [anyconnect-win-3.0.11042-k9.pkg]?
Destination filename [anyconnect-win-3.0.11042-k9.pkg]? 
webvpn
 anyconnect image disk0:/anyconnect-win-3.0.11042-k9.pkg 1
  • Enable Anyconnect Access.
webvpn
 port 8443
 enable outside
 anyconnect enable
  • Create a new Group Policy.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list PERMIT_ANY extended permit ip any any 

 group-policy SSLVPN internal
group-policy SSLVPN attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
  • Configure Access List Bypass for VPN Connections.
sysopt connection permit-vpn
  •  Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections.
 ip local pool SVC_POOL 20.0.0.1-20.0.0.254

tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SVC_POOL
 default-group-policy SSLVPN
 webvpn
tunnel-group-list enable
  •  Add Users to the Local Database.
username ANYCONNECT password CISCO
Verification: 
  • https://172.20.1.10:8443

  • anyconnect will be downloaded and installed automatically.
  •  SSLVPN connection will be automatically established after that

  • ASA outputs:
ciscoasa# show webvpn anyconnect
1. disk0:/anyconnect-win-3.0.11042-k9.pkg 1 dyn-regex=/Windows NT/
  CISCO STC win2k+
  3,0,11042
  Hostscan Version 3.0.11042
  Mon 12/10/2012  5:18:28.27
1 AnyConnect Client(s) installed

ciscoasa# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username     : ANYCONNECT                 Index        : 15
Assigned IP  : 20.0.0.1               Public IP    : 172.20.1.6
Protocol     : Clientless SSL-Tunnel
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 47604                  Bytes Rx     : 11501
Group Policy : SSLVPN                 Tunnel Group : SSLVPN
Login Time   : 18:45:49 UTC Sat Apr 27 2013
Duration     : 0h:06m:03s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)