
Monday, January 8, 2018

Configuring AnyConnect SSL VPNs on ASA

AnyConnect is used by many enterprises to let their users reach the internal network over the Internet through the Cisco AnyConnect Mobility Client. Here is how to configure it on an ASA.

If you are going to practice this lab, you will need to go through the following posts first:

Basic Installation of Microsoft Windows Server 2012 R2 in VMware Workstation
Installing Active Directory, DNS and DHCP on Windows Server 2012 R2
Configuring LDAP Services on Windows Server 2012 R2
Configuring AAA on Cisco ASA for LDAP Users to Use with VPNs
How to Enable ASDM Access to ASA

Well, the easiest method is to go through the Wizard.
Here is the manual way.

Create a Group Policy

Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies
Click +Add, give it a name and an address pool as shown below. You can create the address pool by clicking the Select button and adding and assigning a new one. This pool holds the addresses that will be assigned to the clients. In this topology I used 11.1.1.50 to 11.1.1.100 and named it 11-pool.

Now expand Advanced and select Split Tunneling. This configuration is needed because, by default, once users are connected to the VPN all of their traffic is sent through the tunnel. With split tunneling only the traffic destined to a network list specified on the firewall is tunneled. Set the Policy to Tunnel Network List Below and specify the Network List by clicking Manage. You will have to add the ACL, which is just the name of the ACL, and then add an ACE, which is the actual statement of the ACL.

The standard ACL I created permits 11.0.0.0/8 only, which means that only traffic destined to the 11.0.0.0/8 network will be sent through the VPN.

Specify Client Software

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software
Click Add and Browse Flash for an image.

Create a Connection Profile

Now go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Add a new profile and configure it as follows.

Now tick the boxes as shown below.

Now users can connect to the VPN from the Cisco AnyConnect Mobility Client.

If users do not have the AnyConnect software, they can download it by browsing to 10.1.1.200 in a web browser.

Note:

If you are unable to reach internal servers after the VPN is established, you may need to issue the following command on the ASA:
ASA(config)# sysopt connection permit-vpn

Some useful show commands on the CLI:
ASA# show vpn-sessiondb
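The same configuration entered from the ASA CLI, as an added example that is not part of the original post. It mirrors the ASDM steps above (address pool, split-tunnel ACL, group policy, client image, connection profile) plus the sysopt command from the note. Only 11-pool and the addresses come from the post; the object names SPLIT-TUNNEL, ANYCONNECT-GP and ANYCONNECT-TG, the LDAP server group name LDAP-SERVERS and the package filename are assumptions or placeholders that you must replace with your own values.

```cisco
! Added example (not from the original post): CLI equivalent of the ASDM steps.
! Names other than 11-pool are assumptions; replace them to match your deployment.

! Address pool handed out to AnyConnect clients (11.1.1.50-11.1.1.100 from the post)
ip local pool 11-pool 11.1.1.50-11.1.1.100 mask 255.255.255.0

! Standard ACL used for split tunneling: only 11.0.0.0/8 goes through the tunnel
access-list SPLIT-TUNNEL standard permit 11.0.0.0 255.0.0.0

! Group policy: SSL client protocol, split tunneling and the address pool
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value 11-pool

! Enable AnyConnect on the outside interface and point at the client package on flash
! (placeholder filename; use the image you actually uploaded)
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable

! Connection profile (tunnel group): authenticate against the LDAP AAA server group
! from the earlier post (LDAP-SERVERS is a placeholder name)
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool 11-pool
 default-group-policy ANYCONNECT-GP
 authentication-server-group LDAP-SERVERS
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias AnyConnect enable

! From the note: let decrypted VPN traffic bypass the interface access lists
sysopt connection permit-vpn
```

After clients connect, show vpn-sessiondb anyconnect lists each session with its assigned pool address, which is a quick way to confirm the pool and group policy were applied. Keep in mind that sysopt connection permit-vpn exempts decrypted VPN traffic from the interface ACLs; if you would rather keep those ACLs enforced for VPN users, leave it off and permit the pool's traffic explicitly instead.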
