Basic Cisco AnyConnect full-tunnel SSL VPN uses user authentication by username and password, provides IP address assignment to the client, and uses a basic access control policy. The client also authenticates the ASA with identity certificate-based authentication. Deployment tasks in this post are as follows:- Configure the basic ASA SSL VPN gateway features.
- Configure local user authentication.
- Configure IPv4/IPv6 address assignment.
- Configure basic access control.
- Install the Cisco AnyConnect Secure Mobility Client.
Related posts in this blog:
- Cisco ASA 5500-X Series Software 9.x Configuration Notes (Tips and Tricks)
- Cisco ASA Remote Access VPN Configuration 2 - Anyconnect VPN Configuration
- Cisco ASA Remote Access VPN Configuration 1 - Clientless SSL VPN Configuration
- Cisco ASAv HA Configurations
In this post, Cisco Adaptive Security Appliance Software Version 9.1(2) and Device Manager Version 7.1(3) have been used as an example.
DMZ (Security Level 50) interface will be used to simulate external connection to Internet.
INTERNAL (Security Level 100) interface is connecting to local network.
User will come from 172.17.3.62 to access 10.94.200.62 though Anyconnect VPN connection.
2. Basic Configuration
2.1 Interface Configuration
interface GigabitEthernet0/0
nameif INTERNAL security-level 100 ip address 10.94.200.12 255.255.255.0 ! interface GigabitEthernet0/1 nameif DMZ security-level 50 ip address 172.17.3.12 255.255.255.0 interface Management0/0 management-only nameif MGMT security-level 0 ip address 192.168.2.12 255.255.255.0 no shutdown |
2.2 SSH and ASDM Configuration
aaa authentication ssh console LOCAL
http server enable http 192.168.2.0 255.255.255.0 MGMT ssh 192.168.2.0 255.255.255.0 MGMT username admin password admin |
2.3 NAT and Access-list Configuration
INTERNAL network can access all DMZ networks with NAT-ed DMZ interface ip 172.17.3.12. But there is no access from DMZ to INTERNAL.
 |
| NAT |
 |
| Firewall Rule |
object service icmp-reply
service icmp echo-reply 0 access-list global_access extended permit object icmp-reply any any access-list INTERNAL_access_in extended permit ip any any access-group INTERNAL_access_in in interface INTERNAL access-group global_access global |
The following NAT rule is to make INTERNAL network to access DMZ network using DMZ interface ip address.
nat (INTERNAL,DMZ) source dynamic any interface
|
3. Steps to Enable AnyConnect VPN
3.1 Start VPN Wizards -> AnyConnect VPN Wizard...
3.2 Enter Connection Profile Name
3.4 Add a new Client Image.
It is not .msi file. It has to be a package file.
3.7 NAT Exempt
Usually in ASA configuration, there are NAT configured. You will have to exempt your SSL VPN Traffic from NAT configuration
3.8 Allow Web Launch
3.9 Configuration Summary
4. Split Tunneling
Split tunnelling is a feature that you can use in order to define the traffic for the subnets or hosts that must be encrypted. This involves the configuration of an Access Control List (ACL) that will be associated with this feature. The traffic for the subnets or hosts that is defined on this ACL will be encrypted over the tunnel from the client-end, and the routes for these subnets are installed on the PC routing table.
If Split Tunneling enabled on AnyConnect VPN Configuration, VPN user 's traffic to Internal Network (10.94.200.0/24) will be split from other traffic such as Internet Traffic. In this way, AnyConnect VPN user can keep their Internet connection at the same time having local Internal network access.
5. User Policy Control
In this way, you can control which network user can access, since you can control Split-Tunneling networks in the VPN Connection Profile.
Reference:
Configure AnyConnect Secure Mobility Client with Split Tunneling on an ASA
No comments:
Post a Comment