Basic Cisco AnyConnect full-tunnel SSL VPN uses user authentication by username and password, provides IP address assignment to the client, and uses a basic access control policy. The client also authenticates the ASA with identity certificate-based authentication. Deployment tasks in this post are as follows:
- Configure the basic ASA SSL VPN gateway features.
- Configure local user authentication.
- Configure IPv4/IPv6 address assignment.
- Configure basic access control.
- Install the Cisco AnyConnect Secure Mobility Client.
Initially, AnyConnect was an SSL-only VPN client. Starting with Version 3.0, AnyConnect became a modular client with additional features (including IPsec IKEv2 VPN terminations on Cisco ASA), but it requires a minimum of ASA 8.4(1) and ASDM 6.4(1).
Related posts in this blog:
- Cisco ASA 5500-X Series Software 9.x Configuration Notes (Tips and Tricks)
- Cisco ASA Remote Access VPN Configuration 2 – Anyconnect VPN Configuration
- Cisco ASA Remote Access VPN Configuration 1 – Clientless SSL VPN Configuration
- Cisco ASAv HA Configurations
In this post, Cisco Adaptive Security Appliance Software Version 9.1(2) and Device Manager Version 7.1(3) have been used as an example.
DMZ (Security Level 50) interface will be used to simulate external connection to Internet.
INTERNAL (Security Level 100) interface is connecting to local network.
User will come from 172.17.3.62 to access 10.94.200.62 though Anyconnect VPN connection.
2. Basic Configuration
2.1 Interface Configuration
ip address 10.94.200.12 255.255.255.0
ip address 172.17.3.12 255.255.255.0
ip address 192.168.2.12 255.255.255.0
2.2 SSH and ASDM Configuration
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 MGMT
ssh 192.168.2.0 255.255.255.0 MGMT
username admin password admin
2.3 NAT and Access-list Configuration
INTERNAL network can access all DMZ networks with NAT-ed DMZ interface ip 172.17.3.12. But there is no access from DMZ to INTERNAL.
ICMP Echo reply packets have to be allowed on DMZ interface to make ping working from INTERNAL to DMZ work.
object service icmp-reply
service icmp echo-reply 0
access-list global_access extended permit object icmp-reply any any
access-list INTERNAL_access_in extended permit ip any any
access-group INTERNAL_access_in in interface INTERNAL
access-group global_access global
The following NAT rule is to make INTERNAL network to access DMZ network using DMZ interface ip address.
nat (INTERNAL,DMZ) source dynamic any interface
3. Steps to Enable AnyConnect VPN
3.1 Start VPN Wizards -> AnyConnect VPN Wizard…
3.2 Enter Connection Profile Name
3.3 Create and Use a New Self-Signed Certificate
3.4 Add a new Client Image.
It is not .msi file. It has to be a package file.
3.5 Use Local Accounts in ASA as Authentication Method
3.6 Create and Use SSL Connection IPv4 Address Pool
3.7 NAT Exempt
Usually in ASA configuration, there are NAT configured. You will have to exempt your SSL VPN Traffic from NAT configuration
Note: In this wizard, you will only can exempt one local network from NAT configuration. If you have multiple Internal local networks, you will have to work on configuration manually from CLI to exempt all of them from NAT. Else, you will get a deny for your non-NAT-exempt traffic.
3.8 Allow Web Launch
3.9 Configuration Summary
After this screen, your configuration will be pushed from ASDM to ASA device. You will get a notification if there is any configuration wrong.
4. Split Tunneling
Split tunnelling is a feature that you can use in order to define the traffic for the subnets or hosts that must be encrypted. This involves the configuration of an Access Control List (ACL) that will be associated with this feature. The traffic for the subnets or hosts that is defined on this ACL will be encrypted over the tunnel from the client-end, and the routes for these subnets are installed on the PC routing table.
If Split Tunneling enabled on AnyConnect VPN Configuration, VPN user ‘s traffic to Internal Network (10.94.200.0/24) will be split from other traffic such as Internet Traffic. In this way, AnyConnect VPN user can keep their Internet connection at the same time having local Internal network access.
5. User Policy Control
By default, the user will use DfltGrpPolicy. You can customize your local user to use different VPN Group Policy and different VPN Connection Profile.
In this way, you can control which network user can access, since you can control Split-Tunneling networks in the VPN Connection Profile.