IT Network
Jan 25, 2011 default-domain value company.com address-pools value SSLClientPool webvpn svc ask none default webvpn customization value DfltCustomization group-policy DfltGrpPolicy attributes dns-server value 10.0.1.1 vpn-simultaneous-logins 10 vpn-tunnel-protocol svc webvpn default-domain value company.com address-pools value SSLClientPool webvpn. Anyconnect ask none default anyconnect. Dynamic-access-policy-record DfltAccessPolicy.
Cisco AnyConnect VPN is a remote access software to replacement the old Cisco VPN client which it can be downloaded from ASA firewall via web browser. It is a best VPN solution providing the remote access user to use the AnyConnect VPN client to connect to the Cisco ASA firewall and will receive an IP address from a remote access VPN pool, then allowing full access to the internal network.
In this article will show how to configure Cisco AnyConnect remote access VPN on Cisco ASA firewalls IOS version 9.x to allow remote access user connect to internal network remotely.
In this article of configuring Cisco AnyConnect remote access software, it is assumed that:
a. You already have Cisco ASAv on GNS3 VM up and running. In case that you don’t, please follow this link. Configuring Cisco ASAv QCOW2 with GNS3 VM
b. You have already downloaded Cisco AnyConnect remote access software (anyconnect-win-4.3.05017-k9.pkg) PKG file from the Cisco website. Cisco service contract is needed to be able to download it.
To demonstrate configuring Cisco AnyConnect remote access VPN on Cisco ASA firewalls IOS version 9.x, we will set up a GNS3 lab as the following diagram.
There is a Cisco ASAv firewall virtual server and there is one Cisco router act as client in the internal network connected to ASAv firewall virtual server interface inside. Another ASAv firewall virtual server interface is outside interface connect to the real physical computer via GNS3 Cloud. So, we use the real physical computer as the remote access client connect to router in the local network. Also, the Lab will use IP subnet 172.16.0.0/24 for assign for remote access clients. The following is the IP configuration of each device.
On Cisco ASAv firewall virtual server
On Cisco router
The first thing to do of configuring Cisco AnyConnect remote access vpn is to copy AnyConnect client package into the firewall via TFTP server.
After the Cisco AnyConnect remote access software has been copied into ASAv firewall virtual server, we need to enable the WebVPN on on the outside interface of ASAv firewall virtual server and specify the AnyConnect image to be downloaded via web browser by remote access users.
We need to configure a pool with IP addresses for ASAv firewall virtual server to assign IP addresses to all remote access users that connect with Cisco AnyConnect remote access VPN client.
By default after remote access user is connected successfully, all traffic will be sent through the tunnel and they cannot access to any internet websites. To allow remote access users to access the Internet while they are connected with Cisco AnyConnect remote access software, we need to configure split tunneling. We need to create an access-list that specifies what networks we want to reach through the tunnel as the following.
Cisco AnyConnect remote access vpn need a Group Policies to specify the parameters that are applied to clients when they connect. In our case now, we’ll create a group policy named “GP-RemoteAcessVPN”.
A connection profile which is also known as a tunnel group is needed when the remote access vpn clients connect to the ASAv firewall virtual server. This tunnel group is used to define the specific connection parameters we want our remote access VPN clients to use.
The remote access clients will need to be assigned an IP address during login, so we’ll also set up a DHCP pool for them.
We need to create the remote access vpn user account on ASAv firewall virtual server to allow them access to the internal network. Below user will can only use AnyConnect remote access VPN and cannot login the ASAv firewall virtual server.
All the configuration for Cisco AnyConnect remote access VPN is now in ready on the ASAv firewall virtual server. Now we can start testing by accessing to IP address of the outside interface on ASAv firewall virtual server which is our case now is 192.168.229.131 and download install the Cisco AnyConnect remote access software to install on the client computer.
After finished installing the Cisco AnyConnect remote access software on the client computer, we can start the application and enter the IP address of the ASAv firewall virtual server, the click “Connect”.
Enter the username and password of the Cisco AnyConnect remote access VPN account that we create in the above step, then click “OK” to connect.
The remote access VPN client now should be able to successfully connected to the ASAv firewall virtual server.
We can verify if the remote access VPN client cannot access to the internet network or not by test ping to the router IP address with is “10.0.0.2” and we should get the successful ping result as the below.
Normal, Dynamic NAT is configured on Cisco ASA firewall appliance to provide internet access to all computers within a specific subnet in the Local Area Network (LAN). In this case, we need to configure NAT Exemption to exclude the remote access VPN subnet of Cisco AnyConnect remote access software from Dynamic NAT, otherwise the remote access VPN client cannot access to the resource within the internal network.
Now you should be able to configure Cisco AnyConnect Remote Access VPN on Cisco ASA firewall appliance with IOS version 9.x. It is recommended that you try it by your own self using GNS3 MV to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.
Comments
comments
Related posts:
!
en
conf t
##############################
#Interfaces
##############################
int GigabitEthernet0
ip
address 10.10.10.1 255.255.255.0
nameif
outside
# INFO: Security level for “outside” set to 0 by default.
no shut
!
int GigabitEthernet1
ip
address 192.168.16.1 255.255.255.0
nameif
inside
# INFO: Security level for “inside” set to 100 by default.
no shut
!
exit
##############################
#Logging
##############################
!
logging
enable
logging buffered 7
logging buffer-size 4096
logging
asdm Informational
!
Install Cisco Anyconnect
##############################
#Access
##############################
!
http
server
enable
http 10.10.10.2 255.255.255.255 outside
http 192.168.16.2 255.255.255.255 inside
!
##############################
#TFTP – ASDM and AnyConnect
##############################
copy tftp://10.10.10.2/asdm-711.bin flash
! enter x 3
Font russian for mac. copy tftp://10.10.10.2/anyconnect-win-3.1.05160-k9.pkg
flash://anyconnect-win-3.1.05160-k9.pkg
! enter x 3
!
##############################
#Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software
##############################
webvpn
anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
!It is recommended that you restart ASDM in order to refresh the AnyConnect Client Profile Plug-inExit
exit
!
##############################
#Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
##############################
webvpn
enable
outside
Anyconnect Ask None Default Anyconnect Password
anyconnect enable
exit
!
##############################
#Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools
##############################
!
ip local pool DHCP_POOL 192.168.16.50-192.168.16.100 mask 255.255.255.0
!
##############################
#Configuration > Remote Access VPN > Network (Client) Access > Group Policies
##############################
group-policy SSL_GROUP_POLICY internal
group-policy SSL_GROUP_POLICY attributes
vpn-tunnel-protocol ssl-client
banner none
banner value By accessing this network you agree to the computer user policy.
banner value All traffic, authentication and access is logged and audited.
banner value If you are not authorized to access the network, do NOT proceed.
banner value You will be held liable for any damages incurred.
exit
dns domain-lookup inside
dns domain-lookup outside
group-policy SSL_GROUP_POLICY attributes
address-pools value DHCP_POOL
exit
!
##############################
#Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile
##############################
webvpn
anyconnect profiles SSL_CLIENT_PROFILE disk0:/ssl_client_profile.xml
exit
group-policy SSL_GROUP_POLICY attributes
webvpn
anyconnect profiles value SSL_CLIENT_PROFILE type user
exit
exit
!
##############################
#Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles #2
##############################
!
group-policy SSL_GROUP_POLICY attributes
dns-server none
wins-server none
default-domain none
exit
tunnel-group SSL_CONNECTION_PROFILE type remote-access
tunnel-group SSL_CONNECTION_PROFILE general-attributes
default-group-policy SSL_GROUP_POLICY
address-pool DHCP_POOL
exit
!
##############################
#User
##############################
!
username cisco password cisco privilege 15
username vpn_user password X7qKj7fHN7w1WIlA encrypted privilege 15
username vpn_user attributes
vpn-group-policy SSL_GROUP_POLICY
exit
##############################
#Testing
##############################
ciscoasa# sh vpn-sessiondb
C:>cd C:Program FilesJavajre7bin
C:Program FilesJavajre7bin>javaws.exe https://10.10.10.1/admin/public/asdm.jnlp
##############################
#10.10.10.2- ASDM
##############################
C:Documents and SettingsUser>cd C:Program FilesJavajre7bin
C:Program FilesJavajre7bin>javaws.exe https://10.10.10.1/admin/public/asdm.jnlp