Cisco ASA Anyconnect Remote Access VPN
IPsec. When it comes to SSL, the ASA offers two SSL VPN modes:
The clientless WebVPN method does not require a VPN client to be installed on the
user’s computer. You just open your web browser, enter the IP address of the ASA and
you will get access through a web portal. You only have limited access to a number of
applications, for example:
Anyconnect VPN offers full network access. The remote user will use the anyconnect
client to connect to the ASA and will receive an IP address from a VPN pool, allowing full
access to the network.
In this lesson we will use clientless WebVPN only for the installation of the anyconnect
VPN client. The remote user will open a web browser, enter the IP address of the ASA,
and the browser will then automatically download the anyconnect VPN client and establish the
connection. Here’s the topology that we will use:
Above we have the ASA firewall with two security zones: inside and outside. The remote
user is located somewhere on the outside and wants remote access with the Anyconnect
VPN client. R1 on the left side will only be used so that we can test if the remote user has
access to the network. Let’s take a look at the configuration!
1. ASA Configuration
The remote user will be able to download the anyconnect VPN client from the ASA so we
need to store it somewhere. Each operating system has a different installation file and
we need to have them on the flash memory of the ASA:
There is a different PKG file for each operating system. Above you can see that I have
one for Windows, Linux and Mac OS X. If you don’t have them already, make sure you
copy them to the flash memory of the ASA.
ASA1(config)# webvpn
I’m only specifying the anyconnect client for Windows but if you want to support Linux or
Mac OS X users, make sure to add them here. Now we can enable client WebVPN on the
outside interface:
This enables WebVPN on the outside interface. We also need to enable anyconnect:
When you have an inbound access-list on the outside interface then all your decrypted
traffic from the SSL WebVPN has to match the inbound access-list. You can either create
some permit statements for the decrypted traffic or you can just tell the ASA to let this
traffic bypass the access-list:
ASA1(config)# sysopt connection permit-vpn
When remote users connect to our WebVPN they have to use HTTPS. The following
option is not required but useful: whenever someone accesses the ASA through HTTP
they will be redirected to HTTPS:
The ASA will assign IP addresses to all remote users that connect with the anyconnect
VPN client. We’ll configure a pool with IP addresses for this:
Remote users will get an IP address from the pool above; we’ll use the IP address range
192.168.10.100 – 200.
By default all traffic will be sent through the tunnel once the remote user is connected. If
you want to allow remote users to access the Internet once they are connected then you
need to configure split tunneling. We will configure an access-list that specifies what
networks we want to reach through the tunnel:
This means that the SSL VPN tunnel will only be used to reach the 192.168.1.0 /24
network. Now we can configure the anyconnect group policy:
ASA1(config-group-policy)# webvpn
ASA1(config-group-webvpn)# exit
There’s quite a lot in the group policy, so let me break it down for you:
The group policy is called “ANYCONNECT_POLICY” and it’s an internal group policy
which means that we configure it locally on the ASA. An external group policy could
be on a RADIUS server.
The VPN tunnel protocol is ssl-client (for anyconnect) and also ssl-clientless
(clientless SSL VPN).
Split tunneling has been enabled and we refer to the access-list “SPLIT_TUNNEL”
that we just created.
The DNS server 8.8.8.8 will be assigned to remote VPN users.
Normally when the remote VPN user terminates the session, the anyconnect
installer will be uninstalled. The anyconnect keep-installer installed command
leaves it installed on the user’s computer.
The anyconnect ask command specifies how the anyconnect client will be
installed on the user’s computer. The none default anyconnect part tells the ASA
not to ask the user if he/she wants to use WebVPN or anyconnect but just starts
the download of the anyconnect client automatically.
The anyconnect dpd-interval command is used for Dead Peer Detection. The
remote user’s anyconnect client will check every 30 seconds if the ASA is still
responding or not. You can also use dpd-interval gateway so that the ASA checks
if the remote user is still responding.
After the group policy configuration we have to create a tunnel group which binds the
group policy and VPN pool together:
ASA1(config-tunnel-general)# exit
When the remote user connects, the ASA will show a group name to the remote user. We
can specify the group name like this:
You will see that when the remote user connects, the ASA will show the group name
“SSL_USERS”. If you have multiple tunnel groups then your remote users should be able
to select a certain tunnel group:
ASA1(config)# webvpn
We need to tell the ASA that this user account is allowed to access the network:
Everything is now in place on the ASA. We can use the client to connect to the ASA and
install the anyconnect client.
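The configuration steps above are spread over a number of short snippets, so here is the whole ASA side in one place. This is an added example reconstructed from the commands the lesson describes; it is not copied from the original lesson. Names the lesson does not give are assumptions: the pool name VPN_POOL, the tunnel-group name SSL_USERS (the lesson only shows the group alias "SSL_USERS"), the /24 mask on the pool, and the placeholder PKG filename and password.

```text
! Added example: the complete ASA1 remote-access configuration from this lesson.
! Assumed names: pool VPN_POOL, tunnel-group SSL_USERS; the PKG filename and
! the password are placeholders, replace them with your own.

! 1. Anyconnect image stored on flash (one "anyconnect image" line per OS)
ASA1(config)# webvpn
ASA1(config-webvpn)# anyconnect image disk0:/anyconnect-win-VERSION-k9.pkg 1
! 2. Enable WebVPN and the anyconnect client on the outside interface
ASA1(config-webvpn)# enable outside
ASA1(config-webvpn)# anyconnect enable
ASA1(config-webvpn)# exit

! 3. Decrypted VPN traffic bypasses the inbound access-list on "outside"
ASA1(config)# sysopt connection permit-vpn

! 4. Optional: redirect plain HTTP on the outside interface to HTTPS
ASA1(config)# http redirect outside 80

! 5. Address pool 192.168.10.100 - 200 for remote users (mask assumed /24)
ASA1(config)# ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0

! 6. Split tunneling: only 192.168.1.0/24 is reached through the tunnel
ASA1(config)# access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

! 7. Internal group policy, as broken down in the lesson
ASA1(config)# group-policy ANYCONNECT_POLICY internal
ASA1(config)# group-policy ANYCONNECT_POLICY attributes
ASA1(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL
ASA1(config-group-policy)# dns-server value 8.8.8.8
ASA1(config-group-policy)# webvpn
ASA1(config-group-webvpn)# anyconnect keep-installer installed
ASA1(config-group-webvpn)# anyconnect ask none default anyconnect
ASA1(config-group-webvpn)# anyconnect dpd-interval client 30
ASA1(config-group-webvpn)# exit
ASA1(config-group-policy)# exit

! 8. Tunnel group that binds the pool and the group policy together
ASA1(config)# tunnel-group SSL_USERS type remote-access
ASA1(config)# tunnel-group SSL_USERS general-attributes
ASA1(config-tunnel-general)# address-pool VPN_POOL
ASA1(config-tunnel-general)# default-group-policy ANYCONNECT_POLICY
ASA1(config-tunnel-general)# exit

! 9. Group alias shown to the user, plus the drop-down list for multiple groups
ASA1(config)# tunnel-group SSL_USERS webvpn-attributes
ASA1(config-tunnel-webvpn)# group-alias SSL_USERS enable
ASA1(config-tunnel-webvpn)# exit
ASA1(config)# webvpn
ASA1(config-webvpn)# tunnel-group-list enable
ASA1(config-webvpn)# exit

! 10. Local user account allowed to use remote access (placeholder password)
ASA1(config)# username SSL_USER password CHANGE_ME
ASA1(config)# username SSL_USER attributes
ASA1(config-username)# service-type remote-access
ASA1(config-username)# exit
```

Two points worth keeping in mind when you adapt this. First, with sysopt connection permit-vpn the decrypted traffic from remote users is not filtered by the outside interface access-list at all; if remote users should only reach specific hosts, the lesson's alternative of explicit permit statements, or a vpn-filter access-list applied in the group policy (not part of this lesson), keeps that control. Second, the lesson's verification output in section 3 comes from show vpn-sessiondb anyconnect, which is the quickest way to confirm that the user landed in the right group policy and received an address from the pool.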
2. Client Configuration
I will use a Windows 7 client with Internet Explorer for this. Start the browser and enter
the IP address of the ASA as the URL. If you use HTTP, you will be redirected to HTTPS:
The ASA is using a self-signed certificate that is not recognized by the browser so that’s
why you see this error. Click continue and you will see the following screen:
Now you can authenticate yourself. Enter the username and password that we created
earlier. The group name is the group alias that we created. Once you are authenticated
you will see this:
The client tries to download the Anyconnect automatically because of the
anyconnect ask none default anyconnect command that we used. Since we are using
a self-signed certificate you will get the following error message:
You need to click on the Change Setting button and you will see this:
Click on the Apply Change button and you will see this:
Click on the retry the connection link and you will see this:
We get one more warning that the certificate cannot be verified. Click on Connect
Anyway and the download will finally start:
The Anyconnect client has been installed and the connection has been established. If you
look in the Windows taskbar then you will find a small icon:
Click on it and it will open the Anyconnect client, here’s what it looks like:
It is connected and if you want to see some details you need to click on the little “gear”
icon, it will give you a nice overview of the connection:
This shows you the IP address that the client has received and some statistics about how
many bytes were sent/received. This is looking good but it’s important to verify a couple
of things before we end this lesson…
3. Verification
3.1. Client Verification
First we’ll generate some traffic on the client, see if it can reach R1 on the inside network:
C:\Users\VPN>ping 192.168.1.1
That’s looking good, let’s use ipconfig to see what IP address it has received:
C:\Users\VPN>ipconfig /all
Windows IP Configuration
IP Routing Enabled. . . . . . . . : No
DHCP Enabled. . . . . . . . . . . : No
Default Gateway . . . . . . . . . :
You can see that we received IP address 192.168.10.100 (the first IP address from the
VPN pool). Anyconnect creates an additional interface, just like the legacy Cisco VPN
client does.
Duration : 0h:11m:28s
Inactivity : 0h:00m:00s
This shows us that user “SSL_USER” is connected, the IP address it has received and also
that it is using an SSL tunnel…mission accomplished! I hope this lesson has been useful to
learn about remote access VPN using the Anyconnect client. If you have any questions,
feel free to leave a comment!
Forum Replies
dsimpson
Rene
Which ASA model does your configuration examples apply to? Would you give some thought to doing a video similar to the one about choosing routers
and switches but topic would be choosing firewalls.
Thanks
ReneMolenaar
Hi Donald,
I used the ASA 5510 for most of these examples. The big difference between the ASA 5505 and all the other models is that it’s the only firewall that has 4
switchports.
The 5510 only has L3 interfaces, it doesn’t have switchports. The ASA 5506 that replaces the 5505 also doesn’t have switchports anymore.
A video for the different firewalls might be a good idea, for labs the ASA 5510 with security plus license is probably the best choice for now.
Rene
kamal
Hi
I have ASA 5520 VPN Plus license with latest IOS disk0:/asa917-k8.bin
GTP/GPRS
ReneMolenaar
Hi Richard,
The VPN traffic does terminate on the outside interface. Usually we use the sysopt connection permit-vpn command to permit IPsec traffic to bypass
any access-list. If you don’t use it, then you’ll need to explicitly permit your IPsec traffic to the inside.
It could be an issue on your ASA but have you also checked your router has a route back to the ASA?
Rene
cscoccie
Hi Rene,
Congrats, very clear tutorial. What about the NAT rule to keep untranslated the traffic between internal subnets and remote VPN hosts? Isn’t it needed?
Please advise.
Thank you.