Cisco AnyConnect on Cisco ASA 5500 running IOS 9.1.5

Cisco AnyConnect is a great VPN client because it runs over SSL/TLS and is very mature at this point in time. Because of this, and because I had a lot of questions about it come up in the past month (from one of my clients), I decided to write a blog post on how to implement Cisco AnyConnect on a Cisco ASA 5515 running IOS 9.1.5. While I’m using an ASA 5515, I have also tested this to work on my 5505 and 5510 test machines. So let’s get configuring!

We’ll start by downloading all the software from Cisco. For this you’ll need Cisco IOS version 9.1.5, ASDM version 7.x, and AnyConnect Version 2.5 or higher. To get this software legally, you’ll need to have a valid CCO ID (Cisco account), and you’ll need a valid SmartNet or SmartCare contract on your ASA.

Once you’ve obtained your software, we’ll need to upload it to your ASA. So let’s do that right now. If you don’t have a TFTP server, you’ll need one. If you need one that is simple to set up and use, check out my blog on setting up a Linux TFTP server.


Below, I am uploading the new IOS 9.1.5.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asa915-k8.bin

Destination filename [asa915-k8.bin]?

Accessing tftp://192.168.1.10/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa915-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27113472 bytes copied in 39.670 secs (695217 bytes/sec)
erdmanor-5510#
erdmanor-5510# conf t
erdmanor-5510(config)# boot system disk0:/asa915-k8.bin
erdmanor-5510(config)# sh run boot
boot system disk0:/asa915-k8.bin
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: fdee857f 734e0f13 a5fda71e e6bc2320
9154 bytes copied in 3.250 secs (3051 bytes/sec)
[OK]
erdmanor-5510(config)#
erdmanor-5510(config)# exit
erdmanor-5510# reload
Proceed with reload? [confirm]
erdmanor-5510#

***
*** --- START GRACEFUL SHUTDOWN ---


Now let’s get the new ASDM uploaded, along with our SSL VPN client.

erdmanor-5510# copy tftp flash

Address or name of remote host []? 192.168.1.10

Source filename []? asdm-743.bin

Destination filename [asdm-743.bin]?

Accessing tftp://192.168.1.10/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing current ASDM file disk0:/asdm-743.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
24810876 bytes copied in 34.30 secs (729731 bytes/sec)
erdmanor-5510# copy tftp flash

Address or name of remote host [192.168.1.10]?

Source filename [asdm-743.bin]? anyconnect-win-2.5.2014-k9.pkg

Destination filename [anyconnect-win-2.5.2014-k9.pkg]?

Accessing tftp://192.168.1.10/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.5.2014-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4678691 bytes copied in 6.460 secs (779781 bytes/sec)

erdmanor-5510# dir

Directory of disk0:/

107    -rwx  27113472     13:27:06 Nov 03 2015  asa915-k8.bin
113    -rwx  24810876     13:40:12 Nov 03 2015  asdm-743.bin
115    -rwx  4678691      13:41:07 Nov 03 2015  anyconnect-win-2.5.2014-k9.pkg

62904320 bytes total (5550080 bytes free)
erdmanor-5510#


Great. Now that we have our software, let’s start setting up our environment.

When dealing with SSL, you need to have a certificate installed on your server in order to create a secure connection. If this is for a company, you should set up a real certificate from a real vendor like Verisign/Symantec, but for this instance I’m just going to set up a self-signed certificate. Keep in mind that self-signed certs are less secure, because the client has no way to validate them, and that they will prompt your end users with security warnings whenever your users connect.

So let’s get a certificate set up for our ASA’s Outside interface, since that’s where our outside users will be connecting.

erdmanor-5510(config)#
erdmanor-5510(config)# crypto key generate rsa label ErdmanorSSLCert modulus 2048

Keypair generation process begin. Please wait...
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# crypto ca trustpoint ErdmanorSSLTrustpoint
erdmanor-5510(config-ca-trustpoint)# enrollment self
erdmanor-5510(config-ca-trustpoint)# fqdn sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# subject-name CN=sslvpn.erdmanor.com
erdmanor-5510(config-ca-trustpoint)# keypair ErdmanorSSLCert
erdmanor-5510(config-ca-trustpoint)# crypto ca enroll ErdmanorSSLTrustpoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: sslvpn.erdmanor.com

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
erdmanor-5510(config)#
erdmanor-5510(config)# ssl trust-point ErdmanorSSLTrustpoint Outside
erdmanor-5510(config)#
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: 9be339e8 0522dd14 a192370f 5e9c6bf4

7969 bytes copied in 3.240 secs (2656 bytes/sec)
[OK]
erdmanor-5510(config)#


Now we need to configure WebVPN to work on our ASA, and allow it to present the AnyConnect VPN client to our connecting users.

erdmanor-5510(config)# webvpn
erdmanor-5510(config-webvpn)# enable Outside
INFO: WebVPN and DTLS are enabled on 'Outside'.
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg
erdmanor-5510(config-webvpn)# anyconnect enable
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# wr
Building configuration...
Cryptochecksum: aa7a52ab 38eb7e98 3e15d522 856eae67

8069 bytes copied in 3.250 secs (2689 bytes/sec)
[OK]
erdmanor-5510(config)#


Before we go any further, you have to make a determination here on how you’re going to perform DHCP addressing for your VPN users. There are two primary options:
1. Host the DHCP pool on the ASA
2. Forward DHCP requests to a DHCP server (like a Windows Domain Controller)

For this case, I’ve opted to host the DHCP pool locally on the ASA. But for a business environment, I would suggest that you forward these requests to your domain controller, especially if you’re running other Microsoft services such as Exchange, SCCM, SCOM and others. I’ll go over both methods, but I’m going to be using the local DHCP server.

erdmanor-5510(config)#
erdmanor-5510(config)# ip local pool AnyConnectIPPool 192.168.2.1-192.168.2.200 mask 255.255.255.0
erdmanor-5510(config)#


I will update this section of the DHCP forwarding at a later time. Please check back!
For now, here is what Cisco has on this: http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpnadd.html#wp999516



In the Microsoft world, Group Policies are a group of settings that are applied to a Windows operating system in a domain. For instance, if you wanted all the desktop backgrounds to be a picture of your company logo, you could roll that out via MS Group Policy.

In the same fashion, Cisco has begun using Group Policies in order to set certain parameters and settings to their clients that connect. Group Policies are actually a pretty good idea in order to group a list of settings together that would apply to one connection type. In this case, that connection type is Cisco’s AnyConnect users.

So, let’s get our Group Policy setup for our users. This policy will be extremely basic, but please understand that Cisco’s Group Policies can get very in-depth.

erdmanor-5510(config)#
erdmanor-5510(config)# group-policy AnyConnectPolicy Internal
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# dns-server value 192.168.1.5 192.168.1.6
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# vpn-tunnel-protocol ssl-client
erdmanor-5510(config-group-policy)# default-domain value erdmanor.com
erdmanor-5510(config-group-policy)#
erdmanor-5510(config-group-policy)# address-pools value AnyConnectIPPool
erdmanor-5510(config-group-policy)#


The next thing we need to do is allow our SSL VPN users to bypass the Outside access lists so they can get to the Internal network. If this isn’t put in there, then you’ll have to write up ACLs on your Outside access list that specifically allow your VPN users to access certain network locations. This can turn into an administrative nightmare. The easiest thing to do is allow your users to bypass the Outside ACL, and then manage the ACL from the inside. It’s cleaner, and causes fewer headaches.

erdmanor-5510(config)# sysopt connection permit-vpn


Now we need to create our AnyConnect connection profile. This profile is what users will see when they connect to the Outside interface of our ASA. To do this we need to create what Cisco terminology calls a “tunnel-group”. This tunnel-group will contain all of the connection profile settings that will be applied to any user successfully connecting with the AnyConnect client. When you’re going through this configuration, pay attention to which config mode you’re in. You’ll start in normal config and progress through “config-tunnel-general“, “config-tunnel-webvpn“, and “config-webvpn“. Make sure to ? each of those and check out the other commands in there.

erdmanor-5510(config)#
erdmanor-5510(config)# tunnel-group AnyConnectPolicy type remote-access
erdmanor-5510(config)# tunnel-group AnyConnectPolicy general-attributes
erdmanor-5510(config-tunnel-general)#
erdmanor-5510(config-tunnel-general)# default-group-policy AnyConnectPolicy
erdmanor-5510(config-tunnel-general)# tunnel-group AnyConnectPolicy webvpn-attributes
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# group-alias Erdmanor-VPN enable
erdmanor-5510(config-tunnel-webvpn)#
erdmanor-5510(config-tunnel-webvpn)# webvpn
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)#
erdmanor-5510(config-webvpn)# tunnel-group-list enable
erdmanor-5510(config-webvpn)# exit
erdmanor-5510(config)# exit
erdmanor-5510# wr
Building configuration...
Cryptochecksum: 52d129a7 a5d58820 28b2f420 29226a32

8622 bytes copied in 3.240 secs (2874 bytes/sec)
[OK]
erdmanor-5510#


Since we’re going to be using Split Tunneling for our VPN connection, we need to ensure that our VPN users get the proper routes, so that when they try to access a resource on our corporate network, their computers will send that traffic down the SSL VPN tunnel to our office or Data Center. We should discuss what we mean by Split Tunneling as well. There are three options here, as you can see below, and Cisco’s documentation has more information on Split Tunneling.

erdmanor-5510(config-group-policy)# split-tunnel-policy ?              

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list


To configure the network routes that our end user will see, we’ll create an access list and then specify that ACL in the group-policy configuration. We’ll also specify that our tunnel is a Split-Tunnel, and we’ll provide our internal domain name so any DNS resolution works as well.

erdmanor-5510(config)#
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 192.168.1.0 255.255.255.0
erdmanor-5510(config)# access-list split-tunnel-network-acl standard permit 10.10.10.0 255.255.255.0
erdmanor-5510(config)#                                                                                
erdmanor-5510(config)# group-policy AnyConnectPolicy attributes    
erdmanor-5510(config-group-policy)# split-tunnel-policy tunnelspecified
erdmanor-5510(config-group-policy)# split-tunnel-network-list value split-tunnel-network-acl
erdmanor-5510(config-group-policy)# split-dns value erdmanor.com
erdmanor-5510(config-group-policy)# exit
erdmanor-5510(config)#


Now we need to fix up the NAT’ing to ensure that our users are able to communicate with the rest of the network as well as get Internet access. To enable that functionality, we’re actually going to be creating two NAT statements here. The first NAT that we’re going to create is a dynamic NAT that will translate connections from the VPN users and allow them Internet access. Remember that in order for this to work, you still need an ACL to allow the access to specific locations. Another point is that we are allowing split tunneling, so technically we don’t need to allow them Internet access here, but I’m covering it anyway in case you need to tunnel all traffic from your end users back to your internal network for security reasons.

First let’s get our dynamic NAT created. Since our internal network is on 192.168.1.0/24, we put our VPN users on 192.168.2.0/24. So here we’ll create an object-group for our VPN users and then we can create our dynamic NAT.

erdmanor-5510(config)#
erdmanor-5510(config)# object-group network VPN-Users                        
erdmanor-5510(config-network-object-group)# network-object 192.168.2.0 255.255.255.0
erdmanor-5510(config)# nat (Outside,Outside) source dynamic VPN-Users interface
erdmanor-5510(config)#


Now let’s get our static NAT configured. This one is what Cisco refers to as an “Identity NAT”. According to Cisco, “You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.”

So based on this information, we know that we need an Identity NAT. The Internal-Network object used below stands for the inside network (192.168.1.0/24 here) and must already exist, just like the VPN-Users object above. So let’s get that going.

erdmanor-5510(config)#
erdmanor-5510(config)# nat (Inside,Outside) source static Internal-Network Internal-Network destination static VPN-Users VPN-Users no-proxy-arp route-lookup
erdmanor-5510(config)#
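As an added example (not from the post or from Cisco), here is a small Python model of the two pieces configured above: how each split-tunnel-policy option decides whether a destination goes down the tunnel against the split-tunnel-network-acl, and a check that every address AnyConnectIPPool can hand out falls inside the VPN-Users object that the identity NAT exempts. The configuration lines are copied from this post; the parsing is deliberately simplified and only handles the forms shown here.

```python
"""Model of ASA split-tunnel routing and VPN-pool NAT exemption (illustrative only)."""
import ipaddress
import re

# Configuration lines as they appear in the post (constructed input for this model).
ASA_CONFIG = """
ip local pool AnyConnectIPPool 192.168.2.1-192.168.2.200 mask 255.255.255.0
access-list split-tunnel-network-acl standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel-network-acl standard permit 10.10.10.0 255.255.255.0
object-group network VPN-Users
 network-object 192.168.2.0 255.255.255.0
"""

def standard_acl_networks(config, acl_name):
    """Return the networks a standard ACL permits (network + dotted mask)."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} standard permit (\S+) (\S+)$", re.M)
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in pat.findall(config)]

def tunneled(policy, acl_nets, dst):
    """Decide whether traffic to dst enters the tunnel under a split-tunnel-policy."""
    in_list = any(ipaddress.ip_address(dst) in n for n in acl_nets)
    if policy == "tunnelall":          # everything, including Internet traffic, goes to the ASA
        return True
    if policy == "tunnelspecified":    # only the ACL networks; Internet traffic bypasses the tunnel
        return in_list
    if policy == "excludespecified":   # everything except the ACL networks
        return not in_list
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")

def pool_range(config, pool_name):
    """First and last address of an 'ip local pool'."""
    m = re.search(rf"^ip local pool {re.escape(pool_name)} (\S+)-(\S+) mask", config, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def object_group_networks(config, name):
    """Networks listed under an 'object-group network' (indented network-object lines)."""
    body = re.search(rf"^object-group network {re.escape(name)}\n((?: .*\n)*)", config, re.M).group(1)
    return [ipaddress.ip_network(f"{n}/{m}") for n, m in re.findall(r"network-object (\S+) (\S+)", body)]

def pool_covered_by(config, pool_name, group_name):
    """True if every pool address is inside the object used for identity NAT.

    A pool address outside the object would be NATed on its way to Inside and
    break return traffic, so this is the misconfiguration worth catching."""
    lo, hi = pool_range(config, pool_name)
    nets = object_group_networks(config, group_name)
    return all(any(ipaddress.ip_address(a) in n for n in nets) for a in range(int(lo), int(hi) + 1))

if __name__ == "__main__":
    acl = standard_acl_networks(ASA_CONFIG, "split-tunnel-network-acl")
    for dst in ("192.168.1.5", "10.10.10.7", "8.8.8.8"):
        print(dst, "tunnelspecified ->", tunneled("tunnelspecified", acl, dst))
    print("pool exempt from NAT:", pool_covered_by(ASA_CONFIG, "AnyConnectIPPool", "VPN-Users"))
```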


Also, let’s say for instance that we have a Site-to-Site VPN tunnel to our sister data center, or a partner company, which our end users will need access to. While we’re talking about NATs, let’s walk through NATing this traffic as well.

We’ll start by assuming that we already have a S2S VPN up and running. Let’s say it’s to the Amazon Cloud (AWS). Since this is already set up, we just need to allow our users access to it. Remember, you’ll need to set up ACLs to allow the traffic; this just ensures that NAT’ing is set up properly. Here, we’re assuming we already have an Object-Group named “AWS-Network“. The NAT is nearly the same as before, but the difference is that this is what Cisco refers to as a Hairpin NAT. For this to work properly, you’ll need to enable “intra-interface” traffic. “Inter-interface” permits traffic between different interfaces, while “intra-interface” allows communication into and back out the SAME interface. See here:

erdmanor-5510(config)# same-security-traffic permit ?              

configure mode commands/options:
  inter-interface  Permit communication between different interfaces with the same security level
  intra-interface  Permit communication between peers connected to the same interface
erdmanor-5510(config)#


So let’s get this Hairpin NAT started. First you’ll notice that the Interface is the same (Outside,Outside). Remember, AnyConnect users are coming in from the “Outside” interface, and they’re communicating across a VPN tunnel that is also connected to the “Outside” interface.

erdmanor-5510(config)#
erdmanor-5510(config)# same-security-traffic permit intra-interface
erdmanor-5510(config)# nat (Outside,Outside) source static VPN-Users VPN-Users destination static AWS-Network AWS-Network no-proxy-arp route-lookup
erdmanor-5510(config)#


Okay moving right along here! Now we’ll create a user account and test logging into our system.

erdmanor-5510(config)#
erdmanor-5510(config)# username vpnsteve password NotMyP@ssw0rd
erdmanor-5510(config)# username vpnsteve attributes        
erdmanor-5510(config-username)# service-type remote-access
erdmanor-5510(config-username)# exit
erdmanor-5510(config)#


I’ll have to get this thing actually setup on the Internet so that I can connect to it, but I know the configuration works from here. I’ve set this up a few times this month alone for clients, so I’m confident in it running properly for you as well. When I can, I’ll get some screenshots posted here to show it works.

Thanks for reading!
