Since ASDM and its “wizards” are widely used, knowing the ASA command line well enough to configure it may seem unnecessary, but knowing what the particular commands are responsible for and how they work is essential when you have to troubleshoot SSL. In this topic you will see how to configure Remote Access with SSL and with IPsec (IKEv1) from the command line.
Let’s skip the explanation of what both protocols are and how they work (you will find that elsewhere on my blog) and go straight over the configuration, because there is a lot to explain.
Address pool for the Remote Access hosts. It doesn’t have to be part of an internal network behind the ASA, because the ASA uses Reverse Route Injection and will put this network into its routing table.
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
We have to exempt the return traffic to the Remote Access hosts (from inside to outside) from being NATed; this is called NAT0 or NAT exemption.
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (real interface,mapped interface) source static [real_object] [mapped_object] destination static [real_object] [mapped_object]
Enable SSL Remote Access and the AnyConnect client image on the outside interface (I assume you have already uploaded the image via TFTP):
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.1.04011-k9.pkg
anyconnect enable
Create the user that will be authenticated and point it at the group policy it will inherit:
username Marcin password itbundle
username Marcin attributes
vpn-group-policy GroupPolicy_ANYCONNECT-SSL
Split Tunnel ACL. If we don’t specify split tunneling, then all traffic from the RA host, regardless of whether it is destined for the network behind the ASA or for the Internet, will always go first to the outside interface of the ASA.
access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0
Group Policy – the policy that will be applied after logging on; the group policy is linked to the Tunnel Group. Here we also specify the split tunnel policy and a couple of other things, like the domain name or the DNS server that the connected RA host will use.
group-policy GroupPolicy_ANYCONNECT-SSL internal
group-policy GroupPolicy_ANYCONNECT-SSL attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value itbundle.net
dns-server value 192.168.100.1
Create the tunnel group, which is nothing more than the well-known connection profile.
In the tunnel group we first specify the type of tunnel, then assign the group policy and the address pool;
as you can see, we may also use name aliases.
tunnel-group ANYCONNECT-SSL type remote-access
tunnel-group ANYCONNECT-SSL general-attributes
default-group-policy GroupPolicy_ANYCONNECT-SSL
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-SSL webvpn-attributes
group-alias ANYCONNECT-SSL enable
A useful command if you want to log off a given user:
vpn-sessiondb logoff name USERNAME
IKEv1
We specify the ISAKMP policy and the transform set, just like in an IPsec site-to-site configuration.
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
Pool for the VPN RA hosts:
ip local pool client_pool 192.168.100.1-192.168.100.254 mask 255.255.255.0
Split tunnel ACL:
access-list split_tunnel_acl standard permit 172.16.1.0 255.255.255.0
Group policy:
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_acl
Tunnel group. Compared with SSL, we additionally specify the server group used to authenticate the users of the tunnel, and the pre-shared key of the tunnel.
tunnel-group ipsec_ra_tunnel type remote-access
tunnel-group ipsec_ra_tunnel general-attributes
address-pool client_pool
default-group-policy ipsec_ra_policy
authentication-server-group LOCAL
tunnel-group ipsec_ra_tunnel ipsec-attributes
ikev1 pre-shared-key cisco
Now we have to create a DYNAMIC crypto map, because we have no idea what the address of the user connecting to the VPN server will be.
crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
crypto dynamic-map dyn_map 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
username Marcin password itbundle
And finally we want to prevent the VPN traffic from being NATed. The object must cover the whole address pool (the pool above is a /24, so the mask is 255.255.255.0), and inside an object-group the member is added with network-object:
object-group network obj_192.168.100.0_255
network-object 192.168.100.0 255.255.255.0
nat (inside,outside) source static any any destination static obj_192.168.100.0_255 obj_192.168.100.0_255 no-proxy-arp route-lookup
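As an added check covering both the SSL and the IKEv1 NAT exemption above, the following Python script (an example added here, not code from the original post) parses a constructed ASA config excerpt and verifies the relationships the configuration relies on: the NAT0 object covers the whole ip local pool, every tunnel-group names an existing group-policy and address pool, the split-tunnel list is an existing standard ACL, and the dynamic crypto map references a transform set that exists. The sample config is constructed from the commands in the post; the IKEv1 pool is moved to 192.168.101.0/24 so the two pools do not overlap, and its NAT0 object is deliberately left as the /29 that the checker should catch.

```python
# Consistency checks for the remote-access pieces of an ASA config.
# Added example, not from the original post; names and addresses are constructed.
import ipaddress
from collections import defaultdict

# Constructed sample (not a real device): the post's SSL and IKEv1 sections,
# with the IKEv1 NAT0 object deliberately a /29 while its pool is a /24.
SAMPLE_CONFIG = """\
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-SSL internal
group-policy GroupPolicy_ANYCONNECT-SSL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group ANYCONNECT-SSL type remote-access
tunnel-group ANYCONNECT-SSL general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-SSL
 address-pool ANYCONNECT-POOL
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
ip local pool client_pool 192.168.101.1-192.168.101.254 mask 255.255.255.0
access-list split_tunnel_acl standard permit 172.16.1.0 255.255.255.0
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
tunnel-group ipsec_ra_tunnel type remote-access
tunnel-group ipsec_ra_tunnel general-attributes
 address-pool client_pool
 default-group-policy ipsec_ra_policy
crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
object-group network obj_192.168.101.0_255
 network-object 192.168.101.0 255.255.255.248
nat (inside,outside) source static any any destination static obj_192.168.101.0_255 obj_192.168.101.0_255 no-proxy-arp route-lookup
"""


def parse_asa(text):
    """Collect pools, objects, NAT0 lines, ACLs, policies, tunnel groups and crypto refs."""
    cfg = {"pools": {}, "objects": {}, "nat_exempt": [], "acls": {},
           "group_policies": defaultdict(dict), "tunnel_groups": defaultdict(dict),
           "transform_sets": set(), "dynamic_maps": {}}
    parent = []
    for line in text.splitlines():
        w = line.split()
        if not w or line.startswith("!"):
            continue
        if not line[0].isspace():            # top-level command: remember it as the parent
            parent = w
            if w[:3] == ["ip", "local", "pool"]:
                first, last = w[4].split("-")
                cfg["pools"][w[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
            elif w[0] == "nat" and "destination" in w:
                i = w.index("destination")    # ... destination static REAL MAPPED ...
                cfg["nat_exempt"].append((w[i + 2], w[i + 3]))
            elif w[0] == "access-list":
                cfg["acls"][w[1]] = w[2]      # standard / extended
            elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
                cfg["transform_sets"].add(w[4])
            elif w[:2] == ["crypto", "dynamic-map"] and "transform-set" in w:
                cfg["dynamic_maps"][w[2]] = w[w.index("transform-set") + 1]
            continue
        # indented line: interpret it under the parent command
        if parent[:2] == ["object", "network"] and w[0] == "subnet":
            cfg["objects"][parent[2]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif parent[:2] == ["object-group", "network"] and w[0] == "network-object":
            cfg["objects"][parent[2]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif parent and parent[0] in ("group-policy", "tunnel-group"):
            bucket = "group_policies" if parent[0] == "group-policy" else "tunnel_groups"
            cfg[bucket][parent[1]][w[0]] = w[-1]   # e.g. address-pool NAME, ... value NAME
    return cfg


def check(cfg):
    """Return a list of findings; an empty list means the excerpt is consistent."""
    findings = []
    for name, (first, last) in cfg["pools"].items():
        # NAT0: an identity NAT line must name an object that contains the whole pool
        if not any(real == mapped and first in cfg["objects"].get(real, ())
                   and last in cfg["objects"].get(real, ()) for real, mapped in cfg["nat_exempt"]):
            findings.append(f"pool {name} is not fully covered by a NAT exemption object")
    for name, tg in cfg["tunnel_groups"].items():
        if tg.get("default-group-policy") not in cfg["group_policies"]:
            findings.append(f"tunnel-group {name} references an undefined group-policy")
        if tg.get("address-pool") not in cfg["pools"]:
            findings.append(f"tunnel-group {name} references an undefined address pool")
    for name, gp in cfg["group_policies"].items():
        if gp.get("split-tunnel-policy") == "tunnelspecified":
            acl = gp.get("split-tunnel-network-list")
            if cfg["acls"].get(acl) != "standard":
                findings.append(f"group-policy {name}: split-tunnel list {acl} is not a standard ACL")
    for name, ts in cfg["dynamic_maps"].items():
        if ts not in cfg["transform_sets"]:
            findings.append(f"dynamic-map {name} uses undefined transform-set {ts}")
    return findings


def audit(text):
    return check(parse_asa(text))
```

Running audit(SAMPLE_CONFIG) reports only the /29 object that leaves most of client_pool outside the NAT exemption, which is exactly the kind of mistake that shows up as "the tunnel is up but nothing behind the ASA answers". The parser is deliberately minimal (one level of indentation, only the commands the checks need), so it is a starting point for a pre-change review rather than a full ASA config parser.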