Since ASDM and its wizards do most of the work, knowing the ASA command line may look unnecessary for configuring remote access, but knowing which commands are responsible for what, and how they fit together, becomes essential the moment you have to troubleshoot an SSL VPN. In this topic you will see how to configure Remote Access with SSL (AnyConnect) and with IPsec from the command line.
Let's skip the explanation of what the two protocols are and how they work (you will find it elsewhere on my blog) and go straight to the configuration, because there is a lot of it to explain.
Address pool for the Remote Access hosts. It does not have to be part of the network behind the ASA: the ASA adds a route for each connected client automatically (visible in show route), so the pool can be a separate subnet, as here. The devices on the inside network, however, must have a route for 192.168.100.0/24 pointing at the ASA's inside interface, otherwise return traffic never reaches the tunnel.
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
We have to exempt the return traffic to the Remote Access hosts (from inside to outside) from being NATed; this is called NAT0 or NAT exemption. It is a manual (twice) NAT rule, so it lives in section 1 and is evaluated before any object (auto) NAT rule such as the dynamic PAT for the inside network; the "2" is its line number within that section. route-lookup tells the ASA to pick the egress interface from the routing table rather than from the rule, and no-proxy-arp stops the outside interface from answering ARP for the pool.
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (real interface,mapped interface) source static [real_object] [mapped_object] destination static [real_object] [mapped_object]
Enabling SSL Remote Access (webvpn) on the outside interface and pointing it at the AnyConnect client package (I assume you have already uploaded the image to flash via TFTP):
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.1.04011-k9.pkg
 anyconnect enable
Creating the user that will be authenticated (against the local database in this example) and assigning the group policy it will inherit. The password is a placeholder; in production you would normally point the tunnel group at an AAA server (RADIUS/LDAP) and keep local accounts for fallback only.
username Marcin password itbundle
username Marcin attributes
 vpn-group-policy GroupPolicy_ANYCONNECT-SSL
Split-tunnel ACL. If we do not configure split tunnelling, all traffic from the RA host, whether it is destined for the network behind the ASA or for the Internet, is first sent through the tunnel to the ASA's outside interface (tunnelall, the default). The standard ACL lists the networks that should go through the tunnel; everything else leaves the client's local interface directly. Keep in mind that this trades visibility (the client's Internet traffic no longer passes the ASA) for bandwidth.
access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0
Group Policy: the policy applied after the user logs in. It is linked to the tunnel group (and, as above, can be assigned per user). Here we set the split-tunnel policy with its network list and a couple of other things, such as the default domain name and the DNS server the connected RA host will use. Note that split-tunnel-network-list alone does nothing: the policy stays at the default tunnelall until split-tunnel-policy tunnelspecified is set. Also note that 192.168.100.1 is the first address of the client pool itself, so a connected client could be handed it; in a real deployment the DNS server would sit on the inside network.
group-policy GroupPolicy_ANYCONNECT-SSL internal
group-policy GroupPolicy_ANYCONNECT-SSL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value itbundle.net
 dns-server value 192.168.100.1
Creating the tunnel group, which is nothing more than what ASDM calls a connection profile. In the tunnel group we first specify the type of tunnel, then assign the group policy and the address pool; as you can see we may also use a group alias, which is the name shown to the user in the AnyConnect drop-down (for aliases to be offered at all, tunnel-group-list enable must also be set under webvpn).
tunnel-group ANYCONNECT-SSL type remote-access
tunnel-group ANYCONNECT-SSL general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-SSL
tunnel-group ANYCONNECT-SSL webvpn-attributes
 group-alias ANYCONNECT-SSL enable
A useful command if you want to log off a given user:
vpn-sessiondb logoff name USERNAME
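Added example, not part of the original post: the commands I would run on the ASA to confirm that the SSL profile above is live, that a connected client received the expected pool address and policy, and that return traffic from the inside network hits the NAT exemption instead of a PAT rule. The client address 192.168.100.5 and the inside host 172.16.1.10 are assumed values.

```text
! Is webvpn enabled on outside and is the AnyConnect image registered?
show running-config webvpn
! Active SSL sessions, then the details of one user: assigned address,
! group policy, tunnel group and the split-tunnel list that was pushed
show vpn-sessiondb anyconnect
show vpn-sessiondb detail anyconnect filter name Marcin
! The ASA adds a route for every connected client; it must show up here
show route | include 192.168.100
! Simulate return traffic inside -> client; the NAT phase must report the
! exemption rule (type: static, identity), not a dynamic PAT rule
packet-tracer input inside tcp 172.16.1.10 12345 192.168.100.5 443
! Hit counters on the NAT rules, to see which one the real traffic matches
show nat detail
! When the client cannot connect at all, watch the SSL/AnyConnect negotiation
debug webvpn anyconnect 255
```

If packet-tracer shows a dynamic PAT rule translating the inside source, the exemption is either missing or ordered after another manual NAT rule that matched first.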
We specify the ISAKMP (IKEv1) policy and the transform set just as for an IPsec site-to-site tunnel. Only the authentication method is set explicitly below; encryption, hash, Diffie-Hellman group and lifetime fall back to the ASA defaults for an IKEv1 policy (3DES, SHA-1, group 2, 86400 seconds). 3DES is deprecated; if your clients support it, use esp-aes-256 in the transform set and encryption aes-256 in the policy instead.
crypto ikev1 policy 65535
 authentication pre-share
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
Address pool and split-tunnel ACL for the IPsec RA hosts, followed by their group policy. As with SSL, the network list only takes effect together with split-tunnel-policy tunnelspecified.
ip local pool client_pool 192.168.100.1-192.168.100.254 mask 255.255.255.0
access-list split_tunnel_acl standard permit 172.16.1.0 255.255.255.0
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
Tunnel group. Compared with the SSL one we additionally specify the server group that authenticates the tunnel's users (LOCAL here, the username database on the ASA) and, under ipsec-attributes, the pre-shared key of the tunnel. With IKEv1 remote access the tunnel-group name is the group name the client sends and the pre-shared key is the group password shared by every user of that profile, so "cisco" is only a placeholder: use a long random key and treat it as a secret.
tunnel-group ipsec_ra_tunnel type remote-access
tunnel-group ipsec_ra_tunnel general-attributes
 address-pool client_pool
 default-group-policy ipsec_ra_policy
 authentication-server-group LOCAL
tunnel-group ipsec_ra_tunnel ipsec-attributes
 ikev1 pre-shared-key cisco
Now we have to create a DYNAMIC crypto map, because we do not know in advance the address of the user that will connect to the VPN server (a static crypto map entry needs a fixed peer). The dynamic map is attached to the static map outside_map at the lowest priority (65535), so any site-to-site entries in the same map are matched first, and set reverse-route makes the ASA inject a route for each client address it assigns.
crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
crypto dynamic-map dyn_map 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
username Marcin password itbundle
And finally we want to prevent the VPN traffic from being NATed, exactly as in the SSL case. The object must cover the whole client pool: 192.168.100.1-254 needs a /24 mask (255.255.255.0); a /29 (255.255.255.248) would exempt only 192.168.100.1-6 and every other client would be PATed. A single subnet is an object network with a subnet statement; an object-group network holds network-object entries and is the wrong construct here.
object network obj_192.168.100.0_255
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static any any destination static obj_192.168.100.0_255 obj_192.168.100.0_255 no-proxy-arp route-lookup
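Added example, not code from the original post or from Cisco: a small Python checker for the three mistakes that most often break or weaken a remote-access configuration like the ones above, namely a NAT-exemption object that does not cover the address pool, a split-tunnel network list without split-tunnel-policy tunnelspecified, and a dns-server address that lies inside the client pool. The two sample configs are constructed from this post's snippets (the IPsec one deliberately keeps a /29 exemption object and the missing split-tunnel-policy) so the checks have something to find; sub-commands are indented by one space as in an ASA running-config. Only the handful of command forms used on this page are parsed.

```python
"""Pre-deployment sanity checks for an ASA remote-access VPN configuration.

Added example, not part of the original post. The sample configs are constructed
from the post's snippets so that the checks have something to find.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the AnyConnect part of the post (group policy completed).
SSL_CONFIG = """\
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
group-policy GroupPolicy_ANYCONNECT-SSL internal
group-policy GroupPolicy_ANYCONNECT-SSL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value itbundle.net
 dns-server value 192.168.100.1
"""

# Constructed sample: the IPsec part with a /29 exemption object that does not
# cover the pool and a split-tunnel list without split-tunnel-policy.
IPSEC_CONFIG = """\
ip local pool client_pool 192.168.100.1-192.168.100.254 mask 255.255.255.0
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-network-list value split_tunnel_acl
object network obj_192.168.100.0_255
 subnet 192.168.100.0 255.255.255.248
nat (inside,outside) source static any any destination static obj_192.168.100.0_255 obj_192.168.100.0_255 no-proxy-arp route-lookup
"""


@dataclass
class RaConfig:
    pools: dict = field(default_factory=dict)            # pool name -> (first, last)
    objects: dict = field(default_factory=dict)          # object name -> IPv4Network
    exempt_objects: set = field(default_factory=set)     # objects used as NAT0 destination
    group_policies: dict = field(default_factory=dict)   # policy name -> {attribute: rest}


def parse_asa_config(text: str) -> RaConfig:
    """Extract pools, network objects, NAT-exemption rules and group-policy attributes."""
    cfg = RaConfig()
    context = None  # ("object", name) or ("gp", name) while inside a sub-mode
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):            # a top-level command ends any sub-mode
            context = None
            if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", raw):
                cfg.pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
            elif m := re.match(r"object network (\S+)$", raw):
                context = ("object", m[1])
            elif m := re.match(r"group-policy (\S+) attributes$", raw):
                context = ("gp", m[1])
                cfg.group_policies.setdefault(m[1], {})
            elif m := re.match(r"nat \(\S+,\S+\) (?:\d+ )?source static any any "
                               r"destination static (\S+) (\S+)", raw):
                if m[1] == m[2]:                # identity NAT on the destination = exemption
                    cfg.exempt_objects.add(m[1])
            continue
        sub = raw.strip()                       # indented line: sub-command of the current mode
        if context and context[0] == "object":
            if m := re.match(r"subnet (\S+) (\S+)", sub):
                cfg.objects[context[1]] = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        elif context and context[0] == "gp":
            key, _, rest = sub.partition(" ")
            cfg.group_policies[context[1]][key] = rest
    return cfg


def check_ra_config(cfg: RaConfig) -> list:
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    exempt_nets = [cfg.objects[o] for o in cfg.exempt_objects if o in cfg.objects]
    for name, (first, last) in cfg.pools.items():
        # Every pool address must fall inside one NAT-exemption object, or return traffic gets PATed.
        if not any(first in net and last in net for net in exempt_nets):
            findings.append(f"pool {name} ({first}-{last}) is not covered by any NAT exemption object")
        # A DNS server taken from the pool itself may be handed out to a client.
        for gp, attrs in cfg.group_policies.items():
            for dns in attrs.get("dns-server", "").replace("value", "").split():
                if first <= ipaddress.IPv4Address(dns) <= last:
                    findings.append(f"group-policy {gp}: dns-server {dns} lies inside pool {name}")
    for gp, attrs in cfg.group_policies.items():
        # The network list is ignored while the policy is at its default (tunnelall).
        if "split-tunnel-network-list" in attrs and attrs.get("split-tunnel-policy") != "tunnelspecified":
            findings.append(f"group-policy {gp}: split-tunnel-network-list is set but "
                            f"split-tunnel-policy is not tunnelspecified (default tunnelall ignores the list)")
    return findings


if __name__ == "__main__":
    for label, text in (("SSL", SSL_CONFIG), ("IPsec", IPSEC_CONFIG)):
        print(f"== {label} ==")
        for finding in check_ra_config(parse_asa_config(text)) or ["no findings"]:
            print(" -", finding)
```

Run it against the output of show running-config (saved to a file and read into parse_asa_config) before handing the box over; the IPsec sample yields two findings and the SSL sample one, the DNS server inside the pool.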