| KB | 0000069 |
| --- | --- |
| Dated | 09/11/09 |
| Revision | 0.02 |

Problem
Below is a walkthrough for setting up a client-to-gateway (remote access) SSL VPN using a Cisco ASA appliance. This is done via the ASDM console, though if (like me) you prefer the command-line interface, I've put the commands at the end. This was done with the following versions:

There are two types of SSL VPN on the ASA:

1. Clientless SSL VPN (the WebVPN portal): access to internal HTTP/HTTPS sites or CIFS file shares only, through the browser.
2. SSL VPN Client (AnyConnect VPN Client): a full tunnel, so the remote machine gets an IP address from a pool and routed access to the LAN.

You can deploy either one or both :) Note: once SSL VPN is enabled on the outside interface, ASDM can no longer be used on its normal port (443) on that interface, because WebVPN takes the port; move ASDM to another port if you manage the ASA from outside.
Solution
Configure the ASA5500

1. Open up the ASDM console > Wizards > SSL VPN Wizard.
2. Select "Both Options" (clientless and AnyConnect) > Next.
3. Enter a connection name. If you already have a certificate, select it here; otherwise leave it at "-None-" and the ASA will generate a self-signed certificate, which browsers will not trust until you install it or replace it with one from a trusted CA > Next.
4. For this example we are going to use the ASA's local database to hold our users. (If you want to use RADIUS/Windows IAS, select those options and follow the instructions; to set up IAS read my notes HERE.) > Enter a username and password.
5. Add > Next.
6. We are going to create a new group policy, in this case called SSL Users > Next.
7. You can now add bookmarks (links on the VPN portal page) > Manage > Add > Type in a name for the bookmark list > Add > OK.
8. Give the bookmark a name and subtitle (see step 18 for how these are displayed) > Enter the internal URL of the website > OK.
9. Add > OK.
10. OK.
11. Next.
12. Create an IP pool (the range leased to AnyConnect clients; it must be DIFFERENT from your LAN IP range) > New > Enter a name, the start and end IP addresses and the subnet mask > OK.
13. Point the ASA at the AnyConnect client image you want to use (you can upload an image from your PC here as well) > Next > Accept the warning about NAT exemption (if you do get a warning telling you to add a NAT exemption, see the note at the end).
14. Finish.
15. Before it will work you need to select Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Double-click the connection profile you created in step 3 > Enter a name in the Aliases section, e.g. AnyConnect > OK > Tick the box that says "Allow user to select connection profile by its alias..." > Apply.
16. File > Save Running Configuration to Flash.
17. Connect from outside to https://{public_IP} (this has to be in the browser's trusted sites list for the AnyConnect launcher to run; with the self-signed certificate from step 3 you will also get a certificate warning) > Enter the username and password > Login.
18. You are now on the "Portal" page; any bookmarks created above will be visible > Click the AnyConnect tab.
19. Double-click to launch AnyConnect.
20. The AnyConnect client will install if it has not been used previously (the user needs to be a local administrator for the install) and then connects.
NAT Exemption: If you received a warning about needing to add the remote VPN pool as a NAT exemption (after step 13), you will need to add a line of the following form to the ASA, so that traffic between the LAN and the VPN pool is not translated:

    access-list {name} extended permit ip {LAN behind ASA} {LAN subnet mask} {VPN pool range} {VPN pool subnet mask}

Working example:

    access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0

WARNING: Only one access list can be bound for NAT exemption, so make sure the name matches any existing no-NAT ACL and add the line to that ACL rather than creating a second one; if a new ACL replaces the old one, your existing IPsec VPNs will lose their exemption and fail!
|
Do the same thing from the command line
|
webvpn
|
|
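The listing above is cut off after `webvpn`, so the following is an added example of the equivalent configuration for steps 1 to 16 in ASA 8.0/8.2 CLI syntax. It is not the original page's listing. The LAN and pool addresses are the ones from the NAT exemption note; the connection profile name (SSL-VPN), group policy name (SSL-Users), pool name (SSL-POOL), bookmark list name (SSL-Bookmarks), the username and password, the ASDM port (4443) and the AnyConnect package filename are all assumptions and should be changed to match your environment. On ASA 8.3 and later the `nat (inside) 0 access-list` exemption is replaced by object NAT, and on 8.4 and later the `svc` keywords become `anyconnect` and `vpn-tunnel-protocol` takes `ssl-client ssl-clientless`.

```cisco
! Added example (not the page's own listing): ASA 8.0/8.2 CLI equivalent of the
! ASDM SSL VPN wizard steps above. Names, credentials, the ASDM port and the
! AnyConnect image filename are assumptions.
!
! Step 12. Address pool leased to AnyConnect clients (must differ from the LAN).
ip local pool SSL-POOL 10.254.253.1-10.254.253.254 mask 255.255.255.0
!
! NAT exemption note. Exempt LAN <-> VPN pool traffic from NAT. Only one ACL can
! be bound to "nat (inside) 0", so add this line to an existing no-NAT ACL if
! you already have one instead of creating a second ACL.
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Problem section note. ASDM cannot share port 443 with SSL VPN on the outside
! interface, so move ASDM to another port (4443 is an assumption).
http server enable 4443
!
! Steps 1, 2, 13 and 15. Enable WebVPN on the outside interface, register the
! AnyConnect image, and let users choose a connection profile by alias.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
!
! Steps 6 and 7. Group policy allowing both clientless (webvpn) and AnyConnect
! (svc). "url-list value" attaches the bookmark list created in step 7 to the
! portal; "svc ask none default webvpn" lands users on the portal page with the
! AnyConnect tab, as in step 18.
group-policy SSL-Users internal
group-policy SSL-Users attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value SSL-Bookmarks
  svc ask none default webvpn
!
! Steps 4 and 5. Local user. Change the password; privilege 0 is the lowest
! level, so the account is only useful for VPN login.
username vpnuser password ChangeMe123 privilege 0
username vpnuser attributes
 vpn-group-policy SSL-Users
!
! Steps 3, 12 and 15. Connection profile (tunnel group) with the pool, the
! group policy, and the alias shown on the login page.
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool SSL-POOL
 default-group-policy SSL-Users
tunnel-group SSL-VPN webvpn-attributes
 group-alias AnyConnect enable
!
! Step 16. Save the running configuration to flash.
write memory
```

Check the result with `show running-config webvpn`, `show running-config tunnel-group SSL-VPN` and `show vpn-sessiondb svc` once a client has connected; if the client connects but cannot reach the LAN, `show nat` will tell you whether the pool traffic is actually hitting the exemption ACL.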