Make a PayPal Donation


  KB 0000069
  Dated 20/09/11
  Revision 1.01
   

Cisco ASA5500 AnyConnect SSL VPN
(This method uses the ASA to hold the user database)
Also see Update: Securing AnyConnect with Certificates
 

Problem

Below is a walk through for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This was done via the ASDM console. The video was shot with ASA version 8.4(2) and ASDM 6.4(5) and the setup process is a lot less painful than it used to be.

The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult so I will leave that procedure below just in case :)

ASDM cannot be used on the normal port on the outside interface when using SSL VPN
SSL VPN AnyConnect from within an RDP session is not supported (and fails - even with a /console switch).
SSL (HTTPS ot TCP port 443) needs to be free (i.e. NOT port forwarded to a web server / exchange server etc).

Solution

For Older Versions of the ASA/ASDM
1. Open up the ADSM console. > Click Wizards >SSL VPN Wizard.
2. Select "Both Options". > Next.
3. Enter a connection name > If you have a certificate already select it here or simply leave it on" -None-" and the ASA will generate an un trusted one. > Next.
4. For this example we are going to use the ASA's Local database to hold our user database (If you want to use RADIUS/Windows IAS select those options and follow the instructions (To set up IAS read my notes HERE) > Enter a username and Password.
5. Add. > Next.
6. We are going to create a new policy in this case called SSL Users > Next.
7. You can now add bookmarks (Links on the VPN portal page) > Manage > Add > Type in a name > Add. > OK..
8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the web site > OK.
9. Add > OK.
10 OK..
11 Next.
12. Create an IP Pool (IP range to be leased to the VPN clients that is DIFFERENT to your LAN IP range) > New > enter a name, ip addresses, and the subnet mask > OK.
13. Point the ASA to the Anyconnect client you want to use (Note you can upload a software image from your PC here as well) Next > Accept the warning about NAT Exemptions (Note if you do get a warning to add a NAT Exemption see the note at the end).
14. Finish.
15. Before It will work you need to Select Configuration > Remote Access VPN > Network (CLient) Access > AnyConnect Connection Profiles > . Double click the Connection profile you created earlier in step 3 > Enter a name in the Aliases section i.e. AnyConnect > OK. > Tick the box that says "Allow user to select connection profile by its alias........." > Apply.

16. File > Save running configuration to flash.
17. Connect externally to https://{public_IP} (Note this has to be in the browsers trusted site list) > Enter a username and password > Login.
18. You are now on the "Portal" site any bookmarks created above will be visible > Click the AnyConnect Tab.
19 Double click to launch AnyConnect.
20. The Anyconnect client will install if not used previously (User needs to be local admin) and connects.

NAT Exemptions: Note if you received a warning about needing to add the remote VPN pool as a NAT Exemption (After step 13) you will need to add the following lines to the ASA

Syntax

access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}
nat (inside) 0 access-list {name}

Working example

access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0
nat (inside) 0 access-list nonat

WARNING: Make sure the name matches any existing no NAT ACLs or your IPsec vpns will fail!

Do the same thing from command line

 

webvpn
enable outside
revert webvpn url-list SSL_Bookmarks
import webvpn url-list Bookmark disk0:/tmpAsdmImportFile148579927
delete /noconfirm disk0:/tmpAsdmImportFile148579927
webvpn
svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 1
svc enable
username petelong password password123 privilege 0
username petelong attributes
vpn-group-policy SSL_Policy
ip local pool SSL_Pool 172.16.253.1-172.16.253.254 mask 255.255.255.0
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list value Bookmark
svc enable
configure terminal
tunnel-group SSL_Connection type remote-access
tunnel-group SSL_Connection general-attributes
default-group-policy SSL_Policy
address-pool SSL_Pool
webvpn
tunnel-group-list enable
tunnel-group SSL_Connection webvpn-attributes
group-alias AnyConnect enable

 

If this post helped you, PLEASE take the time to +1 it.

Please be aware, all information is provided free, but it does cost me to have this site hosted, if I've helped you in any way, or saved you some time/cost please take time to make a donation.

If you have anything to add to an article, or have an article you would like us to publish please feel free to contact PeteNetLive. (Please be aware I get a LOT of email, I cannot assist and fix everyone's problems, please do not be offended if you do not get a response).
References - Credits - Or External Links
Originally written 09/11/09

 


powered by
Socialbar