AnyConnect ‘Management VPN Tunnel’ Configuration

KB ID 0001503

Problem

With the newest version of AnyConnect (4.7) there’s an added feature called ‘Management VPN’. It’s there, so that if you have remote users who don’t VPN in very often, then you may struggle to mange them, e.g. put software updates, AV updates, SCCM packages etc. down to them. 

Before version 4.7  you could configure ‘Automatically Connect’, or ‘Start before Logon’ to handle these problems, well now you can use Management VPN. What it does is, it automatically connects (using the computer certificate to authenticate), and it automatically disconnects when a remote user brings up a normalAnyConnect VPN user  connection. When they disconnect again, the Management VPN (after a few seconds) will re-establish again.

As usual the Cisco documentation is not brilliant! So I built it out in EVE-NG to test. Here’s the Lab I used;

AnyConnect Management VPN Topology

I’ve got a Windows 2012 R2 Server that’s doing Certificate services and DHCP, I’ve also got an external (Windows 7) client with AnyConnect 4.7 installed.

Solution

My first task was to setup normal user AnyConnect, which I secured with certificates, (user certificates), I sent the certificates out using auto-enrollment. Also while I had my certificate hat on, I generated a certificate for the outside of the ASA as well. (I didn’t  bother setting up NDES I just imported the CA Certificate eon the ASA).

Note: If you already have working AnyConnect, then you can skip this section.

Deploying Certificates via ‘Auto Enrollment’

Cisco AnyConnect – Securing with Microsoft Certificate Services

I’m also leasing my remote client’s IP addresses from my Windows DHCP server, so I’ve setup a DHCP scope on there as well (192.168.125.0/24)

AnyConnect Windows DHCP

As a pointer here is the config I’m using;

object network OBJ-AnyConnect-SN
 subnet 192.168.125.0 255.255.255.0
!
access-list SPLIT-TUNNEL standard permit 192.168.123.0 255.255.255.0 
!
nat (inside,outside) source static any any destination static OBJ-AnyConnect-SN OBJ-AnyConnect-SN no-proxy-arp route-lookup
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
!
group-policy GP-AnyConnect internal
group-policy GP-AnyConnect attributes
 wins-server none
 dns-server value 192.168.123.10
 dhcp-network-scope 192.168.125.0
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value testrig.com
!
tunnel-group TG-AnyConnect type remote-access
tunnel-group TG-AnyConnect general-attributes
 default-group-policy GP-AnyConnect
 dhcp-server 192.168.123.10
tunnel-group TG-AnyConnect webvpn-attributes
 authentication certificate
 group-alias TG-AnyConnect enable
 group-url https://vpn.testrig.com/AnyConnect enable

In addition, (much as I prefer to work at CLI, you need to go into the ASDM to do the following). Create a new connection profile and associate it with the group policy we just created (above).

AnyConnect Profile

Add to the ‘Server list‘ the URL you specified (above).

AnyConnect Profile Server List

To avoid being prompted for which certificate to use, untick ‘Disable Automatic Certificate Selection’ (Yes the name makes no sense to me either!) Save the profile.

AnyConnect Certificate Override

Then make sure the VPN works as expected.

AnyConnect Windows DHCP

Setup AnyConnect Management VPN

Prerequisites

Your ASA needs to be running newer than version 9, and your ASDM image needs to be 7.10(1) or newer.

AnyConnect Windows DHCP

You need to have the Anyconnect client software (4.7 or newer!)

AnyConnect 4.7 Management VPN Pre-requisites

I’ve already mentioned certificates, but you will need to have the CA certificate from the CA that’s generating your COMPUTER certificates installed and trusted, mine’s already there, as I’m already authenticating my USER certificates with it.

ASA Trusted CAs

Add another Tunnel-Group and Group-Policy for your Management-VPN, I’ll drop back to CLI to do that (to keep things neat and tidy).

!
group-policy GP-Management-VPN internal
group-policy GP-Management-VPN attributes
 dns-server value 192.168.123.10
 dhcp-network-scope 192.168.125.0
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value testrig.com
!
tunnel-group TG-Managemet-VPN type remote-access
tunnel-group TG-Managemet-VPN general-attributes
 default-group-policy GP-Management-VPN
 dhcp-server 192.168.123.10
tunnel-group TG-Managemet-VPN webvpn-attributes
 authentication certificate
 group-alias TG-Managemet-VPN enable
 group-url https://vpn.testrig.com/Management-VPN enable
!

Add a new connection profile, set the type to ‘AnyConnect Management VPN Profile’, and link it to the Group-Policy for your AnyConnect USER connections.

ASA Trusted CAs

As before add an entry to the server list with the same URL you specified in the Management VPN tunnel group.

ASA Trusted CAs

Add an Automatic VPN policy, to connect whenever you are on a network that is NOT your corporate network. Here if a client sees my server, on the same network, or gets my domain name via DHCP it WONT connect.

ASA Trusted CAs

Additional Settings Required for Management VPN

Edit the Group-Policy you are using for Management VPN > AnyConnect Client  > Custom Attributes > Add > Create an Attribute called: ManagementTunnelAllAllowed.

ASA Trusted CAs

Create a value for it called true/true.

ASA Trusted CAs

In the ‘AnyConnect Client‘ section, ENABLE ‘Client Bypass Protocol’.

ASA Trusted CAs

Your client will need to connect at least once to get the new settings, once they have when they disconnect the Management VPn will establish.

ASA Trusted CAs

As soon as the user tunnel comes up, the Management VPN tunnel will drop.

ASA Trusted CAs

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

2 Comments

  1. Thank you for the article. I am trying to think of a use-case for this setup. It seems that if your resources are not segregated, little benefit is gained with this setup vs Automatically Connect feature.
    However if your internal resources are well segregated and you do not want to use auto connect feature, this setup will at least allow continuous access to management resources for group policy updates, client call-home, av/windows updates etc…

    Most high-security organizations these days require full-tunnel VPN with automatically connect to VPN when on untrusted network so that is why I am asking the question.

    To summarize: If organization wants to enable auto VPN for management purposes, but also wants to protect other resources with User based/2FA authentication requirements this solution is for them. But if organization has management apps (DC/AV/SCCM/WSUS etc…) and other applications which they do not want to protect with additional authentication, they gain little with this solution?

    Post a Reply
    • Agreed, or you may want to deploy force tunnelled on your user tunnels and split tunnelled on your machine tunnels. Either way try and deploy Microsofts Machine tunnel feature! I’ve still not got it to work 🙂

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *