AnyConnect ‘Management VPN Tunnel’ Configuration

KB ID 0001503

Problem

With the newest version of AnyConnect (4.7) there’s an added feature called ‘Management VPN’. It’s there so that if you have remote users who don’t VPN in very often, you can still manage their machines, e.g. push software updates, AV updates, SCCM packages etc. down to them.

Before version 4.7 you could configure ‘Automatically Connect’ or ‘Start Before Logon’ to handle these problems; now you can use Management VPN. It automatically connects (authenticating with the computer certificate, so nobody needs to be logged on), and it automatically disconnects when a remote user brings up a normal AnyConnect user VPN connection. When they disconnect again, the Management VPN re-establishes after a few seconds.

As usual the Cisco documentation is not brilliant! So I built it out in EVE-NG to test. Here’s the Lab I used;

AnyConnect Management VPN Topology

I’ve got a Windows 2012 R2 Server that’s doing Certificate services and DHCP, I’ve also got an external (Windows 7) client with AnyConnect 4.7 installed.

Solution

My first task was to set up normal user AnyConnect, which I secured with certificates (user certificates); I sent the certificates out using auto-enrollment. Also, while I had my certificate hat on, I generated a certificate for the outside of the ASA as well. (I didn’t bother setting up NDES, I just imported the CA certificate on the ASA.)

Note: If you already have working AnyConnect, then you can skip this section.

Deploying Certificates via ‘Auto Enrollment’

Cisco AnyConnect – Securing with Microsoft Certificate Services

I’m also leasing my remote client’s IP addresses from my Windows DHCP server, so I’ve setup a DHCP scope on there as well (192.168.125.0/24)

AnyConnect Windows DHCP

As a pointer here is the config I’m using;

! VPN client subnet (addresses are leased from the Windows DHCP server)
object network OBJ-AnyConnect-SN
 subnet 192.168.125.0 255.255.255.0
!
! Split tunnel: only the internal LAN goes down the tunnel
access-list SPLIT-TUNNEL standard permit 192.168.123.0 255.255.255.0 
!
! NAT exemption between the inside network and the VPN clients
nat (inside,outside) source static any any destination static OBJ-AnyConnect-SN OBJ-AnyConnect-SN no-proxy-arp route-lookup
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
!
group-policy GP-AnyConnect internal
group-policy GP-AnyConnect attributes
 wins-server none
 dns-server value 192.168.123.10
 dhcp-network-scope 192.168.125.0
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value testrig.com
!
! User tunnel group: certificate-only authentication, reached via the /AnyConnect group-url
tunnel-group TG-AnyConnect type remote-access
tunnel-group TG-AnyConnect general-attributes
 default-group-policy GP-AnyConnect
 dhcp-server 192.168.123.10
tunnel-group TG-AnyConnect webvpn-attributes
 authentication certificate
 group-alias TG-AnyConnect enable
 group-url https://vpn.testrig.com/AnyConnect enable

In addition (much as I prefer to work at the CLI, you need to go into the ASDM for the following): create a new AnyConnect client profile and associate it with the group policy we just created (above).

AnyConnect Profile

Add the URL you specified above (the group-url, https://vpn.testrig.com/AnyConnect) to the ‘Server List’.

AnyConnect Profile Server List

To avoid being prompted for which certificate to use, untick ‘Disable Automatic Certificate Selection’ (yes, the double negative makes no sense to me either!). Save the profile.

AnyConnect Certificate Override

Then make sure the VPN works as expected.


Setup AnyConnect Management VPN

Prerequisites

Your ASA needs to be running version 9.0(1) or newer, and your ASDM image needs to be 7.10(1) or newer.


You need the AnyConnect client software (4.7 or newer!).

AnyConnect 4.7 Management VPN Pre-requisites

I’ve already mentioned certificates, but you will need the CA certificate from the CA that’s issuing your COMPUTER certificates installed and trusted on the ASA, because the management tunnel authenticates with the machine certificate rather than the user one. Mine’s already there, as I’m already authenticating my USER certificates against it.

ASA Trusted CAs

Add another Tunnel-Group and Group-Policy for your Management-VPN, I’ll drop back to CLI to do that (to keep things neat and tidy).

!
! Management tunnel group policy: split tunnel, same DHCP scope as the user tunnel
group-policy GP-Management-VPN internal
group-policy GP-Management-VPN attributes
 dns-server value 192.168.123.10
 dhcp-network-scope 192.168.125.0
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value testrig.com
!
! Management tunnel group: certificate-only authentication; the group-url must
! match the server list entry in the management VPN profile
tunnel-group TG-Management-VPN type remote-access
tunnel-group TG-Management-VPN general-attributes
 default-group-policy GP-Management-VPN
 dhcp-server 192.168.123.10
tunnel-group TG-Management-VPN webvpn-attributes
 authentication certificate
 group-alias TG-Management-VPN enable
 group-url https://vpn.testrig.com/Management-VPN enable
!

Add a new AnyConnect client profile, set the profile usage to ‘AnyConnect Management VPN Profile’, and link it to the Group-Policy for your Management VPN (GP-Management-VPN). Link it to the Group-Policy for your AnyConnect USER connections as well, so that the client downloads it the next time a user connects.


As before, add a server list entry with the same URL you specified in the Management VPN tunnel group (https://vpn.testrig.com/Management-VPN).


Add an Automatic VPN Policy (Trusted Network Detection) so the client connects whenever it is on a network that is NOT your corporate network: Trusted Network Policy ‘Disconnect’, Untrusted Network Policy ‘Connect’. Here, if a client can see my DNS server (Trusted DNS Servers) or is handed my domain name via DHCP (Trusted DNS Domains), it is on the corporate network and WON’T connect.

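The profile editor steps above (for the user profile in the first section and for the management profile here) boil down to a small XML file. The following is an added example for this lab, not a file from the original article: a management VPN profile with the /Management-VPN server entry, automatic certificate selection switched on, and Trusted Network Detection keyed to the lab’s domain and DNS server. The user profile has the same shape (a server entry for /AnyConnect plus AutomaticCertSelection) without the AutomaticVPNPolicy block. Cisco’s documentation, quoted in the comments below, names the file VpnMgmtTunProfile.xml when it is deployed out of band; the folder it goes in is assumed here to be the MgmtTun sub-folder of the AnyConnect profile directory on Windows, so verify that on your build.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example management VPN profile for the lab in this article
     (not the article's own file). Hostnames, domain and DNS server are the
     lab's: vpn.testrig.com, testrig.com, 192.168.123.10. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Equivalent of unticking 'Disable Automatic Certificate Selection':
         the client picks the machine certificate without prompting. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <!-- Trusted Network Detection. On the corporate LAN (DNS suffix testrig.com
         handed out by DHCP, or the internal DNS server reachable) the tunnel is
         dropped; anywhere else it is brought up. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>testrig.com</TrustedDNSDomains>
      <TrustedDNSServers>192.168.123.10</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- HostAddress + UserGroup is how the Server List stores the group-url
           https://vpn.testrig.com/Management-VPN from the TG-Management-VPN tunnel group. -->
      <HostName>Management-VPN</HostName>
      <HostAddress>vpn.testrig.com</HostAddress>
      <UserGroup>Management-VPN</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

If the profile the ASA hands down does not match this (for instance TND missing, or the server entry pointing at the user group-url), the management tunnel will not establish, so it is worth opening the saved XML in ASDM’s profile editor and checking these three parts before chasing the client.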

Additional Settings Required for Management VPN

Edit the Group-Policy you are using for Management VPN > AnyConnect Client > Custom Attributes > Add > create an attribute of type ManagementTunnelAllAllowed. (This attribute is only required if the management tunnel is tunnel-all; with a split-include list like the one in this lab the management tunnel is allowed without it, but it does no harm to set it.)


Create a value for it: name ‘true’, value ‘true’.


In the ‘AnyConnect Client’ section of the same group policy, ENABLE ‘Client Bypass Protocol’; the management tunnel requires it.

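For those who, like the author, would rather paste than click, the ASDM steps in this section map onto a handful of CLI lines. This is an added example using the lab’s names (not config from the original article). The `type vpn-mgmt` keyword on the profile attachment is assumed from the ASDM profile usage name ‘AnyConnect Management VPN Profile’; check it with `?` on your ASA before pasting.

```cisco
! Added example (not from the original article): CLI equivalent of the ASDM
! steps for the management tunnel, for the lab's names.
!
! 1. Register the management VPN profile saved from the profile editor
!    (upload it to flash first).
webvpn
 anyconnect profiles Management-VPN disk0:/Management-VPN.xml
!
! 2. Define the custom attribute and a named value for it (name 'true',
!    value 'true'). Only strictly needed for a tunnel-all management tunnel.
webvpn
 anyconnect-custom-attr ManagementTunnelAllAllowed description Allow tunnel-all management tunnel
anyconnect-custom-data ManagementTunnelAllAllowed true true
!
! 3. Apply it to the management group policy, enable Client Bypass Protocol,
!    and attach the management profile. 'type vpn-mgmt' is an assumption,
!    verify with 'anyconnect profiles value Management-VPN type ?'.
group-policy GP-Management-VPN attributes
 client-bypass-protocol enable
 anyconnect-custom ManagementTunnelAllAllowed value true
 webvpn
  anyconnect profiles value Management-VPN type vpn-mgmt
!
! 4. Also attach the management profile to the USER group policy so the client
!    downloads it on its next normal connection (the existing user profile
!    attachment of type user stays as it is).
group-policy GP-AnyConnect attributes
 webvpn
  anyconnect profiles value Management-VPN type vpn-mgmt
!
! 5. Check from the ASA: the management session appears under the
!    TG-Management-VPN tunnel group and disappears when a user session comes up.
!    show vpn-sessiondb anyconnect
!    show running-config all group-policy GP-Management-VPN
```

Note that step 4 is what makes the ‘connect once to pick up the new settings’ behaviour below work: the management profile rides along with the user profile on the next user connection.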

Your client will need to make one normal user connection to download the new profile; once it has, the Management VPN will establish as soon as the user disconnects.


As soon as the user tunnel comes up, the Management VPN tunnel will drop.


Related Articles, References, Credits, or External Links

NA

Author: PeteLong


6 Comments

  1. Thank you for the article. I am trying to think of a use-case for this setup. It seems that if your resources are not segregated, little benefit is gained with this setup vs the Automatically Connect feature.
    However, if your internal resources are well segregated and you do not want to use the auto connect feature, this setup will at least allow continuous access to management resources for group policy updates, client call-home, AV/Windows updates etc.

    Most high-security organizations these days require full-tunnel VPN with automatically connect to VPN when on an untrusted network, so that is why I am asking the question.

    To summarize: If an organization wants to enable auto VPN for management purposes, but also wants to protect other resources with user-based/2FA authentication requirements, this solution is for them. But if an organization has management apps (DC/AV/SCCM/WSUS etc.) and other applications which they do not want to protect with additional authentication, they gain little with this solution?

    • Agreed, or you may want to deploy force tunnelled on your user tunnels and split tunnelled on your machine tunnels. Either way, try and deploy Microsoft’s Machine Tunnel feature! I’ve still not got it to work 🙂

  2. I have a situation where I have a remote server in a secure facility that allows me to establish a client VPN session out, but I cannot have a static public IP NAT’d through to my LAN firewall segment, i.e. I have a private LAN behind my building owner’s firewall. I need remote access to this server, especially after restarts, etc. I’m thinking this solution would meet this need, as it allows me to have a client VPN session to this device without having anyone logged in.

    Other than this, many orgs have techs or remote workers that only occasionally need access to resources behind the VPN and may go for months without using it, yet still need group policy updates, etc. The increasing use of SaaS apps over https minimizes the need for daily VPN use; this seems like a way to control the desktop without requiring them to actually use the VPN. And you don’t have to remind them of their credentials or renew certs when they realize they expired.

    • That would be a use case. I did something similar a few years ago when AWS didn’t support VPN to Cisco ASA: I had an AWS host that AnyConnect VPN’d to a client’s site as soon as it booted up, and then I had one IP in the remote pool so it always got the same IP.

  3. I had to configure the custom attribute ‘ManagementTunnelAllAllowed’ to use ‘name’ set to ‘true’ and ‘configure value’ set to ‘true’ in order to have a full-tunnel management tunnel.

    This differs from your screenshot.

  4. Thanks for this, it helped get me started, but I was trying to work out how to link my user VPN with the management tunnel, which seems to be missing from your post.
    I found this in the Cisco docs:

    Associate the Management VPN Profile to Group Policies
    You must add the management VPN profile to the group policy associated with the tunnel group used for the management tunnel connection.
    Similarly, you may also add the management VPN profile to the group policy mapped to the regular tunnel group, used for the user tunnel connection. When the user connects, the management VPN profile is downloaded, along with the user VPN profile already mapped to the group policy, enabling the management VPN tunnel feature.
    Alternatively, you can deploy the management VPN profile out of band: ensure it is named VpnMgmtTunProfile.xml, copy it to the above mentioned management VPN profile directory, and restart the Cisco AnyConnect Secure Mobility Agent service (or reboot).
