Cisco ASA AnyConnect VPN ‘Using ASDM’

KB ID 0000069

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Below is a walkthrough for setting up a client to gateway VPN tunnel using a Cisco Firepower ASA appliance. This was done via the ASDM console. The video was shot with ASA version 9.13(1) and ASDM 7.13(1).

Suggestion: If you are setting this up for the first time, I would suggest setting it up to use the ASA’s LOCAL database for usernames and passwords, (as shown in the video). Then once you have it working, you can change the authentication (AAA) to your preferred method (see links at bottom of page).

The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult so I will leave that procedure at the end just in case 🙂

Note: The ASDM cannot be used on the normal port (HTTPS) on the outside interface when using AnyConnect, because HTTPS (TCP port 443) needs to be free for AnyConnect (and, IMPORTANTLY, it must NOT be ‘port-forwarded’ to a web server / Exchange server etc. for this to work). To fix that, either change the port that AnyConnect is using (not the best solution!) or, (a much better solution) change the port ASDM is using.

Solution

Setup AnyConnect From ASDM (Local Authentication)

In case you don’t want to watch a video! Launch the ASDM > Wizards > VPN Wizards > AnyConnect VPN Wizard > Next.

Give the AnyConnect profile a name, e.g. PF-ANYCONNECT, (I capitalise any config that I enter, so it stands out when I’m looking at the firewall configuration) > Next > Untick IPSec > Next.

Note: You can use IPSec if you want, but you will need a Certificate pre-installed to do so!

Now you need to upload the AnyConnect client packages for each operating system that is going to want to connect.

Once the package (with a .pkg extension) is located, you can upload it directly into the firewall’s flash memory.

Repeat the process for each OS that will be connecting. (PLEASE don’t forget to add the macOS package, or your users will see THIS ERROR) > Next > As mentioned above, I’m using LOCAL (on the ASA) authentication. I always set this up first, then test it, then if required, change the authentication method > If you don’t already have a LOCAL user created, add a username and password for testing > Next.

Next (unless you want to set up SAML) > Here I’ll create a new ‘Pool’ of IP addresses for my remote clients to use. You can also use an internal DHCP server for remote clients; again, I normally set up and test with a Pool from the ASA, then if I need to use a DHCP server, I swap it over once I’ve tested AnyConnect. If that’s a requirement, see the following article:

AnyConnect – Using a Windows DHCP Server

Enter the DNS server(s) details for your remote clients > WINS? Who is still using WINS! > Domain name > Next > Tick ‘Exempt VPN traffic from network address translation’ > Next.

Next > Finish

DON’T FORGET TO SAVE THE CHANGES!! (File > Save Running Configuration to Flash)

Now any remote client attempting to connect to AnyConnect can install the client software directly from the firewall, (This is assuming you have not already installed it for them beforehand).


For Older Versions of the ASA/ASDM

Note: The information below is OBSOLETE. I only leave it here in case someone is running some VERY old versions of the ASDM and AnyConnect.

1. Open up the ASDM console > Click Wizards > SSL VPN Wizard.

2. Select “Both Options”. > Next.

3. Enter a connection name > If you have a certificate already, select it here, or simply leave it on “-None-” and the ASA will generate an untrusted one. > Next.

4. For this example we are going to use the ASA’s Local database to hold our user database; however, if you want to use RADIUS/Windows IAS, select those options accordingly and then follow the instructions. Note: To set up IAS read my notes HERE > Enter a username and password.

5. Add. > Next

6. We are going to create a new policy in this case called SSL Users > Next.

7. You can now add bookmarks (Links on the VPN portal page) > Manage > Add > Type in a name > Add. > OK.

8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the web site > OK.

9. Add > OK.

10. OK.

11. Next.

12. Create an IP Pool (IP range to be leased to the VPN clients that is DIFFERENT to your LAN IP range) > New > enter a name, IP addresses, and the subnet mask > OK.

13. Point the ASA to the AnyConnect client you want to use (Note you can upload a software image from your PC here as well) > Next > Accept the warning about NAT Exemptions (Note: if you do get a warning to add a NAT Exemption, see the note at the end).

14. Finish.

15. Before it will work you need to select Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Double click the Connection profile you created earlier in step 3 > Enter a name in the Aliases section, e.g. AnyConnect > OK > Tick the box that says “Allow user to select connection profile by its alias………” > Apply.

16. File > Save running configuration to flash.

17. Connect externally to https://{public_IP} (Note: this has to be in the browser’s trusted site list) > Enter a username and password > Login.

18. You are now on the “Portal” site; any bookmarks created above will be visible > Click the AnyConnect Tab.

19. Double click to launch AnyConnect.

20. The AnyConnect client will install if not used previously (the user needs to be a local admin) and connects.

NAT Exemptions: Note, if you received a warning about needing to add the remote VPN pool as a NAT Exemption (after step 13), you will need to add the following lines to the ASA.

Syntax;

[box]

access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}

nat (inside) 0 access-list {name}

Working example

access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0

nat (inside) 0 access-list nonat

[/box]

WARNING: Make sure the ACL name matches any existing no-NAT ACL already referenced by ‘nat (inside) 0’, or your existing IPsec VPNs will fail!

Related Articles, References, Credits, or External Links

Cisco ASA 5500 AnyConnect Setup From Command Line

AnyConnect: Allow ‘Local’ LAN Access

AnyConnect 4 – Plus and Apex Licensing Explained

Cisco AnyConnect – Essentials / Premium Licences Explained

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authentication (Cisco ASA)

RADIUS Authentication (Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Event ID 7023

KB ID 0000353

Problem

Event ID 7023

Source: Service Control Manager

Description: The Internet Authentication Service service terminated with the following error: Only one usage of each socket address (protocol/network address/port) is normally permitted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Cause: In my case the server (SBS2003) had recently been patched and updated. It was one of those updates that had stopped the IAS service from running; this was originally seen with MS KB 956189. But the update mentioned in that article (MS KB 953230) was not visible on the list of installed updates. However, the fix is the same.

The Internet Authentication service was not running, and manually starting it caused it to stall straight away.

Solution

1. On the affected server > Start > run regedit {Enter}.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3. Locate the ReservedPorts entry and double click it.

4. For IAS to run you need to have the following port ranges: 1812-1813 and 1645-1646 (I was missing the second range) > OK.

Note: DO NOT remove or change any existing entries!

5. You MUST reboot the server for this to take effect.

Related Articles, References, Credits, or External Links

NA


Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM > Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2012 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next > Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory > OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you setup above (number 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name > Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication (PAP, SPAP)’ > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails, check that there is physical connectivity between the two devices and that the shared secrets match. Also ensure UDP ports 1645 and 1646 (the ASA’s default RADIUS ports) are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]
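What the test command above actually puts on the wire is a RADIUS Access-Request with the password hidden by the ‘Unencrypted authentication (PAP)’ method: the User-Password attribute is XORed with MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865), which is why the shared secret and its handling matter. The Python below is an added illustration, not the article’s or Cisco’s code; the username, password and secret are constructed sample values copied from the article’s own CLI boxes.

```python
import hashlib
import secrets
import struct

# Cisco ASA defaults to the legacy RADIUS ports (RFC 2865 standardises 1812/1813)
ASA_RADIUS_AUTH_PORT = 1645
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte boundary, then XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the IAS/NPS server does it before checking PAP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Build the PAP Access-Request that 'test aaa-server authentication' makes the ASA send."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


if __name__ == "__main__":
    # Constructed sample values taken from the article's own test command and CLI box.
    request = build_access_request("petelong", "password123", b"123456")
    code, ident, auth, attrs = parse_packet(request)
    print(f"code={code} id={ident} user={attrs[ATTR_USER_NAME]!r} hidden_pw={attrs[ATTR_USER_PASSWORD].hex()}")
    print("server recovers:", unhide_password(attrs[ATTR_USER_PASSWORD], b"123456", auth))
```

Anyone holding the shared secret and a capture of the request can recover the password the same way, which is the practical reason to use a long random secret and keep the ASA-to-NPS path on a trusted network.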

26. Finally, save the firewall changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

Cisco ASA5500 Client VPN Access Via RADIUS

KB ID 0000071

Problem

Below is a walkthrough for setting up a client to gateway VPN tunnel using a Cisco ASA appliance. This is done via the ASDM console, though if (like me) you prefer using the Command Line Interface, I’ve put the commands at the end.

You will need a RADIUS server. Windows Server (2000 and 2003) has its own RADIUS bolt-on called Windows IAS; Step 1 below is a walkthrough on how to set this up.

It also uses the Cisco VPN client – the version used is v5 which is still in beta at the time of writing.

Solution

Note: This is an old post and covers setup on Server 2003, for a more modern version, (Server 2012/2016/2019) of this procedure, see the following article;

Windows Server Setup RADIUS for Cisco ASA 5500 Authentication

Step 1 Install RADIUS (Server 2003 Windows IAS)

Note: for Server 2008 go here and for Server 2012 go here.

1. Assuming you don’t already have IAS installed, Click Start > Control Panel > Add Remove Programs.

2. Add/Remove Windows Components.

3. Double Click “Networking Services”.

4. Tick Internet Authentication Service.

5. Next

6. The Service will install, NOTE it may ask you for the Windows CD, if you have already copied the i386 directory to a hard drive on the server, point it there instead.

7. When it’s done click Finish.

8. Click Start > Run.

9. Type mmc > OK.

10. An Empty MMC Console will open.

11. Click File > Add/Remove Snap-in.

12. Click Add

13. Scroll down to Internet Authentication Service (IAS), select it > Add.

14. Finish.

15. Close.

16. OK.

17. Right click “RADIUS Clients” > New RADIUS Client.

18. Give it a sensible name like “CiscoASA” > Enter its IP address > Next.

19. Client vendor set to “RADIUS Standard” > Enter a shared secret to use; in this example I’ll use 123456, but I suggest you use something more secure 🙂 > Finish.

20. Back at the main console > Select “Remote Access Policies” > Right click “Connections to other Access Servers” > Properties.

21. Tick “Grant remote access permissions” > Press the Edit Profile button.

22. On the Authentication tab, tick Unencrypted authentication (PAP SPAP)

23. On the Encryption tab ensure “No Encryption” is ticked.

24. Pah! Reading help files is for the weak > No.

25. Apply > OK.

26. We will now create a new user to use the RADIUS. Click Start > dsa.msc > OK. Active Directory Users and Computers will open.

27. Right click the OU you want your user created inside > New > User.

28. Give the user a name and logon name, e.g. user2 > Next > Enter and confirm a password and tick Password Never Expires > Next.

29. If you have Microsoft Exchange you will see this next if you don’t see it don’t panic > Next

30. Finish

31. Locate the user > Right Click > Properties.

32. On the Dial in Tab select “Allow Access” > Apply > OK. Then close all the open windows.


Step 2 Add the RADIUS server to the ASA5500 as an AAA Server.

1. Open the ASDM > Configuration > Properties >AAA Setup > AAA Server Groups > Add.

2. Give the Server group a name e,g “WindowsIAS” > Select RADIUS > OK.

3. In the bottom section titled “Servers in the selected group” Click Add.

4. Set interface name to “Inside” > Enter the IP Address of the Windows server > Enter the “Server Secret Key” (you specified above in Step 1 Number 19) > Re-enter the same one next to “Common Password” > OK.

5. Click Apply > Test.

6. Select Authentication > Enter the username and password you created earlier (Step 1 Numbers 28,29 and 30) > OK.

7. If it fails recheck all your previous settings. > OK.

8. Back at the ASDM > File > Save Running Configuration to Flash”.


Step 3 Configure the ASA for Client VPN Access.

1. Open up the ASDM console > Click Wizards > VPN Wizard.

2. Select “Remote Access”. > Next.

3. Select Cisco VPN Client. > Next.

4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. “RemoteVPN”. > Next.

5. Select “Authenticate using an AAA Server Group “. > Select The Server Group you created in Step 2 > Next.

6. Now we need to create some IP addresses that the remote clients will use when connected. > Click New.

7. Give the Pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DON’T have to be on the same network as your internal IPs; in fact, for auditing it’s good practice to make them different) > Enter a Subnet Mask > OK.

8. Click Next.

9. Enter the details you want the remote clients to use while connected, DNS servers, WINS Servers and domain name. > Next.

10. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note some Cisco VPN clients will not support AES). > Next

11. Again leave it on the default of 3DES and SHA. > Next.

12. You can choose what IP addresses you want the remote VPN clients to have access to, first change the drop down to “Inside”, here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.

NOTE: If you do not tick the box to enable “Split Tunneling”, then the client cannot browse the internet etc. while connected via VPN.

13. Review the information at the end of the wizard > Finish.

14. Now you need to save the changes you have just made: from the ASDM select File > “Save running configuration to flash”.


Step 4 Configure the Client VPN Software on the remote client.

Also See THIS VIDEO

1. I’ll assume you have the software installed; you can get it from two places: on the CD that came with the ASA, or download it direct from Cisco (NOTE this needs a valid Cisco CCO account and a service contract). > Click New.

2. Under connection entry give the connection a name e.g. “Remote VPN to Office” > Under “Host” enter the Public IP of the ASA (NOTE I’ve blurred this one out to protect my IP address) > Under “Name” enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE these are NOT the usernames and passwords you created in Step 1 number 6. > Click Transport Tab.

3. Accept the defaults, but tick “Allow LAN access” if you want to be able to access YOUR drives etc. from the network behind the ASA > Save.

4. Select the Connection you have just created. > Connect.

5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK.

6. After a few seconds (provided the details were all right) it will connect; hover over the padlock in your task tray and it should say “VPN Client – Connected”.


Do the same thing from command line

[box]

access-list remotevpn_splitTunnelAcl standard permit 10.254.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool vpnpool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
aaa-server windowsias protocol radius
aaa-server windowsias host 10.254.254.10
key 123456
radius-common-pw 123456
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.254.254.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remotevpn_splitTunnelAcl
default-domain value petenetlive.com
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool vpnpool
authentication-server-group windowsias
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey

[/box]  
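The NAT exemption lines in this box and the ‘nonat’ example in the older AnyConnect section above share one failure mode: the ACL named on the ‘nat (inside) 0’ line has to exist, and one of its ACEs has to cover the whole VPN pool, or remote clients get NATted and nothing works. The following Python check is an added example (not from the article or Cisco) that parses the pre-8.3 ‘nat 0 access-list’ syntax shown here from a constructed copy of the box and lists any pool the exemption does not cover.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the CLI box above, plus the
# split-tunnel ACL to show that unrelated (standard) ACLs are ignored.
SAMPLE_CONFIG = """
access-list remotevpn_splitTunnelAcl standard permit 10.254.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool vpnpool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+) mask ([\d.]+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Turn an ASA 'address netmask' pair into a network object."""
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse(config: str):
    """Collect extended ACEs by ACL name, pools by name, and nat 0 bindings by interface."""
    aces, pools, nat0 = {}, {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            name, src, src_mask, dst, dst_mask = m.groups()
            aces.setdefault(name, []).append((net(src, src_mask), net(dst, dst_mask)))
        elif m := POOL_RE.match(line):
            name, start, end, _mask = m.groups()
            pools[name] = (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    return aces, pools, nat0


def uncovered_pools(config: str, interface: str = "inside") -> list:
    """Names of VPN pools whose whole range is not the destination of some ACE in the
    nat 0 ACL bound to `interface`; a missing or misnamed ACL fails every pool."""
    aces, pools, nat0 = parse(config)
    acl = nat0.get(interface)
    if acl is None or acl not in aces:
        return sorted(pools)
    return sorted(name for name, (start, end) in pools.items()
                  if not any(start in dst and end in dst for _src, dst in aces[acl]))


if __name__ == "__main__":
    print("uncovered pools:", uncovered_pools(SAMPLE_CONFIG) or "none")
```

On ASA 8.3 and later the same exemption is expressed as a twice-NAT rule (what the AnyConnect wizard’s ‘Exempt VPN traffic from network address translation’ tick box generates), so this parser applies only to the older syntax shown in the box.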

Related Articles, References, Credits, or External Links

NA