I got an email from a client I had deployed SSL VPN for (a couple of weeks ago); one of his users was seeing this:
Unlicensed VPN access is available until {Date} {Time}
Solution
At first I was confused: unlike with other vendors, SSL VPN is not a licensed feature, is it? As it turns out, in my instructions I’d written ‘Download the FortiClient’ when I should have said ‘scroll to the bottom and download the FortiClient VPN version’.
That will teach me!
Related Articles, References, Credits, or External Links
Given my background, I’m usually more comfortable connecting to Azure with a Route Based VPN from a hardware device like a Cisco ASA. I got an email this afternoon: a client had a server in a private cloud and a server in Azure, and they needed to transfer files from the Azure server to the server in the private cloud. On further investigation this client had a Cisco vASA, so a VPN was (probably) the best option for them.
But what if they didn’t? Or what if they were ‘working from home’ and needed to access their Azure servers that were not otherwise publicly accessible?
Well, the Microsoft solution for that is called an ‘Azure Point to Site VPN‘, even though in the current Azure UI they’ve called it ‘User VPN Configuration‘, because ‘Hey! Screw consistency and documentation that goes out of date every time a developer has a bright idea and updates the UI’. Note: I have a thing about things being changed in GUIs!
So regardless whether you are on or off the corporate LAN, you can connect to your Azure Virtual Networks.
Azure VPN (Remote Access)
This is not a full Azure tutorial; I’m assuming, as you want to connect to existing Azure resources, that you already have most of this set up. But, just to quickly run through: you will need a Resource Group, and in that Resource Group you will need a Virtual Network. (Note: I like to delete the ‘default‘ subnet and create one with a sensible name).
So far so good. Within your virtual network you will need to create (if you don’t already have one) a ‘Gateway Subnet‘. To annoy the other network engineers I’ve made it a /24, but to be honest a /29 is usually good enough.
Now to terminate a VPN, you need a ‘Virtual Network Gateway‘.
Make sure it’s set for VPN (Route Based) > Connected to your Virtual Network > Either create (or assign) a public IP to it. I told you I’d be quick; however, the Gateway will take a few minutes to deploy (time for a coffee).
Now launch ‘certmgr‘ and you will see the two certificates. Firstly, export the client certificate.
Yes you want to export the private key > You want to Save it as a .PFX file > Create a password for the certificate (MAKE NOTE OF IT!) > Save it somewhere you can get to, (you will need it in a minute).
Secondly, export the Root CA certificate.
You DON’T export the private key > Save as Base-64 encoded > Again save it somewhere sensible, you will also need it in a minute.
Open the ROOT CA CERT with Notepad, and copy all the text BETWEEN -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Note: This is unlike most scenarios when working with PEM files, where you select everything (it tripped me up!)
Back in Azure > Select your Virtual Network Gateway > Select ‘User VPN Connection’ (seriously, Microsoft, be consistent eh!) > ‘Configure now‘.
Pick an address pool for your remote clients to use. Make sure it does not overlap with any of your assets, and don’t use 192.168.1.0/24 or 192.168.0.0/24. Note: These will work, but most home networks use these ranges, and let’s not build in potential routing problems before we start!
Choose IKEv2 and SSTP > Authentication Type = Azure Certificate > Enter your Root CA details and paste in the PEM text you copied above > Save > Time for another coffee!
When it has stopped deploying, you can download the VPN client software.
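Two checks for the procedure above, written as an added example (not code from the original post): one returns the root CA data in the form Azure expects it pasted (only the Base-64 body between the markers, with the markers and line breaks removed), the other lists any overlap between the proposed client address pool and your VNet prefixes or the common home ranges. The sample PEM is constructed and is not a real certificate.

```python
"""Checks for the Azure Point to Site steps: root CA paste data and
client address pool overlap (added example, not from the original post)."""
import base64
import ipaddress
import re

PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def azure_root_cert_data(pem_text: str) -> str:
    """Return the Base-64 text between the PEM markers with all whitespace
    removed, i.e. what you paste into the Azure root certificate field.
    Raises ValueError if the file does not hold exactly one certificate or
    the body does not decode to DER (a DER certificate starts with 0x30)."""
    bodies = PEM_BODY.findall(pem_text)
    if len(bodies) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    body = "".join(bodies[0].split())
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE; wrong export format?")
    return body


# Ranges the post says to avoid because most home networks use them.
HOME_RANGES = ("192.168.0.0/24", "192.168.1.0/24")


def pool_conflicts(pool: str, vnet_prefixes) -> list:
    """Return every prefix (your VNet/subnet prefixes plus the common home
    ranges) that overlaps the proposed client pool. Empty list means safe."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    candidates = list(vnet_prefixes) + list(HOME_RANGES)
    return [p for p in candidates
            if pool_net.overlaps(ipaddress.ip_network(p, strict=False))]


# Constructed sample: NOT a real certificate, just a DER SEQUENCE holding
# INTEGER 1, wrapped in the PEM markers a Base-64 export produces.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(azure_root_cert_data(SAMPLE_PEM))
    # Hypothetical VNet prefixes; a 172.16 pool clears them and the home ranges.
    print(pool_conflicts("172.16.201.0/24", ["10.0.0.0/16", "10.0.1.0/24"]))
    print(pool_conflicts("192.168.1.0/24", ["10.0.0.0/16"]))
```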
Azure Point to Site (User VPN) Client Configuration
So for your client(s) you will need the Client Certificate (the one in PFX format*) and the VPN Client software > Double click the PFX file > Accept ‘Current User‘.
*Note: Unless you deployed user certificates already, and your corporate Root Cert was entered into Azure above.
Type in the certificate password you created above > Accept all the defaults.
Yes.
Now install the Client VPN software, you may get some security warnings, accept them and install.
Now you will have a configured VPN connection. I’m a keyboard warrior so I usually run ncpa.cpl to get to my network settings, (because it works on all versions of Windows back to NT4, and ‘developers’ haven’t changed the way it launches 1006 times!)
Launch the Connection > Connect > Tick the ‘Do not show…‘ option > Continue > If it works, everything will just disappear and you will be connected.
Related Articles, References, Credits, or External Links
Cisco released information on their blog a few days ago to say that they would be offering free Umbrella, Duo and AnyConnect Licences to customers in the wake of the COVID-19 outbreak.
That’s great news, but there’s no information on how to get the AnyConnect licences; it just says speak to your Cisco partner. As I am a Cisco partner I was confused, and it seems my colleagues were also. So I contacted Cisco Partner help, who passed me to licensing, who passed me to Cisco TAC, who opened a call. 24 hours later, still no reply. Luckily by this time a colleague had managed to set this up for a client, and he pointed me in the right direction (cheers Trev!)
Solution
Note: This procedure DOES NOT work for vASA or FTD. You can email licensing@cisco.com with the subject ‘COVID-19 AnyConnect License Request’; provide your platform information and smart account details, and they will provision licenses for your account that you can then assign via the usual methods.
Note: I exclusively work at command line, I realise some people are terrified of doing this, so if you want to work with activation keys and serial numbers in the ASDM then read this post.
Log into your Cisco Device (in my case a Cisco ASA) and get the serial number. (Issue a show version command).
Note: I would also take a copy of the Activation Key at this point paste it into Notepad and keep it somewhere safe.
Also from the show version command you will see I only have the factory default 2 AnyConnect premium licences.
You will need a Cisco CCO account; these are free to set up, and once you have one you can log into the licensing portal. From there (either using classic licences or SMART licences) > Get Licences > Demo and Evaluation > Security Products > AnyConnect Plus/Apex (ASA) Demo Licence and Emergency COVID-19 Licence > Next.
Enter the Serial Number of your ASA (from above). Here I asked for 10 users; you will get the maximum for your model of ASA, and if you don’t know what the maximum is, see this article > Next.
Review > Next.
You will be sent the licence by email (this has a habit of going into spam!), but I download them directly anyway.
Here’s your new activation key; copy it to the clipboard:
Execute the following commands:
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# activation-key a27ed158 406176b7 799f41f2 6184be43 12345678
Validating activation key. This may take a few minutes...
The requested key is a timebased key and is activated, it has 91 days remaining.
[/box]
Now if you recheck your AnyConnect Licence count, it will match the maximum for your hardware.
I Need More! Sorry buddy, you need to replace the hardware with a larger one.
Related Articles, References, Credits, or External Links
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
Below is a walk through for setting up a client to gateway VPN Tunnel using a Cisco Firepower ASA appliance. This was done via the ASDM console. The video was shot with ASA version 9.13(1) and ASDM 7.13(1).
Suggestion: If you are setting this up for the first time, I would suggest setting it up to use the ASA’s LOCAL database for usernames and passwords, (as shown in the video). Then once you have it working, you can change the authentication (AAA) to your preferred method (see links at bottom of page).
The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult so I will leave that procedure at the end just in case 🙂
Note: The ASDM cannot be used on the normal port (https) on the outside interface when using AnyConnect, because HTTPS (TCP port 443) needs to be free (and also, IMPORTANTLY, NOT ‘port-forwarded’ to a web server / Exchange server etc.) for this to work. To fix that, either change the port that AnyConnect is using (not the best solution!) or, a much better solution, change the port ASDM is using.
Solution
Setup AnyConnect From ASDM (Local Authentication)
In case you don’t want to watch a video! Launch the ASDM > Wizards > VPN Wizards > AnyConnect VPN Wizard > Next.
Give the AnyConnect profile a name, e.g. PF-ANYCONNECT (I capitalise any config that I enter, so it stands out when I’m looking at the firewall configuration) > Next > Untick IPSec > Next.
Note: You can use IPSec if you want, but you will need a Certificate pre-installed to do so!
Now you need to upload the AnyConnect client packages for each operating system that is going to want to connect.
Once the package (with a .pkg extension) is located, you can upload it directly into the firewall’s flash memory.
Repeat the process for each OS that will be connecting. (PLEASE! Don’t forget to add the macOS package! or your users will see THIS ERROR) > Next > As mentioned above I’m using LOCAL (on the ASA) authentication. I always set this up first, then test it, then if required, change the authentication method > If you don’t already have a LOCAL user created then add a username and password for testing > Next.
Next (unless you want to set up SAML) > Here I’ll create a new ‘Pool’ of IP addresses for my remote clients to use. You can also use an internal DHCP server for remote clients; again, I normally set up and test with a Pool from the ASA, then if I need to use a DHCP server I swap it over once I’ve tested AnyConnect. If that’s a requirement, see the following article;
Enter the DNS server(s) details for your remote clients > WINS? Who is still using WINS! > Domain name > Next > Tick ‘Exempt VPN traffic from network address translation’ > Next.
Next > Finish
DON’T FORGET TO SAVE THE CHANGES!! (File > Save Running Configuration to Flash)
Now any remote client attempting to connect to AnyConnect can install the client software directly from the firewall, (This is assuming you have not already installed it for them beforehand).
For Older Versions of the ASA/ASDM
Note: The information below is OBSOLETE. I only leave it here in case someone is running some VERY old versions of the ASDM and AnyConnect.
1. Open up the ASDM console > Click Wizards > SSL VPN Wizard.
2. Select “Both Options”. > Next.
3. Enter a connection name > If you have a certificate already select it here, or simply leave it on “-None-” and the ASA will generate an untrusted one. > Next.
4. For this example we are going to use the ASA’s Local database to hold our user database; however, if you want to use RADIUS/Windows IAS, select those options accordingly and then follow the instructions. Note: To set up IAS read my notes HERE > Enter a username and password.
5. Add. > Next
6. We are going to create a new policy in this case called SSL Users > Next.
7. You can now add bookmarks (Links on the VPN portal page) > Manage > Add > Type in a name > Add. > OK.
8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the web site > OK.
9. Add > OK.
10. OK.
11. Next.
12. Create an IP Pool (IP range to be leased to the VPN clients that is DIFFERENT to your LAN IP range) > New > enter a name, IP addresses, and the subnet mask > OK.
13. Point the ASA to the AnyConnect client you want to use (Note: you can upload a software image from your PC here as well) > Next > Accept the warning about NAT Exemptions (Note: if you do get a warning to add a NAT Exemption, see the note at the end).
14. Finish.
15. Before it will work you need to Select Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Double click the Connection profile you created earlier in step 3 > Enter a name in the Aliases section, e.g. AnyConnect > OK > Tick the box that says “Allow user to select connection profile by its alias…” > Apply.
16. File > Save running configuration to flash.
17. Connect externally to https://{public_IP} (Note: this has to be in the browser’s trusted site list) > Enter a username and password > Login.
18. You are now on the “Portal” site any bookmarks created above will be visible > Click the AnyConnect Tab.
19. Double click to launch AnyConnect.
20. The AnyConnect client will install if not used previously (the user needs to be a local admin) and connects.
NAT Exemptions: Note, if you received a warning about needing to add the remote VPN pool as a NAT Exemption (after step 13), you will need to add the following lines to the ASA.
Syntax:
[box]
access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}
nat (inside) 0 access-list {name}
Working example
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0
nat (inside) 0 access-list nonat
[/box]
WARNING: Make sure the name matches any existing no NAT ACLs or your IPsec vpns will fail!
Related Articles, References, Credits, or External Links
But if you want to use the native Windows VPN client you can still use L2TP over IPSEC. I had a look around the net to work out how to do this and most decent articles are written using the older versions of the ASDM, and the CLI information I found on Cisco’s site didn’t help either.
What I’m using
1. Cisco ASA5525 version 9.2(4) and ASDM version 7.6(1).
2. Network behind the ASA 192.168.110.0/24.
3. IP addresses of the remote clients 192.168.198.1 to 254 (DNS 192.168.110.10).
Configure the ASA 5500 for L2TP IPSEC VPNs from ASDM
1. From within the ASDM > Wizards > VPN Wizards > IPSec (IKEv1) Remote Access VPN Wizard.
2. Next.
3. Tick Microsoft Windows Client using L2TP over IPSEC > Tick MS-CHAP-V2 ONLY > Next.
4. Type in a pre-shared key > Next.
5. Select LOCAL authentication > Next.
6. Enter a username/password to use for connection to the VPN > Next.
7. Create a ‘VPN Pool‘ for the remote clients to use as a DHCP pool > OK > Next.
8. Enter your internal DNS server(s) and domain name > Next.
9. Set your internal network(s) > Tick “Enable Split tunnelling…” > Untick PFS > Next.
10. Finish.
11. Save the changes.
Configure the ASA 5500 for L2TP IPSEC VPNs from CLI
1. Connect to the ASA, go to “enable mode”, then to “configure terminal mode”.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)#
[/box]
2. First we need to create a “Pool” of IP addresses for the remote client to use.
[box]
PetesASA(config)# ip local pool L2TP-Pool 192.168.198.1-192.168.198.10
[/box]
3. Now to make sure the traffic that’s going to travel over our VPN is not NATTED.
Note: This is assuming that 192.168.100.0/24 is the remote VPN clients’ subnet, and 10.254.254.0/24 is the subnet BEHIND the ASA.
4. Normally when a remote client is connected they will lose all other connections (including their other internet connections) while connected, to stop this you need to enable “Split Tunnelling“. You will refer to this later but for now we just need to create an ACL.
[box]
PetesASA(config)# access-list Split-Tunnel-ACL standard permit 192.168.110.0 255.255.255.0
[/box]
5. We need a “Transform Set” that will be used for “Phase 2” of the tunnel, I’m going to use AES encryption and SHA hashing, then set the transform type to “Transport”.
6. Remote VPNs usually use a “Dynamic Cryptomap”, the following will create one that uses our transform set, then applies that to the firewalls outside interface.
7. Then enable IKE (version 1) on the outside interface, and create a policy that will handle “Phase 1” of the tunnel; in this case 3DES for encryption, SHA for hashing, and Diffie-Hellman group 2 for the secure key exchange.
8. Create a group policy that holds the following: the DNS server IP(s) that will be leased to the remote clients, the tunnel type (L2TP/IPSEC), split tunnelling enabled using the ACL we created in step 4, and the domain name that will be given to the remote clients. The “intercept-dhcp enable” looks after a Windows client problem. Finally, create a user and password.
Note: In this example I’m using the ASA’s local database of users for authentication.
9. Every tunnel needs a “Tunnel Group”. You HAVE TO use the DefaultRAGroup (unless you are securing things with certificates, which we are not). This pulls in the IP Pool we created in step 2 and the policy we created in step 8.
10. For the tunnel group, setup a shared key, and the authentication method for our clients.
Note: We are disabling CHAP and enabling MSCHAP v2.
[box]
PetesASA(config-tunnel-general)# tunnel-group DefaultRAGroup ipsec-attributes
PetesASA(config-tunnel-ipsec)# ikev1 pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# tunnel-group DefaultRAGroup ppp-attributes
PetesASA(config-ppp)# no authentication chap
PetesASA(config-ppp)# authentication ms-chap-v2
[/box]
11. Finally save the new config.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Configure Windows VPN client for L2TP IPSEC connection to Cisco ASA 5500
Note: Windows 10 Enterprise used.
1. Start > Settings > Network and Internet.
2. VPN > Add a VPN Connection.
3. VPN Provider = Windows (Built-in) > Connection Name = (A Sensible name) > Server name or Address = Public IP/Hostname of the ASA > Scroll Down.
4. VPN Type = L2TP/IPSEC with pre-shared key > Pre Shared Key = {the one you set on the firewall in our example 1234567890} > Type of sign-in information = Username and Password.
Note: You may want to untick “Remember my sign-in information” to supply a username and password each time.
5. Start > ncpa.cpl {Enter} > Right click your VPN connection profile > Properties.
6. Security Tab > Allow These Protocols > Tick “Microsoft CHAP version 2 (MS-CHAP v2)” > OK.
7. You can now connect your VPN.
Related Articles, References, Credits, or External Links
Packet tracer is a great tool; I wrote about it in the ‘Prove It’s Not the Firewall‘ article a while ago. A couple of months ago I was having a discussion with a colleague about packet tracing a remote VPN client to check connectivity. He said at the time, “It will behave differently if the IP you use is already connected”. I never really thought about it until today, when I was troubleshooting a client’s AnyConnect that they had ‘hair pinned‘ to another site.
So after I had finished I tested the theory on the bench to discover he was correct.
Solution
Results When The IP is NOT IN USE
I prefer to work at command line, so if I packet-trace the above connection (using normal HTTP port 80 for example) this is what I get:
[box]
Petes-ASA# packet-tracer input outside tcp 192.168.199.2 www 192.168.100.10 w$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.100.0 255.255.255.0 inside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.100.10/80 to 192.168.100.10/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any object Internal_HTTP_Server eq www
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.199.2/80 to 192.168.199.2/80
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5786108, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Petes-ASA#
[/box]
If you really must use the ASDM, here’s what it looks like in there:
Results When The IP is IN USE
So, if I connect my remote client and it gets an IP (for simplicity’s sake the same IP we used above), like so:
Then run the exact same test; here’s the result:
[box]
Petes-ASA# packet-tracer input outside tcp 192.168.199.2 www 192.168.100.10 www
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.100.0 255.255.255.0 inside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.100.10/80 to 192.168.100.10/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any object Internal_HTTP_Server eq www
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.199.2/80 to 192.168.199.2/80
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Petes-ASA#
[/box]
Again, the same thing in the ASDM;
So the moral of the story is, if you are testing, make sure the IP you are using for the remote client is NOT in use.
How do I know which AnyConnect IPs are in use? Simple: run the ‘show vpn-sessiondb anyconnect‘ command, like so:
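To make the difference between the two traces above easy to spot when you are testing many flows, here is a small parser for packet-tracer output that reports the first phase that returned DROP and the drop reason. This is an added example, not from the original post; the two sample traces are constructed abbreviations of the ‘IN USE’ and ‘NOT IN USE’ runs above (the phase names and drop reason are the page’s, the parser is mine).

```python
"""Parse Cisco ASA packet-tracer output and report where a flow is dropped.
Added example, not from the original post; sample traces are constructed."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
ACTION_RE = re.compile(r"Action:\s*(allow|drop)", re.I)
REASON_RE = re.compile(r"Drop-reason:\s*(.+)")


def parse_packet_tracer(text: str) -> dict:
    """Return {'phases': [...], 'action': 'allow'|'drop'|None, 'drop_reason': ...}.
    Each phase is {'phase': n, 'type': ..., 'subtype': ..., 'result': ...}."""
    phases, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Result:":          # a bare 'Result:' opens the summary block
            current = None
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": ""}
            phases.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
    # Search the whole text: some captures (as on this page) run
    # 'Action: drop' and 'Drop-reason: ...' together on one line.
    act = ACTION_RE.search(text)
    rsn = REASON_RE.search(text)
    return {"phases": phases,
            "action": act.group(1).lower() if act else None,
            "drop_reason": rsn.group(1).strip() if rsn else None}


def first_drop(parsed: dict):
    """(phase number, phase type) of the first DROP phase, or None if allowed."""
    for p in parsed["phases"]:
        if p["result"].upper() == "DROP":
            return p["phase"], p["type"]
    return None


def explain(parsed: dict) -> str:
    """One-line verdict; flags the WEBVPN-SVC drop the post describes, which
    means the source IP is already held by a connected AnyConnect session."""
    drop = first_drop(parsed)
    if drop is None:
        return "allowed (%d phases, none dropped)" % len(parsed["phases"])
    num, typ = drop
    msg = "dropped at phase %d (%s): %s" % (num, typ, parsed["drop_reason"] or "no reason given")
    if typ == "WEBVPN-SVC":
        msg += "; source IP is in use by a VPN session, retest with an unused pool address"
    return msg


# Constructed sample: the 'IP is IN USE' trace above, cut to three phases.
TRACE_IN_USE = """\
Petes-ASA# packet-tracer input outside tcp 192.168.199.2 www 192.168.100.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.100.0 255.255.255.0 inside

Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW

Phase: 9
Type: WEBVPN-SVC
Subtype: in
Result: DROP

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: the 'NOT IN USE' run, cut to its final phase.
TRACE_ALLOWED = """\
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Additional Information:
New flow created with id 5786108, packet dispatched to next module

Result:
Action: allow
"""

if __name__ == "__main__":
    for trace in (TRACE_IN_USE, TRACE_ALLOWED):
        print(explain(parse_packet_tracer(trace)))
```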
The bottom line is Remote Cisco IPSEC VPN is a dead technology; Cisco (and me!) want you to use AnyConnect. For a couple of users you can use the workarounds above, but that won’t scale well. So if you don’t want to ditch IPSEC VPN, then you will have to go with third party software to connect to your device. In this example I will use the NCP Secure Entry Client.
Solution
Configure the ASA, I’ve done this to death in the past, (read the links above), so here’s the config (taken from a firewall running version 9.x) to copy and paste in.
[box]
!
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
!
ip local pool PNL-POOL-IPSEC 192.168.198.1-192.168.198.254 mask 255.255.255.0
!
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
!
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
dns-server value 192.168.100.10
vpn-simultaneous-logins 3
default-domain value petenetlive.com
!
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
address-pool PNL-POOL-IPSEC
default-group-policy IPSEC-VPN
authentication-server-group LOCAL
tunnel-group IPSEC-VPN ipsec-attributes
ikev1 pre-shared-key Cisco123456
!
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set ikev1 transform-set TS-IPSEC-VPN
!
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYNAMIC-CRYPTO-MAP
!
crypto map CRYPTO-MAP interface outside
!
crypto ikev1 enable outside
!
object network OBJ-IPSEC-SUBNET
subnet 192.168.198.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-IPSEC-SUBNET OBJ-IPSEC-SUBNET no-proxy-arp route-lookup
!
[/box]
Points to Note:
I’m using 3DES and SHA1 for Phase 1 (ISAKMP) and Phase 2 (IPSEC).
The Network behind my ASA is 192.168.100.0/24.
I’ve allocated 192.168.198.0/24 to my remote VPN clients. (If you have a complicated network, ensure this is routable from the LAN back to the firewall!)
My interfaces are called inside and outside, yours might be different!
Crypto Map Warning: If you already have a crypto map applied to the outside interface, use the name of the existing one (i.e. NOT CRYPTO-MAP) or your existing VPNs will stop working! Issue a ‘show run crypto map‘ command to check.
I have not enabled PFS. (If I had it would have been in the crypto map).
Configure NCP Entry Client
OK, it’s not free, but you do get a 30 day trial to give it a test run and see if you like it. Once installed and rebooted, launch the software. Configuration > Profiles > Add/Import > Link to Corporate Network Using IPSEC > Next.
Note: As indicated below if you have a PCF file you can import that.
Give the profile a name, e.g. ‘Connection to Office’ > Next > Communication Medium = LAN (over IP) > Next > Gateway = Public name or IP of your Cisco ASA > User ID details is the username and password that you need to enter to connect (Note: Not the Group name and pre-shared key) > Next.
Usernames should be supplied by your firewall admin (tell them to issue a ‘show run | begin username’ command).
Exchange Mode = Aggressive Mode > PFS Group = {blank} > Next > Local Identity IKE Type = ‘Free string used to identify groups’ > ID = {Your Tunnel Group-Name} > Shared Secret = {Your Group Pre-Shared-Key} > Next.
Tunnel group name, and Pre-Shared Keys also need to be given to you by your firewall admin. Ask them to run ‘more system:running-config | begin tunnel-group‘ if they don’t know.
Change IP Address Assignment to IKE Config Mode > Next > Firewall (leave it off) > Finish.
OK > Click switch to enable.
It Won’t Work?
On the client you can go to Help > Logbook to see what the problem is.
On the firewall, ‘debug crypto isakmp 255‘ will debug phase 1 and ‘debug crypto ipsec sa 255‘ will debug phase 2.
Related Articles, References, Credits, or External Links
You would like to enable remote access for your clients using the Cisco VPN Client software.
Solution
Before you start, you need to ask yourself “Do I already have any IPSEC VPNs configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto isakmp” command and check the results; if you do NOT see “crypto isakmp enable outside” then you need to issue that command.
[box]
PetesASA# show run crypto isakmp
crypto isakmp enable outside << Mine’s already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#
[/box]
1. Firstly we need to set up Kerberos AAA. If you wanted to use the ASDM to do this CLICK HERE; however, to do the same via command line see the commands below (so my DC is at 10.254.254.5 and the domain is petenetlive.com). Note: you could use LOCAL or RADIUS for authentication as well, but as the title states we are using Kerberos 🙂
2. Set up a range of IP addresses for the remote clients to use. Note: DON’T use the same IP range as your internal network (that’s a common error!). In this example I’m only going to have a range of 10 IP addresses.
[box]
PetesASA(config)#
PetesASA(config)# ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
PetesASA(config)#
[/box]
3. Now I’m going to create two access control lists: one for “Split Tunneling” (so when my remote clients connect, they can still browse the internet from their remote location), and the second one to STOP the ASA performing NAT on the traffic that travels over the VPN.
Warning: If you already have NAT excluded traffic on the firewall (for other VPNs) this will BREAK THEM. To see if you do, issue a “show run nat” command; if you already have a nat (inside) 0 access-list {name} entry, then use that {name}, NOT the one in my example.
So below I’m saying “Don’t NAT Traffic from the network behind the ASA (10.254.254.0) that’s going to the remote clients (10.253.253.0) that we set up in step 2″.
4. Now we need to create a “Group Policy”; this will specify that we are going to use split-tunneling, what type of VPN it is (IPSEC), and the domain name and DNS server for the policy.
[box]
PetesASA(config)#
PetesASA(config)# group-policy IPSEC-VPN-POLICY internal
PetesASA(config)# group-policy IPSEC-VPN-POLICY attributes
PetesASA(config-group-policy)# vpn-tunnel-protocol IPSec
PetesASA(config-group-policy)# split-tunnel-policy tunnelspecified
PetesASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
PetesASA(config-group-policy)# dns-server value 10.254.254.5
PetesASA(config-group-policy)# default-domain value PETENETLIVE.COM
PetesASA(config)#
[/box]
5. Next we create a tunnel group and tell that group to use the policy we created above; we also specify the Kerberos AAA we created, the IP Pool, and lastly we set up a shared key.
NOTE: This sets up two of the three pieces of information that you need to enter into the VPN Client software, the tunnel group goes in the “Name” section, and the pre-shared-key goes in the “Password” section HERE.
6. Lastly we need to create a “Dynamic Cryptomap”, then get that cryptomap to use the transforms we have just created.
Note: I’ve also enabled NAT-Traversal here as well. Sometimes the client software will connect successfully and pass no traffic; if that happens, 99% of the time it’s a NAT problem, caused by either mis-configured NAT on the ASA, or a device somewhere in the VPN tunnel’s path that’s performing NAT and breaks the traffic flow. NAT-Traversal fixes this, so let’s turn it on anyway to be on the safe side 🙂
(This method uses the ASA to hold the user database.) To use RADIUS CLICK HERE; to use Kerberos CLICK HERE.
KB ID 0000070
Problem
Note: IPSEC VPN is still possible, but getting Windows clients working is a little sketchy, and you will have to mess about with them to get them to work on modern versions of Windows. (Mac OSX and iPhone/iPad can connect with their built in VPN software though).
Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance. This is done via the ASDM console.
It also uses the Cisco VPN client. This is no longer available from Cisco; see the following article.
1. Open up the ASDM console > Click Wizards > VPN Wizard.
2. Select “Remote Access”. > Next.
3. Select Cisco VPN Client. > Next.
4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. “RemoteVPN”. > Next.
5. Select “Authenticate using the local user database”. > Next.
6. Now create a user, for this exercise I’ve created a user called user1 with a password of password1
7. Click Add. > Next.
8. Now we need to create some IP addresses that the remote clients will use when connected. > Click New
9. Give the Pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DON’T have to be on the same network as your internal IPs – in fact, for auditing it’s good practice to make them different). > Enter a Subnet Mask. > OK.
10. Click Next.
11. Enter the details you want the remote clients to use while connected: DNS servers, WINS servers and domain name. > Next.
12. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note some Cisco VPN clients will not support AES). > Next
13. Again leave it on the default of 3DES and SHA. > Next.
14. You can choose what IP addresses you want the remote VPN clients to have access to, first change the dropdown to “Inside”, here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.
NOTE: If you do not tick the box to enable “Split Tunneling”, the client cannot browse the internet etc. while connected via VPN.
15. Review the information at the end of the wizard. > Finish.
16. Now you need to save the changes you have just made. From the ASDM select File > “Save running configuration to flash”.
Step 2 Configure the Client VPN Software on the remote client.
1. I’ll assume you have the software installed; you can get it from two places, on the CD that came with the ASA, or download it direct from Cisco (NOTE: this needs a valid Cisco CCO account and a service contract). > Click New.
2. Under connection entry give the connection a name e.g. “Remote VPN to Office” > Under “Host” enter the Public IP of the ASA (NOTE: I’ve blurred this one out to protect my IP address). > Under “Name” enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE: these are NOT the usernames and passwords you created in Step 1 number 6. > Click Transport Tab.
3. Accept the defaults but tick “Allow LAN access” if you want to be able to access YOUR drives etc. from the network behind the ASA. > Save.
4. Select the Connection you have just created. > Connect.
5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK.
6. After a few seconds (provided the details were all right) it will connect; hover over the padlock in your task tray and it should say “VPN Client – Connected”.
Create Additional Users on the ASA
1. Open the ASDM and navigate to Configuration > VPN > General > Users > Add.
2. Give the user a name > Enter and confirm a password > Set the Privilege Level to 0 > Then Select the VPN Policy Tab
3. Under Group Policy untick “Inherit” > Select RemoteVPN (the policy you set in Step 1 Number 4) > OK.
4. You will now see the user listed. (Don’t forget to save the settings: File > “Save Running Configuration to Flash”).
I haven’t needed to use my AnyConnect for a long time. But this week I needed to spin up some test servers. I connected fine, but I could not access the ASA via telnet, SSH or ASDM.
Solution
1. Traditionally all you needed to do to manage an ASA from a remote VPN session, was to set the management-access to inside.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# management-access inside
[/box]
2. Post version 8.3 you also need to have the route-lookup keyword on the end of the NAT statement (the one that stops the remote VPN subnet being NATed).
[box]
PetesASA# show run nat
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_24 NETWORK_OBJ_10.253.253.0_24 no-proxy-arp route-lookup
[/box]
3. Finally make sure you have the same-security-traffic permit intra-interface command enabled.
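As an added example (not part of the original article, and not a Cisco tool), the script below audits a saved `show run` against the three management-access requirements above and the split-tunnel note from the ASDM wizard section. The running-config excerpt and the pool object name NETWORK_OBJ_10.253.253.0_24 are constructed for the example; point it at your own `show run` output and pool object.

```python
import re

# Constructed 'show run' excerpt (not from the page's ASA). Split tunneling and
# management-access are set, but the VPN-pool NAT exemption is missing the
# route-lookup keyword, so the audit reports exactly one finding.
SAMPLE_RUN = """\
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.253.253.0_24
 subnet 10.253.253.0 255.255.255.0
group-policy IPSEC-VPN-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_24 NETWORK_OBJ_10.253.253.0_24 no-proxy-arp
management-access inside
"""


def audit_ra_vpn(running_config, vpn_pool_object):
    """Check a running config for the settings the walkthrough relies on.

    Returns a list of finding strings; an empty list means every check passed.
    vpn_pool_object is the network object that names the remote VPN pool."""
    lines = [line.strip() for line in running_config.splitlines()]
    findings = []

    # Step 1: management-access <interface> must be present
    if not any(re.fullmatch(r"management-access \S+", line) for line in lines):
        findings.append("management-access is not set on any interface")

    # Step 3: VPN clients reach the inside interface via the outside interface
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("same-security-traffic permit intra-interface is missing")

    # Step 2: the NAT exemption for the pool must carry route-lookup (8.3+)
    exemption = f"destination static {vpn_pool_object} {vpn_pool_object}"
    nat_lines = [line for line in lines if line.startswith("nat ") and exemption in line]
    if not nat_lines:
        findings.append(f"no NAT exemption found for {vpn_pool_object}")
    for line in nat_lines:
        if "route-lookup" not in line.split():
            findings.append("VPN-pool NAT exemption lacks route-lookup: " + line)

    # Wizard step 14 note: without tunnelspecified, clients have no internet access
    if "split-tunnel-policy tunnelspecified" not in lines:
        findings.append("no split-tunnel-policy tunnelspecified: clients cannot browse the internet while connected")

    return findings


if __name__ == "__main__":
    for finding in audit_ra_vpn(SAMPLE_RUN, "NETWORK_OBJ_10.253.253.0_24"):
        print("FINDING:", finding)
```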