Cisco ASA Anyconnect Template 8.3+

Anyconnect along with webvpn is Cisco’s SSL VPN and portal. It works great.

This is my homegrown template for implementing the Anyconnect VPN. There are somethings to note with it. 1. You need to update your VPN client for the OS you need from Cisco. I know there were many issues with Windows 8, and they all seem to be fixed with the new client. 2. This Template works great on 8.3 and above. The steps are made to work with a pretty vanilla config. If you already have a bunch of config it might take some tweaking to work with your other settings.

I will paste the whole config at the bottom of the entry and you can just copy, rename things and paste in. So, lets review what is needed to get anyconnect up and working, and what these parts actually do.

If anyone has anything to contribute feel free to comment.

1. So, lets create the subnets we want for our VPN. I am choosing to use 10.253.241.0/24 for my “Anyconnect” profile. I like to use objects my networks because you can reference them throughout your config and its a great way to keep organized.
object network Anyconnect-Subnet
 subnet 10.253.241.0 255.255.255.0
object network Internal-Lan
 subnet 10.1.10.0 255.255.255.0

This created my Internal subnet, and Anyconnect Subnet.

2. Create a IP pool for your subnet (Remember, you can have multiple pools if you need to have multiple Groups/Portals)

.ip local pool Anyconnect-VPN-Pool 10.253.241.10-10.253.241.100 mask 255.255.255.0

3. I want to use split tunnel for my VPN users, so I will create an ACL for my internal LAN. Applying this will make any subnet in the ACL get pushed to the clients routing table. This means that only the needed subnets come across the VPN.

access-list Split-Tunnel standard permit 10.1.10.0 255.255.255.0

Speaking of the Split tunnel ACL, you could do a group in the ACL and if you add a lot of networks in your organization you could just drop the new network in the group and everything would get updated dynamically.

Next lets configure the Webvpn options. WebVPN? Whats that, weren’t we configuring Anyconnect? Well true, Anyconnect and WebVPN are completley different. Webvpn is the https://portal that you logged into. By logging into this page you can give the client links/bookmarks to internal resource, and give them a platform to download the Anyconnect client. Anyconnect is the actual VPN client that connects the user to internal resources. So lets get our Webvpn enabled and select the image we want to use. In this case its the newest windows image. Also note – I have the login page show the tunnel groups that are enabled. If I had multiple groups – lets say one for Traveling salesman and one for Internal Employees, each might have different bookmarks/links , different IP subnets, and different resources they are allowed to get to.

webvpn
 enable inside
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

4. Now lets create the Group policy to use for our Anyconnect session. A Group Policy is “is a set of user-oriented attribute/value pairs for IPSec/SSL connections that are stored either internally (locally) on the device or externally on a RADIUS or LDAP server. A tunnel group uses a group policy that sets terms for user connections after the tunnel is established. ” – From Cisco. The Group policy allows use to specify a lot of settings that any tunnel using the GP will get. For example DNS servers, and the Split-Tunnel policy.
group-policy Anyconnect internal
group-policy Anyconnect attributes
 dns-server value 10.1.10.5 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

5. Next we will configure the Tunnel-group for this network. Tunnel groups contain a small number of attributes that pertain to creating the tunnel itself. Tunnel groups include a pointer to a group policy that defines user-oriented attributes. Some of these attributes are the DHCP Pool, what kind of encryption , etc.

tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool Anyconnect-VPN-Pool
 default-group-policy Anyconnect

tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable

6. In this case I am using local authentication – Not using LDAP or Radius. So i will create the user and assign the user to the correct Group Policy

username <value> password <value>
username <value> attributes
 vpn-group-policy Anyconnect
 service-type remote-access

7. One of the most important things to do is make sure our “No-Nat” is there.

nat (inside,outside) source static Internal-Lan Internal-Lan destination static Anyconnect-Subnet Anyconnect-Subnet
nat (inside,outside) source static Anyconnect-Subnet Anyconnect-Subnet destination static Internal-Lan Internal-Lan

Thats it. Everything works great. Below is the template only

ip local pool Anyconnect-VPN-Pool 10.253.241.10-10.253.241.100 mask 255.255.255.0

object network Anyconnect-Subnet
 subnet 10.253.241.0 255.255.255.0
object network Internal-Lan
 subnet 10.1.10.0 255.255.255.0

access-list Split-Tunnel standard permit 10.1.10.0 255.255.255.0

webvpn
 enable inside
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

group-policy Anyconnect internal
group-policy Anyconnect attributes
 dns-server value 10.1.10.5 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool Anyconnect-VPN-Pool
 default-group-policy Anyconnect
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
!
username <value> password <value>
username <value> attributes
 vpn-group-policy Anyconnect
 service-type remote-access

nat (inside,outside) source static Internal-Lan Internal-Lan destination static Anyconnect-Subnet Anyconnect-Subnet
nat (inside,outside) source static Anyconnect-Subnet Anyconnect-Subnet destination static Internal-Lan Internal-Lan
!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: