Wednesday, April 30, 2014

HOWTO: Basic Cisco ASA AnyConnect VPN 8.3+

This is a brief how-to style guide for configuring an AnyConnect remote access VPN on an ASA running version 8.3(1) or greater.  The example below uses split tunneling and local authentication.  RADIUS authentication will be covered in a future post. (update: see here)


Before beginning, verify you have the AnyConnect essentials license (without this license, only two simultaneous sessions are permitted).
asa# sh ver | inc AnyConnect
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : 25             perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
asa#

The following steps configure an AnyConnect VPN between the 10.10.10.0/24 VPN subnet and 192.168.10.0/24 LAN subnet.

Step 1) Create object for AnyConnect subnet:
asa(config)# object network ANYCONNECT-VPN-10.10.10.0_24
asa(config-network-object)# subnet 10.10.10.0 255.255.255.0
asa(config-network-object)# exit 
asa(config)#

Step 2) Create ACL for split tunneling VPN traffic:
asa(config)# access-list SplitTunnelACL standard permit 192.168.10.0 255.255.255.0
asa(config)#

Step 3) Create IP pool for AnyConnect clients:
asa(config)# ip local pool AnyConnect-pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
asa(config)#

Step 4) Configure NAT identity statement (8.3+ equivalent of nonat):
asa(config)# nat (inside,outside) source static INTERNAL-LAN-192.168.10.0_24 INTERNAL-LAN-192.168.10.0_24 destination static ANYCONNECT-VPN-10.10.10.0_24 ANYCONNECT-VPN-10.10.10.0_24
asa(config)#

The above NAT identity statement assumes your internal LAN network object is defined as follows.  Modify as necessary based upon your IP scheme.
object network INTERNAL-LAN-192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0

Step 5) Enable webvpn on the outside interface, configure the ASA to web-deploy the AnyConnect client, and enable AnyConnect:
asa(config)# webvpn
asa(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
asa(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
asa(config-webvpn)# anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
asa(config-webvpn)# anyconnect image disk0:/anyconnect-linux-64-3.1.03103-k9.pkg 3
asa(config-webvpn)# anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 4
asa(config-webvpn)# anyconnect enable
asa(config-webvpn)# exit
asa(config)#

Step 6) Configure a group-policy (change dns-server and default-domain accordingly):
asa(config)# group-policy AnyConnect-policy internal
asa(config)# group-policy AnyConnect-policy attributes
asa(config-group-policy)#  dns-server value 8.8.8.8
asa(config-group-policy)#  vpn-tunnel-protocol ssl-client
asa(config-group-policy)#  split-tunnel-policy tunnelspecified
asa(config-group-policy)#  split-tunnel-network-list value SplitTunnelACL
asa(config-group-policy)#  default-domain value cloud10solutions.local
asa(config-group-policy)#  address-pools value AnyConnect-pool
asa(config-group-policy)# exit
asa(config)#

Step 7) Apply the address-pool and group-policy to a tunnel-group (in this case, the DefaultWEBVPNGroup):
asa(config)# tunnel-group DefaultWEBVPNGroup general-attributes
asa(config-tunnel-general)# address-pool AnyConnect-pool
asa(config-tunnel-general)# default-group-policy AnyConnect-policy
asa(config-tunnel-general)# exit
asa(config)#

Step 8) If using local authentication, create local users for remote access:
asa(config)# username vpnuser password p@ssw0rd
asa(config)# username vpnuser attributes
asa(config-username)# service-type remote-access
asa(config-username)# exit
asa(config)#
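The pieces configured in steps 1 through 7 only work together when they agree: the pool must fall inside the VPN network object used in the identity NAT, the split-tunnel ACL must be the one the group-policy references, and the identity NAT must cover the LAN networks that ACL tunnels. The following Python script is an added example, not part of the original post: it parses a constructed config fragment mirroring the steps above (the object, ACL, pool and policy names are the ones used here) and reports any mismatch. It understands only the command forms this how-to uses.

```python
import ipaddress
import re

# Constructed sample mirroring the steps above (not a dump from a real device).
SAMPLE_CONFIG = """
object network INTERNAL-LAN-192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network ANYCONNECT-VPN-10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
access-list SplitTunnelACL standard permit 192.168.10.0 255.255.255.0
ip local pool AnyConnect-pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
nat (inside,outside) source static INTERNAL-LAN-192.168.10.0_24 INTERNAL-LAN-192.168.10.0_24 destination static ANYCONNECT-VPN-10.10.10.0_24 ANYCONNECT-VPN-10.10.10.0_24
group-policy AnyConnect-policy attributes
 split-tunnel-network-list value SplitTunnelACL
 address-pools value AnyConnect-pool
"""

def parse(cfg):
    """Collect network objects, standard ACLs, pools, identity-NAT pairs and group-policy refs."""
    objects, acls, pools, nats, gp, cur = {}, {}, {}, [], {}, None
    for s in (line.strip() for line in cfg.splitlines()):
        if m := re.match(r"object network (\S+)$", s):
            cur = m[1]                      # the next 'subnet' line belongs to this object
        elif m := re.match(r"subnet (\S+) (\S+)$", s):
            objects[cur] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", s):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", s):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2$", s):
            nats.append((m[1], m[2]))       # identity (no-NAT) pair: (LAN object, VPN object)
        elif m := re.match(r"(split-tunnel-network-list|address-pools) value (\S+)$", s):
            gp[m[1]] = m[2]
    return objects, acls, pools, nats, gp

def audit(cfg):
    """Return findings as strings; an empty list means the AnyConnect pieces agree."""
    objects, acls, pools, nats, gp = parse(cfg)
    pool = pools.get(gp.get("address-pools"))
    acl = acls.get(gp.get("split-tunnel-network-list"))
    findings = [f"group-policy {ref} refers to an undefined name"
                for ref, val in (("address-pools", pool), ("split-tunnel-network-list", acl)) if val is None]
    # Identity NAT must span the whole pool and every split-tunnel network, or VPN traffic gets translated.
    if pool and acl and not any(
            pool[0] in objects[v] and pool[1] in objects[v]
            and all(n.subnet_of(objects[l]) for n in acl)
            for l, v in nats if l in objects and v in objects):
        findings.append("no identity NAT covers pool -> split-tunnel LAN traffic")
    return findings
```

Run `audit()` over the AnyConnect-related lines of `show running-config`; it is most useful after changing the pool or LAN addressing, where a stale identity NAT is the usual cause of a client that connects but cannot reach the LAN.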

You should now be able to connect to your AnyConnect VPN:
asa# sh vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      1 :          1 :           1 :        0
  SSL/TLS/DTLS               :      1 :          1 :           1 :        0
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :     25
Device Load                  :     4%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
AnyConnect-Parent            :      1 :          1 :               1
SSL-Tunnel                   :      1 :          1 :               1
DTLS-Tunnel                  :      1 :          1 :               1
---------------------------------------------------------------------------
Totals                       :      3 :          3
---------------------------------------------------------------------------

asa#

4 comments:

  1. Thank you for your post, I hope that can help me.

    1. Glad to help! Feel free to post any questions you might have.

  2. What exactly is the meaning of 'peak concurrent'? Is it possible that I have the base license of 2 and I have 50 users, and still the peak concurrent shows 1?

    1. "Peak concurrent" indicates the most users that have been connected at once. If "peak concurrent" shows 1, that means no more than one user has been connected to the VPN at the same time.
