Aug 06

Configuring AnyConnect SSL VPN Client Connections

Overview

ASA: 8.3+ (Written/Tested on 9.0)

Authentication: Local (Local ASA User Database)

Type: Split-tunnel OR Non split-tunnel

The below configurations will work with 8.3+, but was written and tested with 9.0.  When setting up a Anyconnect VPN tunnel, you can push all traffic from the client over the VPN (Tunnel all) or you can use a split tunnel to only push traffic destined for selected subnets over the VPN tunnel.  In laymen terms, the clients internet traffic originates from their ISP in a split tunnel, and it originates from the ASA when using tunnel all.  The below configuration examples assume you have a basic setup equivalent to running factory-default and are setup to authenticate locally to the ASA.  I will give examples of each configuration below.

Network Diagram

Network Diagram Anyconnect VPN

The ASA has a command that gives an overview of how to configure an Anyconnect SSL VPN, which in global configuration mode is vpnsetup ssl-remote-access steps.  Here are the results of that command:

There are a few important things to note from Cisco’s directions:

  1. They are using the default names for configuring the group policy and tunnel groups, which will throw a warning that they already exist since they’re defaults
  2. The directions do not specify that you MUST attach the VPN Address pool to the tunnel group, which is necessary for it to work!
  3. They do not include how to create a split tunnel or a tunnel all to allow internet from the Anyconnect client.
  4. They are using outdated “svc” commands, which were replaced with “anyconnect”.

With that said, let’s move on to the configurations!

Anyconnect Configuration 1: Tunnel All

 Anyconnect Configuration 2: Split Tunnel

 

Testing the Configuration

Open a web browser, connect to your ASA (https://vpn.domain.com OR https://172.31.100.1), and you’ll be prompted to login.  You can login with the user account you’ve created in the configuration above.  The Anyconnect client will automatically install, if it fails you may need to download and manually install it.  Once installed, you can connect to your ASA by the outside interface (vpn.domain.com OR 172.31.100.1) and authenticate with the user you’ve created.

Additional Notes

You may wish to use a 3rd party SSL certificates (ie: Verisign, Thawte, Godaddy, etc) so end users do not get prompted about certificate warnings.  Cisco ASA’s will regenerate it’s certificate upon reboot, and due to this you should create a self signed certificate whenever you cannot use a 3rd party.  You can create the self signed certificate as follows:

 

Jul 28

How to Configure a Cisco ASA Site-to-Site IPSec VPN

This article will explain how to configure a Site-to-Site IPSec VPN using Cisco ASA 55XX’s using IKEV1.  My example below shows how to configure VPN’s between 3 sites but can be modified for the following scenarios without much explanation:

  • site-to-site VPN between 2 sites (Just remove SiteC… duh!)
  • site-to-site to 3+ sites (just follow the example and modify for a N+1 sites.  If You’re doing more than 3 sites, you may wish to look at a hub and spoke model to simply the network and backups, etc)
  • Hub and spoke VPN, where 2 remote offices only connect to a main office (If SiteA is the Hub, on SiteB remove the SiteC configuration, on SiteC remove the SiteB configuration, etc…)

Overview

Network Diagram

ASA_Multi_Site-to-site_IPSEC_VPN

Network Diagram

Phase 1 Settings

Attribute Value
Authentication Preshared Keys
Encryption 3DES
Hash MD5
DH Group Group 2
Lifetime 86400 seconds

Phase 2 Settings

Attribute Value
Mode Tunnel
Encryption 3DES
Hash SHA-1
PFS Enabled
Lifetime 86400 seconds

Configure SiteA

 

Configure SiteB

Configure SiteC

 

Further Info

I would suggest using IKEV2 for a Site-to-Site VPN, and I’ll outline the steps a in future article once I get time to write it up…. Stay tuned!

 

May 21

Convert a WLC LDPE Image to Non-LDPE

If you ever purchase a used Cisco Wireless LAN Controller or receive one on RMA, you may run into an issue when you attempt to upgrade the image and receive the following error:

ERROR: Incompatible SW image.ERROR: Please install the Data Payload Encryption licensed image

This issue occurs because the Controller has an LDPE image installed, which is only needed in Russia where Data DTLS Payload Encryption is regulated by the Government.  Cisco only recommends using this image if you reside in Russia.  To resolve this issue and put the standard image on, follow these steps:

Step 1 – Confirm you have an LDPE image installed

From the console, enter the show sysinfo command and confirm the build type is DATA + WPS + LDPE

Build Type Data + WPS + LDPE

Step 2 – Upgrade to LDPE Image version 7.0.230.0

LDPE Image version 7.0.230.0 (ex: AIR-CT5500-LDPE-K9-7-0-230-0.aes for a 5508) introduced the ability to move to a normal image once a DTLS license is installed (Resolved Caveat CSCtw78061).  If the product version is not already on that image, download it, and install it.

Step 3a – Confirm a DTLS License is Installed

From the console, enter the show license summary and ensure under the Feature: data encryption section it shows License State: Active, In Use.  If you see this, then continue to step 4, otherwise you must download a free DTLS license and install it.

Data Encryption License State

Step 3b – Download a DTLS License

  1. Go to https://tools.cisco.com/SWIFT/LicensingUI/Quickstart
  2. Click Get New->IPS, Crypto, Other Licenses
    Get New->IPS,Crypto,Other Licenses
  3. Click Wireless, then click Cisco Wireless Controllers (2500/5500/7500/WISM2) DTLS License
    Cisco Wireless Controllers (2500/5500/7500/WISM2) DTLS License
  4. Choose the Controller Platform, enter the Product ID, enter the Serial Number, and click Next
    1. You can retrieve the PID and SN by running show license UDI at the console

    Specify Target and Options

  5. Select I agree with the Terms of the License, confirm your email address, and click Get License

Step 3c – Install the DTLS License

  1. Copy the DTLS license to the root of your TFTP server
  2. At the console, run the following command to install your license
    1. license install tftp://<TFTP_IP>/XXXX.lic
    2. Replace <TFTP_IP> with the IP address of your TFTP servver
    3. Replace XXXX.lic with the name of your license
  3. Save your configuration and reboot the WLC
    1. save config
    2. reset system

Step 4 – Install the Non-LDPE Image

You can now install any Non-LDPE Image as needed!

Dec 29

BackupRouters-TelnetToLocal.pl