Aug 06

Configuring AnyConnect SSL VPN Client Connections

Overview

ASA: 8.3+ (Written/Tested on 9.0)

Authentication: Local (Local ASA User Database)

Type: Split-tunnel OR Non split-tunnel

The below configurations will work with 8.3+, but was written and tested with 9.0.  When setting up a Anyconnect VPN tunnel, you can push all traffic from the client over the VPN (Tunnel all) or you can use a split tunnel to only push traffic destined for selected subnets over the VPN tunnel.  In laymen terms, the clients internet traffic originates from their ISP in a split tunnel, and it originates from the ASA when using tunnel all.  The below configuration examples assume you have a basic setup equivalent to running factory-default and are setup to authenticate locally to the ASA.  I will give examples of each configuration below.

Network Diagram

Network Diagram Anyconnect VPN

The ASA has a command that gives an overview of how to configure an Anyconnect SSL VPN, which in global configuration mode is vpnsetup ssl-remote-access steps.  Here are the results of that command:

There are a few important things to note from Cisco’s directions:

  1. They are using the default names for configuring the group policy and tunnel groups, which will throw a warning that they already exist since they’re defaults
  2. The directions do not specify that you MUST attach the VPN Address pool to the tunnel group, which is necessary for it to work!
  3. They do not include how to create a split tunnel or a tunnel all to allow internet from the Anyconnect client.
  4. They are using outdated “svc” commands, which were replaced with “anyconnect”.

With that said, let’s move on to the configurations!

Anyconnect Configuration 1: Tunnel All

 Anyconnect Configuration 2: Split Tunnel

 

Testing the Configuration

Open a web browser, connect to your ASA (https://vpn.domain.com OR https://172.31.100.1), and you’ll be prompted to login.  You can login with the user account you’ve created in the configuration above.  The Anyconnect client will automatically install, if it fails you may need to download and manually install it.  Once installed, you can connect to your ASA by the outside interface (vpn.domain.com OR 172.31.100.1) and authenticate with the user you’ve created.

Additional Notes

You may wish to use a 3rd party SSL certificates (ie: Verisign, Thawte, Godaddy, etc) so end users do not get prompted about certificate warnings.  Cisco ASA’s will regenerate it’s certificate upon reboot, and due to this you should create a self signed certificate whenever you cannot use a 3rd party.  You can create the self signed certificate as follows:

 

Jul 28

How to Configure a Cisco ASA Site-to-Site IPSec VPN

This article will explain how to configure a Site-to-Site IPSec VPN using Cisco ASA 55XX’s using IKEV1.  My example below shows how to configure VPN’s between 3 sites but can be modified for the following scenarios without much explanation:

  • site-to-site VPN between 2 sites (Just remove SiteC… duh!)
  • site-to-site to 3+ sites (just follow the example and modify for a N+1 sites.  If You’re doing more than 3 sites, you may wish to look at a hub and spoke model to simply the network and backups, etc)
  • Hub and spoke VPN, where 2 remote offices only connect to a main office (If SiteA is the Hub, on SiteB remove the SiteC configuration, on SiteC remove the SiteB configuration, etc…)

Overview

Network Diagram

ASA_Multi_Site-to-site_IPSEC_VPN

Network Diagram

Phase 1 Settings

Attribute Value
Authentication Preshared Keys
Encryption 3DES
Hash MD5
DH Group Group 2
Lifetime 86400 seconds

Phase 2 Settings

Attribute Value
Mode Tunnel
Encryption 3DES
Hash SHA-1
PFS Enabled
Lifetime 86400 seconds

Configure SiteA

 

Configure SiteB

Configure SiteC

 

Further Info

I would suggest using IKEV2 for a Site-to-Site VPN, and I’ll outline the steps a in future article once I get time to write it up…. Stay tuned!