ASA AnyConnect SSL VPN with PSK
Courtesy Poonam
Configuration on ASA (pre-config)
ASA Version 8.4(2)
enable
!
configure terminal
!
hostname ASA
domain-name nh.com
passwd cisco
enable password cisco
username cisco password cisco privilege 15
!
interface GigabitEthernet2
nameif VLAN18
ip address 10.1.18.8 255.255.255.0
no shutdown
!
interface GigabitEthernet1
vlan 100
nameif VLAN100
ip address 10.1.100.8 255.255.255.0
no shutdown
!
interface GigabitEthernet0
nameif VLAN38
ip address 10.1.38.8 255.255.255.0
no shutdown
!
policy-map global_policy
class inspection_default
inspect icmp
!
router eigrp 111
no auto-summary
network 10.1.18.0 255.255.255.0
network 10.1.100.0 255.255.255.0
network 10.1.38.0 255.255.255.0
redistribute static metric 10000 100 255 1 1500
!
same-security-traffic permit inter-interface
!
logging enable
logging buffered debugging
!
ntp server 150.1.1.1
SSL VPN CONFIGURATION ON ASA
Step 1: Copy the AnyConnect package to flash:
copy tftp://10.1.100.100/anyconnect-win-3.1.02026-k9.pkg flash:/anyconnect-win-3.1.02026-k9.pkg
Step 2: Enable webvpn on the outside-facing interface and register the client image
webvpn
enable VLAN100
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
anyconnect enable
tunnel-group-list enable (allows the user to select the tunnel-group used for login and authentication from the VPN portal)
Step 3: Configure the split-tunnel access-list and the local IP pool from which AnyConnect clients are assigned an address when they connect to the gateway.
access-list SPLIT_TUNNEL standard permit 10.1.18.0 255.255.255.0
ip local pool ANYCONNECT_POOL 20.0.0.1-20.0.0.254
Step 4: Configure the group policy. Group policy information is referenced by the VPN connection profile (tunnel-group) and by user accounts. Through a group policy we can define the tunneling protocol, split-tunnel ACL, access hours, simultaneous logins, tunnel-group lock, VLAN restriction, maximum connection time, idle timeout, etc.
group-policy SSLVPN internal
group-policy SSLVPN attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
Step 5: Configure advanced group-policy options for the AnyConnect client, in the webvpn sub-mode of the group-policy.
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl compression deflate
Step 6: Now define the connection profile (tunnel-group). The tunnel-group is used for login and authentication from the VPN portal.
Bind the group policy and the address pool to the tunnel-group:
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
default-group-policy SSLVPN
address-pool ANYCONNECT_POOL
!
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable (defines the name shown on the logon page for tunnel-group selection)
authentication aaa
!
username SSLVPN password cisco
username SSLVPN attributes
group-lock value SSLVPN (the group-lock attribute restricts this user to the tunnel-group SSLVPN only)
Configuration on R3
Image: c3725-advsecurity-k9-mz.124-15.T9.bin
hostname R3
no ip domain-lookup
ip domain name nh.com
!
logging console debugging
logging monitor informational
logging buffered informational
no service timestamps
!
!
line console 0
logging synchronous
exec-timeout 0 0
privilege level 15
!
line vty 0 4
password cisco
logging synchronous
login local
!
enable password cisco
username cisco privilege 15 password cisco
!
interface FastEthernet0/0
ip address 10.1.38.3 255.255.255.0
no shutdown
!
interface FastEthernet0/1
ip address 10.1.33.3 255.255.255.0
no shutdown
!
interface Loopback0
ip address 150.1.3.3 255.255.255.255
!
router eigrp 111
no auto-summary
network 10.1.38.0 0.0.0.255
network 150.1.3.0 0.0.0.255
!
!
ntp server 150.1.1.1
Configuration on R1
Image: c3725-advsecurity-k9-mz.124-15.T9.bin
hostname R1
no ip domain-lookup
ip domain name nh.com
!
logging console debugging
logging monitor informational
logging buffered informational
no service timestamps
!
!
line console 0
logging synchronous
exec-timeout 0 0
privilege level 15
!
line vty 0 4
password cisco
logging synchronous
login local
!
enable password cisco
username cisco privilege 15 password cisco
!
interface f0/0
ip address 10.1.18.1 255.255.255.0
no shutdown
!
interface f0/1
ip address 10.1.11.1 255.255.255.0
no shutdown
!
interface Loopback0
ip address 150.1.1.1 255.255.255.255
!
router eigrp 111
no auto-summary
network 10.1.18.0 0.0.0.255
network 150.1.1.0 0.0.0.255
!
ntp master
ip http server
TESTING
Before testing, turn off the Windows firewall and check that you have administrative privileges on the PC from which you are connecting; it must also have Java 1.4+ installed.
Launch the web browser and browse to https://10.1.100.8 (I have tried from Windows 7 64-bit using the Firefox browser).
If you disconnect and try to connect again, you will see the following screen (screenshot from the original lab, not reproduced here).
After the tunnel is established, ping 10.1.18.1; it should succeed, and http://10.1.18.1 should also work, whereas http://150.1.1.1 should not work because 150.1.1.0/24 is not included in the split-tunnel ACL.
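The following Python script is an added example, not part of the original lab and not Cisco code. It parses the split-tunnel and tunnel-group objects from Step 3 through Step 6 (reproduced inline, indented the way show running-config prints them), checks that every cross-reference resolves (default-group-policy, address-pool, split-tunnel ACL, group-lock), and predicts the test outcome above: with split-tunnel-policy tunnelspecified, 10.1.18.1 is sent through the tunnel and 150.1.1.1 is not. The helper names (parse_asa, check_references, predict) are this example's own; the ASA_CONFIG text is a constructed excerpt of the page's configuration.

```python
"""Added example: sanity-check ASA AnyConnect split-tunnel configuration offline."""
import ipaddress
import re

# Constructed excerpt of the lab's ASA configuration (Steps 3-6), indented as
# `show running-config` prints attribute sub-modes.
ASA_CONFIG = """\
access-list SPLIT_TUNNEL standard permit 10.1.18.0 255.255.255.0
ip local pool ANYCONNECT_POOL 20.0.0.1-20.0.0.254
group-policy SSLVPN internal
group-policy SSLVPN attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 default-group-policy SSLVPN
 address-pool ANYCONNECT_POOL
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
 authentication aaa
username SSLVPN password cisco
username SSLVPN attributes
 group-lock value SSLVPN
"""


def parse_asa(config):
    """Return (acls, group_policies, tunnel_groups, pools, users) from config text.

    Only standard ACLs, local pools and the attribute sub-modes used by the lab
    are parsed; attribute lines are recognised by their one-space indentation.
    """
    acls, group_policies, tunnel_groups, pools, users = {}, {}, {}, set(), {}
    ctx = None  # (kind, name) of the attributes block we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"access-list (\S+) standard (permit|deny) (\S+) (\S+)$", line)
        if m:
            name, action, net, mask = m.groups()
            acls.setdefault(name, []).append((action, ipaddress.ip_network(f"{net}/{mask}")))
            continue
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            pools.add(m.group(1))
            continue
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            ctx = ("gp", m.group(1))
            group_policies.setdefault(m.group(1), {})
            continue
        m = re.match(r"tunnel-group (\S+) (general|webvpn)-attributes$", line)
        if m:
            ctx = ("tg", m.group(1))
            tunnel_groups.setdefault(m.group(1), {})
            continue
        m = re.match(r"username (\S+) attributes$", line)
        if m:
            ctx = ("user", m.group(1))
            users.setdefault(m.group(1), {})
            continue
        if raw.startswith(" ") and ctx:
            # Attribute inside a sub-mode: first word is the key, rest is the value.
            key, _, value = line.partition(" ")
            {"gp": group_policies, "tg": tunnel_groups, "user": users}[ctx[0]][ctx[1]][key] = value
            continue
        ctx = None  # any other top-level line ends the current sub-mode
    return acls, group_policies, tunnel_groups, pools, users


def _last_word(value):
    parts = value.split()
    return parts[-1] if parts else None


def check_references(acls, group_policies, tunnel_groups, pools, users):
    """Return a list of dangling references; an empty list means the objects line up."""
    problems = []
    for name, tg in tunnel_groups.items():
        if tg.get("default-group-policy") not in group_policies:
            problems.append(f"tunnel-group {name}: default-group-policy not defined")
        if tg.get("address-pool") not in pools:
            problems.append(f"tunnel-group {name}: address-pool not defined")
    for name, gp in group_policies.items():
        if gp.get("split-tunnel-policy") in ("tunnelspecified", "excludespecified"):
            if _last_word(gp.get("split-tunnel-network-list", "")) not in acls:
                problems.append(f"group-policy {name}: split-tunnel ACL not defined")
    for name, user in users.items():
        lock = _last_word(user.get("group-lock", ""))
        if lock and lock not in tunnel_groups:
            problems.append(f"username {name}: group-lock tunnel-group {lock} not defined")
    return problems


def is_tunneled(acls, group_policy, destination):
    """Decide whether traffic to destination goes through the VPN under this group policy."""
    policy = group_policy.get("split-tunnel-policy", "tunnelall")
    if policy == "tunnelall":
        return True
    acl = acls[_last_word(group_policy["split-tunnel-network-list"])]
    addr = ipaddress.ip_address(destination)
    matched = any(action == "permit" and addr in net for action, net in acl)
    # tunnelspecified: permitted networks are tunneled; excludespecified: they bypass it.
    return matched if policy == "tunnelspecified" else not matched


def predict(config, username, destinations):
    """Map each destination to True/False following user -> group-lock -> tunnel-group -> policy."""
    acls, gps, tgs, _pools, users = parse_asa(config)
    tg = tgs[_last_word(users[username]["group-lock"])]
    gp = gps[tg["default-group-policy"]]
    return {d: is_tunneled(acls, gp, d) for d in destinations}


if __name__ == "__main__":
    print("reference problems:", check_references(*parse_asa(ASA_CONFIG)))
    print(predict(ASA_CONFIG, "SSLVPN", ["10.1.18.1", "150.1.1.1"]))
```

Running the script on the lab configuration reports no dangling references and prints that 10.1.18.1 is tunneled while 150.1.1.1 is not, which is exactly what the ping and HTTP tests above are expected to show; a typo in any of the object names (for example in the group-lock value) shows up in check_references before the client is ever launched.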