Configuring SSL VPN on Cisco ASA

Starting a few years ago, Cisco began to phase out support for their long-standing VPN Client software, which used IPsec. Basically, they didn't make a 64-bit version to run on Windows 7 and 8, so unless you use XP, it's very hard to use the old Cisco VPN client software. The replacement is AnyConnect, which can be launched via the web. AnyConnect does not use IPsec for the VPN tunnel; it uses SSL. The downside is that it requires additional licensing: most ASAs only come with 1 SSL VPN user license and 10 IPsec.

Here is how you configure a typical ASA (running IOS 8.3) to use webvpn and AnyConnect.

Assumptions:

1. The outside or public WAN IP of the ASA is 200.50.75.1
2. The inside or local access range is 192.168.1.0/24
3. The VPN IP pool that we will create is 10.100.1.0/24

Here is the complete config with some comments.

Create and apply a NAT exemption (nonat) access list, so traffic between the inside network and the VPN pool is never translated (note that this nat 0 access-list form is the pre-8.3 NAT exemption syntax; from 8.3 onward NAT is built from network objects and the exemption is written as a twice NAT rule instead):
ASA(config)# access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list nonat
Define a split tunnel access list:

ASA(config)# access-list splitvpn standard permit 192.168.1.0 255.255.255.0

Define the Group Policy for the WebVPN:

ASA(config)# group-policy SSLVPN_POLICY internal
ASA(config)# group-policy SSLVPN_POLICY attributes
ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value splitvpn
ASA(config-group-policy)# split-dns value foobar.com
ASA(config-group-policy)# dns-server value X.X.X.X

In the above case, foobar.com would be your local DNS search suffix, and X.X.X.X would be the IP of your local DNS server if you use one. If you don't, you can leave the dns-server line out or use a public DNS server IP like 8.8.8.8.

Define a local IP address pool for the clients to use:
ASA(config)# ip local pool vpnpool 10.100.1.1-10.100.1.254 mask 255.255.255.0

Define a local user to use for the VPN:
ASA(config)# username johndoe password ABC123 privilege 0
ASA(config)# username johndoe attributes
ASA(config-username)# vpn-group-policy SSLVPN_POLICY

Enable WebVPN:
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
ASA(config-webvpn)# svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
ASA(config-webvpn)# svc enable

The location and filename of the AnyConnect package above may vary. To verify, type the dir command from the main prompt to see a file listing with the exact filenames and versions.

Define the tunnel group:
ASA(config)# tunnel-group SSLVPN_TUNNEL type remote-access
ASA(config)# tunnel-group SSLVPN_TUNNEL general-attributes
ASA(config-tunnel-general)# default-group-policy SSLVPN_POLICY
ASA(config-tunnel-general)# address-pool vpnpool
Link the tunnel group to WebVPN:

ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# tunnel-group SSLVPN_TUNNEL webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias AnyConnect enable
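The steps above only work if the pieces reference each other correctly: the split list must be a real access list, the tunnel group must point at an existing policy and pool, and the whole pool range must fall inside the nonat exemption or return traffic gets translated and the tunnel breaks. The following Python script is an added check, not part of the original post: it parses the running-config form of these commands (a constructed sample built from the values above, without the prompts) and reports any mismatch; check_config and SAMPLE_CONFIG are names chosen here.

```python
import ipaddress
import re
# Constructed sample in running-config form (the post's commands without the prompts).
SAMPLE_CONFIG = """
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list splitvpn standard permit 192.168.1.0 255.255.255.0
group-policy SSLVPN_POLICY internal
group-policy SSLVPN_POLICY attributes
 split-tunnel-network-list value splitvpn
ip local pool vpnpool 10.100.1.1-10.100.1.254 mask 255.255.255.0
tunnel-group SSLVPN_TUNNEL general-attributes
 default-group-policy SSLVPN_POLICY
 address-pool vpnpool
"""

def check_config(text):
    """Return a list of cross-reference problems; an empty list means the pieces line up."""
    pools, acls, policies, split_refs, refs, nonat = {}, {}, set(), [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) extended permit ip \S+ \S+ (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))  # destination
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nonat = m[1]  # the NAT exemption list
        elif m := re.match(r"group-policy (\S+) internal", line):
            policies.add(m[1])
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            split_refs.append(m[1])
        elif m := re.match(r"(default-group-policy|address-pool) (\S+)", line):
            refs[m[1]] = m[2]  # tunnel-group general-attributes
    problems = []
    for name in split_refs:  # the split list must be a defined access-list
        if name not in acls:
            problems.append(f"split-tunnel list {name} is not a defined access-list")
    gp, pool = refs.get("default-group-policy"), refs.get("address-pool")
    if gp not in policies:
        problems.append(f"tunnel-group default-group-policy {gp} is not defined")
    if pool not in pools:
        problems.append(f"tunnel-group address-pool {pool} is not defined")
    else:  # both ends of the pool range must fall inside a nonat destination network
        start, end = pools[pool]
        if not any(start in n and end in n for n in acls.get(nonat, [])):
            problems.append(f"pool {pool} ({start}-{end}) is not exempted from NAT by {nonat}")
    return problems
```

Run check_config(SAMPLE_CONFIG) on a config pasted from "show running-config"; an empty list means the references are consistent.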
