AnyConnect VPN :
ASA Details
Interface          Name     IP address     Subnet mask
GigabitEthernet0   outside  110.110.10.1   255.255.255.0
GigabitEthernet1   inside   192.168.22.10  255.255.255.0
Note : This configuration is based on a lab setup.
Outside PC
IP address 110.110.10.24
Create network objects for the inside and AnyConnect network ranges :
object network inside-net
subnet 192.168.22.0 255.255.255.0
object network anyconnect-net
subnet 10.0.0.0 255.255.255.0
Using the network objects above, define a twice NAT / manual NAT rule that exempts traffic going to AnyConnect clients from translation. Without this rule the ASA will NAT the traffic from the inside network towards the AnyConnect host.
nat (inside,outside) source static inside-net inside-net destination static anyconnect-net anyconnect-net no-proxy-arp route-lookup
Create an access list for split tunneling :
access-list anyconnect-acl standard permit 192.168.22.0 255.255.255.0
This access list is used for split tunneling. According to it, all traffic destined for the 192.168.22.0 network is sent through the tunnel, and everything else is sent out the regular local network interface (NIC).
You can also use an extended ACL with the destination set to ‘any’.
Create a local IP pool :
ip local pool anyconnect-pool 10.0.0.1-10.0.0.10 mask 255.255.255.0
When an AnyConnect host connects to the VPN it receives an address from this pool. Try not to use the inside network range for the pool. Also make sure the pool range lies within the subnet specified earlier for the AnyConnect network object (here anyconnect-net), because the twice NAT exemption must match when traffic goes from the inside network to the AnyConnect host.
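The two consistency conditions above (the pool must sit inside the anyconnect-net object that the twice NAT exemption references, and should stay out of the inside LAN range) are easy to get wrong when the config is edited later. The following Python script is an added example, not part of the original notes; it parses the relevant lines of the ASA configuration (embedded as a constructed sample) and reports any violation of those two conditions.

```python
import ipaddress
import re

# Constructed sample: the object and pool lines from the configuration above.
ASA_CONFIG = """
object network inside-net
 subnet 192.168.22.0 255.255.255.0
object network anyconnect-net
 subnet 10.0.0.0 255.255.255.0
ip local pool anyconnect-pool 10.0.0.1-10.0.0.10 mask 255.255.255.0
"""


def parse_objects(config):
    """Map each 'object network NAME' to the IPv4Network of its 'subnet' line."""
    objects, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
    return objects


def parse_pool(config, name):
    """Return (first, last) IPv4Address of the named 'ip local pool'."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+) mask", config, re.M)
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def check_pool(config, pool, pool_obj, inside_obj):
    """Return a list of problems; an empty list means the pool fits the NAT exemption."""
    objects = parse_objects(config)
    first, last = parse_pool(config, pool)
    pool_net, inside_net = objects[pool_obj], objects[inside_obj]
    problems = []
    # Addresses outside the object subnet are not matched by the twice NAT rule,
    # so inside-to-client traffic to them would be translated.
    if first not in pool_net or last not in pool_net:
        problems.append(f"pool {first}-{last} is not within {pool_obj} {pool_net}")
    # The notes advise keeping the pool out of the inside LAN range.
    if first in inside_net or last in inside_net:
        problems.append(f"pool {first}-{last} overlaps {inside_obj} {inside_net}")
    return problems


if __name__ == "__main__":
    print(check_pool(ASA_CONFIG, "anyconnect-pool", "anyconnect-net", "inside-net"))
```

Run it against a `show running-config` capture in place of the sample text to check a live unit; an empty list means both conditions hold.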
Define a group policy :
group-policy anyconnect-policy internal
group-policy anyconnect-policy attributes
vpn-tunnel-protocol ssl-client ssl-clientless --------→ this defines the type of VPN
split-tunnel-policy tunnelspecified -------------→ this tells the ASA that the networks to tunnel will be specified explicitly for split tunneling.
split-tunnel-network-list value anyconnect-acl ----→ the split tunnel networks are specified using the ACL we created earlier.
Define Tunnel group :
tunnel-group anyconnect-grp type remote-access
tunnel-group anyconnect-grp general-attributes
address-pool anyconnect-pool ----------→ Pool we created earlier.
default-group-policy anyconnect-policy ---------→ Associating the Policy we created earlier with the pool.
tunnel-group anyconnect-grp webvpn-attributes
group-alias STAFF enable
Define WebVPN setup :
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1 -→ This image pkg should be the same one installed on the PC.
anyconnect enable
tunnel-group-list enable ----→ Enables option for selecting from drop down.
Note : It's important to specify the installer pkg, otherwise the ASA will give the message ‘Anyconnect not enables in server’ even though we have enabled it.
Define a local user (the password is shown as a labelled placeholder; set a real one) :
username joe password <PASSWORD>
username joe attributes
group-lock value anyconnect-grp
service-type remote-access