ASA 8.x: Allow Split Tunneling for the AnyConnect VPN Client on the ASA Configuration Example

This document provides step-by-step instructions on how to allow a Cisco AnyConnect VPN client to access the Internet while it is tunneled into a Cisco Adaptive Security Appliance (ASA) running 8.0(2). This configuration lets the client reach corporate resources securely over SSL while reaching the Internet directly and unencrypted through split tunneling.

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • The ASA security appliance must run version 8.x

  • Cisco AnyConnect VPN Client 2.x

    Note: Download the AnyConnect VPN Client package (anyconnect-win*.pkg) from Cisco Software Download (registered customers only). Copy the AnyConnect VPN client to the flash memory of the ASA; it is downloaded to the remote users' computers in order to establish the SSL VPN connection with the ASA. Refer to the Installing the AnyConnect Client section of the ASA configuration guide for more information.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 5500 Series ASA running software version 8.0(2)

  • Cisco AnyConnect SSL VPN Client for Windows version 2.0.0343

  • A PC running Microsoft Vista, Windows XP SP2, or Windows 2000 Professional SP4 with Microsoft Installer version 3.1

  • Cisco Adaptive Security Device Manager (ASDM) version 6.0(2)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users. Without a previously installed client, remote users enter into their browser the IP address of an interface that is configured to accept SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL with an explicit https:// prefix.

After the URL is entered, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. After download, the client installs and configures itself, establishes a secure SSL connection, and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.

In the case of a previously installed client, when the user authenticates, the security appliance examines the revision of the client and upgrades the client as necessary.

When the client negotiates an SSL VPN connection with the security appliance, it connects using Transport Layer Security (TLS) and, optionally, Datagram Transport Layer Security (DTLS). DTLS avoids the latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

The AnyConnect client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator. Refer to the Cisco AnyConnect VPN Client Administrator Guide for more information on how to install the client manually.

The security appliance downloads the client based on the group policy or username attributes of the user who establishes the connection. You can configure the security appliance to download the client automatically, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.

This section provides the information needed to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses that have been used in a lab environment.

Configure the ASA with ASDM 6.0(2)

This document assumes that the basic configuration, such as the interface configuration, is already done and works properly.

Note: Refer to Allowing HTTPS Access for ASDM in order to allow the ASA to be configured by ASDM.

Note: WebVPN and ASDM cannot be enabled on the same ASA interface unless you change the port numbers. Refer to ASDM and WebVPN Enabled on the Same Interface of ASA for more information.

Complete these steps in order to configure the SSL VPN on the ASA with split tunneling:

  1. Choose Configuration > Remote Access VPN > Network (Client) Access > Address Management > Address Pools > Add in order to create an IP address pool named vpnpool.

  2. Click Apply.

    Equivalent CLI Configuration:

    Cisco ASA 8.0(2)
    ciscoasa(config)#ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

  3. Enable WebVPN.

    1. Choose Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles and, under Access Interfaces, check the Allow Access and Enable DTLS check boxes for the outside interface. Also check the Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client access on the interfaces selected in the table below check box in order to enable SSL VPN on the outside interface.

    2. Click Apply.

    3. Choose Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN > Client Settings > Add in order to add the Cisco AnyConnect VPN client image from the flash memory of the ASA as shown.

    4. Click OK.

    5. Click Add.

      Equivalent CLI Configuration:

      Cisco ASA 8.0(2)
      ciscoasa(config)#webvpn
      ciscoasa(config-webvpn)#enable outside
      ciscoasa(config-webvpn)#svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
      ciscoasa(config-webvpn)#tunnel-group-list enable
      ciscoasa(config-webvpn)#svc enable

  4. Configure the group policy.

    1. Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies in order to create an internal group policy named clientgroup. Under the General tab, check the SSL VPN Client check box in order to enable WebVPN as the tunneling protocol.

    2. In the Advanced > Split Tunneling tab, uncheck the Inherit check box for Split Tunnel Policy and choose Tunnel Network List Below from the drop-down list.

    3. Uncheck the Inherit check box for Split Tunnel Network List, then click Manage in order to launch the ACL Manager.

    4. In the ACL Manager, choose Add > Add ACL... in order to create a new access list.

    5. Provide a name for the ACL and click OK.

    6. Once the ACL name is created, choose Add > Add ACE in order to add an access control entry (ACE).

      Define the ACE that corresponds to the LAN behind the ASA. In this case, the network is 10.77.241.128/26; choose Permit as the action.

    7. Click OK in order to exit the ACL Manager.

    8. Make sure that the ACL you just created is selected for the Split Tunnel Network List. Click OK in order to return to the Group Policy configuration.

    9. On the main page, click Apply and then Send (if required) in order to send the commands to the ASA.

    10. Configure the SSL VPN settings under Group Policy mode.

      1. For the Keep Installer on Client System option, uncheck the Inherit check box and click the Yes radio button.

        This action allows the SVC software to remain on the client PC. Therefore, the ASA is not required to download the SVC software to the client each time a connection is made. This option is a good choice for remote users who often access the corporate network.

      2. Click Login Setting in order to set the Post Login Setting and the Default Post Login Selection as shown.

      3. For the Renegotiation Interval option, uncheck the Inherit box, uncheck the Unlimited check box, and enter the number of minutes until rekey.

        Security is enhanced by setting limits on the length of time a key is valid.

      4. For the Renegotiation Method option, uncheck the Inherit check box and click the SSL radio button.

        Renegotiation can use the present SSL tunnel or a new tunnel created expressly for renegotiation.

    11. Click OK and then Apply.

      Equivalent CLI Configuration:

      Cisco ASA 8.0(2)
      ciscoasa(config)#access-list split-tunnel standard permit 10.77.241.128 255.255.255.192
      ciscoasa(config)#group-policy clientgroup internal
      ciscoasa(config)#group-policy clientgroup attributes
      ciscoasa(config-group-policy)#vpn-tunnel-protocol webvpn
      ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
      ciscoasa(config-group-policy)#split-tunnel-network-list value split-tunnel
      ciscoasa(config-group-policy)#webvpn
      ciscoasa(config-group-webvpn)#svc ask none default svc
      ciscoasa(config-group-webvpn)#svc keep-installer installed
      ciscoasa(config-group-webvpn)#svc rekey time 30
      ciscoasa(config-group-webvpn)#svc rekey method ssl

  5. Choose Configuration > Remote Access VPN > AAA Setup > Local Users > Add in order to create a new user account named ssluser1. Click OK and then Apply.

    Equivalent CLI Configuration:

    Cisco ASA 8.0(2)
    ciscoasa(config)#username ssluser1 password @asdmASA

  6. Choose Configuration > Remote Access VPN > AAA Setup > AAA Server Groups > Edit in order to modify the default LOCAL server group: check the Enable Local User Lockout check box with the Maximum Attempts value set to 16.

  7. Click OK and then Apply.

    Equivalent CLI Configuration:

    Cisco ASA 8.0(2)
    ciscoasa(config)#aaa local authentication attempts max-fail 16

  8. Configure the tunnel group.

    1. Choose Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles > Add in order to create a new tunnel group named sslgroup.

    2. In the Basic tab, make the configuration choices listed here:

      • Name the tunnel group sslgroup.

      • Under Client Address Assignment, choose the address pool vpnpool from the drop-down list.

      • Under Default Group Policy, choose the group policy clientgroup from the drop-down list.

    3. Under the SSL VPN > Connection Aliases tab, specify the group alias name as sslgroup_users and click OK.

    4. Click OK and then Apply.

      Equivalent CLI Configuration:

      Cisco ASA 8.0(2)
      ciscoasa(config)#tunnel-group sslgroup type remote-access
      ciscoasa(config)#tunnel-group sslgroup general-attributes
      ciscoasa(config-tunnel-general)#address-pool vpnpool
      ciscoasa(config-tunnel-general)#default-group-policy clientgroup
      ciscoasa(config-tunnel-general)#exit
      ciscoasa(config)#tunnel-group sslgroup webvpn-attributes
      ciscoasa(config-tunnel-webvpn)#group-alias sslgroup_users enable

  9. Configure NAT.

    1. Choose Configuration > Firewall > NAT Rules > Add Dynamic NAT Rule so that the traffic that comes from the inside network is translated with the outside IP address 172.16.1.5.

    2. Click OK.

    3. Click OK.

    4. Click Apply.

      Equivalent CLI Configuration:

      Cisco ASA 8.0(2)
      ciscoasa(config)#global (outside) 1 172.16.1.5
      ciscoasa(config)#nat (inside) 1 0.0.0.0 0.0.0.0

  10. Configure the NAT exemption for the return traffic from the inside network to the VPN client.

    ciscoasa(config)#access-list nonat permit ip …
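The split-tunnel decision that the group policy above makes for the client, as an added worked example that is not part of the original document: it parses the standard ACL and the group-policy attributes from a constructed running-config excerpt (built from the CLI steps in this document, the names and addresses being the document's own), and reports which destinations the AnyConnect client tunnels and which go straight to the Internet. It also handles the excludespecified policy and refuses a tunnelspecified policy whose network list is missing or empty, a mistake that would otherwise go unnoticed until users lose access to the LAN.

```python
import ipaddress
import re
# Constructed running-config excerpt assembled from this document's CLI steps.
ASA_CONFIG = """\
access-list split-tunnel standard permit 10.77.241.128 255.255.255.192
group-policy clientgroup attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
"""

ACL_RE = re.compile(r"^access-list (\S+) standard (permit|deny) (?:host )?(\S+)(?: (\S+))?$")

def parse_standard_acls(config):
    """Map ACL name -> ordered (action, network) entries; handles 'host' and 'any'."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, action, addr, mask = m.groups()
            cidr = "0.0.0.0/0" if addr == "any" else f"{addr}/{mask or 32}"
            net = ipaddress.ip_network(cidr, strict=False)
            acls.setdefault(name, []).append((action, net))
    return acls

def split_tunnel_settings(config, gp):
    """Return (split-tunnel-policy, network-list ACL name) for group policy gp."""
    block = re.search(rf"^group-policy {gp} attributes\n((?: .*\n)*)", config, re.M)
    text = block.group(1) if block else ""
    policy = re.search(r"split-tunnel-policy (\S+)", text)
    acl = re.search(r"split-tunnel-network-list value (\S+)", text)
    return (policy.group(1) if policy else None), (acl.group(1) if acl else None)

def is_tunneled(dst, policy, entries):
    """Does the AnyConnect client send traffic for dst through the VPN?"""
    if policy in (None, "tunnelall"):   # no split tunneling: everything is tunneled
        return True
    addr = ipaddress.ip_address(dst)
    hit = next((act for act, net in entries if addr in net), None)  # first match wins
    if policy == "tunnelspecified":     # only listed networks go through the tunnel
        return hit == "permit"
    return hit != "permit"              # excludespecified: listed networks bypass it

def tunneled_destinations(config, gp, dsts):
    """Classify destinations for group policy gp; refuse an unusable split list."""
    policy, acl = split_tunnel_settings(config, gp)
    entries = parse_standard_acls(config).get(acl, []) if acl else []
    if policy == "tunnelspecified" and not entries:
        raise ValueError(f"{gp}: split-tunnel network list {acl!r} missing or empty")
    return {d: is_tunneled(d, policy, entries) for d in dsts}
```

With the document's configuration, tunneled_destinations(ASA_CONFIG, "clientgroup", ["10.77.241.130", "8.8.8.8"]) reports the LAN host as tunneled and the Internet host as sent directly, which is the intended split-tunnel behaviour.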
