Anyconnect SSL-Client VPN with Self-signed Certificate on Cisco ASA

The Cisco AnyConnect Secure Mobility Solution provides a comprehensive, highly secure enterprise mobility solution. The Cisco AnyConnect Secure Mobility Solution continues to lead with next-generation security and encryption, including support for the Suite B set of cryptographic algorithms and for IPv6 networks. More importantly, it adapts its tunneling protocol to the most efficient method available.
In the present scenario, we have to configure an AnyConnect SSL remote-access VPN for the Sales department and the Engineering department of a company. Engineering users must be given access to the web server as well as the FTP server, while Sales users may only access the web server.



The AnyConnect client authenticates the VPN gateway by its identity certificate, so we first generate the RSA key pair to be used when enrolling for the self-signed identity certificate, and then perform the certificate enrollment. Because the certificate is self-signed, it does not chain to any CA the client already trusts, so remote users will see an untrusted-server warning unless the certificate is verified and trusted out of band.

crypto key generate rsa label VPNKeyPair
!
crypto ca trustpoint LocalTrust
enrollment self
fqdn ravpn.pacificgroup.co.in
subject-name CN=ravpn.pacificgroup.co.in
keypair VPNKeyPair
crypto ca enroll LocalTrust noconfirm

Copy the AnyConnect client image to the security appliance, so that remote users can download and install the AnyConnect client software on their systems when they connect to the VPN gateway from their web browsers.
copy tftp://192.168.100.10/anyconnect-win-3.1.04059-k9.pkg flash:



Now we complete the rest of the configuration required for the AnyConnect SSL VPN.

ip local pool RA_VPN_IP_POOL 10.10.20.1-10.10.20.255 mask 255.255.255.0
!

access-list RA_VPN_SplitTunnelACL standard permit 192.168.100.0 255.255.255.0
!
access-list SALES_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list SALES_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq ftp
access-list ENGR_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
!
!

ssl trust-point LocalTrust OUTSIDE
!
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-3.1.04059-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
!
group-policy GRP_SALES_SSL_RA_VPN internal
group-policy GRP_SALES_SSL_RA_VPN attributes
 dns-server value 192.168.100.10
 vpn-filter value SALES_VPN_ACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnelACL
!
group-policy GRP_ENGR_SSL_RA_VPN internal
group-policy GRP_ENGR_SSL_RA_VPN attributes
 dns-server value 192.168.100.10
 vpn-filter value ENGR_VPN_ACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnelACL
!
!
username salesuser password uXUrGApVTzN8lH14 encrypted
username salesuser attributes
 vpn-group-policy GRP_SALES_SSL_RA_VPN
 service-type remote-access
!
username engruser password osgMkcb3N.VlT8/u encrypted
username engruser attributes
 vpn-group-policy GRP_ENGR_SSL_RA_VPN
 service-type remote-access
!
!
tunnel-group SSL_RA_VPN type remote-access
tunnel-group SSL_RA_VPN general-attributes
 address-pool RA_VPN_IP_POOL
tunnel-group SSL_RA_VPN webvpn-attributes
 group-alias SSL_RA_VPN enable
!

!
object network VPN_USERS
 subnet 10.10.20.0 255.255.255.0
object network INSIDE_NETWORK
 subnet 192.168.100.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static INSIDE_NETWORK INSIDE_NETWORK destination static VPN_USERS VPN_USERS
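The two vpn-filter ACLs above are what keep Sales users off the FTP server, so it is worth checking them mechanically rather than by eye. The following Python is an added example, not part of this post or of any Cisco tool: it parses the ACL and group-policy lines from a saved running config (a constructed excerpt of the configuration above is embedded) and reports any group-policy that permits more than the design intends, or that has no vpn-filter at all.

```python
import re
from collections import defaultdict

# Constructed excerpt of this post's ASA config: vpn-filter ACLs and the group-policy lines binding them.
ASA_CONFIG = """\
access-list SALES_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list SALES_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq ftp
access-list ENGR_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
group-policy GRP_SALES_SSL_RA_VPN attributes
 vpn-filter value SALES_VPN_ACL
group-policy GRP_ENGR_SSL_RA_VPN attributes
 vpn-filter value ENGR_VPN_ACL
"""
# Matches only the ACE form used on this page (extended, any/host source, any/host destination).
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?$"
)
def parse_vpn_filters(config):
    """Return ({group_policy: acl_name}, {acl_name: [ACE dicts]}) from running-config text."""
    acls, bindings, current = defaultdict(list), {}, None
    for line in config.splitlines():
        if m := ACE_RE.match(line):
            acls[m["acl"]].append(m.groupdict())
        elif m := re.match(r"^group-policy (\S+) attributes$", line):
            current = m.group(1)
        elif (m := re.match(r"^\s+vpn-filter value (\S+)$", line)) and current:
            bindings[current] = m.group(1)
    return bindings, dict(acls)

def permitted_services(config, group_policy):
    """Set of 'proto/port' the policy's vpn-filter permits (implicit deny at the end); None = unfiltered."""
    bindings, acls = parse_vpn_filters(config)
    acl = bindings.get(group_policy)
    if acl is None:
        return None
    return {f"{a['proto']}/{a['port']}" for a in acls.get(acl, []) if a["action"] == "permit"}

def least_privilege_violations(config, intended):
    """{policy: 'unfiltered' | set of extra services} for policies that allow more than intended."""
    findings = {}
    for gp, allowed in intended.items():
        got = permitted_services(config, gp)
        if got is None:
            findings[gp] = "unfiltered"
        elif got - allowed:
            findings[gp] = got - allowed
    return findings
```

Run it against a fresh `show running-config` after every change to the ACLs; an empty result means each group-policy still grants exactly the services the design calls for.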


Now the remote users will be able to connect to the VPN. Remote users open the URL https://172.31.10.1 in their web browsers to download and install the AnyConnect client software from the VPN gateway. They will see the screen below when they connect to the VPN gateway from their web browsers.





To verify the connected users, use the following command.


ciscoasa# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username    : engruser              Index       : 3
Assigned IP : 10.10.20.1            Public IP   : 172.31.10.2
Protocol    : AnyConnect-Parent SSL-Tunnel
License     : AnyConnect Premium
Encryption  : RC4                   Hashing     : none SHA1
Bytes Tx    : 10062                 Bytes Rx    : 2536
Group Policy: GRP_ENGR_SSL_RA_VPN   Tunnel Group: SSL_RA_VPN
Login Time  : 13:12:04 UTC Tue Jul 16 2013
Duration    : 0h:08m:39s
Inactivity  : 0h:00m:00s
NAC Result  : Unknown
VLAN Mapping: N/A                   VLAN        : none
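The session listing above is also where an operator spots tunnels negotiated with a weak cipher, such as the RC4 shown here. The following Python is an added example, not from this post: it parses the two-column 'show vpn-sessiondb anyconnect' output (a constructed sample modelled on the output above is embedded, with a second session added) into one record per session and returns the index numbers that 'vpn-sessiondb logoff index' takes.

```python
import re
# Constructed sample modelled on the 'show vpn-sessiondb anyconnect' output above,
# with a second session added to show a cipher that is not flagged.
SESSION_OUTPUT = """\
Session Type: AnyConnect

Username    : engruser              Index       : 3
Assigned IP : 10.10.20.1            Public IP   : 172.31.10.2
Protocol    : AnyConnect-Parent SSL-Tunnel
Encryption  : RC4                   Hashing     : none SHA1
Bytes Tx    : 10062                 Bytes Rx    : 2536
Group Policy: GRP_ENGR_SSL_RA_VPN   Tunnel Group: SSL_RA_VPN
Login Time  : 13:12:04 UTC Tue Jul 16 2013
Duration    : 0h:08m:39s

Username    : salesuser             Index       : 4
Assigned IP : 10.10.20.2            Public IP   : 172.31.10.3
Encryption  : AES256                Hashing     : none SHA1
Group Policy: GRP_SALES_SSL_RA_VPN  Tunnel Group: SSL_RA_VPN
"""

# Ciphers an operator would not want on a tunnel (RC4 is what this post's output shows).
WEAK_CIPHERS = {"RC4", "DES", "3DES"}
# A line holds one or two 'Key : value' columns; columns are separated by 2+ spaces.
COLUMN_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z][A-Za-z ]*?\s*:)")

def parse_sessions(output):
    """Return one {field: value} dict per session; a session starts at its Username line."""
    sessions, current = [], None
    for line in output.splitlines():
        for chunk in COLUMN_SPLIT.split(line.strip()):
            if ":" not in chunk:
                continue
            key, value = (part.strip() for part in chunk.split(":", 1))
            if key == "Username":
                current = {}
                sessions.append(current)
            if current is not None:
                current[key] = value
    return sessions

def weak_crypto_sessions(output):
    """(username, index, weak ciphers) for sessions whose Encryption field lists a weak cipher."""
    flagged = []
    for s in parse_sessions(output):
        weak = sorted(set(s.get("Encryption", "").split()) & WEAK_CIPHERS)
        if weak:
            flagged.append((s["Username"], int(s["Index"]), weak))
    return flagged
```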


To manually disconnect a remote-access VPN user, use the following command:

ciscoasa# vpn-sessiondb logoff index 3
Do you want to logoff the VPN session(s)? [confirm]
INFO: Session with Index = 3 has been logged off


8 comments:

  5. thanks very easy to follow!
