Anyconnect SSL-Client VPN with Self-signed Certificate on Cisco ASA

The Cisco AnyConnect Secure Mobility Solution provides a comprehensive, highly secure enterprise mobility solution. the Cisco AnyConnect Secure Mobility Solution continues to lead with next-generation security and encryption, including support for the Suite B set of cryptographic algorithms, and support for IPv6 networks. More importantly, it adapts its tunneling protocol to the most efficient method.
In the present scenario, we have to configure Anyconnect SSL remote access VPN for Sales department and Engineering department of a company. Engineering users will have to be provided with access to web server as well as FTP server, while sales users may only have access to the web server.



Anyconnect client authenticates the VPN gateway by it's Identity Certificate, so now we'll generate crypto rsa key to be used in enrolling for Self-Signed Identity Certificate followed by certificate enrollment.

crypto key generate rsa label VPNKeyPair
!
crypto ca trustpoint LocalTrust
enrollment self
fqdn ravpn.pacificgroup.co.in
subject-name CN=ravpn.pacificgroup.co.in
keypair VPNKeyPair
crypto ca enroll LocalTrust noconfirm

Copy Anyconnect client image to the security appliance, which will enable the remote users to download and install the Anyconnect client software to their system when they connect to VPN Gateway from their web browsers.
copy tftp://192.168.100.10/anyconnect-win-3.1.04059-k9.pkg flash:



And now we will do the rest of the configuration required for Anyconnect SSL VPN.

ip local pool RA_VPN_IP_POOL 10.10.20.1-10.10.20.255 mask 255.255.255.0
!
access-list RA_VPN_SplitTunnelACL standard permit 192.168.100.0 255.255.255.0
!
access-list SALES_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list SALES_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq ftp
access-list ENGR_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
!
!
ssl trust-point LocalTrust OUTSIDE
!
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-3.1.04059-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
!
group-policy GRP_SALES_SSL_RA_VPN internal
group-policy GRP_SALES_SSL_RA_VPN attributes
 dns-server value 192.168.100.10
 vpn-filter value SALES_VPN_ACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnelACL
!
group-policy GRP_ENGR_SSL_RA_VPN internal
group-policy GRP_ENGR_SSL_RA_VPN attributes
 dns-server value 192.168.100.10
 vpn-filter value ENGR_VPN_ACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnelACL
!
!
username salesuser password uXUrGApVTzN8lH14 encrypted
username salesuser attributes
 vpn-group-policy GRP_SALES_SSL_RA_VPN
 service-type remote-access
!
username engruser password osgMkcb3N.VlT8/u encrypted
username engruser attributes
 vpn-group-policy GRP_ENGR_SSL_RA_VPN
 service-type remote-access
!
!
tunnel-group SSL_RA_VPN type remote-access
tunnel-group SSL_RA_VPN general-attributes
 address-pool RA_VPN_IP_POOL
tunnel-group SSL_RA_VPN webvpn-attributes
 group-alias SSL_RA_VPN enable
!
!
object network VPN_USERS
 subnet 10.10.20.0 255.255.255.0
object network INSIDE_NETWORK
 subnet 192.168.100.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static INSIDE_NETWORK INSIDE_NETWORK destination static VPN_USERS VPN_USERS


Now the remote users will be able to connect to the VPN . Remote users have to open the URL https://172.31.10.1 from their web-browsers to download and install the Anyconnect client software from the VPN gateway. Remote users will see the below screen when they will connect to VPN Gateway from their web browsers.





To Verify the connected users, use the following command.


ciscoasa# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username    : engruser              Index       : 3
Assigned IP : 10.10.20.1            Public IP   : 172.31.10.2
Protocol    : AnyConnect-Parent SSL-Tunnel
License     : AnyConnect Premium
Encryption  : RC4                   Hashing     : none SHA1
Bytes Tx    : 10062                 Bytes Rx    : 2536
Group Policy: GRP_ENGR_SSL_RA_VPN   Tunnel Group: SSL_RA_VPN
Login Time  : 13:12:04 UTC Tue Jul 16 2013
Duration    : 0h:08m:39s
Inactivity  : 0h:00m:00s
NAC Result  : Unknown
VLAN Mapping: N/A                   VLAN        : none


To manually disconnect remote access VPN user, following command can be used

ciscoasa# vpn-sessiondb logoff index 3
Do you want to logoff the VPN session(s)? [confirm]
INFO: Session with Index = 3 has been logged off


Comments

Post a Comment

Popular posts from this blog

Specifying SSH port in Ansible Inventory

There may be some instances where you set a custom port for SSH on your network device. If ssh port for hosts is different than the default port 22, it can be specified in the inventory file with colon (:) after hostname. #vi inventory # Inventory file for Ansible   [XE] ios-xe-mgmt.cisco.com:8181 ios-xe-mgmt-latest.cisco.com:8181   [XR] sbx-iosxr-mgmt.cisco.com:8181
Read more

Ansible-Playbook to display output of multiple show commands (using stdout_lines with Loop)

 In this playbook, we we'll see how we can get display of multiple show commands in stdout_lines format. We can make use of loops (or with_items) for submitting multiple commands, but debug output with stdout_lines does not gives the formatted result as it would give for single command. So in case of multiple commands, we can debug the output of each command separately in stdout_lines format.
Read more

Filtering Routes in BGP using Route-maps and Prefix-list

Image
Order of preference of attributes in BGP The order of preference varies based on whether the attributes are applied for inbound updates or outbound updates. For inbound updates the order of preference is:     route-map     filter-list     prefix-list, distribute-list For outbound updates the order of preference is:     prefix-list, distribute-list     filter-list     route-map NOTE: The attributes prefix-list and distribute-list are mutually exclusive, and only one command (neighbor distribute-list or neighbor prefix-list) can be applied to each inbound or outbound direction for a particular neighbor. Scenario: We own the AS500 and advertising a network block of 192.0.2.0/24 and 180.179.179.0/16 to two different ISPs. Objectives: Configure router R1 to establish eBGP neighbor relationship with ISP1. Configure router R1 to establish eBGP neighbor relationship with ISP2. Advertise  192.0.2.0/24 network to ISP1 only. Advertise 180.179.179.0/16 network to ISP2 only. Receive routes having n
Read more

Ansible Playbook for Network OS Upgrade with pre and post checks

You have 100s of network switches or routers that you need to upgrade. How much time would it take for you to do the upgrades? There are a lot number of sub-tasks involved while upgrading IOS image of a Cisco router or a switch. This time of upgradation can be reduced through automation from various Enterprise Configuration Management tools that also have ability to upgrade network OS. Though these tools give an easy to use graphical interface, but this requires you to have appropriate license and also restricts you to customize your upgrade process.
Read more

Bypassing Proxy Server in Google Chrome

Image
There may be times when you might want to use Google Chrome and do not wish to use the proxy settings for which you are bound to use in Internet Explorer because of your company policies. If you try to change proxy settings in Google Chrome, by default it will open the System Internet Properties dialogue box, and most of the times, change in proxy setting options is restricted by domain group policy. So here is an alternate way to remove or disable proxy settings in Google Chrome. 1. Right click the GoogleChrome.exe and create it's shortcut. 2. Open the properties of the shortcut of GoogleChrome.exe created in previous step. 3. Here you have to edit the Target of this shortcut. You have to add   --proxy-server=""  after the existing path. You are done. Now enjoy the web browsing without any restrictions.
Read more

VMware NSX Traffic Flow — East-West & North-South

Image
Understanding how traffic is flowing in NSX environment is an important aspect to successfully maintain and troubleshoot networks having NSX. In this post we'll understand hop-by-hop flow of traffic in East-West and North-South directions. East-West: VMs on Same Subnet, Same Host VM-1 has IP address 172.16.20.6 and VM-2 has IP address 172.16.20.7 VM-1 vNIC è Logical Switch (Segment ID 5002) è VM-2 vNIC
Read more

Export or Backup Azure Network Security Groups into CSV using PowerShell

There could be many use cases where you may want to export Network Security Groups into CSV. You might have question, how to export or backup Azure Network Security Groups into CSV. Here is the PowerShell script that you can use to export Azure Network Security Groups into CSV using PowerShell script. This script will export Network Security Group along with rules of all Active subscriptions into a CSV.
Read more

Ansible-playbook for backing up running config of Cisco IOS

This ansible-playbook can be used to backup running configuration from Cisco IOS devices. You can refer to my earlier post Getting Started with your first ansible-playbook for Network Automation  to know about the parameters used in this playbook. Inventory file # Inventory file for Ansible [XE] ios-xe-mgmt.cisco.com:8181 ios-xe-mgmt-latest.cisco.com:8181 [XR] sbx-iosxr-mgmt.cisco.com:8181 [all:vars] ansible_network_os=ios Playbook --- - name: Define Parameters   hosts: XE   gather_facts: no   connection: network_cli   tasks:    - name: backup the config      ios_config:       backup: yes      register: backup_config    - name: Store the config to directory      copy:       src: "{{ backup_config.backup_path }}"       dest: "/tmp/backups/{{ inventory_hostname }}" Running the playbook [prashant@Prashant-VM01 ~]$ ansible-playbook play03.yml -i /home/prashant/inventory -u developer -k SSH password: PLAY [Define Parameters] **********************************************
Read more