Anyconnect SSL-Client VPN with Self-signed Certificate on Cisco ASA

The Cisco AnyConnect Secure Mobility Solution provides a comprehensive, highly secure enterprise mobility solution. the Cisco AnyConnect Secure Mobility Solution continues to lead with next-generation security and encryption, including support for the Suite B set of cryptographic algorithms, and support for IPv6 networks. More importantly, it adapts its tunneling protocol to the most efficient method.
In the present scenario, we have to configure Anyconnect SSL remote access VPN for Sales department and Engineering department of a company. Engineering users will have to be provided with access to web server as well as FTP server, while sales users may only have access to the web server.



Anyconnect client authenticates the VPN gateway by it's Identity Certificate, so now we'll generate crypto rsa key to be used in enrolling for Self-Signed Identity Certificate followed by certificate enrollment.

crypto key generate rsa label VPNKeyPair
!
crypto ca trustpoint LocalTrust
enrollment self
fqdn ravpn.pacificgroup.co.in
subject-name CN=ravpn.pacificgroup.co.in
keypair VPNKeyPair
crypto ca enroll LocalTrust noconfirm

Copy Anyconnect client image to the security appliance, which will enable the remote users to download and install the Anyconnect client software to their system when they connect to VPN Gateway from their web browsers.
copy tftp://192.168.100.10/anyconnect-win-3.1.04059-k9.pkg flash:



And now we will do the rest of the configuration required for Anyconnect SSL VPN.

ip local pool RA_VPN_IP_POOL 10.10.20.1-10.10.20.255 mask 255.255.255.0
!

access-list RA_VPN_SplitTunnelACL standard permit 192.168.100.0 255.255.255.0
!
access-list SALES_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list SALES_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq www
access-list ENGR_VPN_ACL extended permit tcp any host 192.168.100.10 eq ftp
access-list ENGR_VPN_ACL extended permit udp any host 192.168.100.10 eq domain
!
!

ssl trust-point LocalTrust OUTSIDE
!
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-3.1.04059-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
!
group-policy GRP_SALES_SSL_RA_VPN internal
group-policy GRP_SALES_SSL_RA_VPN attributes
 dns-server value 192.168.100.10
 vpn-filter value SALES_VPN_ACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnelACL
!
group-policy GRP_ENGR_SSL_RA_VPN internal
group-policy GRP_ENGR_SSL_RA_VPN attributes
 dns-server value 192.168.100.10
 vpn-filter value ENGR_VPN_ACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnelACL
!
!
username salesuser password uXUrGApVTzN8lH14 encrypted
username salesuser attributes
 vpn-group-policy GRP_SALES_SSL_RA_VPN
 service-type remote-access
!
username engruser password osgMkcb3N.VlT8/u encrypted
username engruser attributes
 vpn-group-policy GRP_ENGR_SSL_RA_VPN
 service-type remote-access
!
!
tunnel-group SSL_RA_VPN type remote-access
tunnel-group SSL_RA_VPN general-attributes
 address-pool RA_VPN_IP_POOL
tunnel-group SSL_RA_VPN webvpn-attributes
 group-alias SSL_RA_VPN enable
!

!
object network VPN_USERS
 subnet 10.10.20.0 255.255.255.0
object network INSIDE_NETWORK
 subnet 192.168.100.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static INSIDE_NETWORK INSIDE_NETWORK destination static VPN_USERS VPN_USERS


Now the remote users will be able to connect to the VPN . Remote users have to open the URL https://172.31.10.1 from their web-browsers to download and install the Anyconnect client software from the VPN gateway. Remote users will see the below screen when they will connect to VPN Gateway from their web browsers.





To Verify the connected users, use the following command.


ciscoasa# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username    : engruser              Index       : 3
Assigned IP : 10.10.20.1            Public IP   : 172.31.10.2
Protocol    : AnyConnect-Parent SSL-Tunnel
License     : AnyConnect Premium
Encryption  : RC4                   Hashing     : none SHA1
Bytes Tx    : 10062                 Bytes Rx    : 2536
Group Policy: GRP_ENGR_SSL_RA_VPN   Tunnel Group: SSL_RA_VPN
Login Time  : 13:12:04 UTC Tue Jul 16 2013
Duration    : 0h:08m:39s
Inactivity  : 0h:00m:00s
NAC Result  : Unknown
VLAN Mapping: N/A                   VLAN        : none


To manually disconnect remote access VPN user, following command can be used

ciscoasa# vpn-sessiondb logoff index 3
Do you want to logoff the VPN session(s)? [confirm]
INFO: Session with Index = 3 has been logged off


Comments

Post a comment

Popular posts from this blog

IKEv2 IPsec Site-to-Site VPN configuration on Cisco ASA 8.4(x)

IPsec VPN as a Backup for Point-to-Point Link using IP SLA

Bypassing Proxy Server in Google Chrome

Cisco ASA Active/Active Failover Configuration

Cisco ASA Active/Standby Failover Configuration