Cisco ASA Config
This article aims to explain how to configure a Cisco ASA to terminate a Cisco AnyConnect SSL VPN client using the ASDM (GUI).
The following example was configured on an ASA 5505 running software version 8.0(4). The ASA also has ASDM v6.1(5) and AnyConnect v2.3 installed on its flash and was set to the factory default configuration.
Before starting please ensure you have the latest version of Java installed on the Windows computer you intend to use to setup the ASA.
Connect a Windows computer to the inside interface of the ASA (Interface 1 is set to the Inside interface by default). The ASA should automatically allocate an IP address to the computer by DHCP. This address will likely be 192.168.1.2.
Open a browser (I recommend Internet Explorer for this installation) and go to:
https://192.168.1.1
You will be prompted with the following page:
Click “Install ASDM Launcher and Run ASDM”. You will be prompted for your ASA login password (if configured).
Once the ASDM has been downloaded and installed login via the ASDM:
Choose “Configuration > Device Setup > Interfaces” and check “Enable traffic between two or more hosts connected to the same interface”. Please note I have also assigned the IP address 172.16.1.1/24 to the outside interface (interface 0). This is for example purposes only.
Choose “Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools” and click Add in order to create the IP address pool “vpnpool”.
Choose “Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles” and under Access Interfaces, click the check box “Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client on the interfaces selected in the table below”. Once checked you will be asked to select the AnyConnect image stored on the ASA Flash.
Also check “Allow Access” and “Enable DTLS” for the outside interface.
Choose “Configuration > Remote Access VPN > Network (Client) Access > Group Policies” and click Add to create an internal group policy “clientgroup”. Under the “General tab > More Options”, select the “SSL VPN Client” check box in order to enable the WebVPN as tunneling protocol.
In the “Advanced > Split Tunneling” tab, choose “Tunnel All Networks” from the Policy drop-down list so that all packets from the remote PC are sent through the secure tunnel.
To enable the “Keep Installer on Client System” option, uncheck the Inherit check box under “Advanced > SSL VPN Client”, and click the Yes radio button.
Click “Advanced > SSL VPN Client > Login Setting” in order to set the Post Login Setting and Default Post Login Selection as shown below.
Click “Advanced > SSL VPN Client > Key Regeneration”.
For the “Renegotiation Interval” option, uncheck the Inherit box, uncheck the Unlimited check box, and enter 30. Security is enhanced by setting limits on the length of time a key is valid.
For the “Renegotiation Method” option, uncheck the Inherit check box, and click the SSL radio button. Renegotiation can use the present SSL tunnel or a new tunnel created expressly for renegotiation.
Finally Click OK and Apply.
Choose “Configuration > Remote Access VPN > AAA/Local Users > Local Users” click Add in order to create the new user account “ssluser1”. Select a password of your choice (For example “cisco”). Click OK and then Apply.
Choose “Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Connection Profiles” click Add in order to create the new tunnel group “sslgroup”. In the “Basic” tab apply the following settings:
Under “Advanced > SSL VPN > Connection Aliases” click Add, specify the group alias “sslgroup_users” and click OK.
Choose “Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Login Page Setting”, check “Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWEBVPNGroup will be connection profile” and click Apply.
Finally choose “Configuration > Firewall > NAT Rules > Add Dynamic NAT Rule” so the traffic that comes from the inside network can be translated with outside IP address 172.16.1.5. Click OK when complete.
Choose “Configuration > Firewall > NAT Rules > Add Dynamic NAT Rule” for the traffic coming from the outside network, so that 192.168.10.0 can be translated with outside IP address 172.16.1.5. Click OK when complete.
To finish click Apply and Save.
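Once the configuration is saved it is worth checking the resulting running-config rather than trusting the GUI clicks. The following script is an added example (not part of this article or of Cisco's documentation) that reads a constructed config fragment, which I assume to be the ASA 8.0(4) CLI equivalent of the ASDM steps above (the AnyConnect image file name is a placeholder), and reports any of the security-relevant settings from this article that are missing or weakened: SVC as tunnel protocol, tunnel-all split tunneling, a bounded SSL rekey interval, the SSL renegotiation method, and AnyConnect enabled on the outside interface with DTLS still allowed.

```python
import re

# Constructed running-config fragment: the assumed CLI equivalent of the ASDM
# steps in this article (ASA 8.0(4) syntax), not copied from the page or a device.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.x-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
tunnel-group sslgroup type remote-access
"""

def block(config, header):
    """Return the stripped indented lines under the top-level line `header`."""
    lines, inside = [], False
    for line in config.splitlines():
        if line.rstrip() == header:
            inside = True
        elif inside and line.startswith(" "):
            lines.append(line.strip())
        elif inside:
            break
    return lines

def audit(config, policy="clientgroup", iface="outside", max_rekey=30):
    """Compare the VPN settings with what the article configures; return findings."""
    gp, wv, findings = block(config, f"group-policy {policy} attributes"), block(config, "webvpn"), []
    if not any(l.startswith("vpn-tunnel-protocol") and "svc" in l.split() for l in gp):
        findings.append("SSL VPN client (svc) is not an allowed tunnel protocol")
    if "split-tunnel-policy tunnelall" not in gp:
        findings.append("split-tunnel-policy is not tunnelall")
    rekey = [m.group(1) for l in gp for m in [re.match(r"svc rekey time (\S+)", l)] if m]
    if not rekey or not rekey[0].isdigit() or int(rekey[0]) > max_rekey:
        findings.append(f"svc rekey time missing, unlimited, or above {max_rekey} minutes")
    if "svc rekey method ssl" not in gp:
        findings.append("svc rekey method is not ssl")
    if f"enable {iface}" not in wv:
        findings.append(f"WebVPN not enabled on {iface} (or tls-only, which disables DTLS)")
    if "svc enable" not in wv:
        findings.append("AnyConnect client (svc enable) is off")
    return findings
```

Paste the output of "show running-config" into the script in place of the sample to check a real unit; an empty list means every setting from this article is present.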
To test you will need to connect a Windows computer to the outside interface of the ASA (interface 0) and set the IP settings to:
IP Address: 172.16.1.5
Subnet Mask: 255.255.255.0
Now open a browser (I recommend Internet Explorer for this test) and establish an SSL connection with the ASA by going to:
https://172.16.1.1
You will be prompted for your login credentials.
Once authenticated (ssluser1 / cisco / sslgroup_users) your browser will automatically download the Cisco AnyConnect client, install it and establish an SSL VPN connection to the ASA.