ASA SSL

The Cisco AnyConnect VPN Client provides secure SSL connections to the ASA security appliance for remote users. Without a previously installed client, remote users can simply enter the IP address or domain name of the ASA in their browser. After entering the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. 

The installation and configuration of the AnyConnect SSL VPN can be done either with the ASDM GUI management client or via the CLI. I'll cover the installation and configuration via the CLI. I will also cover the configuration of WebVPN, group policy, and ACLs as they relate to AnyConnect SSL connections, and the corresponding.

The first place to begin with the AnyConnect SSL VPN is certificate installation and configuration. The ASA comes with a factory-installed self-signed certificate, but it is not tied to any Public Key Infrastructure (PKI), so users will receive a certificate error when they first connect via HTTPS to install the AnyConnect client, and again every time they connect with the AnyConnect client after it has been installed.

Basic Public Key Infrastructure

  1. If the CA trusts the ASA, then the ASA can trust the CA.
  2. If the CA trusts the Client, then the Client can trust the CA.
  3. If the ASA and the Client both trust the CA, then they can trust each other.

Generate a signing request from the ASA

ASA#configure terminal
ASA(config)#crypto key generate rsa label my.cert.key modulus 1024
ASA(config)#crypto ca trustpoint my.cert.trustpoint
ASA(config-ca-trustpoint)#keypair my.cert.key
ASA(config-ca-trustpoint)#fqdn my.company.com
ASA(config-ca-trustpoint)#enrollment terminal
ASA(config-ca-trustpoint)#exit
ASA(config)#crypto ca enroll my.cert.trustpoint
ASA(config)#exit
ASA#

Certificate Installation

Download your Intermediate and Primary Certificate files from your favorite Certificate Authority, such as VeriSign, GoDaddy, DigiCert, Thawte, etc. These are all well-respected Certificate Authorities, but use whatever works for you or your company. At this point you will use the Certificate Signing Request to generate a Primary Certificate for the ASA.

  1. Start ASDM
  2. Click the Configuration Tab at the top of the screen
  3. In the Tree menu expand Certificate Management portion
  4. Select CA Certificate option
  5. Click the Add button in the upper right hand corner of the screen
  6. Enter the Trust name for the Certificate you downloaded
  7. Click the Browse button to search for your file
  8. After you have loaded the Certificate from file click Install

In this example I’m going to be using a subinterface on the ASA for all inbound SSL connections. This is by no means mandatory, it’s just a good way to direct Clients over a particular interface and VLAN. I’m not covering the required Switch trunk configurations for the VLAN, but you get the idea.

ASA#configure terminal
ASA(config)#interface Ethernet0/3.1
ASA(config-subif)#vlan 20
ASA(config-subif)#nameif vpn
ASA(config-subif)#security-level 0
ASA(config-subif)#ip address 172.18.126.4 255.255.255.0
ASA(config-subif)#exit
ASA(config)#exit
ASA#

Let's ensure that all VPN-related traffic traverses the VPN subinterface we created previously. We can do this by simply adding the following default tunneled route.

ASA#configure terminal
ASA(config)#route vpn 0.0.0.0 0.0.0.0 172.18.126.1 tunneled
ASA(config)#exit
ASA#

Depending on your method of authentication, you can configure RADIUS, TACACS+, or both in your environment. If you choose to use Active Directory via RADIUS, you will need to configure either Windows Server 2003 Internet Authentication Service (IAS) or Windows Server 2008 Network Policy Server (NPS).

ASA#configure terminal
ASA(config)#aaa-server RADIUS protocol radius
ASA(config-aaa-server-group)#exit
ASA(config)#aaa-server RADIUS (inside) host 172.18.126.20
ASA(config-aaa-server-host)#key *****
ASA(config-aaa-server-host)#exit
ASA(config)#aaa-server TACACS protocol tacacs+
ASA(config-aaa-server-group)#exit
ASA(config)#aaa-server TACACS (inside) host 172.18.126.21
ASA(config-aaa-server-host)#key *****
ASA(config-aaa-server-host)#exit
ASA(config)#exit
ASA#
ASA#show aaa-server RADIUS
Server Group: RADIUS
Server Protocol: radius
Server Address: 172.18.126.20
Server port: 1645(authentication), 1646(accounting)
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 1838
Number of authorization requests 0
Number of accounting requests 3091
Number of retransmissions 0
Number of accepts 4640
Number of rejects 273
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 16
Number of unrecognized responses 0

Let's create a couple of VPN pools, one for Admins and the other for Users. The reason for the two pools is simple. The first, and most important, reason is to ensure that the IT support staff always have access to the network in the event that the Users pool is exhausted.

ASA#configure terminal
ASA(config)#ip local pool Admins 172.18.126.50-172.18.126.55 mask 255.255.255.0
ASA(config)#ip local pool Users 172.18.126.56-172.18.126.80 mask 255.255.255.0
ASA(config)#exit
ASA#
ASA#configure terminal
ASA(config)#group-policy Admins internal
ASA(config)#group-policy Admins attributes
ASA(config-group-policy)#vpn-access-hours none
ASA(config-group-policy)#vpn-simultaneous-logins 3
ASA(config-group-policy)#vpn-idle-timeout none
ASA(config-group-policy)#vpn-session-timeout none
ASA(config-group-policy)#vpn-filter none
ASA(config-group-policy)#vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
ASA(config-group-policy)#group-lock value DefaultWEBVPNGroup
ASA(config-group-policy)#vlan 20
ASA(config-group-policy)#address-pools value Admins
ASA(config-group-policy)#exit
ASA(config)#

Let's create the group policy for our users who will be connecting via the AnyConnect SSL client. The group policy attributes let you set specific options for users when they connect, such as access hours, idle timeout, VLAN, simultaneous logins, etc.

ASA#
ASA#configure terminal
ASA(config)#group-policy Users internal
ASA(config)#group-policy Users attributes
ASA(config-group-policy)#vpn-access-hours none
ASA(config-group-policy)#vpn-simultaneous-logins 3
ASA(config-group-policy)#vpn-idle-timeout none
ASA(config-group-policy)#vpn-session-timeout none
ASA(config-group-policy)#vpn-filter value Users
ASA(config-group-policy)#vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
ASA(config-group-policy)#group-lock value DefaultWEBVPNGroup
ASA(config-group-policy)#vlan 20
ASA(config-group-policy)#address-pools value Users
ASA(config-group-policy)#exit
ASA(config)#object network VPNPOOL
ASA(config-network-object)#range 172.18.126.56 172.18.126.80
ASA(config-network-object)#exit
ASA(config)#exit
ASA#show run object id VPNPOOL
object network VPNPOOL
 range 172.18.126.56 172.18.126.80

Notice that the ACL below doesn't affect the Admins, because the Admins group policy has no VPN filter assigned. This gives the Admins group complete access to the network, while the Users group policy references the ACL by name through its vpn-filter.

ASA#
ASA#configure terminal
ASA(config)#access-list Users extended permit tcp object VPNPOOL any eq www
ASA(config)#access-list Users extended permit tcp object VPNPOOL any eq https
ASA(config)#access-list Users extended permit icmp object VPNPOOL any
ASA(config)#webvpn
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 1
ASA(config-webvpn)#anyconnect enable
ASA(config-webvpn)#end
ASA#
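The pools, AAA server groups, vpn-filter ACL and group policies above all reference each other by name, and the ASA accepts a dangling or mis-cased name without complaint. The following is an added example (not from the original post) of a small lint pass over a running-config excerpt; the excerpt is constructed to mirror this walkthrough, with the TACACS host deliberately attached to a group whose defined name differs in case.

```python
import ipaddress, re

# Constructed running-config excerpt mirroring the pools, AAA groups, ACL and
# group policies built in this walkthrough (one deliberate AAA name mismatch).
SAMPLE_CONFIG = """
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.18.126.20
aaa-server tacacs+ protocol tacacs+
aaa-server TACACS (inside) host 172.18.126.21
ip local pool Admins 172.18.126.50-172.18.126.55 mask 255.255.255.0
ip local pool Users 172.18.126.56-172.18.126.80 mask 255.255.255.0
access-list Users extended permit tcp object VPNPOOL any eq www
group-policy Admins attributes
 vpn-filter none
 address-pools value Admins
group-policy Users attributes
 vpn-filter value Users
 address-pools value Users
"""

def lint_asa_vpn_config(text):
    groups, hosts, acls, pools, refs = set(), set(), set(), {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"aaa-server (\S+) protocol ", line):
            groups.add(m.group(1))
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host ", line):
            hosts.add(m.group(1))
        elif m := re.match(r"ip local pool (\S+) ([^\s-]+)-(\S+)", line):
            pools[m.group(1)] = tuple(ipaddress.ip_address(a) for a in m.group(2, 3))
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"(vpn-filter|address-pools) value (\S+)", line):
            refs.append(m.group(1, 2))
    findings = []
    # ASA names are case-sensitive: a host added to a group that was never
    # defined with "aaa-server NAME protocol" belongs to no usable group.
    for g in sorted(hosts - groups):
        findings.append(f"aaa-server host added to undefined group '{g}'")
    # vpn-filter must name an existing ACL; address-pools an existing pool.
    for kind, name in refs:
        if name not in (acls if kind == "vpn-filter" else pools):
            findings.append(f"{kind} references undefined '{name}'")
    # Overlapping pools could hand the same address to two concurrent sessions.
    names = sorted(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pools[a][0] <= pools[b][1] and pools[b][0] <= pools[a][1]:
                findings.append(f"pools '{a}' and '{b}' overlap")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_asa_vpn_config(SAMPLE_CONFIG)))
```

Run it against the output of `show running-config` saved to a file to catch the name mismatches before users start connecting.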

The installation of the AnyConnect client via HTTPS from the ASA is almost completely automatic. After the initial logon from the web page on the ASA, the installation process begins. The installation requires administrative privileges, and it will check for the presence of either Java or ActiveX, depending on your system.
