How To Configure AnyConnect SSL VPN on Cisco ASA 5500
In a previous post (anyconnect ssl vpn) I briefly explained the general functionality of the new remote access VPN technology, the AnyConnect SSL client VPN. AnyConnect is supported on the new ASA 8.x software version and provides remote access to users with just a secure web browser (HTTPS). The AnyConnect client software supports Windows Vista, XP, 2000, Mac OS X and Linux. The client can either be preinstalled on the remote user’s PC, or it can be stored on the ASA flash and pushed to the remote user’s PC when they connect to the ASA. You also have the option to uninstall the client from the remote user’s PC when he/she disconnects from the ASA.
In this post I will explain the technical details of configuring AnyConnect SSL VPN on a Cisco ASA 5500. I assume that we use AnyConnect client version 2.0, which will be stored on the ASA flash and pushed to the remote user on demand. The same configuration applies to newer versions of AnyConnect. The remote users, after successful authentication, will receive an IP address from the local ASA pool 192.168.100.1-50. The internal ASA network will use the subnet range 192.168.5.0/24.
Therefore, after the remote user successfully authenticates on the Cisco ASA with the AnyConnect client, they will receive an IP address in the range 192.168.100.1 to 50 and will be able to access resources in the internal LAN network 192.168.5.0/24.
Upload AnyConnect to ASA
The first step is to obtain the AnyConnect client software from the Cisco Software Download Website. You will need to download the appropriate software version according to the Operating System that your users have on their computers.
Assume the VPN client software file is “anyconnect-win-2.0.0343-k9.pkg”.
ASA(config)# copy tftp flash
Address or name of remote host ? 192.168.5.10
Source filename ? anyconnect-win-2.0.0343-k9.pkg
Destination filename [anyconnect-win-2.0.0343-k9.pkg]?
Accessing tftp://192.168.5.10/anyconnect-win-2.0.0343-k9.pkg…!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.0.0343-k9.pkg…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Configuring the Cisco ASA
! Specify the AnyConnect image to be downloaded by users
ASA(config)#webvpn
ASA(config-webvpn)#svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
! Enable AnyConnect access on the outside ASA interface
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#svc enable
ASA(config-webvpn)#exit
! Create a local IP address pool to assign for remote users
ASA(config)# ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
! Configure NAT exemption for traffic between internal LAN and remote users
ASA(config)#access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list NONAT
! Create usernames that will use the AnyConnect remote access only
ASA(config)#username userA password test123
ASA(config)#username userA attributes
ASA(config-username)# service-type remote-access
ASA(config)#username userB password test12345
ASA(config)#username userB attributes
ASA(config-username)# service-type remote-access
! Create a group policy with configuration parameters that should be applied to clients (there are two options available here, depending on the ASA version you are running)
OPTION 1
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# vpn-tunnel-protocol svc
ASA(config-group-policy)# address-pools value SSLClientPool
OPTION 2
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# address-pools value SSLClientPool
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)#vpn-tunnel-protocol svc
! Allow the AnyConnect traffic to bypass access lists
ASA(config)# sysopt connection permit-vpn
! Create tunnel group profile to define connection parameters
ASA(config)# tunnel-group SSLClientProfile type remote-access
ASA(config)# tunnel-group SSLClientProfile general-attributes
ASA(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA(config-tunnel-general)# tunnel-group SSLClientProfile webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA(config-tunnel-webvpn)# webvpn
ASA(config-webvpn)#tunnel-group-list enable
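As an added example that is not part of the original post, here is a small Python checker that reads ASA configuration text, reports which of the AnyConnect pieces configured above are missing (accepting either the pre-8.3 `nat 0 access-list` exemption or the 8.3+ identity-NAT form), flags an address pool that overlaps the inside LAN, and notes when `sysopt connection permit-vpn` is set without a `vpn-filter` on the group policy. The sample config is constructed from the commands above with the NAT exemption left out on purpose.

```python
import ipaddress
import re

# Constructed sample (not a real device dump): the config lines that the
# walkthrough above produces, with the NAT exemption deliberately left out.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
group-policy SSLCLientPolicy attributes
 vpn-tunnel-protocol svc
 address-pools value SSLClientPool
sysopt connection permit-vpn
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLCLientPolicy
"""

# Required pieces, matched on whitespace-stripped lines. NAT exemption may be
# the pre-8.3 'nat 0 access-list' form or the 8.3+ 'source static' identity NAT.
REQUIRED = {
    "svc image": r"^svc image \S+",
    "svc enable": r"^svc enable$",
    "webvpn enabled on an interface": r"^enable \S+$",
    "address pool in group-policy": r"^address-pools value \S+",
    "SSL client protocol in group-policy": r"^vpn-tunnel-protocol .*\b(svc|ssl-client)\b",
    "default-group-policy in tunnel-group": r"^default-group-policy \S+",
    "NAT exemption between LAN and VPN pool":
        r"^nat \((inside\) 0 access-list|inside,outside\) source static) \S+",
}


def check_anyconnect_config(config, inside_net="192.168.5.0/24"):
    """Return a list of findings for the AnyConnect settings in ASA config text."""
    lines = [line.strip() for line in config.splitlines()]
    findings = ["missing: " + name for name, pattern in REQUIRED.items()
                if not any(re.match(pattern, line) for line in lines)]
    lan = ipaddress.ip_network(inside_net)
    for line in lines:
        pool = re.match(r"^ip local pool \S+ (\S+)-(\S+) mask", line)
        if pool and any(ipaddress.ip_address(ip) in lan for ip in pool.groups()):
            findings.append("pool overlaps inside LAN " + inside_net)
    # permit-vpn lets decrypted VPN traffic bypass the interface ACLs, so any
    # per-user restriction has to come from a vpn-filter on the group-policy.
    if "sysopt connection permit-vpn" in lines and not any(
            line.startswith("vpn-filter value ") for line in lines):
        findings.append("note: permit-vpn bypasses interface ACLs and no vpn-filter is set")
    return findings
```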
How to Connect
The user just needs to open a browser and go to https://[outside ASA IP].
The AnyConnect login screen is then displayed.
In the “Group” field, enter the name of the tunnel group SSLClientProfile or SSLVPNClient (the group alias name).
In the “Username” and “Password” fields, enter the user credentials (e.g. userA, test123).
I’ve tried using this configuration example on my simple ASA configuration. I’m able to get the client to load from the https:// URL, however when enabling debug (debug webvpn svc 255) on the ASA 5505, it errors out with: SVC message: t/s=3/16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).
Before that it is assigning it an IP address and such.
On the VPN Client log, I see:
A SSL connection has been established using cipher RC4-SHA .
then
Function: CNetInterface::GetIPAddrInfo Return code: 0xFE0F000F File: .\Utility\NetInterface.cpp Line: 256 Description: NETINTERFACE_ERROR_INTERFACE_NOT_AVAILABLE . (repeats 4 times)
Termination reason code 16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.). .
Function: CVpnMgr::initiateTunnel Return code: 0xFE0A0010 File: .\VpnMgr.cpp Line: 1014 Description: VPNMGR_ERROR_TERMINATING .
Termination reason code 16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.). .
Mike, I have a couple of employees that are having the same issue and the exact same error in the event log. One of the things I noticed was another event ID, 53. It shows the following about the end users local ethernet interface:
Public address: 127.0.0.1
Public mask: 255.0.0.0
When I look at Event ID 53 on my PC and others, it shows the local interface ip address, not loopback. I’m not sure what is causing the local interface to register with a loopback address. Does your PC have the same info in event ID 53?
If anyone has an answer please post.
Thanks,
Shea
Incorrect
vpn-tunnel-protocol svc
Correct
vpn-tunnel-protocol webvpn
Hello Jimmy,
Well, after ASA version 7.3(1), a new keyword was added to allow SSL tunnel negotiation. This is the “svc” keyword. I don’t know what version of ASA you are referring to, but the “vpn-tunnel-protocol svc” command is correct. In some other cases (again according to what ASA version you are running), you might need to configure the following under the group policy:
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# vpn-tunnel-protocol svc
Thank you for your help! Good work.
cannot access resources in the internal LAN network 192.168.5.0/24.
is there any correction?
Hello there,
It should be working. This configuration works on a firewall I have with no problems.
Hello,
Any idea where the certificates for the SSL stuff are kept? I’m kinda wanting to see what the traffic looks like under Wireshark, which needs the SSL key pair to decrypt the SSL traffic. Any clue?
Thanks
Hello Haku,
Maybe the following will help you:
show ca mypubkey rsa
Mike, Shea: Deactivating Kaspersky AV reproducibly fixed the problem. I could connect without a glitch as soon as I turned the AV engine off. Bummer.
Nice article. I would like to mention that some users may want to use the ‘port’ command before ‘enable outside’ to run WebVPN on a port other than 443, just in case something else is using https on the outside interface (like Active Sync for example). Thanks again.
Thank you so much I was looking for something like this.
Thanks
Just one problem: I have defined a pool of /28 IP addresses. Now when the customer connects, it gets the first IP address from the pool and the default gateway is the next available IP address… which is not assigned to anything, and the client is not able to connect to anything.
Any idea, is this how it should be?
It looks like your example is great. I am trying to configure this in a new ASA 5505. It will not allow me to use the command “nat (inside) 0 access-list NONAT”. It says I must use object-groups, but I am not sure how to yet. Can you please explain?
Thanks
Hello Jamie,
The reason you get this message is that you are running version 8.3 or later. From ASA 8.3 the NAT configuration has been completely changed. In order to configure “nat 0” you must do the following (using object groups):
We need to exempt traffic going from 192.168.5.0/24 to 192.168.100.0/24.
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.100.0 obj-192.168.100.0