AnyConnect

As a matter of personal preference, I was never a HUGE fan of the ASA as a firewall appliance.  For VPN termination, it’s pretty slick but still has some issues.  Either way, I have a 5505 at home that I use for firewall and VPN.  Being bored some time ago (wish I had free time now) I decided to upgrade the device from 8.2 to 9.1 code.  Along with this change came the dreaded ASA 8.3 NAT configuration change.  I’d argue that NAT on the ASA never made true sense, but once you knew how it worked, you could make it do what you wanted it to do.  Not knowing how to configure the new mode of NAT in the CLI, I decided to try it through ASDM (this of course breaking my ‘ASDM is awful never use it’ rule (and yes, I know you have to use ASDM for some of the AnyConnect XML stuff)).  The ASDM configuration led to the automagic creation of NAT groups I didn’t need, object groups I didn’t need, and ACLs I didn’t need.  Somehow I managed to click enough buttons that it worked, but I wasn’t happy with the end state of the config.

Fast forward to now.  Now I want to be able to connect to VPN at my house, access local resources, as well as access the internet through my local Comcast connection (internet hairpin).  Thinking this would be straightforward, I pulled down a copy of my ASA config into notepad and realized that it was full of random stuff I didn’t need.  After some clean up, I came to some realizations about NAT on the newer ASA code.  Namely, the fact that you don’t HAVE to use the NAT configuration under the objects themselves.  This, at least for me, was a HUGE help.  Let’s take a quick look at my config so you can see what I’ve set up…

So the real goal here is to be able to access a hosting container I use out on the internets from my laptop.  The hosting container only allows certain IP addresses (my home IP) to access it.  So if I could VPN to my house and use my home internet connection to access the hosting space from my laptop, I’d be all set!

In order to accomplish this, you need to do some ‘weird’ NAT configuration. I’m not going to run through my whole ASA config, but here are the important pieces…

hostname ASA
!
ip local pool vpn 10.20.30.249-10.20.30.253 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.30.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <removed> 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.127.1 255.255.255.248
!
boot system disk0:/asa911-k8.bin
!
same-security-traffic permit intra-interface
object network guest
 subnet 192.168.127.0 255.255.255.248
object network locallan
 subnet 10.20.30.0 255.255.255.0
object-group network VPNPOOL
 network-object 10.20.30.248 255.255.255.248
!
nat (outside,inside) source static VPNPOOL VPNPOOL
nat (outside,outside) source dynamic VPNPOOL interface
nat (inside,outside) source dynamic locallan interface
nat (guest,outside) source dynamic guest interface
!
route outside 0.0.0.0 0.0.0.0 <removed> 1
route inside 10.0.0.0 255.255.255.0 10.20.30.117 1
!
telnet 10.20.30.0 255.255.255.0 inside
telnet timeout 1440
ssh timeout 5
console timeout 0
management-access inside
!
dhcpd address 10.20.30.100-10.20.30.200 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 192.168.127.2-192.168.127.6 guest
dhcpd dns 4.2.2.2 8.8.8.8 interface guest
dhcpd enable guest
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2017-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 2
 anyconnect profiles vpn disk0:/vpn.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy gp_anyconnect internal
group-policy gp_anyconnect attributes
 dns-server value 4.2.2.2 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list value splitvpn
 webvpn
  anyconnect profiles value vpn type user
  anyconnect ask none default anyconnect
username <removed> password <removed>
tunnel-group tg_vpn type remote-access
tunnel-group tg_vpn general-attributes
 address-pool vpn
 default-group-policy gp_anyconnect
tunnel-group tg_vpn webvpn-attributes
 group-url <removed> enable
 without-csd

Lots of config there, but what I want to focus on are the bolded lines.  The first bolded line (same-security-traffic permit intra-interface) is what tells the ASA to allow the ‘hairpin’ to occur.  Specifically, you are telling the ASA with this command that it’s ok for traffic to come in an interface with a certain security level (0) and leave through an interface with an identical security level (0).  This allows VPN traffic to come in the outside interface encrypted, and leave back out the outside interface to get to the internet.

The next 4 bolded lines (the nat statements) are the NAT configuration.  This is what I’m really interested in…

nat (outside,inside) source static VPNPOOL VPNPOOL
nat (outside,outside) source dynamic VPNPOOL interface
nat (inside,outside) source dynamic locallan interface
nat (guest,outside) source dynamic guest interface

Let’s line these statements up on our diagram to give you a visual of what’s actually going on…

The first NAT statement tells the ASA to allow the client space in from the outside interface to the inside interface and to not modify the addresses.  This allows my VPN pool (tail end of my 10.20.30.40/24) to talk to the Local LAN space. 

The second NAT statement tells the ASA to take the VPN client space in the outside interface, back out the outside interface, but to dynamically overload it to the outside interface IP.  This is the actual NAT hairpin configuration that allows a VPN client to come in the outside and then leave back out towards the internet with the NAT overload.  

The last two NATs are simple dynamic overloads for the Local LAN and the Guest LAN network.  This allows both RFC 1918 spaces to be hidden behind the outside interface of the ASA.

Not really a ton to it actually, but I did struggle initially with the NAT until I figured out I could do it without defining the NAT under the object group itself.
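A small audit of the hairpin prerequisites described above (the intra-interface permit and the outside-to-outside dynamic NAT for the VPN pool), plus the tunnelall policy from the config, written in Python as an added example that is not part of the original post. The function names and the trimmed CONFIG excerpt are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt: only the lines of the config above that the check reads.
CONFIG = """\
ip local pool vpn 10.20.30.249-10.20.30.253 mask 255.255.255.0
same-security-traffic permit intra-interface
object-group network VPNPOOL
 network-object 10.20.30.248 255.255.255.248
nat (outside,inside) source static VPNPOOL VPNPOOL
nat (outside,outside) source dynamic VPNPOOL interface
group-policy gp_anyconnect attributes
 split-tunnel-policy tunnelall
"""

def object_groups(config):
    """Map each 'object-group network' name to its address/mask members."""
    groups, current = {}, None
    for line in config.splitlines():
        head = re.match(r"object-group network (\S+)", line)
        member = re.match(r"\s+network-object ([\d.]+) ([\d.]+)", line)
        if head:
            current = head.group(1)
            groups[current] = []
        elif member and current:
            groups[current].append(ipaddress.ip_network("/".join(member.groups())))
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the group
    return groups

def hairpin_findings(config, vpn_if="outside"):
    """Return the hairpin prerequisites that are missing (empty list = OK)."""
    findings = []
    if not re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M):
        findings.append("same-security-traffic permit intra-interface is missing")
    if not re.search(r"^\s*split-tunnel-policy tunnelall\s*$", config, re.M):
        findings.append("no group-policy sets split-tunnel-policy tunnelall")
    # Groups that are PAT'd to the interface address when hairpinning on vpn_if.
    iface = re.escape(vpn_if)
    pat = re.findall(rf"^nat \({iface},{iface}\) source dynamic (\S+) interface", config, re.M)
    nets = [n for g in pat for n in object_groups(config).get(g, [])]
    for m in re.finditer(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M):
        first, last = (ipaddress.ip_address(a) for a in m.group(2, 3))
        if not any(first in n and last in n for n in nets):
            findings.append(f"pool {m.group(1)} has no ({vpn_if},{vpn_if}) dynamic interface NAT")
    return findings
```

Feed it the text of a saved running-config; each string it returns names one piece of the hairpin setup that the config lacks.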

In order to not get the annoying “Invalid certificate” errors in Internet Explorer we need to purchase and install a third party certificate for the ASA. Then we can associate the WebVPN with the certificate so we don’t get the warnings.  Of course, you can do this through the ASDM, but what fun is that?  CLI all the way, here we go.

Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue are variable names I made up, feel free to change them
-Note sections are in italics and embedded directly within the code below
-During the install/setup the CLI asks several questions.  I note when they will appear by inserting a line beginning with ‘Question Prompt –‘ in between the lines of code.  I also put the response you should enter after the line in bold.

Verify that your clock is set correctly
To do this, issue the ‘show clock’ command at the CLI.  If it isn’t configured correctly, define an NTP server (which you should have done during initial config) and ensure your time zone is set correctly.  I usually use us.pool.ntp.org as an NTP server.  You can resolve it to an IP to get rid of the DNS lookup.

Generate the CSR
ASA(config)# crypto key generate rsa label <Your domain name> modulus 2048
Notes: I use the domain name that I am going to use for the label name, it just makes it easier if everything is the same (FQDN, System FQDN, Label, etc….).  An example would be ‘SSLVPN.test.com’.  Additionally I use a 2048 bit modulus because GoDaddy (The third party CA I am using) will no longer accept the 1024 bit modulus.
ASA(config)# crypto ca trustpoint <Your domain name>
ASA(config-ca-trustpoint)# subject-name CN=<Your domain name>, OU=<Organization Unit>, O=<Organization Name>, C=<Country (US)>, St=<Your State>, L=<Your City>
ASA(config-ca-trustpoint)# keypair <Your domain name>
ASA(config-ca-trustpoint)# fqdn <Your domain name>
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# exit
ASA(config)# crypto ca enroll <Your domain name>
Question Prompt – Include the device serial number in the subject name? [yes/no]: NO
Question Prompt – Display Certificate Request to terminal? [yes/no]: YES
Notes: After answering YES the CLI will output the CSR.  You need to copy the CSR so you can submit it to your Certificate Authority (GoDaddy in this case)
Redisplay enrollment request? [yes/no]: NO

Submit your CSR to your Certificate Authority
Again, I used GoDaddy because it seemed to be the cheapest.  The certificate was less than $30 for the year.  You purchase a certificate credit and then when you are ready to submit your CSR you go into their Certificate Management Portal under your login and submit the CSR.  After submitting the request it took about 5 minutes for my certificate to be generated.  You download the certificate file in Zip format.  In the Zip file you should have two certificates.  One is the certificate for the FQDN which you purchased and the other is the certificate for the CA.  This is where it gets a little tricky. First you need to authenticate the CA by importing their certificate.  Then you need to import your actual certificate.  I’m not going to get into the details of how certificates work but if you don’t know how, you should find out.  Google ‘Public Key encryption’.  Alright, so my Zip file had two certificates in it.

gd_bundle.crt – The certificate for the CA
<Domain name>.crt – The certificate for my domain

You’ll need to export both of the certificates to Base-64 encoded X.509.  To do this in Windows double click the certificate.  A certificate window with three tabs should appear as shown below.

Click on the second tab ‘Details’ and select the ‘Copy to File…’ button

This will open the Certificate Export Wizard.  Press NEXT

On the next screen select ‘Base-64 encoded X.509 (.CER)’ and press NEXT

On the following screen select a location to output the file to and press NEXT

Press FINISH on the summary screen.  You should get a pop up window indicating that export was successful.

Now browse to where you chose to store the certificate, right click on it, select ‘Open With’, and choose WordPad.  When you open it in WordPad you should get something similar to what is shown below.

Perform this certificate Export for your certificate as well as the CA’s certificate.   During the rest of the walk through I will refer to these exports as “CA Certificate”(The CA’s certificate) and “CA Certificate Response”(The certificate for your domain).

Install the certificates on the ASA
ASA(config)# crypto ca authenticate <Your domain name>
Notes: You will now receive the prompt shown below.
”Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself”
Copy the CA Certificate and paste it into the CLI window.  Then make sure you are on a new line, type the word quit, and press enter.

Question Prompt – Do you accept this certificate? [yes/no]: yes
Notes: After you accept the certificate you should get a message indicating that the certificate import was successful
ASA(config)# exit
ASA(config)# crypto ca import <Your domain name> certificate
Notes: You will now receive the prompt shown below.
”Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself”
Copy the CA Certificate Response and paste it into the CLI window.  Then make sure you are on a new line, type the word quit, and press enter. After you press enter you should get a message indicating that the certificate import was successful

Tell WebVPN to use your new certificate
ASA(config)# ssl trust-point <Your domain name> outside

Verify
You can use the command ‘show crypto ca certificates’ to verify that your certificates imported successfully.  Of course the other way to test would be to just connect to the outside IP on SSL and see if you still get that annoying warning.

SSL VPN is the new buzz phrase among VPN solutions.  Cisco decided to stop supporting their standard IPSec client in 64 bit OSes.  While some won’t agree with me, I believe this to be a pretty clear indication that Cisco wants us to start using SSL for our client VPN solutions.  IPSec will continue to rule the world of L2L (LAN to LAN) VPNs for the time being.

The configuration is actually pretty straightforward.  I’ll walk through the commands below and then follow up with some comments.  I’m going to assume here that you are using a different subnet for your VPN network and your local network.  I’m also assuming you will be using Local authentication.  We may configure Radius in a later post.

Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue are variable names I made up, feel free to change them

Define or add a No Nat ACL
ASA(config)# access-list nonat extended permit ip <local access range> <subnet> <vpn access range> <subnet>

Apply the No Nat ACL
ASA(config)# nat (inside) 0 access-list nonat

Define your Split Tunnel ACL
ASA(config)# access-list splitVPN standard permit <local access range> <local access subnet>

Define the Group Policy for the WebVPN
ASA(config)# group-policy GP_SSLVPN internal 
ASA(config)# group-policy GP_SSLVPN attributes 
ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
ASA(config-group-policy)# webvpn 
ASA(config-group-webvpn)# split-tunnel-policy tunnelspecified
ASA(config-group-webvpn)# split-tunnel-network-list value splitVPN
ASA(config-group-webvpn)# split-dns value <dns domain (Ex: interubernet.com)>
ASA(config-group-webvpn)# dns-server value <ip address>

Define a DHCP pool for the clients to use
ASA(config)# ip local pool SSL_Pool <VPN Range> mask <Range Mask>

Define a local user to use for the VPN
ASA(config)# username <username> password <password> privilege 0
ASA(config)# username <username> attributes 
ASA(config-username)# vpn-group-policy GP_SSLVPN

Enable WebVPN
ASA(config)# webvpn 
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc image disk0:/<anyconnect image file name> 1
ASA(config-webvpn)# svc image disk0:/<2nd anyconnect image file name (for Mac or Linux)> 2
ASA(config-webvpn)# svc enable

Define the tunnel group
ASA(config)# tunnel-group TG_SSLVPN type remote-access
ASA(config)# tunnel-group TG_SSLVPN general-attributes
ASA(config-tunnel-general)# default-group-policy GP_SSLVPN
ASA(config-tunnel-general)# address-pool SSL_Pool

Link the tunnel group to WebVPN
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# tunnel-group TG_SSLVPN webvpn-attributes 
ASA(config-tunnel-webvpn)# group-alias AnyConnect enable

Wrap it up by saving the config
ASA(config)# write

After you have finished entering the above commands you should have the base AnyConnect solution configured.  If you browse to the secure (https://) external address of your ASA you should get the login page for the WebVPN Portal.  Keep in mind that we haven’t configured a certificate for the ASA yet, so anyone browsing to your portal page will get an error indicating that the certificate is invalid.  The ASA will use a self-generated certificate any time it doesn’t have a third-party one defined.  The VPN solution will work fine without a certificate but clicking on all of the error messages can be annoying.  In one of our next posts we will install a certificate from a third-party CA so we don’t get the annoying security warnings.
