SSL VPN is the new buzz phrase among VPN solutions. Cisco decided to stop supporting their standard IPSec client on 64-bit OSes. While some won’t agree with me, I believe this to be a pretty clear indication that Cisco wants us to start using SSL for our client VPN solutions. IPSec will continue to rule the world of L2L (LAN-to-LAN) VPNs for the time being.
The configuration is actually pretty straightforward. I’ll walk through the commands below and then follow up with some comments. I’m going to assume here that you are using a different subnet for your VPN network and your local network. I’m also assuming you will be using local authentication. We may configure RADIUS in a later post.
Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue marks variable names I made up; feel free to change them
Define or add a No Nat ACL
ASA(config)# access-list nonat extended permit ip <local access range> <subnet> <vpn access range> <subnet>
Apply the No Nat ACL
ASA(config)# nat (inside) 0 access-list nonat
Define your Split Tunnel ACL
ASA(config)# access-list splitVPN standard permit <local access range> <local access subnet>
Define the Group Policy for the WebVPN
ASA(config)# group-policy GP_SSLVPN internal
ASA(config)# group-policy GP_SSLVPN attributes
ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value splitVPN
ASA(config-group-policy)# split-dns value <dns domain (Ex: interubernet.com)>
ASA(config-group-policy)# dns-server value <ip address>
Note that split-tunnel-policy, split-tunnel-network-list, split-dns and dns-server are group-policy attributes, so they are entered in config-group-policy mode rather than in the webvpn sub-mode of the group policy.
Define a DHCP pool for the clients to use
ASA(config)# ip local pool SSL_Pool <VPN Range> mask <Range Mask>
Define a local user to use for the VPN
ASA(config)# username <username> password <password> privilege 0
ASA(config)# username <username> attributes
ASA(config-username)# vpn-group-policy GP_SSLVPN
Enable WebVPN
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc image disk0:/<anyconnect image file name> 1
ASA(config-webvpn)# svc image disk0:/<2nd anyconnect image file name (for Mac or Linux)> 2
ASA(config-webvpn)# svc enable
Define the tunnel group
ASA(config)# tunnel-group TG_SSLVPN type remote-access
ASA(config)# tunnel-group TG_SSLVPN general-attributes
ASA(config-tunnel-general)# default-group-policy GP_SSLVPN
ASA(config-tunnel-general)# address-pool SSL_Pool
Link the tunnel group to WebVPN
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# tunnel-group TG_SSLVPN webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias AnyConnect enable
Wrap it up by saving the config
ASA(config)# write
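The commands above all hang off two ranges, the local LAN and the VPN pool, and the post's one hard assumption is that those ranges are different subnets. The script below is an added example (not from the original post and not Cisco tooling) that renders the same command set from a handful of parameters, refuses to render if the pool overlaps the LAN, derives the first-last pool range that ip local pool expects, and shows which destinations a client will actually send through the tunnel under split-tunnel-policy tunnelspecified. The sample addresses, domain, image file names and the hypothetical CHANGEME password are constructed placeholders; substitute your own.

```python
import ipaddress

# Constructed sample values (assumptions for this example, not from the post).
LOCAL_NET = "192.168.10.0/24"      # inside LAN the VPN clients should reach
VPN_POOL = "192.168.200.0/24"      # AnyConnect address pool; must not overlap LOCAL_NET
DNS_SERVER = "192.168.10.5"
DNS_DOMAIN = "example.com"
IMAGES = ["anyconnect-win-example.pkg", "anyconnect-macosx-example.dmg"]  # placeholder names
USERNAME = "vpnuser"
PASSWORD = "CHANGEME-password"     # placeholder; the ASA stores the real one hashed


def subnets_overlap(local_net: str, vpn_pool: str) -> bool:
    """True if the VPN pool shares any address with the local LAN. The nonat
    and splitVPN ACLs only make sense when the two ranges are disjoint."""
    local = ipaddress.ip_network(local_net, strict=True)
    pool = ipaddress.ip_network(vpn_pool, strict=True)
    return local.overlaps(pool)


def pool_range(vpn_pool: str) -> tuple:
    """ip local pool takes a first-last host range plus a mask, not CIDR."""
    net = ipaddress.ip_network(vpn_pool, strict=True)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.netmask)


def render_config(local_net, vpn_pool, dns_server, dns_domain, images,
                  username, password) -> list:
    """Return the ASA command lines from the post, filled in with the given
    values. Raises ValueError instead of rendering an inconsistent config."""
    if subnets_overlap(local_net, vpn_pool):
        raise ValueError(f"VPN pool {vpn_pool} overlaps local network {local_net}")
    local = ipaddress.ip_network(local_net)
    pool = ipaddress.ip_network(vpn_pool)
    first, last, mask = pool_range(vpn_pool)
    lines = [
        f"access-list nonat extended permit ip {local.network_address} {local.netmask} "
        f"{pool.network_address} {pool.netmask}",
        "nat (inside) 0 access-list nonat",
        f"access-list splitVPN standard permit {local.network_address} {local.netmask}",
        "group-policy GP_SSLVPN internal",
        "group-policy GP_SSLVPN attributes",
        " vpn-tunnel-protocol svc webvpn",
        " split-tunnel-policy tunnelspecified",
        " split-tunnel-network-list value splitVPN",
        f" split-dns value {dns_domain}",
        f" dns-server value {dns_server}",
        f"ip local pool SSL_Pool {first}-{last} mask {mask}",
        f"username {username} password {password} privilege 0",
        f"username {username} attributes",
        " vpn-group-policy GP_SSLVPN",
        "webvpn",
        " enable outside",
    ]
    # Each client image gets its own ordinal, as in the svc image lines of the post.
    for idx, image in enumerate(images, start=1):
        lines.append(f" svc image disk0:/{image} {idx}")
    lines += [
        " svc enable",
        " tunnel-group-list enable",
        "tunnel-group TG_SSLVPN type remote-access",
        "tunnel-group TG_SSLVPN general-attributes",
        " default-group-policy GP_SSLVPN",
        " address-pool SSL_Pool",
        "tunnel-group TG_SSLVPN webvpn-attributes",
        " group-alias AnyConnect enable",
    ]
    return lines


def goes_through_tunnel(destination: str, split_acl_networks) -> bool:
    """Under split-tunnel-policy tunnelspecified only destinations matched by
    the split ACL are encrypted into the tunnel; anything else leaves the
    client's local interface directly."""
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(n) for n in split_acl_networks)


if __name__ == "__main__":
    for line in render_config(LOCAL_NET, VPN_POOL, DNS_SERVER, DNS_DOMAIN,
                              IMAGES, USERNAME, PASSWORD):
        print(line)
    print("192.168.10.7 tunnelled:", goes_through_tunnel("192.168.10.7", [LOCAL_NET]))
    print("8.8.8.8 tunnelled:", goes_through_tunnel("8.8.8.8", [LOCAL_NET]))
```

The split-tunnel check is the part worth keeping around: it makes explicit that with tunnelspecified, traffic to anything outside the splitVPN ACL (Internet browsing included) bypasses the ASA entirely, which is the trade-off you accept when you choose split tunnelling over tunnelling everything.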
After you have finished entering the above commands you should have the base AnyConnect solution configured. If you browse to the secure (https://) external address of your ASA you should get the login page for the WebVPN Portal. Keep in mind that we haven’t configured a certificate for the ASA yet, so anyone browsing to your portal page will get an error indicating that the certificate is invalid. The ASA uses a self-generated certificate any time it doesn’t have a third-party one defined. The VPN solution will work fine without a certificate, but clicking through all of the error messages can be annoying. In one of our next posts we will install a certificate from a third-party CA so we don’t get the annoying security warnings.
Whoever needs to have written or generated this particular website ought to be skilled in this region of expertise.
Thanks for writing this awesome article. I’ve been reading your blog for a long time already but I never felt compelled to leave a comment. I saved your blog in my RSS feed and shared it on my Twitter. Thanks again for this great post!
Thanks for your help. I tried many times to configure SSL VPN on a Cisco ASA but failed. But your tips made it possible. I appreciate your job.