5 August 2012

How to configure basic Anyconnect Essentials on Cisco ASA?

Over the last few days I've struggled to find a nice concise guide to configuring AnyConnect on an ASA for the specific requirements needed for some work I've been doing. So... here is a basic configuration that addresses the following requirements:
  1. Authenticate VPN users to local database of ASA (no radius/LDAP servers used)
    • VPN-only users will not have admin access to ASA.
  2. Allow AnyConnect VPNs to access the ASA's LAN network across the VPN
  3. AnyConnect must run on a non-default port (TCP 442 was chosen for this example)
  4. NAT translate ports of router's outside IP address to internal servers
    • HTTPS and SMTP port will be NAT translated to a specific server on the LAN
This configuration is for ASA code 8.4. This won't work for 8.2 or below (different CLI commands for NAT and Anyconnect). 

The configuration follows...

Define the interface settings. Inside/Outside + IPs:
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.128
!
Define some object groups for NAT statements later on...
object service SMTP
 service tcp source eq smtp
object service HTTPS
 service tcp source eq https
object network 192.168.16.2
 host 192.168.16.2
object network 192.168.16.0
 subnet 192.168.16.0 255.255.255.0
object-group network NO_NAT
 network-object 10.1.88.0 255.255.255.128
 network-object 10.1.88.128 255.255.255.128
Define an ACL for VPN Client access.
access-list VPN_CLIENT_ACL remark === ACL for range the VPN users will access across VPN
access-list VPN_CLIENT_ACL standard permit 192.168.1.0 255.255.0.0
ip local pool VPN_CLIENT_POOL 10.1.1.1-10.1.1.254 mask 255.255.255.0
Define NAT statements for PAT of outside interface (192.168.1.2 is actually the name of an object-group):
nat (inside,outside) source static 192.168.1.2 interface service HTTPS HTTPS
nat (inside,outside) source static 192.168.1.2 interface service SMTP SMTP
Define NAT statements for NO-NAT traffic (i.e. traffic destinations we never want to apply NAT on)
nat (inside,outside) source static any any destination static NO_NAT NO_NAT
Define NAT statement for overload NAT (i.e. everyone from object group 192.168.1.0 can be overloaded with NAT to appear as 1.1.1.1 on way out to internet).
object network 192.168.1.0
 nat (inside,outside) dynamic interface
Define AAA to use local database for ASDM/SSH.
aaa authentication ssh console LOCALaaa authentication http console LOCAL 
Define default route to internet via next hop 1.1.1.2.
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
Define global anyconnect settings (image locations, port used, interface anyconnect is enabled on, etc)
webvpn
 port 442
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
Define group-policy settings for VPN clients to use (anything not defined here is inherited from default group-policy (do a show run all to see it)
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
 dns-server value 192.168.1.2
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value domain.com
 address-pools value VPN_CLIENT_POOL
Define local accounts:
username testaccount password xxxxxx encrypted
username testaccount attributes
 service-type remote-access
username admin password xxxxxx encrypted privilege 15
Define VPN profile
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy VPN_CLIENT_POLICY
 tunnel-group VPN webvpn-attributes
 group-alias VPN enable
In the above: 
  • Under the webvpn section there is the port 442 which moves Anyconnect to terminate to TCP port 442 rather then default 443 (HTTPS).
  • The outside interface IP has it's TCP ports for HTTPS and SMTP NAT translated to 192.168.1.2 in this example through the use of static NAT translations. 
  • We have a NO_NAT NAT statement which defines that we don't NAT anything going to the VPN Pool's IP (i.e. the IPs VPN users use - In this case 10.1.1.x/24) 
  • We have a global overload NAT which defines that on the way out to the internet from the inside interface we will be hidden behind the outside IP address of the ASA (i.e. 1.1.1.1 in this example). 
  • We also have two user accounts setup, 
    • admin account which has full admin/VPN access 
    • testaccount one which has access only to VPN (not to ASA admin).
I'll stop here for now.... Hope this helps someone.