Anyconnect VPN Configuration Using Multiple Subinterfaces

smittytech · August 23, 2023, 4:57pm

I’ve been trying to configure a Remote Access (Anyconnect/Secure Client) on our Cisco ASA 5508-X. However, I keep running into issues. I think my core problem is correctly configuring my PAT and NAT Exemption. However, it also seems like my Secure Client Profile is not being used, and it is choosing the default profiles instead.

Here is a sanitized version of my configuration:




Static External IP *


interface GigabitEthernet1/1

nameif external

security-level 0

ip address XX.XX.XX.XX 255.255.255.0

!


Internal Subinterfaces *


interface GigabitEthernet1/5

description Connected to Switch01 GigabitEthernet0/25

no shut

no nameif

security-level 0

no ip address

!

interface GigabitEthernet1/5.20

description inside20 vlan

vlan 20

nameif inside20

security-level 100

ip address XX.XX.20.1 255.255.255.0

!

interface GigabitEthernet1/5.30

description inside30 vlan

vlan 30

nameif inside30

security-level 100

ip address XX.XX.30.1 255.255.255.0

!

interface GigabitEthernet1/5.40

description inside40 vlan

vlan 40

nameif inside40

security-level 100

ip address XX.XX.40.1 255.255.255.0

!

!


Network Objects *


object network OBJECT-NAT-ALL

subnet 0.0.0.0 0.0.0.0

!

!

object network inside20

subnet XX.XX.20.0 255.255.255.0

object network inside30

subnet XX.XX.30.0 255.255.255.0

object network inside40

subnet XX.XX.40.0.0 255.255.255.0

object network VPN_Pool range X.X.X.200 X.X.X.220

!

!


NAT RULES *


!

nat (inside20,external) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup

!

!

object network OBJECT-NAT-ALL

nat (any,external) dynamic interface

!

!


STATIC ROUTE *


!

route external 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1

!


CRYPTO *


!

crypto ca trustpoint INT_CA

enrollment terminal

enrollment interface inside40

fqdn XYZ.XYZ.XYZ

subject-name CN=XYZ.XYZ.XYZ,O=Company,OU=Division,L=Locality,ST=State

keypair int.key

crl configure

no protocol http

no protocol ldap

!

crypto ca trustpool policy

crypto ca certificate chain INT_CA





!

!

crypto ikev2 policy 10

encryption aes-gcm-256 aes-gcm-192 aes-gcm

integrity null

group 19

prf sha256

lifetime seconds 86400

crypto ikev2 enable external client-services port 443

crypto ikev2 remote-access trustpoint INT_CA

telnet timeout 5

!

!

no vpn-addr-assign dhcp

vpn-addr-assign local

no ipv6-vpn-addr-assign aaa

no ipv6-vpn-addr-assign local

vpn-sessiondb max-other-vpn-limit 100

vpn-sessiondb max-anyconnect-premium-or-essentials-limit 100

!

!

ssl server-version tlsv1.2

ssl client-version tlsv1.2

ssl trust-point  (I have this for each nameif)

!

!


WEB VPN *


webvpn

enable external

http-headers

hsts-server

enable

max-age 31536000

include-sub-domains

no preload

hsts-client

enable

x-content-type-options

x-xss-protection

content-security-policy

anyconnect image disk0:/cisco-secure-client-win.pkg 1 regex “Windows NT”

anyconnect image disk0:/cisco-secure-client-linux64.pkg 2 regex “Linux”

anyconnect profiles Team_client_profile disk0:/Team_client_profile.xml

anyconnect enable

cache

disable

error-recovery disable

!

!


Group Policy *


!

!

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol l2tp-ipsec

!

!

group-policy GroupPolicy_Team internal

group-policy GroupPolicy_Team attributes

wins-server none

dns-server value XX.XX.40.10 XX.XX.40.20

vpn-tunnel-protocol ikev2 ssl-client

default-domain value XYZ.XYZ

webvpn

anyconnect profiles value Team_client_profile type user

dynamic-access-policy-record DfltAccessPolicy

!

!


Local Users *

! username user1 password priviledge 15 username user2 password priviledge 15 ! ! username user1 attributes vpn-group-policy GroupPolicy_Team group-lock value Team tunnel-group Team type remote-access tunnel-group Team general-attributes address-pool VPN_Pool authentication-server-group RADIUSSERVERS LOCAL default-group-policy GroupPolicy_Team tunnel-group Team webvpn-attributes group-alias Team enable !

Any help is appreciated!

lagapidis · August 28, 2023, 7:06am

Hello Kevin

From your configuration, it appears that you have correctly set up most of the necessary components for remote access VPN. However, there are a few potential issues that might be causing problems.

NAT Exemption: Your NAT exemption rule should exempt VPN traffic from being translated. Make sure you’re using the correct object for your VPN pool in the NAT rule. The NAT exemption rule should look something like this:

nat (any,external) source static NETWORK_OBJ LOCAL_NETWORK_OBJ destination static VPN_POOL_OBJ VPN_POOL_OBJ

Group Policy: Make sure the correct group policy is applied to the tunnel group. In your configuration, you have assigned the GroupPolicy_Team to the Team tunnel group, which seems correct. However, ensure that this group policy has the correct settings for your VPN.

Secure Client Profile: If your secure client profile is not being used, it might be because the profile is not correctly uploaded to the ASA or not correctly specified in the group policy. Check the disk0:/ path and ensure that the profile is correctly uploaded and specified in the group policy.

User Attributes: Ensure that the users have the correct attributes. The vpn-group-policy attribute should match the group policy you have defined.

If you’ve checked all these and are still having issues, I would recommend enabling debug for IKEv2 and SSL on the ASA to get more detailed information about what might be going wrong. You can do this with the following commands:

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
debug webvpn anyconnect 255

You can also take a look at this Cisco documentation for more details on using debugs for this purpose:

Take a look at all of these and let us know how you get along. If you need any further help, you know where to find us!

I hope this has been helpful!

Laz