This topic is to discuss the following lesson:
For this part here -
The DNS server 22.214.171.124 will be assigned to remote VPN users.
When connected to the VPN, if the users are trying to access internal corporate machines via DNS name, should we provide an internal DNS server address rather than 126.96.36.199?
That would work yes, there are also some other solutions. Take a look at this Cisco post:
Which ASA model do your configuration examples apply to? Would you give some thought to doing a video similar to the one about choosing routers and switches, but with the topic of choosing firewalls?
I used the ASA 5510 for most of these examples. The big difference between the ASA 5505 and all the other models is that it’s the only firewall that has 4 switchports.
The 5510 only has L3 interfaces, it doesn’t have switchports. The ASA 5506 that replaces the 5505 also doesn’t have switchports anymore.
A video for the different firewalls might be a good idea, for labs the ASA 5510 with security plus license is probably the best choice for now.
I was asking because Cisco Packet Tracer 6.2 has a 5505 under its Security device category.
I will add an ASA 5510 to the physical lab after I pass the CCNA exam. I have to keep reminding myself to not spend a lot of time for now on things that are not going to be on the CCNA exam. It is easy to get distracted by topics not on the exam.
Thanks for your response
Ah I see…well the 5505 is similar but it uses a VLAN interface for the switchports (similar to a SVI interface on a multilayer switch).
The best results are achieved when you focus on one thing at a time…it’s so easy to get distracted, there are so many things that are worth checking out
Thanks for your response and the great content.
How do we avoid a user selecting a “group-alias” if multiple groups are available, like “sales” and “finance”?
How do we prevent a user from choosing a group which he should not? If a sales user chooses finance, he may get access to the finance resources.
I don’t have an example for it but it’s possible to assign users to certain groups and to disable the selection. They won’t be able to select any group aliases then.
I have ASA 5520 VPN Plus license with latest IOS disk0:/asa917-k8.bin
```
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 20             perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 250            perpetual
AnyConnect Essentials             : 750            perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 100            perpetual
Total UC Proxy Sessions           : 100            perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.
```
My question is, can we use AnyConnect VPN Client Software-4.2.01035 with my existing Firewall?
I tested today AnyConnect VPN Client Software-4.2.01035 with my ASA and glad it works perfectly with Rene article.
Rene, your ASA articles are amazing; I am testing them so far. Just a quick note: if you can also add the NAT statements related to the configuration, that would be great, or add a note that a particular configuration requires NAT changes as well.
E.g. to make the split tunnel work we need a deny statement in NAT, so that would be helpful.
Thanks and amazing work, everything works for me like a charm.
Good to hear everything is working. I’ll add a separate post for NAT exemption but for now, you can use this:
```
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static VPN_POOL VPN_POOL
```
Basically this rule means that the source addresses from INSIDE will be translated to INSIDE and the destination addresses in VPN_POOL will be translated to VPN_POOL. In other words…the source and destination addresses will remain the same and no NAT is performed.
I think you will be fine with the anyconnect client btw, best to just test it.
Hope this helps!
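As an added illustration (not code from the post above or from Cisco), here is a small Python model of why that identity rule matters: the ASA evaluates manual (twice) NAT in section 1 before object NAT in section 2, so without the exemption the usual dynamic interface PAT would rewrite inside hosts to the outside address before their traffic reaches the VPN clients. The INSIDE_PAT object and the outside address 203.0.113.2 are assumptions added for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample config: the objects and NAT exemption from the post above,
# plus the usual dynamic interface PAT that sends INSIDE hosts to the internet.
ASA_CONFIG = """
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static VPN_POOL VPN_POOL
object network INSIDE_PAT
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
"""
OUTSIDE_IP = "203.0.113.2"  # assumed OUTSIDE interface address (hypothetical)


def parse(config):
    """Return (objects, manual_nat_rules, auto_nat_objects) from the config text."""
    objects, manual, auto, current = {}, [], [], None
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            objects[current] = ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)$", line):
            manual.append(m.groups())  # (real_src, mapped_src, real_dst, mapped_dst)
        elif re.match(r"nat \(\S+\) dynamic interface$", line):
            auto.append(current)       # object NAT attached to the current object
    return objects, manual, auto


def translate(objects, manual, auto, src, dst):
    """Apply ASA NAT ordering to one flow and return (mapped_src, mapped_dst)."""
    s, d = ip_address(src), ip_address(dst)
    # Section 1: manual (twice) NAT is evaluated first, first match wins.
    for real_src, mapped_src, real_dst, mapped_dst in manual:
        if s in objects[real_src] and d in objects[real_dst]:
            new_s = s if mapped_src == real_src else objects[mapped_src].network_address
            new_d = d if mapped_dst == real_dst else objects[mapped_dst].network_address
            return str(new_s), str(new_d)   # identity rule: both stay unchanged
    # Section 2: object (auto) NAT, here dynamic PAT to the interface address.
    for obj in auto:
        if s in objects[obj]:
            return OUTSIDE_IP, str(d)
    return str(s), str(d)                   # no rule matched: no translation
```

Passing an empty manual rule list to translate() shows what happens without the exemption: the same inside-to-VPN flow is PATed to the outside address, while internet-bound traffic is PATed either way.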
I’ve recently set up AnyConnect on my corporate network for Windows users and it’s working beautifully, thanks to you. The only issue I have now is trying to get an iPad to connect using AnyConnect, as it uses the AnyConnect app that is not pushed to the iPad when the user authenticates.
Have you seen or do you know a way of making the iPad work? (Android devices work fine using the app, so I’m thinking it’s an Apple certificate blocking thing???)
Any help would be great.
Ignore that last post Rene, I’ve just found out that the Domain chaps have pushed MobileIron out on the iPad fleet, and they are preventing SSL certificate installs. :o)
I want to use two ASA 5525-X firewalls in an Active/Active design in the main office. The branch office wants to use the AnyConnect VPN client. Is it possible or not?
Can you tell me what, if anything, needs to be done to allow authentication with smart cards for AnyConnect VPNs?
@Mark I believe that on ASA 9 you can only use IPsec site-to-site VPN in active/active mode, not AnyConnect.
@Christine There are quite a few different options to implement this. It’s a bit similar to this example:
In that lesson I used the ASA as a CA but you can also use an external (windows) CA server.
Do you know which zone/security level the user belongs to after connecting via AnyConnect?
The reason I ask is because after logging in via AnyConnect I can’t SSH to my router (as I normally would if I were directly on the inside network).
Thanks in advance.
The VPN traffic does terminate on the outside interface. Usually we use the sysopt connection permit-vpn command to permit IPsec traffic to bypass any access-list. If you don’t use it, then you’ll need to explicitly permit your IPsec traffic to the inside.
It could be an issue on your ASA but have you also checked your router has a route back to the ASA?