Cisco ASA Anyconnect Remote Access VPN

This topic is to discuss the following lesson:

Hi Rene,

For this part here -

The DNS server 8.8.8.8 will be assigned to remote VPN users.

When connected to the VPN, If the users are trying to access Internal Corporate machines via DNS name, should we provide an Internal DNS server address rather than 8.8.8.8

Thanks
Rob

Hi Rob,

That would work yes, there are also some other solutions. Take a look at this Cisco post:

Rene

Rene

Which ASA model does your configuration examples apply to? Would you give some thought to doing a video similar to the one about choosing routers and switches but topic would be choosing firewalls.

Thanks

Hi Donald,

I used the ASA 5510 for most of these examples. The big difference between the ASA 5505 and all the other models is that it’s the only firewall that has 4 switchports.

The 5510 only has L3 interfaces, it doesn’t have switchports. The ASA 5506 that replaces the 5505 also doesn’t have switchports anymore.

A video for the different firewalls might be a good idea, for labs the ASA 5510 with security plus license is probably the best choice for now.

Rene

Rene

I was asking because Cisco Packet Tracer 6.2 has a 5505 under it’s Security device category.
I will add an ASA 5510 to the physical lab after I pass the CCNA exam. I have to keep reminding myself to not spend a lot of time for now on things that are not going to be on the CCNA exam. It is easy to get distracted by topics not on the exam.

Thanks for your response

Hi Donald,

Ah I see…well the 5505 is similar but it uses a VLAN interface for the switchports (similar to a SVI interface on a multilayer switch).

The best results are achieved when you focus on one thing at a time…it’s so easy to get distracted, there are so many things that are worth checking out :slight_smile:

Rene

Rene

Thanks for your response and the great content.

Hi,

How to avoid user selecting “group-alias” if multiple group available like “sales” ,“finance”.

How to avoid user choosing a group which he should not . if the sales user choose finance he may get access to the finance resources ?

Thanks

Hi,

I don’t have an example for it but it’s possible to assign users to certain groups and to disable the selection. They won’t be able to select any group aliases then.

Rene

Hi

I have ASA 5520 VPN Plus license with latest IOS disk0:/asa917-k8.bin

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 20             perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 250            perpetual
AnyConnect Essentials             : 750            perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 100            perpetual
Total UC Proxy Sessions           : 100            perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

My question is, can we use AnyConnect VPN Client Software-4.2.01035 with my existing Firewall?
https://software.cisco.com/download/release.html?mdfid=286281283&softwareid=282364313&release=4.2.01035&relind=AVAILABLE&rellifecycle=&reltype=latest

Hi

I tested today AnyConnect VPN Client Software-4.2.01035 with my ASA and glad it works perfectly with Rene article.

Rene, your ASA articles are amazing which so far I am testing, just a quick note, if you can add NAT statements also related to the configuration that will be great or if you add a Note that particular configuration require NAT changes as well.
e.g. to make the Split Tunnel work we need a deny statement in NAT so it will be helpful.

Thanks and amazing work, everything work for me like a charm.

Stay blessed

Hi Syed,

Good to hear everything is working. I’ll add a separate post for NAT exemption but for now, you can use this:

object network INSIDE
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0

nat (INSIDE,OUTSIDE) source static INSIDE,INSIDE destination static VPN_POOL VPN_POOL

Basically this rule means that the source addresses from INSIDE will be translated to INSIDE and the destination addresses in VPN_POOL will be translated to VPN_POOL. In other words…the source and destination addresses will remain the same and no NAT is performed.

I think you will be fine with the anyconnect client btw, best to just test it.

Hope this helps!

Rene

Hi Rene,

I’ve recently setup the Anyconnect on my Corporate network for Windows users and it’s working beautifully, thanks to you. The only issue i have now is trying to get an iPad to connect using the Anyconnect, as it uses the Anyconnect App that it not pushed to the ipad when the user authenticates.

Have you seen or do you know a way of making the iPad work ? (Andriod devices work fine using the App, so I’m thinking its a Apple certificate blocking thing ???)

Any help would be great.

Many thanks

Neil

Ignore that last post Rene, I’ve just found out that the Domain chaps have pushed MobileIron out on the iPad fleet, and they are preventing SSL certificate installs. :o)

I want to use two asa5525-X firewall (Active/Active) design in main office. Branch office want to use anyconnect vpn client. Is it possible or not?

Can you tell me what, if anything, needs to be done to allow authentication with Smart cards for AnyConnect VPN’s?

@Mark I believe that on ASA 9 you can only use IPsec site-to-site VPN in active/active mode, not anyconnect.

@Christine There are quite some different options to implement this. It’s a bit similar to this example:

In that lesson I used the ASA as a CA but you can also use an external (windows) CA server.

Hi Rene,

Do you know which zone/security level the user belongs to after connecting via anyconnect ?

The reason I ask is because after logging in via anyconnect I can’t SSH to my router (as I normally would if I am directly on the inside network).

Thanks in advanced.

Richard

Hi Richard,

The VPN traffic does terminate on the outside interface. Usually we use the sysopt connection permit-vpn command to permit IPsec traffic to bypass any access-list. If you don’t use it, then you’ll need to explicitly permit your IPsec traffic to the inside.

It could be an issue on your ASA but have you also checked your router has a route back to the ASA?

Rene