Cisco ASA Anyconnect Remote Access VPN

Rene

I was asking because Cisco Packet Tracer 6.2 has a 5505 under its Security device category.
I will add an ASA 5510 to the physical lab after I pass the CCNA exam. I have to keep reminding myself to not spend a lot of time for now on things that are not going to be on the CCNA exam. It is easy to get distracted by topics not on the exam.

Thanks for your response

Hi Donald,

Ah I see…well the 5505 is similar but it uses a VLAN interface for the switchports (similar to an SVI interface on a multilayer switch).

The best results are achieved when you focus on one thing at a time…it’s so easy to get distracted, there are so many things that are worth checking out :slight_smile:

Rene

Rene

Thanks for your response and the great content.

Hi,

How do I avoid users selecting a “group-alias” if multiple groups are available, like “sales” and “finance”?

How do I prevent a user from choosing a group he should not? If the sales user chooses finance, he may get access to the finance resources.

Thanks

Hi,

I don’t have an example for it but it’s possible to assign users to certain groups and to disable the selection. They won’t be able to select any group aliases then.

Rene

Hi

I have ASA 5520 VPN Plus license with latest IOS disk0:/asa917-k8.bin

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 20             perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 250            perpetual
AnyConnect Essentials             : 750            perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 100            perpetual
Total UC Proxy Sessions           : 100            perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

My question is, can we use AnyConnect VPN Client Software-4.2.01035 with my existing Firewall?
https://software.cisco.com/download/release.html?mdfid=286281283&softwareid=282364313&release=4.2.01035&relind=AVAILABLE&rellifecycle=&reltype=latest

Hi

I tested AnyConnect VPN Client Software-4.2.01035 with my ASA today and I’m glad it works perfectly with Rene’s article.

Rene, your ASA articles are amazing; I am testing them as I go. Just a quick note: if you could also add the NAT statements related to the configuration that would be great, or add a note that a particular configuration requires NAT changes as well.
e.g. to make the split tunnel work we need a deny statement in NAT, so that would be helpful.

Thanks and amazing work, everything works for me like a charm.

Stay blessed

Hi Syed,

Good to hear everything is working. I’ll add a separate post for NAT exemption but for now, you can use this:

object network INSIDE
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0

nat (INSIDE,OUTSIDE) source static INSIDE,INSIDE destination static VPN_POOL VPN_POOL

Basically this rule means that the source addresses from INSIDE will be translated to INSIDE and the destination addresses in VPN_POOL will be translated to VPN_POOL. In other words…the source and destination addresses will remain the same and no NAT is performed.

I think you will be fine with the anyconnect client btw, best to just test it.

Hope this helps!

Rene

Hi Rene,

I’ve recently set up AnyConnect on my corporate network for Windows users and it’s working beautifully, thanks to you. The only issue I have now is trying to get an iPad to connect using AnyConnect, as it uses the AnyConnect app that is not pushed to the iPad when the user authenticates.

Have you seen or do you know a way of making the iPad work? (Android devices work fine using the app, so I’m thinking it’s an Apple certificate blocking thing???)

Any help would be great.

Many thanks

Neil

Ignore that last post, Rene. I’ve just found out that the domain chaps have pushed MobileIron out to the iPad fleet, and it is preventing SSL certificate installs. :o)

I want to use two ASA 5525-X firewalls in an Active/Active design in the main office. The branch office wants to use the AnyConnect VPN client. Is it possible or not?

Can you tell me what, if anything, needs to be done to allow authentication with smart cards for AnyConnect VPNs?

@Mark I believe that on ASA 9 you can only use IPsec site-to-site VPN in active/active mode, not AnyConnect.

@Christine There are quite some different options to implement this. It’s a bit similar to this example:

In that lesson I used the ASA as a CA but you can also use an external (windows) CA server.

Hi Rene,

Do you know which zone/security level the user belongs to after connecting via anyconnect ?

The reason I ask is because after logging in via anyconnect I can’t SSH to my router (as I normally would if I am directly on the inside network).

Thanks in advance.

Richard

Hi Richard,

The VPN traffic does terminate on the outside interface. Usually we use the sysopt connection permit-vpn command to permit IPsec traffic to bypass any access-list. If you don’t use it, then you’ll need to explicitly permit your IPsec traffic to the inside.

It could be an issue on your ASA but have you also checked your router has a route back to the ASA?

Rene

Hi Rene,

Congrats, very clear tutorial. What about the NAT rule to keep the traffic between internal subnets and remote VPN hosts untranslated? Isn’t it needed?

Please advise.

Thank you.

Hi Alessandro,

Glad to hear you like it! You will need a NAT rule to keep traffic between remote VPN users and inside hosts untranslated. You can find the config for it in this reply:

Cisco ASA NAT untranslate

Rene

Hi Rene

I’ve been trying to get a 9.1x VPN working for a while now, so I wiped the config, started fresh and followed 99% of your config: the internal network is 192.168.2.0/24, running 9.1(6) and AnyConnect 4.2.x.

Everything checked out but I am unable to talk to the internal network once connected. On the ASA log I see the following:
5 Jul 26 2016 10:25:05 192.168.10.100 38593 192.168.2.100 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.10.100/38593(LOCAL\user) dst inside:192.168.2.100/53 denied due to NAT reverse path failure

I tried adding the NAT:

ciscoasa(config)# object network Inside
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# object network VPN
ciscoasa(config-network-object)# subnet 192.168.10.0 255.255.255.0
ciscoasa(config)#nat(inside,outside) source static Inside,Inside destination static VPN VPN

and get the error

nat (inside,outside) source static Inside,Inside destination static VPN VPN
                                                              ^
ERROR: % Invalid input detected at '^' marker.

This is driving me nuts, please advise

Thanks

Neil.

Hello Neil.

This error occurs when an inbound connection is trying to reach the internal address on the external interface. This check for asymmetric NAT rules basically checks (to quote Cisco) “that the reverse connection from the server to the client matches the same NAT rule” used to initiate the connection. If it does not, then this check fails and the packet is blocked.

Check your NAT rules (especially those translating the 192.168.2.0/24 subnet) and confirm their correctness. You may also find this Cisco resource helpful to solve this problem.

I hope this has been helpful!

Laz
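To make Rene’s identity NAT exemption and Laz’s explanation of the reverse-path check concrete, here is an added example (written for this page, not code from the thread or from Cisco) that models how the ASA picks a NAT rule for the forward and reverse flow of Neil’s VPN connection. Rule and interface names are constructed, ports are ignored, and only connections entering on the outside interface (the VPN client’s) are modelled.

```python
"""Added example (not from the thread or Cisco): a model of the ASA NAT lookup
behind Rene's identity NAT exemption and Neil's 'Asymmetric NAT rules matched
... NAT reverse path failure' log.  Names are constructed, ports are ignored,
and only connections entering on the outside (the VPN client's) are modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    name: str               # label for the explanation only
    real_if: str            # nat (real_if,mapped_if) ...
    mapped_if: str
    src: str                # real source object
    dst: str = "0.0.0.0/0"  # destination object ("any" for object NAT)
    dynamic: bool = False   # dynamic PAT is one-way; static twice NAT is two-way

    def matches(self, in_if, out_if, s, d):
        fwd = ((in_if, out_if) == (self.real_if, self.mapped_if)
               and s in ip_network(self.src) and d in ip_network(self.dst))
        if self.dynamic:    # a new connection can only enter from the real side
            return fwd
        rev = ((in_if, out_if) == (self.mapped_if, self.real_if)
               and d in ip_network(self.src) and s in ip_network(self.dst))
        return fwd or rev


def first_match(rules, in_if, out_if, src, dst):
    """Rules are checked in order; twice NAT (section 1) precedes object NAT."""
    s, d = ip_address(src), ip_address(dst)
    return next((r for r in rules if r.matches(in_if, out_if, s, d)), None)


def reverse_path_check(rules, in_if, out_if, src, dst):
    """The reverse flow (server back to client) must hit the same rule as the
    forward flow, otherwise the ASA denies the connection.
    Returns (permitted, forward_rule_name, reverse_rule_name)."""
    fwd = first_match(rules, in_if, out_if, src, dst)
    rev = first_match(rules, out_if, in_if, dst, src)
    return fwd is rev, getattr(fwd, "name", None), getattr(rev, "name", None)


# Constructed rule set: dynamic PAT for the LAN, with and without the exemption
PAT = NatRule("pat-inside", "inside", "outside", "192.168.2.0/24", dynamic=True)
EXEMPT = NatRule("vpn-exempt", "inside", "outside", "192.168.2.0/24", "192.168.10.0/24")
VPN_CLIENT, DNS_SERVER = "192.168.10.100", "192.168.2.100"  # hosts from Neil's log

if __name__ == "__main__":
    for label, rules in (("without exemption", [PAT]), ("with exemption", [EXEMPT, PAT])):
        ok, f, r = reverse_path_check(rules, "outside", "inside", VPN_CLIENT, DNS_SERVER)
        print(f"{label}: forward={f} reverse={r} -> {'permitted' if ok else 'denied'}")
```

Without the exemption the client-to-server flow matches no rule while the server-to-client flow matches the dynamic PAT rule, which is exactly the asymmetry the log line reports; placing the identity twice-NAT rule first makes both flows hit the same rule and the connection is allowed.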

Hi Rene,

Could you please help me with a problem we’re having at work, which is stopping us from moving our network to a VRF lite or MPLS design. When our customers SSL into our network, the following is required:

1- Provide SSL access using overlapping address spaces, i.e. all customers are assigned the address pool 172.10.10.0/28 in their own VRF, then route via their own VRF route table (this part I have worked out how to do).
2- When customers log in to their SSL account via the webvpn gateway, that username and password then places them into the correct webvpn context, which is linked to their VRF. I have worked out how to link a context to a VRF, but I am unable to link a username and password from the webvpn gateway to a particular context.
3- I have tried aaa but this only seems to work for global usernames and passwords, and we don’t have access to a RADIUS or TACACS+ server.

If you could suggest a way for the username and password entered into the webvpn gateway to link to the webvpn context, you would make me a very happy junior engineer. All this, if possible, configured on an IOS router.