Cisco ASA Remote Access VPN

Hello Sims

Take a look at this post to get an idea of how to proceed with troubleshooting with VPNs…

This one goes into even more detail that might be enlightening.

As you continue your troubleshooting, let us know if we can help with any more specific issues.

I hope this has been helpful!

Laz

Hi dear. How can I add a DHCP reservation on a Cisco ASA for local and VPN clients? Is it possible?

Hello Cemil

If you take a look at this lesson you will see how the IP address is assigned to the remote client:

In this particular case, an ip local pool is created from which IP addresses can be assigned. Now the method of assigning addresses can be modified using the vpn-addr-assign command. In the above example, the command vpn-addr-assign local is used, which tells the ASA to assign addresses using the predefined local pool.

However, you have other choices that you can use for assigning addresses, such as using AAA or DHCP. These are further described in the following Cisco documentation:

In order to reserve a particular IP address for a specific host, you can do one of the following:

  1. Create an IP pool of a single address and have a single tunnel group correspond to a single user. This is useful if you have very few users, as it is not easily scalable.
  2. You can use AAA and retrieve the address to be used from an external AAA server on a per user basis. If you are using an authentication server anyway, this is the best way to do it.
  3. Use DHCP, obtaining addresses from a DHCP server.

All of the above can be configured using the vpn-addr-assign command shown above.

I hope this has been helpful!

Laz

Rene,

why is DNS required in the GROUP Policy? what is the PURPOSE ?

And what is the Meaning the following STATEMENT and RADIUS Server

“The group policy is called VPN_POLICY and it’s an internal group policy which means it is created locally on the ASA. You can also specify an external group policy on a RADIUS server.”

Also the routing for IP pool to reach R1 to be manually setup on the ASA/R1 ?

Hello Surendra

Remember that a group policy can be used to apply specific network parameters to particular groups of users. One of those parameters is the use of a DNS server. It is required so that any user that connects using that particular group policy will have a DNS server configured for traffic going over the VPN. If you don’t specify it, then users attempting to reach the internet via the split tunnel will have no DNS server configured.

Group policies that are configured as in the lesson are local group policies. This means that only devices connecting to this particular ASA will have these attributes. If you choose to, you can employ an external RADIUS server that performs authentication for connections to one or more ASA(s), and in there, you can specify an external group policy that will be applied to any ASA you connect to via the RADIUS server. For more info about how RADIUS servers can be used for authentication, take a look at this lesson:

In order for the pool to reach R1 and R1 to reach the pool, routing must be established somehow. You can see that R1 has a default route that sends all traffic to the ASA, and the ASA knows both the 192.168.1.0/24 and the 10.10.10.0/24 networks, so routing is fully established. If you want VPN clients to reach networks behind R1, then you must configure routing in the ASA and R1 to ensure reachability. This can be done by using either static routing or dynamic routing protocols.

I hope this has been helpful!

Laz


Hello,
Thank you for sharing
My question is: How can I access the IPsec remote network from AnyConnect, please?
Could you give a real configuration?
Thank you for help
Brahim

Hello Brahim

I’m not sure I understand what you need. This particular configuration allows an AnyConnect client to connect to an inside LAN on the corporate network via an IPSec encrypted tunnel. Is this not what you’re looking for?

Give us some more detail about what you would like to achieve so that we can help you further.

I hope this has been helpful!

Laz

Hi Rene,
How can the PC ping R1 if the PC's IP address is 192.168.10.100?

Hello Nguyen

The PC’s IP address is indeed 192.168.10.100. In the ipconfig of the PC, you will also see that there is no default gateway, and I assume that this is the source of your question. How can the PC communicate with 192.168.1.0/24 if it is on a different subnet and has no default gateway?

When you create a VPN tunnel, the connection is considered a point-to-point connection. When traffic is sent along the tunnel, there is only a single next hop that can be reached. This is why there is no default gateway on VPN connections. If you issue the route print command on the Windows PC command prompt, you will see a default route that is configured with a gateway within the subnet given by the VPN. When traffic is sent down the VPN, it will be encapsulated, and then decapsulated at the other end. The ASA will accept it and route it correctly based on the destination address, which in this case is 192.168.1.1. The ASA has a route to this destination since it is directly connected.

Similarly, R1 has a default route that points to the ASA, so return traffic will reach the ASA. The ASA in turn knows that the destination address belongs to the VPN, and will route traffic back to the PC.

I hope this has been helpful!

Laz

If my public IP address is 1.1.1.1 and the remote ASA is 1.1.1.254, then these 2 addresses will become the outer IP addresses for IP packets from the PC to the ASA, right? And 192.168.10.100, for example, will be my PC's actual IP address, right?

Hello Nguyen

Yes, that sounds correct. The 192.168.10.100 address will be the IP address of the VPN interface on the PC, and it will be via that interface that the local applications on your PC will communicate with the outside world. This IP header will be encapsulated in another IP header with the source and destination IP addresses of 1.1.1.1 and 1.1.1.254 as you suggested in your post. Does that make sense?

I hope this has been helpful!

Laz

Hello Team,

I am new to ASA, so after checking this lesson and the complete config, I could not find the access-group command to allow remote VPN users to connect to the inside network. As per my understanding, traffic is coming from outside to inside, so we should have an ACL to allow the traffic.

So, is that not required when we are configuring Remote Access VPN, or am I missing something else?

Regards,
Justin George

Hello Justin

The access-group command is used to bind an access list to a single interface. In such a case, you are using the access list to filter traffic passing through that interface.

When an access list is used in conjunction with a group policy when creating a remote access VPN, it is not used to filter traffic, but to match traffic. In this case, the access-list called SPLIT_TUNNEL is referenced by the group policy to identify traffic destined for the remote network and to tunnel only that traffic through the VPN.

In such a scenario, the access-group command is not needed. For more info on the access-group command on a Cisco ASA, take a look at the following command reference:

I hope this has been helpful!

Laz

Would I be able to verify this with Cisco AnyConnect Mobility Client? Or are there compatibility issues?

Hello Ken

The Cisco VPN client used in the lesson leverages IPSec only, while the Cisco AnyConnect Mobility Client delivers SSL and other capabilities in addition to IPSec. So you should be able to achieve with AnyConnect what is achieved with Cisco VPN client in this lab.

The security clients used by Cisco have evolved over the years, and you can find more information about those in this NetworkLessons note titled Security - Cisco VPN client software.

I hope this has been helpful!

Laz


Hello Team, thanks for taking the time to read me.
I currently work on a project on the company ASA. The ASA currently has a working VPN group; however, I am trying to create a second group that will employ an IP filter that will only permit access to a particular IP address on the remote LAN. I am planning to create a tunnel group with split tunneling, but I am not sure if this is the most effective way to achieve this. If this is correct, or if there are other ways to get it done, I will appreciate everyone's answers, as they will guide me to a better implementation of this. Thank you all!

Hello Johan

The solution you suggest should work for your scenario. To find out more about how to set up remote access VPN on a Cisco ASA including tunnel groups and split tunneling, take a look at this lesson:

See if that helps you to achieve what you’re looking for. Try it out and let us know how you get along and if you need any further help.

I hope this has been helpful!

Laz

Thanks for giving me a hand on this, Laz.
I tried a part of the configuration but one of the main requirements for the organization is to deploy a group alias to the AnyConnect client and I am a little bit lost in that part. How can I set it up?
Thanks a lot for the assistance and help!

Hello Johan

In a Cisco ASA, a group alias is a way to assign a specific connection profile or tunnel group to an AnyConnect VPN client. The group alias gets presented to the VPN client, and the user can choose which alias (and therefore, which tunnel group) to use when establishing a VPN connection.

Here is a high-level description of how to deploy a group alias to an AnyConnect client when configuring a remote access VPN on a Cisco ASA:

  1. Define a Tunnel Group:

    You need to create a tunnel group which will be used to authenticate and connect the AnyConnect clients. Here is an example configuration for a tunnel group called “Employee_VPN”:

    tunnel-group Employee_VPN type remote-access
    tunnel-group Employee_VPN general-attributes
     address-pool Employee_pool
     default-group-policy Employee_policy
    tunnel-group Employee_VPN ipsec-attributes
     ikev1 pre-shared-key cisco
    
  2. Create a Group Alias:

    You can create a group alias for the connection profile that you defined. This alias is the name that will be presented to the AnyConnect client user. For example, you might want to name the alias “EmployeeVPN”.

    tunnel-group Employee_VPN webvpn-attributes
     group-alias EmployeeVPN enable
    
  3. Enable the Group List on the Login Page:

    You will also need to enable the group drop-down list on the login page so that the user can select which group alias they want to use.

    webvpn
     enable outside
     anyconnect-essentials
     tunnel-group-list enable
    tunnel-group Employee_VPN webvpn-attributes
     group-url https://your_ASA_outside_interface_address/EmployeeVPN enable
    group-policy Employee_policy internal
    group-policy Employee_policy attributes
     vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    

    Note: Replace “your_ASA_outside_interface_address” with the actual IP address or hostname of the outside interface of your ASA.

  4. Deploy the AnyConnect Client:

    Finally, the AnyConnect client needs to be installed and configured on the user’s device. During the installation, you will have to specify the IP address (or hostname) of your ASA, and the group alias that you created earlier. The client software will then connect to the ASA and authenticate using the connection profile associated with the specified group alias.

This is a basic setup and you may need to adjust it to your specific requirements. For example, you might want to setup additional security features, such as two-factor authentication, or configure specific settings for the connection, such as split-tunneling, DNS servers, and so on.

Now having said that, you’ll notice that the webvpn feature is being used for the group dropdown list. You can find out more about how to use this in the following Cisco documentation. However, because webvpn has been deprecated in recent ASA and Firepower models and versions, it is worth noting that the new method to deploy remote access VPNs is to use AnyConnect VPN in SSL or IPsec/IKEv2 mode. In this case, the process to enable group alias is a bit different.

You’re right, Cisco has deprecated the use of the webvpn configuration with recent ASA and Firepower Threat Defense (FTD) models and versions. The new method to deploy remote access VPNs is to use the AnyConnect VPN in SSL or IPsec/IKEv2 mode, but the process to enable group alias is a bit different. It’s actually configured within the tunnel-group configuration. But the command to enable the alias is slightly different.

Here’s how you would define a tunnel-group with a group alias:

tunnel-group Employee_VPN type remote-access
tunnel-group Employee_VPN general-attributes
 address-pool Employee_pool
 default-group-policy Employee_policy
tunnel-group Employee_VPN webvpn-attributes
 group-alias EmployeeVPN enable

In the latest ASA software, you’d use AnyConnect VPN client profiles to determine which group-alias is available to the user. The client profile is an XML file that gets loaded onto the AnyConnect client upon connection. This XML file can specify which VPN headends are available, which group-aliases are available, and many other settings.

Client profiles are assigned to a group-policy and are downloaded when the VPN user connects. Here’s how you would assign a client profile to a group-policy:

group-policy GroupPolicy_EmployeeVPN internal
group-policy GroupPolicy_EmployeeVPN attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value EmployeeVPN_client_profile type user

In this example, EmployeeVPN_client_profile is the name of the client profile. This profile would be created with the AnyConnect Profile Editor, available with the AnyConnect VPN client download package from Cisco.com.

Once the client profile is created, you would upload it to the ASA, and then reference it in the group-policy as shown above. The client profile will be automatically downloaded and updated on the AnyConnect client whenever the user connects to the VPN.

This is a more secure and flexible way to manage group-alias availability, as it doesn’t rely on the deprecated webvpn configuration, and it can also provide many other client settings and features.

Further information can be found at this Cisco documentation:

Now just a note, if you would like Rene to create a lesson that includes a lab and topology for group aliases, feel free to use the following Member Ideas page, where you can make your suggestions. You may find that others have made similar suggestions and you can add your voice to theirs:

I hope this has been helpful!

Laz
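As an added example (not code from this thread, from Cisco, or from NetworkLessons), the Python script below parses a constructed ASA config fragment written in the form of the snippets above and checks the cross-references discussed in this thread: that each tunnel-group's default-group-policy and address-pool actually exist (the vpn-addr-assign discussion earlier), and that a split-tunnel ACL referenced by a group-policy is not also bound with access-group, since it is meant to match traffic, not filter it. The function names and the sample config are assumptions made for the example.

```python
# Constructed ASA config fragment modelled on the thread's snippets (not from a real device).
SAMPLE_CONFIG = """\
ip local pool Employee_pool 192.168.10.100-192.168.10.200 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-group SPLIT_TUNNEL in interface outside
group-policy Employee_policy attributes
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group Employee_VPN general-attributes
 address-pool Employee_pool
 default-group-policy Employee_policy
tunnel-group Contractor_VPN general-attributes
 default-group-policy Contractor_policy
"""
def parse_asa(text):
    # Returns (pools, acls, acls bound by access-group, group-policies, tunnel-groups).
    pools, acls, bound, policies, tgs, kind, cur = set(), set(), set(), {}, {}, None, None
    for line in filter(str.strip, text.splitlines()):
        w = line.split()
        if not line.startswith(" "):              # top-level command: new context
            kind = None
            if w[:3] == ["ip", "local", "pool"]:
                pools.add(w[3])
            elif w[0] == "access-list":
                acls.add(w[1])
            elif w[0] == "access-group":          # ACL bound to an interface as a filter
                bound.add(w[1])
            elif w[0] == "group-policy":
                kind, cur = "gp", policies.setdefault(w[1], {})
            elif w[0] == "tunnel-group":
                kind, cur = "tg", tgs.setdefault(w[1], {})
        elif kind == "gp" and w[0] == "split-tunnel-network-list":
            cur["split-acl"] = w[-1]              # "split-tunnel-network-list value <ACL>"
        elif kind == "tg" and w[0] in ("address-pool", "default-group-policy"):
            cur[w[0]] = w[1]
    return pools, acls, bound, policies, tgs

def audit(text):
    pools, acls, bound, policies, tgs = parse_asa(text)
    out = []   # human-readable findings; empty means every reference resolves
    for tg, a in tgs.items():
        if a.get("default-group-policy") not in policies:
            out.append(f"{tg}: default-group-policy {a.get('default-group-policy')} is not defined")
        if a.get("address-pool") not in pools:
            out.append(f"{tg}: no valid address-pool (needed unless AAA/DHCP assigns addresses)")
    for gp, a in policies.items():
        acl = a.get("split-acl")
        if acl in bound:
            out.append(f"{gp}: split-tunnel ACL {acl} is also bound by access-group; it should match, not filter")
    return out
```

Running `audit(SAMPLE_CONFIG)` reports the undefined Contractor_policy, the missing pool for Contractor_VPN, and the SPLIT_TUNNEL ACL that is bound as a filter; a config where all references resolve returns an empty list.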


Thanks for the help! Much appreciated
