Cisco ASA AnyConnect SSL VPN

As promised, here is the summarised walkthrough for getting AnyConnect SSL VPN set up on an ASA with a quick copy/paste. It is, again, a convenient note to myself that saves me trawling around for Cisco's documentation. That being said, the documentation for this particular config is exceptionally good and this is shamelessly ripped from the Configuration Guide, simply reusing the important assumptions from the last RA VPN post.

Extra assumptions on top of those from the last post:

  • You’re using the latest (as of writing) AnyConnect SVC images, 2.3.0254, and the .pkg files are already on disk0:
  • Your edge device is called firewall and your internet domain name is mydomain.com 😉 – seriously though, the certificate FQDN you use in the config should resolve to the IP of the firewall interface you’re connecting to, otherwise you’ll have to click through the browser warnings about the certificate being invalid. Note that the trustpoint below is self-signed, so clients will still warn about an untrusted issuer until you either install that certificate on them or replace it with one issued by a CA they already trust.

crypto key generate rsa label sslvpnkeypair
crypto ca trustpoint localtrust
enrollment self
fqdn firewall.mydomain.com
subject-name CN=firewall.mydomain.com
keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
ssl trust-point localtrust outside
webvpn
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 2
enable outside
svc enable
ip local pool SSLClientPool 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.0.3
vpn-tunnel-protocol svc
default-domain value internaldomain.local
address-pools value SSLClientPool
sysopt connection permit-vpn
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
webvpn
tunnel-group-list enable
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
username localvpnuser password 12345678 privilege 0
username localvpnuser attributes
service-type remote-access

One caveat before you paste this in: sysopt connection permit-vpn lets decrypted VPN traffic bypass the access-list on the outside interface, so VPN users get whatever the inside network offers. If they should only reach a few hosts, attach a vpn-filter to the group policy. And change the 12345678 placeholder password before the box faces the Internet.

Hope this helps!

Cisco ASA Remote Access VPN

As a convenient note to myself, and to help anyone else who’d like to get a simple Remote Access VPN set up on their ASA using the Cisco VPN Client 5.x, here’s the very basic configuration using the CLI, as most of the walkthroughs on Cisco’s website are ASDM based.

This is set out to be dumped straight onto an ASA which has little configuration other than basic IP addressing. To add it to a running unit, read the assumptions below and understand what you’ll need to change before dumping this config straight on.

Assumptions:

  • You’re running ASA OS 8.2(1).
  • VPN user authentication will be completed against the local user database.
  • The tunnel is full-tunnel: everything from the VPN client goes through the ASA and only the ASA’s inside network is reachable (split tunnelling, the alternative, is offered later on the page).
  • Your internal addressing is 192.168.0.0/24 and the DNS and DHCP ranges in use don’t conflict with the VPN pool below – change as appropriate.
  • The access-list nonat_inside and nat statements are there because they’re required on an empty ASA configuration, but you’ll very likely have these set up already; in that case simply add the ACE from the access-list statement below to your existing nat 0 access-list and don’t add the nat (inside) statement to your config at all.

username localvpnuser password 12345678 privilege 0
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
nat (inside) 0 access-list nonat_inside
crypto isakmp enable outside
ip local pool RAVPNDHCPPOOL 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy RAVPN_ADMIN internal
group-policy RAVPN_ADMIN attributes
dns-server value 192.168.0.2 192.168.0.3
vpn-tunnel-protocol IPSec
default-domain value internaldomain.local
username localvpnuser attributes
vpn-group-policy RAVPN_ADMIN
tunnel-group RAVPN_ADMIN type remote-access
tunnel-group RAVPN_ADMIN general-attributes
default-group-policy RAVPN_ADMIN
address-pool RAVPNDHCPPOOL
tunnel-group RAVPN_ADMIN ipsec-attributes
pre-shared-key C0mpl1c@t3d
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map sys_def_crypto 65535 set pfs group2
crypto dynamic-map sys_def_crypto 65535 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic sys_def_crypto
crypto map outside_map interface outside

When creating the entry in the installed Cisco VPN Client you’ll need three things: the IP address of the ASA you’re connecting to, the group name (here RAVPN_ADMIN) and the password for that group, which here is the pre-shared-key specified under tunnel-group RAVPN_ADMIN ipsec-attributes.

That done, click connect, enter the username and password of the local user you created in the first line of the config and you’ll be connected to your inside network.

Two caveats worth knowing. The group pre-shared key goes to every client that gets the connection entry, so it identifies the client software rather than a person; the per-user password is the authentication that actually matters, so don’t leave it as 12345678. And the ISAKMP policy above negotiates 3DES with DH group 2, which the VPN Client 5.x is happy with but which is weak by today’s standards, so treat this as a lab or legacy config rather than something to leave facing the Internet long-term.

If you consider the client keeping its own Internet access while connected ‘ok’ for your particular situation, you can add split tunnelling to your configuration with these five lines; after that only traffic for 192.168.0.0/24 goes down the tunnel and everything else leaves via the client’s own connection:

access-list split_tunnel_list remark The corporate network behind the ASA
access-list split_tunnel_list standard permit 192.168.0.0 255.255.255.0
group-policy RAVPN_ADMIN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
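Both this config and the AnyConnect one further up the page are pasted in as plain text, and the ASA only complains about a typo when it reaches that line; a group-policy name that doesn’t quite match (names are case-sensitive), a pool the nat 0 ACL doesn’t cover, or an ISAKMP policy you’d rather not be running all give you a VPN that looks fine in the config and then disappoints. The checker below is an added example of mine, not anything from Cisco or from the original posts: it reads a config dump (say the output of show running-config saved to a file) and checks those cross-references. The sample config embedded in it is a constructed, trimmed copy of the IPsec config above with one deliberate typo, and the list of “weak” IKEv1 settings is my own assumption about what to flag, not something the ASA enforces.

```python
import ipaddress
import re

# Constructed sample input, not taken from a real box: a trimmed copy of the
# IPsec remote-access config above with one deliberate mistake. The
# tunnel-group references "RAVPN_admin" while the policy is defined as
# "RAVPN_ADMIN"; ASA object names are case-sensitive, so the reference does
# not resolve.
SAMPLE_CONFIG = """\
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
nat (inside) 0 access-list nonat_inside
ip local pool RAVPNDHCPPOOL 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy RAVPN_ADMIN internal
group-policy RAVPN_ADMIN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
tunnel-group RAVPN_ADMIN type remote-access
tunnel-group RAVPN_ADMIN general-attributes
 default-group-policy RAVPN_admin
 address-pool RAVPNDHCPPOOL
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
access-list split_tunnel_list standard permit 192.168.0.0 255.255.255.0
"""

# Our own policy (an assumption, not something the ASA enforces): flag the
# IKEv1 settings that are considered weak today.
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

RE_POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
RE_GP = re.compile(r"^group-policy (\S+) internal")
RE_DEFAULT_GP = re.compile(r"^\s*default-group-policy (\S+)")
RE_POOL_REF = re.compile(r"^\s*address-pools?(?: value)? (\S+)")  # tunnel-group and group-policy forms
RE_NONAT = re.compile(r"^access-list (\S+) extended permit ip any (\S+) (\S+)")
RE_STD_ACL = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)")
RE_SPLIT_REF = re.compile(r"^\s*split-tunnel-network-list value (\S+)")
RE_ISAKMP = re.compile(r"^crypto isakmp policy \d+ (encryption|hash|group) (\S+)")


def check_ra_vpn_config(config):
    """Return a list of findings; an empty list means every reference resolves,
    the pool is NAT-exempt end to end and no flagged IKEv1 algorithm is used."""
    pools, policies, std_acls, nonat_nets = {}, set(), {}, []
    gp_refs, pool_refs, split_refs, isakmp = [], [], [], []
    for line in config.splitlines():
        if m := RE_POOL.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := RE_GP.match(line):
            policies.add(m[1])
        elif m := RE_DEFAULT_GP.match(line):
            gp_refs.append(m[1])
        elif m := RE_POOL_REF.match(line):
            pool_refs.append(m[1])
        elif m := RE_NONAT.match(line):
            nonat_nets.append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := RE_STD_ACL.match(line):
            std_acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := RE_SPLIT_REF.match(line):
            split_refs.append(m[1])
        elif m := RE_ISAKMP.match(line):
            isakmp.append((m[1], m[2].lower()))

    findings = []
    for name in gp_refs:
        if name not in policies:
            findings.append(f"default-group-policy {name}: no such group-policy "
                            "(names are case-sensitive)")
    for name in pool_refs:
        if name not in pools:
            findings.append(f"address pool {name} is referenced but never defined")
    for name in split_refs:
        if name not in std_acls:
            findings.append(f"split-tunnel ACL {name} is referenced but never defined")
    # Every address handed out must be exempt from NAT, or return traffic from
    # the inside network gets translated and the tunnel passes nothing useful.
    for name, (first, last) in pools.items():
        for block in ipaddress.summarize_address_range(first, last):
            if not any(block.subnet_of(net) for net in nonat_nets):
                findings.append(f"pool {name}: {block} is not covered by a nat 0 ACL")
    for attr, value in isakmp:
        if value in WEAK_ISAKMP[attr]:
            findings.append(f"isakmp policy uses weak {attr} {value}")
    return findings


if __name__ == "__main__":
    for finding in check_ra_vpn_config(SAMPLE_CONFIG):
        print(finding)
```

Run as-is it reports the mismatched group-policy name plus the 3DES and DH group 2 choices; point it at your own saved running-config instead of SAMPLE_CONFIG to check a real box, and widen the regexes if you use object-groups in the nat 0 ACL, which this deliberately doesn’t parse.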

I hope this helps y’all out. I’ll be posting similar configurations using the same assumptions for the Clientless SSL VPN feature and the Cisco SSL VPN Client (AnyConnect VPN Client) shortly.

VRF Lite

I’ve been spending a while trying to get my noodle around VRFs in prep for my new job.
I’ve been having real trouble getting decent documentation on it, as for the most part VRF is synonymous with MPLS VPN technology.
This hasn’t helped me at all as I’m on the learning curve and don’t get MPLS properly yet either, so trying to absorb the concepts of MPLS too was all a little too much. But, to my delight, I’ve found a few snippets which nicely summarise everything I’ve needed to know quite quickly, and here’s everything that helped me, broken down as follows, basics first.

VRF, firstly: this acronym means one of two things, which are kind of doing the same thing (see Wikipedia):

1. Virtual Routing and Forwarding

Virtual Routing and Forwarding, actually implemented as VRF Lite, is what you’re likely to use in a campus. Given my greater comfort with switching technologies, the following statement made me feel nice and warm as I finally understood WHY you’d use VRFs: “VRFs employ essentially the same concept as VLANs and trunking, but at layer three.” AHHHHH!!!
Not having had to deal with traffic segregation on a network segment with routers, other than firewalling at the edge, this really, really helped my conceptual understanding. I totally get VLANs, and once it’s put like that, I understand why VRFs are now interesting!

2. VPN Routing and Forwarding

This is what I previously knew about VRFs, in as much as I knew the name and knew it was ‘out there’ and used by my ISP to get data to/from other sites for us and it worked fine and dandy. This link to Cisco is part of their MPLS VPN technology document and although I don’t get it properly yet, shows the instance where VRF is used and how interlinked it is with MPLS VPNs.

I was actually asked what VRF stood for in my interview for the job I start on Monday. I answered with VPN Routing and Forwarding, was told I was wrong and was given the other answer, Virtual Routing and Forwarding. I’m subsequently glad I’ve now discovered I was actually right, AND they were right, but the answer wasn’t the one they were looking for as the technology they use is VRF Lite, rather than the VRF described in the above linked Cisco technote, which is actually likely to be routing private address spaces across the Internet for customers such as my old employer.

Thanks to Stretch on Packetlife.net for the Eureka moment!

Nice Summer?

Hey all! You been enjoying the summer?
I certainly have, and with my new job starting on Monday I think I’ve wholly deserved it. I’ve enjoyed a nice couple of weeks off, although being at home has meant I’ve been loaded with a certain amount of anticipation and a tendency to get the tech tools out to brush up on the skills before the new job.
God knows why I did that. If I’d been abroad I wouldn’t have seen a screen for weeks, so I feel a bit of an arse for doing it; it’s just in my blood to get my shit together and make sure I’m feeling at least mildly confident on my first day.
Still, frustrations aside, new challenges await and I’m looking forward to getting paid as a debt-free human being. It’s been an extremely long time since I’ve been able to say ‘I don’t owe anyone any money’ (9 years) but I can now say that with glee and I don’t intend on changing that in the near future! I must say I’m missing the old crew though. I hated leaving my old job, so many really genuinely nice people there, and I really enjoyed my last day and was taken aback by all the lovely messages people wrote for me, so if anyone’s reading.. Miss you!! 😦
Still, looking forwards and upwards!

Here’s to Life v2 folks! Cheers!