SSL VPN with Anyconnect

From Internetworkpro

This page or section provides device configuration instructions
Please note that the information on this page has not been checked for accuracy and is not intended as a replacement to documentation. Please ensure you understand your desired objectives before attempting to apply any examples listed.
See more examples at Category:Configuration
This page or section provides VPN Configuration examples
The collection of articles under the VPN Category help to describe simple and complex VPN setups. These are often confusing and complicated so the Internetworkpro Wiki is attempting to create examples for many VPN setups - Site to site, remote access, automatic, one-way, ipsec, pptp, gre, vpdn, easyvpn, ssl, etc. Please ensure you understand your desired objectives before attempting to apply any examples listed. Guidance can be provided on irc://freenode.net/cisco
See more VPN configuration at Category:VPN

Overview

From cisco.com:
"The Cisco AnyConnect VPN Client is the next-generation VPN client, providing remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance running ASA version 8.0 and higher or ASDM 6.0 and higher. It does not connect with a PIX device nor with a VPN 3000 Series Concentrator."

Example Config:

Define the split-tunnel ACL and the IP pool for VPN users:

access-list VPN_SPLIT standard permit 172.16.0.0 255.240.0.0 
!
ip local pool VPN_POOL 172.16.100.1-172.16.100.254 mask 255.255.255.0

Define LDAP Server (or substitute with RADIUS, etc)

aaa-server LDAP protocol ldap
aaa-server LDAP host x.x.x.x
 server-port 636
 ldap-base-dn ou=people,dc=domain,dc=com
 ldap-scope onelevel
 ldap-naming-attribute uid
 ldap-login-password *
 ldap-login-dn uid=vpn_svc,ou=ServiceAccounts,dc=domain,dc=com
 ldap-over-ssl enable
 server-type openldap
!
  • Enable webvpn on the chosen interfaces (normally only the interface remote clients connect to; enabling it on inside also exposes the portal to internal hosts)
  • Define the AnyConnect packages
  • Enable svc
  • Enable the tunnel-group list (the drop-down of group aliases) on the login page; this shows the group names to anyone who can reach the portal
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
 svc image disk0:/anyconnect-macosx-powerpc-2.1.0148-k9.pkg 3
 svc image disk0:/anyconnect-linux-2.1.0148-k9.pkg 4
 svc enable
 tunnel-group-list enable
!
!

Define the default group policy attributes (these apply to all groups unless overridden):

  • DNS Server
  • Domain name
  • WebVPN parameters
group-policy DfltGrpPolicy attributes
 dns-server value x.x.x.x y.y.y.y
 vpn-tunnel-protocol svc 
 default-domain value domain.com
 webvpn
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc timeout 10
!

Not entirely sure why these are needed:

group-policy vpn-users internal
group-policy split-users internal

Apply the split-tunnel ACL to the split-users group policy:

group-policy split-users attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT
!

Define the tunnel group that will use the LDAP server:

  • Tunnel group type
  • Address pool
  • Authentication server
  • Group alias, which is what is shown on the login page
tunnel-group vpn-users type remote-access
tunnel-group vpn-users general-attributes
 address-pool VPN_POOL
 authentication-server-group LDAP
 default-group-policy vpn-users
tunnel-group vpn-users webvpn-attributes
 group-alias "Regular VPN Users" enable

Define the tunnel group that will use local authentication (no authentication-server-group is set, so the ASA falls back to its LOCAL user database):

tunnel-group split-users type remote-access
tunnel-group split-users general-attributes
 address-pool VPN_POOL
 default-group-policy split-users
tunnel-group split-users webvpn-attributes
 group-alias "Split Tunnel Users" enable
!
!
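The webvpn, aaa-server, group-policy and tunnel-group blocks above are the pieces a reviewer checks against each other before turning the head-end on. The following Python script is an added example, not code from the original page: it parses a constructed running-config excerpt modelled on the configuration above (192.0.2.10 is a placeholder for the page's x.x.x.x LDAP host) and reports the settings a security review would flag: webvpn enabled on an interface remote clients should not reach, the login page's tunnel-group alias list, an LDAP bind without TLS, a tunnel group silently falling back to the LOCAL database, and a tunnelspecified policy whose ACL is missing or permits any. The function names (parse_blocks, audit and the helpers) are my own and not ASA or Cisco API names.

```python
"""Audit a Cisco ASA running-config excerpt for weak AnyConnect/WebVPN settings.
Added example, not code from the wiki page: it parses the indented 'show
running-config' layout and reports what a reviewer checks before deploying."""
import ipaddress

# Constructed sample modelled on the page's config; 192.0.2.10 (RFC 5737
# documentation range) stands in for the page's x.x.x.x LDAP host.
SAMPLE_CONFIG = """\
access-list VPN_SPLIT standard permit 172.16.0.0 255.240.0.0
aaa-server LDAP protocol ldap
aaa-server LDAP host 192.0.2.10
 ldap-over-ssl enable
webvpn
 enable inside
 enable outside
 tunnel-group-list enable
group-policy split-users attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT
tunnel-group vpn-users general-attributes
 authentication-server-group LDAP
 default-group-policy vpn-users
tunnel-group split-users general-attributes
 default-group-policy split-users
"""

def parse_blocks(text):
    """Split config into (top-level line, [sub-mode lines]); ASA indents sub-modes by one space."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue  # blank lines and ASA comment markers
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks

def _sections(blocks, prefix):
    """Yield (header words after prefix, body) for blocks whose header starts with prefix."""
    for head, body in blocks:
        if head.startswith(prefix):
            yield head[len(prefix):].split(), body

def standard_acls(blocks):
    """ACL name -> [IPv4Network] from 'access-list X standard permit ...' lines."""
    acls = {}
    for w, _ in _sections(blocks, "access-list "):
        if len(w) >= 4 and w[1:3] == ["standard", "permit"] and (w[3] == "any" or len(w) > 4):
            # 'any' -> 0/0, 'host A' -> A/32, otherwise (network, netmask): ASA uses real masks
            net = "0.0.0.0/0" if w[3] == "any" else w[4] if w[3] == "host" else (w[3], w[4])
            acls.setdefault(w[0], []).append(ipaddress.IPv4Network(net))
    return acls

def _policy_setting(policies, name, prefix):
    """Value of a group-policy line, falling back to DfltGrpPolicy as the ASA does."""
    for pol in (name, "DfltGrpPolicy"):
        for line in policies.get(pol, []):
            if line.startswith(prefix):
                return line[len(prefix):].strip()
    return None

def audit(text, client_interfaces=("outside",)):
    """Return a list of findings for the config text; an empty list means clean."""
    blocks, findings = parse_blocks(text), []
    acls = standard_acls(blocks)

    # webvpn should listen only where remote clients arrive, and the alias
    # drop-down hands group names to anyone who can load the login page.
    for _, body in _sections(blocks, "webvpn"):
        for line in body:
            if line.startswith("enable ") and line.split()[1] not in client_interfaces:
                findings.append(f"webvpn listens on non-client interface '{line.split()[1]}'")
            if line == "tunnel-group-list enable":
                findings.append("login page lists tunnel-group aliases to unauthenticated users")

    # An LDAP bind over plain TCP sends the service-account password in the clear.
    protocols = {w[0]: w[2] for w, _ in _sections(blocks, "aaa-server ") if len(w) > 2 and w[1] == "protocol"}
    for w, body in _sections(blocks, "aaa-server "):
        if len(w) > 1 and w[1] == "host" and protocols.get(w[0]) == "ldap" and "ldap-over-ssl enable" not in body:
            findings.append(f"aaa-server {w[0]} binds to LDAP without TLS")

    policies = {w[0]: body for w, body in _sections(blocks, "group-policy ") if len(w) > 1 and w[1] == "attributes"}
    for w, body in _sections(blocks, "tunnel-group "):
        if len(w) < 2 or w[1] != "general-attributes":
            continue
        name, settings = w[0], dict(line.split(None, 1) for line in body if " " in line)
        if "authentication-server-group" not in settings:  # the ASA then falls back to LOCAL
            findings.append(f"tunnel-group {name} authenticates against the LOCAL database")
        gp = settings.get("default-group-policy", "DfltGrpPolicy")
        if (_policy_setting(policies, gp, "split-tunnel-policy ") or "tunnelall") == "tunnelspecified":
            acl = _policy_setting(policies, gp, "split-tunnel-network-list value ")
            nets = acls.get(acl, [])
            if not nets:
                findings.append(f"tunnel-group {name}: tunnelspecified but ACL '{acl}' has no permit entries")
            elif any(n.prefixlen == 0 for n in nets):
                findings.append(f"tunnel-group {name}: split-tunnel ACL '{acl}' permits any, a full tunnel in disguise")
    return findings
```

Feed audit() the saved output of show running-config; the client_interfaces argument assumes only outside should carry the portal, so adjust it if clients legitimately arrive on another interface. On the sample it reports the inside listener, the alias drop-down and split-users falling back to LOCAL, and it returns an empty list once those three lines are changed.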

Links:

If there are any mistakes, please feel free to add/edit!

--IPv6Freely 10:01, 1 July 2008 (CDT)
