Eight easy steps to Cisco ASA remote access setup

Lori Hyde shows you a simple eight-step process to setting up remote access for users with the Cisco ASA.

There are eight basic steps in setting up remote access for users with the Cisco ASA.

  • Step 1. Configure an Identity Certificate
  • Step 2. Upload the SSL VPN Client Image to the ASA
  • Step 3. Enable AnyConnect VPN Access
  • Step 4. Create a Group Policy
  • Step 5. Configure Access List Bypass
  • Step 6. Create a Connection Profile and Tunnel Group
  • Step 7. Configure NAT Exemption
  • Step 8. Configure User Accounts

So let's get started!

Step 1. Configure an Identity Certificate

Here I am generating an RSA key pair named sslvpnkey, creating a self-signed identity certificate in a trustpoint named localtrust that uses that key pair, and applying the certificate to the "outside" interface. You can purchase a certificate through a vendor such as Verisign if you choose. A self-signed certificate works, but AnyConnect clients will warn that the ASA's certificate is untrusted until the certificate (or its issuer) is trusted on the client.

corpasa(config)#crypto key generate rsa label sslvpnkey
corpasa(config)#crypto ca trustpoint localtrust
corpasa(config-ca-trustpoint)#enrollment self
corpasa(config-ca-trustpoint)#fqdn sslvpn.mycompany.com
corpasa(config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com
corpasa(config-ca-trustpoint)#keypair sslvpnkey
corpasa(config)#crypto ca enroll localtrust noconfirm
corpasa(config)#ssl trust-point localtrust outside

Step 2. Upload the SSL VPN Client Image to the ASA

You can obtain the client image at Cisco.com. As you choose which image to download to your tftp server, remember that you will need a separate image for each OS that your users have. After you select and download your client software, you can tftp it to your ASA.

corpasa(config)#copy tftp://192.168.81.50/anyconnect-win-2.0.0343-k9.pkg flash

After the file has been uploaded to the ASA, configure this file to be used for webvpn sessions. Note that if you have more than one client, configure the most commonly used client to have the highest priority. In this case, we're using only one client and giving it a priority of 1.

corpasa(config)#webvpn
corpasa(config-webvpn)#svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

Step 3. Enable AnyConnect VPN Access

Enable WebVPN on the outside interface and turn on the SSL VPN client (svc) service:

corpasa(config)#webvpn
corpasa(config-webvpn)#enable outside
corpasa(config-webvpn)#svc enable

Step 4. Create a Group Policy

Group policies specify the parameters that are applied to clients when they connect. In this case, we'll create a group policy named SSLClient. The remote access clients need an IP address assigned at login, so we'll also define a local address pool on the ASA for them; you could instead have the ASA hand out addresses from a DHCP server if you have one.

corpasa(config)#ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
corpasa(config)#group-policy SSLClient internal
corpasa(config)#group-policy SSLClient attributes
corpasa(config-group-policy)#dns-server value 192.168.200.5
corpasa(config-group-policy)#vpn-tunnel-protocol svc
corpasa(config-group-policy)#default-domain value mysite.com
corpasa(config-group-policy)#address-pools value SSLClientPool

Step 5. Configure Access List Bypass

The sysopt connection permit-vpn command tells the ASA to let decrypted traffic from SSL and IPsec VPN clients bypass the interface access lists (a vpn-filter applied in the group policy still applies if you configure one).

corpasa(config)#sysopt connection permit-vpn

Step 6. Create a Connection Profile and Tunnel Group

As remote access clients connect to the ASA, they connect to a connection profile, which is also known as a tunnel group. We'll use this tunnel group to define the specific connection parameters we want them to use. In our case, we're configuring these remote access clients to use the Cisco AnyConnect SSL client, but you can also configure the tunnel groups to use IPsec, L2L, etc.

First, let's create the tunnel group SSLClient:

corpasa(config)#tunnel-group SSLClient type remote-access

Next, we'll assign the specific attributes:

corpasa(config)#tunnel-group SSLClient general-attributes
corpasa(config-tunnel-general)#default-group-policy SSLClient
corpasa(config)#tunnel-group SSLClient webvpn-attributes
corpasa(config-tunnel-webvpn)#group-alias MY_RA enable
corpasa(config)#webvpn
corpasa(config-webvpn)#tunnel-group-list enable

Note that the alias MY_RA is the group that your users will see when they are prompted for login authentication.

Step 7. Configure NAT Exemption

Now we need to tell the ASA not to NAT the traffic between the remote access clients and the internal network they will be accessing. First we'll create an access list that defines the traffic, and then we'll apply this list to the nat statement for our interface. Note that the nat 0 access-list form shown here is the pre-8.3 NAT syntax; on ASA 8.3 and later the same exemption is written as a twice NAT (nat ... source static) rule instead.

corpasa(config)#access-list no_nat extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
corpasa(config)#nat (inside) 0 access-list no_nat

Step 8. Configure User Accounts

Now we're ready for some user accounts. Here we'll create a user and assign this user to our remote access vpn.

corpasa(config)#username hyde password l3tm3in
corpasa(config)#username hyde attributes
corpasa(config-username)#service-type remote-access

Finishing up

Don't forget to save your configuration to memory.

corpasa#write memory

Verify your configuration by establishing a remote access session and using the following show command to view the session details:

corpasa#show vpn-sessiondb svc
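As an added check that is not part of the original article, the following Python lint cross-references the pieces configured in the eight steps above: the tunnel group's default-group-policy against the defined group-policy names (ASA names are case-sensitive, and a mismatch silently falls back to DfltGrpPolicy), address-pools against ip local pool, the presence of sysopt connection permit-vpn, and whether the NAT-exempt access list actually covers the client pool. The sample config is constructed from this article's commands with a deliberately misspelled group-policy name (SSLCLient vs SSLClient) so the check has something to find.

```python
import ipaddress
import re

# Constructed sample: this article's eight steps collapsed into a running config,
# with the group-policy name deliberately misspelled (SSLCLient vs SSLClient).
SAMPLE_CONFIG = """\
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
group-policy SSLCLient internal
group-policy SSLCLient attributes
 address-pools value SSLClientPool
sysopt connection permit-vpn
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLClient
access-list no_nat extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list no_nat
"""


def lint_ra_config(cfg: str) -> list[str]:
    """Cross-check the remote-access pieces of an ASA config; returns findings."""
    findings = []
    pools = {m[1]: (m[2], m[3]) for m in
             re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+", cfg, re.M)}
    policies = set(re.findall(r"^group-policy (\S+) internal", cfg, re.M))
    # Names are case-sensitive: a tunnel group pointing at a misspelled policy
    # silently gets DfltGrpPolicy, which may not permit the svc protocol at all.
    for name in re.findall(r"^\s*default-group-policy (\S+)", cfg, re.M):
        if name not in policies:
            findings.append(f"default-group-policy {name}: no group-policy with that exact name")
    for name in re.findall(r"^\s*address-pools value (\S+)", cfg, re.M):
        if name not in pools:
            findings.append(f"address-pools {name}: no such ip local pool")
    if not re.search(r"^sysopt connection permit-vpn$", cfg, re.M):
        findings.append("sysopt connection permit-vpn missing: VPN traffic is subject to interface ACLs")
    # NAT exemption: the ACL named in 'nat (x) 0 access-list' must cover every pool.
    acl_nets = {}
    for m in re.finditer(r"^access-list (\S+) extended permit ip \S+ \S+ (\S+) (\S+)", cfg, re.M):
        acl_nets.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
    exempt = re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M)
    for pname, (first, last) in pools.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not any(lo in n and hi in n for acl in exempt for n in acl_nets.get(acl, [])):
            findings.append(f"pool {pname} ({first}-{last}) not covered by any NAT-exempt ACL")
    return findings


if __name__ == "__main__":
    for line in lint_ra_config(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run it against a "show running-config" capture instead of SAMPLE_CONFIG to check a real box; the regexes expect the pre-8.3 nat 0 access-list syntax used in this article.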

This guide should help you to get your remote access users up and running in no time. If you run into any difficulties, use the debug webvpn commands to diagnose the problem.

Good luck and have fun out there!

13 comments
salznoor

India-CiscoASA(config)# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : anycisco               Index        : 53
Assigned IP  : 192.168.105.11         Public IP    : 192.168.102.219
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)RC4  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 19798                  Bytes Rx     : 33019
Group Policy : SSLCLient              Tunnel Group : SSLClient
Login Time   : 07:23:05 UTC Thu Jul 17 2014
Duration     : 0h:13m:52s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

India-CiscoASA(config)#
India-CiscoASA(config)# sho
India-CiscoASA(config)# show cryp
India-CiscoASA(config)# show crypto ips
India-CiscoASA(config)# show crypto ipsec sa
India-CiscoASA(config)# show crypto ipsec sa

There are no ipsec sas

India-CiscoASA(config)#


salznoor

I configured the above-mentioned steps, and am able to connect the AnyConnect client to the VPN gateway.

But I am not seeing any IPsec SA formed.

I could see the vpn-sessiondb though.

Some help please?

ckelly

If I read the docs right, if you have a pair of ASAs in fail over (like we do), the local CA issue is not allowed.

aharry01

If you want to allow internet browsing for SSL VPN users WITHOUT split-tunneling turned on, you will have to enable traffic to pass in and then back out of the outside interface, and you will also need to apply a nat for the SSL VPN IP pool. Here's how:

1. Use the command "same-security-traffic permit intra-interface" to allow traffic to enter and exit an interface with the same security level.

2. Apply a nat for the IP pool that was configured for the SSL VPN users:

global (outside) 1 interface
nat (outside) 1 [ip_pool_address_range] [netmask]

That should do the trick. This process is known as hair-pinning. Of course, please be careful when typing in these commands on a production ASA as your configuration may be different. You should ALWAYS backup your configs before making any changes.

Alan Harrylal

rayb

Can anyone tell me if there is a cost involved in using the cisco web vpn client or the standard cisco vpn client with the ASA 5505 or 5510? Thanks.

bvnay

Is there another article that describes how to configure remote access using the Cisco VPN Client?

tcase

Pretty good article and there is so much more you can do with just the clientless web vpn. I would like to see an article on single sign on for the ASA webvpn. Thanks, Tony

troncarter80

Looks good, but I think you're better off with a "copy run start" instead of a "wr mem". The latter is on its way to being deprecated. I also believe that a "wr mem" uses more processing power than a "copy run start" when it is run. Perhaps someone can confirm this for me. Thanks

Lori H

I believe the base license includes 2 SSL VPN peers. More than that will require an upgrade that you will have to pay for. Lori

bpate

There is an easy way to setup single sign on for the WebVPN. If you already have your ASA setup to authenticate against RADIUS or TACACS all you have to do is add the following line to your config... please keep in mind you must have an authentication server group setup.

tunnel-group SSLClient general-attributes
authentication-server-group RD_SRV_GRP LOCAL
default-group-policy SSLCLient

To setup an authentication server you can use a server like Cisco ACS or you can use IAS radius server from Microsoft. Below is a link how to setup an IAS server to authenticate cisco devices: http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

If this doesn't work you can just google "use IAS to authenticate cisco devices". I use MS IAS server and it works perfectly for us...

rcharlesworth

So we have AnyConnect setup and working great. Now we need to deploy the certificate to all our users. Does anyone know how we do this without any user involvement?

FAST!!!

Personally I prefer "wr" because it uses less of my own processing power. Four key strokes to be exact...