I know I’m not the first to attempt writing a succinct guide to quickly setting up a virtual private network (VPN) using Cisco gear, but I’m hoping this guide will be a one stop shop (blog) on how it’s done with an ASA 5505 in a way that also lets users reach the internet while connected. The ASA does offer a wizard, but the wizard doesn’t cover everything you need to do and can be confusing about what it’s asking for. There are basically four parts to this: setting up your SSL certificate, configuring the VPN, setting up the proper NAT rules, and split-tunneling if you so desire. The SSL certificate is what identifies the ASA to the AnyConnect client; the TLS session that carries the tunnel is anchored on it, so a user who has been trained to click through certificate warnings has no way to tell the real ASA from an impostor. In my example I’m just going to use a self-signed certificate for testing, but for anything users actually connect to you should get a certificate from a third-party (public) certificate authority so the client trusts it without a warning. The VPN configuration is fairly simple. I’ll describe what the wizard is looking for and go through the configuration steps. The NAT exemption keeps the ASA from translating traffic between the VPN pool and the inside network, and split-tunneling is what allows your users to browse both the inside network and the internet at the same time. Here are the steps I followed to make it work for my environment. I’m working with an inside network, outside network and a DMZ, using the ASDM and the CLI.
Setting up your SSL Certificate
- Click on Configuration at the top and then select Remote Access VPN
- Click on Certificate Management and then click on Identity Certificates
- Click Add and then Add a new identity certificate.
- Click New, enter a name for your new key pair (ex: VPN), pick a key size of at least 2048 bits, and click Generate Now.
- Under the certificate subject DN enter the FQDN your users will connect to, such as CN=vpn.domain.com, and click OK. The CN has to match the host name in the connection URL, otherwise AnyConnect warns about a name mismatch on top of the untrusted-issuer warning a self-signed certificate already causes.
- Put a check next to Generate Self Signed Certificate and then click Add Certificate.
- Click OK.
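The same certificate can be generated from the CLI, which is handy for scripting or for checking what ASDM actually did. This is an added example, not part of the original post; the key pair name VPN, the trustpoint name VPN-SELF and the FQDN vpn.domain.com are assumptions.

```cisco
! Added example, not from the original post. Assumed names: key pair VPN,
! trustpoint VPN-SELF, FQDN vpn.domain.com.
! 2048-bit RSA key pair that the certificate will be bound to.
crypto key generate rsa label VPN modulus 2048
!
! Trustpoint that enrolls with itself, i.e. a self-signed certificate.
crypto ca trustpoint VPN-SELF
 enrollment self
 fqdn vpn.domain.com
 subject-name CN=vpn.domain.com
 keypair VPN
!
! Generate the certificate (noconfirm skips the interactive prompts).
crypto ca enroll VPN-SELF noconfirm
!
! Present this certificate for TLS on the outside interface. Without this line
! the ASA keeps answering with its temporary default certificate.
ssl trust-point VPN-SELF outside
!
! Verify: subject should read CN=vpn.domain.com and the key should be 2048 bits.
show crypto ca certificates VPN-SELF
show crypto key mypubkey rsa
```

For a production certificate the only change is the enrollment: set enrollment terminal instead of enrollment self, run crypto ca enroll to get a CSR, have the CA sign it, and paste the result back in with crypto ca import VPN-SELF certificate. The ssl trust-point line stays the same.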
Setting up your AnyConnect Remote Access VPN:
- Click on Wizards and go to the VPN wizard
- Put a check next to AnyConnect SSL VPN Client (AnyConnect VPN Client)
- Give it a connection profile name (ex: VPN)
- Make sure to select the Outside interface
- In the pull down menu for certificates select the certificate you just created.
- Take note of the connection URLs you will use to connect to the VPN from the client (ex: https://ip.add.re.ss:444). The default is 443; if you run the SSL VPN on another port, as in the example, users have to include it in the URL and that port has to be reachable from wherever they connect.
- Click Next
- You can authenticate using a local database (with users you created) or put in your LDAP information (ex: your Active Directory users). If you point it at AD, enable LDAP over SSL (port 636) so the ASA’s bind credentials and your users’ passwords don’t cross the inside network in the clear.
- Click Next
- Create a new group policy and give it a name (ex: AnyConnect) and click Next
- Click on New to create an address pool for your users. Do not use the same subnet as your inside network, since the pool has to be routable and NAT-exempt as a separate subnet. So, if you’re using 192.168.100.0/24 for the inside, use 192.168.104.0/24 for your VPN pool. If you only want 20 IPs in the pool your starting address could be 192.168.104.21 and your ending IP address would be 192.168.104.40 (a range of .20 to .40 is 21 addresses, since both ends are included).
- Now choose that pool from your pull-down menu. You don’t really need to worry about the IPv6 pools unless you’re using IPv6 on your network. The same concepts apply, though.
- For the AnyConnect image, browse your flash to find it. This will be the client package that shipped on the ASA’s flash, so it may be out of date, and an outdated client is what your users will end up running. If you want a current version you’ll need to download it from the Cisco site with an account that has a valid service contract (SMARTnet) and then upload that image in this area. Upload one package per client platform you support (Windows, macOS, Linux).
- Click Finish. You may need to Apply and save this configuration.
Create the NAT exemption rule (using CLI because it’s faster):
- Connect to the firewall CLI
- In configuration mode enter the following commands:
- access-list NAT-EXEMPT extended permit ip 192.168.100.0 255.255.255.0 192.168.104.0 255.255.255.0
- tunnel-group VPN general-attributes
- address-pool AnyConnect (AnyConnect here is the name of the address pool you created earlier, not the group policy)
The access-list on its own does nothing: it has to be referenced by a nat 0 (identity NAT) statement on the inside interface on pre-8.3 code, or written as a twice NAT rule with the inside subnet and the VPN pool as network objects on 8.3 and later. Without that, traffic from the inside network to the VPN pool gets translated by your ordinary outbound NAT rule and the replies never make it back into the tunnel.
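As an added example (not from the original post), here is the CLI equivalent of the wizard steps above together with the NAT exemption, so the whole thing can be pasted in or checked against the running config. Names and addresses are assumptions: pool VPN-POOL (192.168.104.21 to .40), group policy AnyConnect, tunnel group VPN, local user vpnuser, DNS server 192.168.100.10, domain domain.com, and the AnyConnect package file name, which you get from dir disk0:. The syntax is ASA 8.4 and later; on 8.2 the equivalents are svc image, svc enable and vpn-tunnel-protocol svc, and the NAT exemption is the nat 0 form shown in the comments at the end.

```cisco
! Added example, not from the original post. Assumed names: VPN-POOL, AnyConnect,
! VPN, vpnuser, 192.168.100.10, domain.com, and the package file name on disk0:.
! Address pool for clients: 20 addresses, outside the inside subnet.
ip local pool VPN-POOL 192.168.104.21-192.168.104.40 mask 255.255.255.0
!
! Enable the SSL VPN listener on outside and publish the client package.
! The trailing "1" is the image order; add one line per platform package uploaded.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Group policy: SSL client only, plus the DNS settings clients receive.
group-policy AnyConnect internal
group-policy AnyConnect attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 192.168.100.10
 default-domain value domain.com
!
! Connection profile (tunnel group): pool, default policy and where to authenticate.
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN-POOL
 default-group-policy AnyConnect
 authentication-server-group LOCAL
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
!
! Local test account, marked as a remote-access user rather than an admin.
username vpnuser password <strong-password>
username vpnuser attributes
 vpn-group-policy AnyConnect
 service-type remote-access
!
! NAT exemption (identity NAT): inside <-> pool traffic must not be translated.
! ASA 8.3 and later:
object network INSIDE-NET
 subnet 192.168.100.0 255.255.255.0
object network VPN-POOL-NET
 subnet 192.168.104.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup
!
! ASA 8.2 and earlier, using the ACL from the post:
! access-list NAT-EXEMPT extended permit ip 192.168.100.0 255.255.255.0 192.168.104.0 255.255.255.0
! nat (inside) 0 access-list NAT-EXEMPT
```

One thing neither the wizard nor the steps above mention: by default the ASA lets decrypted VPN traffic bypass the interface ACLs (sysopt connection permit-vpn is on), so every VPN user can reach everything on the inside network. If you want least privilege, attach a vpn-filter ACL to the group policy (vpn-filter value), or turn that sysopt off and filter VPN users on the outside interface ACL like any other inbound traffic.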
You would actually be able to connect to the inside network using the VPN now. However, your users would be cut off from the internet: with the default tunnel-all policy every packet from the client goes down the tunnel, and the ASA has no rule to send VPN traffic back out the outside interface. So next we have to configure split-tunneling to allow them to use their internet. If you want to maintain a very secure environment, you may not want to configure split-tunnel: a split-tunneled client is on the internet and the inside network at the same time, so anything that compromises the laptop has a path into your network for as long as the session lasts. The alternative is to keep tunnel-all and let VPN clients hairpin back out the outside interface behind the ASA’s NAT, which keeps all their traffic subject to your firewall policy at the cost of bandwidth. However, this becomes a question of functionality vs. security. Your users will probably not want to sign on and off of the VPN just to do a simple Google search or check an internet email inbox.
- Go back to your ASDM and click on Configuration, then Remote Access VPN, then Network (Client) Access. Highlight Group Policies.
- Click the group policy you created in the wizard and then click Edit.
- Expand Advanced and then click on Split Tunneling
- Uncheck Inherit next to Policy and from the pull-down menu select Tunnel Network List Below
- Uncheck Inherit next to Network List and then click Manage
- Click on Add and then Add ACL
- Name the ACL and then click Add again to Add ACE
- In the Add ACE Window click on Permit and select the inside address (192.168.100.0/24). Add one entry per network that should go through the tunnel (the DMZ, for instance); anything not in this list leaves the client through its local default route and never reaches the ASA.
- Click OK and then make sure your new ACL is listed in your Network List.
- Click OK again.
- Click Apply and then Save.
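The split-tunnel settings above, as an added example in CLI form (not from the original post), with the commands to confirm a connected client actually received the list. The ACL name SPLIT-TUNNEL, the group policy name AnyConnect and the DMZ subnet 192.168.102.0/24 are assumptions; the post only says a DMZ exists. The commented block at the end is the hairpin alternative for anyone who decides against split tunneling (ASA 8.3 and later syntax).

```cisco
! Added example, not from the original post. Assumed names: ACL SPLIT-TUNNEL,
! group policy AnyConnect, inside 192.168.100.0/24, DMZ 192.168.102.0/24.
! Split-tunnel lists are standard ACLs: only destinations matched here use the tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.102.0 255.255.255.0
!
! tunnelspecified = "Tunnel Network List Below" in ASDM (the default is tunnelall).
group-policy AnyConnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Alternative if you keep tunnelall: let VPN clients go back out the outside
! interface (hairpinning) behind the ASA's outside address. Leave the two
! split-tunnel lines above out if you use this.
! same-security-traffic permit intra-interface
! object network VPN-POOL-NET
!  subnet 192.168.104.0 255.255.255.0
!  nat (outside,outside) dynamic interface
!
! Verify after a client connects: session list with assigned pool address,
! then the policy the client was handed. On 8.2 use "show vpn-sessiondb svc".
show vpn-sessiondb anyconnect
show running-config group-policy AnyConnect
```

On the client side, the AnyConnect Route Details tab should list exactly the subnets in SPLIT-TUNNEL as secured routes; if it shows 0.0.0.0/0 the group policy is still inheriting tunnelall from the default policy.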
You should now have an operational VPN and your users will be able to access the public internet while connected. Test it from a client that is actually outside your network, since connecting from the inside won’t exercise the outside interface, the certificate or the NAT rules.