Thursday, March 19, 2009

Remote access for users with the Cisco ASA.

There are eight basic steps in setting up remote access for users with the Cisco ASA.

* Step 1. Configure an Identity Certificate
* Step 2. Upload the SSL VPN Client Image
* Step 3. Enable AnyConnect VPN Access
* Step 4. Create a Group Policy
* Step 5. Configure Access List Bypass
* Step 6. Create a Connection Profile / Tunnel Group
* Step 7. Configure NAT Exemption
* Step 8. Configure User accounts

So let’s get started!

Step 1. Configure an Identity Certificate

Here I am generating an RSA keypair named sslvpnkey, creating a self-signed identity certificate in a trustpoint named localtrust, and then applying that trustpoint to the ‘outside’ interface for SSL. Because the certificate is self-signed, AnyConnect clients will warn that the server certificate is untrusted until they are configured to trust it; if you prefer, you can purchase a certificate from a vendor such as Verisign instead.

corpasa(config)#crypto key generate rsa label sslvpnkey

corpasa(config)#crypto ca trustpoint localtrust

corpasa(config-ca-trustpoint)#enrollment self

corpasa(config-ca-trustpoint)#fqdn sslvpn.mycompany.com

corpasa(config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com

corpasa(config-ca-trustpoint)#keypair sslvpnkey

corpasa(config-ca-trustpoint)#crypto ca enroll localtrust noconfirm

corpasa(config)#ssl trust-point localtrust outside

Step 2. Upload the SSL VPN Client Image to the ASA

You can obtain the client image at Cisco.com. As you choose which image to download to your TFTP server, remember that you need a separate image for each client operating system your users run. After you select and download the client package, copy it to the ASA’s flash over TFTP.

corpasa(config)#copy tftp://192.168.81.50/anyconnect-win-2.0.0343-k9.pkg flash

After the file has been uploaded to the ASA, configure it as the image used for webvpn sessions. Note that if you have more than one client image, give the most commonly used client the lowest order number so it is offered first. In this case we’re only using one client and giving it order 1.

corpasa(config)#webvpn

corpasa(config-webvpn)#svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

Step 3. Enable AnyConnect VPN Access

corpasa(config)#webvpn

corpasa(config-webvpn)#enable outside

corpasa(config-webvpn)#svc enable

Step 4. Create a Group Policy

Group policies specify the parameters that are applied to clients when they connect. In this case, we’ll create a group policy named SSLClient. The remote access clients need to be assigned an IP address at login, so we’ll also define a local address pool (ip local pool) for them; you could instead hand out addresses from a DHCP server if you have one.

corpasa(config)#ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0

corpasa(config)#group-policy SSLClient internal

corpasa(config)#group-policy SSLClient attributes

corpasa(config-group-policy)#dns-server value 192.168.200.5

corpasa(config-group-policy)#vpn-tunnel-protocol svc

corpasa(config-group-policy)#default-domain value mysite.com

corpasa(config-group-policy)#address-pools value SSLClientPool

Step 5. Configure Access List Bypass

The sysopt connection permit-vpn command tells the ASA to let traffic from SSL and IPsec VPN clients bypass the interface access lists. Once it is set, the outside interface ACL no longer filters decrypted VPN traffic, so restrict what VPN users may reach in the VPN configuration itself (the group policy) rather than relying on that ACL.

corpasa(config)#sysopt connection permit-vpn

Step 6. Create a Connection Profile and Tunnel Group

As remote access clients connect to the ASA, they connect to a connection profile, which is also known as a tunnel group. We’ll use this tunnel group to define the specific connection parameters we want them to use. In our case, we’re configuring these remote access clients to use the Cisco AnyConnect SSL client, but you can also configure the tunnel groups to use IPsec, L2L, etc.

First, let’s create the tunnel group SSLClient:

corpasa(config)#tunnel-group SSLClient type remote-access

Next, we’ll assign the specific attributes:

corpasa(config)#tunnel-group SSLClient general-attributes

corpasa(config-tunnel-general)#default-group-policy SSLClient

corpasa(config-tunnel-general)#tunnel-group SSLClient webvpn-attributes

corpasa(config-tunnel-webvpn)#group-alias MY_RA enable

corpasa(config-tunnel-webvpn)#webvpn

corpasa(config-webvpn)#tunnel-group-list enable

Note that the alias MY_RA is the group name your users will see and select when they are prompted to log in.

Step 7. Configure NAT Exemption

Now we need to tell the ASA not to NAT the traffic between the remote access clients and the internal network they will be accessing. First we’ll create an access list that defines that traffic (internal network to client pool), and then we’ll apply it to the nat 0 statement for the inside interface.

corpasa(config)#access-list no_nat extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0

corpasa(config)#nat (inside) 0 access-list no_nat

Step 8. Configure User Accounts

Now we’re ready for some user accounts. Here we’ll create a local user and mark the account for remote-access VPN service.

corpasa(config)#username hyde password l3tm3in

corpasa(config)#username hyde attributes

corpasa(config-username)#service-type remote-access

Finishing up

Don’t forget to save your configuration to memory.

corpasa#write memory

Verify your configuration by establishing a remote access session, then use the following show command to view the session details.

corpasa#show vpn-sessiondb svc

This guide should help you to get your remote access users up and running in no time. If you run into any difficulties, use the debug webvpn commands to diagnose the problem.
