How to configure Cisco ASA 5500 for AnyConnect Client

So i was testing some stuff with the Authentication on the ASA Firewall and the AnyConnect client in the last days. So i feel it is time to write things down a little bit.

First i discovered we have the same problem with Windows 7 Firewall. Windows is not detecting the Interface so the Firewall do not say here we are part of the domain:-( Sad very Sad. But as i described here, there is a workaround but this is not supported by Cisco in any way.
But anyhow, we have to move to the AnyConnect Client to get VPN running with WWAN Cards.

So lets begin with a basic setup, only localusers and connect to the ASA with the AnyConnect Client.
No complex things, just connectivity. So we will start here with the configuration.
In the next posts we will go to the more complex things.

A Basic Configuration

Down below you will find a more complete example to use for configuration, be aware the examples a maybe collapsed to save space.

The AnyConnect Client

First you need the AnyConnect Client Package from the Cisco Download Website, either as predeploy or as web install package for your platform. We will use Windows 7 (x64) on our new clients so we will test in the first step the Windows packages.

Assuming we are using Version 2.5.1025, the Package is called anyconnect-win-2.5.1025-k9.pkg.

To install the Package on the ASA you can do following steps on the CLI:

ASA# copy tftp://192.168.0.2/anyconnect-win-2.5.1025-k9.pkg flash:
Address or name of remote host [192.168.0.2]?
Source filename [anyconnect-win-2.5.1025-k9.pkg]?
Destination filename [anyconnect-win-2.5.1025-k9.pkg]?
Accessing tftp://192.168.0.2/anyconnect-win-2.5.1025-k9.pkg...!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.5.1025-k9.pkg...!!!!!!!!!!!
4436544 bytes copied in 37.750 secs (119906 bytes/sec)
ASA#

Then make the package usable by the webvpn service:

ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# ! The regex will make the selection of the platform specific package much faster.
ASA(config-webvpn)# svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1 regex "Windows NT"
ASA(config-webvpn)# exit
ASA(config)# exit
ASA#

The installation via the ASDM-IDM UI is as easy. 😉 Go to „Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Settings“ and follow the pictures.

To install the Predeploy package execute the msi file, in my example it is anyconnect-win-2.5.1025-k9.msi.

The Cisco ASA Configuration

Enabling the WebVPN Service

Assuming we have called the interface pointing to the Internet „Outside“.

ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# enable Outside
ASA(config-webvpn)#  svc enable
ASA(config-webvpn)# exit
ASA(config)# exit
ASA#
AnyConnect Essentials

We are using the AnyConnect essentials only;-) Have your toughts.

ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect-essentials
ASA(config-webvpn)# exit
ASA(config)# exit
ASA#
Client IP Addresses

For the moment we use a local pool and for testing we will only use 16 addresses it is enought;-)

ASA# configure terminal
ASA(config)# ip local pool SSLClientPool 10.2.9.240-10.2.9.255 mask 255.255.255.240
ASA(config)# exit
ASA#
The client policy
ASA# configure terminal
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config-group-policy)#exit
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# banner value Welcome to the MyVPN Service
ASA(config-group-policy)# dns-server value 192.168.10.1
ASA(config-group-policy)# vpn-tunnel-protocol svc
ASA(config-group-policy)# default-domain value example.com
ASA(config-group-policy)# address-pools value SSLClientPool
ASA(config-group-policy)# exit
ASA(config)# exit
ASA#
Create a tunnel group

here we define connection parameters.

ASA# configure terminal
ASA(config)# tunnel-group SSLClientProfile type remote-access
ASA(config)# tunnel-group SSLClientProfile general-attributes
ASA(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group SSLClientProfile webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA(config-tunnel-webvpn)# exit
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# exit
ASA#
How to connect
The complete code
webvpn
 ! The regex will make the selection of the platform specific package much faster.
 svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1 regex "Windows NT"
 enable Outside
 svc enable
 anyconnect-essentials
 exit
!
ip local pool SSLClientPool 10.2.9.240-10.2.9.255 mask 255.255.255.240
!
group-policy SSLCLientPolicy internal
exit
!
group-policy SSLCLientPolicy attributes
 banner value Welcome to the MyVPN Service
 dns-server value 192.168.10.1
 vpn-tunnel-protocol svc
 default-domain value example.com
 address-pools value SSLClientPool
exit
!
tunnel-group SSLClientProfile type remote-access
!
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLCLientPolicy
 exit
!
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
 exit
!
webvpn
 tunnel-group-list enable
exit
!

If you feel this helps a bit or may be not ? Please leave a comment.

Advertisements
Dieser Beitrag wurde unter ASA, Cisco, Computer, Routing, Security, VPN abgelegt und mit , , , , , , verschlagwortet. Setze ein Lesezeichen auf den Permalink.

4 Antworten zu How to configure Cisco ASA 5500 for AnyConnect Client

  1. Matt Juaire schreibt:

    Thanks a lot for the quick howto! Worked great for me. Now that we have clients connecting, is there a way to set up routing so that once they are connected they can still get to the Internet? It seems that they now only have local access once connected.

    Cheers!
    Matt Juaire

    • Bruce Gordon schreibt:

      Just enable „same-security-traffic permit inter-interface“ on the external interface which will allow the vpn tunneled traffic to exit back out the external interface (hairpinning)

  2. Tushar Singh schreibt:

    Hi,

    I am looking for a way by which i can enable the automatic selection of the client version to be used. For instance, for the people who already have a client installed on their PCs (2.2), i dont want them to download and install the new 2.5 version.

    thanks…

    • patrickpreuss schreibt:

      As far as i know you can only have the Minimum Version on the ASA for download.
      You can have „one“ version per supported OS. If you have a higher version on the client no downgrade will initiated.

      What you can define is a minimum version and then the option for upgrade.

Kommentar verfassen

Trage deine Daten unten ein oder klicke ein Icon um dich einzuloggen:

WordPress.com-Logo

Du kommentierst mit Deinem WordPress.com-Konto. Abmelden / Ändern )

Twitter-Bild

Du kommentierst mit Deinem Twitter-Konto. Abmelden / Ändern )

Facebook-Foto

Du kommentierst mit Deinem Facebook-Konto. Abmelden / Ändern )

Google+ Foto

Du kommentierst mit Deinem Google+-Konto. Abmelden / Ändern )

Verbinde mit %s