THIS ARTICLE IS UNFINISHED – 12/20/2020.
In this document we are going to review setting up a Cisco ASA as an AnyConnect SSL VPN server, using our own choice of public IP addresses. In my opinion a lot of the tutorials out there use one of the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) for the "public" side, which makes them hard to follow. Let's put RFC 5737, which reserves 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 for documentation, to good use for once.
REVIEW OF SETUP:
This is what we are using for our basic “Lab” setup. We will use this theme and variants thereof throughout these posts.

interface GigabitEthernet0/0
ip address 203.0.113.1 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 172.16.104.1 255.255.255.0
nameif inside
no shutdown
As part of the initial configuration we are going to assume that we can route traffic out through the outside interface, so a default route points at the upstream router 203.0.113.2:
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1
STEP 1:
Now let's also assume we have set the device up to let any inside host out, using a dynamic PAT rule that translates inside sources to the outside interface address. This is a nasty assumption, and it isn't going to be true for anything resembling a secure environment.
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (inside,outside) dynamic interface
STEP 2: Now we will prepare the ASA to serve as a VPN server. First let's establish a pool of addresses that we will hand out to clients. The pool is a subnet of its own (10.10.20.0/24) that does not overlap the inside network, and the range stops at .254: .255 is the broadcast address of that mask and should not be handed to a client.
ip local pool ssl_vpnpool 10.10.20.1-10.10.20.254 mask 255.255.255.0
STEP 3: We will create some network objects for later use: one that matches the VPN pool, one for the inside network, and an object-group to hold the inside networks.
object network ssl_vpnpool
subnet 10.10.20.0 255.255.255.0
object network local_net
subnet 172.16.104.0 255.255.255.0
object-group network local_nets
network-object object local_net
STEP 4: Now we enable the device for VPN. This turns on WebVPN on the outside interface, loads the AnyConnect package (the file name must match the package uploaded to disk0:), and creates the group policy and tunnel group for the lab; tunnel-group-list enable together with group-alias lets the client pick SPARELAB from its drop-down list. The group policy restricts the tunnel to the AnyConnect SSL client (vpn-tunnel-protocol ssl-client), hands out a DNS server and default domain, and assigns the address pool from STEP 2.
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect enable
group-policy SPARELAB internal
group-policy SPARELAB attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value sparelab.net
address-pool value ssl_vpnpool
tunnel-group SPARELAB type remote-access
tunnel-group SPARELAB general-attributes
default-group-policy SPARELAB
tunnel-group SPARELAB webvpn-attributes
group-alias SPARELAB enable
STEP 5: Restrict SSL VPN traffic. By default VPN-decrypted traffic bypasses the interface access-lists (sysopt connection permit-vpn), so the tool for limiting what a client can reach is a vpn-filter. The access-list is written from the client's point of view, with the pool as source and the inside network as destination, and the ASA applies it to the return traffic as well. Defining the list alone changes nothing: it has to be attached to the group policy with vpn-filter value ssl_vpnfilter under group-policy SPARELAB attributes.
access-list ssl_vpnfilter extended permit ip object ssl_vpnpool object local_net
STEP 6: Now we create the NAT exemption for the VPN traffic. Without it the dynamic PAT rule from STEP 1 would also translate inside hosts' replies to VPN clients, since those replies leave through the outside interface; this identity (twice NAT) rule keeps traffic between local_net and the pool untranslated, and no-proxy-arp keeps the ASA from answering ARP for the addresses in the rule, which an identity translation does not need. Note that no split tunnel is configured, so all client traffic, Internet included, goes into the tunnel; letting that traffic back out of the outside interface additionally needs same-security-traffic permit intra-interface and a NAT rule for the pool.
object-group network local_nonat_destinations
network-object object ssl_vpnpool
nat (inside,outside) source static local_net local_net destination static local_nonat_destinations local_nonat_destinations no-proxy-arp
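Before enabling the VPN it is worth checking the pieces from STEP 2 through STEP 5 against each other. The following Python script is an added example, not part of the original post and not a Cisco tool; it parses an ASA configuration fragment constructed from the snippets on this page, with three mistakes seeded on purpose (a pool that runs up to the broadcast address of its mask, an access-list that is defined but never attached with vpn-filter, and a duplicated vpn-tunnel-protocol line), and reports what a reviewer would flag. The finding codes such as POOL_BROADCAST are this script's own names.

```python
"""Added example (not from the original post or any Cisco tool): audit
the lab VPN configuration on this page before enabling it.
Standard library only; finding codes are this script's own."""
import ipaddress
import re

# Constructed sample: the snippets from STEP 2 to STEP 5, with three
# mistakes seeded on purpose (pool ends at .255, the access-list is never
# attached with vpn-filter, vpn-tunnel-protocol is given twice).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 nameif outside
interface GigabitEthernet0/1
 ip address 172.16.104.1 255.255.255.0
 nameif inside
ip local pool ssl_vpnpool 10.10.20.1-10.10.20.255 mask 255.255.255.0
object network ssl_vpnpool
 subnet 10.10.20.0 255.255.255.0
object network local_net
 subnet 172.16.104.0 255.255.255.0
access-list ssl_vpnfilter extended permit ip object ssl_vpnpool object local_net
group-policy SPARELAB attributes
 vpn-tunnel-protocol ssl-client
 vpn-tunnel-protocol svc
 address-pool value ssl_vpnpool
"""

# RFC 5737 documentation prefixes: right for a write-up, never routable.
DOC_PREFIXES = [ipaddress.ip_network(p) for p in
                ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def parse_config(text):
    """Pull out pools, network objects, ACL names, vpn-filter references,
    interface addresses by nameif and vpn-tunnel-protocol counts per policy."""
    cfg = {"pools": {}, "objects": {}, "acls": set(), "filters": set(),
           "ifaces": {}, "tunnel_protocol": {}}
    obj = policy = iface_ip = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line):
            mask_len = ipaddress.ip_network(f"0.0.0.0/{m[4]}").prefixlen
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]),
                                  ipaddress.ip_address(m[3]), mask_len)
        elif m := re.match(r"object network (\S+)", line):
            obj, policy = m[1], None
        elif m := re.match(r"subnet (\S+) (\S+)", line):
            if obj:
                cfg["objects"][obj] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].add(m[1])
        elif m := re.match(r"vpn-filter value (\S+)", line):
            cfg["filters"].add(m[1])
        elif m := re.match(r"group-policy (\S+) attributes", line):
            policy, obj = m[1], None
            cfg["tunnel_protocol"].setdefault(policy, 0)
        elif line.startswith("vpn-tunnel-protocol") and policy:
            cfg["tunnel_protocol"][policy] += 1
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            iface_ip = ipaddress.ip_address(m[1])
        elif m := re.match(r"nameif (\S+)", line):
            cfg["ifaces"][m[1]] = iface_ip
    return cfg


def audit_config(text):
    """Return a list of (code, detail) findings for the config text."""
    cfg = parse_config(text)
    findings = []
    for name, (start, end, mask_len) in cfg["pools"].items():
        net = ipaddress.ip_network(f"{start}/{mask_len}", strict=False)
        if end not in net:
            findings.append(("POOL_OUTSIDE_MASK", f"{name}: {end} is not in {net}"))
        if start == net.network_address or end == net.broadcast_address:
            findings.append(("POOL_BROADCAST",
                             f"{name}: range touches the network or broadcast address of {net}"))
        for oname, onet in cfg["objects"].items():
            if onet != net and onet.overlaps(net):   # the pool's own object may match
                findings.append(("POOL_OVERLAP", f"{name} overlaps {oname} ({onet})"))
    for acl in sorted(cfg["acls"] - cfg["filters"]):
        findings.append(("ACL_UNUSED", f"{acl} is defined but never applied with vpn-filter"))
    for policy, count in cfg["tunnel_protocol"].items():
        if count > 1:
            findings.append(("DUP_TUNNEL_PROTOCOL",
                             f"{policy}: only the last vpn-tunnel-protocol line takes effect"))
    outside = cfg["ifaces"].get("outside")
    if outside and any(outside in p for p in DOC_PREFIXES):
        findings.append(("DOC_PREFIX",
                         f"outside {outside} is RFC 5737 space; replace it on a real deployment"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(f"{code:20} {detail}")
```

Run it against `show running-config` output saved to a file and you get the same four findings this sample produces; fix the pool range, attach the access-list with vpn-filter and drop the duplicate vpn-tunnel-protocol line, and only the informational DOC_PREFIX finding remains.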
STEP 7: Let's create a local user, Mr. John Smith, with the password "l3tm3in". The ASA stores a hash of the password in the configuration, and service-type remote-access limits the account to VPN logins so it cannot be used for SSH or ASDM management. A local account with a password like this one is for the lab only; in anything real, point the tunnel group at an AAA server (RADIUS or LDAP) and require a second factor. This results in the following.
username jsmith password l3tm3in
username jsmith attributes
service-type remote-access
Next, install the AnyConnect VPN client for the OS you are using. If this is Windows I would suggest rebooting afterwards. Now we can connect to our VPN host, 203.0.113.1, and select the SPARELAB group.

Now, because the ASA is still presenting its default self-signed certificate, the client is going to warn about an untrusted server. In a follow-up post we will review some basic care and maintenance, including how to replace the certificate with one from a commercial CA.

And to verify our connection information from the ASA. Note that this capture shows a group policy and tunnel group named SSLClient; with the configuration above both fields should read SPARELAB, and an unexpected name here is the first thing to check when a client ends up with the wrong policy or address pool:
ciscoasa# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : jsmith Index : 2
Assigned IP : 10.10.20.1 Public IP : 192.168.0.102
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)AES128 SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)none
Hashing : AnyConnect-Parent: (1)SHA1 SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)none
Bytes Tx : 17963624 Bytes Rx : 1084994
Group Policy : SSLCLient Tunnel Group : SSLClient
Login Time : 17:04:38 UTC Sun Dec 13 2020
Duration : 0h:08m:48s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
END POST: