THIS ARTICLE IS UNFINISHED – 12/20/2020.
In this document we are going to review setting up a Cisco ASA for use with VPN. We are going to leverage our choice of public IP addresses. In my opinion a lot of the tutorials out there use one of the RFC 1918 private ranges (172.16., 192.168. or 10.) for this task. Let's put RFC 5737 (the documentation ranges, such as 203.0.113.0/24) to good use for once.
REVIEW OF SETUP:
This is what we are using for our basic “Lab” setup. We will use this theme and variants thereof throughout these posts.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 nameif outside
 no shutdown
interface GigabitEthernet0/1
 ip address 172.16.104.1 255.255.255.0
 nameif inside
 no shutdown
As part of the initial configuration we need to make sure we can route traffic out through the outside interface, so we add a default route pointing at the upstream gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1
Now let’s also assume we set the device up to allow traffic out. This is a nasty assumption – and isn’t going to be true for anything resembling a secure environment.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
STEP 2: Now we will consider the steps in configuring and preparing the ASA to serve as a VPN server. First let's establish a pool of addresses that we will hand out to clients.
While we are at it we can create some values which we will use later.
ip local pool ssl_vpnpool 10.10.20.1-10.10.20.255 mask 255.255.255.0
STEP 3: We will create some objects for later use.
object network ssl_vpnpool
 subnet 10.10.20.0 255.255.255.0
object network local_net
 subnet 172.16.104.0 255.255.255.0
object-group network local_nets
 network-object object local_net
STEP 4: Now we will enable the device for VPN.
webvpn
 enable outside
 tunnel-group-list enable
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
group-policy SPARELAB internal
group-policy SPARELAB attributes
 dns-server value 188.8.131.52
 vpn-tunnel-protocol ssl-client
 default-domain value sparelab.net
 vpn-tunnel-protocol svc
 address-pool value ssl_vpnpool
tunnel-group SPARELAB type remote-access
tunnel-group SPARELAB general-attributes
 default-group-policy SPARELAB
tunnel-group SPARELAB webvpn-attributes
 group-alias SPARELAB enable
STEP 5: Allow SSL VPN traffic.
access-list ssl_vpnfilter extended permit ip object ssl_vpnpool object local_net

Note that defining the ACL on its own does not filter anything; it only takes effect once it is attached, for example as a vpn-filter under the group-policy attributes.
STEP 6: Now we create the NAT exemption (identity NAT) for the VPN traffic, so traffic between the inside network and the VPN pool is not translated.
object-group network local_nonat_destinations
 network-object object ssl_vpnpool
nat (inside,outside) source static local_net local_net destination static local_nonat_destinations local_nonat_destinations no-proxy-arp
STEP 7: Let's create a user, Mr. John Smith, with a password of "l3tm3in". This results in the following.
username jsmith password l3tm3in
username jsmith attributes
 service-type remote-access
Next, I would install the AnyConnect VPN client for the OS you are using. If this is for Windows I would suggest making sure you reboot afterwards. Now we can connect to our VPN host.
Now, because this is a new device with a self-signed certificate, we are going to get a warning. In a follow-up post we will review some basic care and maintenance, including how to replace the cert with a commercial one.
And to verify our connection information from the ASA:
ciscoasa# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : jsmith                 Index        : 2
Assigned IP  : 10.10.20.1             Public IP    : 192.168.0.102
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)AES128  SSL-Tunnel: (1)AES128  DTLS-Tunnel: (1)none
Hashing      : AnyConnect-Parent: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)none
Bytes Tx     : 17963624               Bytes Rx     : 1084994
Group Policy : SSLCLient              Tunnel Group : SSLClient
Login Time   : 17:04:38 UTC Sun Dec 13 2020
Duration     : 0h:08m:48s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
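That session output is worth checking automatically rather than by eye: the DTLS tunnel reports no encryption and the SSL tunnel negotiated SHA1. The Python below is an added example, not code from the original post or from Cisco; it parses a copy of the output above and flags any tunnel reporting a weak or absent algorithm. The sample text is constructed from the output shown, and the weak-algorithm sets are my own assumption of what to alert on.

```python
import re

# Constructed sample, copied from the "show vpn-sessiondb anyconnect" output
# above and laid out the way the ASA prints it (two fields per line).
SAMPLE_OUTPUT = """\
Session Type: AnyConnect
Username     : jsmith                 Index        : 2
Assigned IP  : 10.10.20.1             Public IP    : 192.168.0.102
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)AES128  SSL-Tunnel: (1)AES128  DTLS-Tunnel: (1)none
Hashing      : AnyConnect-Parent: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)none
Group Policy : SSLCLient              Tunnel Group : SSLClient
"""

# Assumed policy: algorithms that should not appear on a current AnyConnect session.
WEAK_CIPHERS = {"none", "DES", "3DES", "RC4"}
WEAK_HASHES = {"none", "MD5", "SHA1"}

def _field(text, name):
    # First whitespace-delimited token after "name :" (e.g. "Username     : jsmith").
    m = re.search(rf"{re.escape(name)}\s*:\s*(\S+)", text)
    return m.group(1) if m else None

def _per_tunnel(text, name):
    # "Encryption : AnyConnect-Parent: (1)AES128  SSL-Tunnel: (1)AES128 ..." -> dict
    m = re.search(rf"{re.escape(name)}\s*:\s*(.*)", text)
    return dict(re.findall(r"(\S+):\s*\(\d+\)(\S+)", m.group(1))) if m else {}

def parse_session(text):
    # Pull out the fields a monitoring job cares about from one session record.
    return {
        "username": _field(text, "Username"),
        "assigned_ip": _field(text, "Assigned IP"),
        "public_ip": _field(text, "Public IP"),
        "encryption": _per_tunnel(text, "Encryption"),
        "hashing": _per_tunnel(text, "Hashing"),
    }

def weak_crypto_findings(session):
    """Return 'tunnel: kind algorithm' strings for every tunnel using a weak algorithm."""
    checks = (("encryption", WEAK_CIPHERS), ("hashing", WEAK_HASHES))
    return [f"{tunnel}: {kind} {algo}"
            for kind, weak in checks
            for tunnel, algo in session[kind].items() if algo in weak]

if __name__ == "__main__":
    session = parse_session(SAMPLE_OUTPUT)
    print(f"{session['username']} {session['assigned_ip']} <- {session['public_ip']}")
    print(weak_crypto_findings(session))
```

In practice the text would come from the ASA (via SSH or a syslog collector) and the findings would be fed to whatever alerting you already run.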