Tuesday 9 February 2016

Setup AnyConnect VPN for ASA



The AnyConnect VPN allows clients to establish a VPN that is tunneled over TLS / SSL rather than the traditional method of using an VPN Client that utilizes IPSec to protect the traffic.

It appears that the AnyConnect method seems to be picking up in popularity - no doubt because of some of it's advantages over the traditional client - to name a few:

- No existing client required
- Everything tunneled over HTTPS - so will work in corporate environments
- Will work on much larger array of platforms than the client

So to setup AnyConnect we must firstly grab hold of the appropriate AnyConnect client:

copy tftp flash
anyconnect-win-2.3.0254-k9.pkg

We should now allocate an IP pool for remote VPN clients:

ip local pool ANYCON-POOL 10.11.0.10-10.11.0.200 mask 255.255.255.0

And then create an new object defining the client VPN subnet:

object network VPNClientSubnet
subnet 10.11.0.0 255.255.255.0
exit

We should then turn on the webvpn and enable it on our relevant interface:

webvpn
enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
tunnel-group-list enable
exit

We will now need to instruct the ASA which anyconnect image it should use from the flash:

anyconnect image disk0:/anyconnect-anyconnect-win-3.1.12020.pkg 1
anyconnect enable
exit

Now we should configure an ACL for split tunneling - this will define which traffic will traverse through the VPN:

access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

Note: I had issues with pinging the loopback on Windows 7 clients, so I ended up need to add the IP pool range into the split tunnel ACL to:

access-list SPLIT-TUNNEL standard permit 10.11.0.0 255.255.255.0

Now proceed by creating an internal group policy which will define.

Note: A group policy is a set of attributes that can be applied to an IPSec connection.

group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.254
default-domain value domain.internal

We will also now apply the ACL for split tunneling we created before:

split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL

Note: We could simply omitt the above two lines if we wished to tunnel all client traffic.

Finally we should create a tunnel group:

tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes

Point it to the group policy we created:

default-group-policy GroupPolicy_ANYCONNECT-PROFILE

and to the IP pool we created earlier:

address-pool ANYCONNECT-POOL

and finally:

tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable

We will want a test user - so we can do:

user remote password access
user remote attribute
service-type remote-access

We will also want to ensure the user's connection profile is locked down:
group-lock value ANYCONNECT-PROFILE
NOTE: Even if you DON'T have NAT enabled on the device (for example a lab environment) - in my testing I found it necessary to  add the identity NAT / nat exemption in place! Now you should also ensure that traffic going to (and from) the remote clients is not NAT'd:

nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

To test - I had already installed the pre-deploy client (anyconnect-win-3.1.12020-pre-deploy-k9.iso)

I also made extensive use of syslog - that when enabled will help no end when debugging! :)

As I was using an unlicensed / trial copy of ASAv I was limited to only 2 sessions - and hence I was receiving a 'login failed' message from the client sometimes when attempting to connect.

Filtering

There are a number of ways of filtering the VPN traffic:

We can apply the system option "sysopt connection permit-vpn" - this will instruct the ASA NOT to filter / apply ACL's against the VPN traffic - so it can freely get where it wants.

We can also apply a VPN filter that will restrict VPN traffic based on an ACL e.g. the following allows an anyconnect client (10.11.12.13) to access SSH on a local subnet:

access-list vpn-filter permit tcp 10.11.12.13 255.255.255.255 192.168.1.0 255.255.255.0 eq 22

group-policy VPN-POLICY attributes
vpn-filter value VPN-FILTER


0 comments:

Post a Comment