Deploying a Basic Cisco AnyConnect Full-Tunnel SSL VPN Solution

Basic Cisco AnyConnect full-tunnel SSL VPN uses user authentication by username and password, provides IP address assignment to the client, and uses a basic access control policy. The client also authenticates the ASA with identity certificate-based authentication. Deployment tasks for this scenario are as follows:

As of this writing, AnyConnect Client officially supports only SSL connections. Starting with version 3.0, which is available for download, AnyConnect is composed of multiple modules and supports additional features (including IPsec IKEv2 VPN terminations on Cisco ASA). The problem here is that this requires ASA 8.4(1) and Adaptive Security Device Manager (ASDM) 6.4(1) at a minimum, which are not available for download at the moment of this writing. For these reasons, this book is limited to configuration scenarios supported by AnyConnect versions earlier than 3.0. You can find more information about AnyConnect Secure Mobility Client 3.0 in the official release notes: www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html#wp1139431.

Configuring Basic Cisco ASA SSL VPN Gateway Features

To initially prepare the ASA for SSL VPN termination, complete the following steps:

Step 1.	Provision the ASA with an identity certificate. Your options are as follows: Use a self-signed certificate. Enroll ASA in Public Key Infrastructure (PKI) with Simple Certificate Enrollment Protocol (SCEP). Enroll ASA in PKI with manual cut-and-paste method. To install a self-signed certificate using the ASDM, navigate to Configuration > Remote Access VPN > Certificate Management > Identity Certificates and click Add. Give the PKI trustpoint a name, choose Add a New Identity Certificate, check Generate Self-Signed Certificate, and then click Add Certificate. To configure a self-signed certificate by command-line interface (CLI), use the following commands: ciscoasa(config)# crypto key generate rsa label SELF-SIGNED modulus 2048 ciscoasa(config)# crypto ca trustpoint TEST-CA ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec ciscoasa(config-ca-trustpoint)# subject-name CN=cisco.com ciscoasa(config-ca-trustpoint)# enrollment self ciscoasa(config-ca-trustpoint)# keypair SELF-SIGNED ciscoasa(config)# crypto ca enroll TEST-CA noconfirm To enroll with SCEP by using the ASDM, navigate to same the section as for self-signed certificates. Give the PKI trustpoint a name, choose Add a New Identity Certificate (do not check Generate Self-Signed Certificate), and click the Advanced button for enrollment options. From here, you have two options: For SCEP enrollment, navigate to Enrollment Mode and choose Request from a CA method, complete the URL (which is in the form http://IP_ADDRESS/certserv/mscep/mscep.dll). Navigate to SCEP Challenge Password and provide the challenge in case the certificate authority (CA) requires it. For manual enrollment navigate to Enrollment Mode and choose Request by Manual Enrollment. This requires an additional step: After the certificate is issued, it needs to be imported onto the ASA from a file. For this, select the created trustpoint and click Install. In the new window, choose Install from a File and provide the full path to the base64-encoded certificate. To configure SCEP enrollment by CLI, use the following commands: Code View: Scroll / Show All ciscoasa(config)# crypto key generate rsa label SELF-SIGNED modulus 2048 ciscoasa(config)# crypto ca trustpoint TEST-CA ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec ciscoasa(config-ca-trustpoint)# subject-name CN=cisco.com ciscoasa(config-ca-trustpoint)# enrollment url http://10.10.10.10/certsrv/mscep/mscep.dll ciscoasa(config-ca-trustpoint)# keypair SELF-SIGNED ciscoasa(config)# crypto ca authenticate TEST-CA nointeractive ciscoasa(config)# crypto ca enroll TEST-CA
Step 2.	Load the AnyConnect image onto the ASA. There are different AnyConnect packages for different client operating systems. Choose the one you need, download it from Cisco.com, and load it into ASA flash memory. To make the transfer using the ASDM, navigate to Tools > File Management.
Step 3.	Enable SSL VPN termination on desired interfaces. To enable SSL using the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and check the Enable Cisco AnyConnect VPN Client Access on the Interfaces Selected in the Table Below check box. In the pop-up window, select the AnyConnect image. Choose Allow Access and, optionally, Enable DTLS for desired interfaces. To enable SSL by CLI, use the following commands: ciscoasa(config)# webvpn ciscoasa(config-webvpn)# enable outside ciscoasa(config-webvpn)# svc enable ciscoasa(config-webvpn)# svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
Step 4.	Configure and optionally tune SSL Transport Layer Security (TLS) settings. Here, you can tune SSL VPN by allowing only certain SSL/TLS versions and algorithms and by specifying the identity certificate used (if many exist). To configure it using the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and click Click Here to Assign Certificate to Interface (see Figure 3-2). Figure 3-2. SSL VPN Tuning [View full size image]

To configure it by CLI, use the following commands:

ciscoasa(config)#ssl trustpoint TEST-CA outside
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)#ssl server-version tlsv1
ciscoasa(config-webvpn)# ssl encryption aes128-sha1 aes256-sha1 3des-sha1 des-sha1

					  

Configuring Local Password-Based User Authentication

The simplest authentication method uses local usernames and passwords. We enabled SSL VPN access for AnyConnect clients earlier. Now we need to configure the access, including authentication:

Step 1.	Configure a new group policy for AnyConnect connections or modify the default group policy (not recommended because this policy is inherited by all newly created policies, thus making it difficult to differentiate users later). To create a group policy for AnyConnect connections using the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies and click Add. To create it by CLI, use the following commands: ciscoasa(config)# group-policy BASIC-ANYCONNECT-POLICY internal ciscoasa(config)# group-policy BASIC-ANYCONNECT-POLICY attributes ciscoasa (config-group-policy)# vpn-tunnel-protocol svc
Step 2.	Configure a connection profile for AnyConnect connections and assign it the new group policy. To create a connection profile for AnyConnect connections using the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and click Add. To create it by CLI, use the following commands: Code View: Scroll / Show All ciscoasa(config)# tunnel-group BASIC-ANYCONNECT-PROFILE type remote-access ciscoasa(config)# tunnel-group BASIC-ANYCONNECT-PROFILE general-attributes ciscoasa(config-tunnel-general)# default-group-policy BASIC-ANYCONNECT-POLICY
Step 3.	Optionally, define an alias for the connection profile. This option allows users to select the desired connection profile when connecting to the SSL VPN. Navigate in the connection profile configuration to Advanced > SSL VPN and click Add under Connection Aliases (see Figure 3-3). Figure 3-3. Connection Alias [View full size image] To create it by CLI, use the following commands: ciscoasa(config)# tunnel-group BASIC-ANYCONNECT-PROFILE general-attributes ciscoasa(config-tunnel-general)# group-alias “BASIC PROFILE” enable
Step 4.	Configure the local user database. To create a user account using the ASDM, navigate to Configuration > Remote Access VPN > AAA/Local Users > Local Users and click Add. To create it by CLI, use the following commands: ciscoasa(config)# username BASIC-ANYCONNECT-USER password CISCO ciscoasa(config)# username BASIC-ANYCONNECT-USER attributes ciscoasa(config-username)# service-type remote-access
Step 5.	Optionally, configure the connection profile lock. This option restricts users to a specific connection profile with no other profile being functional, even if it is selected. To configure restrictions using the ASDM, in the user-editing pane, navigate to VPN Policy and configure Connection Profile (Tunnel Group) Lock. To configure it by CLI, use the following commands: ciscoasa(config)# username BASIC-ANYCONNECT-USER attributes ciscoasa(config-username)# group-lock value BASIC-ANYCONNECT-PROFILE

Configuring Client IP Address Management, Basic Access Control, and Split Tunneling

IP address assignment methods are the same as in Easy VPN:

• Using a default group policy pool

• Using a pool in a specific group policy

• Per-user assignment in the local AAA database

• Per-user or per-group assignment via remote AAA server

• Using a Dynamic Host Control Protocol (DHCP) server

Address assignment and access control configuration steps are the same as in easy VPN:

• Define the IP address assignment methods.

• Configure an address pool to use this method.

• Assign the address pool to the group policy.

• Assign per-user IP addresses if needed.

• Configure interface access control list (ACL) bypass if needed.

• Configure interface ACLs if bypass is disabled.

• Configure per-profile or per-user ACLs.

• Configure split tunneling.

Installing and Configuring Cisco AnyConnect Client

AnyConnect Client was introduced together with the ASA version 8.0 operating system to replace the SSL VPN Client (SVC). There are two ways to install the AnyConnect Client on remote devices:

• Predeploy installation package, manual installation using an installer on client devices

• Web installation, automatic installation through an SSL VPN clientless session, using PKG files from ASA

Cisco AnyConnect-supported platforms are as follows:

• Windows 7 (32-bit and 64-bit), Windows Vista (32-bit and 64-bit) SP2 or SP1 with KB952876, Windows XP SP2 and SP3, Windows Mobile 5.0 and 6.x

• Linux RedHat Enterprise 5 Desktop, Ubuntu 9.x and 10.x

• Mac OS 10.5 and 10.6.x (32-bit and 64-bit)

• IPhone OS 4.1 and later

The manual deployment of AnyConnect Client requires the following steps:

To initiate the session, click the Select button. After the first successful connection, ASA pushes further configuration options to the client such as the list of connection profiles if aliases were configured and allowed to be selected.

Verification of the connection can be done on both the client and server. On the client, use the AnyConnect tray icon and Statistics. On the server, navigate with ASDM to Monitoring > VPN > VPN Statistics > Sessions, or from the CLI issue the command show vpn-sessiondb svc.

Troubleshooting Basic Full-Tunnel SSL VPN Operation

You can use the Diagnostic AnyConnect Reporting Tool (DART) to collect data useful for troubleshooting AnyConnect install and connection problems. It is separate from AnyConnect Client and assembles diagnostic information for Cisco Technical Assistance Center (TAC) analysis.

To troubleshoot AnyConnect SSL VPN, follow this approach:

• Install DART (can be installed manually on remote devices or pushed from ASA).

• Collect diagnostic information by starting DART.

• Optionally examine gathered data.

• Perform troubleshooting.

If the VPN session does not get established, you want to do the following:

• Verify Secure Sockets Layer / Transport Layer Security (SSL/TLS) parameters match on server and client.

• Verify user credentials are correct.

• Verify connection profile, group policies, and any configured restrictions.

• Verify correct IP address assignment to AnyConnect Client.

If traffic does not flow through the AnyConnect SSL VPN session, do the following:

• Check client routes and split tunneling.

• Check access control methods deployed on ASA.

• Check Network Address Translation (NAT) configuration; perhaps NAT exempt is needed for AnyConnect Client.

• Check routing back to AnyConnect Client addresses from the internal network.

• Check fragmentation issues.