Cisco ASA 5505: Client SSL with local authentication

Task

Configure the VPN Remote Access on Cisco ASA5505 with ClientSSL and local authentication.


Scenario

The Cisco ASA works in the VPN Remote Access layer as the main VPN end-point for remote employees or external companies. Inside the company there is a virtual router, Vyatta Core, connected to a local virtual Windows Server 2012. This router is directly connected to the Cisco ASA. On the other side there is a TP-Link router. The employees' machines, such as tablets or notebooks, are directly connected to the TP-Link router and have a connection to the simulated Internet.


Hardware | Software

  • VPN Server – Cisco ASA5505 9.2(3)
  • VPN Client – Cisco AnyConnect v4.0.02052
  • Router – Vyatta Core 6.6 R1
  • Router – TP-Link TL-WR1043N/ND v1 with OpenWrt Barrier Breaker v14.07
  • Server System – Microsoft Windows Server 2012 R2

Solution

Step 1: Create a Local IP VPN Pool address for Tunnel Group.

ip local pool POOL-InternalEmployees 10.1.147.1-10.1.147.7 mask 255.255.255.248

 

Step 2: Create a Group Policy split-tunnel ACL (GPACL-ST) for the Group Policy.

access-list GPACL-ST-InternalEmplyoees standard permit 10.1.169.0 255.255.255.128

 

Step 3: Create and configure a Group Policy (GP).

You can specify the WINS and DNS servers, the maximum number of simultaneous logins, the tunnel protocol, the default domain, etc. You also have to add the Group Policy ACL (the split-tunnel network list) to this Group Policy. If you need more parameters, please check the VPN Configuration Guide.

group-policy GP-InternalEmployees internal
group-policy GP-InternalEmployees attributes
 wins-server value 10.1.169.1
 dns-server value 10.1.169.1
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value GPACL-ST-InternalEmplyoees
 default-domain value dm.local

 

Step 4: Create and configure a Tunnel Group (TG) aka Connection Profile (CP).

You have to add the Local IP VPN Pool to this Tunnel Group, choose the Default Group Policy and the Authorization Server, and create a readable alias for the people who will use the VPN Remote Access. If you need more parameters, please check the VPN Configuration Guide.

tunnel-group TG-InternalEmployees type remote-access
tunnel-group TG-InternalEmployees general-attributes
 address-pool POOL-InternalEmployees
 authorization-server-group LOCAL
 default-group-policy GP-InternalEmployees
tunnel-group TG-InternalEmployees webvpn-attributes
 group-alias "Employee - Username" enable

 

Step 5: Enable the service with AnyConnect image on the external interface.

webvpn
 enable EXTERNAL
 anyconnect image disk0:/anyconnect-win-4.0.02052-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

 

Step 6: Create the local VPN user.

I prefer to lock the user to a specific Group Policy and Tunnel Group and to specify the type of service; in this example it is, of course, Remote Access.

username dawid.mitura password ********** encrypted
username dawid.mitura attributes
 vpn-group-policy GP-InternalEmployees
 group-lock value TG-InternalEmployees
 service-type remote-access
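As an added example (not part of the original post), a small Python check that cross-references the objects created in steps 1 to 6 the way a reviewer would before pushing the config: the pool range must fit its mask, the Group Policy's split-tunnel list must name an existing ACL, the Tunnel Group must point at a defined pool and Group Policy, and the user's group-lock must name a defined Tunnel Group with the service type restricted to remote-access. The embedded configuration is a constructed sample copied from the steps above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the relevant configuration lines from steps 1 to 6 above, in one text.
ASA_CONFIG = """\
ip local pool POOL-InternalEmployees 10.1.147.1-10.1.147.7 mask 255.255.255.248
access-list GPACL-ST-InternalEmplyoees standard permit 10.1.169.0 255.255.255.128
group-policy GP-InternalEmployees attributes
 split-tunnel-network-list value GPACL-ST-InternalEmplyoees
tunnel-group TG-InternalEmployees general-attributes
 address-pool POOL-InternalEmployees
 default-group-policy GP-InternalEmployees
username dawid.mitura attributes
 group-lock value TG-InternalEmployees
 service-type remote-access
"""

def blocks(cfg, kind):
    # Indented body of every "<kind> <name> ...attributes" block, concatenated per object name.
    out = {}
    for m in re.finditer(rf"^{kind} (\S+) \S*attributes *\n((?: .*\n)*)", cfg, re.M):
        out[m[1]] = out.get(m[1], "") + m[2]
    return out

def ref(body, key):
    # Object name that follows "<key>" on one attribute line of a block body, or None.
    return (m[1] if (m := re.search(rf"^ {key} (\S+) *$", body, re.M)) else None)

def audit(cfg):
    # Cross-check every reference the steps above create between pool, ACL, GP, TG and user.
    out = []
    acls = set(re.findall(r"^access-list (\S+)", cfg, re.M))
    pools = {m[0]: m[1:] for m in re.findall(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg, re.M)}
    gps, tgs, users = (blocks(cfg, k) for k in ("group-policy", "tunnel-group", "username"))
    for name, (first, last, mask) in pools.items():
        if ipaddress.ip_address(last) not in ipaddress.ip_network(f"{first}/{mask}", strict=False):
            out.append(f"pool {name}: last address {last} lies outside mask {mask}")
    for name, body in gps.items():
        if ref(body, "split-tunnel-network-list value") not in acls:
            out.append(f"group-policy {name}: split-tunnel network list is not a defined access-list")
    for name, body in tgs.items():
        for key, defined in (("address-pool", pools), ("default-group-policy", gps)):
            if ref(body, key) not in defined:
                out.append(f"tunnel-group {name}: {key} refers to an undefined object")
    for name, body in users.items():
        if ref(body, "group-lock value") not in tgs:
            out.append(f"user {name}: group-lock refers to an undefined tunnel-group")
        if ref(body, "service-type") != "remote-access":
            out.append(f"user {name}: service-type is not restricted to remote-access")
    return out
```

Run `audit()` over the output of `show running-config` (the page's own commands) to catch a mistyped object name before a user is locked into a Tunnel Group that does not exist.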

 

Step 7: Verify the connection.

Log in to the ASA from the external host with the local credentials (already created on the ASA) and install the AnyConnect client on your machine. Create the connection directly from your host, then verify the VPN connection. You can test an RDP connection to the Windows Server 2012 or just send an ICMP Echo Request.

 

Step 8: Verify the connection on the ASA.

sh vpn-sessiondb anyconnect filter name dawid.mitura
****************************************************

Session Type: AnyConnect

Username : dawid.mitura Index : 6
Assigned IP : 10.1.147.1 Public IP : 1.1.1.2
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 13572 Bytes Rx : 11120
Group Policy : GP-InternalEmployees Tunnel Group : TG-InternalEmployees
Login Time : 07:05:36 UTC Tue Jul 21 2015
Duration : 0h:07m:46s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a01920d0000600055adef40
Security Grp : none
sh vpn-sessiondb detail anyconnect 
**********************************

Session Type: AnyConnect Detailed

Username : dawid.mitura Index : 6
Assigned IP : 10.1.147.1 Public IP : 1.1.1.2
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 13572 Bytes Rx : 12866
Pkts Tx : 29 Pkts Rx : 146
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GP-InternalEmployees Tunnel Group : TG-InternalEmployees
Login Time : 07:05:36 UTC Tue Jul 21 2015
Duration : 0h:10m:10s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a01920d0000600055adef40
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
 Tunnel ID : 6.1
 Public IP : 1.1.1.2
 Encryption : none Hashing : none 
 TCP Src Port : 49232 TCP Dst Port : 443 
 Auth Mode : userPassword 
 Idle Time Out: 30 Minutes Idle TO Left : 19 Minutes 
 Client OS : win
 Client OS Ver: 6.1.7601 Service Pack 1
 Client Type : AnyConnect
 Client Ver : Cisco AnyConnect VPN Agent for Windows 4.0.02052
 Bytes Tx : 5642 Bytes Rx : 748 
 Pkts Tx : 4 Pkts Rx : 1 
 Pkts Tx Drop : 0 Pkts Rx Drop : 0 
 
SSL-Tunnel:
 Tunnel ID : 6.2
 Assigned IP : 10.1.147.1 Public IP : 1.1.1.2
 Encryption : RC4 Hashing : SHA1 
 Encapsulation: TLSv1.0 TCP Src Port : 49235 
 TCP Dst Port : 443 Auth Mode : userPassword 
 Idle Time Out: 30 Minutes Idle TO Left : 19 Minutes 
 Client OS : Windows 
 Client Type : SSL VPN Client
 Client Ver : Cisco AnyConnect VPN Agent for Windows 4.0.02052
 Bytes Tx : 5642 Bytes Rx : 0 
 Pkts Tx : 4 Pkts Rx : 0 
 Pkts Tx Drop : 0 Pkts Rx Drop : 0 
 
DTLS-Tunnel:
 Tunnel ID : 6.3
 Assigned IP : 10.1.147.1 Public IP : 1.1.1.2
 Encryption : AES128 Hashing : SHA1 
 Encapsulation: DTLSv1.0 UDP Src Port : 56176 
 UDP Dst Port : 443 Auth Mode : userPassword 
 Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes 
 Client OS : Windows 
 Client Type : DTLS VPN Client
 Client Ver : Cisco AnyConnect VPN Agent for Windows 4.0.02052
 Bytes Tx : 2288 Bytes Rx : 12797 
 Pkts Tx : 21 Pkts Rx : 152 
 Pkts Tx Drop : 0 Pkts Rx Drop : 0
sh vpn-sessiondb detail full
****************************
 
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      1 :          6 :           1 :        0
  SSL/TLS/DTLS               :      1 :          6 :           1 :        0
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      6
Device Total VPN Capacity    :     25
Device Load                  :     4%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
AnyConnect-Parent            :      1 :          6 :               1
SSL-Tunnel                   :      1 :          6 :               1
DTLS-Tunnel                  :      1 :          6 :               1
---------------------------------------------------------------------------
Totals                       :      3 :         18
---------------------------------------------------------------------------
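As an added example (not from the original post), a Python check that reads the session output above and compares it with the expected policy: the assigned address must come from the pool of step 1, Group Policy and Tunnel Group must match steps 3 and 4, and each data tunnel is flagged when it negotiated RC4 or TLS 1.0/DTLS 1.0, which is exactly what the session above shows. The embedded output is a trimmed, constructed copy of the page's own output; the function names and the weak/legacy sets are my own.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the "sh vpn-sessiondb detail anyconnect" output above.
SESSION = """\
Username : dawid.mitura Index : 6
Assigned IP : 10.1.147.1 Public IP : 1.1.1.2
Group Policy : GP-InternalEmployees Tunnel Group : TG-InternalEmployees
AnyConnect-Parent:
 Encryption : none Hashing : none

SSL-Tunnel:
 Encryption : RC4 Hashing : SHA1
 Encapsulation: TLSv1.0 TCP Src Port : 49235

DTLS-Tunnel:
 Encryption : AES128 Hashing : SHA1
 Encapsulation: DTLSv1.0 UDP Src Port : 56176
"""
WEAK_CIPHERS = {"RC4", "DES", "3DES"}          # RC4 is prohibited for TLS by RFC 7465
LEGACY_PROTOCOLS = {"TLSv1.0", "DTLSv1.0"}    # TLS 1.0 is deprecated by RFC 8996

def field(text, key):
    # First value after "<key> :" in ASA's two-pairs-per-line output (first token only).
    m = re.search(rf"{key}\s*:\s*(\S+)", text)
    return m[1] if m else None

def tunnels(text):
    # Split the detail output into its per-tunnel sections ("SSL-Tunnel:", "DTLS-Tunnel:", ...).
    parts = re.split(r"^(\S+): *$", text, flags=re.M)
    return dict(zip(parts[1::2], parts[2::2]))

def review_session(text, pool, group_policy, tunnel_group):
    # Compare one session with the expected policy; returns a list of findings (empty = clean).
    out = []
    if ipaddress.ip_address(field(text, "Assigned IP")) not in ipaddress.ip_network(pool):
        out.append(f"assigned IP {field(text, 'Assigned IP')} is outside pool {pool}")
    for key, want in (("Group Policy", group_policy), ("Tunnel Group", tunnel_group)):
        if field(text, key) != want:
            out.append(f"{key} is {field(text, key)}, expected {want}")
    for name, body in tunnels(text).items():
        if name == "AnyConnect-Parent":   # control entry; shown with "none" for both algorithms
            continue
        enc, proto = field(body, "Encryption"), field(body, "Encapsulation")
        if enc in WEAK_CIPHERS:
            out.append(f"{name}: weak cipher {enc}")
        if proto in LEGACY_PROTOCOLS:
            out.append(f"{name}: legacy protocol {proto}")
    return out
```

On this ASA release the negotiated cipher and protocol version come from the global ssl encryption and ssl server-version settings rather than from the group policy, so a finding here points at those commands, not at the steps above.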