ASAv AnyConnect Client Remote Access VPN Configuration via ASDM

Captions
We're going to be taking a look at setting up a remote access VPN with AnyConnect using ASDM. ASDM actually has some built-in wizards that you can use to pull this off and work through it. What we're going to be doing is going back and forth between ASDM and the topology. The reason we're going to do that is because, as we're going through, I might need to add things to the configuration; this is 100% unscripted. What I'm going to do now is upload the AnyConnect package to the ASA. We're going to click on Tools and File Management; that's going to pop this up, i.e. transfer between the local PC and the flash. What you have to do is navigate to wherever the files are. If you look on the right-hand side over here, this says disk0, which is where you want the traffic to go. I'm going to take this off screen and find it for you guys real quick. You want to grab the AnyConnect package, not the .exe; it's got to be the package. Move it here; this is what you want to deploy. This has to be on the ASA in order for it to work. There are three different variations of this: you have the Windows version, the Mac version and the Linux version, so depending on what the OS is, Linux, Mac or Windows, you'll have to upload the appropriate version. I'm going to click Close and then refresh, and it shows the AnyConnect client is there, so I'm going to click Close on that so that I have the file locally available.

The next step is to go to Wizards, go to VPN Wizards and click on AnyConnect VPN Wizard; this is the client SSL VPN. Going through the configuration is actually going to be pretty straightforward. The first thing we're going to do is click Next, and we're going to get this connection profile name. The connection profile name, for those of you that are familiar with site-to-site VPN, is basically the tunnel group. We're going to type in AnyConnect-users and we're going to use the outside interface, then click Next. Now it asks me what protocol I want to protect the data with. I'm going to use SSL, because if you do IPsec that requires crypto maps and some other stuff with IKEv2; I have not gotten to that part yet, I'm not that far along. I've done a bunch of SSL VPN so far, so that's what we're going to do.

The reason I'm doing this is because I've already got the device certificate created on the other ASA and stuff like that. I'm going to walk you through how to do this now, so you don't have to create a certificate; there's a temporary one you can use if you need to, but I'm actually going to walk you through how to create a self-signed certificate. It's not exactly straightforward, so this is the one thing that I normally don't do. Whenever I create the AnyConnect connection for a customer I'm always grabbing a connection from a trusted CA like GoDaddy. I'm going to click on Manage, and we're going to come in here and click on Add. This is ASDM_TrustPoint0, which is actually what we need. We're going to add a new identity certificate, and we're going to generate a self-signed certificate, then click on New here and create an RSA key pair; it's going to be a new key pair name, I'll type in RSA, and we're going to click Generate. This is the actual command if you were to create it in the command line, so we're going to send that command. We're going to add the certificate. The certificate now is saying, once it creates the key pair, you have to enroll to the CA. I always say AnyConnect, Add Certificate; that's what we want, so we're going to send the commands. What you're looking for is "enrollment successful"; if you don't get that, then there's a problem. We're going to click OK.

Now you've added the certificate, and you have to have a certificate for AnyConnect to work. We're going to continue moving forward and click Next. Now we need to tell it where it's going to be able to download the AnyConnect package. We're going to click Add and then Browse Flash, and we need to click on this guy right here. I'll click OK, we're going to click OK, and there it is; it's going to match that, we're squared away there. Now what we need to do is give it a local user and password. A local user database is really going to be using the local user database on the ASA, so I'm going to type in vpnuser and the password. I was using a password at Cisco when I first started my first implementation of this and it wasn't working; it was actually really frustrating, because I was like, what the heck, it didn't make sense. So what I decided to do was take the mindset of a Windows login password, so the password I'm going to use is capital P, the @ sign, S S W 0 R D, to spell "P@ssw0rd". I'm going to add this user. Rob is already here and he could use it as well if you wanted to, but I want a specific user, vpnuser. I'm going to click Next. One thing about the VPN user: when you create it, it actually gets a privilege level of 2. I don't want privilege level 15; 2 is fine. We're going to click Next.

Now, whenever we have a user connect to the ASA, to allow communication behind the ASA through remote access, we need to give it an IP address. We don't actually have one currently, so we need to create a new one. I'm going to come in here and the name of it is going to be "address", and then I'm going to say the beginning IP here; this is the VIP that is going to be over the tunnel. So I'm going to come in here and type in 192.168.3.2 to 192.168.3.254, and then it's going to be a /24 mask. I could have simply hit the drop-down arrow, but I'm a CLI guy. We're clicking OK, and it's using the address pool "address". I'm going to click Next.

Now one of the things it's going to try to do is it wants to know a DNS server; it's going to squawk at you if you don't configure one. So I'm going to type in 10.255.1., I believe it's 101 if I'm not mistaken; let me go ahead and just double check. Yeah, 101. I was checking my other; I have two ESXi hosts, and my domain controller sits on another host. So I'm going to click Next. Now we're not doing any type of NAT right now. What this is going to do is, I've got Web Launch; it's going to go out and automatically install the AnyConnect package as soon as a user connects to the ASA via the web. So I'm going to click Next and I'm going to say Finish. This right here, ladies and gentlemen, is the configuration; I would highly recommend you go out and copy and paste it into Notepad. Now let me point out a couple of things here. This "ssl trust-point ASDM_TrustPoint0_AC" for AnyConnect: you'll notice it's on the DMZ, the inside PC, the management, inside PC1, outside, inside, security PC1. It only needs to be applied to the outside interface, so once I get back in... Another thing in here that's not specified is the split tunneling policy. By default it's going to not split tunnel; it's going to take any traffic that's coming from PC3 and tunnel it over the AnyConnect tunnel, or the SSL tunnel, back to the ASA. Well, I don't want to do that. A lot of times I'm working from home, or I need to be able to access the internet but be remotely connected to a customer site. So what I'm going to do is add a couple of lines of configuration here. I'm going to go ahead and send this, and that should be all there is to it. Beautiful.

Now that I've got that in play I'm going to go here to the CLI; I feel it's a little cleaner when I do it that way. I'm going to pull this guy up here; this is ASA1. Now if I do a "show run webvpn" you're going to see that I have AnyConnect enabled underneath the webvpn section. The funny thing about it is the outside interface is not specified here, so I need to go in here and type in "webvpn" and "enable outside", because I want to make sure it's on the outside interface. What it does is it's going to automatically allow webvpn and DTLS; by default it's on both SSL/TLS and DTLS. If I want to remove one, you can do that. What I'm going to do now is do a "show run webvpn"; we have that interface now applied, which is what we need; if we didn't do that it would never have worked. The next thing to do is exit out and do a "show run group-policy". The group policy here: there's a DNS server, and then I have the VPN tunnel protocol as ssl-client, meaning I'm going to use AnyConnect. If I do a "show run access-list", I don't have any access lists configured that really apply here, so I'm going to come in here and type in "access-list split-tunnel standard permit" 192.168.3.0/24; I'm going to do 1.0, 172.16.100.0; I'm also going to do 10.1.1.0, 10.1.3.0, so that'll give me access to almost everything behind ASA1. Now what I need to do is come underneath this guy right here (I'm going to highlight this whole thing), and it is the group policy: "group-policy AnyConnect-users attributes". Under here is where I'm going to specify the split tunnel, and I need to specify the policy is going to be "tunnelspecified", meaning I'm going to specifically identify an ACL that permits specific routes to come across the tunnel. My next line here would be "split-tunnel-network-list", and then the value is going to be "split-tunnel".

Now that I have that in play I am pretty much squared away. I also have to type in "webvpn" and hit the Enter key to go underneath the webvpn for the group policy, and I have to specify that I'm going to do AnyConnect; I'm going to say the "ask" for the client download is "none", do not ask the user, and I'm going to set this to be the default for AnyConnect, meaning it's going to automatically just push the AnyConnect client to the person connecting. We have that, and then I'm going to exit out, exit out one more time, "show run tunnel-group". The tunnel group is sitting here; this is where the address pool gets applied. You could also apply the address pool underneath your group policy; you can do that. And that is pretty much it. Now we've got everything pretty much squared away; I'm just double checking some of my notes to make sure that I don't miss anything. Everything's pretty squared; I mean, there's a whole lot more to it than what we've got set up. We'll go ahead and do "show run | include pool"; I wanted to make sure the address pool is there, and it is. "show run | include access-list", and the access list is there. So now what I should be able to do is go to PC3 and hit ASA1 from PC3 via the AnyConnect client, and I should be able to connect to router 1. On router 1 I'm going to do a little bit of trickery here: I'm going to type in "line vty 0 4", the password is cisco, and the transport input is telnet. I'm going to exit out; "enable password" is going to be cisco. So there we go. Now if I go back to PC3, I'm going to plug in the IP address of 12.0.0.100 and click Connect. Now it's going to reach out to it; if it successfully connects, I should be prompted for authentication. Now one of the things that happens with AnyConnect, and it did reach out to it, is if you click right here, OK, I'm going to connect anyway, it's going to pop this guy up.

If you click right here and go into Preferences, by default it's going to block connections to untrusted servers, so if you don't download a certificate, and you're not trusted, it's not going to allow you to come up. The route details haven't come up yet; the message history, I'm actually going to let that sit over here because I want you guys to be able to see what happens. And then the VPN user: I'm going to come in here and type in P@ssw0rd. What's going to happen is, OK, login credentials failed. OK, it clearly does not like whatever I'm typing. Let me go ahead and use the username vpnuser. If I do a "show run | include user", that should be strong enough; strong enough anyway. Oh, typing vpnuser and P@ssw0rd: OK, that time it worked. Maybe I had the password typed incorrectly, but you can see it's going through, and these messages are really helpful because they show you what's going on. It's activating the VPN adapter, and then we are connected. So now we have an active connection to the VPN. Clicking over here on this guy, we're going to jump out of global config; "show vpn-sessiondb anyconnect". We are connecting on, this is my VIP address, this is the public IP that I'm receiving traffic from, and this is the tunnel group that it's landing in, basically the connection profile we've created. So it is working. Now the key attribute is to go over to PC3, and on here we're going to ping 10.1.1.10. I can ping it. Can I prove to you that it didn't work before? Earlier today, no; there's no timestamp here, so it's more like you just take my word for it. I tried to ping this IP and it didn't work; I had to actually add some addressing so that I could prove reachability, but 10.1.1.10 didn't work, and now it does.

So now the trick is to telnet to 10.1.1.10. I'm going to type in cisco and cisco; OK, now I'm connected to R1. Now again, I am on PC3, and in our topology I have formed an AnyConnect connection from PC3 to ASA1, and R1 is sitting behind that. Now, I kind of cheated a little bit, and the reason I cheated is that on the ASA, by default, the ASA does what they call reverse route injection. "show run router ospf". One thing you have to do is you have to take those, and it's actually kind of interesting how it looks; I want you guys to see this. It's ASA1 that has this static route that's automatically injected into the routing table. This happens by default on the ASA for any type of remote access VPN, and what it's doing is basically creating a route back to the client. I'm doing this on ASA1, I'm sorry, ASA2 is doing it, but I'm not doing it on ASA1. If we go to R1 we don't see a 192.168.3 network here, but because of the fact that I have a default route, it doesn't make much of a difference. But if I go to ASA1 and go to global config, "router ospf 1", and type "redistribute static subnets", and I go to R1 and hit the up arrow, I should now have an external route once it propagates. There it goes: I now have an external route to security PC3. Now you might say, well, how do you know on security PC3? Well, I'm glad you asked. On here we're going to right click and go to Open Network and Sharing; we have this AnyConnect Secure Mobility Client connection, I'm going to click on it and go to Details; my IP address is 192.168.3.2. I do have a DNS server; you can add as much information to this as you want. Just a quick look here at the AnyConnect client: this is how you want the AnyConnect client to communicate with the ASA. The statistics are that I am split-included, meaning I am split tunneling, and that I do have data going across the wire, and these are the details behind it.

The route details: the non-secured routes are pretty much everything outside of this range. OK, that's basically what I've added here, and it's sending stuff over. If you're not sure what this is, a quick look on the ASA would tell you that this is going to be DNS. And you might say, OK, how do you know that? Come back over here to ASA1 and do a "show run group-policy"; you'll see right here the DNS server value, and this matches. If I do a "show run | include 10.255.1.101", if you're not sure what that is, it's literally going to come in here and do that for you. So now, mind you, this is very, very basic; there's nothing complicated about this setup at all. There are some advanced attributes you can do; there's actually a lot of advanced configuration you can do, and I feel like I haven't even really scratched the surface yet on what all the abilities are. But that's pretty much how it goes. Now, just to be clear here with this setup, if I was to go ahead and delete the AnyConnect Secure Mobility Client... So now that we're at the end of the video and you've seen everything go through and I've got an active connection, let's go ahead and blow away AnyConnect; I want you guys to see what this will look like. So we're going to Disconnect and I'm going to close this guy out. I did this earlier today and the goal was to not have to do this again. Now go to Control Panel, Uninstall a Program, and I'm going to uninstall the AnyConnect client; yes, I want to delete it. It does take a minute or two for it to uninstall. What I want you guys to see is how to install the AnyConnect client, and it's actually pretty simple, so it doesn't take very long. The problem that we're going to have is my connectivity; let me bring this over here a little bit for you. I am connecting PC3 through router 2 to ASA1.

Well, the problem with that is router 2 has a backplane limit of 100 kilobits per second, which means that my download speed is like 10K per second. So let's go ahead and see if I'm done uninstalling it. I am done uninstalling, which is awesome. I'm going to close all this out. My connection was lost because I lost my connection, and so there we go. So now what we're going to do is, I have to come over here and type in http://12.0.0.100 and hit the Enter key. Now, I'm skeptical out there; it's going to have to communicate with the ASA, and it does have the ability to reach the ASA. I'm going to continue to this website, and then what it's going to do is check, and as soon as I authenticate it's going to allow me to download AnyConnect. So vpnuser, and then P@ssw0rd. What it's going to do is automatically start pushing AnyConnect; I don't have a choice in the matter. Platform detection; I'm going to say Download, I'm going to click on AnyConnect, and once it's done doing some stuff in the background I'm going to click on Run. So now it's going to download; now mind you, this download is going to go really slow, so I'm going to pause the video while I wait for this to finish doing its thing, and then once it's done I'll bring you guys back in and we'll go from there. Just a quick status update: I wanted to prove to you, 10.4 kilobytes a second is my total throughput, which is really slow, so it is in the process of coming down; it's been going for a few minutes now. Like I said, as soon as it's done downloading, AnyConnect will go to the next step of actually reconnecting to the ASA and going from there. So we are just about completely done with the download; it's just about finished, and as soon as this is done doing its thing, which should take just a couple more seconds, we'll go ahead and get to the next portion, which is the install.

We're going to click on Run, and then Next, accept the License Agreement, and Install; that's pretty much it. I mean, there's not a whole lot to the AnyConnect client install, in case you've never seen the install; there you have it. There's a question: how come I didn't do this in the video? The reason is that I didn't want to waste any time with an install that just about anybody that's got any level of common sense can figure out, but I know it can be a little tricky to get it installed out of the gate. Now mind you, there's another question: where did you get the AnyConnect client to upload? I work for a Cisco partner, so I have access to it, but to be honest with you, if you have access to an ASA with AnyConnect already installed on it, you can actually download it, or you could use AnyConnect to connect with it. Now what happens if you already have AnyConnect installed and you AnyConnect into an ASA that's got a newer version: it'll automatically detect that and download the newer version. So if you've got an older version like 3.1, like I used to have, and then you connect to another ASA with like 4.2, it'll automatically update for you. Finish, and then you can take this guy, go to Start, scroll to here, and this guy pops up; we're going to click on Connect, and again it just reaches out and makes sure that the configuration is there. Like I said, I am literally just scratching the surface of what's available for remote access VPN. I haven't even attempted to do anything with SSL VPN like clientless VPN, web portals, bookmarks; I haven't done any of that yet, so you guys can only imagine how much more material is going to come out as we go along. This is a little bit longer of a video, because it's a little bit more of an involved configuration. So I'm going to type in P@ssw0rd and we should be able to connect here in just a moment and be ready to go.

But I wanted you guys to at least see that portion of it and go from there. Is there a way to debug? There is a way to debug; it's not done on the ASA side. This way here: if you were to pull this guy up, go here and click on the gear, and go to Message History, you would literally be able to see everything that goes on. Obviously there's nothing really there to look at right here, but it gives you some statistics; you can see what routes you've got, the firewall, if there's anything in there that you need to be worried about, stuff like that. And that's it, guys; thank you so much for stopping by, and we'll catch you guys in the next video.
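The CLI pieces the video walks through, collected into one ASA configuration fragment. This is an added example, not the wizard output or the commands pasted in the video; the interface, pool, ACL, trust-point, user, group-policy and tunnel-group names follow what the video says, the networks in the split-tunnel ACL are the ones named in the video plus 192.168.1.0/24 as an assumed completion of the "1.0" entry, and the package filename and password are placeholders.

```text
! Identity certificate for the SSL VPN (self-signed here; a CA-issued cert is preferred)
crypto key generate rsa label RSA modulus 2048
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=12.0.0.100
 keypair RSA
crypto ca enroll ASDM_TrustPoint0 noconfirm
! Bind the certificate to the outside interface only; the other interfaces do not need it
ssl trust-point ASDM_TrustPoint0 outside

! Address pool handed to connecting clients (the "VIP" seen over the tunnel)
ip local pool address 192.168.3.2-192.168.3.254 mask 255.255.255.0

! Split-tunnel ACL: only these networks ride the tunnel, everything else stays local
! (192.168.1.0/24 is an assumption for the "1.0" entry mentioned in the video)
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit 172.16.100.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.3.0 255.255.255.0

! Local VPN user; privilege 2 is enough, there is no need for level 15
username vpnuser password <PLACEHOLDER-PASSWORD> privilege 2

! Client SSL VPN on the outside interface (the wizard left "enable outside" out)
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<VERSION>-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

! Group policy: DNS, AnyConnect only, split tunneling by the ACL above, push the client silently
group-policy AnyConnect-users internal
group-policy AnyConnect-users attributes
 dns-server value 10.255.1.101
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 webvpn
  anyconnect ask none default anyconnect

! Connection profile (tunnel group): pool and default policy
tunnel-group AnyConnect-users type remote-access
tunnel-group AnyConnect-users general-attributes
 address-pool address
 default-group-policy AnyConnect-users
tunnel-group AnyConnect-users webvpn-attributes
 group-alias AnyConnect-users enable

! Advertise the reverse-route-injected client route to OSPF neighbours (R1 behind the ASA)
router ospf 1
 redistribute static subnets
```

After applying it, "show run webvpn", "show run group-policy" and "show vpn-sessiondb anyconnect" are the checks the video uses to confirm the interface is enabled, the split-tunnel policy is attached and a client session has landed in the right tunnel group.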
Info
Channel: Rob Riker's Tech Channel
Views: 41,427
Keywords: asa, sslvpn, anyconnect, vpn, split tunnel, security, ccnp, ccie
Id: t_3LCppi23c
Length: 27min 7sec (1627 seconds)
Published: Wed Jul 26 2017