Understanding & Configuring Cisco AnyConnect - (Sound quality improved)

Captions
Hello and welcome back. First of all, I would like to thank you for supporting me in doing this good job. I want you to know that I always try to bring accurate and clear information to you; the sole purpose of me creating these videos is to help you understand those concepts that you always wanted to learn. At the end of this video, if you find it helpful, please do like, comment and share. If you are new to this channel, also hit the subscribe button in the right bottom corner. With that being said, let's see what we have got today.

[Music]

Cisco AnyConnect is a remote access VPN technology. By remote access, what I mean is the user is sitting at home and he needs to work. This is an office environment: if you are sitting at the office and you're working, you have got direct access to your company's network, right? If you need to work from home and you would like to access the same resources that you were able to when you were at the office, how will you do that? You need a dedicated line, right? You need to just put a cable from your home to the office and connect it to the port where your PC or your laptop or maybe your desktop was connected, and then you get direct access. Is it possible? No. Then how do you do it? It's done by a remote access VPN technology. This user will use his internet connection and connect to this firewall remotely using a remote access VPN technology. He gets connected to the firewall; it establishes a VPN tunnel between this user and the firewall. Similarly, if there are other users who are sitting at home who would like to have access to the internal network, they will do the same thing: connect to the firewall using a remote access VPN technology, and that creates a dedicated VPN tunnel between that PC (let's name it PC2, and name this guy PC1) and the firewall. The same way, there can be multiple users and they can all have dedicated VPN tunnels with the firewall. So you know the purpose of a VPN tunnel, right? The VPN tunnel, the VPN technology, is to make you feel that you are actually connected to your office network.

With Cisco AnyConnect, the connectivity will be like this: a user sitting at home, using his own internet connection, gets connected to the ASA, or the firewall, placed inside the organization. Once he gets connected to this firewall, he gets dedicated VPN connectivity; a VPN tunnel gets created between the user PC and the ASA, and all the traffic through this tunnel goes encrypted. Now he gets to feel that he's actually sitting in the office and working, because he's now able to access all the resources that are within the organization: he's connected to a firewall in the organization, and the firewall has connectivity to all the resources. So Cisco AnyConnect VPN is a remote access VPN solution that provides connectivity to the users directly from their PC to the company's internal network, using a piece of software which is Cisco AnyConnect.

In this session we will see how to configure Cisco AnyConnect. For demonstration we will use a Cisco ASA and one Windows computer. I'm going to divide the configuration into three parts: enabling the feature, connection landing, and controlling the access. We first enable the feature on the ASA so that the ASA starts accepting the VPN connections. In the connection landing, we tell the ASA, you know, train the ASA about how to accept that connection. And controlling the access: after connecting, what a user can access, that can be controlled.

Cisco AnyConnect works on port 443, so it's TCP 443. That means when a user sitting at home tries to establish a VPN connection with an ASA in an AnyConnect session, the connection gets established on TCP 443. Now why would this ASA establish a connection with this PC on port 443? If this guy is listening on port 443, then he can establish a connection. Why would your ASA accept SSH? Because you enable it, right? You configure SSH and you enable it; only then does it accept SSH connections. After enabling SSH, what you actually do is make your ASA listen on port TCP 22. So if I go back to my ASA and check the ports that it's listening on, there will be one for 22, because my ASA is listening on port 22. That's why it's accepting SSH connections. So how do we check on what ports the ASA is listening? You can say `show asp table socket`. See, my ASA is listening on this IP address on port 22. So this must be the IP address on my outside interface where I've enabled SSH. If I say `show ip`, it's going to say yes, that's the IP on my outside; this is listening on port 22. And because right now I've consoled in, that's why you do not see any SSH connection established. So I can do another connection, do an SSH, and you will see, if I go here and check `show asp table socket` again, there's one that says listening on port 22 and another one is an established connection. So this is my IP; from my IP it has established a connection, right? We are not talking about SSH here; the only reason I've shown this to you is because I wanted you to know what the difference is between listening and established. So if your ASA is listening on some port, only then can you establish a connection on that particular port. The same way, because AnyConnect works on TCP 443, your ASA must first be listening on port 443. To enable that, we have to do some configuration. So we will be going into the webvpn mode, and there we enable the VPN, meaning AnyConnect. It actually enables the ASA to listen on port 443. All right, so we enable it; on which interface do you want to enable it? You tell it the interface here, and then we enable AnyConnect, right? And a few more things: the ASA must have the AnyConnect image in the flash. That image must be called here, under the webvpn configuration. So the first step would be: go to the Cisco website, download the AnyConnect package file, the .pkg for Windows, and upload it to your flash. That's the file I'm talking about. This is for a particular version, 4.3; you may get it for any version from the Cisco website; you just need to have a valid support contract.

Once you have the file in the flash, we can start doing the configuration for webvpn. So you go to `webvpn` and then say `enable`. If you do a question mark, it's going to give you a list of interfaces that are available on the ASA: on which interface do you want to enable the feature? I want to enable it on outside. The moment you enter this command, it's going to say WebVPN and DTLS are enabled on outside. WebVPN means TCP 443, and DTLS is UDP 443. At this moment, if you check on what ports your ASA is listening, `show asp table socket`, the ASA is listening on port TCP 443 and UDP 443, which is SSL and DTLS. So that enables the ASA to listen on port 443. Good. Now we also have to enable the ASA to accept those connections from the AnyConnect software, right? To do that we have to say `anyconnect enable`. Now you see a warning: it says no `anyconnect image` command has been issued. So first we have to, you know, call the AnyConnect image from the flash into this configuration; only then can you enable AnyConnect. So `anyconnect image`, and where is the image stored? It's in disk0, the file name is the AnyConnect package file, and I just hit enter here. That is actually binding the image from my flash memory to the configuration. And now if I say `anyconnect enable`, there is going to be no error, right? It has successfully accepted the command. Now how do you check what configuration you've just done? You say `show run webvpn`. Let's see: `webvpn`, `enable outside`, so you're enabling the feature for the ASA to listen on port 443, and then you're going to enable AnyConnect. To enable AnyConnect you first must have the package file in the flash memory so that you can call it in the configuration, and then you hit the `anyconnect enable` command. These are default configuration commands, right? So we have gone through the first step, to enable the feature on the ASA so that it listens on port 443.

Once the feature is enabled, now we're going to go to step two. Step two is: for a connection to land on a particular tunnel group, you have to first configure the tunnel group. The tunnel group will be the place where your connection will first land. Now, it can also work without configuring any tunnel group, because by default the ASA will have a default tunnel group, and if you just tweak some settings in the default tunnel group you can get your tunnel working. But the problem with using the default tunnel group is you don't have very granular control over it. Let's say you have various departments in your company, right, and you want to give them different access. If you have an HR department, you want to give them different access after connecting with AnyConnect, right? Or you probably want to make them feel different: once they connect to VPN they choose something, let's say HR, and then connect to it. Then you have your IT, so you want to give them an option that if they connect to VPN they choose an option, IT, and get related access. The similar way, if you have your tech support and they connect to VPN, they get an option to choose the tech support option and get that kind of access. So this kind of granular control is only possible when you create specific tunnel groups, right? Let's see how a tunnel group can help us in achieving this task.

We have to understand one more thing, like how does it work. So this is the remote user who is sitting at home; here is your company's internal network. Let's suppose this user is at the office, right? How does he work? He plugs the cable into the LAN port and he gets an IP address, so probably he gets an IP address 10.10.10.1, and then he starts working. He can access all the internal network as well as the internet, right? Now, if the same user is sitting at home, what IP address will he get? When he connects to his internet, he will have his router from his service provider. Usually these routers are configured to provide you an IP address from this range, 192.168, probably 1.0/24, so you may get 192.168.1.5, right? This user will get this IP address, and similarly all other users who are sitting at home connected to their ISP routers will also get IP addresses from a similar range, because these ISP routers have been configured with a pool to give you IP addresses from this range. This is a private IP address range, and so is this; this is usually used in home networks. So everyone who is working from home might get IP addresses from this range. Now this range of IP addresses is probably not, because these are private IPs, and private IPs cannot go over the VPN, sorry, cannot go over the internet. The sole purpose of using a remote access VPN is to give you the feel that you are in the office, that you have access to your internal network. And how can you get access to your internal network? If you get an IP address assigned from your internal network. So for a remote access VPN to work, this user must also get an IP address similar to what he was getting when he was in the office. We have to get the IP address as well. To get the IP address we can use several methods; we'll discuss them one by one as we keep moving forward in the series. The simplest way to do the IP address configuration on your ASA would be to use an address pool. So we'll have to create an address pool on the ASA so that from that pool it can give these clients an IP address. Once you're connected with AnyConnect, you will get one more IP address that will be from your internal network, and using that IP address you're going to talk to your organization's network, not with this IP. So there is a need to create an address pool. So how do we create an address pool? The command is `ip local pool`, pool name `mypool`, and then you can define a range of IP addresses, so let's say 10.10.10.15 to 10.10.10.20, and then you can specify the netmask, `mask 255.255.255.0`. That's how you create a pool.

Now the pool has been created; we're going to start configuring the tunnel group. You're going to say `tunnel-group` and give it a name. I'm going to say `RA-VPN`... or let's make it more sensible: I'm going to create this tunnel group for my IT admins, so I'm going to say `IT-Admin`, and the type: this tunnel group is for which type of VPN? It's for remote access, so we are creating this tunnel group for remote-access VPN. Then in this tunnel group we are going to bind the address pool. To bind the address pool you'll have to go to the tunnel group's general-attributes. The name is not correct; `IT-Admin`, you see, `general-attributes`. In the general attributes you can say `address-pool` and the pool name. What was the pool name? I think it was `mypool`; I've created that, we already had `mypool` created. So just call the pool name here. So we have got the address pool.

The next thing we're going to do is the third step. The third step was to configure something that can control your access. To control the access we have to create a group policy. A group policy gives you so many options to control what a user can do after connecting. So the group policy gives you the option: what a user can do after connecting with AnyConnect, what he can access. I'm sure everyone needs that kind of control over what their users can do, and that can be done using a group policy. So how do you create a group policy? `group-policy` and the name. I usually prefer to give it the same name that I've just given to my tunnel group; that way I will know that this group policy is for this particular tunnel group. So `group-policy IT-Admin`, and this group policy is of type `internal`. In this group policy, right now I'm not going to do too much configuration; I'm just going to do a very basic configuration that's currently required, which is to enable the VPN tunnel protocol: what kind of protocol are we going to use? That is done in `group-policy IT-Admin attributes`. How do you do it? `vpn-tunnel-protocol`; what protocols are available here? You just do a question mark: IKEv1, IKEv2, L2TP-IPsec, SSL-client, SSL-clientless. Of course, with AnyConnect we're going to need SSL client, so just enable it: `vpn-tunnel-protocol ssl-client`. Right, so that's a very basic configuration we have done.

Now we're going to give it a shot. Three parts we have done in our configuration. One is `show run webvpn`: we have enabled the webvpn feature on the outside interface, we have enabled AnyConnect, right? Next, we have created a tunnel group. How do you check the tunnel group? `show run tunnel-group`. The tunnel group name is `IT-Admin`, type remote-access, and then you created an address pool and called it into the tunnel group; the address pool name is `mypool`. How do you check the address pool? You just say `show run ip local pool`. There can be more than one pool configured; you can call them in different tunnel groups. So I have two pools here: one is from 10.10.10.1 to 12, and the second one is from 15 to 20. So we have used this one. Anybody who connects to the VPN on the tunnel group `IT-Admin` will get an IP address from this pool. Okay, now where's the group policy? This was the tunnel group configuration; what is the group policy? `show run group-policy`, and you can give the name of our group policy, `IT-Admin`. That's what we configured: `group-policy IT-Admin internal`, and in the attributes of the group policy we have enabled the VPN tunnel protocol as SSL client. Now if you look at these things, shown by `show run webvpn`, `show run tunnel-group` and `show run group-policy IT-Admin`, there's no relation between the tunnel group and the group policy, except that the name is the same. So we have to find a way to bind them together. The way to bind them is: you go to `tunnel-group IT-Admin general-attributes` and bind the group policy here. How do you bind the group policy? You say the `default-group-policy` for this tunnel group is going to be `IT-Admin`. And now if you look at the tunnel group configuration, `show run tunnel-group`, you're going to see that there is a group policy now: `default-group-policy IT-Admin`. So with that we have completed the tunnel configuration.

It's time that we give it a shot. I'm going to open my Cisco AnyConnect, type in the IP address and hit Connect. I'm getting a certificate warning because this PC does not trust the certificate presented by the ASA, because the ASA does not have a certificate from a third party, and that's why my PC does not trust it. About this I'm going to do a different video to help you understand how this works, the certificate thing. For now you can just say Connect Anyway. It's asking you for username and password. Of course, I didn't tell you that I've already configured a username and password on my ASA, a local username and password; I'm not using any Active Directory or LDAP for now. There may be an option for that at a later point in the series. So I'm going to use cisco / cisco; that's what I've configured here. It says: login denied, unauthorized connection mechanism, contact your administrator. See the message: it doesn't say that my username and password is incorrect; it says login denied because you are using an unauthorized connection mechanism. That's strange. Now how do we figure out what's wrong? Usually one thing comes to mind: let's do debugs. But in this case your debugs will not help, though it's worth a shot. Let's enable the debugs. How do you enable debugs for AnyConnect? You say `debug webvpn anyconnect 255`; that's the maximum level of debugging you can do. I'm going to go here and hit Connect once again, Connect Anyway, and you see nothing in the debugs. What you can do is look at the logs. For that you must have logging enabled and you must have enough buffer memory available for logging. `show run logging`: here you see I've enabled logging, the buffer size is pretty much, and the level of logging you need is debugging. So I'm logging everything in the buffer memory at level debugging, okay? So this connection attempt that we just did must be stored in the logs. I'm just going to say `show logging`. Ah, the logging buffer is too much, so it is what it is; we're going to have to wait for it to finish. Somewhere in these logs you will see this kind of thing: it says device completed SSL handshake with client outside. So the SSL handshake is completed. Then it says AAA user authentication successful, local database, username is cisco. That is good news, that my user authentication is successful; so it wasn't an authentication issue. AAA retrieved default group policy; the group policy name is DfltGrpPolicy, for user cisco. So it says whatever group policy you created, irrespective of that, you are getting assigned a group policy whose name is DfltGrpPolicy. See, here it says again that you're getting DfltGrpPolicy, your name is cisco, and you're getting the tunnel group; the tunnel group is DefaultWEBVPNGroup. Wait a second, did we not create a tunnel group? We did, actually, but the connection is still not landing on that tunnel group; it's landing on DefaultWEBVPNGroup, because that's where a default connection will land when you do not create a tunnel group and a group policy. Your AnyConnect connection will by default land on a tunnel group named DefaultWEBVPNGroup, and you will get DfltGrpPolicy assigned. So by tweaking the settings of this group policy and tunnel group you can get your connection working, but of course you will not get that kind of granular control that we talked about, that for different departments you can create different tunnel groups and give them different kinds of access. If everyone connects to one tunnel group and gets one group policy assigned, then they all get the same kind of access.

You know, our connection is making it to the ASA and it's trying to connect, but the problem is it's not getting to the correct tunnel group. We wanted it to connect to the tunnel group `IT-Admin`, but it's not landing on that group. How do we make sure that it goes there? If you had noticed, when I was trying to connect with AnyConnect it wasn't giving me any option to select a group, nor was it showing me that you are going to connect to this tunnel group. See, it just directly asks for username and password, no other option. We have to first enable the option so that when you hit Connect it gives you an option to choose the tunnel group that you would like to connect to. How do you do that? To do that we have to make two changes. One is in the tunnel group: `show run tunnel-group`, go to config mode, go to `tunnel-group IT-Admin`, and this change will be done in the tunnel group's `webvpn-attributes`. If I do a question mark here, you will see the tunnel group has these attributes: general-attributes, ipsec-attributes, ppp-attributes and webvpn-attributes. So we'll have to go to webvpn-attributes and enable `group-alias`. For `group-alias` you can give it any name you want, but I will recommend that we use the same name as the tunnel group. Sorry, we'll have to say `enable` as well, so in your tunnel group it says `group-alias IT-Admin enable`. That's not it. Just go back, go to your webvpn configuration. Let's first see what has been currently configured: `show run webvpn`. Now I go into `webvpn`, and you see `tunnel-group-list enable`. That enables the option to list the tunnel group names. Once you enable this feature it will start displaying the names of the tunnel groups. But which tunnel groups? The tunnel groups that have a group alias configured; only the names for those tunnel groups will be displayed. Which names? The name that you gave here in the group alias, that name will be displayed. So let's see it. If I say Connect, Connect Anyway, and there you go: now you get an additional option to select a group, and by default there is one, because there is only one tunnel group where you have a group alias enabled. So now you are getting an option to choose a group, and you know that your connection is going to land on IT-Admin. So username cisco, and my password is going to be cisco. It's progressing, and you can download or have updates, blah blah blah, activating VPN adapter. If you're there, that means your VPN is going to connect. It is connected; I just got a pop-up here: Connected. Status: Connected. You can go here, the gear icon, the mechanical gear, and you see state is Connected, the tunnel mode is Tunnel All Traffic; we'll talk about that later, since I've brought it up. Tunnel all traffic means send all the traffic over the VPN. Duration: how long this has been connected for, so 42 seconds and counting. What is the client IP address? This guy has got an IP address assigned, 10.10.10.15. What is the server's IP address? The server IP address here will be the IP address of the ASA on the interface it has connected to. Bytes sent and received: how much data we are sending and receiving here, and blah blah blah. So these are the details.

Now we're just going to test if we are able to access something that is within our internal network. Let me show you the topology again. In this topology, this is the ASA where we are doing the configuration, where we have configured AnyConnect, and this is the PC that I have; its IP address is 192.169.0.2. Let's see: the ASA must be learning an ARP entry. `show arp`: there's one PC connected on inside, 192.169.0.1, sorry 0.2, 192.169.0.2. `show ip`: that's connected behind inside, so that's the inside network. Let's see if we are able to ping that IP; that will confirm the PC is live. Yes, we are. In this command prompt, if you do `ipconfig`, you will see the very first adapter will be your Cisco AnyConnect adapter. It says Ethernet adapter Ethernet 2, and that's where you are getting an IP address assigned, 10.10.10.15, subnet mask 255.255.255.0, and the default gateway is 10.10.10.1. It usually takes the first IP address of that subnet as your default gateway. I've connected using Wi-Fi, so I'm going to look for my real IP on the Wi-Fi interface. That's my real IP here: Wireless LAN interface, 192.168.1.100. That's the real IP. So you see this PC has now got two IPs: one for my actual Wi-Fi adapter and the second one for the AnyConnect adapter. When AnyConnect connects, it creates its own adapter, and that's where an IP address gets assigned, because, you know, IPs are assigned on adapters.

To understand the flow, let's look at this diagram. This is the end-user machine where you have AnyConnect connected and you've got an IP, 10.10.10.15. Right, this user is then connected to this ASA. This is the outside interface, this is the inside interface, and this is where you've got a PC whose IP address is 192.169.0.2; this is 0.1. So now we have done a ping from here to this IP, 192.169.0.2. First thing: this traffic, the ping that you are doing, must reach here on this ASA, right? In this path, starting from this PC until reaching this ASA here, everything will be encrypted. So this will be your encrypted data here. If you capture that packet anywhere up to the outside interface, you will not see anything; you will only see the encrypted data. What kind of encryption is it? It is HTTPS, SSL, right? That's the encryption, SSL encryption. So if you capture the data on the outside interface you will not be able to see anything, because that will be encrypted data. Once that reaches the ASA's outside interface and goes in, then the ASA will decrypt the data. After decrypting, it figures out the actual packet. The actual packet will be source IP 10.10.10.15, destination IP 192.169.0.2. Then it checks: it's behind my inside, and it should send it here, and then there should be a reply back. That should be the flow. What about this flow? What will be the IP addresses here? This is the virtual IP that got assigned to him, right? This PC had some real IP as well; I'm going to use a different color. The real IP of this PC was 192.168.1.100; that's the real IP on the physical interface. The real IP of this ASA is 192.168.1.104; that's the real IP of the ASA. Now let me tell you, this is very interesting, right, and if you understand this you can probably figure out any problem with Cisco AnyConnect and how it works. This is the virtual adapter, right? It creates a packet. So the real packet from this interface will have a source IP of, I'm just going to use the same different color here, this will be the first real packet, whose source IP is 10.10.10.15 and destination IP is 192.169.0.2. So that will be the packet from the AnyConnect adapter. Then it goes to the physical adapter of the machine. On the physical adapter, on any kind of adapter, this packet gets encrypted; when it leaves the AnyConnect adapter it gets encrypted. After encryption the packet becomes this. So this is your encrypted data. What is the data? This was the real data; now this is encrypted. Once this data is encrypted, it gets another outer IP header. The change in this data: this packet will have an outer IP header, source IP is 192.168.1.100, the IP address of your physical adapter, and the destination IP will be 192.168.1.104, the IP address of the server where the VPN is connected. So this was the actual data that was received on the AnyConnect adapter, the virtual adapter which had this IP address assigned; that's why it is saying my source is this and destination is 192.169.0.2. When it leaves the AnyConnect adapter and goes towards the physical adapter, it gets encrypted, and this is the encrypted data, and an outer IP header gets attached. So the outer IP header now becomes: the source IP is of the physical adapter, and the destination IP is the ASA where the VPN has been established. This packet goes to your ISP router, which probably performs a NAT or a PAT, right, and then your source IP address again changes. So your source IP address becomes some NAT IP; the destination IP remains the same. In my case, because I'm doing this locally; usually you will have this IP address as a public IP, right, the destination IP. Then it goes, because now the destination IP is your ASA's IP, to the ISP, and the ISP figures out where this public IP is and takes it there. That reaches this ASA. When it reaches the ASA, the ASA checks that this is a VPN packet, it's an AnyConnect packet, and it decrypts it. So it removes the outer IP header, this thing, it takes it off. What do you get? You get this actual data. So that is your decrypted data; that's how this data gets decrypted on the ASA. So now you know the concept of how this packet moves through the different gears.

So the first thing we need to understand is that this packet is actually getting decrypted here, and it should then go to inside, right, after getting decrypted. If we are able to ping 192.169.0.2, and that seemed to work, let's do a debug on the ASA for ICMP: `debug icmp trace`, `debug icmp trace 1`. And if I do a ping again, I should be able to see those debugs here, going through the ASA. So it says ICMP echo request from outside, from the IP 10.10.10.15, to inside 192.169.0.2, and then there is an echo reply from inside going to outside. That's how it is supposed to be working.

That's all for now. I hope this has been informative to you, and I would like to thank you for watching it. It is your support, your likes, comments that keep me motivated for bringing up more stuff like this. Please let me know if this has helped you. If you are new to this channel, also hit the subscribe button.

[Music]
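The three configuration steps walked through in the video (enable the feature, connection landing, access control), plus the two fixes for the "unauthorized connection mechanism" error, collected into one ASA configuration as an added example; this is not a dump from the video's own ASA. The interface name outside, the pool 10.10.10.15-10.10.10.20, the names IT-Admin and mypool, and the lab credential cisco / cisco are the ones used in the video; the package file name anyconnect-win-4.3.x-k9.pkg is a placeholder for whatever .pkg you actually uploaded to disk0. Lines starting with ! are comments.

```cisco
! Step 1: enable the feature so the ASA listens on TCP 443 (SSL) and UDP 443 (DTLS)
webvpn
 enable outside
 ! placeholder file name: use the .pkg you uploaded to disk0
 anyconnect image disk0:/anyconnect-win-4.3.x-k9.pkg
 anyconnect enable
 ! Fix 2 of 2: show group-alias names in the client's group drop-down; without this
 ! (and the group-alias below) the session lands on DefaultWEBVPNGroup / DfltGrpPolicy
 tunnel-group-list enable
!
! Step 2: address pool handed to clients on the virtual (AnyConnect) adapter
ip local pool mypool 10.10.10.15-10.10.10.20 mask 255.255.255.0
!
! Step 3: group policy that controls what a connected user may do
group-policy IT-Admin internal
group-policy IT-Admin attributes
 vpn-tunnel-protocol ssl-client
!
! Step 2 continued: tunnel group where the connection lands, bound to the pool and policy
tunnel-group IT-Admin type remote-access
tunnel-group IT-Admin general-attributes
 address-pool mypool
 default-group-policy IT-Admin
tunnel-group IT-Admin webvpn-attributes
 ! Fix 1 of 2: the alias is the name shown in the client's group list
 group-alias IT-Admin enable
!
! Lab-only local account, as in the video (LOCAL authentication, no AD/LDAP)
username cisco password cisco
!
! Verification used in the video:
!   show asp table socket              LISTEN on TCP 443 and UDP 443 on the outside IP
!   show run webvpn                    enable outside / anyconnect image / anyconnect enable
!   show run tunnel-group              default-group-policy IT-Admin, address-pool mypool
!   show run group-policy IT-Admin     vpn-tunnel-protocol ssl-client
!   show logging                       check which group policy / tunnel group AAA assigned
!   debug icmp trace                   echo request outside->inside, echo reply inside->outside
```

If the log still shows AAA retrieving DfltGrpPolicy and DefaultWEBVPNGroup after this, the client was not offered (or did not pick) the IT-Admin alias; both the group-alias on the tunnel group and tunnel-group-list enable under webvpn are required for the drop-down to appear. The certificate warning the client shows is expected with the ASA's default self-signed certificate and is deferred to a later video.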
Info
Channel: ASAme2
Views: 248
Id: lJ8y5FnT7m4
Length: 38min 16sec (2296 seconds)
Published: Mon Sep 13 2021