Understanding & Configuring Cisco AnyConnect

Captions
Hello and welcome back. First of all I would like to thank you for supporting me in doing this work. I want you to know that I always try to bring accurate and clear information to you; the sole purpose of creating these videos is to help you understand the concepts you always wanted to learn. At the end of this video, if you find it helpful, please like and share, and subscribe if you are new to this channel.

If you are sitting at the office and working, you have direct access to your company's network, right? If you need to work from home and would like to access the same resources you had at the office, how will you do that? Do you need a dedicated line, a cable running from your home to the office and plugged into the port where your PC, laptop or desktop was connected? Is that possible? No. So how is it done? It is done with remote access VPN technology. The user uses his own internet connection and connects to the firewall remotely, and that establishes a VPN tunnel between the user and the firewall. Similarly, if there are other users sitting at home who would like access to the internal network, they do the same thing: connect to the firewall using remote access VPN, which creates a dedicated VPN tunnel between that PC (call it PC2; the first one is PC1) and the firewall. In the same way there can be multiple users, each with a dedicated VPN tunnel to the firewall. So you know the purpose of the VPN tunnel: the VPN technology is there to make you feel that you are actually connected to your office network.

With Cisco AnyConnect the connectivity looks like this: a user sitting at home, using his own internet connection, connects to the ASA, the firewall placed inside the organization. Once he is connected to this firewall he gets a dedicated VPN tunnel created between his PC and the ASA, and all the traffic through this tunnel goes encrypted. Now he gets the feeling that he is actually sitting in the office and working, because he is able to access all the resources within the organization: he is connected to a firewall in the organization, and that firewall has connectivity to all those resources. So Cisco AnyConnect VPN is a remote access VPN solution that provides connectivity to users directly from their PC to the company's internal network, using a piece of software, the Cisco AnyConnect client.

In this session we will see how to configure Cisco AnyConnect. For the demonstration we will use a Cisco ASA and one Windows computer. I am going to divide the configuration into three parts: enabling the feature, connection landing, and controlling the access. First we enable the feature on the ASA so that the ASA starts accepting VPN connections. In connection landing we tell the ASA how to accept that connection. In controlling the access, we control what a user can access after connecting.

Cisco AnyConnect works on port 443, TCP 443. That means when a user sitting at home tries to establish an AnyConnect VPN session with the ASA, the connection gets established on TCP 443. Now why would the ASA accept a connection from this PC on port 443? Only if the ASA is listening on port 443 can the PC establish a connection. Why does your ASA accept SSH? Because you enabled it, right? You configure SSH and enable it, and only then does it accept SSH connections. What enabling SSH actually does is make your ASA listen on TCP 22. So if I go back to my ASA and check the ports it is listening on, there will be an entry for port 22, because my ASA is listening on port 22; that is why it accepts SSH connections.

So how do we check which ports the ASA is listening on? You say `show asp table socket`. You can see my ASA is listening on this IP address and port 22; that must be the IP address of my outside interface, where I have been able to SSH. If I say `show ip`, it confirms that is the IP on my outside interface. It says listening on port 22, and because right now I am consoled in, you do not see any established SSH connection. If I open another SSH connection and check `show asp table socket` again, there is one entry that says listening on port 22 and another that says established on port 22, from my IP address. We are not talking about SSH here; the only reason I have shown you this is that I wanted you to know the difference between listening and established. If your ASA is listening on some port, only then can you establish a connection on that port. In the same way, because AnyConnect works on TCP 443, your ASA must first be listening on port 443.

To enable that we have to do some configuration. We go into WebVPN mode and there we enable WebVPN, meaning AnyConnect; that actually makes the ASA listen on port 443. We enable it on an interface: you tell it the interface, and then we enable AnyConnect. A few more things: the ASA must have the AnyConnect image in flash, and that image must be called in the WebVPN configuration. So the first step is to go to the Cisco website, download the AnyConnect package file (.pkg) for Windows and upload it to your flash; that is the file I am talking about. This one is for version 4.3, but you can get any version from the Cisco website; you just need to have a valid support contract. Once you have the file in flash we can start the WebVPN configuration.

You go into `webvpn` and say `enable`. If you type a question mark it gives you the list of interfaces available on the ASA: on which interface do you want to enable the feature? I want to enable it on outside. The moment you enter this command it says "WebVPN and DTLS are enabled on outside". WebVPN means TCP 443, and DTLS is UDP 443. If at this moment you check which ports the ASA is listening on with `show asp table socket`, it is now listening on TCP 443 and UDP 443, which are SSL and DTLS. So that enables the ASA to listen on port 443.

Good. Now we also have to enable the ASA to accept those connections from the AnyConnect software. To do that we type `anyconnect enable`. But you see a warning: it says no `anyconnect image` command has been issued. So first we have to call the AnyConnect image from flash into this configuration; only then can you enable AnyConnect. So `anyconnect image`, and where is the image stored? It is on disk0:, and the file name is the AnyConnect package. I hit enter, and that binds the image from my flash memory into the configuration. Now if I say `anyconnect enable` there is no error; the command is accepted successfully.

How do you check the configuration you have just done? You say `show run webvpn`. That is the config: under webvpn we have `enable outside`, so you are enabling the feature for the ASA to listen on port 443, and then you enable AnyConnect. To enable AnyConnect you first must have the package file in flash memory so that you can call it in the configuration, and then you enter the `anyconnect enable` command. These are the default configuration events. So we have gone through the first step, enabling the feature on the ASA so that it listens on port 443.

Once the feature is enabled, we go to step two. For a connection to land on a particular tunnel group you first have to configure the tunnel group; the tunnel group is the place where your connection will first land. Now, it can also work without configuring a tunnel group, because by default the ASA has a default tunnel group, and if you tweak some settings in the default tunnel group you can get it working. But the problem with using the default tunnel group is that you do not have very granular control over it. Let's say you have various departments in your company and you want to give them different access: if you have an HR department you want to give them different access after connecting with AnyConnect, or you want them to see, once they connect to the VPN, an option to choose HR and connect to it. Then you have your IT people, so you want to give them an option that when they connect to the VPN they choose IT and get the related access. Similarly, if you have tech support, when they connect to the VPN they get an option to choose tech support and get that kind of access. This kind of granular control is only possible when you create specific tunnel groups. Let's see how a tunnel group can help us achieve this task.

You have to understand one more thing: how does it work? Here is the remote user sitting at home, and here is your company's internal network. Suppose this user is at the office. How does he work? He plugs the cable into the LAN port and gets an IP address, probably 10.10.10.1, and then he starts working; he can access the internal network as well as the intranet. Now if the same user is sitting at home, what IP address will he get when he connects to his internet? He has the router given by his service provider, and usually these routers are configured to give you an IP address from the range 192.168.1.0/24, so he may get 192.168.1.35. Similarly all of the users sitting at home, connected to their ISP routers, get an IP address from a similar range, because these ISP routers have been configured with a pool that gives you addresses from this range. This is a private IP address range, and it is usually used in home networks. So everyone working from home might get an IP address from this range. Can this range go over the Internet? No, because private IP addresses cannot go over the Internet. The sole purpose of using a remote access VPN is to give you the feeling that you are in the office with access to your internal network, and how can you get access to your internal network? By getting an IP address assigned from your internal network. So for a remote access VPN to work, this user must also get an IP address similar to what he was getting when he was in the office. To get that IP address there are several methods, which we will discuss one by one as we keep moving forward in the series. The simplest way to do the IP address assignment on your ASA is to use an address pool. We create an address pool on the ASA so that from that pool it can give these clients an IP address. Once you are connected with AnyConnect you get one more IP address, from your internal network, and you talk to your organization's network using that IP, not the home IP. So there is a need to create an address pool.

How do we create an address pool? `ip local pool`, then the pool name, `mypool`, and then you define a range of IP addresses, let's say 10.10.10.15 to 10.10.10.20, and then you can specify the netmask, `mask 255.255.255.0`. That is how you create a pool.

Now that the pool has been created, we are going to start configuring the tunnel group. You say `tunnel-group` and give it a name. Let me make it more sensible: I am going to create this tunnel group for my IT admins, so I will say IT-admin, and then the type. This group is for which type of VPN? Remote access. So we are creating the tunnel group for remote access VPN. Then in this tunnel group we are going to bind the address pool. To bind the address pool you have to go to the tunnel group's general attributes, `tunnel-group IT-admin general-attributes`, and say `address-pool` with the pool name. What was the pool name? I think it was mypool; we already created it, and here we just call it by name. So we have got the address pool bound.

The next thing is the third step: configuring something that controls your access. To control the access we have to create a group policy. A group policy gives you many options to control what a user can do after connecting with AnyConnect, what he can access. I am sure everyone needs that kind of control over what their users can do, and that is done using group policy. How do you create a group policy? `group-policy` and then the group policy name. I usually prefer to give it the same name I have just given to my tunnel group; that way I will know that this group policy is for this particular tunnel group. So `group-policy IT-admin`, and the group policy is of type `internal`. In this group policy I am not going to do too much configuration right now, just the very basic configuration that is currently required, which is to enable the VPN tunnel protocol: what kind of protocol are we going to use. That is done in `group-policy IT-admin attributes` with `vpn-tunnel-protocol`. What protocols are available? A question mark shows ikev1, ikev2, l2tp-ipsec, ssl-client and ssl-clientless. For Cisco AnyConnect we need ssl-client, so we just enable the VPN tunnel protocol ssl-client. That is the very basic configuration we have done.

Now we are going to give it a shot. Three parts of the configuration are done. One: `show run webvpn` shows we have enabled the WebVPN feature on the outside interface and enabled AnyConnect. Next, we have created a tunnel group. How do you check the tunnel group? `show run tunnel-group`. The tunnel group name is IT-admin, its type is remote-access, and we have created an address pool and called it in the tunnel group; the address pool name is mypool. How do you check the address pool? You just say `show run ip local pool`. There can be more than one pool configured, and we can call them in different tunnel groups. I have two pools here, the first one ending at .12 and the second one from .15 to .20, and we have used this second one. So anyone who connects to the VPN on tunnel group IT-admin will get an IP address from this pool.

Okay, that was the tunnel group; now where is the group policy? `show run group-policy`, and you can give the name of the group policy: `show run group-policy IT-admin`. That is what we configured: `group-policy IT-admin internal`, and in the attributes of the group policy we have enabled the VPN tunnel protocol ssl-client. Now if you look at `show run webvpn`, `show run tunnel-group` and `show run group-policy IT-admin`, there is no relation between the tunnel group and the group policy except that the name is the same. So we have to find a way to bind them together. The way to bind them is to go to `tunnel-group IT-admin general-attributes` and bind the group policy there. How do you bind the group policy? You say `default-group-policy IT-admin`: the default group policy for this tunnel group is going to be IT-admin. Now if you look at the tunnel group configuration you see that the tunnel group has a group policy; the default group policy is IT-admin. With that we have completed the tunnel configuration.

It is time to give it a shot. I open my Cisco AnyConnect client, type in the IP address and hit Connect. I get a certificate warning because this PC does not trust the certificate presented by the ASA; the ASA does not have a certificate from a third party, and that is why my PC does not trust it. I am going to do a different video to help you understand how this certificate thing works; for now you can just say Connect Anyway. It asks for a username and password. Of course I have already configured a local username and password on my ASA; I am not using Active Directory or LDAP for now, there may be an option for that at a later point in the series. So I am going to use cisco/cisco, which is what I have configured. It says "Login denied, unauthorized connection mechanism, contact your administrator". See the message: it does not say that the username and password are incorrect, it says login denied because you are using an unauthorized connection mechanism. That is strange.

Now how do you figure out what is wrong? Usually one thing comes to mind: debugs. In this case debugs will not help, but it is worth a shot, so let's enable them. How do you enable debug for AnyConnect? `debug webvpn anyconnect 255`; that is the maximum level of debugging you can do. I go back and hit Connect, then Connect Anyway, and you see nothing in the debugs. What you can do instead is look at the logs. For that you must have logging enabled and enough buffer memory available for logging. `show run logging`: here we see logging enabled, logging buffered with a buffer size, and the level of logging you need is debugging. So I am logging everything in the buffer memory at level debugging. The connection attempt we just made must have stored its logs, so I say `show logging`. It is a lot, so we have to wait for it to finish. Somewhere in these logs you will see this kind of thing: it says "Device completed SSL handshake with client outside", so the SSL handshake is completed. Then it says "AAA user authentication successful : local database : user = cisco", and that is good news, my user authentication is succeeding, so it was not an authentication issue. Then: "AAA retrieved default group policy (DfltGrpPolicy) for user = cisco". So whatever group policy you created, you are actually getting assigned the group policy named DfltGrpPolicy. And again it says that user cisco is getting the default group policy and the tunnel group DefaultWEBVPNGroup.

Wait a second, did we not create a tunnel group? We did, but the connection is still not landing on that tunnel group; it is landing on DefaultWEBVPNGroup, because that is where a connection lands by default. When you do not create a tunnel group and a group policy, your AnyConnect connection will by default land on a tunnel group named DefaultWEBVPNGroup and get DfltGrpPolicy assigned. By tweaking the settings of this default group policy and tunnel group you can get your connection working, but of course you will not get the granular control we talked about, where for different departments you create different tunnel groups and give them different kinds of access. If everyone connects to one tunnel group and gets one group policy assigned, they all get the same kind of access.

So our connection is reaching the ASA and trying to connect, but the problem is it is not getting to the correct tunnel group. We wanted it to connect to tunnel group IT-admin, but it is not landing on that group. How do we make sure it goes there? If you noticed when I was trying to connect with AnyConnect, it was not giving me any option to select a group; it was not showing me which tunnel group I was going to connect to, it just directly asked for username and password. We have to first enable the option so that when you hit Connect it gives you a choice of which tunnel group you would like to connect to. To do that we have to make two changes. One is in the tunnel group: `show run tunnel-group`, then go to config mode, `tunnel-group IT-admin`, and this change is done in the tunnel group's webvpn attributes. If you do a question mark here you see the tunnel group has these attributes: general-attributes, ipsec-attributes, ppp-attributes and webvpn-attributes. So we have to go to `webvpn-attributes`, and there add `group-alias`. You can give it any name you want, but I recommend using the same name as the tunnel group, and we have to say `enable` as well. `show run tunnel-group` now says `group-alias IT-admin enable`. That is not all; go back to your WebVPN configuration. Let's first see what is currently configured with `show run webvpn`. Now I go into `webvpn` and say `tunnel-group-list enable`. That enables the option to list the tunnel group names. Once you enable this feature it starts displaying the names of the tunnel groups, but which tunnel groups? Only the tunnel groups that have a group alias configured; and which names? The name you give in the group alias is the name that will be displayed.

Let's see it. I hit Connect, then Connect Anyway, and there you go: now you get an additional option to select a group, and by default there is one, because there is only one tunnel group where you have a group alias enabled. So now you get to choose a group and you know your connection is going to land on IT-admin. Username cisco, password cisco, it progresses, you see "downloader updated" and so on, then "activating VPN adapter", and if you get there it means your VPN is going to connect. It is connected; I just got a pop-up here saying connected. Click the gear icon and you see State: Connected. Tunnel Mode is Tunnel All Traffic; we will talk about that later, but tunnel all traffic means send all the traffic over the VPN. Duration is how long this has been connected, 42 seconds and counting. Client IP address: this client has been assigned 10.10.10.15. Server IP address is the IP address of the ASA interface it has connected to. Bytes sent and received: how much data we are sending and receiving. Those are the details.

Now let's test whether we are able to access something within our internal network. Let me show you the topology again. This is the ASA where we did the configuration, where we configured AnyConnect, and this is the PC I have; its IP address is 192.169.0.2. The ASA must be learning it via ARP: `show arp`, and there is one PC connected on inside, 192.169.0.2. `show ip` shows that is connected behind the inside interface, so it is the inside network. Let's see if we are able to ping that IP to confirm the PC is live. Yes we are. On the PC, in the command prompt, if you do `ipconfig` you see the very first item is your Cisco AnyConnect adapter, "Ethernet adapter Ethernet 2", and that is where you get an IP address assigned: 10.10.10.15, mask 255.255.255.0, default gateway 10.10.10.1, so it usually takes the first IP address of that subnet as the default gateway. I am connected using Wi-Fi, so let me look for my real IP on the Wi-Fi interface: Wireless LAN adapter, 192.168.1.100, that is the real IP. So you see this PC now has two IPs: one for my actual Wi-Fi adapter, the second for the AnyConnect adapter. When AnyConnect connects, it creates its own adapter and that is where the IP address gets assigned, because IPs are assigned on adapters.

To understand the flow, let's look at this diagram. This is the end-user machine where you have AnyConnect connected and you have got the IP 10.10.10.15. This user is then connected to the ASA: this is the ASA's outside interface, this is the inside interface, and this is the inside PC whose IP address is 192.169.0.2; the ASA's inside is 192.169.0.1. Now we have done a ping from here to 192.169.0.2. First, this traffic, the ping you are doing, must reach the ASA. On the path from this PC to the ASA everything is encrypted; this is your encrypted data. So if you capture that packet anywhere up to the outside interface you will not see anything, you will only see encrypted data. What kind of encryption is it? It is SSL, HTTPS encryption. So if you capture the data on the outside interface you will not be able to see anything, because that is encrypted data. Once it reaches the ASA's outside interface and goes in, the ASA decrypts it, and after decrypting it figures out the actual packet: source IP 10.10.10.15, destination IP 192.169.0.2. It checks that that is on my inside and sends it there, and then there should be a reply back. That should be the flow.

What about the IP addresses in this flow? The 10.10.10.15 is the virtual IP that got assigned to him; this PC has a real IP as well, so I am going to use a different color. The real IP of this PC is 192.168.1.100, on the physical interface. The real IP of this ASA's outside is 192.168.1.104. Now let me tell you, this is very interesting, and if you understand this you can probably figure out any problem with Cisco AnyConnect. How it works: the virtual adapter creates a packet, so the real packet from this interface will have a source IP; I am going to use a different color over here. This is the real packet: source IP 10.10.10.15 and destination IP 192.169.0.2, the packet from the AnyConnect adapter. Then it goes to the physical adapter of the machine. When it leaves the AnyConnect adapter the packet gets encrypted, and after encryption the packet becomes this: encrypted data. What is the data? This was the real packet. Once this data is encrypted it gets another, outer IP header; there are no changes in the inner data. This packet will have an outer IP header with source IP 192.168.1.100, the IP address of your physical adapter, and destination IP 192.168.1.104, the IP address of the server where the VPN is connected. So this was the actual data that was created on the AnyConnect adapter, the virtual adapter which had this IP address assigned; that is why it is saying my source is 10.10.10.15 and my destination is 192.169.0.2. At the physical adapter it gets encrypted, this is the encrypted data, and an outer IP header gets attached, so the outer IP header now has the source IP of the physical adapter and the destination IP of the ASA with which the VPN has been established.

This packet goes to your ISP router, which probably performs a NAT or a PAT, and then your source IP address changes again: your source IP becomes some NAT IP, and the destination IP remains the same. In my case I am doing this locally; usually this destination IP will be a public IP. Then, because the destination IP is your ASA's IP, it goes to the ISP, the ISP figures out where that public IP is and takes it there, and it reaches the ASA. When it reaches the ASA, the ASA checks that this is a VPN packet, an AnyConnect packet, and decrypts it. It removes the outer IP header, takes it off, and what you get is the actual data, the decrypted data. That is how the data gets decrypted on the ASA. So now you know the concept of how this packet moves through the different gears. The first thing we need to understand is that this packet is actually getting decrypted here and it should then go to inside, and it must have been decrypted if we are able to ping 192.169.0.2. Let's do a debug on the ASA for ICMP: `debug icmp trace`. I do a ping again and should be able to see those packets going through the ASA. It says echo request from outside, from the IP address 10.10.10.15, to inside 192.169.0.2, and then echo reply from inside going to outside. That is how it is supposed to be working.

For now I hope this has been informative to you and I would like to thank you for watching. It is your support, your likes and comments that keep me motivated to bring more stuff like this. Please let me know if this has helped you, and if you are new to this channel, hit the subscribe button.
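The ASA-side configuration the video builds up across its three steps, collected into one block as an added example (this is not a config file taken from the video, and not Cisco's own documentation). It assumes an ASA 9.x CLI; the package file name is a placeholder because the video only shows a 4.3 Windows webdeploy package, and the spellings of the pool name (`mypool`), tunnel group and group policy (`IT-admin`) are assumed from the spoken names. The verification and troubleshooting commands at the end are the ones the video uses, plus `show vpn-sessiondb anyconnect`, which the video does not run.

```cisco
! Added example, not from the video. ASA 9.x assumed.
! Step 1: enable the feature. "enable outside" makes the ASA listen on TCP 443 (SSL)
! and UDP 443 (DTLS); "anyconnect image" must precede "anyconnect enable", otherwise the
! ASA warns that no anyconnect image command has been issued.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.3.PLACEHOLDER-webdeploy-k9.pkg
 anyconnect enable
 tunnel-group-list enable
!
! Step 2: connection landing. Pool of internal addresses handed to clients, then the
! tunnel group that hands them out. The second pool from the video (.15 to .20).
ip local pool mypool 10.10.10.15-10.10.10.20 mask 255.255.255.0
!
! Step 3: access control. The group policy only allows the AnyConnect SSL client
! protocol; everything else (split tunnelling, DNS, ACLs) is left at defaults here.
group-policy IT-admin internal
group-policy IT-admin attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group IT-admin type remote-access
tunnel-group IT-admin general-attributes
 address-pool mypool
 default-group-policy IT-admin
tunnel-group IT-admin webvpn-attributes
 group-alias IT-admin enable
!
! Local test account from the video; the password is a placeholder here.
username cisco password PLACEHOLDER
!
! --- Verification (privileged exec) ---
! Expect LISTEN entries on 443/tcp and 443/udp on the outside address after step 1.
show asp table socket
show run webvpn
show run ip local pool
show run tunnel-group
show run group-policy IT-admin
! Confirms which tunnel group and group policy a live session actually received.
show vpn-sessiondb anyconnect
!
! --- Troubleshooting a session that lands on the defaults ---
! A session that got DfltGrpPolicy / DefaultWEBVPNGroup means the client never
! selected the alias, so tunnel-group-list and the group-alias are the first things
! to check. Buffered logging at level debugging must already be on for this to show.
show logging | include DfltGrpPolicy|DefaultWEBVPNGroup|SSL handshake|authentication
debug webvpn anyconnect 255
debug icmp trace
undebug all
```

Two points worth keeping in mind when you use this. First, the "Login denied, unauthorized connection mechanism" message in the video is produced by the default group policy, not by a bad password; the log lines, not the debug, show that authentication succeeded and that the session fell through to DefaultWEBVPNGroup. Second, as the video explains, any client that does not pick an alias still lands on DefaultWEBVPNGroup with DfltGrpPolicy, so whatever access those two defaults grant is what an unselected connection gets; review them with the same care as the per-department tunnel groups.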
Info
Channel: ASAme2
Views: 15,261
Keywords: Cisco Anyconnect, Anyconnect VPN, Understanding about anyconnect, How to configure Cisco Anyconnect?
Id: MXLV8t8ry6Y
Length: 38min 16sec (2296 seconds)
Published: Sat Apr 18 2020