ASA AnyConnect SSL-VPN

This blog post will document how to configure an AnyConnect SSL-VPN on a Cisco ASA firewall using Cisco ISE (2.1 patch 5) as a RADIUS server for authentication.

ISE Configuration

It is assumed that ISE is installed and configured with the basics (IP addresses and integrated into AD).

Define the ASA as a Network Device

  • Navigate to Administration > Network Resources > Network Devices
  • Create new by clicking Add and define the ASA
  • Specify the INSIDE interface IP address of the ASA. This is the interface the ASA sources its RADIUS traffic from, so it is the NAS-IP-Address that ISE will see in every request
  • Tick the RADIUS Authentication Settings box
  • Specify a shared secret; it must match the key configured on the ASA. The shared secret is all that protects the RADIUS exchange (a PAP password is only obfuscated with it), so use a long random value rather than a dictionary word
  • Click Save

Configure a DACL

  • Navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs
  • Create new by clicking Add and create a new DACL
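The post does not show the DACL contents. As an added example (not the post's own configuration), this is what the DACL Content field would hold to reproduce the test in the verification section: deny one host, permit everything else. The host address 10.10.10.50 is an assumption chosen for the example. ISE expects ASA ACE syntax without an access-list name or interface, and ASA ACLs end with an implicit deny, so the trailing permit is required or the DACL blocks all traffic from the VPN client.

```text
deny ip any host 10.10.10.50
permit ip any any
```

Use the Check DACL Syntax button in ISE before saving; a DACL the ASA cannot parse is rejected at session setup rather than silently ignored.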

Configure an Authorization Profile

  • Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles
  • Click Add and create a new Authorization Profile
  • Select DACL Name and from the drop down box select the previously created DACL

Configure Allowed Protocols

  • Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols
  • Click Add to create new
  • Create a new list called RAVPN, select PAP and MS-CHAPv2 and deselect the other protocols. The ASA sends a plain username/password login to RADIUS as PAP; MS-CHAPv2 is only used when password-management is configured on the tunnel group

Configure Policy Set

  • Create a new Policy Set called ASA VPN
  • Define the condition as Radius:NAS-IP-Address EQUALS the ASA INSIDE address that was entered as the Network Device
  • Define Authentication Policy
    • Radius:NAS-Port-Type EQUALS Virtual
    • Allowed Protocols: RAVPN
    • Use All_AD_Join_Points
  • Define Authorization Policy
    • Create new Rule called AnyConnect Client
    • Conditions: Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name CONTAINS TG-1 AND Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type EQUALS AnyConnect-Client-SSL-VPN
    • Permissions: VPN_Permit_DACL

The conditions used in the Authorization Policy match the Tunnel Group the user connects to (TG-1) and the type of VPN client (AnyConnect SSL-VPN). They are optional, but they are the most granular option and ensure that only AnyConnect users connecting to the specified Tunnel Group are authorized with the defined DACL; a user authenticating through another tunnel group or client type falls through to the default authorization rule.
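To make the policy conditions concrete, here is an added example (my code, not Cisco's and not part of the original post) that builds the RADIUS Access-Request an ASA sends for an AnyConnect login and walks the policy set above against it. The username, password, ASA address 192.0.2.1 and shared secret are made-up test values; the attribute numbers are taken from the ASA RADIUS VSA table (vendor 3076, Tunnel-Group-Name 146, Client-Type 150) and should be checked against the ISE dictionary. It also shows why the shared secret matters: PAP hides the password only by XORing it with MD5 of the secret and the request authenticator, so anyone on the ASA-to-ISE path who holds the secret recovers the password.

```python
import hashlib
import ipaddress
import os
import struct

# RFC 2865 attribute types and the Cisco VPN3000/ASA vendor-specific attributes.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 61, 26
NAS_PORT_TYPE_VIRTUAL = 5            # what the ASA sends for VPN sessions
CISCO_VPN3000 = 3076                 # vendor ID behind the Cisco-VPN3000 dictionary
VSA_TUNNEL_GROUP_NAME = 146          # ...-Tunnel-Group-Name (string)
VSA_CLIENT_TYPE = 150                # ...-Client-Type (integer)
CLIENT_TYPE_ANYCONNECT_SSL_VPN = 2   # AnyConnect-Client-SSL-VPN


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block); the Request Authenticator seeds it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: anyone holding the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_vsa(sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping one Cisco VPN3000 sub-attribute."""
    sub = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VPN3000) + sub)


def build_access_request(username, password, nas_ip, tunnel_group, secret,
                         authenticator=None) -> bytes:
    """Access-Request (code 1) carrying the attributes the policy set keys on."""
    authenticator = os.urandom(16) if authenticator is None else authenticator
    attrs = b"".join([
        avp(USER_NAME, username.encode()),
        avp(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator)),
        avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
        cisco_vsa(VSA_TUNNEL_GROUP_NAME, tunnel_group.encode()),
        cisco_vsa(VSA_CLIENT_TYPE, struct.pack("!I", CLIENT_TYPE_ANYCONNECT_SSL_VPN)),
    ])
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes):
    """Return (authenticator, attrs); Cisco VSAs are keyed ("cisco", sub_type)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VPN3000:
            sub_type, sub_len = value[4], value[5]
            attrs[("cisco", sub_type)] = value[6:4 + sub_len]
        else:
            attrs[attr_type] = value
        pos += attr_len
    return packet[4:20], attrs


def evaluate_policy(packet: bytes, asa_ip: str) -> str:
    """Walk the post's policy set: NAS-IP-Address, then NAS-Port-Type = Virtual,
    then the Tunnel-Group-Name / Client-Type authorization rule."""
    _, attrs = parse_attributes(packet)
    if attrs.get(NAS_IP_ADDRESS) != ipaddress.IPv4Address(asa_ip).packed:
        return "no policy set match"
    if attrs.get(NAS_PORT_TYPE) != struct.pack("!I", NAS_PORT_TYPE_VIRTUAL):
        return "no authentication rule match"
    tunnel_group = attrs.get(("cisco", VSA_TUNNEL_GROUP_NAME), b"")
    client_type = attrs.get(("cisco", VSA_CLIENT_TYPE), b"")
    if b"TG-1" in tunnel_group and client_type == struct.pack("!I", CLIENT_TYPE_ANYCONNECT_SSL_VPN):
        return "VPN_Permit_DACL"
    return "default rule (no DACL)"


if __name__ == "__main__":
    secret = b"Cisco1234"       # assumed test secret, same as the key in the aaa-server block
    auth = bytes(range(16))     # fixed authenticator so the run is reproducible
    req = build_access_request("alice", "Passw0rd!", "192.0.2.1", "TG-1", secret, auth)
    print(evaluate_policy(req, "192.0.2.1"))               # VPN_Permit_DACL
    print(evaluate_policy(req, "192.0.2.2"))               # no policy set match
    _, attrs = parse_attributes(req)
    print(pap_reveal(attrs[USER_PASSWORD], secret, auth))  # b'Passw0rd!'
```

Change the tunnel group to TG-2 and the same user lands on the default rule without the DACL, which is the behaviour the Tunnel-Group-Name condition is there to enforce. The pap_reveal call is the reason the shared secret and the path between the ASA INSIDE interface and ISE both need protecting.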

ASA Configuration

Enable WebVPN on the OUTSIDE interface and enable the AnyConnect image (these commands are entered under webvpn configuration mode)

webvpn
 enable OUTSIDE
 tunnel-group-list enable
 anyconnect image disk0:/anyconnect-win-4.5.00058-webdeploy-k9.pkg 1
 anyconnect enable

Define AAA Server Group & Server

aaa-server ISE protocol radius
 interim-accounting-update periodic 24
 realm-id 1
aaa-server ISE (INSIDE) host
 key Cisco1234
 radius-common-pw Cisco1234
 authentication-port 1812
 accounting-port 1813

VPN Pool

ip local pool VPN_POOL mask

Group Policy

group-policy GP-1 internal
group-policy GP-1 attributes
 dns-server value
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL

Split Tunneling (optional)

access-list SPLIT_TUNNEL standard permit
group-policy GP-1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

Tunnel Group

tunnel-group TG-1 type remote-access
tunnel-group TG-1 general-attributes
 authentication-server-group ISE
 default-group-policy GP-1
tunnel-group TG-1 webvpn-attributes
 group-alias TG-1 enable

Testing & Verification

  • Connect to the VPN by entering the FQDN or IP address of the ASA. You will receive a certificate warning unless you have configured a trusted certificate (out of scope for this blog post); fix this before rolling out to users, because training users to click through certificate warnings makes a man-in-the-middle attack on the VPN endpoint much easier.
  • At the login prompt enter a valid Username and Password
  • If you did not upload the AnyConnect package to the ASA and enable it you will receive the message “AnyConnect is not enabled on the VPN server”. See the initial configuration steps on how to do this.
  • Once connected, open the AnyConnect client settings and browse to VPN > Statistics
  • If using split tunnelling, ensure “Tunnel Mode (IPv4)” = “Split Include”
  • Click the “Route Details” tab and ensure “Secured Routes (IPv4)” includes the routes specified in the Split Tunnel ACL configured previously
  • On the ASA run the command show vpn-sessiondb detail anyconnect to display the connection details for the test user.
  • You will notice the Username, assigned VPN IP address, Encryption/Hashing algorithms negotiated, Group Policy and Tunnel Group etc.
  • You will also notice under Filter Name the DACL has been applied to the session
  • On the client PC open a command prompt and test that the DACL is working, for example by pinging the denied host and a permitted one
  • In this test the DACL denied all traffic to the test IP address, with all other traffic permitted
  • On the ASA, if logging to the console is enabled you can see the ping is dropped by the DACL
  • You can also see the configuration of the DACL by running the command show access-list
  • This access-list is per user and will be removed from the ASA once the session has been disconnected
  • The ISE logs will provide useful information and help to identify any problems
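The RADIUS path can also be checked from the ASA itself before involving a client, which separates an ASA-to-ISE problem from a client problem. These commands are added here and are not from the original post; the ISE address, username and password are placeholders to fill in.

```text
test aaa-server authentication ISE host <ISE-IP> username <user> password <password>
show aaa-server ISE
show vpn-sessiondb detail anyconnect filter name <user>
show access-list | include ACSACL
```

The first command sends a real Access-Request to ISE and reports Accept or Reject, so it exercises the shared secret, the Network Device entry and the allowed protocols in one step (it shows up in the ISE live log like any other login). show aaa-server gives the server state and request/failure counters, the session command restricts the output to one user, and the last line lists only the downloaded ACLs, whose names on the ASA start with #ACSACL#-IP-.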
