kajumblies
asked on
CISCO ASA 5505 Any Connect
Could someone please help me configure IN ASDM if possible or by commands, an ANY Connect SSL VPN from scratch. I was able to make a client connect and he was able to do remote desktop and use some features however as soon as a VPN was established he automatically lost the capability to browse the Internet. Any device on the ASA 5505 network can browse and do what its supposed to but a client using ANY Connect on a different network looses the ability to access the internet as soon as they connect with the VPN. I have read that it has to do with split tunneling but i was hoping someone could give help me get this up and running from the ground up.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Assumptions from above:
Your only inside network is 10.1.1.0/24. Modify the splittunnelacl as needed
The IP's being handed out to the client is 192.168.254.1-192.168.254.
The object groups "SUBNETS-INTERNAL" and "SUBNET-VPNCLIENT" are defined and include the appropriate subnets.
To enable both ASDM and anyconnect, they cannot use the same port number. ASDM will now require https://[ip_address]:8443 to access the ASA
The anyconnect images should reflect the actual files you have loaded on your ASA.
No authentication server is defined so by default it will use local authentication. It is up to you to decide if that's ok or to use another method such as RADIUS or LDAP.
If you ONLY want users to connect via SSL, you don't need:
group-policy VPNCLIENTGP attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx
!
Your only inside network is 10.1.1.0/24. Modify the splittunnelacl as needed
The IP's being handed out to the client is 192.168.254.1-192.168.254.
The object groups "SUBNETS-INTERNAL" and "SUBNET-VPNCLIENT" are defined and include the appropriate subnets.
To enable both ASDM and anyconnect, they cannot use the same port number. ASDM will now require https://[ip_address]:8443 to access the ASA
The anyconnect images should reflect the actual files you have loaded on your ASA.
No authentication server is defined so by default it will use local authentication. It is up to you to decide if that's ok or to use another method such as RADIUS or LDAP.
If you ONLY want users to connect via SSL, you don't need:
group-policy VPNCLIENTGP attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx
!
I didn't realize until after responding that I've already worked with you on this.
The only thing missing from your config before was the split tunnel. The split tunnel must be defined for each group policy you want this applied.
Also, when posting firewall configs make sure you scrub the configs of identifying information such as full public IP address and usernames/passwords. Even if some of it is encrypted, a plain text username is still a starting point for someone to get on your network.
The only thing missing from your config before was the split tunnel. The split tunnel must be defined for each group policy you want this applied.
Also, when posting firewall configs make sure you scrub the configs of identifying information such as full public IP address and usernames/passwords. Even if some of it is encrypted, a plain text username is still a starting point for someone to get on your network.
ASKER
This was exactly what i needed thanks so much
! standard access list tells the clients which destination subnets should go across the tunnel
access-list VPNCLIENTSPLITTUNNEL standard permit 10.1.1.0 255.255.255.0
ip local pool VPNCLIENTPOOL 192.168.254.1-192.168.254.
nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
!
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
webvpn
port 4443
enable outside
dtls port 4443
anyconnect image disk0:/anyconnect-win-3.1.
anyconnect image disk0:/anyconnect-macosx-i
anyconnect image disk0:/anyconnect-linux-3.
anyconnect image disk0:/anyconnect-linux-64
anyconnect enable
tunnel-group-list enable
group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
dns-server value x.x.x.x
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
default-domain value company.com
tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPNCLIENTPOOL
default-group-policy VPNCLIENTGP
tunnel-group VPNCLIENT webvpn-attributes
group-alias "group alias" enable
tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx
!