Solved

CISCO ASA 5505 Any Connect

Posted on 2013-01-31
5
1,288 Views
Last Modified: 2013-01-31
Could someone please help me configure IN ASDM if possible or by commands, an ANY Connect SSL VPN from scratch. I was able to make a client connect and he was able to do remote desktop and use some features however as soon as a VPN was established he automatically lost the capability to browse the Internet. Any device on the ASA 5505 network can browse and do what its supposed to but a client using ANY Connect on a different network looses the ability to access the internet as soon as they connect with the VPN. I have read that it has to do with split tunneling but i was hoping someone could give help me get this up and running from the ground up.
0
Comment
Question by:kajumblies
  • 3
5 Comments
 
LVL 20

Expert Comment

by:rauenpc
Comment Utility
Example

! standard access list tells the clients which destination subnets should go across the tunnel
access-list VPNCLIENTSPLITTUNNEL standard permit 10.1.1.0 255.255.255.0

ip local pool VPNCLIENTPOOL 192.168.254.1-192.168.254.50 mask 255.255.255.0

nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
!
crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

webvpn
port 4443
enable outside
dtls port 4443
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
anyconnect enable
tunnel-group-list enable

group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
dns-server value x.x.x.x
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
default-domain value company.com

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPNCLIENTPOOL
default-group-policy VPNCLIENTGP

tunnel-group VPNCLIENT webvpn-attributes
group-alias "group alias" enable

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx
!
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
Comment Utility
0
 
LVL 20

Expert Comment

by:rauenpc
Comment Utility
Assumptions from above:

Your only inside network is 10.1.1.0/24. Modify the splittunnelacl as needed
The IP's being handed out to the client is 192.168.254.1-192.168.254.50 and shouldn't overlap with any other existing subnet in your network.
The object groups "SUBNETS-INTERNAL" and "SUBNET-VPNCLIENT" are defined and include the appropriate subnets.
To enable both ASDM and anyconnect, they cannot use the same port number. ASDM will now require https://[ip_address]:8443 to access the ASA
The anyconnect images should reflect the actual files you have loaded on your ASA.
No authentication server is defined so by default it will use local authentication. It is up to you to decide if that's ok or to use another method such as RADIUS or LDAP.
If you ONLY want users to connect via SSL, you don't need:
group-policy VPNCLIENTGP attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx

!
0
 
LVL 20

Expert Comment

by:rauenpc
Comment Utility
I didn't realize until after responding that I've already worked with you on this.

The only thing missing from your config before was the split tunnel. The split tunnel must be defined for each group policy you want this applied.

Also, when posting firewall configs make sure you scrub the configs of identifying information such as full public IP address and usernames/passwords. Even if some of it is encrypted, a plain text username is still a starting point for someone to get on your network.
0
 

Author Closing Comment

by:kajumblies
Comment Utility
This was exactly what i needed thanks so much
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
SSL RA VPN 7 72
MPLS Network Question 2 31
Order of preference for routing protocol 1 33
Switch requirement for IP Phones 4 20
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now