Solved

CISCO ASA 5505 Any Connect

Posted on 2013-01-31
5
1,294 Views
Last Modified: 2013-01-31
Could someone please help me configure, in ASDM if possible or by commands, an AnyConnect SSL VPN from scratch. I was able to make a client connect and he was able to do remote desktop and use some features; however, as soon as a VPN was established he automatically lost the capability to browse the Internet. Any device on the ASA 5505 network can browse and do what it's supposed to, but a client using AnyConnect on a different network loses the ability to access the Internet as soon as they connect with the VPN. I have read that it has to do with split tunneling, but I was hoping someone could help me get this up and running from the ground up.
0
Question by:kajumblies
5 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38840244
Example

! standard access list tells the clients which destination subnets should go across the tunnel
access-list VPNCLIENTSPLITTUNNEL standard permit 10.1.1.0 255.255.255.0

ip local pool VPNCLIENTPOOL 192.168.254.1-192.168.254.50 mask 255.255.255.0

! identity NAT so traffic between the inside subnets and the VPN client pool is not translated
nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
!
crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

webvpn
 port 4443
 enable outside
 dtls port 4443
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
 anyconnect enable
 tunnel-group-list enable

group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
 dns-server value x.x.x.x
 vpn-idle-timeout 60
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 ! only the networks in the ACL go through the tunnel; everything else (Internet) stays local
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
 default-domain value company.com

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
 address-pool VPNCLIENTPOOL
 default-group-policy VPNCLIENTGP

tunnel-group VPNCLIENT webvpn-attributes
 group-alias "group alias" enable

tunnel-group VPNCLIENT ipsec-attributes
 ikev1 pre-shared-key xxxxxxxxxxxxx
!
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 38840252
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38840275
Assumptions from above:

- Your only inside network is 10.1.1.0/24. Modify the split-tunnel ACL as needed.
- The IPs being handed out to the clients are 192.168.254.1-192.168.254.50 and shouldn't overlap with any other existing subnet in your network.
- The object groups "SUBNETS-INTERNAL" and "SUBNET-VPNCLIENT" are defined and include the appropriate subnets.
- To enable both ASDM and AnyConnect, they cannot use the same port number. ASDM will now require https://[ip_address]:8443 to access the ASA.
- The AnyConnect images should reflect the actual files you have loaded on your ASA.
- No authentication server is defined, so by default it will use local authentication. It is up to you to decide if that's OK or to use another method such as RADIUS or LDAP.

If you ONLY want users to connect via SSL, you don't need:
group-policy VPNCLIENTGP attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx

!
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38840301
I didn't realize until after responding that I've already worked with you on this.

The only thing missing from your config before was the split tunnel. The split tunnel must be defined for each group policy to which you want this applied.

Also, when posting firewall configs, make sure you scrub the configs of identifying information such as full public IP addresses and usernames/passwords. Even if some of it is encrypted, a plain-text username is still a starting point for someone to get on your network.
0
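The point in the comment above, that the split tunnel has to be present in every group policy a remote-access tunnel-group uses, can be checked mechanically. The following is an added example, not code from this thread: a small audit of ASA config text that flags each remote-access tunnel-group whose group-policy still has the ASA default split-tunnel-policy of tunnelall (which is what makes the client lose local Internet access) or references a split-tunnel ACL that is not defined. The sample config is constructed: the split-tunnel lines from rauenpc's config plus a hypothetical CONTRACTOR tunnel-group/group-policy pair that lacks them.

```python
import re
# Constructed sample: split-tunnel lines from the config above plus a hypothetical CONTRACTOR pair lacking them.
SAMPLE_CONFIG = """\
access-list VPNCLIENTSPLITTUNNEL standard permit 10.1.1.0 255.255.255.0
group-policy VPNCLIENTGP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
group-policy CONTRACTORGP attributes
 vpn-idle-timeout 60
tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
 default-group-policy VPNCLIENTGP
tunnel-group CONTRACTOR type remote-access
tunnel-group CONTRACTOR general-attributes
 default-group-policy CONTRACTORGP
"""

def parse_blocks(config):
    """Map each top-level command to {sub-command keyword(s): last token}."""
    blocks, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            key, _, val = line.strip().rpartition(" ")
            blocks.setdefault(parent, {})[key] = val
        else:
            parent = line.strip()
            blocks.setdefault(parent, {})
    return blocks

def audit_split_tunnel(config):
    """{tunnel_group: problem} for remote-access groups that tunnel all traffic."""
    blocks = parse_blocks(config)
    acls = set(re.findall(r"^access-list (\S+) standard ", config, re.M))
    findings = {}
    for parent in blocks:
        m = re.match(r"tunnel-group (\S+) type remote-access$", parent)
        if not m:
            continue
        tg = m.group(1)
        tg_attrs = blocks.get(f"tunnel-group {tg} general-attributes", {})
        gp = tg_attrs.get("default-group-policy", "DfltGrpPolicy")  # ASA default
        gp_attrs = blocks.get(f"group-policy {gp} attributes", {})
        policy = gp_attrs.get("split-tunnel-policy", "tunnelall")  # ASA default
        acl = gp_attrs.get("split-tunnel-network-list value")
        if policy == "tunnelall":
            findings[tg] = f"{gp}: split-tunnel-policy is tunnelall, clients lose local Internet"
        elif acl not in acls:
            findings[tg] = f"{gp}: split-tunnel-network-list {acl!r} is not a defined standard ACL"
    return findings
```

Run it over a scrubbed `show running-config` dump; only CONTRACTOR is reported for the sample, since VPNCLIENT has both the policy and a defined ACL.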
 

Author Closing Comment

by:kajumblies
ID: 38840461
This was exactly what I needed, thanks so much.
0