Cisco AnyConnect VPN with CLI

Refer to the steps below to configure Cisco AnyConnect VPN from the CLI.

  1. Setup TFTP Server on RHEL 8

  2. Download Cisco AnyConnect 4.8 WebDeploy Client (anyconnect-win-4.8.02042-webdeploy-k9.pkg) from Cisco.com and upload to TFTP Server

  3. Download the Cisco AnyConnect client to the ASAv

ciscoasa# copy tftp flash

Address or name of remote host [192.168.1.231]?

Source filename [anyconnect-win-4.8.02042-webdeploy-k9.pkg]?

Destination filename [anyconnect-win-4.8.02042-webdeploy-k9.pkg]?

Accessing tftp://172.16.1.115/anyconnect-win-4.8.02042-webdeploy-k9.pkg...
Writing file disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg...
INFO: No digital signature found
43347002 bytes copied in 330.20 secs (131354 bytes/sec)
  4. Verify that the AnyConnect package was downloaded to flash successfully
ciscoasa# show flash: | grep anyconnect*
  195  43347002    Sep 27 2018 17:32:47  anyconnect-win-4.8.02042-webdeploy-k9.pkg

Preparation of required components

The following components need to be configured:

  1. IP Pool (pool_ANYCONNECT) to assign IP address to AnyConnect Client
  2. Network object (obj_ANYCONNECT-POOL) for AnyConnect IP Pool
  3. Network object (obj_LAN) for Local LAN
  4. Access List for Split Tunnel (acl_SPLIT-TUNNEL)

Split tunneling allows users to send only traffic destined for the corporate network across the tunnel, while all other traffic goes to the Internet via the local LAN.

  5. Group Policy (gp_ANYCONNECT) is a set of user-oriented attribute/value pairs for IPsec connections that are stored either internally (locally) on the device or externally on a RADIUS server

  6. Connection Profile (prof_ANYCONNECT) uses a group policy that sets terms for user connections after the tunnel is established.

Multiple Connection Profiles can be defined and associated with different Group Policies.

IP Pool for AnyConnect Client

Create an IP Pool for AnyConnect Client

ip local pool pool_ANYCONNECT 10.10.8.10-10.10.8.250 mask 255.255.255.0

Create a network object for AnyConnect IP Pool

object network obj_ANYCONNECT-POOL
 subnet 10.10.8.0 255.255.255.0

Enable Cisco AnyConnect VPN with CLI on outside interface

Enable AnyConnect on outside interface

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside
    INFO: WebVPN and DTLS are enabled on 'outside'.
ciscoasa(config-webvpn)# tunnel-group-list enable
ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg
ciscoasa(config-webvpn)# anyconnect enable

Local User for AnyConnect VPN

Create a LOCAL username & password

ciscoasa(config)# username vpn password P@ssw0rd!@#$

Refer to Restrict Cisco AnyConnect VPN Login based on AD Group if you would like to integrate with Active Directory (AD) for Single Sign On (SSO)

Split Tunnel

Allow only traffic to corporate network via SSL VPN Tunnel

ciscoasa(config)# access-list acl_SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0

Group Policy

Create a new Group Policy – gp_ANYCONNECT to configure the internal DNS Server, Default-Domain, split-tunnel

ciscoasa(config)# group-policy gp_ANYCONNECT internal
ciscoasa(config)# group-policy gp_ANYCONNECT attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)# dns-server value 10.10.10.230
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value acl_SPLIT-TUNNEL
ciscoasa(config-group-policy)# default-domain value aventislab.com

Connection Profile

Create a new Connection Profile – prof_ANYCONNECT

ciscoasa(config)# tunnel-group prof_ANYCONNECT type remote-access
ciscoasa(config)# tunnel-group prof_ANYCONNECT general-attributes
ciscoasa(config-tunnel-general)# default-group-policy gp_ANYCONNECT
ciscoasa(config-tunnel-general)# address-pool pool_ANYCONNECT
ciscoasa(config-tunnel-general)# tunnel-group prof_ANYCONNECT webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias AVENTISLAB enable

The group-alias sets the name that appears in the group drop-down on the client login page.

No NAT for AnyConnect Client

Exclude traffic for AnyConnect Client (obj_ANYCONNECT-POOL) from being NATed

ciscoasa(config)# nat (inside,outside) 2 source static any any destination static obj_ANYCONNECT-POOL obj_ANYCONNECT-POOL no-proxy-arp route-lookup

Save and Activate settings

wri mem

Connect from Client Machine

Log in to https://ASA_EXTERNAL_IP with the local username & password

Download and install the Cisco AnyConnect client

Enter the Gateway IP / FQDN and click Connect

Perform the tests below to verify that the SSL VPN is working:

  • Ping the FQDN & IP address of internal servers successfully
  • Access the Internet as normal via the existing local gateway

Refer to Let’s Encrypt SSL Certificate for Cisco AnyConnect VPN to replace the default self-signed SSL certificate with a public SSL certificate and avoid the certificate error.

Appendix

A. Stop the local user (vpn) from logging in to ASDM and the CLI

The local user (vpn) created above can also be used to log in to ASDM & SSH, and we need to remove this for security reasons.

Enable Authentication & Authorization for http console

aaa authentication http console LOCAL
aaa authorization exec LOCAL
aaa authorization http console LOCAL

Assign the remote-access service type to the VPN user only, so that the account is valid for VPN login but not for management access

username vpn attributes
 service-type remote-access

Access Lists for VPN Client

Access lists can be configured to restrict AnyConnect VPN clients to the specified services & servers, as shown below.

Create a new Service Object (obj_TCP3389) for TCP 3389 (RDP)

object service obj_TCP3389
 service tcp destination eq 3389 
 description RDP

Create a new Service Group (obj_SERVICES-VPN-IN) to allow only RDP & PING for AnyConnect VPN Client

object-group service obj_SERVICES-VPN-IN
 service-object object obj_TCP3389 
 service-object icmp echo

Create an Access Rule – acl_OUT_ACCESS_IN and bind it to outside interface

access-list acl_OUT_ACCESS_IN extended permit object-group obj_SERVICES-VPN-IN object obj_ANYCONNECT-POOL 10.10.10.0 255.255.255.0 

access-group acl_OUT_ACCESS_IN in interface outside

Bind the Access List to Group Policy gp_ANYCONNECT

group-policy gp_ANYCONNECT attributes
    vpn-filter value acl_OUT_ACCESS_IN

An AnyConnect VPN client connected to the corporate network can then only use:

  • Ping
  • Remote Desktop (RDP)

All other traffic will be blocked.
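ASA object names (access lists, group policies, pools) are case-sensitive, and a group-policy that references a misspelled ACL in split-tunnel-network-list or vpn-filter silently leaves the policy incomplete. The script below is an added example, not part of this guide or any Cisco tool: a small linter over a constructed running-config excerpt that checks every reference made by the Group Policy and Appendix sections against the objects actually declared. The sample contains two deliberate mistakes (a split-tunnel list name without its acl_ prefix and a group-policy name in the wrong case) for the linter to report.

```python
import re
from collections import defaultdict

# Constructed ASA running-config excerpt (not captured from a device), with two
# deliberate reference mistakes for the linter to find: the split-tunnel list
# lacks its "acl_" prefix, and the vpn-filter stanza uses the wrong case.
SAMPLE_CONFIG = """\
ip local pool pool_ANYCONNECT 10.10.8.10-10.10.8.250 mask 255.255.255.0
access-list acl_SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list acl_OUT_ACCESS_IN extended permit object-group obj_SERVICES-VPN-IN object obj_ANYCONNECT-POOL 10.10.10.0 255.255.255.0
group-policy gp_ANYCONNECT internal
group-policy gp_ANYCONNECT attributes
 split-tunnel-network-list value SPLIT-TUNNEL
group-policy GP_ANYCONNECT attributes
 vpn-filter value acl_OUT_ACCESS_IN
tunnel-group prof_ANYCONNECT general-attributes
 default-group-policy gp_ANYCONNECT
 address-pool pool_ANYCONNECT
"""

# Lines that declare a named object, keyed by object kind (name in group 1).
DECLARES = {
    "pool": re.compile(r"^ip local pool (\S+)"),
    "acl": re.compile(r"^access-list (\S+) "),
    "group-policy": re.compile(r"^group-policy (\S+) internal$"),
}
# Lines that reference a named object: (kind, regex with the name in group 1).
REFERENCES = [
    ("group-policy", re.compile(r"^group-policy (\S+) attributes$")),
    ("acl", re.compile(r"^\s+split-tunnel-network-list value (\S+)")),
    ("acl", re.compile(r"^\s+vpn-filter value (\S+)")),
    ("group-policy", re.compile(r"^\s+default-group-policy (\S+)")),
    ("pool", re.compile(r"^\s+address-pool (\S+)")),
]

def lint_asa_vpn_config(config: str) -> list[str]:
    """Return one message per reference to an undeclared object (exact-case match)."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    declared = defaultdict(set)
    for line in lines:                       # pass 1: collect declarations
        for kind, pat in DECLARES.items():
            if m := pat.match(line):
                declared[kind].add(m.group(1))
    problems = []
    for line in lines:                       # pass 2: check every reference
        for kind, pat in REFERENCES:
            if (m := pat.match(line)) and m.group(1) not in declared[kind]:
                problems.append(f"{line.strip()!r} references undeclared {kind} {m.group(1)!r}")
    return problems
```

Run it against the output of `show running-config` before `write memory` to catch dangling names that the ASA parser accepts in a different form or that differ only in case.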
