Cisco AnyConnect VPN with CLI

Refer to the steps below on how to configure Cisco AnyConnect VPN with CLI

  1. Download TFTP Server and install on your workstation
  2. Download Cisco AnyConnect WebDeploy Client (anyconnect-win-4.6.03049-webdeploy-k9.pkg) from Cisco.com

  3. Transfer the Cisco AnyConnect package to Flash via the TFTP Server

ciscoasa# copy tftp flash

Address or name of remote host []? 172.16.1.115

Source filename []? anyconnect-win-4.6.03049-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.6.03049-webdeploy-k9.pkg]?

Accessing tftp://172.16.1.115/anyconnect-win-4.6.03049-webdeploy-k9.pkg...
%Error reading tftp://172.16.1.115/anyconnect-win-4.6.03049-webdeploy-k9.pkg (File not found)
ciscoasa# copy tftp flash

Address or name of remote host [172.16.1.115]?

Source filename [anyconnect-win-4.6.03049-webdeploy-k9.pkg]?

Destination filename [anyconnect-win-4.6.03049-webdeploy-k9.pkg]?

Accessing tftp://172.16.1.115/anyconnect-win-4.6.03049-webdeploy-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.6.03049-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
INFO: No digital signature found
43347002 bytes copied in 330.20 secs (131354 bytes/sec)

Verify that the file has been uploaded to Flash on the Cisco ASA successfully

ciscoasa# show flash: | grep anyconnect*
  195  43347002    Sep 27 2018 17:32:47  anyconnect-win-4.6.03049-webdeploy-k9.pkg

  4. Create a pool of IP addresses to be assigned to AnyConnect clients
ip local pool ANYCONNECT-POOL 10.10.8.10-10.10.8.30 mask 255.255.255.0

Prepare the Network Object for the ANYCONNECT-POOL subnet; it is used for the NAT exemption later

object network OBJ-ANYCONNECT-SUBNET
 subnet 10.10.8.0 255.255.255.0

  5. Enable webvpn & AnyConnect by defining the AnyConnect package you uploaded
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ciscoasa(config-webvpn)# tunnel-group-list enable

ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.6.03049-webdeploy-k9.pkg 
ciscoasa(config-webvpn)# anyconnect enable

  6. Create a LOCAL username & password for this lab, or refer to Restrict Cisco AnyConnect VPN Login based on AD Group
ciscoasa(config)# username vpn password P@ssw0rd!@#$

  7. Enable Split Tunnelling so that only traffic to the Internal LAN is routed via the SSL VPN Tunnel
ciscoasa(config)# access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0

In a basic VPN Client to ASA scenario, all traffic from the VPN Client is encrypted and sent to the ASA no matter what its destination is. Based on your configuration and the number of users supported, such a setup can become bandwidth intensive. Split tunneling can alleviate this problem since it allows users to send only the traffic that is destined for the corporate network across the tunnel. All other traffic, such as instant messaging, email, or casual browsing, is sent out to the Internet via the local LAN of the VPN Client.

  8. Create a new Group Policy – GP_ANYCONNECT – and define the internal DNS Server, Default-Domain and split-tunnel settings

A group policy is a set of user-oriented attribute/value pairs for IPSec connections that are stored either internally (locally) on the device or externally on a RADIUS server. The connection profile uses a group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user.

ciscoasa(config)# group-policy GP_ANYCONNECT internal
ciscoasa(config)# group-policy GP_ANYCONNECT attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)# dns-server value 8.8.8.8 8.8.4.4
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
ciscoasa(config-group-policy)# default-domain value aventistech.info

  9. Create a new Connection Profile – ANYCONNECT-PROFILE. The name will appear on the AnyConnect Login Page, so use a meaningful name.

Multiple Connection Profiles can be defined and associated with different Group Policies.

ciscoasa(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
ciscoasa(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
ciscoasa(config-tunnel-general)# default-group-policy GP_ANYCONNECT
ciscoasa(config-tunnel-general)# address-pool ANYCONNECT-POOL
ciscoasa(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

  10. Exempt traffic to & from OBJ-ANYCONNECT-SUBNET (10.10.8.0) from NAT
ciscoasa# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

  11. Save the configuration
wri mem

  12. Log in to https://sslvpn.aventistech.info with the local username & password defined and download the Cisco AnyConnect VPN Client

  13. Install and connect to the SSL VPN

  14. Traffic to the Internal LAN is routed through the VPN Tunnel; the following were tested and work fine:

  • Ping to the FQDN & IP address of internal servers succeeds
  • The Internet can be accessed as normal

You can refer to Let’s Encrypt SSL Certificate for Cisco AnyConnect VPN if you want to apply a public SSL certificate to Cisco AnyConnect.

Appendix
A. To prevent the local users (vpn) from logging in to ASDM and the CLI

  1. Enable authentication & authorization for the http console
aaa authentication http console LOCAL
aaa authorization exec LOCAL
aaa authorization http console LOCAL

  2. Assign the remote-access service-type attribute to normal VPN users only
username test attributes
 service-type remote-access

username mode commands/options:
  admin          User is allowed access to the configuration prompt.
  nas-prompt     User is allowed access to the exec prompt.
  remote-access  User is allowed network access.
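The following is an added example (not from the original post) that ties the main procedure and appendix A together: it parses an ASA running-config fragment and checks that every address pool lies inside a NAT-exempt object subnet, and that every local user carries `service-type remote-access` so a VPN account cannot reach ASDM or the CLI. The sample configuration is constructed from this page's commands; the `admin` user is an assumed extra account added to show an unrestricted login.

```python
# Added example (not from the original post): lint the config built above for
# two cross-references that matter: each address pool lies inside a NAT-exempt
# object subnet, and every local user carries 'service-type remote-access'
# (appendix A) so a VPN account cannot log in to ASDM or the CLI.
import ipaddress

# Constructed sample from this page's commands; 'admin' is an assumed extra user.
SAMPLE_CONFIG = """\
ip local pool ANYCONNECT-POOL 10.10.8.10-10.10.8.30 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 10.10.8.0 255.255.255.0
username vpn password P@ssw0rd!@#$
username vpn attributes
 service-type remote-access
username admin password Adm1n-example
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
"""


def lint(config):
    pools, objects, users, nat_objs = {}, {}, {}, set()
    sec = [""]  # words of the top-level command that opened the current sub-mode
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line.startswith(" "):  # top-level command
            sec = w
            if w[:3] == ["ip", "local", "pool"]:  # 'ip local pool NAME A-B mask M'
                pools[w[3]] = tuple(ipaddress.ip_address(a) for a in w[4].split("-"))
            elif w[0] == "username":
                users.setdefault(w[1], None)
            elif w[0] == "nat" and "destination" in w:  # '... destination static REAL MAPPED'
                nat_objs.update(w[w.index("destination") + 2:][:2])
        elif sec[:2] == ["object", "network"] and w[0] == "subnet":
            objects[sec[2]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif sec[0] == "username" and w[0] == "service-type":
            users[sec[1]] = w[1]
    findings = []
    exempt = [objects[o] for o in nat_objs if o in objects]
    for name, (first, last) in pools.items():
        if not any(first in net and last in net for net in exempt):
            findings.append(f"pool {name}: not covered by any NAT-exempt object subnet")
    for user, svc in users.items():
        if svc != "remote-access":
            findings.append(f"username {user}: no 'service-type remote-access', can log in to ASDM/CLI")
    return findings
```

Run `lint(SAMPLE_CONFIG)` against the output of `show running-config` to get the list of findings; an empty list means both checks passed.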
