My favourite way of learning things is to create some very basic configuration, run it, then learn the details by playing around and testing every single feature I find in the docs. Unfortunately, most configuration guides overwhelm us with details without giving the big picture. It can dramatically reduce the fun of learning new things. The Cisco ASA SSL VPN configuration guide is no exception to this rule. You need to read all the docs, then figure out how to start your own configuration.
The goal is to create a very, very basic SSL VPN configuration using the ASA CLI, then tweak this configuration to achieve a basic, but fully functional VPN.
First of all, let's try to connect to our unconfigured ASA (no SSL VPN service configured yet) with AnyConnect to see the results. It may seem silly, but it's good to know the behaviour. Just enter the IP address of your ASA and click the "Connect" button.
After a little while we will see a window saying that the connection is impossible:
And an additional error message:
There is one additional thing. If you have enabled your HTTP server with SSL on port 443 on the same interface that you use to connect your VPN client, the ASA will accept the connection. You will probably see a warning about the SSL certificate, then the ASA will keep asking you for credentials and complain that "AnyConnect is not enabled on VPN server".
Note: At this point I will assume that http secure server on port 443 is disabled on vpn endpoint interface.
Okay, that's a good start. Let's do something that is obvious enough to be easily forgotten - create our test VPN user:
asa(config)# username vpnuser password vpntest
asa(config)#
From now on we will try to connect to our VPN service with the credentials vpnuser/vpntest.
What we want to do now is to enable the ASA to accept SSL connections on port 443. There is a potential conflict between the ASDM service working on secure HTTP port 443 and SSL VPN on the same interface: both use a TCP connection on the same port. The good thing is that if we use AnyConnect, the ASA will recognise it and let us connect to ASDM via web browser and to SSL VPN via the AnyConnect client. If you want to use WebVPN, you need to change port numbers to avoid the conflict.
At this point we don't care about SSL certificates at all; let the ASA generate one and we are going to accept all warnings. (That is fine for a lab: with a self-signed certificate the client cannot tell the real ASA from an impostor, so a production deployment needs a certificate the clients trust.)
The next step is to configure the webvpn service - enable it on the "outside" interface.
asa(config)# webvpn
asa(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Results? From the AnyConnect viewpoint they are exactly the same as when you enable the HTTP secure server. But if you try to connect to the ASA using a web browser, you will see the WebVPN login page instead of ASDM. You may need to clear your browser cache to see the results if you were playing with ASDM.
There is some progress, but we still cannot connect to our VPN service. The next step is to enable the AnyConnect service on the ASA. This is done by the command "svc enable". Note: if you use ASA software release 8.4 or greater, the command has been renamed to "anyconnect enable". It's actually a good change; more descriptive commands are easier to memorise. Before issuing this command we also need to provide the path to the AnyConnect image on local ASA storage - it will be used during VPN negotiation to make sure that the client is using the appropriate version of the software.
asa# conf t
asa(config)# webvpn
asa(config-webvpn)# svc image disk0:anyconnect-win-3.1.02026-k9.pkg
asa(config-webvpn)# svc enable
asa(config-webvpn)#
Good! We have just instructed the ASA that AnyConnect VPN connections shall be allowed.
Let's try to establish a VPN connection. Still no change. The ASA says that AnyConnect is not enabled. So why do we need to do this? The configuration guide says that "Without issuing this command, AnyConnect does not function as expected". So I guess that we need to trust Cisco on this and move forward.
This is a good time to explain a little bit of the default configuration of the ASA. When you issue "show run", you will see only part of the configuration. There is more hidden default config and you can see it by issuing the "show run all" command. The reason I mention this is that AnyConnect SSL VPN on the ASA uses this hidden default configuration. Namely, there are two components interesting to us:
group-policy DfltGrpPolicy and tunnel-group DefaultWEBVPNGroup.
While big deployments would probably use their own policies, we just stick to the defaults, only modifying them to suit our needs. Remember, they cannot be removed, only modified.
Let's modify our default group-policy to allow SSL (svc) as a permitted VPN tunneling protocol:
asa# conf t
asa(config)# group-policy DfltGrpPolicy attributes
asa(config-group-policy)# vpn-tunnel-protocol svc
asa(config-group-policy)#
And our connection attempt fails, but with a different error message. We are moving forward.
This time the ASA is more than helpful and directly says that it cannot assign an IP address to the SVC connection. Sure, if you want to connect you need an IP address. So let's instruct the ASA how to assign IP addresses. This time we will also use the default configuration - tunnel-group DefaultWEBVPNGroup.
Let's create a pool of IP addresses:
asa# conf t
asa(config)# ip local pool sslvpn-default-pool 192.168.255.0-192.168.255.255 mask 255.255.255.0
And instruct the ASA to use them for the SSL VPN service.
asa(config)# tunnel-group DefaultWEBVPNGroup general-attributes
asa(config-tunnel-general)# address-pool sslvpn-default-pool
asa(config-tunnel-general)#
Finally! Now we are connected to the SSL VPN service. Are we done? Not yet. We need to check some additional things on our client and try to pass some traffic through our new VPN.
Let's start by validating our VPN client interface configuration:
You can also verify your routing table (cmd.exe, route print) to see that your default route is now pointing to the VPN gateway. By default split-tunneling mode is disabled, so once connected, all traffic from your host is redirected through the VPN tunnel.
One more thing about tunnel-group and group-policy: how are they bound together and to the SSL VPN service? You can create your own groups or policies and have multiple of them if needed. By default the ASA puts all SSL VPN connections into tunnel-group DefaultWEBVPNGroup. This tunnel-group references group-policy DfltGrpPolicy. You can verify this by issuing the following command:
asa# sh run all tunnel-group DefaultWEBVPNGroup | i group-policy
default-group-policy DfltGrpPolicy
Okay, so far we can successfully connect to our SSL VPN service; now it's time to grant some access.
Let's assume that we have two networks behind the ASA, 172.16.1.0/24 and 172.16.2.0/24, and there is a host with .1 as the last octet in each of them. We need access to both of them, so we need to create appropriate access rules.
First, create an access-list:
access-list vpn-dflt-access extended permit ip 192.168.255.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn-dflt-access extended permit ip 192.168.255.0 255.255.255.0 172.16.2.0 255.255.255.0
Second, apply this access-list as a vpn-filter to the group-policy:
asa# conf t
asa(config)# group-policy DfltGrpPolicy attributes
asa(config-group-policy)# vpn-filter value vpn-dflt-access
asa(config-group-policy)#
And test:
C:\>ping 172.16.1.1
Pinging 172.16.1.1 with 32 bytes of data:
Reply from 172.16.1.1: bytes=32 time=5ms TTL=255
Reply from 172.16.1.1: bytes=32 time=3ms TTL=255
Reply from 172.16.1.1: bytes=32 time=3ms TTL=255
Reply from 172.16.1.1: bytes=32 time=5ms TTL=255
Ping statistics for 172.16.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 5ms, Average = 4ms
C:\>ping 172.16.2.1
Pinging 172.16.2.1 with 32 bytes of data:
Reply from 172.16.2.1: bytes=32 time=11ms TTL=255
Reply from 172.16.2.1: bytes=32 time=8ms TTL=255
Reply from 172.16.2.1: bytes=32 time=5ms TTL=255
Reply from 172.16.2.1: bytes=32 time=4ms TTL=255
Ping statistics for 172.16.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 11ms, Average = 7ms
Great! Let's verify access-list on ASA:
asa# sh access-list vpn-dflt-access
access-list vpn-dflt-access; 2 elements; name hash: 0xea3ab48f
access-list vpn-dflt-access line 1 extended permit ip 192.168.255.0 255.255.255.0 172.16.1.0 255.255.255.0 (hitcnt=4) 0x89f39a32
access-list vpn-dflt-access line 2 extended permit ip 192.168.255.0 255.255.255.0 172.16.2.0 255.255.255.0 (hitcnt=4) 0x857145e8
As expected, we can see hits on both entries.
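As an added example (not part of the original post), here is a small Python parser for the "show access-list" output above that evaluates the vpn-filter the way the ASA does, top-down with first match and an implicit deny at the end, so you can check which client-to-network flows the filter permits before reaching for ping. The ACL text and addresses are the ones from this post; the 172.16.3.0/24 destination used in the comments is constructed to show the implicit deny.

```python
import ipaddress
import re

# Constructed sample: the "show access-list vpn-dflt-access" output from this post.
SHOW_ACL_OUTPUT = """\
access-list vpn-dflt-access; 2 elements; name hash: 0xea3ab48f
access-list vpn-dflt-access line 1 extended permit ip 192.168.255.0 255.255.255.0 172.16.1.0 255.255.255.0 (hitcnt=4) 0x89f39a32
access-list vpn-dflt-access line 2 extended permit ip 192.168.255.0 255.255.255.0 172.16.2.0 255.255.255.0 (hitcnt=4) 0x857145e8
"""

# One access-control entry (ACE) line; an address spec may be "any", "host X" or "net mask".
ADDR = r"any4?|host \S+|\S+ \S+"
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    rf"(?P<proto>\S+) (?P<src>{ADDR}) (?P<dst>{ADDR}) .*?\(hitcnt=(?P<hits>\d+)\)"
)

def _net(spec):
    """Turn an ASA address spec into an ipaddress network object."""
    if spec in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}")  # dotted netmask is accepted here

def parse_show_access_list(text):
    """Return the ACEs from 'show access-list' output; header/summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append({"line": int(m["line"]), "action": m["action"],
                            "proto": m["proto"], "src": _net(m["src"]),
                            "dst": _net(m["dst"]), "hits": int(m["hits"])})
    return entries

def vpn_filter_verdict(entries, src_ip, dst_ip, proto="ip"):
    """First match wins, top-down; no match means the implicit deny at the end applies.
    E.g. a VPN client 192.168.255.10 reaching 172.16.3.1 is denied: no ACE covers it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in entries:
        if ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]:
            return ace["action"], ace["line"]
    return "deny", None

def total_hits(entries):
    """Sum of hit counters; compare two snapshots to confirm traffic really hits the filter."""
    return sum(ace["hits"] for ace in entries)
```

Paste a fresh "show access-list" capture into SHOW_ACL_OUTPUT, or feed it to parse_show_access_list directly, and the verdicts reflect your own filter; the source addresses are the VPN pool addresses, as in the ACL written above.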
This short article shows you how to create a very basic, but working SSL VPN configuration. It's a good starting point to actually learn how to configure SSL VPN on the ASA. To sum up, if you want to create a working VPN configuration on the ASA, here is your basic config (excluding the ACL):
username vpnuser password vpntest
ip local pool sslvpn-default-pool 192.168.255.0-192.168.255.255 mask 255.255.255.0
webvpn
enable outside
svc image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-filter value vpn-dflt-access
vpn-tunnel-protocol svc
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool sslvpn-default-pool
Easy, isn't it? :-)