Users today are increasingly working remotely, and they need the ability to access local network resources from the HQ or a branch office. In the late 1990s, the IETF formed the IP Security Working Group, which was charged with making the IPsec framework possible. After IPsec was ratified by the working group, an HQ and many branch offices could connect together using a secure tunnel utilizing the IPsec framework. But if you wanted to connect remote users who traveled from state to state or country to country, it was very difficult because you would need to lug around a router in a suitcase. So, a software solution was created to run a remote access VPN client program that would allow a computer running a popular operating system to create an IPsec VPN tunnel. As time went on, SSL/TLS was supported as a tunnel method to secure data from a remote access VPN client. Remote access VPN opened up many possibilities of remote work around the world.


At Cisco, the remote access VPN client was called Cisco AnyConnect Secure Mobility Client for a long time, but starting with version 5.x, it was renamed Cisco Secure Client.

Cisco Secure Client supports VPN but has grown to also support other technologies that can be added as modules.

Current modules:


As you can see, the client look and feel did not change much. All the user needed to do was type in the fully qualified domain name (FQDN) of the ASA outside interface or public IP where the remote access VPN was configured, and the remote access VPN client would ask for a username and password. This username could be locally configured on the ASA, or other supported databases could be used like a RADIUS server. Based on the remote access VPN policy, the user would get limited or unlimited access to the remote network.

When configuring a remote access VPN on the ASA, the administrator has two options:

In this example, we are using the local ASA database:

ciscoasa(config)# username vpnuser password CiscoVPN!@# privilege 2
ciscoasa(config)# username vpnuser attributes
ciscoasa(config-username)# service-type remote-access
ciscoasa(config-username)# exit

Note: Setting the privilege level to 2 locks down the user from accessing the CLI or GUI on the ASA, and the service-type attribute allows the username to be used for the remote access VPN only.

As users authenticate to the ASA with the username accounts created locally, they will need to be assigned an IP address that is not being used on the network. These IPs allow the ASA not only to track each user but to apply access restrictions based on their IP.

The ASA itself can assign IPs to remote access VPN users from a locally defined VPN client pool, acting much like a DHCP server:

ciscoasa(config)# ip local pool VPNLocalPool 192.168.2.10-192.168.2.100 mask 255.255.255.0

Note: A remote DHCP server can be used for large deployments.

The ASA is able to store the VPN client on the local flash drive and upload Cisco Secure Client to the remote user’s computer, giving the administrator the ability to control which version of the VPN client the user is using. This task can be done via the Cisco IOS WebVPN configuration.

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# anyconnect image cisco-secure-client-macos-5.0.05040-webdeploy-k9.pkg 1
ciscoasa(config-webvpn)# anyconnect image cisco-secure-client-win-5.0.05040-webdeploy-k9.pkg 2
ciscoasa(config-webvpn)# anyconnect enable # Enables AnyConnect clients

To enable a remote access VPN on a certain interface, you need to apply it to the WebVPN configuration:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside # Remote access on outside interface.

Another option (not required) is to use the ssl command under the WebVPN configuration.

The most popular option is to set the encryption type.

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Other options that can use the ssl command include:

Once the client is connected to the VPN tunnel, they will be able to access the internal HQ and branch office networks, but they will have no internet access. To address this problem, the ASA's Network Address Translation (NAT) configuration must translate the VPN client pool addresses as their traffic leaves toward the internet.

ciscoasa(config)# object network any-ip
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
ciscoasa(config-network-object)# nat (any,outside) dynamic interface dns

Note: Because the object matches subnet 0.0.0.0 0.0.0.0 and the NAT rule uses (any,outside), the translation applies to traffic arriving on every interface, which includes the VPN client pool addresses. The NAT configuration can be made more restrictive if needed.

The last requirement for the VPN client pool to work is to apply the same-security-traffic command:

ciscoasa(config)# same-security-traffic permit intra-interface

This command lets traffic enter and exit the same interface. In our case, if the traffic is destined to the internet, then the outside interface would be used as a U-turn interface. This approach is not normally allowed on the ASA unless you use the same-security-traffic permit intra-interface command.

Tunnel groups are used to assign a tunnel policy to any remote access connections that are being made to the ASA. By default, there are three already configured:

If the administrator does not configure a custom tunnel group, the ASA will use one of the default groups, depending on the tunneling technology being used.

Creating a custom tunneling group is recommended for better customization and control of tunnels being used by the ASA.

To create a custom tunneling group that allows a local username created on the ASA to access the VPN, the administrator would use the following configuration:

ciscoasa(config)# tunnel-group RemoteAccessVPN type remote-access
ciscoasa(config)# tunnel-group RemoteAccessVPN general-attributes
ciscoasa(config-tunnel-general)# address-pool VPNLocalPool # Address Pool
ciscoasa(config-tunnel-general)# authentication-server-group LOCAL # Username Database
ciscoasa(config-tunnel-general)# default-group-policy MyGroupPolicy # Group Policy
ciscoasa(config)# tunnel-group RemoteAccessVPN webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias RemoteAccessVPN enable # Alias for user selection
ciscoasa(config-tunnel-webvpn)# group-url https://ra-vpn.domain.com/ra-vpngroup enable # User URL alias tunnel group

Note: If there is no authentication-server-group specified, LOCAL will always be used.

When a remote user opens the Cisco Secure Client application, all they need to do is enter the ra-vpn.domain.com/ra-vpngroup URL in the FQDN dialog window of the Secure Client. The client will then connect to the ASA with that FQDN (assuming that the administrator registered that domain to the public IP of the ASA). Based on the FQDN, the ASA will know which tunnel group should apply; because we assigned the ra-vpn.domain.com/ra-vpngroup URL to the RemoteAccessVPN tunnel group, that group would be used.


Group policies allow the ASA to provide settings that are likely to be common for many users, or access restrictions that the administrator wishes to impose on users. By default, there is one group policy already configured: DfltGrpPolicy is applied to all tunnel groups if no custom policy is configured and applied.

To create a custom group policy that allows a local username created on the ASA to access the VPN, the administrator would use the following configuration:

ciscoasa(config)# group-policy MyGroupPolicy internal
ciscoasa(config)# group-policy MyGroupPolicy attributes
ciscoasa(config-group-policy)# dns-server value 192.168.1.26 # Internal DNS Server
ciscoasa(config-group-policy)# default-domain value domain.com # Internal Domain
ciscoasa(config-group-policy)# vpn-tunnel-protocol ssl-client # VPN Protocol that is used for Remote Access

With this group policy, the user has unrestricted access to the network they reach over the VPN. As standard practice, the ASA has a default setting called sysopt connection permit-vpn that allows all traffic entering the ASA through a VPN tunnel and ensures that it cannot be stopped by the interface access control lists (ACLs).

However, if the administrator wants to filter traffic that is being sent through the tunnel, the group policy vpn-filter option can be used.

ciscoasa(config)# access-list Filter_VPN_Traffic extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.2 eq http
ciscoasa(config)# access-list Filter_VPN_Traffic extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.2 eq smtp
ciscoasa(config)# access-list Filter_VPN_Traffic extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.3 eq ftp
ciscoasa(config)# access-list Filter_VPN_Traffic extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.3 eq ftp-data
ciscoasa(config)# group-policy MyGroupPolicy attributes
ciscoasa(config-group-policy)# vpn-filter Filter_VPN_Traffic

Note: 192.168.2.0 255.255.255.0 is the subnet that applies to the VPN client pool.
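Because sysopt connection permit-vpn bypasses the interface ACLs, the vpn-filter ACL is the only thing deciding what a pool address may reach. The following added example (not from the page or from Cisco) parses the four Filter_VPN_Traffic lines above into rules and evaluates candidate flows from the pool against them, applying the ASA's first-match and implicit-deny semantics; it supports only the `permit tcp <subnet> <mask> host <ip> eq <port>` form used on this page.

```python
import ipaddress
import re

# Constructed copy of the page's vpn-filter ACL lines (not read from a live ASA).
ACL_LINES = """
access-list Filter_VPN_Traffic extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.2 eq http
access-list Filter_VPN_Traffic extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.2 eq smtp
access-list Filter_VPN_Traffic extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.3 eq ftp
access-list Filter_VPN_Traffic extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.3 eq ftp-data
""".strip().splitlines()

# ASA port keywords that appear on the page, mapped to port numbers.
PORT_NAMES = {"http": 80, "smtp": 25, "ftp": 21, "ftp-data": 20}

ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<srcmask>\S+) host (?P<dst>\S+)(?: eq (?P<port>\S+))?$"
)


def parse_ace(line):
    """Turn one ACE into (name, action, proto, src_net, dst_net, dst_port or None)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    src = ipaddress.ip_network(f"{m['src']}/{m['srcmask']}", strict=False)
    dst = ipaddress.ip_network(f"{m['dst']}/32")
    port = PORT_NAMES.get(m["port"], None) if m["port"] else None
    if m["port"] and port is None:
        port = int(m["port"])  # numeric port form
    return (m["name"], m["action"], m["proto"], src, dst, port)


def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _name, action, ace_proto, src, dst, port in aces:
        if ace_proto not in (proto, "ip"):
            continue
        if s in src and d in dst and (port is None or port == dst_port):
            return action
    return "deny"


ACES = [parse_ace(line) for line in ACL_LINES]


def check_flows():
    """Evaluate a few flows from pool address 192.168.2.20 (constructed sample)."""
    flows = [("tcp", "192.168.2.20", "192.168.1.2", 80),
             ("tcp", "192.168.2.20", "192.168.1.3", 21),
             ("tcp", "192.168.2.20", "192.168.1.3", 22),
             ("tcp", "192.168.2.20", "192.168.1.2", 443)]
    return {flow: evaluate(ACES, *flow) for flow in flows}
```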

As discussed in the “Remote Access VPN User Configuration and Other Options” topic, in order to enable remote access VPN on a certain interface, you will need to use the following command under WebVPN:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside # Remote access on outside interface.

Cisco Secure Client can use the IP of the ASA, but it is better to use the group URL. The reason is simple: If you use the IP, the ASA will not know which custom tunnel group to use, so it will instead use DefaultWEBVPNGroup.

Once connected, the administrator can use the show vpn-sessiondb anyconnect command to verify the connection:

ciscoasa# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : vpnuser                  Index        : 526062
Assigned IP  : 192.168.2.20           Public IP    : 166.198.34.26
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 168926                 Bytes Rx     : 41720
Group Policy : MyGroupPolicy    Tunnel Group : RemoteAccessVPN
Login Time   : 19:03:09 UTC Wed Oct 4 2023
Duration     : 0h:02m:10s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a8c808806ee000651db6ed
Security Grp : none

As you can see, the group policy and tunnel group were applied to the VPN tunnel connection.
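Checking that output by eye works for one user but not for a fleet. The following added example (not from the page or from Cisco) parses a constructed `show vpn-sessiondb anyconnect` record in the same layout as above, verifies that the expected group policy and tunnel group were applied, and flags any data tunnel negotiated with a legacy algorithm; the legacy list and the expected names are the example's own assumptions.

```python
import re

# Constructed sample in the layout of `show vpn-sessiondb anyconnect` (values mirror the page; not a live capture).
SESSION_OUTPUT = """\
Session Type: AnyConnect

Username     : vpnuser                  Index        : 526062
Assigned IP  : 192.168.2.20           Public IP    : 166.198.34.26
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Group Policy : MyGroupPolicy    Tunnel Group : RemoteAccessVPN
Login Time   : 19:03:09 UTC Wed Oct 4 2023
"""

# One "Key : value" pair; a value ends at two or more spaces (the column gap) or end of line.
PAIR_RE = re.compile(r"(\S[^:]*?)\s*:\s+(.*?)(?=\s{2,}\S|$)")

# Algorithms this example treats as legacy for a data tunnel (assumption, not an ASA list).
LEGACY_ALGS = {"3DES", "DES", "RC4", "MD5", "SHA1", "none"}


def parse_session(text):
    """Return the record as a dict; Encryption/Hashing become per-tunnel sub-dicts."""
    fields = {}
    for line in text.splitlines():
        pairs = PAIR_RE.findall(line)
        if not pairs:
            continue
        key, value = pairs[0]
        if key in ("Encryption", "Hashing"):
            # "AnyConnect-Parent: (1)none" is glued to the key; later tunnels are separate pairs.
            first_tunnel, first_alg = value.split(": ", 1)
            per_tunnel = {first_tunnel: first_alg, **dict(pairs[1:])}
            fields[key] = {t: re.sub(r"^\(\d+\)", "", alg) for t, alg in per_tunnel.items()}
        else:
            fields.update(dict(pairs))
    return fields


def verify_session(fields, expect_group_policy, expect_tunnel_group):
    """Return a list of findings; an empty list means the session matches expectations."""
    findings = []
    if fields.get("Group Policy") != expect_group_policy:
        findings.append(f"unexpected group policy {fields.get('Group Policy')!r}")
    if fields.get("Tunnel Group") != expect_tunnel_group:
        findings.append(f"unexpected tunnel group {fields.get('Tunnel Group')!r}")
    for kind in ("Encryption", "Hashing"):
        for tunnel, alg in fields.get(kind, {}).items():
            # The parent session carries no data, so 'none' there is normal; data tunnels are checked.
            if tunnel != "AnyConnect-Parent" and alg in LEGACY_ALGS:
                findings.append(f"{tunnel} {kind.lower()} uses legacy algorithm {alg}")
    return findings
```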

The show conn | inc 192.168.2 command will show you the active connections that your VPN client pool has:

ciscoasa# show conn | inc 192.168.2
TCP outside  76.25.19.22(192.168.2.20):63733 outside  44.230.79.122:443, idle 0:00:08, bytes 10962, flags UxIOB
TCP outside  76.25.19.22(192.168.2.20):63765 outside  104.254.148.252:443, idle 0:00:00, bytes 4620, flags UxIOB
TCP outside  76.25.19.22(192.168.2.20):63771 outside  18.155.184.56:443, idle 0:00:00, bytes 17805, flags UxIOB
TCP outside  76.25.19.22(192.168.2.20):63755 outside  104.122.28.169:443, idle 0:00:00, bytes 52961, flags UxIOB
TCP outside  76.25.19.22(192.168.2.20):63741 outside  151.101.3.5:443, idle 0:00:00, bytes 381642, flags UxIOB
TCP outside  76.25.19.22(192.168.2.20):63729 outside  17.248.192.2:443, idle 0:00:10, bytes 14606, flags UxIOB
TCP outside  76.25.19.22(192.168.2.20):63769 outside  151.101.1.67:443, idle 0:00:01, bytes 50100, flags UxIOB
TCP outside  76.25.19.22(192.168.2.20):63743 outside  104.26.7.139:443, idle 0:00:06, bytes 12245, flags UxIOB
TCP outside  76.25.19.22(192.168.2.20):63750 outside  151.101.131.5:443, idle 0:00:00, bytes 125346, flags UxIOB
TCP outside  76.25.19.22(192.168.2.20):63767 outside  108.138.246.118:443, idle 0:00:01, bytes 6794, flags UfFRxIOB
TCP outside  76.25.19.22(192.168.2.20):63766 outside  18.244.214.80:443, idle 0:00:00, bytes 7048, flags UxIOB

Note: 76.25.19.22 is the outside interface IP that the pool addresses are translated to.
