Remote-access Guide

Configuring Remote Access VPN on Cisco ASA

by Dr. Gennaro Metz III Published 2 years ago Updated 2 years ago

There are eight basic steps in setting up remote access for users with the Cisco ASA.
  1. Configure an Identity Certificate.
  2. Upload the SSL VPN Client Image to the ASA.
  3. Enable AnyConnect VPN Access.
  4. Create a Group Policy.
  5. Configure Access List Bypass.
  6. Create a Connection Profile and Tunnel Group.
  7. Configure NAT Exemption.
Mar 19, 2009

How to connect to Cisco ASA?

To power on the Cisco ASA 5505, perform the following steps:

  1. Connect the power supply with the power cable.
  2. Connect the small, rectangular connector of the power supply cable to the power connector on the rear.
  3. Connect the AC power connector of the power supply input cable to an electrical outlet. ...
  4. Check the power LED; if it is solid green, then the device is powered on.

How do you set up a remote access VPN? (Azure point-to-site example)

  • Create a virtual network gateway (if one does not exist).
  • Configure point-to-site VPN on the gateway (see Scenario 1).
  • Configure a site-to-site tunnel on the Azure virtual network gateway with BGP enabled.
  • Configure the on-premises device to connect to the Azure virtual network gateway.

Can the Cisco ASA be used as a router?

The ASA is NOT a router, though, and while you can do things on the ASA that make it act something like a router, it is important to understand the differences between true routing and what the ASA actually does.

How to check VPN tunnel status Cisco ASA?

  • show vpn-sessiondb l2l
  • show vpn-sessiondb ra-ikev1-ipsec
  • show vpn-sessiondb summary
  • show vpn-sessiondb license-summary
  • and try other forms of the connection with "show vpn-sessiondb ?"


How do I set up remote access to VPN? (Windows Server Routing and Remote Access)

Configure Remote Access as a VPN Server:

  1. On the VPN server, in Server Manager, select the Notifications flag.
  2. In the Tasks menu, select Open the Getting Started Wizard. ...
  3. Select Deploy VPN only. ...
  4. Right-click the VPN server, then select Configure and Enable Routing and Remote Access.

How do I configure a Cisco ASA site-to-site VPN?

From the video "Cisco ASA Site-to-Site VPN Configuration (Command Line)" (YouTube, suggested clip starting at 1:08): "First of all we need to go into configuration mode, so config t, and now we're going to enable ISAKMP on the outside interface. ISAKMP is the handshake part of the configuration."

What is Cisco remote access VPN?

This allows remote users to connect to the ASA and access the remote network through an IPsec-encrypted tunnel. The remote user needs the Cisco VPN client software on their computer; once the connection is established, the user receives a private IP address from the ASA and has access to the network.

How does Cisco AnyConnect VPN Work?

Remote and mobile users use the Cisco AnyConnect Secure VPN client to establish VPN sessions with the adaptive security appliance. The adaptive security appliance sends web traffic to the Web Security appliance along with information identifying the user by IP address and user name.

What is Phase 1 and Phase 2 in VPN?

VPN negotiations happen in two distinct phases: Phase 1 and Phase 2. The main purpose of Phase 1 is to set up a secure encrypted channel through which the two peers can negotiate Phase 2. When Phase 1 finishes successfully, the peers quickly move on to Phase 2 negotiations.

How does remote access VPN Work?

A remote access VPN works by creating a virtual tunnel between an employee's device and the company's network. This tunnel goes through the public internet but the data sent back and forth through it is protected by encryption and security protocols to help keep it private and secure.

Is Cisco AnyConnect IPSec or SSL?

AnyConnect is the replacement for the old Cisco VPN client and supports SSL and IKEv2 IPsec. When it comes to SSL, the ASA offers two SSL VPN modes: Clientless WebVPN.

What type of VPN is AnyConnect?

Cisco AnyConnect VPNs utilize TLS to authenticate and configure routing, then DTLS to efficiently encrypt and transport the tunneled VPN traffic, and can fall back to TLS-based transport where firewalls block UDP-based traffic.

How do I change my Cisco AnyConnect settings?

If you are in ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profiles, highlight the client profile you have and click the “Edit” button. Update the hostname to be the domain name and update the host address to be the new IP address and click OK.

Which two protocols can be used by the Cisco AnyConnect VPN?

Explanation: When a full tunnel is created using the Cisco AnyConnect VPN Wizard, the VPN protocols that protect the traffic inside the tunnel must be selected. The choices are SSL and/or IPsec.

Is Cisco AnyConnect a VPN?

The Cisco AnyConnect Client lets us make a secure, safe and reliable VPN connection to our organization's private network, with multiple security services to protect company data. It gives employees the freedom to connect from anywhere at any time, making life easier for remote workers.

What is site to site IPsec VPN?

A site-to-site VPN is a permanent connection designed to function as an encrypted link between offices (i.e., “sites”). This is typically set up as an IPsec network connection between networking equipment.

How do I enable IKEv2 on Cisco ASA?

Configure the remote IPsec tunnel pre-shared key or certificate trustpoint. Create a crypto map and match based on the previously created ACL. ...

IPsec IKEv2 Example (excerpt of a step table; 17 more rows; Nov 15, 2013):

  1. Create and enter IKEv2 policy configuration mode:
     asa1(config)# crypto ikev2 policy 1
  7. Enable IKEv2 on an interface:
     asa1(config)# crypto ikev2 enable outside
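The two table rows quoted above are the first and the last crypto step; what sits between them is the IPsec proposal and the dynamic crypto map that the policy feeds into. The following is an added example of the complete IKEv2 crypto side, not the page's own table or Cisco's reference configuration. It assumes ASA release 8.4 or later and an interface named outside; the policy number, proposal, map, trustpoint and group-policy names are made up for illustration, and the trustpoint must already exist.

```cisco
! IKEv2 (phase 1) policy: AES-256, SHA-256 integrity and PRF, DH group 14
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

! IKEv2 IPsec (phase 2) proposal used for the child SA
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Dynamic crypto map: remote users arrive from source addresses we cannot list,
! so the dynamic entry is attached to the interface map with the highest sequence number
crypto dynamic-map DYN_IKEV2 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_IKEV2
crypto map OUTSIDE_MAP interface outside

! Enable IKEv2 on the outside interface; client-services lets AnyConnect fetch its
! profile and updates over TLS on 443 before the IPsec tunnel is established
crypto ikev2 enable outside client-services port 443

! Identity certificate presented during IKEv2 authentication (trustpoint name assumed)
crypto ikev2 remote-access trustpoint ASA_SELF_SIGNED

! Allow the IKEv2 protocol in the group policy applied to remote users (name assumed)
group-policy IKEV2_GP internal
group-policy IKEV2_GP attributes
 vpn-tunnel-protocol ikev2

! Verification after a client connects
show crypto ikev2 sa
show vpn-sessiondb ra-ikev2-ipsec
```

The address pool, tunnel group and user accounts are configured exactly as for any other remote access profile; only the pieces above differ between IKEv1 and IKEv2. If the pre-shared-key or certificate row of the table is skipped, the IKE_AUTH exchange fails and show crypto ikev2 sa shows no established SA, which is the first thing to check.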

How can I learn Cisco ASA?

From the video "Cisco ASA Firewall Full Course" (YouTube, 3:10:11): "Hi everyone, welcome to our course, Cisco ASA Firewall Lab Guide. In this particular course you will learn about the ASA firewall, obviously."

VPN Pool

First we will configure a pool with IP addresses that we will assign to remote VPN users:

NAT Exemption

If you have NAT enabled on the ASA then we need to make sure that traffic between 192.168.1.0 /24 (the local network) and 192.168.10.0 /24 (our remote VPN users) doesn't get translated. To accomplish this we will configure NAT exemption. The example below is for ASA version 8.3 or higher:

Group Policy

When the remote user has established the VPN, he or she will be unable to access anything on the Internet…only the remote network is reachable. For security reasons this is a good practice as it forces you to send all traffic through the ASA. If you don’t want this then you can enable split tunneling.

Username

We configured a group policy and user but we haven’t configured any IPsec settings yet. Let’s configure phase 1…

IPsec Phase 1

This is just a basic example. We will use AES for encryption, SHA for integrity, a pre-shared key for authentication and Diffie-Hellman group 2 for key exchange. The lifetime before a renegotiation is required is 86400 seconds. Note that DH group 2 (1024-bit MODP) is kept here only because the original example uses it; on a current ASA release, prefer a larger group such as 14 where the client supports it. Let's enable this IKEv1 policy on the outside interface:

IPsec Phase 2

We will configure a transform set called “MY_TRANSFORM_SET” and we use ESP with AES/SHA. The next step is to configure a crypto map, this has to be a dynamic crypto map since the remote VPN users probably are behind dynamic IP addresses and we don’t know which ones:
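The six sections above (VPN pool, NAT exemption, group policy, username, IPsec phase 1, IPsec phase 2) are one procedure, so here they are assembled into a single ASA configuration. This is an added example, not the original tutorial's configuration. It keeps the text's values (inside network 192.168.1.0/24, pool 192.168.10.0/24, transform set MY_TRANSFORM_SET, AES/SHA/pre-shared key/DH group 2) and assumes ASA release 8.4 or later for the ikev1 keywords and interfaces named inside and outside; the object, group-policy, dynamic-map, crypto-map, tunnel-group and user names, the DNS server, the password and the pre-shared key are made up for illustration.

```cisco
! VPN pool: addresses assigned to remote users (192.168.10.0/24 as in the text)
ip local pool VPN_POOL 192.168.10.1-192.168.10.254 mask 255.255.255.0

! NAT exemption (8.3+ twice-NAT syntax): traffic between the LAN and the VPN pool
! must not be translated in either direction
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network VPN_USERS
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN_USERS VPN_USERS no-proxy-arp route-lookup

! Group policy: IKEv1 only, full tunnel (all client traffic goes through the ASA)
group-policy MY_GROUP_POLICY internal
group-policy MY_GROUP_POLICY attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 dns-server value 192.168.1.10
! Optional split tunnelling instead (weaker posture: Internet traffic leaves the client
! outside the tunnel and the ASA no longer sees it); uncomment to use
! access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
! group-policy MY_GROUP_POLICY attributes
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value SPLIT_TUNNEL

! Local user (constructed credentials), restricted to VPN logins
username vpnuser password Wint3r-Sn0w-Lab7 privilege 0
username vpnuser attributes
 service-type remote-access

! IPsec phase 1: IKEv1 policy as described (AES, SHA, pre-shared key, DH group 2, 86400 s)
! DH group 2 only matches the text; use a larger group where the client supports it
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! IPsec phase 2: transform set plus a dynamic crypto map, because remote users
! connect from addresses we do not know in advance
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
crypto dynamic-map MY_DYNAMIC_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic MY_DYNAMIC_MAP
crypto map MY_CRYPTO_MAP interface outside

! Tunnel group ties the pool, the group policy and the pre-shared key together
tunnel-group MY_TUNNEL_GROUP type remote-access
tunnel-group MY_TUNNEL_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy MY_GROUP_POLICY
tunnel-group MY_TUNNEL_GROUP ipsec-attributes
 ikev1 pre-shared-key Gr0upPSK-Lab-2024

! Verification after a client connects
show vpn-sessiondb ra-ikev1-ipsec
show crypto ikev1 sa
```

If the NAT exemption is left out, the phase 1 and phase 2 SAs still come up and show vpn-sessiondb reports the session, but the client sees no replies from the LAN because the return traffic is translated before it reaches the tunnel; checking the NAT exemption first saves time when "the VPN connects but nothing works".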

Restrictions for IPsec VPN

Context Mode Guidelines: supported only in single context mode; multiple context mode is not supported. This guideline comes from an older ASA release; the multiple-context examples that follow apply to later releases that added remote access VPN support in multiple-context mode.

Configuration Examples for Standards-Based IPSec IKEv2 Remote Access VPN in Multiple-Context Mode

The following examples show how to configure ASA for Standards-based remote access IPsec/IKEv2 VPN in multi-context mode. The examples provide information for the System Context and User Context configurations respectively.

Configuration Examples for AnyConnect IPSec IKEv2 Remote Access VPN in Multiple-Context Mode

The following examples show how to configure ASA for AnyConnect remote access IPsec/IKEv2 VPN in multi-context mode. The examples provide information for the System Context and User Context configurations respectively.

Licensing Requirements for Remote Access IPsec VPNs

The following table shows the licensing requirements for this feature:

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Configuring Remote Access IPsec VPNs

This section describes how to configure remote access VPNs and includes the following topics:

What is remote access VPN?

Remote access VPNs allow users to connect to a central site through a secure connection over a TCP/IP network such as the Internet. The Internet Security Association and Key Management Protocol (ISAKMP), which Cisco documentation also calls IKE, is the negotiation protocol that lets the IPsec client on the remote PC and the ASA agree on how to build an IPsec Security Association. Each ISAKMP negotiation is divided into two sections called Phase 1 and Phase 2.

How many interfaces does an ASA have?

An ASA has at least two interfaces, referred to here as outside and inside. Typically, the outside interface is connected to the public Internet, while the inside interface is connected to a private network and is protected from public access.

How many remote access VPN terminations are allowed on ASA5505?

For the ASA 5505 and ASA 5500-X series, if the AnyConnect license activation key is not enabled in hardware, the maximum number of remote access VPN terminations is 2 in a single-unit configuration and 4 in a redundant configuration. Limited to one.

Why is it necessary to replace an ASA?

If the existing ASA does not have sufficient performance or processing capacity due to an increase in throughput or the number of simultaneous connections even if it is optimized, it will be necessary to replace it with a higher-level device or add an ASA. The following is an example of how to respond by changing the configuration.

Why is it important to check the number of VPN sessions?

There are several reasons to monitor the number of VPN sessions and keep it within an appropriate range. The most important is that VPN throughput is shared among all connected users, so as the session count grows, the throughput available to each user shrinks. Ideally every user would get as much throughput as their work requires, but when VPN access is concentrated and the user count rises, per-user throughput falls accordingly. Even under heavy concentration, and even if users experience some delay, each connected user still normally needs the minimum throughput required to do their job, and that is the figure to plan the session limit around.

What is VPN throughput?

VPN throughput is the sum of transmit (Tx) and receive (Rx) traffic. For example, with TCP, while a client is downloading a file through the ASA (Rx from the client's side), the client is also sending acknowledgements (ACKs) back through the ASA (Tx), and both directions count against the throughput figure.

What is ASAv in ESXi?

ASAv is a virtual appliance that can be installed on virtual infrastructure such as ESXi, KVM, AWS and Hyper-V. Below are some best practices and verification examples for ASAv performance optimization.

How does CPU affect VPN?

The CPU usage rate increases as the number of encryption and decryption processes increases, so when the VPN throughput is close to the limit, you can almost always see a high CPU usage rate. Even if the same VPN throughput is generated, the CPU usage rate will be affected by various factors such as the products and functions used, the setting amount, the number of simultaneous connections, the traffic pattern, the usage version, and the environment.

Introduction

This document introduces how to configure the ASA to terminate SSL VPN access from the Cisco AnyConnect Secure Mobility Client. Eventually I want to cover more advanced content such as using certificates, but first, let's start with the most basic configuration, using the following settings:

Issuing Self-Signed Certificate

Now, let's get started with the detailed settings. ASA creates a certificate to present to the client as a server certificate.

Configuring and Uploading Cisco AnyConnect Secure Mobility Client Image

Next, we will configure the AnyConnect image used on ASA. To configure this setting, the AnyConnect package file must exist on ASA in advance. As mentioned earlier, we will use anyconnect-win-3.1.04072-k9.pkg this time.

Defining Local Address Pool

Next, we will define the pool of IP addresses handed out to clients when they connect via AnyConnect.

Defining Group Policy

Here, we will define the policy applicable to each group when establishing a connection from AnyConnect.

Selecting ID Certificate Used for AnyConnect Connection

Configure the self-signed certificate created at Step 1 to be used as a server certificate for the AnyConnect connection.

Group URL Settings

You can configure items other than the one in Step 6 for the tunnel group. For convenience when connecting via AnyConnect, the typical operation is to distribute an AnyConnect Client Profile from the ASA and have the client select that profile when connecting.
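The eight-step outline near the top of this page and the step-by-step AnyConnect section above (self-signed certificate, client image, address pool, group policy, ID certificate, group URL) describe the same procedure. Here it is as one complete ASA configuration, an added example rather than the original author's configuration. It keeps the text's package name anyconnect-win-3.1.04072-k9.pkg (an old release; use a current package in practice) and assumes ASA release 8.4 or later, interfaces named inside and outside, an inside network of 192.168.1.0/24 and a pool of 192.168.10.0/24; the key label, trustpoint, pool, group-policy, tunnel-group, alias and user names, the hostname vpn.example.com, the DNS server and the password are made up for illustration.

```cisco
! Step 1: self-signed identity certificate (a CA-issued certificate avoids the
! warning the client shows for a self-signed one)
crypto key generate rsa label ASA_VPN_KEY modulus 2048
crypto ca trustpoint ASA_SELF_SIGNED
 enrollment self
 subject-name CN=vpn.example.com
 keypair ASA_VPN_KEY
crypto ca enroll ASA_SELF_SIGNED noconfirm

! Steps 2 and 3: register the uploaded client image and enable AnyConnect on outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

! Step 6 of the section above: present the identity certificate on the outside interface
ssl trust-point ASA_SELF_SIGNED outside

! Address pool handed to clients
ip local pool ANYCONNECT_POOL 192.168.10.1-192.168.10.254 mask 255.255.255.0

! Group policy: SSL client only, full tunnel (no split tunnelling), internal DNS
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 192.168.1.10
 webvpn
  anyconnect keep-installer installed
  anyconnect ask none default anyconnect

! Connection profile (tunnel group) with an alias and a group URL
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP
 authentication-server-group LOCAL
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias employees enable
 group-url https://vpn.example.com/employees enable

! Local test user (constructed credentials); service-type restricts it to VPN logins
username vpnuser password Wint3r-Sn0w-Lab7 privilege 0
username vpnuser attributes
 service-type remote-access

! Access list bypass: decrypted VPN traffic skips the outside interface ACL (the default;
! if it has been turned off, the outside ACL must permit the pool explicitly)
sysopt connection permit-vpn

! NAT exemption so traffic between the LAN and the pool is not translated
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network ANYCONNECT_USERS
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static ANYCONNECT_USERS ANYCONNECT_USERS no-proxy-arp route-lookup

! Verification once a client has connected
show vpn-sessiondb anyconnect
show crypto ca certificates
```

With tunnel-group-list enabled, the client is offered the alias from a drop-down; the group URL lets the client profile point users straight at this profile without the drop-down. The LOCAL authentication server group is what the text's basic setup uses; binding the tunnel group to AAA (RADIUS or LDAP) instead is a one-line change in the general-attributes section.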
