Remote-access Guide

design network with cluster asa 5516 vpn remote access

by Bradley Kessler Published 2 years ago Updated 2 years ago

What is Cisco ASA remote access VPN?

A Cisco ASA remote access VPN requires the remote user to run the Cisco VPN client software on their computer; once the connection is established, the user receives a private IP address from the ASA and has access to the network. The Cisco VPN client is end-of-life and has been replaced by the Cisco AnyConnect Secure Mobility Client.

Does the ASA 5516-x now support 2-unit clusters?

The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default in the base license, and no commands were modified. Separately, the Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from its location into two different numbering spaces, making server migration transparent to clients.

How does the ASA assign IP addresses to remote users?

The ASA assigns IP addresses to all remote users that connect with the AnyConnect VPN client. We’ll configure a pool of IP addresses for this; remote users get an address from that pool, and we’ll use the IP address range 192.168.10.100 – 200.

What is the impact of remote access VPN on Cisco ASA/FTD?

As the number of remote access VPN users has rapidly increased, access concentrates on the remote access VPN servers that terminate it, Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), and their performance is reduced. Quite a few deployments suffer from this deterioration.

What is ASA with Firepower Services?

There’s the traditional ASA image, also known as “ASA with Firepower Services”. The “Firepower Services” part is optional. This ASA code has been around for years; Firepower Services, if you have it, runs as a separate software module. The other software type is Firepower Threat Defense.

How many members can a 5512-X have?

You may not have the answer to this yet, but there is a critical piece of information to be aware of. All appliances from the 5512-X to the 5555-X can have two members per cluster.

Why not use VLAN in hashing?

Do not use the VLAN in the hashing algorithm, because the VLAN changes as the traffic passes across the ASA interfaces. A change in VLAN would change the hash and therefore the member a flow is sent to.

What is spanned etherchannel mode?

In spanned-etherchannel mode, the cluster connects to the switches with an etherchannel. The switch handles the load-balancing of connections across the cluster members, so the switch’s hashing algorithm determines how effective the distribution will be.

How much of the connections per second in a cluster?

You will get 50% of the combined connections per second of all members in the cluster.

Can ASA 5500-X run software?

You may be aware of ASA 5500-X series appliances and Firepower appliances. While they’re quite different internally, both appliances can run either software image. In this article, the term ASA refers to both appliances, unless otherwise specified.

Is a Cisco cluster connected to a switch?

The cluster is usually connected to upstream switches; this is always the case with spanned-etherchannel. Any upstream switch should be fine as long as it runs LACP. The good news is that Cisco has validated a range of their switches; for an up-to-date list, see the BRKSEC-3032 presentation, page 9.

How many tunnels can you use for ASA 5516-X?

For example, you have a cluster of eight units (5516-X). The Other VPN license allows a maximum of 300 site-to-site IPsec tunnels for one ASA 5516-X. For the entire cluster of eight units, you can only use 300 tunnels; the feature does not scale.

Where do ASA cluster members reside?

The ASA cluster members must reside between the first hop router and the ITR or ETR for the site. The ASA cluster itself cannot be the first hop router for an extended segment.

Why do filters need to be removed from OTV?

If a site goes down, the filters need to be removed from OTV because you no longer want to block the global MAC address. Some additional configuration is required.

What are the benefits of using ASA clustering?

One of the benefits of using ASA clustering is the ease of management. This section describes how to manage the cluster.

How high should the MTU be for a cluster control link?

You should configure the cluster control link interface MTU to be at least 100 bytes higher than the data interface MTU, and configure the switch that connects the cluster control link accordingly. Because cluster control link traffic includes forwarded data packets, the cluster control link must accommodate the entire size of a data packet plus the cluster traffic overhead.
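The cluster points above (spanned EtherChannel to LACP switches, a non-VLAN hash, and a control-link MTU 100 bytes above the data MTU) put together as an added ASA configuration example; this is not configuration from the page or from Cisco. Interface numbers, addresses and the cluster key are constructed placeholders, and the switch-side hash and MTU are assumed to be set on the switch separately.

```text
! Added example: two-unit spanned EtherChannel cluster on an ASA 5516-X.
! Spanned mode must be selected before the cluster group is created.
cluster interface-mode spanned force
!
! Cluster control link: a dedicated EtherChannel (mode on, no LACP).
! Data MTU is 1500, so the control link gets 1500 + 100 = 1600; the
! switch ports carrying it must also accept 1600-byte frames.
interface GigabitEthernet1/7
 channel-group 1 mode on
 no shutdown
interface GigabitEthernet1/8
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description CLUSTER CONTROL LINK
mtu cluster 1600
!
! Data interface: one spanned EtherChannel shared by all members, LACP
! active towards the upstream switch pair. The switch must hash on IP
! addresses rather than VLAN, because the VLAN changes across the ASA.
interface GigabitEthernet1/1
 channel-group 2 mode active
 no shutdown
interface GigabitEthernet1/2
 channel-group 2 mode active
 no shutdown
interface Port-channel2
 port-channel span-cluster
 ! This sets the ASA's own egress hash over the member links; the
 ! ingress distribution across members is decided by the switch hash.
 port-channel load-balance src-dst-ip
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
! Cluster group on the first unit; the second unit repeats this with its
! own local-unit name, control-link address and priority.
cluster group CLUSTER1
 local-unit unit-1
 cluster-interface Port-channel1 ip 127.2.1.1 255.255.255.0
 priority 1
 key CLUSTER_KEY_PLACEHOLDER
 enable
```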

How much bandwidth does ASA 5585-X handle?

For example, for throughput, the ASA 5585-X with SSP-40 can handle approximately 10 Gbps of real world firewall traffic when running alone. For a cluster of 8 units, the maximum combined throughput will be approximately 70% of 80 Gbps (8 units x 10 Gbps): 56 Gbps.

How many GE I/O licenses are required for ASA 5585-X?

All members must have the same cluster and encryption licenses and, for the ASA 5585-X, the same 10 GE I/O licenses.

How many interfaces does an ASA have?

The ASA has two interfaces: inside and outside. Imagine the outside interface is connected to the Internet, where a remote user wants to connect to the ASA. On the inside we find R1; I will only use this router so the remote user has something to connect to on the inside network. Let’s look at the configuration!

What is VPN_POLICY?

The group policy is called VPN_POLICY and it’s an internal group policy, which means it is created locally on the ASA. You can also specify an external group policy on a RADIUS server. I added some attributes, for example a DNS server and an idle timeout (15 minutes). Split tunneling is optional, but I added it to show you how to use it; it refers to the access-list we created earlier.

Does Cisco VPN require ASA?

The remote user requires the Cisco VPN client software on his/her computer; once the connection is established, the user receives a private IP address from the ASA and has access to the network.

Can remote VPN users access certain networks?

If you want to configure an access-list so the remote VPN users can only reach certain networks, IP addresses or ports, you can apply it under the group policy.

Can you use VPN on remote network?

If you don’t want this, you can enable split tunneling. With split tunneling enabled, the VPN is used only for access to the remote network. Here’s how to enable it:
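The pieces described in this section (the address pool, the VPN_POLICY group policy with DNS server and 15-minute idle timeout, the split-tunnel access-list, and the per-user filter applied under the group policy) as one added ASA configuration example; this is not the page's own configuration. The inside network 192.168.1.0/24, the DNS server 192.168.1.10, R1 at 192.168.1.1 and the tunnel-group name are constructed values, and the IKEv1 policy and crypto map for the legacy client are assumed to be configured already.

```text
! Added example: group policy and pool for the legacy IPsec client.
! Pool handed out to remote users (range from the text).
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0
!
! Split tunneling: only this network is sent through the tunnel; all
! other client traffic leaves via the client's normal gateway.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
!
! Filter applied under the group policy to limit what VPN users reach.
! Written with the remote user's pool address as the source and the
! inside host as the destination; only DNS to the DNS server and SSH to
! R1 are allowed, everything else through the tunnel is dropped.
access-list VPN_FILTER extended permit udp 192.168.10.0 255.255.255.0 host 192.168.1.10 eq 53
access-list VPN_FILTER extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.1.1 eq 22
!
! Internal group policy (created locally on the ASA).
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
 vpn-tunnel-protocol ikev1
 dns-server value 192.168.1.10
 ! Idle timeout in minutes.
 vpn-idle-timeout 15
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_FILTER
!
! Tunnel group that ties the pool and the group policy together.
tunnel-group VPN_TG type remote-access
tunnel-group VPN_TG general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_POLICY
tunnel-group VPN_TG ipsec-attributes
 ikev1 pre-shared-key PRE_SHARED_KEY_PLACEHOLDER
```

Without vpn-filter, a connected user can reach anything the inside interface can; the filter is what makes the "certain networks, IP addresses or ports" restriction effective.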

What is AnyConnect VPN?

AnyConnect is the replacement for the old Cisco VPN client and supports SSL and IKEv2 IPsec. When it comes to SSL, the ASA offers two SSL VPN modes: clientless WebVPN and AnyConnect VPN. The clientless WebVPN method does not require a VPN client to be installed on the user’s computer. You just open your web browser, ...

What is the IP address of AnyConnect?

You can see that we received IP address 192.168.10.100 (the first IP address from the VPN pool). AnyConnect creates an additional interface, just like the legacy Cisco VPN client does.

What happens when a VPN user terminates a session?

Normally, when the remote VPN user terminates the session, the AnyConnect installer is uninstalled. The anyconnect keep-installer installed command leaves it installed on the user’s computer.

What happens when you have an inbound access list?

When you have an inbound access-list on the outside interface, all decrypted traffic from the SSL WebVPN has to match that inbound access-list. You can either create permit statements for the decrypted traffic or tell the ASA to let this traffic bypass the access-list:

Why does my client try to download AnyConnect?

The client tries to download AnyConnect automatically because of the anyconnect ask none default anyconnect command that we used. Since we are using a self-signed certificate, you will get the following error message:

When remote users connect to our WebVPN, do they have to use HTTPS?

The following option is not required but useful: whenever someone accesses the ASA through HTTP, they are redirected to HTTPS:

What is ANYCONNECT_POLICY?

The group policy is called “ANYCONNECT_POLICY” and it’s an internal group policy, which means that we configure it locally on the ASA. An external group policy could be on a RADIUS server.
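The AnyConnect items above (the SSL VPN on the outside interface, the ANYCONNECT_POLICY internal group policy, the keep-installer and ask none commands, the HTTP-to-HTTPS redirect, and the access-list bypass for decrypted traffic) as one added ASA configuration example; this is not configuration from the page. The package file name, tunnel-group name and alias are constructed placeholders, and the pool range is the one the text uses.

```text
! Added example: AnyConnect SSL VPN on the outside interface.
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0
!
! Enable SSL VPN on outside, publish the client package and let the
! user pick the tunnel group (alias) on the login page.
webvpn
 enable outside
 anyconnect image disk0:/ANYCONNECT_PACKAGE_PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Optional: redirect plain HTTP on the outside interface to HTTPS.
http redirect outside 80
!
! Let decrypted VPN traffic bypass the inbound access-list on outside.
! Leave this out and add explicit permit statements instead if you
! want the interface ACL to apply to VPN users as well.
sysopt connection permit-vpn
!
! Internal group policy, configured locally on the ASA.
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  ! Push the client automatically instead of asking the user, and keep
  ! the installer on the computer after the session ends.
  anyconnect ask none default anyconnect
  anyconnect keep-installer installed
!
! Tunnel group binding the pool and the policy; the alias is what the
! user selects in the browser or client.
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_POLICY
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias ANYCONNECT enable
```

The self-signed certificate warning the text mentions goes away only when the outside trustpoint holds a certificate the client trusts; the configuration above does not change that.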
