Remote Access SSL VPN Configuration on Cisco ASA Firewall Through CLI by Using Certificate/Username for Authentication and AnyConnect Client

In new age of remote access VPN we have TCP/SSL or TCP/TLS as preferable protocol over IPSec. As advantages of this VPN method over IPSec we can find its flexibility(it does not requires additional ports over 443 allowing through corporate firewalls), similar security strength as IPSec(asymmetric encryption key, strong encryption and authentication protocols etc.), reliability etc. In last few years Cisco went through migration from its traditional Cisco VPN client which used IPSec protocol to AnyConnect client which preferably uses SSL.

 In this article I will explain process of SSL VPN remote access configuration through CLI on Cisco ASA firewall. We will see configuration steps needed to be performed to have functional VPN SSL VPN access. User will be authenticated with certificate and username which will be checked and configured on external radius server. All IP addresses used in configuration are examples.

 

Step 1 – Enable SSL VPN access on interface

In order to enable client SSL VPN connection you should enable it on the interface on which connections will be terminated. So, if you did not it, enable SSL VPN client connections at the interface with next commands:

webvpn
 enable INTERFACE_NAME
 svc enable

where INTERFACE_NAME is interface on your ASA where VPN connections from client are terminated.

 

Step 2 – Configure IP address pool

At this step we will configure IP address pool from which VPN clients will get IP addresses when connect to VPN. This can be done with next line:

ip local pool ssl-vpn-pool 192.168.1.1-192.168.116.254

 So, clients will get addresses from 192.168.1.1 to 192.168.1.254

Step 3 – Configure access list (ACL) for traffic filtering

Now, we will define ACL and related objects for VPN traffic filtering:

object-group network ssl_vpn_servers  
 network-object host 10.0.0.100

object-group service ssl_vpn_protocols tcp-udp  
  port-object eq 3389

access-list ssl-vpn-acl extended permit tcp 192.168.1.0 255.255.255.0 object-group ssl_vpn_servers  object-group ssl_vpn_protocols  

So, in above lines we configured:

  • Object group ssl_vpn_servers which are server our VPN clients will connect to
  • Object group ssl_vpn_protocols which are protocols our VPN clients will use to connect to servers
  • ACL ssl-vpn-acl which is ACL for filtering VPN traffic for clients. We have our IP address scope (192.168.1.0/24) allowed to connect to server 10.0.0.100 through RDP protocol port 3389.

 

Step 4 – Configure split tunnel ACL

At this step we will configure ACL which will be used for tunnel splitting on client. With this ACL on client computer will be defined traffic which must go through VPN tunnel. All other traffic will not go through tunnel.

access-list acl-split-vpn standard permit host 10.0.0.100

 With above lines we configured that all traffic going to 10.0.0.100 server will go through VPN tunnel. All other traffic will go through client network connection.

Step 5 – Configure tunnel policy

At this step we will configure VPN group policy in which some VPN parameters are configured. We will use next lines:

group-policy ssl_vpn_policy internal
group-policy ssl_vpn_policy attributes
 vpn-filter value ssl-vpn-acl
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-split-vpn

In group policy we configured next parameters:

  • ACL applied for traffic filtering which is ssl-vpn-acl(we configured it in step 3)
  • Type of VPN which is SSL client(another is clientless)
  • ACL for traffic splitting is acl-split-vpn(we configured it in step 4)

 

Step 6 – Configure tunnel group

At this step we will configure tunnel group. It is one of the most important part of this configuration because tunnel group defines important VPN connection attributes and identifies group of VPN users with same attributes at VPN server(in our case VPN server is Cisco ASA). So next lines are configuration of tunnel group:

tunnel-group ssl_vpn_group type remote-access
tunnel-group ssl_vpn_group general-attributes
 address-pool ssl-vpn-pool
 authentication-server-group YOUR_RADIUS
 default-group-policy ssl_vpn_policy
tunnel-group ssl_vpn_group webvpn-attributes
 authentication aaa certificate

In above lines we configured new VPN tunnel group (ssl_vpn_group) which is type of remote access. We configured general attributes of this VPN such as address pool (ssl-vpn-pool configured in step 2), radius server which will be used for user authentication (YOUR_RADIUS) and VPN policy which will be applied to clients when connected (ssl_vpn_policy configured in step 5). We also configured one of webvpn attributes for connections such as authentication. In this attribute we set that for client authentication will be used certificate. So, certificate should be installed on client machine.

 

Step 7 – Configure certificate field mapping

 In order to identify tunnel group to which VPN client will belong we should map group name to field in certificate. For this example we will use next lines:

crypto ca certificate map ssl_vpn_map 10
 subject-name attr ou eq ssl_vpn_group

webvpn
 certificate-group-map ssl_vpn_map 10 ssl_vpn_group

In above lines we mapped OU field of certificate to name of clients tunnel group (ssl_vpn_group). So, when you issue certificates for clients at your CA authority or at some external authority you should set tunnel group name to OU field of certificate and it it’s mandatory for client group identification.

Note:

There is something you should note if you are using certificates for client authentication. Both Cisco ASA and client should have both CA trusted root authority certificate and client certificate. In this article neither issuing certificates for Cisco ASA nor issuing certificates for clients is covered. Also, considering radius server is used for authentication it should be configured on ASA and it can be done through next lines:

aaa-server YOUR_RADIUS protocol radius
aaa-server YOUR_RADIUS  (YOUR_INTERFACE) host 10.0.0.5
 key your_radius_key

Where YOUR_RADIUS is name of your radius server configured on ASA, your_radius_key is key used to authenticate ASA on YOUR_RADIUS server and YOUR_INTERFACE is interface on your ASA where radius server is connected.

Advertisements

3 thoughts on “Remote Access SSL VPN Configuration on Cisco ASA Firewall Through CLI by Using Certificate/Username for Authentication and AnyConnect Client

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s