For remote access VPN, SSL/TLS over TCP has become the preferred transport over IPsec. Its advantages over IPsec are flexibility (it needs no ports beyond TCP 443, which corporate firewalls already allow; AnyConnect additionally uses UDP 443 when DTLS is enabled), comparable security strength when configured properly (asymmetric key exchange, strong encryption and authentication algorithms), and reliability. Over the last few years Cisco has migrated from its traditional Cisco VPN Client, which used IPsec, to the AnyConnect client, which by default uses SSL/TLS.
In this article I will explain how to configure SSL VPN remote access on a Cisco ASA firewall through the CLI, step by step, until we have a working AnyConnect SSL VPN. Users will be authenticated with a client certificate plus a username and password that are checked against an external RADIUS server. All IP addresses used in the configuration are examples.
Step 1 – Enable SSL VPN access on interface
To accept client SSL VPN connections you must enable them on the interface on which the connections terminate (usually the outside interface). If you have not done so yet, enable SSL VPN client connections with the following commands:
webvpn
 enable INTERFACE_NAME
 svc enable
where INTERFACE_NAME is the interface name (nameif) on your ASA on which client VPN connections terminate. On ASA 8.4 and later the svc keywords were renamed anyconnect (anyconnect enable), and an AnyConnect client package must be loaded first with anyconnect image (svc image on older releases), otherwise clients have nothing to download.
Step 2 – Configure IP address pool
In this step we configure the IP address pool from which VPN clients receive their addresses when they connect:
ip local pool ssl-vpn-pool 192.168.1.1-192.168.1.254
Clients will get addresses from 192.168.1.1 to 192.168.1.254. Choose a range that does not overlap any network already in use behind the ASA, and keep it consistent with the source network of the filtering ACL in step 3, otherwise client traffic will never match the filter.
Step 3 – Configure access list (ACL) for traffic filtering
Now we define the ACL, and the objects it uses, that will filter VPN client traffic:
object-group network ssl_vpn_servers
 network-object host 10.0.0.100
object-group service ssl_vpn_protocols tcp-udp
 port-object eq 3389
access-list ssl-vpn-acl extended permit tcp 192.168.1.0 255.255.255.0 object-group ssl_vpn_servers object-group ssl_vpn_protocols
In the lines above we configured:
- Object group ssl_vpn_servers: the servers our VPN clients are allowed to connect to
- Object group ssl_vpn_protocols: the ports our VPN clients may use to reach those servers
- ACL ssl-vpn-acl: the ACL that filters VPN client traffic. Our client address range (192.168.1.0/24) is allowed to connect to server 10.0.0.100 over RDP (TCP port 3389).
Note that decrypted VPN traffic bypasses the interface ACLs by default (sysopt connection permit-vpn is enabled), so this ACL, once applied as a vpn-filter in step 5, is the only thing restricting what a connected client can reach. It is written from the client's perspective (client address as source), is enforced on both directions of a session, and ends with an implicit deny.
Step 4 – Configure split tunnel ACL
In this step we configure the ACL that controls split tunneling on the client. The networks listed in this ACL are routed through the VPN tunnel; all other traffic stays outside the tunnel.
access-list acl-split-vpn standard permit host 10.0.0.100
With the line above, only traffic destined to server 10.0.0.100 goes through the VPN tunnel; all other traffic leaves through the client's normal network connection. Keep in mind that split tunneling leaves the client connected to its local network and the corporate network at the same time; if that is not acceptable in your environment, tunnel everything instead (split-tunnel-policy tunnelall in step 5).
Step 5 – Configure tunnel policy
In this step we configure the VPN group policy, which holds the per-session parameters. We use the following lines:
group-policy ssl_vpn_policy internal
group-policy ssl_vpn_policy attributes
 vpn-filter value ssl-vpn-acl
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-split-vpn
In the group policy we configured the following parameters:
- The ACL applied for traffic filtering, ssl-vpn-acl (configured in step 3)
- The tunnel protocol, SSL client (ssl-client; the other SSL option is ssl-clientless for browser-based access). On releases before 8.4 the keyword is svc instead of ssl-client.
- The split tunnel policy (tunnelspecified) and the ACL that defines the tunneled networks, acl-split-vpn (configured in step 4)
Step 6 – Configure tunnel group
In this step we configure the tunnel group. It is one of the most important parts of this configuration, because the tunnel group defines the connection attributes and identifies a group of VPN users that share the same attributes on the VPN server (in our case the Cisco ASA). The tunnel group is configured with the following lines:
tunnel-group ssl_vpn_group type remote-access
tunnel-group ssl_vpn_group general-attributes
 address-pool ssl-vpn-pool
 authentication-server-group YOUR_RADIUS
 default-group-policy ssl_vpn_policy
tunnel-group ssl_vpn_group webvpn-attributes
 authentication aaa certificate
In the lines above we created a new tunnel group (ssl_vpn_group) of type remote-access. In its general attributes we set the address pool (ssl-vpn-pool from step 2), the RADIUS server group used for user authentication (YOUR_RADIUS) and the group policy applied to clients once connected (ssl_vpn_policy from step 5). In the webvpn attributes we set the authentication method: authentication aaa certificate means a client must present a valid certificate and pass RADIUS username/password authentication; either one alone is not enough. A client certificate issued by a CA the ASA trusts must therefore be installed on every client machine (authentication certificate alone would skip the password entirely, which is weaker than what we want here).
Step 7 – Configure certificate field mapping
To select the tunnel group a connecting client belongs to, we map a field of the client certificate to the group name. For this example we use the following lines:
crypto ca certificate map ssl_vpn_map 10
 subject-name attr ou eq ssl_vpn_group
webvpn
 certificate-group-map ssl_vpn_map 10 ssl_vpn_group
In the lines above we mapped the OU field of the certificate subject to the name of the clients' tunnel group (ssl_vpn_group). So when you issue client certificates from your own CA or from an external one, set the OU field to the tunnel group name; the match is exact (eq) and it is mandatory for group identification. Because group membership is derived from a certificate field, only trust a CA whose certificate issuance you control; anyone who can obtain a certificate with that OU from a trusted CA lands in this group (and then still has to pass RADIUS authentication).
There is one more thing to note when using certificates for client authentication. The ASA needs a trustpoint (crypto ca trustpoint) holding the CA certificate that issued the client certificates, as well as its own identity certificate for the VPN interface, and each client needs the CA certificate plus its own client certificate. Issuing certificates for the ASA or for clients is not covered in this article. Also, since a RADIUS server is used for authentication, it has to be defined on the ASA, which is done with the following lines:
aaa-server YOUR_RADIUS protocol radius
aaa-server YOUR_RADIUS (YOUR_INTERFACE) host 10.0.0.5
 key your_radius_key
where YOUR_RADIUS is the name of the RADIUS server group on the ASA, your_radius_key is the shared secret the ASA uses to authenticate itself to the RADIUS server (replace the placeholder with a long random secret), and YOUR_INTERFACE is the ASA interface through which the RADIUS server is reachable.
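The seven steps above reference each other by name (pool, ACL, group policy, tunnel group, certificate map, RADIUS group), and a typo in any one of them produces a VPN that connects but passes no traffic. As an added example that is not part of the original article and not Cisco code, the following script parses an ASA-style configuration and checks that every referenced object is defined and that the address pool actually falls inside the source network of the vpn-filter ACL. The sample configuration embedded in it is constructed from the steps above (with the object groups collapsed into a single ACE, the outside/inside interface names and the 8.x svc keyword assumed) and deliberately keeps the original pool typo (192.168.116.254) so the audit has something to report.

```python
"""Audit an ASA SSL VPN config for dangling references and a pool that falls
outside the vpn-filter ACL. Added example, not Cisco code; the sample config is
constructed from the steps in this article and keeps the pool typo
(192.168.116.254) on purpose so the audit has something to report."""
import ipaddress

SAMPLE_CONFIG = """\
webvpn
 enable outside
 svc enable
ip local pool ssl-vpn-pool 192.168.1.1-192.168.116.254
access-list ssl-vpn-acl extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.100 eq 3389
access-list acl-split-vpn standard permit host 10.0.0.100
group-policy ssl_vpn_policy internal
group-policy ssl_vpn_policy attributes
 vpn-filter value ssl-vpn-acl
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-split-vpn
tunnel-group ssl_vpn_group type remote-access
tunnel-group ssl_vpn_group general-attributes
 address-pool ssl-vpn-pool
 authentication-server-group YOUR_RADIUS
 default-group-policy ssl_vpn_policy
tunnel-group ssl_vpn_group webvpn-attributes
 authentication aaa certificate
crypto ca certificate map ssl_vpn_map 10
 subject-name attr ou eq ssl_vpn_group
webvpn
 certificate-group-map ssl_vpn_map 10 ssl_vpn_group
aaa-server YOUR_RADIUS protocol radius
aaa-server YOUR_RADIUS (inside) host 10.0.0.5
 key your_radius_key
"""

# sub-command keyword -> (kind of object it references, token index of the name)
REFS = {"vpn-filter": ("acl", 2), "split-tunnel-network-list": ("acl", 2),
        "address-pool": ("pool", 1), "authentication-server-group": ("aaa", 1),
        "default-group-policy": ("policy", 1), "certificate-group-map": ("map", 1)}
# top-level commands that define a named object
TOP = {"group-policy": "policy", "tunnel-group": "group", "aaa-server": "aaa"}


def parse_blocks(text):
    """Split ASA config into (command tokens, [sub-command tokens]) blocks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.split())
        else:
            blocks.append((line.split(), []))
    return blocks


def ace_source(ace):
    """Source network of an extended ACE, or None for any / object references."""
    src = ace[3:5]  # tokens after 'extended permit <proto>'
    if src[0] == "host":
        return ipaddress.ip_network(src[1])
    if src[0] in ("any", "any4", "object", "object-group"):
        return None
    return ipaddress.ip_network(f"{src[0]}/{src[1]}")


def audit(text):
    """Return a list of problems; empty means every reference points at a defined object."""
    defined = {"acl": {}, "pool": {}, "policy": set(), "group": set(),
               "aaa": set(), "map": set()}
    refs, vpn_filters = [], set()
    for head, body in parse_blocks(text):
        if head[:3] == ["ip", "local", "pool"]:
            start, end = head[4].split("-")
            defined["pool"][head[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif head[0] == "access-list":
            defined["acl"].setdefault(head[1], []).append(head[2:])
        elif head[0] in TOP:
            defined[TOP[head[0]]].add(head[1])
        elif head[:4] == ["crypto", "ca", "certificate", "map"]:
            defined["map"].add(head[4])
        for sub in body:
            if sub[0] in REFS:
                kind, idx = REFS[sub[0]]
                refs.append((kind, sub[idx], " ".join(head)))
            if sub[0] == "vpn-filter":
                vpn_filters.add(sub[2])
            if sub[0] == "certificate-group-map":  # also names the tunnel-group
                refs.append(("group", sub[3], " ".join(sub)))
    problems = [f"{where}: {kind} '{name}' is not defined"
                for kind, name, where in refs if name not in defined[kind]]
    # The pool must lie inside each vpn-filter ACE's source network, otherwise
    # the ACL's implicit deny silently drops everything the client sends.
    for acl in vpn_filters:
        for ace in defined["acl"].get(acl, []):
            src = ace_source(ace) if ace[0] == "extended" else None
            for name, (start, end) in defined["pool"].items():
                if src is not None and (start not in src or end not in src):
                    problems.append(f"pool {name} {start}-{end} is outside "
                                    f"vpn-filter {acl} source {src}")
    return problems


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no problems found")
```

Run against the sample, audit() reports the pool as outside the 192.168.1.0/24 source of ssl-vpn-acl; correcting the pool end to 192.168.1.254 makes the list empty, and misspelling any referenced name (for example the vpn-filter ACL) is reported as undefined. On the ASA itself, the equivalent checks after pasting the configuration are test aaa-server authentication YOUR_RADIUS host 10.0.0.5 username <user> password <pass> for the RADIUS side and show vpn-sessiondb anyconnect (show vpn-sessiondb svc on pre-8.4 releases) to confirm a connected client received an address from the pool and the expected group policy.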