Overview
The anyconnect ask none default anyconnect command tells the ASA not to ask the user whether to use WebVPN or AnyConnect, but to start the download of the AnyConnect client automatically. The anyconnect dpd-interval command is used for Dead Peer Detection: the remote user's AnyConnect client checks every 30 seconds whether the ASA is still responding.
For Azure AD SSO: in the Add from the gallery section, type Cisco AnyConnect in the search box. Select Cisco AnyConnect from the results panel and then add the app. Wait a few seconds while the app is added to your tenant. Then configure and test Azure AD SSO for Cisco AnyConnect using a test user called B.Simon.
A group-policy and tunnel-group excerpt (group policy CBB, tunnel group BBC):
wins-server none
dns-server value 172.16.1.1
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
webvpn
url-list value CBB
anyconnect ask enable default webvpn timeout 30
customization value CBB
tunnel-group BBC type remote-access
tunnel-group BBC general-attributes
address-pool SSLPool1
default-group-policy CBB
tunnel-group BBC webvpn-attributes
A user's question about a similar setup: "I'm trying to configure the VPN on a Cisco ASA 5510. I can connect to it without any problem and I can ping my switch (172.16.1.2/24) but I can't ping the gateway (172.16.1.1/24) nor the Google public DNS. Here is my config:"
ASA Version 9.1(1)
!
hostname ciscoasa
names
ip local pool VPN-POOL 172.16.50.1-172.16.50.10 mask 255.255.255.0
!
interface Ethernet0/0
speed 100
duplex full
nameif ...
Replace asa.example.com with the FQDN of your ASA:
gateway-fqdn value asa.example.com
address-pools value PoolVPN
client-access-rule none
webvpn
anyconnect profiles value ExampleVPN type user
anyconnect ask none default anyconnect
tunnel-group TGVPN type remote-access
tunnel-group TGVPN general-attributes
address-pool PoolVPN
default-group-policy GPVPN
ASA: 8.3+ (Written/Tested on 9.0)
Authentication: Local (Local ASA User Database)
Type: Split-tunnel OR Non split-tunnel
The configurations below will work with 8.3+, but were written and tested on 9.0. When setting up an AnyConnect VPN tunnel, you can push all traffic from the client over the VPN (tunnel all) or use a split tunnel to send only traffic destined for selected subnets over the VPN tunnel. In layman's terms, with a split tunnel the client's internet traffic originates from its own ISP connection, while with tunnel all it originates from the ASA. The configuration examples below assume a basic setup equivalent to running factory-default, with users authenticating locally against the ASA. I will give examples of each configuration below.
Network Diagram
The ASA has a command that gives an overview of how to configure an Anyconnect SSL VPN, which in global configuration mode is vpnsetup ssl-remote-access steps. Here are the results of that command:
There are a few important things to note from Cisco’s directions:
- They are using the default names for configuring the group policy and tunnel groups, which will throw a warning that they already exist since they’re defaults
- The directions do not specify that you MUST attach the VPN Address pool to the tunnel group, which is necessary for it to work!
- They do not include how to create a split tunnel or a tunnel all to allow internet from the Anyconnect client.
- They are using outdated “svc” commands, which were replaced with “anyconnect”.
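The pitfalls above are easy to check mechanically. The following Python script is an added example, not code from the original post or from Cisco: it parses a small AnyConnect configuration excerpt (constructed here, with a tunnel-all policy and a split-tunnel policy, and with the address pool deliberately left off the second tunnel group) and reports the mistakes listed above. The object names (VPN-POOL, GP-TUNNELALL, GP-SPLIT, TG-ALL, TG-SPLIT, SPLIT-TUNNEL) are assumptions for the sample only.

```python
"""Added example (not from the original post): lint an ASA AnyConnect
configuration excerpt for the pitfalls listed above."""

# Constructed sample: a tunnel-all group policy plus a split-tunnel one.
# TG-SPLIT deliberately has no address-pool so the lint has something to find.
SAMPLE_CONFIG = """\
ip local pool VPN-POOL 172.31.200.1-172.31.200.50 mask 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.0.0
group-policy GP-TUNNELALL internal
group-policy GP-TUNNELALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group TG-ALL type remote-access
tunnel-group TG-ALL general-attributes
 address-pool VPN-POOL
 default-group-policy GP-TUNNELALL
tunnel-group TG-SPLIT type remote-access
tunnel-group TG-SPLIT general-attributes
 default-group-policy GP-SPLIT
"""


def parse_config(text):
    """Collect pools, ACLs, group-policy and tunnel-group settings from running-config text."""
    pools, acls, svc_lines = set(), set(), []
    group_policies, tunnel_groups = {}, {}
    context = None  # (kind, name) of the attributes block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if not raw[:1].isspace():
            # Top-level command: either a global definition or the start of a block.
            context = None
            if words[:3] == ["ip", "local", "pool"]:
                pools.add(words[3])
            elif words[0] == "access-list":
                acls.add(words[1])
            elif words[0] == "group-policy":
                group_policies.setdefault(words[1], {})
                if words[2:3] == ["attributes"]:
                    context = ("gp", words[1])
            elif words[0] == "tunnel-group":
                tg = tunnel_groups.setdefault(words[1], {})
                if words[2:4] == ["type", "remote-access"]:
                    tg["remote_access"] = True
                elif words[2:3] == ["general-attributes"]:
                    context = ("tg", words[1])
            continue
        # Indented line: belongs to the current block.
        if words[0] == "svc":  # legacy pre-AnyConnect keyword
            svc_lines.append(line)
        if context is None:
            continue
        kind, name = context
        if kind == "gp":
            if words[0] == "split-tunnel-policy":
                group_policies[name]["split_policy"] = words[1]
            elif words[0] == "split-tunnel-network-list" and words[1] == "value":
                group_policies[name]["split_list"] = words[2]
        elif kind == "tg":
            if words[0] == "address-pool":
                tunnel_groups[name]["address_pool"] = words[1]
            elif words[0] == "default-group-policy":
                tunnel_groups[name]["default_gp"] = words[1]
    return {"pools": pools, "acls": acls, "svc": svc_lines,
            "group_policies": group_policies, "tunnel_groups": tunnel_groups}


def lint(text):
    """Return a list of human-readable findings (empty list means nothing found)."""
    cfg = parse_config(text)
    findings = []
    for name, tg in cfg["tunnel_groups"].items():
        if not tg.get("remote_access"):
            continue
        pool = tg.get("address_pool")
        if pool is None:
            findings.append(f"tunnel-group {name}: no address-pool attached (clients cannot get an IP)")
        elif pool not in cfg["pools"]:
            findings.append(f"tunnel-group {name}: address-pool {pool} is not defined with 'ip local pool'")
        gp = tg.get("default_gp")
        if gp is not None and gp not in cfg["group_policies"]:
            findings.append(f"tunnel-group {name}: default-group-policy {gp} is not defined")
    for name, gp in cfg["group_policies"].items():
        policy, acl = gp.get("split_policy"), gp.get("split_list")
        if policy == "tunnelspecified":
            if acl is None:
                findings.append(f"group-policy {name}: tunnelspecified without a split-tunnel-network-list")
            elif acl not in cfg["acls"]:
                findings.append(f"group-policy {name}: split-tunnel-network-list {acl} is not defined")
        elif policy == "tunnelall" and acl is not None:
            findings.append(f"group-policy {name}: split-tunnel-network-list {acl} is ignored under tunnelall")
    for line in cfg["svc"]:
        findings.append(f"legacy command '{line}': use the 'anyconnect' form instead")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of show running-config to get the same checks on a real box. Note that the tunnel-all group policy later in this page carries a split-tunnel-network-list as well; the script flags that combination because the list has no effect under tunnelall.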
With that said, let’s move on to the configurations!
Anyconnect Configuration 1: Tunnel All
Anyconnect Configuration 2: Split Tunnel
Testing the Configuration
Open a web browser, connect to your ASA (https://vpn.domain.com or https://172.31.100.1), and you'll be prompted to log in. You can log in with the user account you created in the configuration above. The AnyConnect client will install automatically; if that fails, you may need to download and install it manually. Once installed, you can connect to your ASA's outside interface (vpn.domain.com or 172.31.100.1) and authenticate with the user you created.
Additional Notes
You may wish to use a third-party SSL certificate (e.g. Verisign, Thawte, GoDaddy) so end users are not prompted with certificate warnings. A Cisco ASA regenerates its default certificate on reboot, so whenever you cannot use a third-party certificate you should create your own self-signed certificate instead. You can create the self-signed certificate as follows:
As a matter of personal preference, I was never a HUGE fan of the ASA as a firewall appliance. For VPN termination, it's pretty slick but still has some issues. Either way, I have a 5505 at home that I use for firewall and VPN. Being bored some time ago (wish I had free time now) I decided to upgrade the device from 8.2 to 9.1 code. Along with this change came the dreaded ASA 8.3 NAT configuration change. I'd argue that NAT on the ASA never made true sense, but once you knew how it worked, you could make it do what you wanted it to do. Not knowing how to configure the new mode of NAT in the CLI, I decided to try it through ASDM (this of course breaking my 'ASDM is awful, never use it' rule; and yes, I know you have to use ASDM for some of the AnyConnect XML stuff). The ASDM configuration led to the automagic creation of NAT groups I didn't need, object groups I didn't need, and ACLs I didn't need. Somehow I managed to click enough buttons that it worked, but I wasn't happy with the end state of the config.
Fast forward to now. Now I want to be able to connect to VPN at my house, access local resources, as well as access the internet through my local Comcast connection (internet hairpin). Thinking this would be straight forward, I pulled down a copy of my ASA config into notepad and realized that it was full of random stuff I didn’t need. After some clean up, I came to some realizations about NAT on the newer ASA code. Namely, the fact that you don’t HAVE to use the NAT configuration under the objects themselves. This, at least for me, was a HUGE help. Let’s take a quick look at my config so you can see what I’ve setup…
So the real goal here is to be able to access a hosting container I use out on the internets from my laptop. The hosting container only allows certain IP addresses (my home IP) to access it. So if I could VPN to my house and use my home internet connection to access the hosting space from my laptop, I'd be all set!
In order to accomplish this, you need to do some ‘weird’ NAT configuration. I’m not going to run through my whole ASA config, but here are the important pieces…
hostname ASA
!
ip local pool vpn 10.20.30.249-10.20.30.253 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 10.20.30.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address <removed> 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif guest
security-level 50
ip address 192.168.127.1 255.255.255.248
!
boot system disk0:/asa911-k8.bin
!
same-security-traffic permit intra-interface
object network guest
subnet 192.168.127.0 255.255.255.248
object network locallan
subnet 10.20.30.0 255.255.255.0
object-group network VPNPOOL
network-object 10.20.30.248 255.255.255.248
!
nat (outside,inside) source static VPNPOOL VPNPOOL
nat (outside,outside) source dynamic VPNPOOL interface
nat (inside,outside) source dynamic locallan interface
nat (guest,outside) source dynamic guest interface
!
route outside 0.0.0.0 0.0.0.0 <removed> 1
route inside 10.0.0.0 255.255.255.0 10.20.30.117 1
!
telnet 10.20.30.0 255.255.255.0 inside
telnet timeout 1440
ssh timeout 5
console timeout 0
management-access inside
!
dhcpd address 10.20.30.100-10.20.30.200 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 192.168.127.2-192.168.127.6 guest
dhcpd dns 4.2.2.2 8.8.8.8 interface guest
dhcpd enable guest
!
webvpn
enable outside
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2017-k9.pkg 1
anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 2
anyconnect profiles vpn disk0:/vpn.xml
anyconnect enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy gp_anyconnect internal
group-policy gp_anyconnect attributes
dns-server value 4.2.2.2 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value splitvpn
webvpn
anyconnect profiles value vpn type user
anyconnect ask none default anyconnect
username <removed> password <removed>
tunnel-group tg_vpn type remote-access
tunnel-group tg_vpn general-attributes
address-pool vpn
default-group-policy gp_anyconnect
tunnel-group tg_vpn webvpn-attributes
group-url <removed> enable
without-csd
Lots of config there, but what I want to focus on are the lines that were bolded in the original: same-security-traffic permit intra-interface and the four nat statements. The first of these is what tells the ASA to allow the 'hairpin' to occur. Specifically, this command tells the ASA that it is OK for traffic to enter an interface and leave through the same interface (here the outside interface, security level 0). This allows VPN traffic to come in the outside interface encrypted and leave back out the outside interface to reach the internet.
The next four bolded lines are the NAT configuration, which is what I'm really interested in:
nat (outside,inside) source static VPNPOOL VPNPOOL
nat (outside,outside) source dynamic VPNPOOL interface
nat (inside,outside) source dynamic locallan interface
nat (guest,outside) source dynamic guest interface
Let’s line these statements up on our diagram to give you a visual of what’s actually going on…
The first NAT statement tells the ASA to pass the VPN client address space from the outside interface to the inside interface without translating it (an identity NAT). This allows my VPN pool (the tail end of my 10.20.30.40/24) to talk to the local LAN space.
The second NAT statement tells the ASA to take the VPN client space in the outside interface, back out the outside interface, but to dynamically overload it to the outside interface IP. This is the actual NAT hairpin configuration that allows a VPN client to come in the outside and then leave back out towards the internet with the NAT overload.
The last two NATs are simple dynamic overloads for the Local LAN and the Guest LAN network. This allows both RFC 1918 spaces to be hidden behind the outside interface of the ASA.
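To make the rule matching concrete, here is an added Python model (not code from the original post, and a simplification of what the ASA actually does) that parses the four nat statements above and reports, for each of the three traffic flows described, which rule matches and what the source address becomes. It uses the post's own object definitions and inside/guest interface addresses; the outside address 203.0.113.10 is a constructed stand-in for the redacted one. Manual NAT is evaluated top-down on (ingress interface, egress interface, source) only; the destination half of twice NAT and the reverse direction of static rules are left out.

```python
"""Added example (not from the original post): a simplified model of how the
four manual NAT rules are matched for the three flows discussed above."""
import ipaddress
import re

# Object definitions copied from the post's config.
OBJECTS = {
    "VPNPOOL": ipaddress.ip_network("10.20.30.248/29"),
    "locallan": ipaddress.ip_network("10.20.30.0/24"),
    "guest": ipaddress.ip_network("192.168.127.0/29"),
}
# inside/guest addresses are from the post; the outside address is a constructed stand-in.
INTERFACE_IP = {
    "outside": "203.0.113.10",
    "inside": "10.20.30.1",
    "guest": "192.168.127.1",
}
NAT_RULES = """\
nat (outside,inside) source static VPNPOOL VPNPOOL
nat (outside,outside) source dynamic VPNPOOL interface
nat (inside,outside) source dynamic locallan interface
nat (guest,outside) source dynamic guest interface
"""
RULE_RE = re.compile(r"nat \((\w+),(\w+)\) source (static|dynamic) (\S+) (\S+)")


def parse_rules(text):
    """Turn the nat lines into an ordered list of rule dicts (order matters: first match wins)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            ingress, egress, kind, real, mapped = m.groups()
            rules.append({"ingress": ingress, "egress": egress, "kind": kind,
                          "real": real, "mapped": mapped, "text": line.strip()})
    return rules


def translate(ingress, egress, src, rules, intra_interface_permitted=True):
    """Return (translated source or None if dropped, matched rule text or reason).

    Simplified model: rules are tried top-down and matched on ingress, egress and the
    real source object only. 'static X X' is identity NAT; 'dynamic X interface' is PAT
    to the egress interface address.
    """
    src_ip = ipaddress.ip_address(src)
    if ingress == egress and not intra_interface_permitted:
        # Hairpin traffic is dropped unless same-security-traffic permit intra-interface is set.
        return None, "dropped: same-security-traffic permit intra-interface is missing"
    for rule in rules:
        if (rule["ingress"], rule["egress"]) != (ingress, egress):
            continue
        if src_ip not in OBJECTS[rule["real"]]:
            continue
        if rule["kind"] == "static" and rule["mapped"] == rule["real"]:
            return str(src_ip), rule["text"]            # identity NAT: address unchanged
        if rule["kind"] == "dynamic" and rule["mapped"] == "interface":
            return INTERFACE_IP[egress], rule["text"]   # PAT overload to the egress interface
        raise NotImplementedError(rule["text"])
    return str(src_ip), None  # no manual NAT rule matched; address passes unchanged


if __name__ == "__main__":
    rules = parse_rules(NAT_RULES)
    for flow in [("outside", "inside", "10.20.30.250"),    # VPN client -> local LAN
                 ("outside", "outside", "10.20.30.250"),   # VPN client -> internet (hairpin)
                 ("inside", "outside", "10.20.30.50"),     # LAN host -> internet
                 ("guest", "outside", "192.168.127.3")]:   # guest host -> internet
        print(flow, "->", translate(*flow, rules))
    print(translate("outside", "outside", "10.20.30.250", rules, intra_interface_permitted=False))
```

Running it shows the identity rule leaving the VPN client address untouched toward the LAN, the hairpin rule rewriting it to the outside address, and the hairpin flow being dropped outright when the same-security-traffic line is absent, which is the failure mode you see when that one line is forgotten.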
Not really a ton to it actually, but I did struggle initially with the NAT until I figured out I could do it without defining the NAT under the network object itself.