AnyConnect SSL VPN in ASA for 8.2
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
Assigning IP address
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.10.1.1 255.255.255.0
no shut
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
no shut
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
copying anyconnect software client
copy tftp://192.168.200.10/anyconnect-win-2.4.1012-k9.pkg flash:
configuring Access-list
access-list no_nat extended permit ip 192.168.200.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list split-tunnel standard permit 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
Accessing address-pool for anyconnect SSL VPN clients
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
copying asdm in ASA
copy tftp://192.168.200.10/asdm-603.bin flash:
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
Exempting access-list with nat 0
nat (inside) 0 access-list no_nat.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
enable asdm on asa
http server enable
http 192.168.200.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
Enabling Anyconnect Access
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
Create a new Group Policy by name SSLCLientPolicy
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.200.20
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value tsweb.local
address-pools value SSLClientPool.
Create a new Group Policy by name manager
group-policy manager internal
group-policy manager attributes
banner value manager
dns-server value 192.168.200.20
default-domain value tsweb.local
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
address-pools value SSLClientPool
sysopt connection permit-vpn
creating username for asdm access
username test password P4ttSyrm33SV8TYp encrypted privilege 15
creating user for anyconnect vpn
username user1 password user1 encrypted privilege 2
username user1 attributes
vpn-group-policy SSLCLientPolicy
vpn-tunnel-protocol svc
service-type remote-access
creating user for anyconnect vpn
username manager1 password XrIbbjUkyfTmkooo encrypted privilege 2
username manager1 attributes
vpn-group-policy manager
vpn-tunnel-protocol svc
vpn-framed-ip-address 192.168.25.10 255.255.255.0
group-lock value manager
Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections by name SSLClientProfile
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections by name manager
tunnel-group manager type remote-access
tunnel-group manager general-attributes
address-pool SSLClientPool
default-group-policy manager
tunnel-group manager webvpn-attributes
group-alias manager enable
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa(config)#
open web browser and type ASA outside IP address https://10.10.1.1
Type down username and password it will install any connect software (you must be have administration permission on PC you are using ) and you are ready to access LAN resources
Great!
ReplyDelete