12. August 2012 · Anyconnect without the portal? · Categories: Cisco

In ASDM go to Remote Access VPN > Network Client Access > Group Policies, select the group policy you would like to change and click Edit. In the group policy screen click on More Options, then uncheck Clientless SSL VPN and make sure SSL VPN Client is checked. Apply the change.

After this change users will hit the SSL VPN web page, log in, and then be connected with the AnyConnect client. The credentials from the SSL login web page will pass through to the AnyConnect client. If AnyConnect was not installed, it will be after the login.

18. July 2012 · ASA VPN Quick Copy Paste Setup · Categories: Cisco

ASA VPN Quick Copy Paste Setup

webvpn
enable outside
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LOCAL
!
username Username password UserPassword
username Username attributes
!
webvpn
svc image anyconnect-win-2.5.2014-k9.pkg 1
svc image anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image anyconnect-linux-2.5.2014-k9.pkg 3
!
svc enable
!
ip local pool client-pool 172.16.21.1-172.16.21.254 mask 255.255.255.0
!
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn
!
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool client-pool
!

!
object-group network VPN
network-object 172.16.21.0 255.255.255.0
object-group network INSIDE-NETWORK
network-object 10.10.10.0 255.255.255.0
group-object VPN
!
access-list VPNUSERS extended permit ip 10.10.10.0 255.255.255.0 any
access-list SplitACL standard permit 10.10.10.0 255.255.255.0
!
group-policy DfltGrpPolicy attributes
split-tunnel-network-list value VPNUSERS
dns-server value 10.10.10.20 10.10.10.21
default-domain value MyDomain.local
!
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
!
group-policy DfltGrpPolicy attributes
webvpn
svc ask none default svc
!
End


The above config is a VPN setup on a different subnet. It works well and has been tested several times on Cisco Adaptive Security Appliance Software Version 8.4(4)1.

** The setup command (guide) on the ASA is below. It doesn’t harm the config; it only shows you the steps. **

vpnsetup ssl-remote-access steps
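
Added example (not part of the original post): a small Python check that merges the repeated group-policy attributes stanzas the way the ASA does and reports the effective tunnel protocols and split-tunnel list. The sample is constructed from the ACL and group-policy lines of the config above; the audit function and its finding texts are illustrative names, and the parser assumes stanzas end at a "!" line as they do on this page.

```python
import re

# Constructed sample: the ACL and group-policy lines from the config above.
SAMPLE = """\
access-list VPNUSERS extended permit ip 10.10.10.0 255.255.255.0 any
access-list SplitACL standard permit 10.10.10.0 255.255.255.0
!
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn
!
group-policy DfltGrpPolicy attributes
split-tunnel-network-list value VPNUSERS
!
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
!
"""

def audit(config):
    """Return (merged group policies, findings) for an ASA 8.4-style config."""
    acls, policies, current = set(), {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"access-list (\S+) (?:standard|extended) ", line):
            acls.add(m.group(1))
            current = None
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            current = policies.setdefault(m.group(1), {})  # same dict on repeats
        elif line in ("", "!"):
            current = None  # assumption: "!" closes a stanza, as on this page
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.removeprefix("value ")  # later lines override
    findings = []
    for name, pol in sorted(policies.items()):
        acl = pol.get("split-tunnel-network-list")
        if "webvpn" in pol.get("vpn-tunnel-protocol", "").split():
            findings.append(f"{name}: clientless SSL VPN (webvpn) is enabled")
        if pol.get("split-tunnel-policy") == "tunnelspecified" and not acl:
            findings.append(f"{name}: tunnelspecified but no network list set")
        if acl and acl not in acls:
            findings.append(f"{name}: split-tunnel list {acl} is not defined")
    used = {pol.get("split-tunnel-network-list") for pol in policies.values()}
    for acl in sorted(acls - used):
        findings.append(f"ACL {acl} is not used by any split-tunnel list")
    return policies, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

On the sample it shows that the policy still allows clientless SSL VPN alongside the client, and that the split-tunnel list points at VPNUSERS while SplitACL is defined but not used for split tunneling.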

18. July 2012 · Cisco ASA Anyconnect Setup · Categories: Cisco

Getting Started with Cisco Anyconnect

For the last few years, Cisco has been attempting to do away with what they call the Cisco EZVPN client. This has been the solution used by many corporate users in the mobile workforce for secure access to enterprise data. The need for mobility certainly isn’t going away and Cisco has a new solution for this called Anyconnect. While the EZVPN client used IPSec, Anyconnect uses SSL to create a secure tunnel. From the wire, this connection looks very much like accessing any ecommerce site and alleviates some of the challenges of using IPSec on an ad hoc basis. In this article, we will start with a very basic ASA configuration and add a very basic Anyconnect configuration. There is actually a command that we can use to show us many of the configuration steps. We will also look at some of the additional items that typically need to be configured to achieve a basic Anyconnect environment.

Let’s start with the simplest possible ASA configuration. This can be achieved by using the “configure factory-default” command followed by configuring an outside IP address and default route. The relevant configuration is posted below. This output is from an ASA5505, so it uses VLANs as the layer 3 interfaces.

!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
!

The configuration above is sufficient in order to achieve the NAT and Firewall configuration for the following image.
