
21 Nov 12 Internet traffic and Cisco AnyConnect

Routing Internet traffic when using Cisco AnyConnect – Cisco ASA 5520 Code 8.4

Previously I worked on the Cisco AnyConnect VPN configuration on a Cisco ASA 5520 running 8.4 code. With everything working, I was able to access all the internal resources, however I was unable to access the Internet. Now I need to give users access to the Internet. There are two ways of doing this:

  • Split tunneling
  • Tunnel All Traffic

If I do split tunneling, users will be able to access the Internet while connected to the Cisco AnyConnect VPN, however they will be using their local Internet connection, which is not considered very secure. So I decided to send their Internet traffic via the Cisco AnyConnect VPN as well, so that when they go out to the Internet they go out via the corporate connection. Here are quick examples of both:

Split Tunneling

If you want to do split tunneling, look at the screenshot below. Under Group Policy go to “Advanced –> Split Tunneling”, change the Policy to “Tunnel Network List Below”, and under Network List select the access list you want associated with it. The access list will look something like this:

“access-list ACL-NAME extended permit ip object-group INSIDE-NETWORK object-group REMOTE-VPN-NETWORK”.

Split Tunnel Cisco ASA 5520

Here is how the command line will look:
group-policy SPLIT-TUNNEL internal
group-policy SPLIT-TUNNEL attributes
banner value You are accessing a secure system, all activity will be logged.
wins-server value 192.168.0.2 192.168.0.13
dns-server value 192.168.0.2 192.168.0.12
vpn-simultaneous-logins 10
vpn-idle-timeout 240
vpn-session-timeout 1440
vpn-tunnel-protocol ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL-ACL
default-domain value XXXX.COM
split-tunnel-all-dns enable

Tunnel All

Now with this method all traffic, including Internet traffic, will traverse the Cisco AnyConnect VPN and use the corporate Internet connection to go online. The Group Policy will look like this:
Tunnel All Cisco ASA 5520

Here is how the command line will look:
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 192.168.0.2 192.168.0.12
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
default-domain value xxx.com

Now there is a small step that I performed so that outgoing traffic from all the remote users uses a different public IP address than the one defined on the outside interface. Also the key point here is that in order to tunnel all traffic, the VPN traffic needs to be able to make a “U” turn, i.e. go back out the same interface it came in on (hairpinning). There are a couple of commands that were needed for that part:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Now for NATing to a different public IP, here is what I did:

object network AnyConnect
subnet 172.16.0.128 255.255.255.128
nat (outside,outside) dynamic x.x.x.x

I took the AnyConnect network and made it go back out the outside interface with a different public IP.
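As an added check (not part of the original post), here is a small Python audit that reads an ASA running-config and flags the two pitfalls described above: a tunnelall group policy without the intra-interface hairpin or without a nat (outside,outside) rule, and a tunnelspecified policy whose split-tunnel ACL is never defined. The sample config is constructed from the snippets on this page, with the hairpin and NAT lines left out so there is something to report.

```python
import re
# Constructed sample (not the post's full config); hairpin and nat (outside,outside) lines left out on purpose.
SAMPLE_CONFIG = """\
group-policy SPLIT-TUNNEL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
group-policy GroupPolicy_AnyConnect attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
"""

# Attribute keywords that belong to a group-policy block; lets the parser work even when the config is pasted flat.
ATTR_KEYWORDS = {"split-tunnel-policy", "split-tunnel-network-list", "vpn-tunnel-protocol",
                 "dns-server", "wins-server", "banner", "default-domain", "vpn-idle-timeout",
                 "vpn-session-timeout", "vpn-simultaneous-logins", "split-tunnel-all-dns"}

def parse_group_policies(config):
    """Map each group-policy name to its attribute lines."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"group-policy (\S+) attributes$", line)
        if match:
            current = match.group(1)
            policies.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ATTR_KEYWORDS:
            policies[current].append(line)
        elif line:
            current = None  # any other top-level command ends the block
    return policies

def audit(config):
    """Return one finding per tunnel-all / split-tunnel pitfall the post describes."""
    lines = [l.strip() for l in config.splitlines()]
    has_hairpin = "same-security-traffic permit intra-interface" in lines
    has_outside_nat = any(l.startswith("nat (outside,outside)") for l in lines)
    defined_acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    findings = []
    for name, attrs in parse_group_policies(config).items():
        policy = next((a.split()[-1] for a in attrs if a.startswith("split-tunnel-policy ")), None)
        if policy == "tunnelall" and not has_hairpin:
            findings.append(f"{name}: tunnelall without 'same-security-traffic permit intra-interface' (no U-turn)")
        if policy == "tunnelall" and not has_outside_nat:
            findings.append(f"{name}: tunnelall without a 'nat (outside,outside)' rule for the client pool")
        if policy == "tunnelspecified":
            acl = next((a.split()[-1] for a in attrs if a.startswith("split-tunnel-network-list value ")), None)
            if acl not in defined_acls:
                findings.append(f"{name}: split-tunnel-network-list references undefined access-list '{acl}'")
    return findings
```

Feed it the output of `show running-config` to confirm the hairpin, NAT and split-tunnel ACL are all present before rolling a tunnel-all policy out to users.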


05 Nov 12 Configure Microsoft NPS 2008 for Cisco AnyConnect VPN

Microsoft NPS 2008 Server configuration for Cisco AnyConnect VPN Client

Previously I explained how I configured the Cisco AnyConnect VPN on the Cisco ASA 5520. In that configuration, instead of using local authentication I used RADIUS authentication. In this article I am going to talk about how I configured the RADIUS server, Microsoft NPS 2008, to provide authentication for Cisco AnyConnect clients.

Since the Cisco ASA configuration has already been explained, I’m only putting the Microsoft NPS 2008 Server steps here:

  • I started by creating a new policy; under Overview I left the settings as shown in the picture below (Note: you can name the policy whatever you like)
  • Next, under Conditions, there are two things I had to add: 1) the Windows group that I wanted to allow to use the Cisco AnyConnect VPN, 2) NAS IPv4 Address = the Cisco ASA’s inside interface IP
  • Next, under Constraints, the only thing I changed was the Authentication Method, which I set to MS-CHAP-v2. There are other methods available as well, but for now I just picked this
  • That is it. After all these steps and saving my settings, I added a test user to my AnyConnect group and was able to sign into the Cisco AnyConnect VPN. As soon as I took that user out of the group I was no longer able to sign in.

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo :).


05 Nov 12 Configuring Cisco AnyConnect on Cisco ASA 8.4

Cisco AnyConnect configuration on Cisco ASA 5520 – 8.4 code

As most of us know by now, Cisco has announced End of Sale and End of Life for the Cisco VPN Client (Details Here). Our migration option from the Cisco VPN Client is Cisco AnyConnect. Cisco AnyConnect is supported on both 32 and 64 bit versions of Windows. And yes, there is licensing involved too. Here is some information on Cisco ASA and Cisco AnyConnect licensing. So now my notes on configuring Cisco AnyConnect VPN on a Cisco ASA 5520 firewall running 8.4 code.

There are different ways to accomplish this, i.e. the command line or Cisco ASDM. I actually used a mixture of both. It is pretty easy and fast to configure the Cisco AnyConnect profile via the ASDM wizard initially, so I used that procedure:

  • After opening the ASA’s ASDM, from the top I picked the option Wizard –> VPN wizard –> AnyConnect VPN wizard. Here is what the first screen looks like:
  • Next you name the connection profile. Note here that multiple profiles can be created for different purposes, such as a profile for the IT department, a profile for the executives and a profile for the regular users, and give them access accordingly.
  • On the next screen, under VPN Protocols – SSL/IPSec, I picked both protocols for now; however eventually I am going to change that as I will be getting the Essentials license, which gives me the Cisco AnyConnect IPSec license. But for now by default I have two SSL licenses, so I wanted to use them at least for testing purposes. Also, under Device Certificate I picked the self-signed certificate for now; however eventually I will be adding a valid third party SSL certificate and will have a separate how-to on that.
  • Next I had to specify the Cisco AnyConnect client image. I already had it loaded on the ASA 5520 firewall, so I simply clicked on Browse Flash and added it from there; however you also have the option to upload it here if you do not already have it loaded on the Cisco ASA. I was using the latest version, file name: anyconnect-win-3.1.00495-k9.pkg.

  • The next screen asks for the Authentication Method. Since I already have the Microsoft NPS 2008 server set up, I picked RADIUS. Note: I will have a separate how-to on setting up the Microsoft NPS 2008 server as a RADIUS server for Cisco AnyConnect. You can also use other types of authentication, such as Kerberos, LDAP etc., if you like.

  • The next screen asks for the DHCP Pool to be used for the Cisco AnyConnect VPN clients. If there is one already defined it can be used; I defined a new scope by clicking on the New button. This can also easily be created in advance via the command line:

    ip local pool AnyConnect_DHCP 10.251.0.34-10.251.0.46 mask 255.255.255.240

  • In the next section I specified the DNS servers that the Cisco AnyConnect clients will use after connecting.
  • The next screen was for NAT Exempt, which means it was asking me if I want the Cisco AnyConnect VPN clients’ network to be excluded from any kind of NAT. The first line at the top says: “If network address translation is enabled on the ASA, the VPN traffic must be exempt from this translation.” Well, NAT is enabled, so I checked the box. If you forget to check it or leave it for now, it can easily be done via the command line:

    object-group network Inside_Net
    network-object 192.168.0.0 255.255.255.0
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
    !
    object network AnyConnect
    subnet 10.251.0.32 255.255.255.240
    !
    nat (inside,outside) source static Inside_Net Inside_Net destination static AnyConnect AnyConnect
    !
    object network VPN-Pool-internet
    subnet 10.251.0.32 255.255.255.240
    ! second-public-ip is the outgoing public IP for the VPN
    nat (outside,outside) dynamic second-public-ip

  • On the next screen I checked the option to Allow Web Launch.
  • The next screen is the last one and just shows a summary of everything. I simply clicked on “Finish” and that is it.


Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂


30 Oct 12 AnyConnect Error – No Address Available for SVC Connection

Cisco AnyConnect Client error message – No address available for SVC Connection

Recently, working on a Cisco AnyConnect project, I ran into this error message. I could see that it was connecting and letting me type my password in, but it would then disconnect, giving me the error message “No Address Available for SVC Connection”. After looking around for a few minutes it turned out to be a pretty easy fix. I had set up a local DHCP pool on the ASA for the Cisco AnyConnect VPN, but under Assignment Policy I forgot to check the box to allow the locally created DHCP pool. See the screenshot below:

This was on a Cisco ASA 5520 with 8.4 code.


16 Jul 12 Cisco ASA Policy Based Static Source NAT

How to perform Policy Based Static Source NAT for an IPSec VPN between Cisco ASA and IOS Router

Setting up VPN connectivity between multiple locations is a pretty common task these days. It is a very simple and straightforward setup unless NAT comes into play, for example when there are multiple offices with overlapping subnets. Usually in that scenario the solution is simple: both sides perform NAT and present their internal network as something else to the other location in the VPN tunnel.

Recently I had a unique situation. I was working on a firewall with multiple VPNs and pretty much all of them had a standard setup. There were a couple of VPNs that needed a non-standard setup because of overlap in their networks. This was the scenario:

  • The subnets on both sites were the same, i.e. 192.168.1.0/24
  • Site A had a Cisco ASA and Site B had a Cisco IOS router
  • Site B was performing NAT overload and presenting their internal subnet as another IP via the IPSec tunnel
  • Site B needed to communicate with a couple of hosts located at Site A (192.168.1.10 and 192.168.1.11)
  • Since the 192.168.1.0/24 network was also being used at Site B, hosts at Site B couldn’t reach those two hosts at Site A
  • What we needed was to perform a static policy based source NAT on the Cisco ASA so that hosts from Site B, instead of sending traffic to 192.168.1.10 and 192.168.1.11, send traffic to other IPs such as 1.1.1.1 and 2.2.2.2
  • The next issue was that since there were multiple VPNs on the Cisco ASA and other remote sites were accessing the 192.168.1.11 and 192.168.1.10 hosts, I needed to set up NAT on my end in a way that applies only to this one site and does not affect the other VPNs
  • Take a look at the picture below to get an idea; after that I will elaborate a bit more on how I accomplished it

I’m not going to go deep into setting up the whole VPN on both ends because that is not the topic here. Basically, on the Cisco router at Site B, NAT overload was used for the IPSec VPN and the whole internal network 192.168.1.0/24 was being NATed as 172.16.1.1 towards the Cisco ASA at Site A. Now for the interesting traffic on both ends, instead of 192.168.1.10 and 192.168.1.11, 1.1.1.1 and 2.2.2.2 were used.

Here are the Cisco ASA steps that I used to perform Policy Based Static Source NAT:

access-list POLICYNAT1 extended permit ip host 192.168.1.10 host 172.16.1.1
access-list POLICYNAT2 extended permit ip host 192.168.1.11 host 172.16.1.1
!
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 2.2.2.2 access-list POLICYNAT2

Don’t forget the crypto map on the Cisco ASA used the reverse of what was set up on the Cisco IOS router at Site B, i.e. 1.1.1.1 to 172.16.1.1 and 2.2.2.2 to 172.16.1.1. So this basically translated 192.168.1.10 and 192.168.1.11 into 1.1.1.1 and 2.2.2.2 every time the source was 192.168.1.10 or 192.168.1.11 and the destination was 172.16.1.1 (ONLY). Similarly, when the hosts from Site B communicated with 1.1.1.1 or 2.2.2.2, the Cisco ASA translated those IPs to 192.168.1.10 and 192.168.1.11 and then back to 1.1.1.1 and 2.2.2.2 on the way out. Hope this will help out someone else out there 🙂
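As an added illustration (not part of the original post), this small Python model of the pre-8.3 `static ... access-list` policy NAT parses the exact lines above and shows why the translation applies only to traffic to and from the Site B peer 172.16.1.1, while the other VPN sites keep reaching 192.168.1.10 and 192.168.1.11 untouched. The config string is the post's own snippet pasted in as constructed input.

```python
import re

# Constructed sample: the post's pre-8.3 ASA snippet, pasted verbatim.
ASA_CONFIG = """\
access-list POLICYNAT1 extended permit ip host 192.168.1.10 host 172.16.1.1
access-list POLICYNAT2 extended permit ip host 192.168.1.11 host 172.16.1.1
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 2.2.2.2 access-list POLICYNAT2
"""

ACE = re.compile(r"access-list (\S+) extended permit ip host (\S+) host (\S+)")
STATIC = re.compile(r"static \(inside,outside\) (\S+) access-list (\S+)")

def load_policy_nat(config):
    """Join each static with its ACE and return (real_src, real_dst, mapped_src) tuples."""
    aces = {m.group(1): (m.group(2), m.group(3)) for m in ACE.finditer(config)}
    return [(*aces[m.group(2)], m.group(1)) for m in STATIC.finditer(config)]

def outbound(rules, src, dst):
    """inside -> outside: rewrite the source only if BOTH ACE fields (source and destination) match."""
    for real_src, real_dst, mapped in rules:
        if src == real_src and dst == real_dst:
            return mapped, dst
    return src, dst  # no ACE match: traffic to any other site leaves untranslated

def inbound(rules, src, dst):
    """outside -> inside: undo the mapping, but only for traffic coming from the matched peer."""
    for real_src, real_dst, mapped in rules:
        if dst == mapped and src == real_dst:
            return src, real_src
    return src, dst
```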

Note: This example is for pre-8.3 code. Please keep in mind that this is a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂 .


27 Mar 12 Linksys RV042 and RV082 NAT for IPSec VPN

How to NAT an internal subnet to another network on the RV042/RV082 when creating an IPSec VPN?

Recently I had to work on a couple of situations where customers on the other end were using Linksys RV042 and RV082 routers and we were using a Cisco 2851 router. Building a simple IPSec VPN, peer to peer or gateway to gateway, was not an issue. The issue was getting traffic from the customer’s internal network to our network. We asked the customer if they could NAT their internal subnet, or at least one or two IPs, to another network so that the traffic presented to our device is not their internal subnet but the other network instead. Note: this comes in handy when there is an issue with overlapping subnets.

Now these two Linksys models, the RV042 and RV082, offer a One-to-One NAT option. However this option is only applicable if you want to NAT an internal host (IP) to a public IP. It will not work if you are trying to NAT an internal subnet to another private network for the IPSec VPN.

The workaround is to perform the NAT on the Cisco router. I hope Linksys will enable that feature in later releases of the firmware, but as of now it isn’t available. If anyone else finds any other information related to this I’d be happy to check it out, and it would be useful to so many of us.

