April 1, 2012

Cisco AnyConnect VPN on ASA 5505 with full tunneling

I have a remote server that I use for backup of my files in my home network. I wanted my backup server to be a part of my internal network as a member of my AD.

My backup solution is fairly simple as I use robocopy to mirror my local backup to my remote backup server. I have set the robocopy script to run through Task Scheduler in Windows.

I did not want my backup server to have any connection to the network it was physically connected to. So split-tunneling was not an option.

I found a couple of sources that I used. One over at Tech 21 Century, witch i practically followed most of the way, and the the other over at Cisco for the internet access part.

A TFTP server
The AnyConnect client software for your OS. Can be downloaded from here

In this example
The local network is:
The VPN network is:
Downloaded client software file: anyconnect-win-2.5.3055-k9.pkg
Cisco ASA Software Version 8.2(3)
Hardware: ASA5505
AD Domain FQDN: yourdomain.local

Here is the entire configuration I used: (don't copy paste the entire code on to your ASA, I recommend that you copy a line at the time)
copy tftp flash: cisco/anyconnect-win-2.5.3055-k9.pkg conf t webvpn svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1 enable outside svc enable exit ip local pool SSLClientPool mask access-list NONAT extended permit ip nat (inside) 0 access-list NONAT username user1 password YourPassword username user1 attributes service-type remote-access exit group-policy SSLCLientPolicy internal group-policy SSLCLientPolicy attributes dns-server value default-domain value yourdomain.local vpn-tunnel-protocol svc address-pools value SSLClientPool exit tunnel-group SSLClientProfile type remote-access tunnel-group SSLClientProfile general-attributes default-group-policy SSLCLientPolicy tunnel-group SSLClientProfile webvpn-attributes group-alias SSLVPNClient enable webvpn tunnel-group-list enable exit conf t same-security-traffic permit intra-interface group-policy SSLCLientPolicy attributes split-tunnel-policy tunnelall webvpn svc ask none default svc svc keep-installer installed svc rekey time 30 svc rekey method ssl exit exit aaa local authentication attempts max-fail 16 nat (outside) 1 That's it :)

default-domain value yourdomain.local This is not nessasary if you dont have a domain. This is so you can access netbios names on your domain.

conf t same-security-traffic permit intra-interface group-policy SSLCLientPolicy attributes split-tunnel-policy tunnelall webvpn svc ask none default svc svc keep-installer installed svc rekey time 30 svc rekey method ssl exit exit aaa local authentication attempts max-fail 16 nat (outside) 1 This is the part of the configuration where you enable access to the internet. If you are okay with split-tunneling, which uses the internet on the network where your client are connected, check out the article from Tech 21 Century below.

Tech 21 Century
Title: How To Configure AnyConnect SSL VPN on Cisco ASA 5500
URL: http://www.tech21century.com/how-to-configure-anyconnect-ssl-vpn-on-cisco-asa-5500/

Title: ASA 8.x: AnyConnect VPN Client for Public Internet VPN on a Stick Configuration Example
URL: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

No comments:

Post a Comment