AnyConnect VPN using NAT instead of Routing?

lmalhoit
Level 1

Hi All,

I have a Cisco ASA 5505 with the default license that only allows the use of 3 interfaces (inside, outside, DMZ).  I'm already utilizing all 3 but I'd like to configure the AnyConnect Client VPN stuff.  I know with solutions like OpenVPN you can configure it to use NAT instead of actually giving it an interface with a different network and configuring routing.  Can anyone point me in the right direction on this for the ASA 5505?  Any help or documentation would be appreciated.

Thanks!

6 Replies

Hi Lauren,

There are three ways to assign an IP address to a VPN client:

vpn-addr-assign aaa

vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 5

For the AnyConnect client to be able to connect, an IP address must be assigned using any of the above methods.

On the ASA, it is required to set up a routable interface and the necessary commands to let the AnyConnect clients connect.

Please correct me if I am wrong, but if my understanding of the description is correct, then the OpenVPN solution is not an option.

Let me know.

Thanks.

Thanks for the quick reply!  So, I basically can't have VPN without getting licensing for more interfaces?

Thanks for the prompt response.

I am sorry, I am not understanding the question.

Could you please rephrase your problem or what you are trying to accomplish?

By default (Base license) the ASA allows two SSL connections (AnyConnect or WebVPN), so you can test it and then purchase more licenses.

There is a license limitation on the ASA5505, without a plus license, users from the DMZ interface won't be able to access either the inside or the outside, but the VPN terminates on the Outside, so you could still test access from outside to DMZ and from outside to inside without the plus license.

I am getting confused with the OpenVPN solution and the licensing question.

Thanks.

Okay, so you're saying I don't need another interface (network) for the VPN?  It will terminate on the Outside interface and I should be able to get to the inside. 

I tried setting it up and I used a pool of the already existing internal IPs.  I could connect to the VPN successfully, however I couldn't access anything.  I had the right IP, but no access to servers, etc. on the internal network.  I read in a forum that you cannot be on the same network as the inside network when coming in from the VPN and that's why I couldn't access anything.  Is that true?  If that is true then I would think I would need to create another network...which brings me back to my original issue, which is that I only have the base license and can't route any more networks.

My end goal is to just keep the 3 networks I have now and also have the AnyConnect VPN working.  Perhaps I'm describing it poorly...I'm just looking for the best way to do that. 

Thanks for your help!

Hi Lauren,

Thanks for the heads up.

So you were able to connect but unable to reach any internal networks?

Did you add the NAT rules to allow the VPN traffic?

Could you please share the configuration of your ASA?

Thanks.

Well, since it's using the same network as the internal network, would I really need more NAT rules? 

Here's the running config.  I've edited some of it for security reasons.

Result of the command: "show run"

: Saved
:
ASA Version 8.2(5)
!
hostname NSI-ASA
domain-name nsi.local
enable password 1jHVQf1AIEJ5mEz. encrypted
passwd .utzKrdFw5cnZJxP encrypted
names
name 192.168.200.0 Guest description Guest Access
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 32
switchport trunk allowed vlan 12,99
!
interface Ethernet0/3
switchport access vlan 99
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport trunk allowed vlan 1,60,70
switchport trunk native vlan 1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Vlan32
no forward interface Vlan1
nameif Guest-Wireless
security-level 55
ip address 192.168.32.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.x.x (edited)
name-server x.x.x.x (edited)
domain-name domain.local (edited)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service View tcp-udp
description VMware View
port-object eq 4172
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Guest_access
network-object Guest 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host x.x.x.x eq https (edited)
access-list outside_access_in extended permit tcp any host x.x.x.x eq www (edited)
access-list outside_access_in extended permit object-group TCPUDP any host x.x.x.x object-group View (edited)
access-list outside_access_in extended permit icmp any any
access-list NAT-EXEMPT remark These will not be NAT'D
access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit object-group TCPUDP 192.168.32.0 255.255.255.0 interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-Wireless 1500
ip local pool default-vpn 192.168.1.90-192.168.1.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NAT-EXEMPT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Guest-Wireless) 1 192.168.32.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.1.x https netmask 255.255.255.255
static (inside,outside) tcp interface 4172 192.168.1.x 4172 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.x www netmask 255.255.255.255
static (inside,outside) udp interface 4172 192.168.1.x 4172 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 (edited)
route inside 192.168.x.0 255.255.255.0 192.168.1.x 1 (edited)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server domain protocol nt
aaa-server domain (inside) host 192.168.1.250
nt-auth-domain-controller 192.168.1.250
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
....
EDITED
....
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd dns 192.168.1.x 192.168.1.x interface inside
dhcpd enable inside
!
dhcpd address 192.168.32.100-192.168.32.150 Guest-Wireless
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest-Wireless
dhcpd enable Guest-Wireless
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
port 444
enable inside
enable outside
dtls port 444
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLCLient internal
group-policy SSLCLient attributes
vpn-tunnel-protocol svc
group-policy SSLClient internal
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.x (edited)
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value domain.local
address-pools value default-vpn
webvpn
  url-list value Cisco_Switch
  svc ask enable
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
wins-server none
dns-server value 192.168.1.x
vpn-tunnel-protocol svc
default-domain value domain.local
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy AnyConnect internal
group-policy AnyConnect attributes
wins-server none
dns-server value 192.168.1.x
vpn-tunnel-protocol svc
default-domain value domain.local
vpn-group-policy DfltGrpPolicy
username admin password I2Ray8VMBc1s4CWn encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy1
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group SSLClient type remote-access
tunnel-group default type remote-access
tunnel-group default general-attributes
address-pool default-vpn
dhcp-server x.x.x.x
tunnel-group default webvpn-attributes
group-alias Default enable
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool default-vpn
authentication-server-group domain
default-group-policy AnyConnect
tunnel-group VPN webvpn-attributes
group-alias VPN enable
group-url https://x.x.x.x:444/VPN enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:01ade93eef062bd59a12f27c1a5111e5
: end

Thanks!
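The two things the thread keeps circling back to (a VPN pool carved out of the inside subnet, and whether the nat 0 exemption ACL covers VPN client traffic) can be checked offline against a pasted "show run". The script below is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the config posted above (interface subnets, the NAT-EXEMPT ACL, the default-vpn pool and the nat (inside) 0 line), flags the pool overlapping the inside subnet and the missing exemption entry, and then re-runs on a constructed variant with a pool outside every connected subnet and a matching NAT-exempt ACE. The 192.168.250.0/24 pool in that variant is an assumption chosen only so the check passes, not a recommendation for this particular ASA.

```python
"""Added check (not from the thread): parse a few ASA 8.2-style config lines
and flag (a) an AnyConnect pool that overlaps a connected interface subnet and
(b) an interface whose 'nat (X) 0 access-list' exemption does not cover the pool."""
import ipaddress

# Constructed excerpt of the posted running config; addresses are as posted,
# the redacted outside address (x.x.x.x) is skipped by the parser.
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address x.x.x.x 255.255.255.252
interface Vlan32
 nameif Guest-Wireless
 ip address 192.168.32.1 255.255.255.0
access-list NAT-EXEMPT remark These will not be NAT'D
access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
ip local pool default-vpn 192.168.1.90-192.168.1.99 mask 255.255.255.0
nat (inside) 0 access-list NAT-EXEMPT
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Constructed variant (an assumption, not the thread's answer): a pool outside
# every connected subnet plus a NAT-exempt entry from inside to that pool.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "ip local pool default-vpn 192.168.1.90-192.168.1.99 mask 255.255.255.0",
    "ip local pool default-vpn 192.168.250.10-192.168.250.19 mask 255.255.255.0",
) + "access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0\n"


def _net(addr, mask):
    """Build a network from ASA 'address mask' notation; None if redacted/invalid."""
    try:
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def parse_config(text):
    """Pull interface subnets, local pools, 'permit ip' ACEs and nat 0 ACL bindings."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat_exempt": {}}
    nameif = None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "interface":
            nameif = None  # new interface block; nameif not seen yet
        elif toks[0] == "nameif" and len(toks) == 2:
            nameif = toks[1]
        elif toks[:2] == ["ip", "address"] and nameif and len(toks) == 4:
            net = _net(toks[2], toks[3])
            if net:
                cfg["interfaces"][nameif] = net
        elif toks[:3] == ["ip", "local", "pool"] and len(toks) >= 5:
            start, end = toks[4].split("-")
            cfg["pools"][toks[3]] = (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
        elif toks[0] == "access-list" and toks[2:5] == ["extended", "permit", "ip"] and len(toks) == 9:
            src, dst = _net(toks[5], toks[6]), _net(toks[7], toks[8])
            if src and dst:
                cfg["acls"].setdefault(toks[1], []).append((src, dst))
        elif toks[0] == "nat" and toks[2:4] == ["0", "access-list"] and len(toks) == 5:
            cfg["nat_exempt"][toks[1].strip("()")] = toks[4]
    return cfg


def pool_overlaps(cfg):
    """(pool, interface) pairs where the pool range lies inside a connected subnet."""
    return [(pname, iname)
            for pname, (start, end) in cfg["pools"].items()
            for iname, net in cfg["interfaces"].items()
            if start in net or end in net]


def pool_nat_exempt(cfg, iface, pool):
    """True when the interface's nat 0 ACL has an ACE whose source overlaps the
    interface subnet and whose destination contains the whole pool range."""
    acl = cfg["nat_exempt"].get(iface)
    net = cfg["interfaces"].get(iface)
    start, end = cfg["pools"][pool]
    if acl is None or net is None:
        return False
    return any(src.overlaps(net) and start in dst and end in dst
               for src, dst in cfg["acls"].get(acl, []))


def audit(text):
    """Return human-readable findings; an empty list means both checks pass."""
    cfg = parse_config(text)
    findings = []
    for pname, iname in pool_overlaps(cfg):
        findings.append(f"pool {pname} overlaps {iname} subnet {cfg['interfaces'][iname]}")
    for pname in cfg["pools"]:
        for iname, acl in cfg["nat_exempt"].items():
            if not pool_nat_exempt(cfg, iname, pname):
                findings.append(f"nat 0 ACL {acl} on {iname} does not cover pool {pname}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(text) or ["no findings"])
```

Only `permit ip` entries with explicit address/mask pairs are parsed; ACEs using `any`, `host` or object groups are ignored, so a real audit would extend `parse_config` before trusting an empty result.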
