08-29-2016 11:52 AM - edited 02-21-2020 08:57 PM
I have been tasked with setting up a remote access VPN on an existing network using an ASA 5506-X. There is already a Linksys router installed as the firewall/wireless router and I want to add this ASA behind it, making as few changes to the current network setup as possible. I have very little experience with Cisco products; so far I've only accessed ASDM and the ASA via console. I don't know where to go from there... I apologize in advance for my inexperience. I just hope someone can point me in the right direction. I will try to be as detailed as possible; if you need more info, please just ask and I will do my best.
The setup I envision is as follows: WAN>(public IP)>Linksys Router>(private IP)>LAN>ASA
How do I configure the outside and inside interfaces (do I even need both?) in the ASA if I want to allow remote users to connect via the VPN and access resources on the LAN?
Can I configure it so only VPN traffic will be routed to the ASA? The current setup already has ports 80/443 forwarded to the web server, will that be a problem?
Can I assign a static IP from the Linksys as the outside interface on the ASA? I know more configuration will be required, but I don't know what.
Do I need a static IP pool? There will only be a max of 10 users at any given time, so I wanted to make a pool of 10 IPs. I also see that I can make a user database in the ASA VPN config; I was going to do that so users can log in with a username/password.
I realize that using an ASA for only a VPN is overkill, but I didn't choose the equipment, I just need to make it work. I want to make as few changes to the Linksys router as possible because it is in an office environment and other users have port forwarding setup for other various equipment, we also host a web server on our LAN.
08-29-2016 05:47 PM
Hi Russell,
you can do this:
lan------(inside)ASA(outside)---linksys router---isp
on the ASA:
interface gi0/1
security-level 0
nameif outside
ip address dhcp setroute >>> you can assign a static ip on the outside interface as well; if so, don't forget to add a default route pointing to the next hop
int gi0/2
security-level 100
nameif inside
ip address 192.168.10.1 255.255.255.0 (any private range subnet that does not overlap with your outside interface subnet)
if you plan to configure anyconnect (which uses ssl/tcp port 443), then it won't work as you have all the tcp 443 traffic being forwarded to the internal webserver.
you can set up anyconnect on a different port like 444
you need to configure a pool for 10 users to assign the users an ip to communicate to your internal network
ip local pool pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
make sure you download and place an anyconnect image in the flash of the ASA. you can use the below link to download the anyconnect client. there are 2 versions, 3.x and 4.x, available, both of which use a different licensing model.
https://software.cisco.com/download/release.html?mdfid=286281272&flowid=72042&softwareid=282364313&release=3.1.05187&relind=AVAILABLE&rellifecycle=&reltype=latest
http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html
http://www.petenetlive.com/KB/Article/0000628
http://www.petenetlive.com/KB/Article/0001013
==================================================================
webvpn
port 444
enable outside
anyconnect enable
anyconnect image flash:/anyconnect-win-3.1.14018-k9.pkg >>>>>only for windows users
tunnel-group-list enable
configure a split-tunneling acl which defines which internal networks will be accessible through the tunnel:
======================================================
access-list split standard permit 192.168.10.0 255.255.255.0
=============================================
group-policy anyconnect internal
group-policy anyconnect attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
================================================
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
default-group-policy anyconnect
address-pool pool
tunnel-group anyconnect webvpn-attributes
group-alias anyconnect enable >>>>> the "enable" keyword is required for the alias to appear in the client's group drop-down
====================================
create nat exemption for the vpn traffic:
=============================
object network pool
subnet 10.10.10.0 255.255.255.0
object network internal
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) 1 source static internal internal destination static pool pool no-proxy-arp route-lookup >>>>> the internal subnet is the source object on the (inside) side, the vpn pool is the destination reached via outside; if the two are swapped the rule never matches the decrypted vpn traffic and the return traffic gets PATed to the outside interface
object network obj-0.0.0.0
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface >>>>>>for internet access to the internal users
===================================================
create username and password in the local database as:
username test password test123
=======================================================
to connect using anyconnect client, enter the public ip of the ASA with port 444:
http://x.x.x.x:444
you can use the below doc for further reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_anyconnect.html
08-30-2016 03:13 AM
Thank you very much for the info, that will help me out greatly. I was kinda on the right track I guess.
The only questions I have now are: If I make the inside interface another private range different than the current private subnet (which is 192.168.2.0/24), is there a way to allow the remote VPN users to access network locations on the current private range? I need to allow users to access VMs that are hosted on the same machine as the web server...
Also, it is possible to do this without AnyConnect, right? I was just going to create a user database on the ASA and instruct the users to use the native VPN configuration built into Windows.
Thank you again for the information.
08-30-2016 05:10 PM
Hey Russell,
whichever internal subnets you need to access, you just have to add them to the split-tunneling acl and create nat-exemption for them.
if you plan to use the native client on windows, then you can connect using l2tp/ipsec.
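The rule in the reply above (every subnet in the split-tunnel ACL also needs a NAT exemption toward the VPN pool) is easy to get half right: the ACL is updated and the exemption is forgotten, or the exemption is written with the pool as the (inside,outside) source object. The following script is an added example, not part of this thread and not a Cisco tool. It parses ASA-style `ip local pool`, `access-list ... standard permit`, `object network`/`subnet` and twice-NAT `source static ... destination static ...` lines and reports every split-tunnel subnet that has no identity exemption to the pool. The two configurations it runs over are constructed from the snippets posted in this thread (with 192.168.2.0/24 added to the ACL but deliberately left without an exemption); the ACL name `split`, pool name `pool` and interface names `inside`/`outside` are the ones used above and are parameters. It also accepts the `(outside,inside)` form of the exemption, which this thread does not show.

```python
"""Check that every subnet in an ASA split-tunnel ACL has an identity NAT
exemption toward the AnyConnect address pool (added example, not from the thread)."""
import ipaddress
import re

# Constructed from the config posted in this thread: 192.168.2.0/24 was added
# to the split ACL but (deliberately) given no NAT exemption.
SAMPLE_CONFIG = """\
ip local pool pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
access-list split standard permit 192.168.10.0 255.255.255.0
access-list split standard permit 192.168.2.0 255.255.255.0
object network pool
 subnet 10.10.10.0 255.255.255.0
object network internal
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) 1 source static internal internal destination static pool pool no-proxy-arp route-lookup
object network obj-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
"""

# Same config with the exemption's objects swapped: the pool is named as the
# inside-side object, so the decrypted VPN traffic is never exempted.
SAMPLE_REVERSED = SAMPLE_CONFIG.replace(
    "source static internal internal destination static pool pool",
    "source static pool pool destination static internal internal",
)

NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\)(?: \d+)? source static (\S+) (\S+) destination static (\S+) (\S+)"
)

def parse_objects(cfg):
    """Map 'object network NAME' blocks to the ip_network of their subnet line."""
    objects, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"^object network (\S+)\s*$", line)
        if head:
            current = head.group(1)
            continue
        if not line.startswith(" "):
            current = None          # any other top-level line ends the block
            continue
        member = re.match(r"^\s+subnet (\S+) (\S+)\s*$", line)
        if member and current:
            objects[current] = ipaddress.ip_network(f"{member.group(1)}/{member.group(2)}")
    return objects

def parse_split_acl(cfg, acl_name):
    """Networks permitted by the standard ACL used as split-tunnel-network-list."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} standard permit (\S+) (\S+)\s*$")
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in map(pat.match, cfg.splitlines()) if m]

def parse_pool(cfg, pool_name):
    """Network containing the 'ip local pool' range, derived from its mask."""
    m = re.search(rf"^ip local pool {re.escape(pool_name)} (\S+)-(\S+) mask (\S+)", cfg, re.M)
    if not m:
        raise ValueError(f"ip local pool {pool_name} not found")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}", strict=False)

def parse_exemptions(cfg, objects):
    """Identity twice-NAT rules as (real_if, mapped_if, source_net, destination_net)."""
    rules = []
    for m in map(NAT_RE.match, cfg.splitlines()):
        if not m:
            continue
        real_if, mapped_if, src_real, src_mapped, dst_real, dst_mapped = m.groups()
        # Only rules that translate each side to itself are exemptions.
        if src_real != src_mapped or dst_real != dst_mapped:
            continue
        if src_real in objects and dst_real in objects:
            rules.append((real_if, mapped_if, objects[src_real], objects[dst_real]))
    return rules

def check_split_tunnel(cfg, acl="split", pool="pool", inside_if="inside", outside_if="outside"):
    """Return the split-tunnel subnets (as strings) that lack a NAT exemption to the pool."""
    objects = parse_objects(cfg)
    pool_net = parse_pool(cfg, pool)
    rules = parse_exemptions(cfg, objects)
    missing = []
    for net in parse_split_acl(cfg, acl):
        covered = False
        for real_if, mapped_if, src, dst in rules:
            # In 'nat (real,mapped) source static A A destination static B B' the
            # source object A sits behind the real interface and B behind the
            # mapped one; the VPN pool is reached through outside.
            if (real_if, mapped_if) == (inside_if, outside_if):
                covered |= net.subnet_of(src) and pool_net.subnet_of(dst)
            elif (real_if, mapped_if) == (outside_if, inside_if):
                covered |= pool_net.subnet_of(src) and net.subnet_of(dst)
        if not covered:
            missing.append(str(net))
    return missing

if __name__ == "__main__":
    for label, cfg in (("as corrected", SAMPLE_CONFIG), ("objects swapped", SAMPLE_REVERSED)):
        print(f"{label}: missing exemptions -> {check_split_tunnel(cfg) or 'none'}")
```

Run it against a `show running-config` capture after every change to the split ACL. One caveat that the check cannot express: in the topology in this thread the Linksys LAN (192.168.2.0/24) sits behind the ASA's outside interface, so VPN clients reaching it hairpin back out through outside; on an ASA that additionally needs `same-security-traffic permit intra-interface` and an exemption on the `(outside,outside)` interface pair, neither of which the script looks for.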
08-31-2016 03:32 AM
I got it working yesterday evening, thank you again for the help.