SSL VPN AnyConnect

Currently my org is in the middle of moving from an IPsec VPN to an SSL VPN.

I have it set up so that users can use the AnyConnect client to get VPN access, and they can access any internal servers or addresses but are not able to access the internet.

What would be the best solution to apply to give users the function to access external websites?

    Line 409: ip local pool SSL 10.x.x4.xx-10.x.x4.xx mask 255.255.255.0
    Line 844: ssl trust-point ASDM_TrustPoint0 inside
    Line 845: ssl trust-point ASDM_TrustPoint0 outside
    Line 860:  vpn-tunnel-protocol ssl-client ssl-clientless
    Line 863:   anyconnect ssl compression deflate
    Line 874:  vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
    Line 917:  vpn-tunnel-protocol ikev1 ssl-client
    Line 1072:  address-pool SSL
    Line 1076:  default-group-policy SSL_VPN
    Line 1077: tunnel-group SSLVPN webvpn-attributes
    Line 1079:  group-alias SSLVPN enable

Accepted Solution

Hi,

did you also try split-tunneling?

Here is a sample:

asa5505(config)# access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

asa5505(config)# group-policy SSLClientPolicy attributes

asa5505(config-group-policy)# split-tunnel-policy tunnelspecified

asa5505(config-group-policy)# split-tunnel-network-list value split-tunnel

asa5505(config-group-policy)# webvpn

asa5505(config-group-webvpn)# svc ask none default svc

asa5505(config-group-webvpn)# svc keep-installer installed

asa5505(config-group-webvpn)# svc rekey time 30

asa5505(config-group-webvpn)# svc rekey method ssl

BR

Hans-Juergen Guenter


4 Replies

Julio Carvajal
VIP Alumni

Hello Porfirio,

You need to perform an Outside NAT and allow same-security traffic for intra-interface traffic and, of course, tunnel all traffic.

Let me know if this answers your question or if you need something else.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

This is what is in place now.

The only thing I do not see configured is "allow same-security traffic for intra-interface traffic".

Currently we have users using the IPsec VPN, and it is configured to use split-tunneling. Is this something that could also be used in this SSL VPN setup?

Line 428: nat (inside,outside) source static any any destination static obj-10.x.x4.0 obj-10.x.x4.0 no-proxy-arp route-lookup

Sorry for all the questions. I was just given ownership of all the ASA needs, so I would be grateful for any help.

I'm thinking all I need is in this doc, but I'm not sure.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

Hello Porfirio,

What about the Outside NAT??

You need to do those 2 things (same security and outside NAT):

object network VPN_Anyconnect_pool
 subnet 192.168.10.0 255.255.255.0

nat (outside,outside) source dynamic VPN_Anyconnect_pool interface

same-security-traffic permit intra-interface

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
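As an added illustration, not code from this thread or from Cisco, the small Python audit below reads an ASA running-config fragment and reports, per group-policy, what is still missing for AnyConnect clients to reach the internet: a tunnelall policy needs both the same-security-traffic permit and the outside-to-outside NAT that Julio lists, while the split-tunnel approach from Hans-Juergen's post needs neither. The config text, object names and policy names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample, not a real device's config: a full-tunnel group policy and
# a split-tunnel one, with the inside NAT exemption from the thread but without
# the hairpin permit and outside NAT Julio describes.
SAMPLE_CONFIG = """\
object network VPN_Anyconnect_pool
 subnet 10.10.4.0 255.255.255.0
nat (inside,outside) source static any any destination static VPN_Anyconnect_pool VPN_Anyconnect_pool no-proxy-arp route-lookup
group-policy SSL_VPN attributes
 split-tunnel-policy tunnelall
group-policy SPLIT_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
"""

HAIRPIN = "same-security-traffic permit intra-interface"
OUTSIDE_NAT = re.compile(r"^nat \(outside,outside\) source dynamic \S+ interface\b")
GP_HEADER = re.compile(r"^group-policy (\S+) attributes$")
SPLIT_POLICY = re.compile(r"^\s+split-tunnel-policy (\S+)$")


def split_policies(config: str) -> Dict[str, str]:
    """Map each group-policy to its split-tunnel-policy (ASA default: tunnelall)."""
    policies, current = {}, None
    for line in config.splitlines():
        if m := GP_HEADER.match(line):
            current = m.group(1)
            policies.setdefault(current, "tunnelall")
        elif current and (m := SPLIT_POLICY.match(line)):
            policies[current] = m.group(1)
    return policies


def audit_internet_access(config: str) -> Dict[str, List[str]]:
    """Per group-policy, list what is still missing for VPN clients to reach the internet.
    tunnelall tunnels web traffic, so the ASA must hairpin it back out (intra-interface
    permit) and NAT the pool on outside; a split policy sends it directly and needs neither."""
    lines = [l.strip() for l in config.splitlines()]
    has_hairpin = HAIRPIN in lines
    has_outside_nat = any(OUTSIDE_NAT.match(l) for l in lines)
    report = {}
    for name, policy in split_policies(config).items():
        missing = []
        if policy == "tunnelall" and not has_hairpin:
            missing.append(HAIRPIN)
        if policy == "tunnelall" and not has_outside_nat:
            missing.append("nat (outside,outside) source dynamic <pool> interface")
        report[name] = missing
    return report
```

Run it against `show running-config` output saved to a file to see which of the two fixes a full-tunnel policy still lacks; an empty list means the policy's clients should reach the internet as far as these three settings are concerned.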
