Solved: SSL VPN AnyConnect

Porfirio Alvarado · ‎10-17-2012

Currently my org is in the middle of moving from a ipsec vpn to a ssl vpn.

I have it setup where users can use the anyconnect client to get VPN access and they can access any internal servers or address but are not able to access the internet.

What would be the best solution toa apply to get users the fucntion to access external websites.

ip local pool SSL 10.x.x4.xx-10.x.x4.xx mask 255.255.255.0

Line 409: ip local pool SSL

10.x.x4.xx-10.x.x4.xx mask 255.255.255.0

Line 844: ssl trust-point ASDM_TrustPoint0 inside

Line 845: ssl trust-point ASDM_TrustPoint0 outside

Line 860: vpn-tunnel-protocol ssl-client ssl-clientless

Line 863: anyconnect ssl compression deflate

Line 874: vpn-tunnel-protocol ikev1 ssl-client ssl-clientless

Line 917: vpn-tunnel-protocol ikev1 ssl-client

Line 1072: address-pool SSL

Line 1076: default-group-policy SSL_VPN

Line 1077: tunnel-group SSLVPN webvpn-attributes

Line 1079: group-alias SSLVPN enable

Hans Juergen Guenter · ‎10-18-2012

Hi,

did you also try split-tunneling?

Her a sample:

asa5505(config)# access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

asa5505(config)# group-policy SSLClientPolicy attributes

asa5505(config-group-policy)# split-tunnel-policy tunnelspecified

asa5505(config-group-policy)# split-tunnel-network-list value split-tunnel

asa5505(config-group-policy)# webvpn

asa5505(config-group-webvpn)# svc ask none default svc

asa5505(config-group-webvpn)# svc keep-installer installed

asa5505(config-group-webvpn)# svc rekey time 30

asa5505(config-group-webvpn)# svc rekey method ssl

BR

Hans-Juergen Guenter

View solution in original post

Julio Carvajal · ‎10-17-2012

Hello Porfirio,

You need to perform an Outside NAT and allow same-security traffic for intra-interface traffic and ofcourse tunnel all traffic.

Let me know if this answers your question or if you need something else

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Porfirio Alvarado · ‎10-17-2012

Julio,

This is what is in place now.

The only thing i do not see configured is allow same-security traffic for intra-interface traffic

Currerntly we have users using ipsec vpn and is configured to user split-tunneling is this something that could also be used in this ssl vpn setup.

Line 428: nat (inside,outside) source static any any destination static obj-10.x.x4.0 obj-10.x.x4.0 no-proxy-arp route-lookup

Sorry for all the questions. I was just given owner ship of all the ASA needs. So any help would be greatfull.

im thinkig all i need is in ths doc but not sure.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

Julio Carvajal · ‎10-17-2012

Hello Porfirio,

What about the Outside NAT??

You need to do those 2 thing ( same security and outside NAT)

Object network VPN_Anyconnect_pool

subnet 192.168.10.0 255.255.255.0

nat (outside,outside) source dynamic VPN_Anyconnec_pool interface

same-security-traffic permit intra-interface

Regards