Cisco ASA 8.2 WebVPN + IPSEC RoadWarrior VPN config

1. Interface setup:

interface Vlan2
 nameif outside
 security-level 0
 ip address a.b.97.190 255.255.255.192
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0

2. VPN IP Pool setup

This is the pool of IP addresses that the SSL and IPsec clients will share:

ip local pool vpnpool 192.168.101.10-192.168.101.250 mask 255.255.255.0

3. NAT / No-NAT setup

This command lets traffic enter and leave the ASA on the same interface. VPN clients do not need it to reach the inside servers (that traffic enters on outside and leaves on inside), but they do need it to reach each other through the ASA, and you will need it if you later drop split tunneling and send client Internet traffic back out the outside interface:

same-security-traffic permit intra-interface

Disable NAT for traffic from an internal address to another internal address. The /16 covers both the inside LAN (192.168.100.0/24) and the VPN pool (192.168.101.0/24):

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat

4. Split tunnel ACL setup

This is the split tunnel access list that both VPN setups will share:

access-list split_tun_acl standard permit 192.168.100.0 255.255.255.0

The split tunnel policy uses a standard ACL (not extended). The networks the ACL matches are the destination networks as seen from the client, not the source networks. With the tunnelspecified policy, traffic to anything the ACL matches goes through the tunnel; everything else (i.e. Internet traffic) goes out the client's default route. Note that the VPN pool itself (192.168.101.0/24) is not in this list, so two connected clients cannot reach each other through the tunnel with the ACL as written.

Split tunneling is a good thing if you are worried about Internet performance. Some admins view it as bad policy because you are not capturing all Internet traffic and forcing it through a web proxy or web filter that keeps the end users' PCs safer, and because a split-tunneled client is simultaneously on its local network and yours.

5. SSL VPN Setup

Configure the SSL ciphers used:

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1

rc4-md5, rc4-sha1 and 3des-sha1 are legacy ciphers; unless you have clients that cannot negotiate AES, list only aes128-sha1 and aes256-sha1.

Generate the RSA key that will be used to sign the cert (the default modulus is 1024 bits; add "modulus 2048" to the generate command for anything you intend to keep), then create a self-signed trustpoint and enroll it:

crypto key generate rsa label sslvpnkeypair
crypto ca trustpoint localtrust
 enrollment self
 fqdn vpn.thisdomain.local
 subject-name CN=vpn.thisdomain.local
 keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm

The "crypto ca enroll localtrust noconfirm" command creates the local self-signed cert. Clients will get a certificate warning until you either import this cert on them or replace it with one issued by a CA they already trust.
The ASA may pause for a few seconds while the cert is generated and signed. These commands finish this part of the configuration (crl configure is a sub-command of the trustpoint):

crypto ca trustpoint localtrust
 crl configure
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable

Note: the tunnel-group-list enable command sends the list of VPN groups to the AnyConnect client for display in the dropdown. The image file anyconnect-win-2.2.0140-k9.pkg (or a newer copy) must be uploaded to the local ASA flash (disk0:) first.

Change the config below to match your internal DNS servers and DNS domain name. The address pool is the vpnpool defined in step 2; the name in address-pools value must match the ip local pool name exactly, or clients will authenticate and then fail to get an address:

group-policy SSLVPN internal
group-policy SSLVPN attributes
 banner value My SSL VPN
 banner value Unauthorized access prohibited
 dns-server value 192.168.100.10 192.168.100.20
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tun_acl
 default-domain value mydomain.local
 address-pools value vpnpool
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLVPN
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable

The group-alias string is what your AnyConnect clients see in the dropdown. Change it to your company/organization identifier, e.g. ACME_IT_SSL_VPN.

The last step for the SSL VPN is to add a local username:

username this_vpn_user password mypass123456
username this_vpn_user attributes
 service-type remote-access
 password-storage enable

The password-storage enable setting allows the end users to store their password inside the client if desired. It is not required and is off by default; omit the line for additional security. Download the AnyConnect client and you should be able to VPN in at this point. You may have to reboot the ASA to enable the WebVPN.

6. IPSEC Client setup
Enable IKE and set the IKE (phase 1) policy:

crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Phase 2 IPsec policies / transform sets:

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Only the transform set named in the dynamic map below is ever offered to clients; ESP-AES-128-SHA and ESP-DES-MD5 are defined but unused as written. Prefer binding ESP-AES-128-SHA instead of the 3DES set, and drop ESP-DES-MD5 entirely (single DES and MD5 are not acceptable for new deployments).

Build the crypto map and bind it to the outside interface:

crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

Build the VPN group policy:

group-policy IPSECVPNPolicy internal
group-policy IPSECVPNPolicy attributes
 banner value MY_IPSEC_VPN Unauthorized Access is prohibited.
 dns-server value 192.168.100.10 192.168.100.20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tun_acl
 default-domain value mydomain.local
 address-pools value vpnpool

Bind the policy to the tunnel group:

tunnel-group IPSECVPN type remote-access
tunnel-group IPSECVPN general-attributes
 address-pool vpnpool
 default-group-policy IPSECVPNPolicy
tunnel-group IPSECVPN ipsec-attributes
 pre-shared-key abc123test

The address-pool line under general-attributes is not strictly needed here: an address-pools value set in the group policy takes precedence over the tunnel group's pool. Keeping both is harmless as long as they name the same pool.

When the VPN client connects, the group name will be IPSECVPN and the group secret will be abc123test. The group secret is a pre-shared key shared by every user of that group, and the Cisco IPsec client negotiates it with IKEv1 aggressive mode, where anyone who knows the group name can obtain a hash derived from the PSK and attack it offline; use a long random value, not a word like abc123test. The ASA will then show the banner, and you connect as the username this_vpn_user, i.e. the one configured for SSL VPN access (local usernames are not tied to a particular tunnel group).
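As an added example (not the page's own code and not a Cisco tool), the script below reads a constructed excerpt of the config above and reports the points raised in this write-up: a pool-name mismatch between ip local pool and address-pools value (the excerpt deliberately references sslvpnpool against a pool named vpnpool so the check has something to catch), legacy SSL, IKE and ESP algorithms, transform sets that are defined but never bound to a crypto map, password-storage, and which destinations the split tunnel ACL actually sends through the tunnel. The weak-algorithm sets and all function names are this example's own assumptions, not ASA keywords.

```python
"""Offline audit of an ASA 8.2 remote-access VPN config (added example)."""
import ipaddress

# Constructed excerpt mirroring the page's config, trimmed to the lines
# the checks below read. The sslvpnpool reference is the mismatch the
# audit is meant to catch (the pool defined is vpnpool).
ASA_CONFIG = """\
ip local pool vpnpool 192.168.101.10-192.168.101.250 mask 255.255.255.0
access-list split_tun_acl standard permit 192.168.100.0 255.255.255.0
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
group-policy SSLVPN attributes
 split-tunnel-network-list value split_tun_acl
 address-pools value sslvpnpool
username this_vpn_user attributes
 password-storage enable
crypto isakmp policy 65535
 encryption 3des
 hash sha
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
group-policy IPSECVPNPolicy attributes
 address-pools value vpnpool
"""

# Algorithms this example treats as legacy/weak (assumption, not an ASA list).
WEAK_SSL = {"rc4-md5", "rc4-sha1", "3des-sha1", "des-sha1"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_IKE = {"des", "3des"}


def parse(config):
    """Pull out the pieces of an ASA config that the checks need."""
    cfg = {"pools": set(), "pool_refs": [], "ssl_ciphers": [],
           "transform_sets": {}, "ts_bound": set(), "std_acls": {},
           "ike_encryption": [], "password_storage": False}
    for line in config.splitlines():
        t = line.split()          # leading indent of sub-commands is dropped
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            cfg["pools"].add(t[3])
        elif t[:2] == ["address-pools", "value"]:
            cfg["pool_refs"].extend(t[2:])
        elif t[:2] == ["ssl", "encryption"]:
            cfg["ssl_ciphers"] = t[2:]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = set(t[4:])
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            cfg["ts_bound"].update(t[t.index("transform-set") + 1:])
        elif t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"]:
            # standard ACL: "access-list NAME standard permit NET MASK"
            net = ipaddress.ip_network(f"{t[4]}/{t[5]}")
            cfg["std_acls"].setdefault(t[1], []).append(net)
        elif t[:1] == ["encryption"]:          # isakmp policy sub-command
            cfg["ike_encryption"].append(t[1])
        elif t == ["password-storage", "enable"]:
            cfg["password_storage"] = True
    return cfg


def audit(cfg):
    """Return the findings as a list of strings, in config order."""
    f = []
    for ref in cfg["pool_refs"]:
        if ref not in cfg["pools"]:
            f.append(f"address-pools references undefined pool '{ref}'")
    for c in cfg["ssl_ciphers"]:
        if c in WEAK_SSL:
            f.append(f"weak ssl cipher enabled: {c}")
    for enc in cfg["ike_encryption"]:
        if enc in WEAK_IKE:
            f.append(f"isakmp policy uses weak encryption: {enc}")
    for name, algs in cfg["transform_sets"].items():
        if name not in cfg["ts_bound"]:
            f.append(f"transform-set {name} is defined but never bound to a crypto map")
        for alg in sorted(algs & WEAK_ESP):
            f.append(f"transform-set {name} uses weak algorithm {alg}")
    if cfg["password_storage"]:
        f.append("password-storage enable lets clients cache the VPN password")
    return f


def tunneled(cfg, acl_name, dst):
    """Client-side split-tunnel decision for policy 'tunnelspecified': the
    packet goes through the tunnel only if its destination is matched by
    the standard ACL; the source address (the client) plays no part."""
    dst = ipaddress.ip_address(dst)
    return any(dst in net for net in cfg["std_acls"].get(acl_name, []))


if __name__ == "__main__":
    cfg = parse(ASA_CONFIG)
    for finding in audit(cfg):
        print("FINDING:", finding)
    for dst in ("192.168.100.10", "192.168.101.20", "8.8.8.8"):
        route = "tunnel" if tunneled(cfg, "split_tun_acl", dst) else "local default route"
        print(f"{dst} -> {route}")
```

Running it on the excerpt reports the undefined sslvpnpool, the three legacy SSL ciphers, 3DES in the IKE policy, the two unbound transform sets plus the DES/MD5/3DES algorithms, and password-storage, and shows that 192.168.100.10 is tunneled while 8.8.8.8 and another client's pool address 192.168.101.20 go out the local default route.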