ASA 5510 for Easy VPN help

Hamper19

IS-IT--Management
Jun 24, 2009
I need to get some 64 bit machines able to use the Cisco Easy VPN Client, but am unsure how to do it.

I already have a RA VPN setup where I can use the regular Cisco VPN Client. Is there a way to "add" Easy VPN access to that same tunnel? If so, can someone point me in the right direction? I believe I'm running 7.2(3) right now.
 
Sorry, I meant AnyConnect VPN; I've never used that.
 
Clientless SSL VPN (WebVPN) on ASA Configuration Example

If you have a pair of ASAs in failover, be careful: SSL VPN disables failover configuration in ASDM. It may still work, but configuration changes become impossible without disabling SSL VPN. It may still work from the CLI if failover is already enabled; I don't know.

If you are like most looking for 64-bit options with limited complexity, and you are using the Cisco VPN Client already with your IPsec, 3DES/AES, RADIUS/LDAP integrated config, you are out of luck. It would seem Cisco is leaning towards the more trusted and secured SSL VPN, but this requires additional licensing for any more than 2 simultaneous SSL VPN connections (the 5510 can do up to 250 IPsec or SSL VPN connections).

Quoted from Cisco:
For x64 (64-bit) Windows support, you must utilize Cisco's next-generation Cisco AnyConnect VPN Client.

Easy VPN is a bit different than your current config and I don't think you can share too many components from your existing config with an Easy VPN config (maybe the VPN IP address pools and possibly the tunnel groups).

Here are some others talking about 64-bit IPSEC options:
Windows 7 and XP Mode
Not free, but supports IPSEC gateway access
A nice discussion with some hints to clients that may help you

I hope this helps you.
DigiMahn
 
What about creating a new SSL VPN tunnel via CLI? Do you know of any links to that? I see stuff for 8.0 and mostly ASDM on the Cisco site. I don't have a problem with creating a whole new VPN tunnel, as it is just for a few of us internally. We are a small company at the moment and only have one ASA 5510, no failover yet.
 
Many docs point to the ASDM because, quite frankly, it's easier for MOST to understand. I for one have trouble remembering the order in which VPN configs need to be done, but I end up getting it done, and I try not to cripple myself by using the GUIs for Cisco's products. Sometimes it's good to look at it, though... some things show up clearly as an "uh oh".

Some of these show both ASDM and applicable CLI commands...

Look for the sections labeled "Remote Access VPN", "Easy VPN", "SSL VPN/Web VPN". "Miscellaneous" and "Troubleshooting" sections have some good VPN stuff too...
Cisco ASA 5500 Series Adaptive Security Appliances - Configuration Examples and TechNotes

Not quite what you were after, but good info nonetheless.

For your windows mobile devices - L2P Client (could use with XP and Vista too I imagine)

Cisco Wiki can be very helpful, but like Walmart...don't go if you are in a hurry!

Do you have SmartNet? You can call for help; may I suggest a call after 5 PM PST? I never believed it, but the support from Australia (Asia team) is pretty outstanding - WAKE UP SAN JOSE!
 
If you give me until later tonight (keeping fingers crossed), I have a down and dirty SSL connection you can host on a router (needs an Advanced Security IOS); the ASA will simply direct SSL to the router for Easy VPN connections and you won't have to dink with licensing.

I have a thing or two to hammer out, but think this will help you. If you have a cisco logon you can get the IOS you will need.
 
Thanks! That should do the trick; the only person that "needs" it is my boss, the CIO. I have 64-bit Windows XP, but I just RDP to another box I built that has regular XP on it and VPN out from there. Licensing shouldn't be an issue, and if it is, they can buy the licenses lol. If I see anyone here with Vista, that computer is going out the window lol.

Thanks for your help, that config seems to be what i was after.
 
Well, it's 12:00 AM PST and I am still working :) It's been a long day and I got this done, but I have an issue I am dealing with.

I promised tonight (which is now last night), so I popped in here to ask you to hang tight... I got it and it's sweet! I just need to take care of business first.
 
This config assumes you are using the ASA to static NAT and ACL HTTP/HTTPS traffic to the router that will be hosting the SSL VPN (WebVPN). The router will need an Advanced IP Services IOS (I am using c3825-advipservicesk9-mz.124-22.T1.bin).

This configuration will create a persistent self-signed SSL certificate. If your router is configured with a hostname of ROUTER and configured with a default domain of MYDOMAIN.COM the cert will include an alternate DNS name entry of ROUTER.MYDOMAIN.COM -- add a hosts file line to your system like...
Code:
<Public IP>     ROUTER.MYDOMAIN.COM     #Company VPN Address
...and you can just browse to "router.mydomain.com" without http:// or https:// (because my config redirects from 80 to 443), import the cert to the Trusted Root Certification Authorities certificate store (requires admin rights) and every user of the system will not be nagged by the untrusted cert.

This is a down and dirty working solution and can be made much more elegant with AD/RADIUS authentication and group membership to limit who can authenticate through the WebVPN.

Be careful, the things that will trip you up are the names - you may not be able to use the ASA "access-list outside..." line if your access list for outside traffic coming in is called "outside_to_inside" -or- if your router already has "loopback0" configured, then you have to use "loopback1", etc. you will have to find these and change them. I hope that makes sense as I did not <> those entries.

ASA Configuration (remember, we have to forward both HTTP and HTTPS to the router for the redirect to work and make it easy on the user):
Code:
! allow inbound HTTP (for the 80 -> 443 redirect) and HTTPS (the WebVPN itself) to the public IP
access-list outside extended permit tcp any host <Public IP> eq http
access-list outside extended permit tcp any host <Public IP> eq https
! one-to-one static NAT from the public IP to the router's SSL gateway address
static (inside,outside) <Public IP> <Router SSL Gateway IP - 10.10.20.1> netmask 255.255.255.255
! the ACL only takes effect once bound to the outside interface; if you already have an
! inbound ACL there (e.g. outside_to_inside), add the two permit lines to that one instead:
! access-group outside in interface outside


Before you begin configuring the router you will need to get the WebVPN package copied to flash. This can be downloaded from Cisco's website (requires a logon). Review of the code below tells you where to put the package once you get it.

Lines below that contain entries like <Name - something here> indicate something YOU must provide to make this work. To the left of the "-" is the description of what's needed and to the right is an example for you. If you just see <SOMETHING> without a "-" it means I thought it was self-explanatory.

ROUTER Configuration:
Code:
! 'aaa authentication login ... local' only takes effect once AAA is enabled, so enable it first
aaa new-model
aaa authentication login VPN-XAUTH local
! the 'local' method needs at least one local account, e.g.: username <VPN user> secret <password>

ip local pool SSLVPN-POOL <Start IP - 10.10.10.200> <End IP - 10.10.10.254>

! the pool is carved out of this loopback subnet so the SVC addresses are routable on the router
interface Loopback0
 description <SSLVPN INTERFACE>
 ip address <Subnet IP - 10.10.10.1> <Subnet Mask - 255.255.255.0>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress

webvpn gateway <Name - GW-SSLVPN>
 ip address <ASA NAT IP - 10.10.20.1> port 443
 !---below, so users do not have to remember https://
 http-redirect port 80
 inservice
 !
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
 !
webvpn context vpn
 ssl authenticate verify all
 !
 policy group SSLVPN_POLICY
   functions svc-required
   svc address-pool "SSLVPN-POOL"
   svc default-domain "<your FQDN - mydomain.com>"
   svc keep-client-installed
   svc split dns "<default-domain from above>"
   !---below, access all internal networks (adjust to your needs, of course)
   svc split include 10.0.0.0 255.0.0.0
   svc split include 172.16.0.0 255.240.0.0
   !---192.168.0.0/16 takes a 255.255.0.0 mask; 255.240.0.0 (as originally posted) describes 192.160.0.0/12
   svc split include 192.168.0.0 255.255.0.0

   svc dns-server primary <Primary Internal DNS IP>
   svc dns-server secondary <Secondary Internal DNS IP>
   svc wins-server primary <Internal WINS IP - if needed>
 default-group-policy SSLVPN_POLICY
 aaa authentication list VPN-XAUTH
 gateway <Name (same as web gateway above) - GW-SSLVPN>
 inservice
!
ip http secure-server
ip http server

Here is a link to something I thought may help you, but it is a little different since it is using a REAL SSL certificate instead of a persistent self-signed one like in my example. Look for the dropdown menu to take you to the following sections; page 2 has the good stuff!

As promised, I hope this helps you and I hope even more it helps you understand what I did. I LOVE it when people take the time to not only help (or just point you to a link, leaving you to figure it out), but TEACH. If not, I am sorry I missed the mark.

DigiMahn
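The split-tunnel masks and the pool placement in the router config above are the two places where a typo passes `show run` but breaks the VPN: a 255.240.0.0 mask on 192.168.0.0 does not describe 192.168.0.0/16 at all, and a pool outside the loopback subnet is not routable. The script below is an added example (not part of the post and not Cisco code) that lints those lines offline with Python's standard `ipaddress` module. The sample config embedded in it is constructed from the thread's example values (the 10.10.10.0/24 loopback and SSLVPN-POOL) with the 192.168 line exactly as posted; none of the addresses are a real deployment.

```python
"""Offline lint for the split-tunnel and address-pool lines of an IOS WebVPN config."""
import ipaddress
import re
import sys

# Constructed sample: the posted router config with the thread's example values
# filled in, including the 192.168.0.0 255.240.0.0 line exactly as it was posted.
SAMPLE_CONFIG = """\
ip local pool SSLVPN-POOL 10.10.10.200 10.10.10.254
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
webvpn context vpn
 policy group SSLVPN_POLICY
   functions svc-required
   svc address-pool "SSLVPN-POOL"
   svc split include 10.0.0.0 255.0.0.0
   svc split include 172.16.0.0 255.240.0.0
   svc split include 192.168.0.0 255.240.0.0
"""

# Split-tunnel includes should only name internal (RFC 1918) space; a wider prefix
# silently drags public traffic into the tunnel, a wrong one routes nothing.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")
INCLUDE_RE = re.compile(r"^svc split include (\S+) (\S+)$")
USEPOOL_RE = re.compile(r'^svc address-pool "?([^"]+?)"?$')


def parse(text):
    """Pull out pools, interface addresses, split includes and pool references."""
    pools, ifaces, includes, used = {}, {}, [], []
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (m.group(2), m.group(3))
        elif m := IFACE_RE.match(line):
            current_if = m.group(1)
        elif (m := ADDR_RE.match(line)) and current_if:
            ifaces[current_if] = (m.group(1), m.group(2))
        elif m := INCLUDE_RE.match(line):
            includes.append((m.group(1), m.group(2)))
        elif m := USEPOOL_RE.match(line):
            used.append(m.group(1))
    return pools, ifaces, includes, used


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    pools, ifaces, includes, used = parse(text)
    findings = []

    for net, mask in includes:
        try:
            # strict=True refuses a prefix whose host bits are set under its mask, which is
            # what 192.168.0.0 with 255.240.0.0 is: that mask makes the network 192.160.0.0/12.
            n = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        except ValueError as err:
            findings.append(f"split include {net} {mask}: {err}")
            continue
        if not any(n.subnet_of(p) for p in PRIVATE):
            findings.append(f"split include {n}: not inside an RFC 1918 range")

    # The SVC pool has to be routable on the router; the post does that by carving it
    # out of a loopback subnet, so the whole pool should sit inside some interface subnet.
    if_nets = [ipaddress.ip_interface(f"{a}/{m}").network for a, m in ifaces.values()]
    for name in used:
        if name not in pools:
            findings.append(f"address-pool {name}: no matching 'ip local pool'")
            continue
        start, end = (ipaddress.ip_address(x) for x in pools[name])
        if end < start:
            findings.append(f"pool {name}: end {end} is before start {start}")
        elif not any(start in n and end in n for n in if_nets):
            findings.append(f"pool {name} {start}-{end}: not inside any interface subnet")
    return findings


if __name__ == "__main__":
    # usage: python webvpn_lint.py [router-config.txt]; with no file the sample is linted
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = lint(text)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run against the sample it reports exactly one finding, the 192.168.0.0 255.240.0.0 line; change that mask to 255.255.0.0 and it exits clean. Point it at a `show run` capture to check a real box before you bring the gateway `inservice`.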
 
Awesome DigiMahn, thanks so much for your persistence and help! I really appreciate your time and effort.

cheers

Kris
 
Remember...just add the configs just as I showed you...don't change the order...everything should work...it did for me.
 