Tuesday, January 9, 2018

Order of Policies for VPN Users on ASA

Many policies can be configured for a single user in different places on the ASA, but the ASA reads them in a fixed order. Understanding how the ASA decides which policies to assign to a particular user is crucial for troubleshooting.

Policies are applied in 2 steps for a user who is connected via a VPN.

1. Pre-Login Policy
2. Post-Login Policies

Pre-Login Policy

The Connection Profile (Tunnel Group) controls the Pre-Login Policy entirely.

When a user connects via a VPN client such as Cisco AnyConnect, they are asked to select a group. This group is actually the tunnel group, or in ASA terminology the Connection Profile.

In the capture you can see the group name is Anyconnect, which means there is a Connection Profile named Anyconnect on the ASA with a Group Policy bound to it. That Group Policy tells the ASA how the user should be authenticated, which IP address to assign (unless it is a clientless SSL session), which DNS servers to use, etc.
If a specific Group Policy is not bound, the Default Connection Profiles will be used.

After the login is successful, the Post-Login Policies will be applied for the same user.

Post-Login Policies

Post-Login Policies define the permissions, authorizations, restrictions, etc. for a particular user.

Dynamic Access Policies (DAP) are the first to be evaluated after a user is authenticated. If no specific DAP matches, the default DfltAccessPolicy will be applied.

Ex:- With a Dynamic Access Policy we can restrict access to a specific internal server resource depending on whether the authenticated user has an active firewall on their machine.

For all items not set by a DAP, the order shown in the screenshot will be used.

Ex:- Suppose a connection timeout is configured with 2 different values for a user, one on the Connection Profile Group Policy and one on the User Group Policy. In this case the value configured on the User Group Policy will be used because it comes earlier in the order.

This also means that the Connection Profile can have a different Group Policy than the user's own profile has.

If no Group Policy is configured on the ASA, the Default Group Policies will be applied, as in the Pre-Login Policy.

There are 2 Default Group Policies, one for SSL and one for IPsec.
Depending on the connection type, a user will end up in one of them.

You can view this order of operations in real time for incoming VPN sessions on the Monitoring > VPN > VPN Statistics > Sessions tab in ASDM.

On the CLI you can use the show vpn-sessiondb command for similar output.
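To make the precedence concrete, here is a small ASA configuration fragment as an added example (it is not from the original post): the same attribute, vpn-idle-timeout, is set on the group policy bound to the Connection Profile and on the group policy assigned to the user, and one attribute is set directly on the username. The policy names, the username, the password and the timeout values are made up for illustration.

```cisco
! Added example, not the post's own configuration. All names and values are constructed.
!
! Lowest of the three: the group policy bound to the Connection Profile.
group-policy GP-CONNPROF internal
group-policy GP-CONNPROF attributes
 vpn-tunnel-protocol ssl-client
 vpn-idle-timeout 30
!
! Higher: a group policy assigned to the user record itself.
group-policy GP-USER internal
group-policy GP-USER attributes
 vpn-idle-timeout 60
!
! Highest of the three: attributes set directly on the user.
! (constructed password; replace with your own)
username alice password Ex4mple-Only
username alice attributes
 vpn-group-policy GP-USER
 vpn-simultaneous-logins 1
!
! The Connection Profile the client selects as "Anyconnect".
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 default-group-policy GP-CONNPROF
!
! Result for alice, following the order described in the post:
!  - vpn-simultaneous-logins 1 comes from the username attributes
!  - vpn-idle-timeout 60 comes from GP-USER and beats the 30 in GP-CONNPROF
!  - vpn-tunnel-protocol ssl-client is taken from GP-CONNPROF because
!    nothing higher in the order sets it
```

After alice connects, show vpn-sessiondb detail for her session shows the effective values, which is the quickest way to confirm which level won for each attribute.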

Monday, January 8, 2018

Configuring AnyConnect SSL VPNs on ASA

AnyConnect is used by many enterprises to allow their customers to connect to the internal network over the internet via the Cisco AnyConnect Mobility Client. Here is how to configure it on the ASA.

If you are going to practice this lab, you will need to go through the following posts first.

Basic Installation of Microsoft Windows Server 2012 R2 in VMware Workstation
Installing Active Directory, DNS and DHCP on Windows Server 2012 R2
Configuring LDAP Services on Windows Server 2012 R2
Configuring AAA on Cisco ASA for LDAP Users to Use with VPNs
How to Enable ASDM Access to ASA

Well, the easiest method is to go through the Wizard.
Here is the manual way.

Create a Group Policy

Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies
Click +Add, give it a name and an address pool like below. You can create the address pool by clicking on the Select tab and adding and assigning a new one. This pool holds the addresses that will be assigned to the clients. In this topology I took it to be from to and named it 11-pool. (click on images to zoom)

Now expand Advanced and select Split Tunneling. This configuration is required because by default all of the client's traffic is sent through the VPN once connected. With split tunneling we tunnel only the traffic destined for a network list specified on the firewall. Set the policy to Tunnel Network List Below and specify the Network List by hitting the Manage tab. You will have to add the ACL, which is just the name of the ACL, and then add an ACE, which is the actual statement of the ACL.

The standard ACL I created permits traffic only to the subnet, which means that only the traffic destined to that subnet will be directed through the VPN.

Specify Client Software

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software
Hit Add and Browse Flash for an image.

Create a Connection Profile

Now go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Add a new profile and configure it the following way.

Now tick the boxes like the following.

Now users can connect to the VPN from the Cisco AnyConnect Mobility Client.

If users do not have the AnyConnect software, they can download it by browsing to the ASA's IP address in a web browser.

Note:- If internal servers are unreachable after the VPN is established, you may need to issue the following command on the ASA:
ASA(config)# sysopt connection permit-vpn

Some useful show commands on the CLI:
ASA# show vpn-sessiondb
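For readers who prefer the CLI to ASDM, here is the equivalent of the steps above (Group Policy with pool and split tunnel, client software, Connection Profile and the permit-vpn note) as an added example that is not the original post's configuration. The pool range, the internal subnet, the DNS server, the interface names, the image filename and the policy names are assumptions; the aaa-server group AD is the LDAP group configured in the AAA post.

```cisco
! Added example, not the post's own configuration. Addresses, names and the
! image filename are constructed; substitute your own.
!
! Create a Group Policy: the address pool handed out to connected clients
ip local pool 11-pool 192.168.11.10-192.168.11.100 mask 255.255.255.0
!
! Split tunneling: a standard ACL naming the only subnet sent into the tunnel
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
!
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.1.1.5
 address-pools value 11-pool
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Specify Client Software: the package served to users who lack the client,
! and SSL VPN enabled on the outside interface
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-4.x.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Create a Connection Profile: shown to the client as the group "Anyconnect",
! authenticating against the AD LDAP server group from the AAA post
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool 11-pool
 authentication-server-group AD
 default-group-policy GP-ANYCONNECT
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
!
! The note above: let decrypted VPN traffic bypass the interface ACLs
sysopt connection permit-vpn
```

Keep the split-tunnel ACL as narrow as the internal resources actually require; every subnet it lists is reachable from the client's machine while the tunnel is up, and show vpn-sessiondb detail anyconnect will show the pool address and the group policy each session received.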

Configuring AAA on Cisco ASA for LDAP Users to Use with VPNs

Before reading this you may need to know how to configure LDAP on Windows Server. If so, click here and come back. This configuration is about using LDAP accounts for VPNs, not for ASA administration.


1. Define the LDAP server group name and protocol
The server group name (tag) here is AD and the protocol is ldap

ASA(config)# aaa-server AD protocol ldap

2. Define the reachable interface, server IP address and other parameters.
In my setup the AD server is reachable from the INSIDE interface & the IP is
The domain is roshanznet.local
sAMAccountName is a default for Windows servers I guess..
The password is the administrator password of AD.

ASA(config)# aaa-server AD (INSIDE) host
ASA(config-aaa-server-host)# ldap-base-dn DC=roshanznet,DC=local
ASA(config-aaa-server-host)# ldap-scope subtree
ASA(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
ASA(config-aaa-server-host)# ldap-login-password roshan123#
ASA(config-aaa-server-host)# ldap-login-dn CN=administrator,CN=Users,DC=roshanznet,DC=local
ASA(config-aaa-server-host)# server-type microsoft

You can test the authentication as follows:
ASA# test aaa authentication AD host username roshan password C1sc0#adm

roshan is a username I created on AD and its password is C1sc0#adm. The following results will be displayed if everything works fine.