The example below details how to configure a remote-access SSL VPN on an ASA. For the exam you may be asked to complete a similar task.
Firstly, we need to define the authentication server. In this example I'm using an ISE node with IP address 192.168.20.1 and shared secret ISEc0ld.
aaa-server ISE protocol radius
dynamic-authorization
interim-accounting-update periodic 24
aaa-server ISE (management) host 192.168.20.1
timeout 5
key ISEc0ld
We then need to define the pool of IP addresses from which remote devices will be allocated their internal IP address. Along with this we can also define the access-list that will be used for the split tunnel. In this example a remotely connecting device will receive an address from the 10.1.30.1-50 pool with subnet mask /24. They will also only be able to reach 10.0.0.0/8 across the tunnel; everything else leaves the client directly.
ip local pool VPN-POOL-1 10.1.30.1-10.1.30.50 mask 255.255.255.0
!
access-list LAN standard permit 10.0.0.0 255.0.0.0
As the remote users will be accessing the network via an outside interface that may also be used for internet connectivity, this configuration includes a no-NAT (identity NAT) rule inserted at the top of the NAT rules so that traffic to and from the VPN pool is not translated. For this an object was created for the pool subnet and then the NAT rule was applied.
object network NET_OBJ_10.1.30.0
subnet 10.1.30.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) 1 source static any any destination static NET_OBJ_10.1.30.0 NET_OBJ_10.1.30.0 no-proxy-arp route-lookup
Below, webvpn is enabled on the interface named OUTSIDE and the AnyConnect image is linked to it from the local ASA disk. The tunnel-group list is also enabled; this presents a list of available VPNs in AnyConnect when users connect. If a remote user browses to the OUTSIDE address and does not have AnyConnect installed, the .pkg file is used to deploy AnyConnect to the client.
webvpn
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.10.0.4071-webdeploy-k9.pkg
anyconnect enable
enable OUTSIDE
A new group policy (GP-AC-VPN) is created and its settings are applied. For the exam it is worth knowing what options are available here and where to configure them in the ASDM GUI as well. The group policy is then tied to the tunnel group, where the AAA server group created at the start is referenced. At the end a group alias is defined for the tunnel group; this is the name that appears in the tunnel list presented to the user by AnyConnect.
group-policy GP-AC-VPN internal
group-policy GP-AC-VPN attributes
vpn-tunnel-protocol ssl-client
dns-server value 192.168.100.1
wins-server none
default-domain value lab.local
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
banner value WELCOME TO THE CCIE REMOTE ACCESS VPN
!
tunnel-group TG-AC-VPN type remote-access
tunnel-group TG-AC-VPN general-attributes
default-group-policy GP-AC-VPN
authentication-server-group ISE
address-pool VPN-POOL-1
!
tunnel-group TG-AC-VPN webvpn-attributes
group-alias AC-VPN enable
Final full configuration applied to the device:
aaa-server ISE protocol radius
dynamic-authorization
interim-accounting-update periodic 24
aaa-server ISE (management) host 192.168.20.1
timeout 5
key ISEc0ld
!
ip local pool VPN-POOL-1 10.1.30.1-10.1.30.50 mask 255.255.255.0
!
access-list LAN standard permit 10.0.0.0 255.0.0.0
!
object network NET_OBJ_10.1.30.0
subnet 10.1.30.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) 1 source static any any destination static NET_OBJ_10.1.30.0 NET_OBJ_10.1.30.0 no-proxy-arp route-lookup
!
webvpn
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.10.0.4071-webdeploy-k9.pkg
anyconnect enable
enable OUTSIDE
!
group-policy GP-AC-VPN internal
group-policy GP-AC-VPN attributes
vpn-tunnel-protocol ssl-client
dns-server value 192.168.100.1
wins-server none
default-domain value lab.local
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
banner value WELCOME TO THE CCIE REMOTE ACCESS VPN
!
tunnel-group TG-AC-VPN type remote-access
tunnel-group TG-AC-VPN general-attributes
default-group-policy GP-AC-VPN
authentication-server-group ISE
address-pool VPN-POOL-1
!
tunnel-group TG-AC-VPN webvpn-attributes
group-alias AC-VPN enable
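A config like this is easy to break with one mistyped name, and the ASA will not always refuse a dangling reference. The following added check (not part of the original post or any Cisco tool; the embedded config sample is reconstructed from the final configuration above) parses the reference-bearing lines and verifies that the tunnel group's group-policy, AAA server group, address pool and split-tunnel access-list all exist, and that the whole pool range is covered by an identity NAT rule.

```python
import ipaddress
import re
# Constructed sample: the reference-bearing lines of the page's final config
# (ASA indents sub-commands by one space), embedded so the check runs offline.
ASA_CONFIG = """
aaa-server ISE protocol radius
ip local pool VPN-POOL-1 10.1.30.1-10.1.30.50 mask 255.255.255.0
access-list LAN standard permit 10.0.0.0 255.0.0.0
object network NET_OBJ_10.1.30.0
 subnet 10.1.30.0 255.255.255.0
nat (INSIDE,OUTSIDE) 1 source static any any destination static NET_OBJ_10.1.30.0 NET_OBJ_10.1.30.0 no-proxy-arp route-lookup
group-policy GP-AC-VPN internal
group-policy GP-AC-VPN attributes
 split-tunnel-network-list value LAN
tunnel-group TG-AC-VPN general-attributes
 default-group-policy GP-AC-VPN
 authentication-server-group ISE
 address-pool VPN-POOL-1
"""
# Attribute -> kind of definition it must name.
REFS = {"default-group-policy": "group-policy", "authentication-server-group": "aaa-server",
        "address-pool": "ip local pool", "split-tunnel-network-list value": "access-list"}

def check_ra_vpn(config):
    """Return a list of dangling references / NAT gaps (empty list = consistent)."""
    defined = {k: set() for k in REFS.values()}
    pools, objs, exempt, refs, cur_obj = {}, {}, set(), {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"(aaa-server|access-list|group-policy) (\S+) (?:protocol|standard|extended|internal)", s):
            defined[m[1]].add(m[2])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", s):
            defined["ip local pool"].add(m[1])
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"object network (\S+)", s):
            cur_obj = m[1]
        elif cur_obj and (m := re.match(r"subnet (\S+) (\S+)", s)):
            objs[cur_obj], cur_obj = ipaddress.ip_network(f"{m[1]}/{m[2]}"), None
        elif m := re.match(r"nat \(\S+\) \d+ source static any any destination static (\S+) (\S+)", s):
            if m[1] == m[2]:  # identity (no-NAT) rule: pool traffic keeps its address
                exempt.add(m[1])
        elif m := re.match(r"(%s) (\S+)" % "|".join(REFS), s):
            refs[m[1]] = m[2]
    problems = [f"{k} names undefined {kind} {refs.get(k)!r}"
                for k, kind in REFS.items() if refs.get(k) not in defined[kind]]
    pool = pools.get(refs.get("address-pool"))
    if pool and not any(pool[0] in objs[o] and pool[1] in objs[o] for o in exempt if o in objs):
        problems.append("address pool is not covered by an identity NAT rule; VPN traffic would be NATed")
    return problems
```

Feed it the output of `show running-config` from the ASA; an empty list means every reference resolves and the pool is exempt from translation.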