I did labs for AnyConnect VPN on a Cisco ASA firewall, but in the real world I was asked to migrate a Cisco ASA 5510 acting as an AnyConnect VPN server to an ASA 5525-X with a FirePOWER module. I've deleted the old AnyConnect package files from the ASA's flash, since the ASA 9.4 code is compatible with AnyConnect 3.1.x. I had a previous post on transferring the AnyConnect package files and installing the AnyConnect Premium VPN license. Here's a Cisco guide and a Lab Minutes video for configuring AnyConnect Remote Access (RA) VPN on a Cisco ASA firewall.
Here's a nice AnyConnect VPN troubleshooting guide from Cisco and a link regarding the steps for a successful firewall migration.
First verify that the Cisco ASA firewall has the AnyConnect images for Windows, Mac and Linux clients.
ciscoasa# dir
Directory of disk0:/
11 drwx 4096 19:16:16 Sep 29 2014 log
22 drwx 4096 19:16:44 Sep 29 2014 crypto_archive
23 drwx 4096 19:16:52 Sep 29 2014 coredumpinfo
123 -rwx 37656576 19:25:02 Sep 29 2014 asa913-smp-k8.bin
124 -rwx 22658960 19:27:04 Sep 29 2014 asdm-714.bin
125 -rwx 73285632 00:38:08 Jun 06 2017 asa943-12-smp-k8.bin
137 -rwx 39032347 21:24:34 Jun 12 2017 anyconnect-win-3.1.14018-k9.pkg
126 -rwx 25819140 00:42:58 Jun 06 2017 asdm-761.bin
127 -rwx 12998641 19:51:42 Sep 29 2014 csd_3.5.2008-k9.pkg
128 drwx 4096 19:51:44 Sep 29 2014 sdesktop
138 -rwx 12895117 21:25:20 Jun 12 2017 anyconnect-macosx-i386-3.1.14018-k9.pkg
139 -rwx 12346898 21:26:06 Jun 12 2017 anyconnect-linux-3.1.14018-k9.pkg
140 -rwx 13115642 21:26:55 Jun 12 2017 anyconnect-linux-64-3.1.14018-k9.pkg
132 -rwx 100 22:45:26 Jun 05 2017 upgrade_startup_errors_201706052245.log
133 -rwx 41848832 18:55:08 Jun 08 2017 asasfr-5500x-boot-6.0.0-1005.img
There are several important pieces to configure for an RA AnyConnect VPN on a Cisco ASA firewall:
1) Ensure enough AnyConnect Premium Peer licenses are installed on the new ASA. Out of the box the ASA comes with only two AnyConnect Premium Peers, so a maximum of two AnyConnect clients can connect at the same time. The maximum number of AnyConnect Premium Peers is ASA platform dependent.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.4(4)5
Device Manager Version 7.6(1)
Compiled on Thu 30-Mar-17 21:52 PDT by builders
System image file is "disk0:/asa944-5-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 3 days 5 hours
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is fc5b.39aa.5164, irq 11
1: Ext: GigabitEthernet0/0 : address is fc5b.39aa.5169, irq 5
2: Ext: GigabitEthernet0/1 : address is fc5b.39aa.5165, irq 5
3: Ext: GigabitEthernet0/2 : address is fc5b.39aa.516a, irq 10
4: Ext: GigabitEthernet0/3 : address is fc5b.39aa.5166, irq 10
5: Ext: GigabitEthernet0/4 : address is fc5b.39aa.516b, irq 5
6: Ext: GigabitEthernet0/5 : address is fc5b.39aa.5167, irq 5
7: Ext: GigabitEthernet0/6 : address is fc5b.39aa.516c, irq 10
8: Ext: GigabitEthernet0/7 : address is fc5b.39aa.5168, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is fc5b.39aa.5164, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 750 perpetual // 750 IS THE MAXIMUM IN ASA 5525-X
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH1834JABC
Running Permanent Activation Key: 0x572bfd4a 0xb4f6583f 0x5d400123 0xcd308123 0xca20c456
Configuration register is 0x1
Image type : Release
Key version : A
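The two pre-migration checks above (all client-OS packages present at one version on flash, and enough licensed peers for the expected concurrent users) are easy to script so they can be run against saved `dir` and `show version` output before cut-over. The following is an added example, not code from the original post or from Cisco; the sample output it parses is constructed from the listings above and abridged, and the required peer count of 300 is an assumed planning figure.

```python
import re

# Constructed, abridged sample of the ASA `dir` output shown in the post.
SAMPLE_DIR = """\
Directory of disk0:/
123 -rwx 37656576 19:25:02 Sep 29 2014 asa913-smp-k8.bin
137 -rwx 39032347 21:24:34 Jun 12 2017 anyconnect-win-3.1.14018-k9.pkg
138 -rwx 12895117 21:25:20 Jun 12 2017 anyconnect-macosx-i386-3.1.14018-k9.pkg
139 -rwx 12346898 21:26:06 Jun 12 2017 anyconnect-linux-3.1.14018-k9.pkg
140 -rwx 13115642 21:26:55 Jun 12 2017 anyconnect-linux-64-3.1.14018-k9.pkg
"""

# Constructed, abridged sample of the `show version` license block.
SAMPLE_VERSION = """\
Hardware: ASA5525, 8192 MB RAM
Licensed features for this platform:
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : Disabled perpetual
Total VPN Peers : 750 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: PLACEHOLDER
"""

# Package naming as seen on flash: anyconnect-<os>-<version>-k9.pkg
PKG_RE = re.compile(r"anyconnect-(?P<os>win|macosx-i386|linux-64|linux)-(?P<ver>[\d.]+)-k9\.pkg$")
# The post checks for Windows, Mac and Linux images; linux-64 is a bonus.
REQUIRED_OS = {"win", "macosx-i386", "linux"}
LICENSE_RE = re.compile(r"^(?P<feature>[A-Za-z0-9 /\-]+?)\s*:\s*(?P<value>\S+)")


def parse_anyconnect_images(dir_output):
    """Return {client_os: version} for every AnyConnect package in a `dir` listing."""
    images = {}
    for line in dir_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        m = PKG_RE.search(fields[-1])  # file name is the last column
        if m:
            images[m.group("os")] = m.group("ver")
    return images


def check_images(images, required=REQUIRED_OS):
    """Return a list of findings: missing client images or mixed package versions."""
    findings = [f"missing AnyConnect image for {os_name}"
                for os_name in sorted(required - set(images))]
    versions = set(images.values())
    if len(versions) > 1:
        findings.append(f"mixed AnyConnect versions on flash: {sorted(versions)}")
    return findings


def parse_license_features(version_output):
    """Return {feature: value} from the 'Licensed features' block of `show version`."""
    features, in_block = {}, False
    for line in version_output.splitlines():
        if line.startswith("Licensed features"):
            in_block = True
            continue
        if line.startswith("This platform has"):  # end of the license block
            break
        if in_block:
            m = LICENSE_RE.match(line.strip())
            if m:
                features[m.group("feature").strip()] = m.group("value")
    return features


def check_peer_capacity(features, required_peers):
    """Compare licensed AnyConnect Premium Peers with the expected concurrent clients."""
    raw = features.get("AnyConnect Premium Peers", "0")
    licensed = int(raw) if raw.isdigit() else 0  # 'Disabled' etc. counts as 0
    return licensed >= required_peers, licensed


def premigration_report(dir_output, version_output, required_peers):
    """Run both checks; return (passed, findings)."""
    findings = check_images(parse_anyconnect_images(dir_output))
    ok, licensed = check_peer_capacity(parse_license_features(version_output), required_peers)
    if not ok:
        findings.append(f"only {licensed} AnyConnect Premium Peers licensed, "
                        f"{required_peers} required")
    return not findings, findings


if __name__ == "__main__":
    passed, findings = premigration_report(SAMPLE_DIR, SAMPLE_VERSION, required_peers=300)
    print("PASS" if passed else "FAIL", findings)
```

Feed it the real output captured from the new ASA (for example via `copy running-config` or a terminal log) rather than the constructed samples; a mixed-version finding usually means an old package was left behind on flash.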
2) Configure a local IP address pool from which RA VPN clients are assigned addresses.
ciscoasa(config)# ip local pool VPN-POOL 172.20.7.50-172.20.7.245 mask 255.255.255.0
3) Create a network object for the VPN pool subnet and configure an identity NAT (NAT exemption) so that traffic to and from the AnyConnect clients is not translated on the outside (Internet) interface.
ciscoasa(config)# object network OBJ-ANYCONNECT
ciscoasa(config-network-object)# subnet 172.20.7.0 255.255.255.0
ciscoasa(config)# nat (inside,outside) source static any any destination static OBJ-ANYCONNECT OBJ-ANYCONNECT no-proxy-arp route-lookup
4) Enable AnyConnect SSL connections on the ASA outside (Internet facing) interface.
webvpn
enable outside // IMPORTANT COMMAND
anyconnect image disk0:/anyconnect-linux-3.1.14018-k9.pkg 1 // THE TRAILING NUMBER IS THE SEQUENCE NUMBER; YOU CAN RE-NUMBER THE PACKAGES
anyconnect image disk0:/anyconnect-linux-64-3.1.14018-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 3
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 4
anyconnect enable // IMPORTANT COMMAND
tunnel-group-list enable
cache
disable // DISABLES CACHING OF FREQUENTLY USED OBJECTS IN SYSTEM CACHE
5) Configure the AnyConnect group policy. You can optionally specify a split-tunnel ACL, which defines which subnets go through the tunnel and which, such as Internet destinations, are reached directly.
group-policy GP-CORP internal
group-policy GP-CORP attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client // IMPORTANT COMMAND
default-domain value local.net
6) Configure a tunnel group, which ties the other pieces of the configuration together (much as a crypto map does for IPsec).
tunnel-group CORP type remote-access // IMPORTANT COMMAND
tunnel-group CORP general-attributes
address-pool VPN-POOL // MUST MATCH THE ip local pool NAME FROM STEP 2
authentication-server-group RADIUS // POINTS TO A RADIUS SERVER DEFINED WITH aaa-server ... protocol radius AND aaa-server ... host
default-group-policy GP-CORP
tunnel-group CORP webvpn-attributes
group-alias CORP enable
The following are some additional steps if you're migrating the VPN server certificate (and its trustpoint) from the old ASA to the new ASA. This avoids the Untrusted VPN Server Block error when connecting to AnyConnect VPN.
7) Export the certificate and its key pair from the old ASA as PKCS12 and import them on the new ASA.
5510-OLD# show crypto ca certificate
Certificate
Status: Available
Certificate Serial Number: 123456
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=RapidSSL CA
o=GeoTrust\, Inc.
c=US
Subject Name:
cn=*local.net
ou=Domain Control Validated - RapidSSL(R)
ou=See www.rapidssl.com/resources/cps (c)14
ou=GT02341234
serialNumber=ABC9uMV1vgWcrlFkJjw7pt-LVVFSwxyz
OCSP AIA:
URL: http://rapidssl-ocsp.geotrust.com
CRL Distribution Points:
[1] http://rapidssl-crl.geotrust.com/crls/rapidssl.crl
Validity Date:
start date: 22:34:33 UTC Jun 15 2016
end date: 05:13:51 UTC Jul 18 2020
Associated Trustpoints: ASDM_TrustPoint1
<OUTPUT TRUNCATED>
5510-OLD(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
engine Configure crypto engine
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Certification authority
5510-OLD(config)# crypto ca ?
configure mode commands/options:
authenticate Get the CA certificate
certificate Actions on certificates
crl Actions on certificate revocation lists
enroll Request a certificate from a CA
export Export a trustpoint configuration with all associated keys and
certificates in PKCS12 format, or export the identity
certificate in PEM format
import Import certificate or pkcs-12 data
server Define Local Certificate Server
trustpoint Define a CA trustpoint
trustpool Define CA trustpool
exec mode commands/options:
server Local Certificate Server commands
trustpool Trusted certificate pool
5510-OLD(config)# crypto ca export ?
configure mode commands/options:
WORD < 65 char Trustpoint label to associate keys and/or certs with
5510-OLD(config)# crypto ca export ASDM_TrustPoint1 ?
configure mode commands/options:
identity-certificate Export ID cert in PEM format
pkcs12 Export to PKCS12 format
5510-OLD(config)# crypto ca export ASDM_TrustPoint1 pkcs12 ?
configure mode commands/options:
WORD Passphrase used to protect the pkcs12 file // SAME PASSPHRASE FOR IMPORT
5510-OLD(config)# crypto ca export ASDM_TrustPoint1 pkcs12 cisco123
Exported pkcs12 follows:
-----BEGIN PKCS12-----
ABCDrwIBAzCCDWkGCSqGSIb3DQEHAaCCDVoEgg1WMIINUjCCDU4GCSqGSIb3DQEH
BqCCDT8wgg07AgEAMIINNAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQI8TJm
nN+U5TUCAQGAgg0I6uXZgqgd8GQX6Uzoxtwo7SpTBChK5JwHm4joiMtejnFwBd6q
<OUTPUT TRUNCATED>
Ovv9WbP2ABH7kjwQCXDTjTTjoGOiNs27KwAZ35h+LYTB36fTQXL5VqwwnPyxUp6o
PouLnTI1ztJJkLxQMsSXMPgpV5FMAi0LdAZfiTkWePUdwbwV4xYp+UYkTRHdk4Ez
Kx7OdFQ54E4IFu/HZVvWke509G3ROkHH+8yAHsJFaWExeQIiMD0wITAJBgUrDgMC
GgUABBTdNlD8PHam0stRBZK32os0BmrdQAQU99rJlI3qNx40t0AqZpijZ8RrqToC
WXYZ
-----END PKCS12-----
5525-NEW(config)# crypto ca import ASDM_TrustPoint1 pkcs12 cisco123
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:<ENTER>
ABCDrwIBAzCCDWkGCSqGSIb3DQEHAaCCDVoEgg1WMIINUjCCDU4GCSqGSIb3DQEH
BqCCDT8wgg07AgEAMIINNAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQI8TJm
nN+U5TUCAQGAgg0I6uXZgqgd8GQX6Uzoxtwo7SpTBChK5JwHm4joiMtejnFwBd6q
<OUTPUT TRUNCATED>
Ovv9WbP2ABH7kjwQCXDTjTTjoGOiNs27KwAZ35h+LYTB36fTQXL5VqwwnPyxUp6o
PouLnTI1ztJJkLxQMsSXMPgpV5FMAi0LdAZfiTkWePUdwbwV4xYp+UYkTRHdk4Ez
Kx7OdFQ54E4IFu/HZVvWke509G3ROkHH+8yAHsJFaWExeQIiMD0wITAJBgUrDgMC
GgUABBTdNlD8PHam0stRBZK32os0BmrdQAQU99rJlI3qNx40t0AqZpijZ8RrqToC
WXYZ<ENTER>
quit // TYPE quit
INFO: Import PKCS12 operation completed successfully
8) Configure the CA trustpoint on the new ASA. If you skip the export/import above and simply copy/paste the trustpoint configuration onto the new ASA, the following errors appear:
5525-NEW(config)# crypto ca trustpoint ASDM_TrustPoint1
5525-NEW(config-ca-trustpoint)# keypair ASDM_TrustPoint1
ERROR: Keypair ASDM_TrustPoint1 doesn't exist.
5525-NEW(config)# crypto ca certificate chain ASDM_TrustPoint1
5525-NEW(config-cert-chain)# certificate 123456
Enter the certificate in hexadecimal representation....
5525-NEW(config-pubkey)# 30820521 30820409 a0030201 02020313 7a39300$
<OUTPUT TRUNCATED>
5525-NEW(config-pubkey)# quit
ERROR: Public key contained in the device certificate doesn't match the device's // THE KEY PAIR BEHIND THE CERTIFICATE MUST BE IMPORTED (PKCS12) FIRST
5525-NEW(config)# crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
ERROR: Trustpoint not enrolled. Please enroll trustpoint and try again.
Once the PKCS12 (certificate plus key pair) is imported on the new ASA, you can configure these commands:
5525-NEW(config)# crypto ca trustpoint ASDM_TrustPoint1
5525-NEW(config-ca-trustpoint)# keypair ASDM_TrustPoint1
5525-NEW(config-ca-trustpoint)# crl configure
5525-NEW(config)# crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
5525-NEW(config)# ssl trust-point ASDM_TrustPoint1 outside
For FirePOWER traffic redirection, I've configured deny entries in the redirection ACL to ensure AnyConnect clients are prevented from hitting the inspection policy (although it is SSL-encrypted traffic).
access-list FP-ACL extended deny ip 172.20.7.0 255.255.255.0 any
access-list FP-ACL extended deny ip any 172.20.7.0 255.255.255.0
access-list FP-ACL extended permit ip any any
class-map FP-CMAP
match access-list FP-ACL
policy-map global_policy
class FP-CMAP
sfr fail-open
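Because `match access-list` in a class-map is evaluated first-match, a `deny` entry excludes traffic from redirection and the order of the entries matters: if the `permit ip any any` came first, the VPN subnet entries would never be reached. The following is an added example, not code from the original post or from Cisco, that parses the FP-ACL lines above, evaluates which flows would be sent to the SFR module, and flags entries shadowed by an earlier broader one. The flow addresses used for the checks are constructed.

```python
import ipaddress

# Constructed copy of the redirection ACL from the post, in configured order.
FP_ACL_LINES = [
    "access-list FP-ACL extended deny ip 172.20.7.0 255.255.255.0 any",
    "access-list FP-ACL extended deny ip any 172.20.7.0 255.255.255.0",
    "access-list FP-ACL extended permit ip any any",
]


def _take_network(tokens):
    """Consume 'any' or 'ADDR MASK' from the front of tokens; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(config_lines, name):
    """Parse ASA 'access-list NAME extended {permit|deny} ip SRC DST' lines (ip protocol only).

    Returns a list of (action, src_network, dst_network) in configured order.
    """
    aces = []
    for line in config_lines:
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"] or t[4] != "ip":
            continue  # other ACLs, or protocol/port forms this toy parser does not handle
        action = t[3]
        src, rest = _take_network(t[5:])
        dst, _ = _take_network(rest)
        aces.append((action, src, dst))
    return aces


def redirected_to_sfr(aces, src_ip, dst_ip):
    """First-match evaluation as used by 'match access-list' in a class-map.

    permit -> the flow is in the class and redirected to the SFR module,
    deny   -> the flow is excluded from the class,
    no match -> not in the class.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def shadowed_entries(aces):
    """Indices of ACEs that can never match because an earlier ACE covers them entirely."""
    shadowed = []
    for i, (_, src, dst) in enumerate(aces):
        for _, esrc, edst in aces[:i]:
            if src.subnet_of(esrc) and dst.subnet_of(edst):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    aces = parse_acl(FP_ACL_LINES, "FP-ACL")
    # Constructed flows: a VPN client talking to an inside host, and an inside host to the Internet.
    print("vpn client -> inside host redirected:", redirected_to_sfr(aces, "172.20.7.51", "10.0.0.5"))
    print("inside host -> internet redirected:", redirected_to_sfr(aces, "10.0.0.5", "8.8.8.8"))
    print("shadowed entries:", shadowed_entries(aces))
```

Running `shadowed_entries` over the redirection ACL of the running config is a quick sanity check after a migration in which the ACL was re-typed: a non-empty result means some deny exception is sitting below the catch-all permit.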
I've tested AnyConnect VPN after the migration; the client had to upgrade to AnyConnect 3.1 and connected to the ASA VPN server afterwards.
There are also scenarios where the AnyConnect VPN is established and you can access internal resources but there is NO Internet access. You'll need a NAT rule for VPN clients going out the outside interface, and you must permit VPN traffic arriving on the outside interface to leave again (U-turn or hairpin) on that same outside interface.
nat (outside,outside) after-auto source dynamic OBJ-ANYCONNECT interface // OBJ-ANYCONNECT IS THE VPN POOL OBJECT FROM STEP 3
same-security-traffic permit intra-interface