Sunday, February 11, 2018

Configuring AnyConnect Remote Access VPN on a Cisco ASA Firewall

I did labs for AnyConnect VPN on a Cisco ASA firewall, but in the real world I was asked to migrate a Cisco ASA 5510 acting as an AnyConnect VPN server to an ASA 5525-X with a FirePOWER module. I deleted the old AnyConnect package files from the ASA's flash, since the ASA 9.4 code is compatible with AnyConnect 3.1.x. I had a previous post about transferring the AnyConnect package files and installing the AnyConnect Premium VPN license. Here's a Cisco guide and a Lab Minutes video for configuring AnyConnect Remote Access (RA) VPN on a Cisco ASA firewall.

Here's a nice AnyConnect VPN troubleshooting guide from Cisco and a link regarding the steps for a successful firewall migration.

Verify first that the Cisco ASA firewall has the AnyConnect images for Windows, Mac and Linux clients.

ciscoasa# dir

Directory of disk0:/

11     drwx  4096         19:16:16 Sep 29 2014  log
22     drwx  4096         19:16:44 Sep 29 2014  crypto_archive
23     drwx  4096         19:16:52 Sep 29 2014  coredumpinfo
123    -rwx  37656576     19:25:02 Sep 29 2014  asa913-smp-k8.bin
124    -rwx  22658960     19:27:04 Sep 29 2014  asdm-714.bin
125    -rwx  73285632     00:38:08 Jun 06 2017  asa943-12-smp-k8.bin
137    -rwx  39032347     21:24:34 Jun 12 2017  anyconnect-win-3.1.14018-k9.pkg
126    -rwx  25819140     00:42:58 Jun 06 2017  asdm-761.bin
127    -rwx  12998641     19:51:42 Sep 29 2014  csd_3.5.2008-k9.pkg
128    drwx  4096         19:51:44 Sep 29 2014  sdesktop
138    -rwx  12895117     21:25:20 Jun 12 2017  anyconnect-macosx-i386-3.1.14018-k9.pkg
139    -rwx  12346898     21:26:06 Jun 12 2017  anyconnect-linux-3.1.14018-k9.pkg
140    -rwx  13115642     21:26:55 Jun 12 2017  anyconnect-linux-64-3.1.14018-k9.pkg

132    -rwx  100          22:45:26 Jun 05 2017  upgrade_startup_errors_201706052245.log
133    -rwx  41848832     18:55:08 Jun 08 2017  asasfr-5500x-boot-6.0.0-1005.img


There are several important pieces to configuring an RA AnyConnect VPN on a Cisco ASA firewall:

1) Ensure enough AnyConnect Premium Peer licenses are installed on the new ASA. The ASA comes with only two AnyConnect Premium Peers by default, so a maximum of two AnyConnect clients can connect at the same time. The maximum number of AnyConnect Premium Peers depends on the ASA platform.

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.4(4)5
Device Manager Version 7.6(1)

Compiled on Thu 30-Mar-17 21:52 PDT by builders
System image file is "disk0:/asa944-5-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 3 days 5 hours

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is fc5b.39aa.5164, irq 11
 1: Ext: GigabitEthernet0/0  : address is fc5b.39aa.5169, irq 5  
 2: Ext: GigabitEthernet0/1  : address is fc5b.39aa.5165, irq 5
 3: Ext: GigabitEthernet0/2  : address is fc5b.39aa.516a, irq 10
 4: Ext: GigabitEthernet0/3  : address is fc5b.39aa.5166, irq 10
 5: Ext: GigabitEthernet0/4  : address is fc5b.39aa.516b, irq 5
 6: Ext: GigabitEthernet0/5  : address is fc5b.39aa.5167, irq 5
 7: Ext: GigabitEthernet0/6  : address is fc5b.39aa.516c, irq 10
 8: Ext: GigabitEthernet0/7  : address is fc5b.39aa.5168, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is fc5b.39aa.5164, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 750            perpetual    // 750 IS THE MAXIMUM IN ASA 5525-X
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual          
Total VPN Peers                   : 750            perpetual

Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1834JABC
Running Permanent Activation Key: 0x572bfd4a 0xb4f6583f 0x5d400123 0xcd308123 0xca20c456
Configuration register is 0x1

Image type          : Release
Key version         : A


2) Configure a local IP address pool from which RA VPN clients are assigned their addresses.

ciscoasa(config)# ip local pool VPN-POOL 172.20.7.50-172.20.7.245 mask 255.255.255.0


3) Create a network object for the VPN pool subnet and configure an identity NAT so that traffic to and from the AnyConnect clients is exempted from NAT on the outside (Internet) interface.

ciscoasa(config)# object network OBJ-ANYCONNECT
ciscoasa(config-network-object)# subnet 172.20.7.0 255.255.255.0

ciscoasa(config)# nat (inside,outside) source static any any destination static OBJ-ANYCONNECT OBJ-ANYCONNECT no-proxy-arp route-lookup


4) Enable AnyConnect SSL connections on the ASA outside (Internet-facing) interface.

webvpn   
 enable outside       // IMPORTANT COMMAND
 anyconnect image disk0:/anyconnect-linux-3.1.14018-k9.pkg 1      // THE TRAILING NUMBER IS THE SEQUENCE NUMBER; YOU CAN RENUMBER THE PACKAGES
 anyconnect image disk0:/anyconnect-linux-64-3.1.14018-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 3
 anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 4   
 anyconnect enable       // IMPORTANT COMMAND
 tunnel-group-list enable
 cache
  disable       // DISABLES CACHING OF FREQUENTLY USED OBJECTS IN SYSTEM CACHE


5) Configure the AnyConnect Group Policy. You can optionally specify a split tunnel ACL, which controls which subnets are reached through the tunnel and which, such as the Internet, are reached directly.

group-policy GP-CORP internal
group-policy GP-CORP attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client      // IMPORTANT COMMAND
 default-domain value local.net


6) Configure a Tunnel Group, which ties together information from the other parts of the config (similar to a crypto map).

tunnel-group CORP type remote-access     // IMPORTANT COMMAND
tunnel-group CORP general-attributes
 address-pool VPN-POOL      // MUST MATCH THE ip local pool NAME FROM STEP 2
 authentication-server-group RADIUS      // POINTS TO A RADIUS SERVER aaa-server protocol radius AND aaa-server host
 default-group-policy GP-CORP
tunnel-group CORP webvpn-attributes
 group-alias CORP enable


The following are some additional steps if you're migrating the CA cert from an old ASA to a new ASA device. This avoids the Untrusted VPN Server Block error when connecting to the AnyConnect VPN.

7) Export the CA certificate from the old ASA device and import it into the new ASA device.

5510-OLD# show crypto ca certificate
Certificate
  Status: Available
  Certificate Serial Number: 123456
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=RapidSSL CA
    o=GeoTrust\, Inc.
    c=US
  Subject Name:
    cn=*local.net
    ou=Domain Control Validated - RapidSSL(R)
    ou=See www.rapidssl.com/resources/cps (c)14
    ou=GT02341234
    serialNumber=ABC9uMV1vgWcrlFkJjw7pt-LVVFSwxyz
  OCSP AIA:
    URL: http://rapidssl-ocsp.geotrust.com
  CRL Distribution Points:
    [1]  http://rapidssl-crl.geotrust.com/crls/rapidssl.crl
  Validity Date:
    start date: 22:34:33 UTC Jun 15 2016
    end   date: 05:13:51 UTC Jul 18 2020
  Associated Trustpoints: ASDM_TrustPoint1


<OUTPUT TRUNCATED>


5510-OLD(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  engine       Configure crypto engine
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Certification authority

5510-OLD(config)# crypto ca ?

configure mode commands/options:
  authenticate  Get the CA certificate
  certificate   Actions on certificates
  crl           Actions on certificate revocation lists
  enroll        Request a certificate from a CA
  export        Export a trustpoint configuration with all associated keys and
                certificates in PKCS12 format, or export the identity
                certificate in PEM format
  import        Import certificate or pkcs-12 data
  server        Define Local Certificate Server
  trustpoint    Define a CA trustpoint
  trustpool     Define CA trustpool

exec mode commands/options:
  server     Local Certificate Server commands
  trustpool  Trusted certificate pool

5510-OLD(config)# crypto ca export ?

configure mode commands/options:
  WORD < 65 char  Trustpoint label to associate keys and/or certs with

5510-OLD(config)# crypto ca export ASDM_TrustPoint1 ?

configure mode commands/options:
  identity-certificate  Export ID cert in PEM format
  pkcs12                Export to PKCS12 format

5510-OLD(config)# crypto ca export ASDM_TrustPoint1 pkcs12 ?

configure mode commands/options:
  WORD  Passphrase used to protect the pkcs12 file      // SAME PASSPHRASE FOR IMPORT

5510-OLD(config)# crypto ca export ASDM_TrustPoint1 pkcs12 cisco123

Exported pkcs12 follows:
-----BEGIN PKCS12-----
ABCDrwIBAzCCDWkGCSqGSIb3DQEHAaCCDVoEgg1WMIINUjCCDU4GCSqGSIb3DQEH
BqCCDT8wgg07AgEAMIINNAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQI8TJm
nN+U5TUCAQGAgg0I6uXZgqgd8GQX6Uzoxtwo7SpTBChK5JwHm4joiMtejnFwBd6q

<OUTPUT TRUNCATED>

Ovv9WbP2ABH7kjwQCXDTjTTjoGOiNs27KwAZ35h+LYTB36fTQXL5VqwwnPyxUp6o
PouLnTI1ztJJkLxQMsSXMPgpV5FMAi0LdAZfiTkWePUdwbwV4xYp+UYkTRHdk4Ez
Kx7OdFQ54E4IFu/HZVvWke509G3ROkHH+8yAHsJFaWExeQIiMD0wITAJBgUrDgMC
GgUABBTdNlD8PHam0stRBZK32os0BmrdQAQU99rJlI3qNx40t0AqZpijZ8RrqToC
WXYZ
-----END PKCS12-----


5525-NEW(config)# crypto ca import ASDM_TrustPoint1 pkcs12 cisco123

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:<ENTER>
ABCDrwIBAzCCDWkGCSqGSIb3DQEHAaCCDVoEgg1WMIINUjCCDU4GCSqGSIb3DQEH
BqCCDT8wgg07AgEAMIINNAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQI8TJm
nN+U5TUCAQGAgg0I6uXZgqgd8GQX6Uzoxtwo7SpTBChK5JwHm4joiMtejnFwBd6q

<OUTPUT TRUNCATED>

Ovv9WbP2ABH7kjwQCXDTjTTjoGOiNs27KwAZ35h+LYTB36fTQXL5VqwwnPyxUp6o
PouLnTI1ztJJkLxQMsSXMPgpV5FMAi0LdAZfiTkWePUdwbwV4xYp+UYkTRHdk4Ez
Kx7OdFQ54E4IFu/HZVvWke509G3ROkHH+8yAHsJFaWExeQIiMD0wITAJBgUrDgMC
GgUABBTdNlD8PHam0stRBZK32os0BmrdQAQU99rJlI3qNx40t0AqZpijZ8RrqToC
WXYZ<ENTER>
quit          // TYPE quit
INFO: Import PKCS12 operation completed successfully


8) Configure a CA Trustpoint on the ASA. If you skip the export/import step above and just copy/paste the trustpoint config onto the new ASA, the following errors are shown:

5525-NEW(config)# crypto ca trustpoint ASDM_TrustPoint1 
5525-NEW(config-ca-trustpoint)#  keypair ASDM_TrustPoint1
ERROR: Keypair ASDM_TrustPoint1 doesn't exist.


5525-NEW(config)# crypto ca certificate chain ASDM_TrustPoint1 
5525-NEW(config-cert-chain)#  certificate 123456
Enter the certificate in hexadecimal representation....
5525-NEW(config-pubkey)#     30820521 30820409 a0030201 02020313 7a39300$ 

<OUTPUT TRUNCATED>
 5525-NEW(config-pubkey)#   quit
ERROR: Public key contained in the device certificate doesn't match the device's     // YOU NEED TO IMPORT THE ASA PUBLIC KEY


5525-NEW(config)# crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
ERROR: Trustpoint not enrolled.  Please enroll trustpoint and try again.


Once the CA cert is imported on the new ASA, you can configure these commands:

5525-NEW(config)# crypto ca trustpoint ASDM_TrustPoint1
5525-NEW(config-ca-trustpoint)#  keypair ASDM_TrustPoint1
5525-NEW(config-ca-trustpoint)#  crl configure

5525-NEW(config)# crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

5525-NEW(config)# ssl trust-point ASDM_TrustPoint1 outside
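A pre-migration sanity check on the certificate, as an added example (not from this post or from Cisco): it parses the fields of the `show crypto ca certificate` output and warns when the subject CN would not match the VPN hostname, the validity window has lapsed, or the key or signature is weak, all of which produce the untrusted-server warning on the client. The sample output and the hostname vpn.local.net are constructed in the layout of the ASA output above.

```python
from datetime import datetime, timezone
import re

# Constructed sample in the layout of the ASA "show crypto ca certificate"
# output; the names and dates are assumed, not copied from a real device.
SAMPLE_OUTPUT = """\
Certificate
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=RapidSSL CA
  Subject Name:
    cn=*.local.net
  Validity Date:
    start date: 22:34:33 UTC Jun 15 2016
    end   date: 05:13:51 UTC Jul 18 2020
"""

def asa_time(text):
    """Parse an ASA timestamp such as '22:34:33 UTC Jun 15 2016' as UTC."""
    return datetime.strptime(text.strip(), "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)

def name_matches(cn, host):
    """RFC 6125-style match: a wildcard stands in for the whole leftmost label only."""
    if cn.startswith("*."):
        return host.count(".") >= 2 and host.split(".", 1)[1].lower() == cn[2:].lower()
    return cn.lower() == host.lower()

def parse_cert(output):
    """Pull the fields a migration check needs out of the show command output."""
    get = lambda pattern: re.search(pattern, output)[1].strip()
    return {"cn": get(r"Subject Name:\s*\n\s+cn=(\S+)"),
            "bits": int(get(r"RSA \((\d+) bits\)")),
            "sig": get(r"Signature Algorithm: (.+)"),
            "start": asa_time(get(r"start date: (.+)")),
            "end": asa_time(get(r"end\s+date: (.+)"))}

def check_cert(output, vpn_host, now_text):
    """Warnings for a cert about to be moved to the new ASA, as of ASA-format time now_text."""
    cert, now, warnings = parse_cert(output), asa_time(now_text), []
    if not name_matches(cert["cn"], vpn_host):
        warnings.append(f"CN {cert['cn']} does not match {vpn_host}; clients will see an untrusted-server warning")
    if not cert["start"] <= now <= cert["end"]:
        warnings.append(f"not valid on {now:%Y-%m-%d} (valid {cert['start']:%Y-%m-%d} to {cert['end']:%Y-%m-%d})")
    if cert["bits"] < 2048:
        warnings.append(f"RSA key is only {cert['bits']} bits")
    if cert["sig"].upper().startswith("SHA1"):
        warnings.append("SHA-1 signed certificate; modern clients distrust it, re-issue with SHA-256")
    return warnings
```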


For FirePOWER traffic redirection, I've configured a deny ACL to ensure AnyConnect clients are prevented from hitting the inspection policy (although it is SSL-encrypted traffic).

access-list FP-ACL extended deny ip 172.20.7.0 255.255.255.0 any 
access-list FP-ACL extended deny ip any 172.20.7.0 255.255.255.0
access-list FP-ACL extended permit ip any any

class-map FP-CMAP
 match access-list FP-ACL

policy-map global_policy
 class FP-CMAP
  sfr fail-open 


I tested the AnyConnect VPN after the migration; the client had to upgrade to AnyConnect 3.1 and connected to the ASA VPN server afterwards.


There are also scenarios where the AnyConnect VPN is established and you can access internal resources but there is NO Internet access. You'll need a NAT rule for VPN clients going out the outside interface, and you must permit traffic that arrives on the outside interface to go back out (U-turn or hairpin) on that same outside interface.

nat (outside,outside) after-auto source dynamic OBJ-ANYCONNECT interface     // OBJ-ANYCONNECT IS THE VPN POOL SUBNET OBJECT FROM STEP 3

same-security-traffic permit intra-interface

