Sunday, December 6, 2020

Configure Cisco AnyConnect in ASA Multiple Context Mode

I tried the popular Beef Wellington (English meat pie) at Bread Street Kitchen Marina Bay Sands, which is owned by celebrity chef Gordon Ramsay. The dining experience was nice and had free bread while waiting for my order. The serving was generous and the meat was very tender (ordered medium rare). I strolled around Garden's By the Bay afterwards and noticed most of the attractions such as the Floral Fantasy, Flower Dome and Supertree Skyway would need pre-purchased online tickets (no more walk-ins) due to COVID-19 crowd control and physical distancing.

 




You'll need to apply first the AnyConnect Apex license SKU/part: L-AC-APX-LIC= under the System context, which is a term based of 1-, 3- or 5-year subscription. The Apex license would take effect immediately and doesn't require a reboot. Also note the Total VPN peers supported on the specific platform (in this case 2500 max VPN sessions).

 

You can't use the default AnyConnect Premium Peers as it will display an error requiring for an Apex license.

 

ciscoasa/pri/act(config)# class AnyConnect

ciscoasa/pri/act(config-class)# limit-resource VPN AnyConnect 4

WARNING: Multi-mode remote access VPN support requires an AnyConnect Apex license

 

ciscoasa/pri/act/admin# changeto system

ciscoasa/pri/act# show version

 

<OUTPUT TRUNCATED>

 

 

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 300            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 10             perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual   // ANYCONNECT APEX LICENSE

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 2500           perpetual  

Total VPN Peers                   : 2500           perpetual   // TOTAL VPN SESSION SUPPORTED ON THE PLATFORM

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

IPS Module                        : Disabled       perpetual

Cluster                           : Enabled        perpetual

Cluster Members                   : 2              perpetual

 

This platform has an ASA5545 VPN Premium license.

 

 

Failover cluster licensed features for this platform:   // ACTIVE-STANDBY FAILOVER PAIR

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 300            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 12             perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 4              perpetual   // 2x FROM ACTIVE FW + 2x FROM STANDBY FW

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 2500           perpetual

Total VPN Peers                   : 2500           perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 4              perpetual

Botnet Traffic Filter             : Disabled       perpetual

IPS Module                        : Disabled       perpetual

Cluster                           : Enabled        perpetual

 

This platform has an ASA5545 VPN Premium license.

 

<OUTPUT TRUNCATED>

 

 

ciscoasa/pri/act# configure terminal

ciscoasa/pri/act(config)# activation-key 1c05d652 e83add97 3573e568 dcfc1234 07335678

Validating activation key. This may take a few minutes...

Both Running and Flash permanent activation key was updated with the requested key.

ciscoasa/pri/act(config)#

ciscoasa/pri/act(config)# show version

 

<OUTPUT TRUNCATED>

 

 

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 300            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 10             perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 2500           perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 2500           perpetual

Total VPN Peers                   : 2500           perpetual

AnyConnect for Mobile             : Enabled        perpetual

AnyConnect for Cisco VPN Phone    : Enabled        perpetual

Advanced Endpoint Assessment      : Enabled        perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

IPS Module                        : Disabled       perpetual

Cluster                           : Enabled        perpetual

Cluster Members                   : 2              perpetual

 

This platform has an ASA5545 VPN Premium license.

 

 

Failover cluster licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 300            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 12             perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 2500           perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 2500           perpetual

Total VPN Peers                   : 2500           perpetual

AnyConnect for Mobile             : Enabled        perpetual

AnyConnect for Cisco VPN Phone    : Enabled        perpetual

Advanced Endpoint Assessment      : Enabled        perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 4              perpetual

Botnet Traffic Filter             : Disabled       perpetual

IPS Module                        : Disabled       perpetual

Cluster                           : Enabled        perpetual

 

This platform has an ASA5545 VPN Premium license.

 

<OUTPUT TRUNCATED>

 

 

Create a VPN Resource Class and allocate the number of AnyConnect license under System context. You can divide the AnyConnect resource to other Resource Class but make sure their total equals to the maximum VPN count the platform supports. Since this is the only context using AnyConnect, I gave it the full 2500 count with a burst of up to 1500.

 

ciscoasa/pri/act(config)# class AnyConnect 

ciscoasa/pri/act(config-class)# limit-resource VPN ?

 

class mode commands/options:

  AnyConnect  AnyConnect Premium license limit. These are guaranteed for a

              context and shouldn't exceed the system capacity when combined

              across all contexts.

  Burst       Burst limit over the configured limit. This burst limit is not

              guaranteed. The context may take this resource if it is available

              on the device at run time.

  Other       Other VPN sessions which include Site-to-Site, IKEv1 RA and L2tp

              Sessions. These are guaranteed for a context and shouldn't exceed

              the system capacity when combined across all contexts.

  ikev1       Configure IKEv1 specific resources.

 

ciscoasa/pri/act(config-class)# limit-resource VPN AnyConnect ?

 

class mode commands/options:

  WORD  Value of resource limit (in <value> or <value>%)

 

ciscoasa/pri/act(config-class)# limit-resource VPN AnyConnect 2500

ciscoasa/pri/act(config-class)# limit-resource VPN Burst AnyConnect 1500

 

 

Create a new directory (I named it shared). Configure the new context to use/point on this new storage and add the AnyConnect Resource Class under the System context.

 

ciscoasa/pri/act(config)# mkdir shared

 

Create directory filename [shared]?

 

Created dir disk0:/shared

ciscoasa/pri/act(config)# context RA-VPN

Creating context 'RA-VPN'... Done. (1)

ciscoasapri/act(config-ctx)# member AnyConnect

ciscoasa/pri/act(config-ctx)#  description FOR ANYCONNECT RA VPN

ciscoasa/pri/act(config-ctx)#  allocate-interface GigabitEthernet0/0

ciscoasa/pri/act(config-ctx)#  allocate-interface GigabitEthernet0/1.50

ciscoasa/pri/act(config-ctx)#  config-url disk0:/RA-VPN.cfg

 

WARNING: Could not fetch the URL disk0:/RA-VPN.cfg

INFO: Creating context with default config

ciscoasa/pri/act(config-ctx)# storage-url shared disk0:/shared shared

 

 

Transfer the AnyConnect image from the main flash/disk0 space to the new shared directory.

 

ciscoasa/pri/act(config)# copy disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg disk0:/shared

 

Source filename [anyconnect-win-4.8.03052-webdeploy-k9.pkg]?

 

Destination filename [/shared/anyconnect-win-4.8.03052-webdeploy-k9.pkg]?

 

Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

 

<OUTPUT TRUNCATED>

 

 

ciscoasa/pri/act(config)# dir shared/

 

Directory of disk0:/shared/

 

107    -rwx  72771616     01:56:18 Oct 27 2020  anyconnect-win-4.8.03052-webdeploy-k9.pkg

 

 

Configure AnyConnect (webvpn) and the rest of the config in the new Context.

 

ciscoasa/pri/act(config)# changeto context RA-VPN

ciscoasa/pri/act/RA-VPN(config)# webvpn

ciscoasa/pri/act/RA-VPN(config-webvpn)# enable outside

ciscoasa/pri/act/RA-VPN(config-webvpn)# anyconnect enable

ciscoasa/pri/act/RA-VPN(config-webvpn)# anyconnect image shared:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 1


No comments:

Post a Comment