Anyconnect CLI config on ASA
Upload the .pkg file to the ASA
You can use ASDM to upload the .pkg file to disk0 on the ASA,
or you can copy it from your TFTP server:
copy tftp flash
enter the source IP
enter the source file name: anyconnect-win-3.1.05152-k9
destination file name: keep it the same, just hit Enter
! Here is the scenario
!
! Create a 'pool' of IP addresses that the ASA will allocate to the remote clients.
!
ip local pool MYANYCONNECTPOOL 10.10.10.10-10.10.10.60 mask 255.255.255.0
!
!
! Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect. We do this so that a user who doesn't have the AnyConnect software installed can log in to the WebVPN portal and download the installation package from there.
!
webvpn
enable outside
tunnel-group-list enable
! this command (entered in webvpn mode) enables the tunnel-group drop-down list on the WebVPN login page
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect enable
!
! Create a local username and password; you may instead use RADIUS or Kerberos AAA. Also create an ACL that we will use for split tunneling in a minute.
!
username raj password cisco123
!
access-list SPLIT-TUNNEL standard permit 20.20.20.0 255.255.255.0
!
! Create a group policy, define the tunnel protocol as ssl-client, and define what you want to do with your split tunnel.
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
!
! Create a matching tunnel-group that ties everything together. A tunnel group should have at least three attributes: type (remote-access), address pool, and authentication method.
!
tunnel-group Bangalore type remote-access
! Bangalore is the name of the profile that we will connect to.
tunnel-group Bangalore general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool MYANYCONNECTPOOL
tunnel-group Bangalore webvpn-attributes
! Now when you connect to the VPN it will by default land on the default WebVPN tunnel group, and you will get the drop-down list to select your tunnel group/profile. If you want to connect directly to your profile instead, this can be done with a "Group URL"; you need to add the following command additionally. I am not going to use it, so I am just putting the command here:
! group-url https://10.197.226.101/Bangalore enable
group-alias Bangalore enable
2-factor authentication example:
==========================
We can enable 2-factor authentication; with local authentication enabled it will ask for two local usernames and passwords. Normally this secondary authentication is done using either a certificate or AD, in association with a soft-token application.
Here is how we can test it using local authentication:
Using CLI:
============
tunnel-group Bangalore general-attributes
authentication-attr-from-server secondary
authenticated-session-username secondary
secondary-authentication-server-group LOCAL
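As an added example (not part of the original post and not a Cisco tool), here is a small Python audit script that parses a saved ASA configuration and checks the points made above: that each tunnel-group carries a type, an address pool and an authentication method, that the group-policy it references names a split-tunnel ACL that is actually defined, that webvpn is enabled with an AnyConnect image, and whether a secondary (2-factor) authentication server group is set. The embedded configuration is a constructed copy of the one built up in this post; the parser assumes the layout of the ASA's own `show running-config` output, where sub-commands are indented one space under the line that entered the mode. The finding texts and the assumption that a tunnel-group without `authentication-server-group` falls back to LOCAL are mine.

```python
"""Audit an ASA AnyConnect config snippet (added example, not the post's own code)."""
import ipaddress
import re
from collections import defaultdict

# Constructed copy of the post's configuration in the layout the ASA itself prints
# (sub-commands indented one space under the mode line; '!' lines are comments).
SAMPLE_CONFIG = """\
ip local pool MYANYCONNECTPOOL 10.10.10.10-10.10.10.60 mask 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
username raj password cisco123
access-list SPLIT-TUNNEL standard permit 20.20.20.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group Bangalore type remote-access
tunnel-group Bangalore general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool MYANYCONNECTPOOL
tunnel-group Bangalore webvpn-attributes
 group-alias Bangalore enable
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) (type|general-attributes|webvpn-attributes)(?: (\S+))?$")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")

def parse_asa_config(text):
    """Return (top-level lines, {mode line: [its indented sub-commands]})."""
    toplevel, sections, current = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            toplevel.append(current)
    return toplevel, sections

def audit_anyconnect(text):
    """Check each tunnel-group's type, pool and authentication, plus what they reference."""
    toplevel, sections = parse_asa_config(text)
    findings, pools, policies, groups, acls, local_users = [], {}, {}, {}, set(), []
    for line in toplevel:
        if m := POOL_RE.match(line):
            name, first, last, mask = m.groups()
            net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
            size = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
            pools[name] = {"network": str(net), "size": size}
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif line.startswith("username "):
            local_users.append(line.split()[1])
        elif m := GP_RE.match(line):
            for sub in sections[line]:
                if sub.startswith("split-tunnel-network-list value "):
                    policies[m.group(1)] = sub.split()[-1]  # group-policy -> split-tunnel ACL
        elif m := TG_RE.match(line):
            name, kind, value = m.groups()
            tg = groups.setdefault(name, {"type": None, "address_pool": None, "group_policy": None,
                                          "auth": "LOCAL", "two_factor": False})  # LOCAL assumed as default
            if kind == "type":
                tg["type"] = value
            for sub in sections[line] if kind == "general-attributes" else []:
                key, _, val = sub.partition(" ")
                if key == "address-pool":
                    tg["address_pool"] = val
                elif key == "default-group-policy":
                    tg["group_policy"] = val
                elif key == "authentication-server-group":
                    tg["auth"] = val
                elif key == "secondary-authentication-server-group":
                    tg["two_factor"] = True  # the post's 2-factor example
    web = sections.get("webvpn", [])
    for needed, msg in (("enable ", "not enabled on any interface"), ("anyconnect image ", "no anyconnect image"),
                        ("anyconnect enable", "'anyconnect enable' missing")):
        if not any(s.startswith(needed) for s in web):
            findings.append(f"webvpn: {msg}")
    for name, tg in groups.items():
        if tg["type"] != "remote-access":
            findings.append(f"tunnel-group {name}: type is not remote-access")
        if tg["address_pool"] not in pools:
            findings.append(f"tunnel-group {name}: address-pool missing or undefined")
        split_acl = policies.get(tg["group_policy"])
        if split_acl and split_acl not in acls:
            findings.append(f"tunnel-group {name}: split-tunnel ACL {split_acl} is not defined")
        if tg["auth"] == "LOCAL" and local_users:
            findings.append(f"tunnel-group {name}: authenticates against LOCAL users {local_users}")
        if not tg["two_factor"]:
            findings.append(f"tunnel-group {name}: no secondary authentication (2-factor) configured")
    return {"pools": pools, "tunnel_groups": groups, "findings": findings}

if __name__ == "__main__":
    print("\n".join(audit_anyconnect(SAMPLE_CONFIG)["findings"]))
```

Run against the sample it reports two findings for the Bangalore tunnel group: it authenticates against the LOCAL user database only, and no secondary authentication server group is configured. Appending the `secondary-authentication-server-group LOCAL` line from the CLI section above makes the second finding disappear, and removing the `address-pool` or the `SPLIT-TUNNEL` access-list line produces the corresponding missing-attribute finding.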
Using ASDM:
============
source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/vpn_asdm_setup.html