Basic Configuration of Remote Access VPN using AnyConnect.

Sadananda.S
Jun 21, 2023

In today’s interconnected world, remote access has become an essential component of many organizations’ operations. Remote Access Virtual Private Network (VPN) solutions provide secure and convenient access to corporate networks from remote locations. One such popular combination is Cisco AnyConnect VPN client and Cisco ASA firewall. In this blog, we will explore the basics of remote access VPN and how to set it up using AnyConnect and ASA firewall.

What is Remote Access VPN?

Remote Access VPN allows users to connect securely to a corporate network over the internet. It establishes an encrypted tunnel between the remote user’s device and the corporate network, ensuring data confidentiality and integrity. With remote access VPN, employees can access internal resources such as files, applications, and services as if they were physically present in the office.

Remote VPN

In this example, I will be using an ASA Firewall to configure SSL/IPsec client-based VPN, and AnyConnect will be the software installed on remote client devices.

First and foremost, we need to ensure reachability to the VPN-configured Firewall. I have utilized the following topology to establish a secure connection to the internal network.

One of the primary objectives is to create a secure tunnel that allows access solely to the on-premises private network, while still enabling normal internet access through the ISP-provided network.

TOPOLOGY

I used the following commands to establish reachability. Traffic to the private network takes the left path in the topology, while traffic to the internet takes the right path.

Devices with IP
=================
ASA - Inside - 100.1.1.100
    - Outside - 10.10.10.100
    - Configured using ASDM and the CLI.

WebServer - 100.1.1.10 and 1.1.1.1
Domain Name - Private.com

DNS-Server - 10.10.10.10

Client End Router - 10.10.10.1
Sales - 172.16.2.100, Host - 172.16.2.1

Web_SERVER
=====
enable
configure terminal
hostname WEB_SERVER
interface GigabitEthernet0/0
 ip address 100.1.1.10 255.255.255.0
 no shutdown
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
! Embedded HTTP server that the remote clients will browse to
ip http server
!
! HTTP users are authenticated against the local user database
ip http authentication local
!
username <name> privilege 15 password <password>
!
! Default route points at the ASA inside interface
ip route 0.0.0.0 0.0.0.0 100.1.1.100
!
==================

ASA
====

hostname GW
!
! Inside interface faces the web server segment (100.1.1.0/24),
! matching the device table above and the routes below
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 100.1.1.100 255.255.255.0
 no shutdown
!
! Outside interface faces the client-end router (10.10.10.0/24)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.100 255.255.255.0
 no shutdown
!
interface Management0/1
 nameif mgmt
 security-level 100
 ip address dhcp
 no shutdown
!
! ASDM access, restricted to the management subnet
http server enable
http 10.20.20.0 255.255.255.0 mgmt
!
username anand password cisco privilege 15
!
! Default route towards the client-end router; the web server's
! loopback network is reached through the inside interface
route outside 0.0.0.0 0.0.0.0 10.10.10.1
route inside 1.1.1.0 255.255.255.0 100.1.1.10

!!Creating Certificate

! 1024 bits is the lab value used here; use at least 2048 bits in
! production (recent ASA releases reject smaller RSA keys)
crypto key generate rsa label cciekey modulus 1024
!
! Self-signed identity certificate for the SSL VPN
crypto ca trustpoint ccie
 enrollment self
 fqdn private.com
 subject-name CN=private.com
 keypair cciekey
!
crypto ca enroll ccie

==========

!!DNS server

enable
configure terminal
hostname DNS_SERVER
interface GigabitEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 no shutdown

!!!Router

enable
configure terminal
! Towards the ASA outside interface
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 no shutdown

! Client-facing segments
interface GigabitEthernet0/1
 ip address 172.16.1.100 255.255.255.0
 no shutdown

interface GigabitEthernet0/2
 ip address 172.16.2.200 255.255.255.0
 no shutdown

! Default route for internet-bound traffic
ip route 0.0.0.0 0.0.0.0 192.168.163.2

To access the firewall using ASDM Manager, follow these steps:

  • Launch the ASDM Manager.
  • Navigate to the VPN Wizard.
  • Select SSL Client VPN.
  • Proceed with the following steps:
    • Create a profile and select the outside interface.
    • Add the created certificate.
    • Add the client package image.

Add an authentication profile, i.e. the user credentials. We can use the local database or any AAA profile.

Create a pool of IP addresses that remote clients will use to access the private servers.

These addresses are assigned to connected clients, and the private server only allows access from them.

Add DNS servers, if any, and exempt the VPN traffic from NAT if NAT is configured.

Check that everything is properly configured.

Now go to Configuration, then SSL Client, and open Group Policy.

  • Add the pool and profile.
  • Configure split tunnelling so that only traffic to the private servers uses the tunnel.
  • Configure the client options.
  • Go to the client profile and edit the DNS settings.
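The same wizard and group-policy steps expressed on the ASA CLI, added here as an example and not taken from the original post. The trustpoint ccie, DNS server 10.10.10.10, domain private.com and private network 1.1.1.0/24 come from the configuration above; the pool range, package filename, user name and object names are assumptions.

```cisco
! Present the self-signed certificate from trustpoint "ccie" and enable
! AnyConnect (SSL client VPN) on the outside interface
ssl trust-point ccie outside
webvpn
 enable outside
 ! package filename is a placeholder for the uploaded client image
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Address pool handed to connected clients (range is an assumption)
ip local pool SALES_POOL 192.168.50.1-192.168.50.50 mask 255.255.255.0
!
! Split-tunnel list: only the private web server network is tunnelled,
! everything else stays on the ISP path
access-list SPLIT_TUNNEL standard permit 1.1.1.0 255.255.255.0
!
group-policy SALES_GP internal
group-policy SALES_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dns-server value 10.10.10.10
 default-domain value private.com
!
! Connection profile: local user database, pool and group policy; the
! alias is what the user selects in the AnyConnect drop-down
tunnel-group SALES_TG type remote-access
tunnel-group SALES_TG general-attributes
 address-pool SALES_POOL
 default-group-policy SALES_GP
 authentication-server-group LOCAL
tunnel-group SALES_TG webvpn-attributes
 group-alias Sales enable
!
! Local user (name and password are placeholders)
username sales1 password <password>
username sales1 attributes
 vpn-group-policy SALES_GP
!
! NAT exemption, needed only if NAT is configured between inside and
! outside: keeps the pool addresses unchanged as seen by the private server
object network PRIVATE_NET
 subnet 1.1.1.0 255.255.255.0
object network SALES_POOL_NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static PRIVATE_NET PRIVATE_NET destination static SALES_POOL_NET SALES_POOL_NET no-proxy-arp route-lookup
```

A second user set with its own pool repeats the pool, group-policy and tunnel-group sections under new names; `show vpn-sessiondb anyconnect` on the ASA lists the connected clients and the pool address each one received.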

Now we configure the client device.

  • Access the firewall using a browser.
  • Download the client and log on using the credentials.
  • The split tunnel shows the secured and unsecured routes.

We can see that only 1.1.1.1 is routed through the tunnel; the remaining traffic uses the ISP path.

Traceroute to the private server and to Google (public internet)

The private server is reached directly through the tunnel, while Google traffic passes through the ISP path.

Private web server traffic showing the pool IP accessing the server.

So, we have successfully configured remote access VPN. In the topology I have created another set of users, such as Finance. You can give them a separate pool of IP addresses by configuring another client profile using the same steps above.

In conclusion, implementing a remote access VPN is a crucial step towards ensuring secure and efficient connectivity for remote users. By leveraging robust protocols like SSL/IPsec and utilizing reliable software such as AnyConnect, organizations can establish a strong layer of encryption and controlled access to their internal network. Remote access VPNs offer a seamless solution for remote workers, enabling them to securely access critical resources while working from anywhere in the world. In today’s era of increased remote work and flexible arrangements, a well-executed remote access VPN solution is a fundamental requirement for organizations to safeguard data privacy and maintain a high level of security. By embracing remote access VPN technology, businesses can empower their workforce while ensuring confidential information remains protected.
