
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

You can view this article in the original Czech version.

VPN 6 - Configure SSL Remote Access VPN on Cisco ASA

Petr Bouška - Samuraj
Cisco no longer supports traditional IPsec VPN for remote user (and VPN Client) connections. Instead, it uses the new AnyConnect client and (modern) SSL VPN or IPsec IKEv2. In this article, we will look at the principle of SSL VPN as presented by Cisco and show how to configure it using ASDM.

What we will configure

Our goal is to create full access to the private corporate network using Remote Access full-tunnel Secure Sockets Layer (SSL) Virtual Private Network (VPN), simply put SSL VPN. We will use the Cisco Adaptive Security Appliance (ASA). We will perform almost the entire configuration using the Java application Cisco Adaptive Security Device Manager (ASDM).

Note: The description is based on Cisco ASA 5510 version 8.4(1) and ASDM version 7.1(5)100. The configuration should be similar for newer ASA versions, but may differ for older versions as various features have been added over time.

As a client, we will use the Cisco AnyConnect Secure Mobility Client, which is currently in version 3.1.05152. The client was originally called SSL VPN Client (SVC) and we will encounter the use of the SVC abbreviation in various events and error messages. The name using AnyConnect has also undergone several changes. Information about the client can be found in the Cisco AnyConnect Secure Mobility Client Data Sheet.

Cisco AnyConnect Secure Mobility Client

Cisco also has a mobile client for Apple iOS Cisco AnyConnect and selected phones with Google Android Samsung AnyConnect (you can find more apps for various devices on Google Play).

Samsung AnyConnect client

One of the features of SSL VPN is that you can connect to a web portal and it will automatically install the AnyConnect client, configure it, and connect you to the VPN. The detection and installation is done using ActiveX or Java.

Installing the AnyConnect client from the web

In this description, we will assume that the users who connect to the VPN are managed in Microsoft Active Directory. For authentication, we will use a RADIUS server which, as in the previous parts, has the useful property of being able to pass the Group Policy to the ASA. It is no problem to use another AAA group instead.

Licensing

I would describe the licensing on Cisco ASA as everything being licensed. We can look at the current licenses using the ASDM Configuration > Device Management > Licensing > Activation Key or the CLI command show version.

We won't go into the licenses in detail here, but will look at the ones that concern us most. For more information, I recommend the article Cisco ASA Licensing Quick Reference Guide or Managing Feature Licenses for Cisco ASA Version 9.1.

We automatically have IPsec licenses on the ASA, called Other VPN Peers. They cover Remote Access IPsec VPN with IKEv1 and Site to Site IPsec VPN IKEv1 and IKEv2. For SSL, we need AnyConnect Essentials or AnyConnect Premium, both of which cover Remote Access SSL VPN and Remote Access IPsec VPN with IKEv2.

Further, there are licenses for connecting special devices such as Cisco phones or mobile clients (iOS, Android). These licenses only enable the functionality; the connections themselves still consume AnyConnect licenses. So for mobile clients, we need the Cisco AnyConnect Mobile License (L-ASA-AC-M-55xx=), which fortunately costs only a few thousand crowns.

The difference between AnyConnect Essentials and AnyConnect Premium is important. The Essentials license (L-ASA-AC-E-55xx=) is relatively cheap: we buy it for the maximum number of connections (Total VPN Peers) for a few thousand crowns. In contrast, Premium (L-ASA-SSL-yy=) costs more than a thousand crowns per license and we buy a certain number of them (the licenses are not additive; to expand the number of clients we have to buy a special upgrade license). Premium mainly adds the ability to use Clientless SSL VPN and Cisco Secure Desktop (which also includes Host Scan, checking the client before the connection).

The complication is that we cannot use the Essentials and Premium licenses simultaneously. Although both can be installed, AnyConnect Essentials is the one active by default; we can turn it off to activate AnyConnect Premium.

ASA(config-webvpn)# no anyconnect-essentials

Or turn it back on.

ASA(config-webvpn)# anyconnect-essentials

We can also set the choice in the ASDM under Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials. The CLI command and the ASDM item can only be used if we have the AnyConnect Essentials license installed. A more detailed description is in the article Understanding Cisco ASA AnyConnect Licensing.

License switching problem

In practice, I encountered an interesting situation. On the ASA, I had both the Essentials license (inactive) and the Premium. I was using various types of VPNs including Clientless. I added a new license that expanded the number of Premium users. After some time, someone wanted to use Clientless VPN, but got an error message that VPN access was not allowed. Also in the ASA log, it said that SVC not enabled for the user. It took me a while to figure out that when I added the new Premium license, the AnyConnect Essentials mode was reactivated and I had to switch it.

Clientless SSL VPN license problem

What the SSL VPN configuration on Cisco ASA consists of

To be able to configure SSL VPN, we need a Cisco ASA appliance with the necessary license and an SSL certificate, we need to perform the basic ASA configuration (briefly mentioned in VPN 2 - Introduction to Cisco ASA and VPN Options), configure ASA communication (interfaces, NAT, etc., mentioned in VPN 3 - Configuration IPsec Remote Access VPN on Cisco ASA), and finally perform the actual SSL VPN configuration on the ASA.

Documentation

There are plenty of documents on the internet about setting up SSL VPN on ASA. The official materials are summarized at the address Cisco ASA 5510 Adaptive Security Appliance and the guide directly relevant to our topic is the Cisco ASA 5500 SSL VPN Deployment Guide, Version 8.x or the Book 3: Cisco ASA Series VPN ASDM Configuration Guide 7.1 - General VPN Setup. We can also look at a simple video tutorial Cisco ASA AnyConnect Remote Access VPN Configuration: Cisco ASA Training 101.

Recently, a friend pointed out some interesting Cisco documents that I had heard about before but never looked at. These are the older Design Zone for Smart Business Architecture (SBA) and the newer Cisco Validated Design Program (CVD). For SSL VPN configuration, there is the document Remote Access VPN - technology design guide. It is a very detailed description of the configuration. There is not much explanation, but as a configuration guide, it is not bad.

SSL vs. DTLS

Cisco SSL VPN typically uses SSL (Secure Sockets Layer) or TLS (Transport Layer Security), which run over TCP (Transmission Control Protocol). The exact protocol is negotiated based on the server settings and client capabilities. We can also enable the use of Datagram Transport Layer Security (DTLS), which runs over UDP (User Datagram Protocol). DTLS is based on TLS and has better properties, especially for applications that are sensitive to latency (such as voice and video).

Main configuration parts

The configuration of SSL VPN on Cisco ASA follows the same basic principle as IPsec VPN. But the security settings area (SSL vs. IPsec) is significantly simpler. Part of the configuration is shared with Clientless SSL VPN, and the two influence each other. Various related information can be found in the previous parts of this series, but I have tried to summarize everything essential here.

On the ASA, we can create all three VPN types at the same time and either distinguish them for different users using different Connection Profiles and Group Policies, or enable all of them together. If Clientless VPN and SSL VPN are enabled on the Connection Profile, then after connecting to the web page, a portal will be displayed that has a new item AnyConnect - Start AnyConnect. If we only have SSL VPN enabled, we can also use the portal page (or directly access with the client), but there the web-based client installation wizard will start immediately.

Main parts of SSL VPN configuration:

  • AnyConnect Connection Profiles (formerly Tunnel Group) - profile - defines key values for session creation, such as authentication (we can also handle authorization and accounting), IP address assignment (Address Pool), set the default Group Policy, enable the use of the SSL, IPsec(IKEv2) protocols, assign DNS servers, set the Connection Alias and Group URL
  • Group Policies - policy - determines the properties of network access after connecting to the VPN and contains authorization attributes, i.e. we restrict and manage client access, set the allowed protocols (SSL, IPsec IKEv2, IPsec IKEv1, L2TP/IPsec, Clientless SSL), we can add a welcome Banner, set address assignment (Address Pool), apply ACLs (access filtering), access restrictions (to certain VLANs, by time, NAC Policy, maximum connection time, inactivity), use only with a specific Connection Profile, assign DNS servers, Split Tunneling, AnyConnect client settings (enabling DTLS, SSL compression, assigning Client Profile, MTU, keepalive, portal page behavior, firewall settings, etc.)
  • AnyConnect Client Profile - client profiles (XML files) that are downloaded after connecting to the VPN and configure client properties (we set behavior and whether the user can change them), associate with Group Policy
  • AnyConnect Client Software - an optional feature that allows installing clients via the web, here we only add client packages for different OSes
  • AnyConnect Customization/Localization - optionally, we can customize the client, such as adding a company logo or creating a custom translation
ASDM - SSL Remote Access VPN

SSL VPN connection establishment process

If we use the AnyConnect application to establish the SSL VPN, multiple sessions are established:

  • first the Parent-Session (Parent-Tunnel) is established; this is the main session where authentication occurs, and it is also used for reconnection (when connecting to Clientless VPN, it is called WebVPN-Session)
  • then the SSL-Tunnel is established - this session is used for data transfer, and depending on the settings, it may attempt to establish DTLS
  • optionally, the DTLS-Tunnel is established - if it is established, the data is sent through this channel instead of SSL

The only information I found on this topic is the AnyConnect FAQ: Tunnels, Reconnect Behavior, and the Inactivity Timer.

The connection establishment process (for the two sessions) is roughly as follows:

  • Connection Profile is either chosen on the login dialog, or the default DefaultWEBVPNGroup is used
  • start SSL handshake > establish SSL session
  • AAA user authentication, e.g. RADIUS - allows setting user attributes, such as Group Policy
  • the Dynamic Access Policy (DAP) to be used is selected, the DfltAccessPolicy is used by default, and the Group Policy is applied
  • this establishes the Parent-Session and the data session establishment continues
  • IP address assignment (IPAA) is performed according to the settings of the selected Connection Profile (tunnel-group) or another configured address source
  • Group Policy and Dynamic Access Policy are applied
  • the SVC session (SSL VPN Client) is established and an IP address is assigned to the session

Profile (Connection Profile) assignment

Connection Profile is the main object that covers the entire VPN connection. A Group Policy is assigned to it, and other properties are linked to it. Essentially, I only know of two ways we can choose the Connection Profile when connecting to SSL VPN. We can offer the user a choice of profiles when logging in (and nothing prevents them from selecting any of the offered ones). In the configuration of AnyConnect Connection Profiles, we enable the choice:

Allow user to select connection profile on the login page.

For the profiles we want to offer, we set the Connection Alias (Group Alias) and those are the items we choose when logging in.

AnyConnect Connection Profiles

Alternatively (or together), we can set a Group URL for some profiles. This is an address that we can provide to users and the given profile will be used automatically (even if selection is allowed, the list of profiles is not offered, and selection may not need to be allowed). We can use this URL in the browser (access through the portal) or in the client.

Connection Profile - Group Alias / Group URL

Probably the only other option is that we don't allow profile selection, and the default profile DefaultWEBVPNGroup is used automatically. Since we can override most properties using the Group Policy and we don't have to choose it from the profile (see next chapter), we can usually be satisfied with the default profile. The only restriction is that on the profile we choose the authentication method, so with a common profile we cannot have different login types (such as RADIUS and local users).

Policy (Group Policy) assignment

Almost all connection parameters, and the connection itself (including whether it is allowed at all), can be controlled using Group Policy. So it is crucial how the policy is assigned to the established connection. We can assign the Group Policy from the Connection Profile or assign it to the user. Local users on the ASA have a policy choice directly in their parameters. When using external authentication, we can pass the policy information from the AAA server. For example, with a RADIUS server this is done using RADIUS attribute 25; a brief description is in VPN 4 - Configuration Cisco Clientless SSL VPN on Cisco ASA. With an LDAP server, we can map certain LDAP attributes to authorization attributes (including policy assignment).

If we decide to use policy assignment to securely control access to the VPN (e.g. by placing the user in an AD group and passing the parameter from the RADIUS server), we must also configure the default policy DfltGrpPolicy carefully. If no other policy is assigned to the user, the default one is applied, which could grant VPN access to a user we did not want to give it to. The parameters in the default policy are also inherited by the other policies (wherever we choose Inherit).

For setting individual user authorization attributes (attribute-value pair - they are part of the Group Policy), we can also use the Dynamic Access Policy (DAP). We can compare various criteria during the session establishment and set values accordingly.

Because there are several places where the policy or even some attributes can be set, it is important to understand the evaluation order (Policy Enforcement). Settings from different places are combined, and if a conflict occurs, the newer ones overwrite the older ones.

  1. default Group Policy (DfltGrpPolicy) - global settings for everyone
  2. Group Policy assigned from Connection Profile - policy based on the connection profile
  3. Group Policy assigned to the user - e.g. from the RADIUS server
  4. user attributes from the AAA server - after user authentication, values can be received from the RADIUS or LDAP server
  5. Dynamic Access Policy - has the highest priority, what is set here, wins

SSL VPN configuration process in practice

I did not have a clean ASA available, but used one where the configuration was already complete from the previous parts of the series (IPsec and Clientless SSL VPN). So I didn't have to perform all the steps, but I'll still try to mention them and hope I don't miss anything.

At the beginning, it's a good idea to draw a diagram with the used addresses and ranges. For example, we need to prepare (think through) the subnet from which VPN clients will get their addresses. The setup is the same as in the previous parts.

IPsec VPN network diagram

Note: In the following description, I always mention the path within ASDM where the configuration of the current property is located. Many minor configurations (such as the Address Pool) can be invoked from the configuration of the parent function (for addresses e.g. Connection Profile).

1. ASA device configuration

I described the ASA configuration from the communication point of view in the article VPN 3 - Configuration IPsec Remote Access VPN on Cisco ASA and with this configuration, the SSL VPN also worked for me. I will repeat it again here and change some things a bit, hopefully correctly.

Configuration > Device Setup > Device Name/Password

Hostname: ASA, domain: company.local, password for privileged mode.

Configuration > Device Setup > Interfaces

The security level ranges from 0 (lowest, the outside) to 100 (the internal network) and separates the networks: by default, communication is allowed from a higher security level to a lower one, but not the other way around. We assign names to the interfaces that will be used later.

Ethernet0/0, name outside, security level 0, IP 86.55.13.15/24
Ethernet0/1, name inside, security level 100, IP 10.240.0.1/24
Management0/0, name management, IP 192.168.1.1/24

We can consider enabling two items at the bottom of the page:

Enable traffic between two or more interfaces which are configured with same security levels
Enable traffic between two or more hosts connected to the same interface

Configuration > Device Setup > Routing > Static Routes

Add a default route towards the internet (so that replies to VPN clients connecting from the internet can be returned to them).

outside, any, 86.55.13.254, 1

Add a tunneled default route for clients inside the VPN (traffic arriving through the tunnel from clients with an IP address from the VPN range is forwarded to the internal network via this route).

inside, any, 10.240.0.254, 255, Tunneled

We may also need to add a route for access to the RADIUS servers (and others such as Syslog, NTP).

Configuration > Device Setup > System Time > NTP and Clock

Set the NTP server and time zone.

Configuration > Device Management > Logging > Logging Setup

It's a good idea to enable logging (Enable logging) and possibly configure more.

Configuration > Device Management > DHCP > DHCP Server

By default, DHCP is enabled on the management interface, if we don't need it, we can disable it. In our case, we only use ASA DHCP for clients inside the VPN, so it doesn't need to be enabled here.

Configuration > Firewall > Access Rules

For information only, we don't need to change anything here. At the bottom of the page, we choose IPv4 Only. In the Global section, there are rules that apply everywhere, by default there is a final deny any any rule. On the inside interface, we have an implicit rule that allows communication to networks with a lower security level.

Configuration > Firewall > NAT Rules

NAT on Cisco devices is a discipline in itself; the description is available in the Cisco article Information About NAT. If we have address translation (NAT) enabled on the ASA (if we only use the VPN functionality, we don't need it), we need to set an exemption so that the VPN traffic is not translated.

  • from inside to outside, from any to VPN_subnet, both directions, static NAT - CLI command nat (inside,outside) source static any any destination static VPN_subnet VPN_subnet

Network Objects - when setting up NAT, we create an object:

  • VPN_subnet - 10.240.0.0/24

Note: At the top of the menu, we can use the Diagram button, which roughly outlines the schema of a particular rule, or the Packet Trace, which simulates communication.
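The same device configuration expressed in ASA CLI, as an added example and not a configuration taken from the original article. It uses the interface names, addresses and routes from the steps above (ASA 8.4 syntax); the enable password, the NTP server address, the time zone and the security level of the management interface are placeholders or assumptions.

```cisco
! --- Device name, domain, privileged-mode password (placeholder) ---
hostname ASA
domain-name company.local
enable password <ENABLE-PASSWORD-PLACEHOLDER>
!
! --- Interfaces (names and security levels as in the ASDM steps) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 86.55.13.15 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.240.0.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
! --- The two optional items at the bottom of the Interfaces page ---
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! --- Static routes: default route to the internet and the tunneled default route ---
route outside 0.0.0.0 0.0.0.0 86.55.13.254 1
route inside 0.0.0.0 0.0.0.0 10.240.0.254 255 tunneled
!
! --- Time and logging (NTP address and time zone are assumptions) ---
ntp server 10.240.0.10
clock timezone CET 1
logging enable
!
! --- DHCP server on the management interface is not needed in this setup ---
no dhcpd enable management
!
! --- NAT exemption so VPN client traffic is never translated ---
object network VPN_subnet
 subnet 10.240.0.0 255.255.255.0
nat (inside,outside) source static any any destination static VPN_subnet VPN_subnet
```

The `tunneled` keyword on the second default route is what makes it apply only to traffic that arrived through a VPN tunnel; without it the two default routes would conflict.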

2. SSL VPN configuration

We could use the wizard in the menu Wizards - VPN Wizards - AnyConnect VPN Wizard to configure it, but I prefer manual configuration, where I have an overview of what and where I'm configuring. It doesn't really differ much from the wizard and the wizard still won't set everything up.

Brief configuration

  • choose the VPN protocol, its parameters and the certificate
  • add the VPN client image (AnyConnect)
  • set up authentication (AAA server group)
  • create an address range for the VPN
  • configure DHCP for remote clients
  • configure DNS servers, NAT
  • configure the AnyConnect Client Profile
  • create a Group Policy
  • create a Connection Profile

Configuration > Remote Access VPN > Certificate Management > CA Certificates

Install the certificate of the Certificate Authority (CA) that issued the ASA certificate used for SSL VPN (a .cer file).

Configuration > Remote Access VPN > Certificate Management

Install the certificate for the ASA and SSL VPN (together with the private key, a .pfx file).

Tools > File Management

Upload (or verify that it exists) the AnyConnect image for web installation (AnyConnect web deployment packages - PKG files). For Windows, the latest is currently anyconnect-win-3.1.05152-k9.pkg

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software

Add one or more client images (AnyConnect image) that we uploaded in the previous step. A record is created that the given image can be used.

Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups

Prepare an AAA Server Group for authentication, for example RADIUS, and insert the address into it.

Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools

Prepare an address range for assigning to clients within the VPN, VPN_Pool - 10.240.0.100 to 10.240.0.200.

Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Assignment Policy

Verify that we have (only) Use internal address pools checked.

Configuration > Remote Access VPN > DNS

Enter the DNS servers and internal domain.

Configuration > Remote Access VPN > Advanced > SSL Settings

Add the allowed encryption algorithms (e.g. only AES and 3DES), we can require TLSv1 for the server. We also see the certificates assigned to the individual interfaces.

Configuration > Remote Access VPN > Network (Client) Access > Group Policies

We've already talked about policies. Now we need one that we will use for our connection. We can create one or more (and use them to control properties) or use the default DfltGrpPolicy. In our example, we will create a new policy AnyConnect_group and leave almost all the values Inherited from the default policy. Only in the General tab, we expand More Options and in the tunneling protocols we check SSL VPN Client (this option should later be checked automatically when assigning the policy to the profile, but it's safer to set it manually).

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile

Add a new profile for connecting, e.g. Client_profile. Choose Edit, switch to the Server List and add a new server (it is strictly recommended to have at least one server defined, the address is used for session matching). Fill in either just the Host Display Name, in which case we enter the DNS address of the VPN connection (FQDN, or IP address), e.g. vpn.company.com. Or enter an alias in the Host Display Name, and below enter the FQDN or IP Address. Finish editing, mark the profile and click Change Group Policy and assign one or more policies (i.e. AnyConnect_group) that should use this profile.

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

At the top of the page, we enable the use of SSL VPN by checking Enable Cisco AnyConnect VPN Client Access on the Interfaces Selected in the Table Below. Then we enable SSL Access for a specific interface. Ours is called outside. Allow Access uses the HTTPS protocol, Enable DTLS additionally enables the DTLS protocol.

If we want to use a profile other than the default DefaultWEBVPNGroup, we need to enable the setting on the page that allows selecting the profile. Only profiles with the Aliases value set will appear in the selection. Of course, it's also possible to use the Group URL, all of which we described in the previous paragraphs.

Allow user to select connection profile on the login page.

We create a new profile or configure the default DefaultWEBVPNGroup. On the profile, we set:

  • Method: AAA
  • AAA Server Group: our AAA group
  • Client Address Pools: VPN_Pool
  • Default Group Policy: AnyConnect_group
  • check Enable SSL VPN client protocol

If we want to enable profile selection or connection address, we switch to the Advanced > Group Alias/Group URL tab and add an Alias, e.g. AnyConnect, and a Group URL, e.g. https://vpn.company.com/AnyConnect.

If we use RADIUS for authentication with the MS-CHAPv2 protocol, we need to enable password management on the ASA (otherwise the authentication will fail and we'll get the message Login failed.). It is described in more detail in the article on IPsec VPN, where the configuration was done using the CLI. In the current ASDM version, we can do it directly on the profile: switch to the Advanced > General tab and check Enable password management.
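The SSL VPN part of the configuration (steps from the certificate through the Connection Profile) expressed in ASA 8.4 CLI, as an added example that is not configuration from the original article. The pool, policy, profile and alias names are those used in the steps above; the AAA group name RADIUS_Group, the RADIUS/DNS server address 10.240.0.10, the shared secret placeholder, the trustpoint name ASA_Cert (created when the pfx is imported), the tunnel-group name AnyConnect_TG and the profile path disk0:/client_profile.xml are assumptions.

```cisco
! --- AAA server group used for authentication (address and secret are assumptions) ---
aaa-server RADIUS_Group protocol radius
aaa-server RADIUS_Group (inside) host 10.240.0.10
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
 authentication-port 1812
 accounting-port 1813
!
! --- Address pool for VPN clients and the assignment policy (internal pools only) ---
ip local pool VPN_Pool 10.240.0.100-10.240.0.200 mask 255.255.255.0
vpn-addr-assign local
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
!
! --- DNS servers and internal domain ---
dns server-group DefaultDNS
 name-server 10.240.0.10
 domain-name company.local
!
! --- SSL settings: allowed ciphers, TLSv1 on the server side, certificate on outside ---
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl server-version tlsv1
ssl trust-point ASA_Cert outside
!
! --- Enable AnyConnect on the outside interface, register the client image and profile ---
webvpn
 enable outside
 dtls port 443
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect profiles Client_profile disk0:/client_profile.xml
 anyconnect enable
 tunnel-group-list enable
!
! --- Group Policy: allow only the SSL client protocol, attach the client profile ---
group-policy AnyConnect_group internal
group-policy AnyConnect_group attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value Client_profile type user
!
! --- Connection Profile (tunnel-group): AAA, pool, default policy, password management ---
tunnel-group AnyConnect_TG type remote-access
tunnel-group AnyConnect_TG general-attributes
 address-pool VPN_Pool
 authentication-server-group RADIUS_Group
 default-group-policy AnyConnect_group
 password-management
tunnel-group AnyConnect_TG webvpn-attributes
 group-alias AnyConnect enable
 group-url https://vpn.company.com/AnyConnect enable
```

`tunnel-group-list enable` corresponds to the ASDM checkbox Allow user to select connection profile on the login page; `group-alias` is what appears in that list, and `group-url` selects the profile without showing the list at all.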

sysopt connection permit-vpn

When I studied the information on configuring SSL VPN, I also came across a mention that the above command sometimes needs to be used. This command should be enabled by default and ensures that the VPN traffic bypasses the ACL on the interface. More information at Cisco Verify that sysopt Commands are Present (PIX/ASA Only). To check whether the command is set:

ASA# show running-config all sysopt
sysopt connection permit-vpn

Error No address available for SVC connection

This error can occur in many cases after connecting to the VPN using the AnyConnect client. The error occurs when authentication has already been successful and the client is supposed to be assigned an IP address from the VPN range. Possible causes:

  • We haven't set up an address range or allowed assignment
  • We expect the client to use a specific AnyConnect Connection Profile that we have set up, but in reality the default DefaultWEBVPNGroup is used, where we haven't set up address assignment. This may be because we haven't enabled Allow user to select connection profile on the login page.
AnyConnect Client error

Comments
  1. [1] Vítek

    Quite a blast ;-)

    Monday, 10.03.2014 21:09 | answer
  2. [2] warr

    A Connection Profile can also be assigned here: Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps

    Wednesday, 21.05.2014 13:58 | answer
  3. [3] Samuraj

    reply to [2] warr: Yes, I describe this option in another part. However, it means certificate authentication, which we do not cover in this part.

    Wednesday, 21.05.2014 14:22 | answer
  4. [4] Petr

    On my tablet it says: System configuration settings cannot be applied. The VPN connection will not be created.

    The tablet has Android 4.1.1 and I can't get it working; on a phone with Android 4.0.1 it runs fine. Do you know where the problem is???

    Thanks in advance

    Wednesday, 13.08.2014 08:18 | answer