
PART I: Client-based SSL VPN using ASDM and GNS3 Example

Introduction

IOS VPN versus ASA VPN

  • Both Cisco ISR and ASA provide IPsec and SSL VPN capabilities.

    • ISRs are capable of supporting as many as 200 concurrent users.

    • ASA can support from 10 to 10,000 sessions per device.

  • For this reason, the ASA is usually the choice when supporting a large remote networking deployment.

ASA Remote Access VPN Support
  • The ASA supports three types of remote-access VPNs:

    • Clientless SSL VPN Remote Access (using a web browser).

    • SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect client).

    • IPsec (IKEv1) VPN Remote Access (using Cisco VPN client).

Clientless versus Client-Based SSL VPN
  • Clientless SSL VPN (WebVPN):

    • Browser-based VPN that lets users establish a secure, remote-access VPN tunnel to the ASA using a web browser.

    • After authentication, users access a portal page and can access specific, supported internal resources.

  • Client-Based SSL VPN:

    • Provides full tunnel SSL VPN connection but requires a VPN client application to be installed on the remote host.

    • Requires Cisco AnyConnect VPN client to be installed on the host.

  • The AnyConnect client can be manually pre-installed on the host, or downloaded on-demand to a host via a browser.


NOTE The Cisco VPN Client is End-of-Life, so it is convenient to migrate to the Cisco AnyConnect VPN Client.

My GNS3 example is:

(Figure: GNS3 Example for Client-based SSL VPN)

I'm going to configure a Cisco ASA device for SSL VPN remote access using the Cisco AnyConnect client.

(Figure: GNS3 example)

Normally, the remote client is connected through the ASA’s outside interface, but here it is connected through the administration interface.

NOTE In my case, the TFTP server and the remote client are the same machine, to keep things simple.

I am using asa842 in GNS3:

  • The remote client (TFTP in my example) does not have the Cisco AnyConnect client pre-installed, and it’s connected through interface e0.

    • Therefore, the remote user will have to initiate a clientless SSL VPN connection using a web browser, and then download and install the AnyConnect client on the remote host.

  • Once installed, the host can exchange traffic with the ASA using a full tunnel SSL VPN connection.

Here the TFTP server is my computer, linked to the switch through a loopback interface. You can also use your real network card.

NOTE You cannot link the loopback interface directly to the ASA device, so you have to use a layer 3 switch for this to work. A layer 2 switch may also work, but that has to be tested on your topology.

Open the ASA device.

By default, the enable password is empty (press Enter; do not type anything).

Add the following activation key:

ciscoasa# activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5

NOTE Before starting the VPN configuration, the interfaces must be configured.

The basic setting is:

enable password cisco
interface GigabitEthernet0
 nameif administracion
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
username juantron password juantron privilege 15
! For HTTPS (ASDM) access: only 192.168.0.3, the IP address of the TFTP server, is allowed
http server enable
http 192.168.0.3 255.255.255.255 administracion

Run the show version command to check whether an ASDM image is loaded in flash. At this point the answer will be no.

So copy the following files to flash (the SolarWinds TFTP server is installed and running on my computer):

ciscoasa# copy tftp:asdm-647.bin flash:asdm-647.bin

ciscoasa# copy tftp:anyconnect-win-2.5.3055-k9.pkg flash:anyconnect-win-2.5.3055-k9.pkg

NOTE You may not need to do this on a real device. You can also use other versions.

To tell the device which ASDM image to load the next time the system reloads:

ciscoasa(config)# asdm image disk0:/asdm-647.bin

Finally:

ciscoasa# copy run start

ciscoasa# reload

After the ASA reloads, the ASDM image is shown in the output of the show version command.
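As an added example (not from the original post), here is a small Python check that audits a saved ASA configuration for the management-access settings configured above: an enable password, an asdm image line, http access limited to specific hosts, and local users whose password equals the username. The sample config, including the extra over-permissive http line on a hypothetical "outside" interface, is constructed for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the walkthrough's configuration, with one
# extra over-permissive 'http' line added on purpose (hypothetical values).
SAMPLE_CONFIG = """\
enable password cisco
interface GigabitEthernet0
 nameif administracion
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
username juantron password juantron privilege 15
http server enable
http 192.168.0.3 255.255.255.255 administracion
http 0.0.0.0 0.0.0.0 outside
asdm image disk0:/asdm-647.bin
"""

HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")
USER_RE = re.compile(r"^username (\S+) password (\S+)")


def audit_asdm_access(config, max_hosts=256):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]
    if not any(ln.startswith("enable password ") for ln in lines):
        findings.append("no enable password set (the ASA default is empty)")
    if not any(ln.startswith("asdm image ") for ln in lines):
        findings.append("no 'asdm image' configured; ASDM will not load")
    # Every 'http <net> <mask> <if>' line is an allow entry for the HTTPS/ASDM server.
    allow = [m for m in map(HTTP_RE.match, lines) if m]
    if "http server enable" in lines and not allow:
        findings.append("http server enabled without any 'http <net> <mask> <if>' restriction")
    for m in allow:
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if net.num_addresses > max_hosts:
            findings.append(f"http access from {net} on '{m.group(3)}' is too broad")
    # Only meaningful for plaintext passwords as shown above; a saved ASA
    # config stores them hashed ('password <hash> encrypted').
    for m in filter(None, map(USER_RE.match, lines)):
        if m.group(1) == m.group(2):
            findings.append(f"user '{m.group(1)}' has a password equal to the username")
    return findings
```

Running it against the sample flags the 0.0.0.0/0 http entry and the juantron/juantron account; removing both leaves an empty findings list.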

Configuring access to the ASA device from your computer

Open a web browser and go to: https://192.168.0.1

You will probably see one of the following:

(Figure: Configuring access to the ASA)

Use the username and password you created before.

Once the dm-launcher.msi file has been downloaded, double-click it to install it on your computer.
