This is certainly not the first article on "Quick Guide to building a VPN using Cisco devices, however, we still hope that this guide will become an all-in-one guide for users who use ASA 5505 devices to set up VPN and connect to the Internet.
The ASA itself has a setup wizard, but this wizard does not cover all aspects of work required by the user, and some steps are vague, making it difficult for the user to adapt. In fact, our work can be divided into four steps: Set SSL authentication, configure VPN, then set the correct NAT rules, and finally enable split-tunneling if necessary. SSL Authentication allows users to access intranet resources from the Internet through an encrypted tunnel. In the following illustration, the self-signed authentication method is used for testing. If it is a practical application, you should obtain the SSL certificate through a third-party certification authority. VPN settings are relatively simple. Then we will introduce in detail the content and configuration steps of the wizard. The last step allows users to access both Intranet and Internet information. The following are the configuration steps for the experiment environment. The test environment can be connected to the Intranet and Internet, and DMZ is configured, and Cisco ASDM and CLI are installed.
Set SSL Certificate
Click the Configuration button at the top and select Remote Access VPN
Click Certificate Management and then click Identity Certificates
Click Add and select Add a new identity certificate.
Click New and enter a New VPN name (such as VPN)
Click Generate Now.
You need to enter FQDN (full name domain name), such as CN = vpn.domain.com, and then click OK.
Select Generate Self Signed Certificate and click Add Certificate.
Click OK.
Set AnyConnect Remote Access VPN:
Click Wizards and enter the VPN wizard interface.
Select AnyConnect ssl vpn Client (AnyConnect VPN Client)
Select a connection name (such as VPN)
Make sure that the Outside interface is selected.
Select the certificate we just created from the certificate drop-down menu.
Note the ip address used to access the VPN from the client (for example, ip. add. re. ss: 444)
Click Next
You can use a local database user (several users created by yourself) or LDAP information (for example, your active directory user)
Click Next
Create a new policy and name it (for example, AnyConnect). Then click Next
Click New to create an address pool for the user. Do not use the same subnet as the Intranet. For example, if the Intranet uses 192.168.100.0/24, the VPN address pool can use 192.168.104.0/24. If you only want 20 IP addresses in the address pool, you can set the starting IP address to 192.168.104.20 and ending IP address to 192.168.104.40.
Select the address pool you just created from the drop-down menu. If Ipv6 is not used in the Intranet, you do not need to consider the Ipv6 address pool.
For AnyConnect images, you can browse your local computer or log on to the Cisco website using a SMARTnet account to download the images and upload them here.
Click Finish. You can also click Apply to save the settings.
Create a NAT exemption rule (for quick use of CLI)
Connect to the CLI of the firewall
In configuration mode, enter the following command:
Access-list NAT-EXEMPT extended permit ip 192.168.100.0 255.255.255.0 192.168.104.0 255.255.255.0
Tunnel-group VPN general-attributes
Address-pool AnyConnect (this is the name of the address pool we created earlier)
Now you can connect to the Intranet environment through VPN. However, users may encounter restrictions when connecting to the Internet. Therefore, we will configure split-tunneling to allow these VPN users to access the Internet. If you need to be extremely secure, do not configure split-tunnel. This is a trade-off between practicality and security. You can make a decision after making a trade-off. Because VPN users do not want to log out of the VPN just to search resources on google or to check their own private mailbox.
Configure split-tunnel:
Return to the ASDM interface and click Configure, then Remote Access VPN, and then select Network Access. select Group Policies.
Click the Group Policy we created in the wizard and select Edit.
Expand Advanced and click Split Tunneling.
Cancel the Inherit Policy and select Tunnel Network List Below from the drop-down List.
Cancel the Network List and Click Manage.
Click Add and then Add ACL
Name the ACL, click Add again, and select Add ACE.
Click Permit in the Add ACE window and select the Intranet address (192.168.100.0)
Click OK and make sure the new ACL exists in the Network List.
Click OK again.
Click Apply and then Save.
In this way, your VPN can run normally, and VPN customers can directly access the Internet through the VPN connection.