Remote Access VPN Deployment Guide

February 2013 Series

Preface
Who Should Read This Guide
This Cisco® Smart Business Architecture (SBA) guide is for people who fill a variety of roles:
• Systems engineers who need standard procedures for implementing solutions
• Project managers who create statements of work for Cisco SBA implementations
• Sales partners who sell new technology or who create implementation documentation
• Trainers who need material for classroom instruction or on-the-job training
In general, you can also use Cisco SBA guides to improve consistency among engineers and deployments, as well as to improve scoping and costing of deployment jobs.

How to Read Commands
Many Cisco SBA guides provide specific details about how to configure Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating systems that you configure at a command-line interface (CLI). This section describes the conventions used to specify commands that you must enter.
Commands to enter at a CLI appear as follows:
configure terminal
Commands that specify a value for a variable appear as follows:
ntp server 10.10.48.17
Commands with variables that you must define appear as follows:
class-map [highest class name]
Commands shown in an interactive example, such as a script or when the command prompt is included, appear as follows:
Router# enable
Long commands that line wrap are underlined. Enter them as one command:
wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100

Release Series
Cisco strives to update and enhance SBA guides on a regular basis. As we develop a series of SBA guides, we test them together, as a complete system. To ensure the mutual compatibility of designs in Cisco SBA guides, you should use guides that belong to the same series. The Release Notes for a series provide a summary of additions and changes made in the series. All Cisco SBA guides include the series name on the cover and at the bottom left of each page. We name the series for the month and year that we release them, as follows:
month year Series
For example, the series of guides that we released in February 2013 is the “February Series”. You can find the most recent series of SBA guides at the following sites:
Customer access: http://www.cisco.com/go/sba
Partner access: http://www.cisco.com/go/sbachannel

Noteworthy parts of system output or device configuration files appear highlighted, as follows:
interface Vlan64
 ip address 10.5.204.5 255.255.255.0

Comments and Questions
If you would like to comment on a guide or ask questions, please use the SBA feedback form. If you would like to be notified when new comments are posted, an RSS feed is available from the SBA customer and partner pages.


Table of Contents
What’s In This SBA Guide (p. 1)
  Cisco SBA Borderless Networks (p. 1)
  Route to Success (p. 1)
  About This Guide (p. 1)
Introduction (p. 2)
  Related Reading (p. 2)
  Design Goals (p. 2)
Remote Access VPN (p. 5)
  Business Overview (p. 5)
  Technology Overview (p. 5)
  Deployment Details (p. 6)
    Configuring Cisco Secure ACS (p. 6)
    Configuring the Standalone RA VPN Firewall (p. 12)
    Configuring the Remote-Access VPN (p. 20)
Summary (p. 38)
Appendix A: Product List (p. 39)
Appendix B: Configuration Example (p. 41)
Appendix C: Changes (p. 49)


What’s In This SBA Guide
Cisco SBA Borderless Networks
Cisco SBA helps you design and quickly deploy a full-service business network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, and flexible. Cisco SBA incorporates LAN, WAN, wireless, security, data center, application optimization, and unified communication technologies—tested together as a complete system. This component-level approach simplifies system integration of multiple technologies, allowing you to select solutions that solve your organization’s problems—without worrying about the technical complexity. Cisco SBA Borderless Networks is a comprehensive network design targeted at organizations with up to 10,000 connected users. The SBA Borderless Network architecture incorporates wired and wireless local area network (LAN) access, wide-area network (WAN) connectivity, WAN application optimization, and Internet edge security infrastructure.

About This Guide
This deployment guide contains one or more deployment chapters, which each include the following sections:
• Business Overview—Describes the business use case for the design. Business decision makers may find this section especially useful.
• Technology Overview—Describes the technical design for the business use case, including an introduction to the Cisco products that make up the design. Technical decision makers can use this section to understand how the design works.
• Deployment Details—Provides step-by-step instructions for deploying and configuring the design. Systems engineers can use this section to get the design up and running quickly and reliably.
You can find the most recent series of Cisco SBA guides at the following sites:
Customer access: http://www.cisco.com/go/sba
Partner access: http://www.cisco.com/go/sbachannel

Route to Success
To ensure your success when implementing the designs in this guide, you should first read any guides that this guide depends upon—shown to the left of this guide on the route below. As you read this guide, specific prerequisites are cited where they are applicable.

Borderless Networks route (figure):
Prerequisite Guides: Internet Edge Design Overview; Firewall and IPS Deployment Guide
You Are Here: Remote Access VPN Deployment Guide
Dependent Guides: Additional Deployment Guides


Introduction
Cisco SBA Borderless Networks is a solid network foundation designed to provide networks with up to 10,000 connected users the flexibility to support new users and network services without re-engineering the network. We created a prescriptive, out-of-the-box deployment guide that is based on best-practice design principles and that delivers flexibility and scalability. The Cisco SBA—Borderless Networks Remote Access VPN Deployment Guide supports the remote user with secure remote access (RA). This guide covers the deployment of RA VPN services to either the primary Internet edge firewall or to a standalone RA VPN-specific device.

Related Reading
The Cisco SBA—Borderless Networks Internet Edge Design Overview orients you to the overall Cisco SBA design and explains the requirements that were considered when selecting specific products. The Cisco SBA—Borderless Networks Firewall and IPS Deployment Guide focuses on the Internet edge firewall and intrusion prevention system (IPS) security services that protect your organization’s gateway to the Internet. The Cisco SBA—Borderless Networks Remote Mobile Access Deployment Guide extends the remote access solution for mobile devices, such as phones and tablets, and for traditional devices, it offers expanded connection options, such as Cisco Cloud Web Security, Always-on VPN, and other features.

Design Goals
This architecture is based on requirements gathered from customers, partners, and Cisco field personnel for organizations with up to 10,000 connected users. When designing the architecture, we considered the gathered requirements and the following design goals.


Figure 1. Borderless Networks overview (network diagram showing the headquarters, data center, regional site, remote sites, the Internet edge with its firewalls and RA-VPN firewall, and teleworker/mobile worker connections)

Ease of Deployment, Flexibility, and Scalability
Organizations with up to 10,000 users are often spread out among different geographical locations, making flexibility and scalability a critical requirement of the network. This design uses several methods to create and maintain a scalable network:
• By keeping a small number of standard designs for common portions of the network, support staff is able to design services for, implement, and support the network more effectively.
• Our modular design approach enhances scalability. Beginning with a set of standard, global building blocks, we can assemble a scalable network to meet requirements.
• Many of the plug-in modules look identical for several service areas; this common look provides consistency and scalability in that the same support methods can be used to maintain multiple areas of the network. These modules follow standard core-distribution-access network design models and use layer separation to ensure that interfaces between the plug-ins are well defined.

Resiliency and Security
One of the keys to maintaining a highly available network is building appropriate redundancy in order to guard against failure in the network. The redundancy in our architecture is carefully balanced with the complexity inherent in redundant systems. With the addition of a significant amount of delay-sensitive and drop-sensitive traffic such as voice and video conferencing, we also place a strong emphasis on recovery times. Choosing designs that reduce the time between failure detection and recovery is important for ensuring that the network stays available even in the face of a minor component failure.
Network security is also a strong component of the architecture. In a large network, there are many entry points, and we ensure that they are as secure as possible without making the network too difficult to use. Securing the network not only helps keep the network safe from attacks but is also a key component to network-wide resiliency.

Ease of Management
While this guide focuses on the deployment of the network foundation, the design takes next-phase management and operation into consideration. The configurations in the deployment guides are designed to allow the devices to be managed via normal device-management connections, such as Secure Shell (SSH) Protocol and HTTPS, as well as via Network Management System (NMS). The configuration of the NMS is not covered in this guide.

Advanced Technology–Ready
Flexibility, scalability, resiliency, and security all are characteristics of an advanced technology-ready network. The modular design of the architecture means that technologies can be added when the organization is ready to deploy them. However, the deployment of advanced technologies, such as collaboration, is eased because the architecture includes products and configurations that are ready to support collaboration from day one. For example:
• Access switches provide Power over Ethernet (PoE) for phone deployments without the need for a local power outlet.
• The entire network is preconfigured with quality of service (QoS) to support high-quality voice.
• Multicast is configured in the network to support efficient voice and broadcast-video delivery.
• The wireless network is preconfigured for devices that send voice over the wireless LAN, providing IP telephony over 802.11 Wi-Fi (referred to as mobility) at all locations, as well as traditional hard or desk phones.
• The Internet edge is ready to provide soft phones via VPN.

Remote Access VPN

Business Overview
Many organizations need to offer network connectivity to their data resources for users, regardless of the user’s location. Employees, contractors, and partners may need to access the network when traveling or working from home or from other off-site locations. The remote-access connectivity should support:
• A wide variety of endpoint devices.
• Seamless access to networked data resources.
• Authentication and policy control that integrates with the authentication resources in use by the organization.
• Cryptographic security to prevent the exposure of sensitive data to unauthorized parties who accidentally or intentionally intercept the data.

Technology Overview
The Cisco ASA family supports IP Security (IPsec), web portal, and full-tunnel Secure Sockets Layer (SSL) VPNs for client-based remote access, and IPsec for site-to-site VPN. This document describes the configuration for remote-access VPN via Cisco AnyConnect for SSL connections. The Cisco AnyConnect Secure Mobility Client is recommended for remote users who require full network connectivity. The Cisco AnyConnect client uses SSL and is designed for automated download and installation. SSL access can be more flexible and is likely to be accessible from more locations than IPsec, as few companies block HTTPS access out of their networks.

Cisco SBA Borderless Networks offer two different remote-access VPN designs:
• Remote-access (RA) VPN integrated with Cisco ASA Series firewall, in the integrated design model—This integration offers lower capital investment and reduces the number of devices the network engineering staff must manage.
• Remote-access VPN deployed on a pair of standalone Cisco ASAs, in the standalone design model—This design offers greater operational flexibility and scalability while providing a simple migration path from an existing RA VPN installation.

Configurations for both the integrated and standalone design models offer identical functionality and capability so that regardless of the design chosen, the user experience is unchanged from one design to the other. Unless specifically noted, the configuration described in this document is common to both the integrated and standalone designs.

Hardware applied in this design is selected based on the following performance values.

Table 1. Hardware performance
Cisco ASA family product   Maximum SSL VPN sessions
Cisco ASA 5512-X           250
Cisco ASA 5515-X           250
Cisco ASA 5525-X           750
Cisco ASA 5545-X           2500

This section describes the basic configuration of SSL VPNs for remote access. The configuration is broken into sections for each of the various access methods, and it begins with a configuration that is common to all of the access methods.

A different VPN group is required for each remote-access policy. This design includes three VPN groups:
• Administrative users—These users are authenticated by Cisco Secure Access Control System (ACS) using the RADIUS protocol and also have a local username and password fallback option. This ensures that VPN access is available when the Cisco Secure ACS or Microsoft Active Directory server is unavailable. Administrative users have full access to the entire network.
• Employees—These users are authenticated by Cisco Secure ACS and have open access to the entire network.
• Partners—These users are authenticated by Cisco Secure ACS and, although they use a tunnel-all VPN policy, there is an access-list applied to the tunnels in order to restrict access to specific hosts.

Deployment Details

Reader Tip
For more information about the baseline configuration of the appliance (including availability, routing, Internet and inside connectivity, and management or administration access), see the Cisco SBA—Borderless Networks Firewall and IPS Deployment Guide.

Cisco ASA’s remote-access VPN termination capabilities can be configured from the command line or from the graphical user interface Cisco Adaptive Security Device Manager (ASDM). Cisco ASDM provides a guided step-by-step approach to the configuration of RA VPN and reduces the likelihood of configuration errors.

Authentication is the portion of the configuration that verifies that users’ credentials (username and password) match those stored within the organization’s database of users that are allowed to access electronic resources. Cisco Smart Business Architecture designs use either Cisco Secure ACS or Microsoft Active Directory for authentication of remote access VPN users. In this process, Active Directory is the primary directory container for user credentials and group membership. When the Cisco ASA firewall queries the Cisco Secure ACS server (which then proxies the request to the Active Directory database) to determine whether a user’s name and password is valid, Cisco Secure ACS also retrieves other Active Directory attributes, such as group membership, that Cisco Secure ACS may use when making an authorization decision. Based on the group membership, Cisco Secure ACS sends back a group policy name to the appliance, along with the success or failure of the login. Cisco ASA uses the group policy name in order to assign the user to the appropriate VPN group policy. Cisco Secure ACS gives an organization enhanced ability to control the access that VPN users receive. For those organizations not interested in using Cisco Secure ACS, Microsoft Active Directory by itself will be used, and this process can be skipped.

Process
Configuring Cisco Secure ACS (Optional)
1. Define external groups
2. Create the device-type group
3. Create the network device
4. Create authorization profiles
5. Configure the access service
6. Create authorization rules

Procedure 1 Define external groups
Before you begin this process, your Active Directory must have three groups defined: vpn-administrator, vpn-employee, and vpn-partner. These groups map users to the respective VPN access policies.
Step 1: Navigate to the Cisco Secure ACS Administration Page. (Example: https://acs.cisco.local)
Step 2: In Users and Identity Stores > External Identity Stores > Active Directory, click the Directory Groups tab.
Step 3: Click Select.
Step 4: In the External User Groups pane, select the three vpn groups, and then click OK.
Step 5: In the Active Directory pane, click Save Changes.

Procedure 2 Create the device-type group
Step 1: In Network Resources > Network Device Groups > Device Type, click Create.
Step 2: In the Name box, enter a name for the group. (Example: ASA)
Step 3: In the Parent box, select All Device Types, and then click Submit.

Procedure 3 Create the network device
For the Cisco ASA firewall, create a network device entry in Cisco Secure ACS.
Step 1: In Network Resources > Network Devices and AAA Clients, click Create.
Step 2: In the Name box, enter the device hostname. (Example: IE-ASA5545X)
Step 3: In the Network Device Groups section, in the Device Type row, click on Select. In the Network Device Groups dialog box, select All Device Types:ASA, and then click OK.
Step 4: In the IP box, enter the inside interface IP address of the Cisco ASA appliance. (Example: 10.4.24.30)
Step 5: Select TACACS+.
Step 6: Enter the TACACS+ shared secret key. (Example: SecretKey)
Step 7: Select RADIUS.
Step 8: Enter the RADIUS shared secret key, and then click Submit. (Example: SecretKey)

Procedure 4 Create authorization profiles
Create three different authorization profiles to identify users that belong to the vpn-administrator, vpn-employee, or vpn-partner groups in Active Directory.
Step 1: In Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, click Create.
Step 2: In the Name box, enter a name for the authorization profile. (Example: VPN-Administrator)
Step 3: Click the RADIUS Attributes tab, and then in the RADIUS Attribute row, click Select.

Step 4: In the RADIUS Dictionary dialog box, select Class, and then click OK.
Step 5: In the Attribute Value box, enter the group policy name, and then click Add. You must configure the attribute value to match the group policy that you will configure on the Cisco ASA appliance. (Example: GroupPolicy_Administrator)
Step 6: Click Submit.
Step 7: Repeat this procedure to build authorization profiles for vpn-employee and vpn-partner, using the group policy GroupPolicy_Employee and GroupPolicy_Partner values.

Procedure 5 Configure the access service
Create a policy to inspect for group membership in the return traffic from the Active Directory server.
Step 1: In Access Policies > Access Services, click Create.
Step 2: On the General tab, enter the name Remote Access VPN.

Step 3: Select User Selected Service Type, and then click Next.
Step 4: On the Allowed Protocols tab, select Allow MS-CHAPv2, and then click Finish.
Step 5: In Access Policies > Access Services > Service Selection Rules, click Customize.
Step 6: In the Customize Conditions pane, move Compound Condition from Available to Selected, and then click OK.
Step 7: In the Service Selection Rules pane, click Create.
Step 8: On the dialog box, for the name of the rule, enter Remote Access VPN.
Step 9: Select Protocol, and then in the box, enter Radius.
Step 10: In the list at right, select match.
Step 11: Select Compound Condition, and then in the Dictionary list, choose NDG.
Step 12: For Attribute, select Device Type.
Step 13: For Value, select All Device Types: ASA.
Step 14: Under Current Condition Set, click Add. The information is added to the Current Condition Set. Click OK.

Step 15: In the Results Service list, choose Remote Access VPN, and then click OK.
Step 16: Navigate to Access Policies > Access Services > Remote Access VPN > Identity.
Step 17: In the Identity Source box, select AD1, and then click Save Changes.
Step 18: In Access Policies > Access Services > Remote Access VPN > Authorization, click Customize.
Step 19: In the Customize Conditions pane, move AD1:ExternalGroups from Available to Selected, and then click OK.

Procedure 6 Create authorization rules
Step 1: In Access Policies > Access Services > Remote Access VPN > Authorization, click Create.
Step 2: In the Name box, enter a rule name. (Example: VPN-Administrator)
Step 3: Under Conditions, select AD1:ExternalGroups.
Step 4: In the condition definition box, select the Active Directory group. (Example: cisco.local/Users/vpn-administrator)

Step 5: Under Results, select the authorization profile, and then click OK. (Example: VPN-Administrator)
Step 6: Repeat Step 1 through Step 5 for the VPN-Employee and VPN-Partner rules.
Step 7: In the Authorization pane, click the Default rule.
Step 8: Select DenyAccess as the authorization profile, and then click Select.
Once the remote-access services have been created, you can change the order.
Step 9: In Access Policies > Access Services > Service Selection Rules, select the rule Remote Access VPN, and then use the up arrow button to move it above the default policies Rule-1 and Rule-2.

Process
Configuring the Standalone RA VPN Firewall
1. Configure the LAN distribution switch
2. Apply Cisco ASA initial configuration
3. Configure internal routing
4. Configure user authentication
5. Configure NTP and logging
6. Configure device-management protocols
7. Configure HA on the primary Cisco ASA
8. Configure standby firewall for resilience
9. Configure the outside switch
10. Configure Internet interfaces
11. Configure resilient Internet routing

If you are using an integrated deployment model where RA VPN services reside on the primary set of Internet edge firewalls, this process is not needed, and you can skip to “Configuring the Remote Access VPN.” If you are using standalone RA VPN devices, then continue with this process. Only the procedures required to support the integration of the firewall into the deployment are included in this guide.

Reader Tip
This procedure assumes that the distribution switch has already been configured following the guidance in the Cisco SBA—Borderless Networks LAN Deployment Guide.

Procedure 1 Configure the LAN distribution switch
The LAN distribution switch is the path to the organization’s internal network. A unique VLAN supports the Internet edge devices, and the routing protocol peers with the appliances across this network. This procedure configures connectivity to the appliance from the internal network in order to enable management access.
Step 1: Configure the interfaces that are connected to the RA VPN-specific firewalls.
interface GigabitEthernet1/0/23
 description VPN-ASA5525Xa Gig0/0
!
interface GigabitEthernet2/0/23
 description VPN-ASA5525Xb Gig0/0
!
interface range GigabitEthernet1/0/23, GigabitEthernet2/0/23
 switchport access vlan 300
 switchport host
 macro apply EgressQoS
 logging event link-status
 no shutdown

Procedure 2 Apply Cisco ASA initial configuration
Step 1: Configure the appliance host name.
hostname VPN-ASA5525X

Step 2: Configure the appliance interface that is connected to the internal LAN distribution switch.
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0
 nameif inside
 ip address 10.4.24.24 255.255.255.224
Step 3: Disable the dedicated management interface.
interface Management0/0
 no ip address
 shutdown
Step 4: Configure an administrative username and password.
username admin password [password] privilege 15

Tech Tip
All passwords in this document are examples and should not be used in production configurations. Follow your company’s policy, or if no policy exists, create a password using a minimum of 8 characters with a combination of uppercase, lowercase, and numbers.

Procedure 3 Configure internal routing
A dynamic routing protocol is used to easily configure reachability between networks connected to the appliance and those that are internal to the organization. Because the RA VPN Cisco ASA device is not the default route for the inside network to get to the Internet, a distribute list must be used to filter out the default route from EIGRP updates to other devices.

Caution
Default route advertisement from the RA VPN firewall will result in multiple conflicting default routes on the distribution layer switch. You must block the advertisement of the default route in order to avoid conflicting default routes.

Step 1: Create an access list to block default routes and permit all other routes.
access-list ALL_BUT_DEFAULT standard deny host 0.0.0.0
access-list ALL_BUT_DEFAULT standard permit any
Step 2: Enable Enhanced Interior Gateway Routing Protocol (EIGRP) on the appliance.
router eigrp 100
Step 3: Configure the appliance to advertise its statically defined routes, including the RA VPN client address pool, but not default routes and connected networks that are inside the Internet edge network range.
 no auto-summary
 network 10.4.24.0 255.255.255.0
 redistribute static
 distribute-list ALL_BUT_DEFAULT out
Step 4: Configure EIGRP to peer with neighbors across the inside interface only.
 passive-interface default
 no passive-interface inside
Step 5: Summarize the remote access host routes in order to keep routing tables small. The summary route suppresses the advertisement of individual host routes. A summary route matching the RA VPN client address pool is advertised after the first RA VPN client is connected to the RA VPN firewall.
interface GigabitEthernet0/0
 summary-address eigrp 100 10.4.28.0 255.255.252.0 5
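To make the effect of the distribute list in Procedure 3 concrete, the following Python script is an added example (not from the guide or from Cisco) that parses the ALL_BUT_DEFAULT access list and the router eigrp stanza from a constructed configuration snippet and reports which redistributed static routes the appliance would advertise; the snippet, the route list and the function names are my own, built from the values above.

```python
import ipaddress
import re

# Constructed sample: the Procedure 3 commands (guide values), not a device capture.
SAMPLE_CONFIG = """\
access-list ALL_BUT_DEFAULT standard deny host 0.0.0.0
access-list ALL_BUT_DEFAULT standard permit any
router eigrp 100
 no auto-summary
 network 10.4.24.0 255.255.255.0
 redistribute static
 distribute-list ALL_BUT_DEFAULT out
 passive-interface default
 no passive-interface inside
"""

# Same snippet with the filter left out: the misconfiguration the Caution warns about.
UNFILTERED_CONFIG = SAMPLE_CONFIG.replace(" distribute-list ALL_BUT_DEFAULT out\n", "")


def parse_standard_acl(config, name):
    """Return the entries of a named standard ACL as (action, network), in config order."""
    entries = []
    pattern = re.compile(
        rf"^access-list {re.escape(name)} standard (permit|deny) (.+)$", re.M)
    for action, target in pattern.findall(config):
        target = target.strip()
        if target == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target.startswith("host "):
            net = ipaddress.ip_network(target.split()[1] + "/32")
        else:  # "address mask" form
            addr, mask = target.split()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((action, net))
    return entries


def eigrp_outbound_distribute_list(config):
    """Return the ACL name used by 'distribute-list <name> out' under router eigrp, or None."""
    in_eigrp = False
    for line in config.splitlines():
        if line.startswith("router eigrp"):
            in_eigrp = True
            continue
        if in_eigrp and not line.startswith(" "):
            in_eigrp = False  # left the router stanza
        if in_eigrp:
            m = re.match(r"\s*distribute-list (\S+) out$", line)
            if m:
                return m.group(1)
    return None


def route_permitted(acl, route):
    """Apply a standard ACL as a route filter: the first entry covering the prefix's
    network address decides; an empty or exhausted list denies (implicit deny)."""
    for action, net in acl:
        if route.network_address in net:
            return action == "permit"
    return False


def advertised_static_routes(config, static_routes):
    """Map each redistributed static route to True (advertised) or False (filtered)."""
    name = eigrp_outbound_distribute_list(config)
    acl = parse_standard_acl(config, name) if name else None
    verdicts = {}
    for prefix in static_routes:
        route = ipaddress.ip_network(prefix)
        # Without a distribute list, every redistributed route goes out unfiltered.
        verdicts[prefix] = True if acl is None else route_permitted(acl, route)
    return verdicts


if __name__ == "__main__":
    routes = ["0.0.0.0/0", "10.4.28.0/22"]  # default route and the RA VPN client pool
    print("filtered:  ", advertised_static_routes(SAMPLE_CONFIG, routes))
    print("unfiltered:", advertised_static_routes(UNFILTERED_CONFIG, routes))
```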

Procedure 4 (Optional) Configure user authentication
As networks scale in the number of devices to maintain, it poses an operational burden to maintain local user accounts on every device. A centralized authentication, authorization, and accounting (AAA) service reduces operational tasks per device and provides an audit log of user access for security compliance and root cause analysis. When AAA is enabled for access control, all management access to the network infrastructure devices (SSH and HTTPS) is controlled by AAA.

Reader Tip
The AAA server used in this architecture is the Cisco Secure ACS. Configuration of Cisco Secure ACS is discussed in the Cisco SBA—Borderless Networks Device Management Using ACS Deployment Guide.

TACACS+ is the primary protocol used to authenticate management logins on the infrastructure devices to the AAA server. A local AAA user database was defined already to provide a fallback authentication source in case the centralized TACACS+ server is unavailable.

Step 1: Configure the TACACS+ server.
aaa-server AAA-SERVER protocol tacacs+
aaa-server AAA-SERVER (inside) host 10.4.48.15 SecretKey
Step 2: Configure the appliance’s management authentication to use the TACACS+ server first and then the local user database if the TACACS+ server is unavailable.
aaa authentication enable console AAA-SERVER LOCAL
aaa authentication ssh console AAA-SERVER LOCAL
aaa authentication http console AAA-SERVER LOCAL
aaa authentication serial console AAA-SERVER LOCAL
Step 3: Configure the appliance to use AAA to authorize management users.
aaa authorization exec authentication-server

Tech Tip
User authorization on the Cisco ASA firewall does not automatically present the user with the enable prompt if they have a privilege level of 15, unlike Cisco IOS devices.

Procedure 5 Configure NTP and logging
Logging and monitoring are critical aspects of network security devices in order to support troubleshooting and policy-compliance auditing.

The Network Time Protocol (NTP) is designed to synchronize time across a network of devices. An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the organization’s network.

Network devices should be programmed to synchronize to a local NTP server in the network. The local NTP server typically references a more accurate clock feed from an outside source.

There is a range of detail that can be logged on the appliance. Informational-level logging provides the ideal balance between detail and log-message volume. Lower log levels produce fewer messages, but they do not produce enough detail to effectively audit network activity. Higher log levels produce a larger volume of messages but do not add sufficient value to justify the number of messages logged.

Step 1: Configure the NTP server.
ntp server 10.4.48.17
Step 2: Configure the time zone.
clock timezone PST -8
clock summer-time PDT recurring
Step 3: Configure which logs to store on the appliance.
logging enable
logging buffered informational

Procedure 6 Configure device-management protocols

Cisco ASDM requires that the appliance's HTTPS server be available. Be sure that the configuration includes networks where administrative staff has access to the device through Cisco ASDM; the appliance can offer controlled Cisco ASDM access for a single address or management subnet (in this case, 10.4.48.0/24).

HTTPS and Secure Shell (SSH) Protocol are more secure replacements for the HTTP and Telnet protocols. They use Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to provide device authentication and data encryption.

Use SSH and HTTPS protocols in order to more securely manage the device. Both protocols are encrypted for privacy, and the non-secure protocols, Telnet and HTTP, are turned off.

Simple Network Management Protocol (SNMP) is enabled to allow the network infrastructure devices to be managed by a Network Management System (NMS). SNMPv2c is configured for a read-only community string. Because SNMPv2c carries the community string in cleartext, replace the example value with one of your own and keep polling limited to the NMS address named in the snmp-server host command.

Step 1: Allow internal administrators to remotely manage the appliance over HTTPS and SSH.

domain-name cisco.local
http server enable
http 10.4.48.0 255.255.255.0 inside
ssh 10.4.48.0 255.255.255.0 inside
ssh version 2

Step 2: Specify the list of supported SSL encryption algorithms for ASDM.

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Step 3: Configure the appliance to allow SNMP polling from the NMS.

snmp-server host inside 10.4.48.35 community cisco
snmp-server community cisco

Procedure 7 Configure HA on the primary Cisco ASA

This procedure describes how to configure active/standby failover for the primary RA VPN Cisco ASA.

Step 1: On the primary Cisco ASA, enable failover.

failover

Step 2: Configure the Cisco ASA as the primary appliance of the high availability pair.

failover lan unit primary

Step 3: Configure the failover interface.

failover lan interface failover GigabitEthernet0/2
failover key FailoverKey
failover replication http
failover link failover GigabitEthernet0/2

The failover key value must match on both devices in an active/standby pair. This key is used for two purposes: to authenticate the two devices to each other, and to secure state synchronization messages between the devices, which enables the Cisco ASA pair to maintain service for existing connections in the event of a failover.

Step 4: Tune the failover poll timers. This minimizes the downtime experienced during failover.

failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5

Step 5: Configure the failover interface IP address.

failover interface ip failover 10.4.24.97 255.255.255.248 standby 10.4.24.98

Step 6: Enable the failover interface.

interface GigabitEthernet0/2
 no shutdown

Step 7: Configure the standby IP address and monitoring of the inside interface.

interface GigabitEthernet0/0
 ip address 10.4.24.24 255.255.255.224 standby 10.4.24.23
monitor-interface inside

Procedure 8 Configure standby firewall for resilience

Step 1: On the secondary Cisco ASA appliance, enable failover.

failover

Step 2: Configure the appliance as the secondary appliance of the high availability pair.

failover lan unit secondary

Step 3: Configure the failover interface.

failover lan interface failover GigabitEthernet0/2
failover key FailoverKey
failover replication http
failover link failover GigabitEthernet0/2

Step 4: Tune the failover poll timers. This minimizes the downtime experienced during failover.

failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5

Step 5: Configure the failover interface IP address.

failover interface ip failover 10.4.24.97 255.255.255.248 standby 10.4.24.98

Step 6: Enable the failover interface.

interface GigabitEthernet0/2
 no shutdown

Step 7: If you want to verify standby synchronization between the Cisco ASA devices, on the command-line interface of the primary appliance, issue the show failover state command.

VPN-ASA5525X# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done
====Communication State===
        Mac set

Procedure 9 Configure the outside switch

In this procedure, you configure the outside switch connection of the RA VPN Cisco ASA firewall. This deployment assumes a dual ISP design. It also assumes the outside switch is already configured with a base installation and that the only changes required are to allow the RA VPN devices to connect. If this is not the case, please follow the steps in the Cisco SBA—Borderless Networks Firewall and IPS Configuration Files Guide, starting at the "Configuring the Firewall Internet Edge" process.

Step 1: Configure the interfaces that connect to the appliances.

interface GigabitEthernet1/0/20
 description VPN-ASA5525Xa Gig0/3
!
interface GigabitEthernet2/0/20
 description VPN-ASA5525Xb Gig0/3
!
interface range GigabitEthernet1/0/20, GigabitEthernet2/0/20
 switchport trunk allowed vlan 16,17
 switchport mode trunk
 spanning-tree portfast trunk
 macro apply EgressQoS
 logging event link-status
 logging event trunk-status
 no shutdown

Procedure 10 Configure Internet interfaces

In this procedure, you configure the outside interfaces of the RA VPN Cisco ASA firewalls. This deployment assumes a dual ISP design. If this is not the case, please follow the steps in the Cisco SBA—Borderless Networks Firewall and IPS Configuration Files Guide, starting at the "Configuring the Firewall Internet Edge" process.

Step 1: From a client on the internal network, navigate to the firewall's inside IP address, and then launch the Cisco Adaptive Security Device Manager (ASDM). (Example: https://10.4.24.24)

Step 2: In Configuration > Device Setup > Interfaces, click the interface that is connected to the outside switch. (Example: GigabitEthernet0/3)

Step 3: Click Edit.

Step 4: On the Edit Interface dialog box, select Enable Interface, and then click OK.

Step 5: In the Interface pane, click Add > Interface.

Step 6: On the Add Interface dialog box, in the Hardware Port list, choose the interface enabled in Step 4. (Example: GigabitEthernet0/3)

Step 7: In the VLAN ID box, enter the VLAN number for the primary Internet VLAN. (Example: 16)

Step 8: In the Subinterface ID box, enter the VLAN number for the primary Internet VLAN. (Example: 16)

Step 9: Enter an Interface Name. (Example: outside-16)

Step 10: In the Security Level box, enter a value of 0.

Step 11: Enter the interface IP Address. (Example: 172.16.130.122)

Step 12: Enter the interface Subnet Mask. (Example: 255.255.255.0)

Step 13: In the Interface pane, click Apply.

Step 14: Repeat Step 5 through Step 13 for the resilient Internet VLAN.

Step 15: Navigate to Configuration > Device Management > High Availability > Failover.

Step 16: On the Interfaces tab, in the Standby IP Address column, enter the IP addresses of the standby unit for the interfaces you just created. (Example: 172.16.130.121, 172.17.130.121)

Step 17: Select Monitored for each, and then click Apply.

Procedure 11 Configure resilient Internet routing

In this procedure, you configure a pair of static default routes through the primary and secondary Internet interfaces. Each route uses a different metric. The primary route carries a metric of 1, making the route preferred. The primary route's availability is determined by the state of the 'track 1' object that is appended to the primary route. If the tracked object is unavailable, it is likely that the path to the primary ISP is down, and the appliance should prefer the secondary ISP's route.

The route-tracking configuration defines a target reachable through the primary ISP's network to which the appliance sends Internet Control Message Protocol (ICMP) probes (pings) in order to determine if the network connection is active. The target destination must be able to respond to an ICMP echo request. The tracked object should be in the primary ISP's network. The point of tracking an object in the primary ISP's network is that if reachability to this object is available, then all connectivity to that point is working, including the appliance's connection to the customer premise router, the WAN connection, and most routing inside the ISP's network.

Step 1: In Configuration > Device Setup > Routing > Static Routes, click Add.

Step 2: On the Add Static Route dialog box, in the Interface list, choose the primary Internet connection interface created in the previous procedure's Step 9. (Example: outside-16)

Step 3: In the Network box, select any4.

Step 4: In the Gateway IP box, enter the primary Internet CPE's IP address. (Example: 172.16.130.126)

Step 5: In the Metric box, enter 1.

Step 6: In the Options pane, click Tracked.

Step 7: In the Track ID box, enter 1.

Step 8: In the Track IP Address box, enter an IP address in the ISP's cloud. (Example: 172.18.1.1)

Step 9: In the SLA ID box, enter 16.

Step 10: In the Target Interface list, choose the primary Internet connection interface, and then click OK. (Example: outside-16)

Next, you create the secondary default route to the resilient Internet CPE's address.

Step 11: In Configuration > Device Setup > Routing > Static Routes, click Add.

Step 12: On the Add Static Route dialog box, in the Interface list, choose the resilient Internet connection interface. (Example: outside-17)

Step 13: In the Network box, select any4.

Step 14: In the Gateway IP box, enter the resilient Internet CPE's IP address. (Example: 172.17.130.126)

Step 15: In the Metric box, enter 50, and then click OK.

Step 16: In the Static Routes pane, click Apply.

Next, you add a host route for the tracked object via the Internet-CPE-1 address. This assures that probes to the tracked object will always use the primary ISP connection.

Step 17: In Configuration > Device Setup > Routing > Static Routes, click Add.

Step 18: In the Add Static Route dialog box, in the Interface list, choose the primary Internet connection interface. (Example: outside-16)

Step 19: In the Network box, enter the IP address used for tracking in the primary default route. (Example: 172.18.1.1/32)

Step 20: In the Gateway IP box, enter the primary Internet CPE's IP address, and then click OK. (Example: 172.16.130.126)

Step 21: In the Static Routes pane, click Apply.
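The same resilient routing, written as the Cisco ASA command-line equivalent of the ASDM steps above. This is an added example and not configuration taken from the guide; the interface names, addresses, SLA ID and track ID are the examples used in Procedure 11, and the 10-second probe frequency is an assumption.

```cisco
! Added example (not from the guide): CLI equivalent of Procedure 11.
! ICMP echo probe to a host in the primary ISP's cloud (172.18.1.1),
! sourced from the primary Internet interface. Frequency is assumed.
sla monitor 16
 type echo protocol ipIcmpEcho 172.18.1.1 interface outside-16
 frequency 10
sla monitor schedule 16 life forever start-time now
!
! Track object 1 follows the probe: up while 172.18.1.1 answers.
track 1 rtr 16 reachability
!
! Host route for the probe target so the probe always leaves via ISP 1,
! whichever default route is currently active.
route outside-16 172.18.1.1 255.255.255.255 172.16.130.126 1
!
! Preferred default route (metric 1); withdrawn while track 1 is down.
route outside-16 0.0.0.0 0.0.0.0 172.16.130.126 1 track 1
!
! Backup default route (metric 50) through the resilient ISP; it carries
! traffic only while the primary default route is withdrawn.
route outside-17 0.0.0.0 0.0.0.0 172.17.130.126 50
```

Check the result with show track 1 and show route. Because the primary route is withdrawn whenever the probe fails, the tracked host must be one the ISP will keep answering ICMP echo; if the ISP later filters ICMP to that address, the appliance fails over to the resilient ISP even though the primary link is healthy.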

Process

Configuring the Remote-Access VPN
1. Load AnyConnect client images
2. Configure remote access
3. Create the AAA server group
4. Define the VPN address pool
5. Configure DNS and certificates
6. Configure default tunnel gateway
7. Configure remote access routing
8. Configure the group-URL
9. Enable SSL for additional interface
10. Configure additional NAT exemption
11. Configure the connection profile
12. Configure the employee policy
13. Configure the partner policy
14. Configure the admin policy
15. Configure Cisco AnyConnect Client Profile

The majority of the VPN configuration tasks are addressed in the Cisco AnyConnect VPN Connection Setup Wizard. Depending on requirements, additional work might need to be completed after the wizard.

Procedure 1 Load AnyConnect client images

Download the Cisco AnyConnect Secure Mobility Client images from cisco.com to the computer you use to run ASDM. There are separate images for Windows, Apple OS X, and Linux; only the images that are required by your organization must be downloaded. The images then need to be uploaded to both the primary and secondary RA VPN Cisco ASAs.

Step 1: Navigate to Tools > File Management.

Step 2: Click File Transfer, and then select Between Local PC and Flash.

Step 3: Browse to the location on your local file system and copy each image to the Cisco ASA flash memory by selecting the image and then clicking the right arrow.

Step 4: Repeat Step 3 for each client image. After completing the file transfers for all client images, click Close.

Step 5: Repeat Step 1 through Step 4 for the secondary RA VPN Cisco ASA. From a client on the internal network, navigate to the secondary RA VPN Cisco ASA's inside IP address, and then launch ASDM. (Example: https://10.4.24.23)

Tech Tip
Do not attempt to modify the firewall configuration on the standby appliance. You should make configuration changes only to the primary appliance.

Procedure 2 Configure remote access

Step 1: Navigate to Wizards > VPN Wizards > AnyConnect VPN Wizard.

Step 2: In the AnyConnect VPN Connection Setup Wizard dialog box, click Next.

Step 3: In the Connection Profile Name box, enter a name. (Example: AnyConnect)

Step 4: In the VPN Access Interface list, choose the primary Internet connection, and then click Next. (Example: outside-16)

Step 5: Under VPN Protocols, select SSL, and clear IPsec.

Next, generate a self-signed identity certificate and install it on the appliance.

Tech Tip
Because the certificate in this example is self-signed, clients generate a security warning until they accept the certificate. A certificate issued by a CA that the clients already trust avoids teaching users to click through such warnings.

Step 6: In the Device Certificate pane, click Manage.

Step 7: On the Manage Identity Certificates dialog box, click Add.

Step 8: On the Add Identity Certificate dialog box, enter a new Trustpoint Name (Example: VPN-ASA5525X-Trustpoint), and then select Add a new identity certificate.

Step 9: For Key Pair, select New.

Step 10: On the Add Key Pair dialog box, select RSA and Enter new key pair name, and then in the box, enter a name. (Example: VPN-ASA5525X-Keypair)

Tech Tip
Entering a new key pair name prevents the certificate from becoming invalid if an administrator accidentally regenerates the default RSA key pair.

Step 11: Click Generate Now.

Step 12: On the Add Identity Certificate dialog box, in Certificate Subject DN, enter the fully qualified domain name used to access the appliance on the outside interface. (Example: CN=VPN-ASA5525X.cisco.local)

Step 13: Select Generate self-signed certificate and Act as Local certificate authority and issue dynamic certificates to TLS-Proxy, and then click Add Certificate. The Enrollment Status dialog box shows that the enrollment succeeded. Click OK.

Step 14: In the Manage Identity Certificates dialog box, click OK.

Step 15: On the VPN Protocols page, verify that the IPsec check box is cleared and the certificate you created is reflected in the Device Certificate box, and then click Next.

Step 16: On the Client Images page, click Add.

Step 17: On the Add AnyConnect Client Image dialog box, click Browse Flash.

Step 18: On the Browse Flash dialog box, select the appropriate AnyConnect client image to support your user community (linux, macosx, or win), and then click OK.

Step 19: On the Add AnyConnect Client Image dialog box, click OK.

Step 20: Repeat Step 16 through Step 19 for all the required Cisco AnyConnect client images.

Step 21: If necessary, reorder the list of images so that the most commonly used image is listed first and least commonly used images are listed last. Click the image you want to move, and then click the up or down arrows to reorder the image.

Step 22: On the Client Images page, click Next.

Procedure 3 Create the AAA server group

For VPN user authentication, you point Cisco ASA to either the Cisco Secure ACS you configured earlier or to the organization's Active Directory server. Remaining in the wizard, you now create a new AAA server group to authenticate remote-access users. To authenticate users, the server group uses either NT LAN Manager (NTLM) to the Active Directory server or RADIUS to the Cisco Secure ACS server. If the authentication process uses Cisco Secure ACS, complete Option 1 of this procedure. If the authentication process authenticates directly to Active Directory, complete Option 2 of this procedure.

Option 1. Use Cisco Secure ACS for AAA

Step 1: On the Authentication Methods page, next to AAA Server Group, click New.

Step 2: On the New Authentication Server Group dialog box, enter the following values, and then click OK:
• Server Group Name—AAA-RADIUS
• Authentication Protocol—RADIUS
• Server IP Address—10.4.48.15 (IP address of the Cisco Secure ACS server)
• Interface—inside
• Server Secret Key—SecretKey
• Confirm Server Secret Key—SecretKey

Step 3: On the Authentication Methods page, click Next.

Option 2. Use Active Directory for AAA

Step 1: On the Authentication Methods page, next to AAA Server Group, click New.

Step 2: On the New Authentication Server Group dialog box, enter the following values, and then click OK:
• Server Group Name—AD
• Authentication Protocol—NT
• Server IP Address—10.4.48.10
• Interface—inside
• NT Domain Controller Name—AD-1

Step 3: On the Authentication Methods page, click Next.

Procedure 4 Define the VPN address pool

Next, you define the remote-access VPN address pool that will be assigned to users when they connect to the VPN service. You need to decide on an appropriate address space for your RA VPN address pool. In this example you use 4 class-C address ranges (~1000 addresses) as the pool.

Step 1: On the Client Address Assignment page, in the IPv4 Address Pool tab, click New.

Step 2: On the Add IP Pool dialog box, enter the following values, and then click OK:
• Name—RA-pool
• Starting IP Address—10.4.28.1
• Ending IP Address—10.4.31.254
• Subnet Mask—255.255.252.0
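The AAA server groups from Procedure 3 and the address pool from Procedure 4, as the Cisco ASA command-line equivalent of what the wizard pages create. This is an added example, not configuration from the guide; names, addresses and the shared secret are the examples used in those two procedures.

```cisco
! Added example (not from the guide): CLI equivalent of Procedures 3 and 4.
!
! Option 1: RADIUS to the Cisco Secure ACS server.
aaa-server AAA-RADIUS protocol radius
aaa-server AAA-RADIUS (inside) host 10.4.48.15
 key SecretKey
!
! Option 2: NT-domain (NTLM) authentication straight to Active Directory.
aaa-server AD protocol nt
aaa-server AD (inside) host 10.4.48.10
 nt-auth-domain-controller AD-1
!
! Pool handed to remote-access clients: 10.4.28.0/22, about 1000 addresses.
ip local pool RA-pool 10.4.28.1-10.4.31.254 mask 255.255.252.0
```

Only one of the two server groups needs to exist; the connection profile later names the one in use. Use test aaa-server authentication AAA-RADIUS host 10.4.48.15 username <user> password <pass> to confirm the shared secret and reachability before pointing the VPN at the group.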

Step 3: On the Client Address Assignment page, verify that the pool you just created is selected, and then click Next.

Step 4: On the Network Name Resolution Servers page, enter the organization's DNS Servers (Example: 10.4.48.10) and the organization's Domain Name (Example: cisco.local), and then click Next.

If you are using RA VPN integrated with Cisco ASA Series firewalls, NAT exemption must be configured for traffic from the LAN that is going to the remote-access clients. If this were not configured, traffic to clients would be translated, changing the source address of the traffic and making it impossible for clients to receive traffic correctly from servers with which they communicate.

Step 5: If you are implementing a standalone VPN design, skip to Step 8. If you are implementing an integrated VPN design, on the NAT Exempt page, select Exempt VPN traffic from network address translation.

Step 6: In the Inside Interface list, choose inside.

Step 7: In the Local Network box, enter any4, and then click Next.

Step 8: On the AnyConnect Client Deployment page, click Next.

Step 9: On the Summary page, click Finish.

Procedure 5 Configure DNS and certificates

Step 1: In this procedure, you generate an additional identity certificate for the secondary outside interface of the RA VPN Cisco ASA firewall. The certificate that was generated in the AnyConnect Wizard in Step 8 of Procedure 2, "Configure remote access," is used only for the primary outside interface.

Step 2: The IP addresses assigned to each of the outside interfaces correspond to a fully qualified domain name (FQDN) that can be resolved using an external DNS server.

Table 2. DNS names for external IP addresses

Usage      Interface name   IP address       FQDN
Primary    outside-16       172.16.130.122   VPN-ASA5525X.cisco.local
Secondary  outside-17       172.17.130.122   VPN-ASA5525X-FO.cisco.local

Step 3: Using the values in Table 2, on your DNS server create DNS records for both the primary and secondary address on the RA VPN Cisco ASA appliance.

Step 4: Generate an identity certificate for the secondary interface. In Configuration > Remote Access VPN > Certificate Management > Identity Certificates, click Add.

Step 5: On the Add Identity Certificate dialog box, enter a new Trustpoint Name (Example: VPN-ASA5525X-FO-Trustpoint), and then select Add a new identity certificate.

Step 6: For Key Pair, select the previously created key pair. (Example: VPN-ASA5525X-Keypair)

Step 7: On the Add Identity Certificate dialog box, in Certificate Subject DN, enter the FQDN used to access the appliance on the secondary outside interface. (Example: CN=VPN-ASA5525X-FO.cisco.local)

Step 8: Select the Generate self-signed certificate and Act as local certificate authority and issue dynamic certificates to TLS-Proxy check boxes, and then click Add Certificate.

Step 9: When the Enrollment Status dialog box that shows that the enrollment has succeeded appears, click OK.

Step 10: In Configuration > Device Management > Advanced > SSL Settings, in the Certificates pane, select the secondary outside interface (Example: outside-17), and then click Edit.

Step 11: On the Select SSL Certificate dialog box, in the Primary Enrolled Certificate list, choose the additional identity certificate that was created in Step 5 through Step 9, click OK, and then click Apply.

Step 12: Force certificate replication to the secondary RA VPN appliance. From the command prompt of the primary RA VPN appliance, issue the write standby command.

VPN-ASA5525X# write standby

Next, export the primary identity certificates for backup and distribution.

Step 13: Navigate to Configuration > Remote Access VPN > Certificate Management > Identity Certificates, select the certificate for backup, and then click Export.

Step 14: Select the PKCS12 format (Certificate(s) + Private Key) certificate format. This format is used for restoring a certificate to a new device. Because the PKCS12 file contains the appliance's private key, store it and its passphrase with the same care as the appliance's enable password.

Step 15: Enter a secure passphrase (Example: c1sco123), and then click Export Certificate.

Step 16: Repeat the export in PEM format. A secure passphrase is not used with the PEM format. This format is used for distribution to VPN client devices when using self-signed certificates.

Step 17: Repeat Step 13 through Step 16 for the secondary identity certificate.

Procedure 6 Configure default tunnel gateway

This procedure is only required when configuring a standalone RA VPN device. If you are using an integrated deployment model, skip to Procedure 7, "Configure remote access routing."

Traffic from remote-access VPN clients to and from the Internet must be inspected by the organization's firewall and IPS. To accomplish this, all traffic to and from the VPN clients must be routed toward the LAN distribution switch, regardless of the traffic's destination, so that the Cisco ASA firewall and IPS has the visibility to handle the traffic correctly.

Step 1: In Configuration > Device Setup > Routing > Static Routes, click Add.

Step 2: On the Add Static Route dialog box, configure the following values, and then click OK.
• Interface—inside
• Network—any4
• Gateway IP—10.4.24.1
• Options—Tunneled (Default tunnel gateway for VPN traffic)

Step 3: Verify the configuration, and then click Apply.

Procedure 7 Configure remote access routing

Cisco ASA advertises each connected user to the rest of the network as individual host routes. Summarizing the address pool reduces the IP route table size for easier troubleshooting and faster recovery from failures.

Step 1: In Configuration > Device Setup > Routing > EIGRP > Summary Address, click Add.

Step 2: On the Add EIGRP Summary Address Entry dialog box, configure the following values, and then click OK.
• EIGRP AS—100
• Interface—GigabitEthernet0/0
• IP Address—10.4.28.0 (Enter the remote-access pool's summary network address.)
• Netmask—255.255.252.0
• Administrative Distance—5

Step 3: In the Summary Address pane, click Apply.

Next, allow intra-interface traffic. This is critical for allowing VPN users (specifically remote workers with Cisco Unified Communications software clients) to communicate with each other.

Step 4: Navigate to Configuration > Device Setup > Interfaces.

Step 5: Select Enable traffic between two or more hosts connected to the same interface, and then click Apply.

Procedure 8 Configure the group-URL

The Cisco AnyConnect client's initial connection is typically launched with a web browser. The user needs the IP address or DNS name of the appliance, a username and password, and the name of the VPN group to which they are assigned. Alternatively, the user can directly access the VPN group with the group-url, after which they need to provide their username and password. After the client is installed on a user's computer, subsequent connections can be established through the web browser again or directly through the Cisco AnyConnect client, which is now installed on the user's computer.

If you are using the single ISP design, advance to the next procedure. If you are using the dual ISP design, which has a resilient Internet connection, expect to offer VPN connectivity through both ISP connections, and be sure to provide group-urls for the IP addresses or host names of both ISPs.

Step 1: Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.

Step 2: In the Connection Profiles pane, select the profile created in the previous procedure (Example: AnyConnect), and then click Edit.

Step 3: On the Edit AnyConnect Connection Profile dialog box, navigate to Advanced > Group Alias/Group URL.

Step 4: In the Group URLs pane, click Add.

Step 5: In the URL box, enter the URL containing the firewall's primary Internet connection IP address and a user group string, and then click OK. (Example: https://172.16.130.122/AnyConnect)

Step 6: If you are using the dual ISP design, repeat Step 1 through Step 5, using the firewall's resilient Internet connection IP address. (Example: https://172.17.130.122/AnyConnect)

Procedure 9 (Optional) Enable SSL for additional interface

This procedure is required only when using the dual ISP design.

Step 1: Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.

Step 2: In the Configuration window, in the Access Interfaces pane, select the interface attached to the resilient Internet connection. (Example: outside-17)

Step 3: Under SSL Access, select Allow Access, and then click Apply.

Procedure 10 (Optional) Configure additional NAT exemption

This procedure is required only when using the dual ISP design with the integrated VPN design.

Step 1: Navigate to Configuration > Firewall > NAT Rules. A previous NAT exemption rule already exists from an earlier procedure. (Example: Source Intf: inside, Dest Intf: outside-16, Destination: NETWORK_OBJ_10.4.28.0_22) Right-click this rule, and then click Copy.

Step 2: Right-click after the original rule, and then click Paste. The new rule is opened for editing.

Step 3: Change the Destination Interface to the resilient interface (Example: outside-17), click OK, and then click Apply.
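How the dual-ISP pieces from Procedures 5, 8 and 9 fit together on the command line: each outside interface presents its own identity certificate, the SSL VPN listens on both interfaces, and the connection profile carries one group-URL per ISP address. This is an added example, not configuration from the guide; trustpoint, interface, profile and address names are the examples used in those procedures, and the AnyConnect images loaded by the wizard are assumed to be present already.

```cisco
! Added example (not from the guide): CLI view of Procedures 5, 8 and 9.
!
! Each Internet interface serves the certificate whose subject matches
! the FQDN that resolves to that interface's address (Table 2).
ssl trust-point VPN-ASA5525X-Trustpoint outside-16
ssl trust-point VPN-ASA5525X-FO-Trustpoint outside-17
!
! Offer the SSL VPN on both Internet interfaces. The "anyconnect image"
! lines created by the wizard are assumed to exist above "anyconnect enable".
webvpn
 enable outside-16
 enable outside-17
 anyconnect enable
!
! One group-URL per ISP so a client can land on either link and be placed
! straight into the AnyConnect connection profile.
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect webvpn-attributes
 group-url https://172.16.130.122/AnyConnect enable
 group-url https://172.17.130.122/AnyConnect enable
```

After applying, show ssl and show running-config webvpn confirm which certificate and interfaces are in use; connecting to https://172.17.130.122/AnyConnect should present the VPN-ASA5525X-FO certificate, not the primary one. Keep the group-URL host part in step with the DNS names in Table 2, since the AnyConnect client profile in Procedure 15 refers to the appliances by FQDN.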

Procedure 11 Configure the connection profile

Complete this procedure when using Cisco Secure ACS as a proxy to Active Directory for authentication. This procedure is recommended but not required when using Active Directory by itself. The MS-CHAPv2 authentication protocol requires that password management is enabled on the RA VPN Cisco ASA appliance.

Step 1: Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. In the Connection Profiles pane, select the profile that you created previously using the AnyConnect VPN Wizard (Example: AnyConnect), and then click Edit.

Step 2: In Advanced > General, in the Password Management pane, select Enable password management.

Procedure 12 Configure the employee policy

Step 1: In Configuration > Remote Access VPN > Network (Client) Access > Group Policies, click Add.

Step 2: On the Add Internal Group Policy dialog box, enter a Name. (Example: GroupPolicy_Employee)

Step 3: For Banner, clear the Inherit check box, and then enter a banner message for the employee policy. (Example: Group "vpn-employee" allows for unrestricted access with a tunnel all policy.)

Procedure 13 Configure the partner policy

Step 1: In Configuration > Remote Access VPN > Network (Client) Access > Group Policies, click Add.

Step 2: On the Add Internal Group Policy dialog box, enter a Name. (Example: GroupPolicy_Partner)

Step 3: For Banner, clear the Inherit check box, and then enter a banner message for the partner policy. (Example: Group "vpn-partner" allows for access control list (ACL) restricted access with a tunnel all policy.)

Step 4: Click the two down arrows. The More Options pane expands.

Step 5: For Filter, clear the Inherit check box, and then click Manage.

Step 6: On the ACL Manager dialog box, click the Standard ACL tab, and then click Add > Add ACL.

Step 7: On the Add ACL dialog box, enter an ACL Name, and then click OK. (Example: RA_PartnerACL)

Step 8: Click Add > Add ACE.

Step 9: On the Add ACE dialog box, for Action, select Permit.

Step 10: In the Address box, enter the IP address and netmask that the partner is allowed to access, and then click OK. (Example: 10.4.48.35/32)

Step 11: On the ACL Manager dialog box, click OK.

Step 12: On the Add Internal Group Policy dialog box, click OK.

Step 13: In the Group Policies pane, click Apply.

Procedure 14 Configure the admin policy

With a split tunnel policy, only the networks in the list are sent through the VPN; the administrator's remaining traffic leaves the client directly and is not inspected by the organization's firewall and IPS, so limit this policy to the users who need it.

Step 1: In Configuration > Remote Access VPN > Network (Client) Access > Group Policies, click Add.

Step 2: On the Add Internal Group Policy dialog box, enter a Name. (Example: GroupPolicy_Administrator)

Step 3: For Banner, clear the Inherit check box, and then enter a banner message for the administrator policy. (Example: Group "vpn-administrator" allows for unrestricted access with a split tunnel policy.)

Step 4: In the navigation tree, click Advanced > Split Tunneling.

Step 5: For Policy, clear the Inherit check box, and then select Tunnel Network List Below.

Step 6: For Network List, clear the Inherit check box, and then click Manage.

Step 7: On the ACL Manager dialog box, click the Standard ACL tab, and then click Add > Add ACL.

Step 8: On the Add ACL dialog box, enter an ACL Name, and then click OK. (Example: RA_SplitTunnelACL)

Step 9: Click Add > Add ACE.

Step 10: On the Add ACE dialog box, for Action, select Permit.

Step 11: In the Address box, enter the internal summary IP address and netmask, and then click OK. (Example: 10.4.0.0/15)

Step 12: Click Add > Add ACE.

Step 13: On the Add ACE dialog box, for Action, select Permit.

Step 14: In the Address box, enter the DMZ summary IP address and netmask, and then click OK. (Example: 192.168.16.0/21)

Step 15: On the ACL Manager dialog box, click OK.

Step 16: On the Add Internal Group Policy dialog box, click OK.

Step 17: In the Group Policies pane, click Apply.

Procedure 15 Configure Cisco AnyConnect Client Profile

Cisco AnyConnect Client Profile is the location where the newer configuration of the Cisco AnyConnect client is defined, including many of the newest features added to the Cisco AnyConnect client. Cisco AnyConnect 2.5 and later use the configuration in this section.

Step 1: In Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile, click Add.

Step 2: On the Add AnyConnect Client Profile dialog box, in the Profile Name box, enter RA-Profile, and then click OK.

Step 3: In the AnyConnect Client Profile pane, select the RA-Profile you just built, and then click Edit. This launches the AnyConnect Client Profile Editor.

Step 4: Click Server List. The Server List panel opens. The Server List panel allows you to enter names and addresses for the appliances to which the Cisco AnyConnect Client is allowed to connect.

Step 5: Click Add.

Step 6: On the Server List Entry dialog box, in the Host Display Name box, enter the primary FQDN of the remote-access firewall. (Example: VPN-ASA5525X.cisco.local)

Tech Tip
The entry used for the Host Display Name must be listed in your organization's DNS database. If you have not updated your DNS to include the primary and secondary FQDNs as listed in Table 2, do so now.

Step 7: In the Backup Server List pane, in the Host Address box, enter the secondary FQDN of the remote-access firewall (Example: VPN-ASA5525X-FO.cisco.local), and then click Add.

Step 8: Click OK. The AnyConnect Client Profile Editor closes. Click Apply.

When running a RA VPN Cisco ASA firewall pair, the AnyConnect client profile must be manually replicated to the secondary Cisco ASA firewall.

Step 9: Navigate to Tools > File Management, click File Transfer, and then select Between Local PC and Flash.

Step 10: Browse to a destination on your local file system and copy the AnyConnect client profile file from the Cisco ASA disk (Example: ra-profile.xml) by selecting the profile and then clicking the left arrow.

Step 11: After a successful file transfer, click Close.

Step 12: Navigate to the secondary RA VPN Cisco ASA’s inside IP address, and then launch ASDM. (Example: https://10.4.24.23)

Tech Tip
Do not attempt to modify the firewall configuration on the standby appliance. You should make configuration changes only on the primary appliance.

Step 13: Navigate to Tools > File Management.

Step 14: Click File Transfer, and then select Between Local PC and Flash.

Step 15: Browse to the location on your local file system and copy the AnyConnect client profile file to the secondary Cisco ASA disk (Example: ra-profile.xml) by selecting the profile and then clicking the right arrow. After a successful file transfer, click Close.

Step 16: Close ASDM on the secondary RA VPN Cisco ASA appliance.

Step 17: On the primary RA VPN Cisco ASA appliance, in the AnyConnect Client Profile pane, select the AnyConnect VPN profile (Example: RA-Profile), and then click Change Group Policy.

Step 18: In the Change Group Policy for Profile dialog box, in the Available Group Policies list, choose the three group policies you just created, click the right arrow, and then click OK.

Step 19: In the AnyConnect Client Profile pane, click Apply.
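Two things in Procedure 15 are easy to get wrong silently: a server-list name that is not in DNS (the Tech Tip after Step 6), and a profile copy on the standby unit that drifts from the primary's because Steps 10 and 15 are manual. The script below is an added example, not the guide's or Cisco's tooling, that checks both from the `ra-profile.xml` you download in Step 10. It assumes the profile's element names (`ServerList`, `HostEntry`, `HostName`, `HostAddress`, `BackupServerList`) follow the AnyConnect profile layout, embeds a constructed minimal profile using the guide's example FQDNs, and stands in a dictionary for the DNS zone so it runs offline; the second, stale copy is also constructed, to show the replication check catching a difference.

```python
"""Validate an AnyConnect client profile's server list and confirm the manual
copy to the standby ASA. Added example, not the guide's own tooling.

Assumptions: the element names (ServerList, HostEntry, HostName, HostAddress,
BackupServerList) follow the AnyConnect profile layout; the FQDNs are the
guide's examples; the DNS zone below is a constructed stand-in for a real
resolver.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed minimal profile in the shape the Profile Editor writes. A real
# ra-profile.xml declares an XML namespace and many more elements; the parser
# below strips namespaces so it copes with either form.
PRIMARY_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
  <ServerList>
    <HostEntry>
      <HostName>VPNASA5545X.cisco.local</HostName>
      <HostAddress>VPNASA5545X.cisco.local</HostAddress>
      <BackupServerList>
        <HostAddress>VPNASA5525X-FO.cisco.local</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed: an older copy left on the standby unit (no backup server entry),
# to show that the replication check catches drift.
STALE_SECONDARY_COPY = PRIMARY_PROFILE.replace(
    b"      <BackupServerList>\n"
    b"        <HostAddress>VPNASA5525X-FO.cisco.local</HostAddress>\n"
    b"      </BackupServerList>\n",
    b"",
)

# Constructed DNS zone: the records Table 2 of the guide asks you to create.
# The addresses are the design's two outside interfaces, used only as sample data.
DNS_ZONE = {
    "vpnasa5545x.cisco.local": "172.16.130.122",
    "vpnasa5525x-fo.cisco.local": "172.17.130.122",
}


def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}HostEntry'."""
    return tag.rsplit("}", 1)[-1]


def server_hosts(profile_bytes):
    """Return (primary_hosts, backup_hosts) from every HostEntry in the profile."""
    root = ET.fromstring(profile_bytes)
    primary, backup = [], []
    for entry in root.iter():
        if _local(entry.tag) != "HostEntry":
            continue
        for child in entry:
            name = _local(child.tag)
            if name == "HostAddress" and child.text:
                primary.append(child.text.strip())
            elif name == "BackupServerList":
                backup.extend(
                    a.text.strip() for a in child if _local(a.tag) == "HostAddress" and a.text
                )
    return primary, backup


def zone_resolver(zone):
    """Build a resolver over a dict; swap in socket.gethostbyname for a live check."""
    return lambda name: zone.get(name.lower().rstrip("."))


def unresolvable_hosts(profile_bytes, resolve):
    """Server-list names the resolver cannot find: exactly the gap the Tech Tip warns about."""
    primary, backup = server_hosts(profile_bytes)
    return [h for h in primary + backup if resolve(h) is None]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def replicated_ok(primary_copy, secondary_copy):
    """True when the profile pulled back from the standby disk is byte-identical
    to the primary's copy (Steps 10 and 15 are manual, so verify them)."""
    return sha256_hex(primary_copy) == sha256_hex(secondary_copy)


if __name__ == "__main__":
    print("hosts:", server_hosts(PRIMARY_PROFILE))
    print("unresolved:", unresolvable_hosts(PRIMARY_PROFILE, zone_resolver(DNS_ZONE)))
    print("standby in sync:", replicated_ok(PRIMARY_PROFILE, STALE_SECONDARY_COPY))
```

In practice, download the profile from both appliances (Steps 10 and 15 in reverse) and feed the two files to `replicated_ok`; a mismatch after a failover means clients that land on the standby unit get a different server list than the one you tested.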

Summary

This deployment guide is a reference design for Cisco customers and partners. It covers the Internet edge remote access VPN component of Borderless Networks and is meant to be used in conjunction with the Cisco SBA—Borderless Networks Firewall and IPS Deployment Guide in addition to the MPLS WAN Deployment Guide, which can be found here: http://www.cisco.com/go/sba/

The Cisco products used in this design were tested in a network lab at Cisco. The specific products are listed at the end of this document for your convenience.

If your network is beyond the scale of this design, please refer to the Cisco Validated Designs (CVD) for larger deployment models. CVDs can be found on Cisco.com.

Appendix A: Product List

Internet Edge

Functional Area: Firewall
Product Description                                          Part Number      Software
Cisco ASA 5545-X IPS Edition - security appliance            ASA5545-IPS-K9   ASA 9.0(1)
Cisco ASA 5525-X IPS Edition - security appliance            ASA5525-IPS-K9   IPS 7.1(6)E4
Cisco ASA 5515-X IPS Edition - security appliance            ASA5515-IPS-K9   ASDM 7.0(2)
Cisco ASA 5512-X IPS Edition - security appliance            ASA5512-IPS-K9
Cisco ASA 5512-X Security Plus license                       ASA5512-SEC-PL
Firewall Management                                          ASDM

Functional Area: RA VPN Firewall
Product Description                                          Part Number      Software
Cisco ASA 5545-X Firewall Edition - security appliance       ASA5545-K9       ASA 9.0(1)
Cisco ASA 5525-X Firewall Edition - security appliance       ASA5525-K9       ASDM 7.0(2)
Cisco ASA 5515-X Firewall Edition - security appliance       ASA5515-K9
Cisco ASA 5512-X Firewall Edition - security appliance       ASA5512-K9
Cisco ASA5512-X Security Plus license                        ASA5512-SEC-PL
Firewall Management                                          ASDM

Functional Area: AnyConnect License
Product Description                                          Part Number      Software
AnyConnect Essentials VPN License - ASA 5545-X (2500 Users)  L-ASA-AC-E-5545  —
AnyConnect Essentials VPN License - ASA 5525-X (750 Users)   L-ASA-AC-E-5525
AnyConnect Essentials VPN License - ASA 5515-X (250 Users)   L-ASA-AC-E-5515
AnyConnect Essentials VPN License - ASA 5512-X (250 Users)   L-ASA-AC-E-5512

Internet Edge LAN

Functional Area: Outside Switch
Product Description                                                                        Part Number       Software
Cisco Catalyst 2960-S Series 24 Ethernet 10/100/1000 ports and Four GbE SFP Uplink ports   WS-C2960S-24TS-L  15.0(1)SE2 LAN Base license

VPN Client

Functional Area: VPN Client
Product Description                                   Part Number                              Software
Cisco AnyConnect Secure Mobility Client (Windows)     Cisco AnyConnect Secure Mobility Client  3.1.00495
Cisco AnyConnect Secure Mobility Client (Mac OS X)    Cisco AnyConnect Secure Mobility Client
Cisco AnyConnect Secure Mobility Client (Linux)       Cisco AnyConnect Secure Mobility Client

Access Control

Functional Area: Authentication Services
Product Description                          Part Number      Software
ACS 5.3 VMware Software and Base License     CSACS-5.3-VM-K9  5.3

LAN Distribution Layer

Functional Area: Modular Distribution Layer Virtual Switch Pair
Product Description                                                       Part Number       Software
Cisco Catalyst 6500 E-Series 6-Slot Chassis                               WS-C6506-E        15.0(1)SY1 IP Services license
Cisco Catalyst 6500 VSS Supervisor 2T with 2 ports 10GbE and PFC4         VS-S2T-10G
Cisco Catalyst 6500 16-port 10GbE Fiber Module w/DFC4                     WS-X6816-10G-2T
Cisco Catalyst 6500 24-port GbE SFP Fiber Module w/DFC4                   WS-X6824-SFP-2T
Cisco Catalyst 6500 4-port 40GbE/16-port 10GbE Fiber Module w/DFC4        WS-X6904-40G-2T
Cisco Catalyst 6500 4-port 10GbE SFP+ adapter for WX-X6904-40G module     CVR-CFP-4SFP10G

Functional Area: Modular Distribution Layer Switch
Product Description                                                       Part Number       Software
Cisco Catalyst 4507R+E 7-slot Chassis with 48Gbps per slot                WS-C4507R+E       3.3.0.SG(15.1-1SG) Enterprise Services license
Cisco Catalyst 4500 E-Series Supervisor Engine 7-E, 848Gbps               WS-X45-SUP7-E
Cisco Catalyst 4500 E-Series 24-port GbE SFP Fiber Module                 WS-X4624-SFP-E
Cisco Catalyst 4500 E-Series 12-port 10GbE SFP+ Fiber Module              WS-X4712-SFP+E

Functional Area: Stackable Distribution Layer Switch
Product Description                                                       Part Number       Software
Cisco Catalyst 3750-X Series Stackable 12 GbE SFP ports                   WS-C3750X-12S-E   15.0(2)SE IP Services license
Cisco Catalyst 3750-X Series Two 10GbE SFP+ and Two GbE SFP ports network module  C3KX-NM-10G
Cisco Catalyst 3750-X Series Four GbE SFP ports network module            C3KX-NM-1G

Appendix B: Configuration Example

RA VPN ASA5525X

ASA Version 9.0(1)
!
hostname VPN-ASA5525X
domain-name cisco.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool RA-pool 10.4.28.1-10.4.28.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.4.24.24 255.255.255.0 standby 10.4.24.23
 summary-address eigrp 100 10.4.28.0 255.255.252.0 5
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3.16
 vlan 16
 nameif outside-16
 security-level 0
 ip address 172.16.130.122 255.255.255.0
!
interface GigabitEthernet0/3.17
 vlan 17
 nameif outside-17
 security-level 0
 ip address 172.17.130.122 255.255.255.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa901-smp-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name cisco.local
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.4.28.0_22
 subnet 10.4.28.0 255.255.252.0
object network internal-network
 subnet 10.4.0.0 255.254.0.0
 description Internal Network
access-list ALL_BUT_DEFAULT standard deny host 0.0.0.0
access-list ALL_BUT_DEFAULT standard permit any4
access-list RA_PartnerACL remark Partners can access this internal host only!
access-list RA_PartnerACL standard permit host 10.4.48.35
access-list RA_SplitTunnelACL remark Internal Networks
access-list RA_SplitTunnelACL standard permit 10.4.0.0 255.254.0.0
access-list RA_SplitTunnelACL remark DMZ Networks
access-list RA_SplitTunnelACL standard permit 192.168.16.0 255.248.0.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside-16 1500
mtu outside-17 1500
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key FailoverKey
failover replication http
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.24.97 255.255.255.248 standby 10.4.24.98
monitor-interface outside-16
monitor-interface outside-17
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside-16) source static any any destination static NETWORK_OBJ_10.4.28.0_22 NETWORK_OBJ_10.4.28.0_22 no-proxy-arp route-lookup
nat (inside,outside-17) source static any any destination static NETWORK_OBJ_10.4.28.0_22 NETWORK_OBJ_10.4.28.0_22 no-proxy-arp route-lookup
!
router eigrp 100
 no auto-summary
 distribute-list ALL_BUT_DEFAULT out
 network 10.4.0.0 255.254.0.0
 passive-interface default
 no passive-interface inside
 redistribute static
!
route outside-16 0.0.0.0 0.0.0.0 172.16.130.126 1 track 1
route outside-17 0.0.0.0 0.0.0.0 172.17.130.126 50
route outside-16 172.18.1.1 255.255.255.255 172.16.130.126 1
route inside 0.0.0.0 0.0.0.0 10.4.24.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AAA-SERVER protocol tacacs+
aaa-server AAA-SERVER (inside) host 10.4.48.15
 key SecretKey
aaa-server AAA-RADIUS protocol radius
aaa-server AAA-RADIUS (inside) host 10.4.48.15
 timeout 5
 key SecretKey
user-identity default-domain LOCAL
aaa authentication enable console AAA-SERVER LOCAL
aaa authentication ssh console AAA-SERVER LOCAL
aaa authentication http console AAA-SERVER LOCAL
aaa authentication serial console AAA-SERVER LOCAL
aaa authorization exec authentication-server
http server enable
http 10.4.48.0 255.255.255.0 inside
snmp-server host inside 10.4.48.35 community cisco
no snmp-server location
no snmp-server contact
snmp-server community cisco
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 16
 type echo protocol ipIcmpEcho 172.18.1.1 interface outside-16
sla monitor schedule 16 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside-16_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-16_map interface outside-16
crypto ca trustpoint VPN-ASA5525X-Trustpoint
 enrollment self
 subject-name CN=VPN-ASA5525X.cisco.local
 keypair VPN-ASA5525X-Keypair
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint VPN-ASA5525X-FO-Trustpoint
 enrollment self
 subject-name CN=VPN-ASA5525X-FO.cisco.local
 keypair VPN-ASA5525X-Keypair
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=VPN-ASA5525X
 keypair foobar
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain VPN-ASA5525X-Trustpoint
 certificate 196dbd50
    30820379 30820261 a0030201 02020419 6dbd5030 0d06092a 864886f7 0d010105
    0500304c 3121301f 06035504 03131856 504e2d41 53413535 3235582e 63697363
    6f2e6c6f 63616c31 27302506 092a8648 86f70d01 09021618 56504e2d 41534135
    35323558 2e636973 636f2e6c 6f63616c 301e170d 31323132 31373232 34353131
    5a170d32 32313231 35323234 3531315a 304c3121 301f0603 55040313 1856504e
    2d415341 35353235 582e6369 73636f2e 6c6f6361 6c312730 2506092a 864886f7
    0d010902 16185650 4e2d4153 41353532 35582e63 6973636f 2e6c6f63 616c3082
    0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100be
    b40a3916 c07f0a5a ca49459f 1ff0fde1 18fdd1d3 1549f412 591ea3da d0fdc925
    e590bd9f ddb0a47b 488cfbcc 0a8245de 2c1bba6c b63c12d4 9378e952 c3146de5
    5cbaa719 c6cbc071 8ad5b3c1 fa3f9aaa f382b256 8518fa3b 0f4674d9 c973ec60
    b78a92a9 ccaeca0a bf55510d 1dd0e6b9 19c8d200 ae13aa37 aed1dae8 f06cd971
    9db5a13e ef9fab17 e2ada507 000d0161 56c3c3b5 dddb1010 d16bd4af e744c3ec
    ca686421 21ec21aa 015fc2a4 bd5a4f36 ccfe7a2e 78c20b1b 113c52db 58a27b02
    03010001 a3633061 ff300e06 03551d0f 0101ff04 04030201 731ddd16 be77e390
    7c3543cb 6fcfbeba 1ddd16be 77e3907c 3543cb6f cfbeba47 03820101 001f3f41
    c292da00 7b7a5435 950e84d2 fcc1608f 4c198baa 76c7e40a bf465d4a 31c45abc
    42da8ed6 88721355 fbdd0142 92ec9dc2 f82927e6 2cb3de0e 21a08fec 22da19d3
    ded3c076 76540ade a26d455f 678030ac 012ec360 fcab84d3 89e014cc 740cc939
    be773a31 640b7dec 33cce6b9 b16a63ca 2d541dc2 79ed0483 9af9e717 36
  quit
crypto ca certificate chain VPN-ASA5525X-FO-Trustpoint
 certificate 1a6dbd50
    3082037f 30820267 a0030201 0202041a 6dbd5030 0d06092a 864886f7 0d010105
    0500304f 31243022 3235582d 464f2e63 6973636f 2e6c6f63 02161856 504e2d41
    53413535 3235582e 32313231 37323234 3535355a 170d3232 22060355 0403131b
    56504e2d 41534135 63616c31 27302506 092a8648 86f70d01 2e636973 636f2e6c
    6f63616c 30820122 82010f00 3082010a 02820101 00beb40a d1d31549 f412591e
    a3dad0fd c925e590 ba6cb63c 12d49378 e952c314 6de55cba b2568518 fa3b0f46
    74d9c973 ec60b78a d200ae13 aa37aed1 dae8f06c d9719db5 10fc27e7 159be2ad
    a507000d 016156c3 e0e0ec61 6cf1d16b d4afe744 c3ecca68 8f872cee 1f57015f
    c2a4bd5a 4f36ccfe 07481df7 4d18113c 52db58a2 7b020301 04053003 0101ff30
    0e060355 1d0f0101 30168014 2836731d dd16be77 e3907c35 16041428 36731ddd
    06035504 03131b56 504e2d41 53413535 616c3127 30250609 2a864886 f70d0109
    63697363 6f2e6c6f 63616c30 1e170d31 31323135 32323435 35355a30 4f312430
    35323558 2d464f2e 63697363 6f2e6c6f 09021618 56504e2d 41534135 35323558
    300d0609 2a864886 f70d0101 01050003 3916c07f 0a5aca49 459f1ff0 fde118fd
    bd9fddb0 a47b488c fbcc0a82 45de2c1b a719c6cb c0718ad5 b3c1fa3f 9aaaf382
    92a9ccae ca0abf55 510d1dd0 e6b919c8 a13eef9f ab17a66f 1745973e d31b80cc
    c3b5dddb 10102db9 39537bea 683e5d15 642121ec 21aae051 21c56dcc 6c776863
    7a2e78c2 0b1bf0e5 f5fa01b8 27832fbf 0001a363 3061300f 0603551d 130101ff
    ff040403 02018630 1f060355 1d230418 43cb6fcf beba47d7 301d0603 551d0e04
    16be77e3 907c3543 cb6fcfbe 0d010105 05000382 0101001f a66f1745 973ed31b
    80cc10fc 27e7159b 2db93953 7bea683e 5d15e0e0 ec616cf1 e05121c5 6dcc6c77
    68638f87 2cee1f57 f0e5f5fa 01b82783 2fbf0748 1df74d18 300f0603 551d1301
    01ff0405 30030101 86301f06 03551d23 04183016 80142836 47d7301d 0603551d
    0e041604 14283673 d7300d06 092a8648 86f70d01 01050500 387b60fd 169ed55d
    5a8634f9 1981a26b 36922ed3 ef561037 a1ed3dee 49c9e7b1 6e10c417 71a14481
    6f379edf 7052500f 948f690b 9aa2d831 88c27c0c bbd11fa1 d9e996ab 7dc26518
    ea1b999c fe8d54c9 9271d88c e46e3def 45d6fa34 293d6bc6 8f5b32f2 db785864
    b89a68ae bb5d8bc5 3f9afc1c 3060aa60 0ecd97c5 6f1b0a1a ba47d730 0d06092a
    864886f7 7519a55b 15d16c77 9a23ed00 1956a610 a9f08787 3df62168 bf070a22
    f321d4b9 b6157593 24fd0c60 cd6ad778 afa18e73 324a6eb0 547a703c 0eb1d205
    811c073e e0193ddf bfcb3e0d 241a1679 4fb0cb00 f07a01da c7494ff5 df273d77
    adc52e75 5a3e2fcc c384ca51 72fba6fa ce0251dc 274e59e8 664c0119 c42ae064
    cdd9ac8a 968f69d3 ebd48f27 c1ede1f6 63169317 59cb71cb bf8492fe ff8f8072
    defb92eb 5d50b97c b824b132 11970758 e0a8b8f9 75b0a458 90bdefdb 26f894db
    02632a6d 5b6c534b 77344868 10b4c4c3 8eae3e4c 10d0a269 6f500e65 fbf99d3b
    5f06061f 930a4636 959afbfd 27e01065 d3730911 08eb3c6b 79dd62a6 67d77785
    e88d11
  quit
crypto ikev1 enable outside-16
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 16 reachability
telnet timeout 5
ssh 10.4.48.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.4.48.17
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point VPN-ASA5525X-FO-Trustpoint outside-17
ssl trust-point VPN-ASA5525X-Trustpoint outside-16
webvpn
 enable outside-16
 enable outside-17
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
 anyconnect profiles RA-Profile disk0:/ra-profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_Employee internal
group-policy GroupPolicy_Employee attributes
 banner value Group “vpn-employee” allows for unrestricted access with a tunnel all policy.
 vpn-filter value Block_Trusted_Host
 split-tunnel-policy excludespecified
 split-tunnel-network-list value CWS_Tower_Exclude
 webvpn
  anyconnect modules value websecurity
  anyconnect profiles value RA-Profile type user
  anyconnect profiles value RA-WebSecurityProfile.wso type websecurity
  always-on-vpn profile-setting
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 10.4.48.10
 vpn-tunnel-protocol ssl-client
 default-domain value cisco.local
group-policy GroupPolicy_Partner internal
group-policy GroupPolicy_Partner attributes
 banner value Group “vpn-partner” allows for access control list (ACL) restricted access with a tunnel all policy.
 vpn-filter value RA_PartnerACL
 webvpn
  anyconnect profiles value RA-Profile type user
group-policy GroupPolicy_Administrator internal
group-policy GroupPolicy_Administrator attributes
 banner value Group “vpn-administrator” allows for unrestricted access with a split tunnel policy.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SplitTunnelACL
 webvpn
  anyconnect profiles value RA-Profile type user
username admin password 7KKG/zg/Wo8c.YfN encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool RA-pool
 authentication-server-group AAA-RADIUS
 default-group-policy GroupPolicy_AnyConnect
 password-management
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
 group-url https://172.16.130.122/AnyConnect enable
 group-url https://172.17.130.122/AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
: end
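The configuration above carries the ASA's default IKEv1 policy set (policies 10 through 150) and ten default transform sets, so DES, 3DES, MD5 and 1024-bit Diffie-Hellman group 2 remain offered on outside-16 even though the group policies here only permit `ssl-client`. The script below is an added example, not part of the guide or the appliance, that audits those two sections of a running-config. It parses the `crypto ikev1 policy` blocks and `crypto ipsec ikev1 transform-set` lines in the format shown above (a constructed excerpt with one strong and one weak policy is embedded), and it generalizes to any ASA configuration written in this layout; the weak-algorithm sets are the script's own judgement, not something the guide states.

```python
"""Audit IKEv1 policies and IPsec transform sets in an ASA running-config.

Added example, not part of the guide. Parses the same two sections that
appear in the appendix above and reports entries that still offer DES, 3DES,
MD5 or DH group 1/2. Feed it the text of "show running-config crypto".
"""
import re

# Constructed excerpt in the appendix's layout: one strong and one weak
# policy, plus three of the default transform sets.
SAMPLE_CONFIG = """
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
"""

# Judgement calls of this script, not the guide's: single DES and 3DES are
# obsolete, HMAC-MD5 is deprecated, and DH groups 1 and 2 (768/1024-bit MODP)
# are below current minimums.
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}
WEAK_ESP_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}

_POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
_TSET_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+)\s+(.+)$")


def parse_ikev1_policies(text):
    """Return {priority: {attribute: value}} for every 'crypto ikev1 policy' block.
    Attributes are the indented lines that follow the header (ASA style)."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None  # any unindented line ends the block
    return policies


def parse_transform_sets(text):
    """Return {name: [esp algorithms]} for every transform-set line."""
    sets = {}
    for line in text.splitlines():
        m = _TSET_RE.match(line.strip())
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def weak_policies(policies):
    """{priority: [problem, ...]} for policies that offer a weak algorithm."""
    findings = {}
    for prio, attrs in sorted(policies.items()):
        problems = []
        if attrs.get("encryption") in WEAK_CIPHERS:
            problems.append(f"encryption {attrs['encryption']}")
        if attrs.get("hash") in WEAK_HASHES:
            problems.append(f"hash {attrs['hash']}")
        if attrs.get("group") in WEAK_DH_GROUPS:
            problems.append(f"group {attrs['group']}")
        if problems:
            findings[prio] = problems
    return findings


def weak_transform_sets(sets):
    """{name: [weak esp algorithm, ...]} for transform sets that use one."""
    return {name: [a for a in algs if a in WEAK_ESP_ALGS]
            for name, algs in sets.items()
            if any(a in WEAK_ESP_ALGS for a in algs)}


if __name__ == "__main__":
    for prio, problems in weak_policies(parse_ikev1_policies(SAMPLE_CONFIG)).items():
        print(f"crypto ikev1 policy {prio}: {', '.join(problems)}")
    for name, problems in weak_transform_sets(parse_transform_sets(SAMPLE_CONFIG)).items():
        print(f"transform-set {name}: {', '.join(problems)}")
```

Because a peer is matched against the policies in priority order, the weak entries at the bottom are only selected by a peer that offers nothing stronger; the safer change is still to remove them, or to not enable IKEv1 on the outside interface at all when, as in this design, the tunnel groups only carry AnyConnect SSL sessions.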

Appendix C: Changes

This appendix summarizes the changes to this guide since the previous Cisco SBA series.

• We updated the Cisco ASA firewall software to 9.0(1) with ASDM 7.0(2).
• We updated various screenshots to reflect the new software versions.
• We made minor updates to improve the usability of the guide.

Feedback
Please use the feedback form to send comments and suggestions about this guide.

SMART BUSINESS ARCHITECTURE

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2013 Cisco Systems, Inc. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

B-0000285-1 1/13
