1 - VPN Tip: How to Create a VPN on ASA using Cisco AnyConnect with Split-Tunnel

AnyConnect Remote Access VPN configurations with SPLIT-TUNNEL:


To show the concept and the working of the VPN, I used the Cisco defined image.

In this method, clients connected to the ASA through the Cisco AnyConnect VPN can reach the internal resources, while all other traffic (Internet access included) keeps using the client's own connection. Only the destinations listed in the split-tunnel ACL are sent through the tunnel.


From router R, ping 10.40.0.1 = success.
Make sure the firewall is reachable from the remote client before starting the VPN configuration.

To set up the basic firewall configuration, please see the article below.



VPN Configuration on ASA:

Address pool handed out to connecting clients:

ciscoasa(config)#ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

Enable the AnyConnect service on the outside interface, load the client package and let clients pick the connection profile from a list:

ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
ciscoasa(config-webvpn)#tunnel-group-list enable
ciscoasa(config-webvpn)#anyconnect enable

Split-tunnel ACL: only traffic to these networks is routed into the tunnel (192.168.1.0/24 is the inside LAN, 192.168.10.0/24 is the VPN pool itself):

ciscoasa(config)#access-list REMOTE standard permit 192.168.1.0 255.255.255.0
ciscoasa(config)#access-list REMOTE standard permit 192.168.10.0 255.255.255.0

Group policy: allow the SSL client only and tunnel just the networks listed in REMOTE (tunnelspecified); without these two lines the default policy, tunnelall, sends everything through the ASA:

ciscoasa(config)#group-policy clientgroup internal
ciscoasa(config)#group-policy clientgroup attributes
ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)#split-tunnel-network-list value REMOTE

Local user for the lab (in production use a strong password or an external AAA server):

ciscoasa(config)#username Babar password cisco

Tunnel group (connection profile) tying the pool and the group policy together; the alias is what the client shows in its drop-down list:

ciscoasa(config)#tunnel-group sslgroup type remote-access
ciscoasa(config)#tunnel-group sslgroup general-attributes
ciscoasa(config-tunnel-general)#address-pool vpnpool
ciscoasa(config-tunnel-general)#default-group-policy clientgroup
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)#tunnel-group sslgroup webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-alias sslgroup_users enable

Now try connecting to 10.0.50.1 from the client using AnyConnect; it should connect. But a ping to 192.168.1.2 from the client will not work yet, because the NAT exemption has not been configured: traffic between the VPN pool and the inside network still falls under the existing NAT rules instead of being passed through untouched.


NAT exemption (identity twice-NAT) between the inside network and the VPN pool, so that traffic between them bypasses the regular NAT rules:

object network NET_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NET_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static NET_OBJ_192.168.1.0_24 NET_OBJ_192.168.1.0_24 destination static NET_OBJ_192.168.10.0_24 NET_OBJ_192.168.10.0_24


Now the VPN is fully up and ping works in both directions.
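The "VPN connects but the inside host does not answer" failure above is easy to hit again whenever a new network is added to the split-tunnel ACL without a matching NAT exemption. The following script is an added example (not part of this page or of Cisco's tooling) that checks an ASA configuration for exactly that: it parses the pool, the split-tunnel ACL referenced by the group policy, the network objects and the twice-NAT rules, and reports every tunnelled network that has no identity NAT towards the VPN pool, or a group policy still on the default tunnelall. The function names, the running-config form of the input (no "ciscoasa(config)#" prompts), and the treatment of tunnelall as the ASA default when no split-tunnel-policy is set are my assumptions; the sample configuration is constructed from the commands on this page.

```python
import ipaddress
import re

# Constructed sample: this page's configuration reduced to the lines the check uses.
ASA_CONFIG = """\
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
access-list REMOTE standard permit 192.168.1.0 255.255.255.0
access-list REMOTE standard permit 192.168.10.0 255.255.255.0
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTE
object network NET_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NET_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static NET_OBJ_192.168.1.0_24 NET_OBJ_192.168.1.0_24 destination static NET_OBJ_192.168.10.0_24 NET_OBJ_192.168.10.0_24
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))", re.M)
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)


def _net(addr, mask="255.255.255.255"):
    """Build a network from a dotted address/mask pair, masking off host bits."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pools(cfg):
    """Pool name -> network covering the pool (the pool mask applied to its first address)."""
    return {m.group(1): _net(m.group(2), m.group(4)) for m in POOL_RE.finditer(cfg)}


def parse_std_acls(cfg):
    """Standard ACL name -> list of permitted networks (host entries become /32)."""
    acls = {}
    for m in ACL_RE.finditer(cfg):
        name, host, net, mask = m.groups()
        acls.setdefault(name, []).append(_net(host) if host else _net(net, mask))
    return acls


def parse_objects(cfg):
    """'object network' name -> the subnet or host it defines."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        m_obj = re.match(r"object network (\S+)", line)
        m_sub = re.match(r" +subnet (\S+) (\S+)", line)
        m_host = re.match(r" +host (\S+)", line)
        if m_obj:
            cur = m_obj.group(1)
        elif cur and m_sub:
            objs[cur] = _net(m_sub.group(1), m_sub.group(2))
        elif cur and m_host:
            objs[cur] = _net(m_host.group(1))
        elif not line.startswith(" "):
            cur = None  # any other top-level line ends the object block
    return objs


def parse_group_policies(cfg):
    """group-policy name -> {'policy': split-tunnel-policy, 'acl': network-list}; absent keys mean ASA defaults."""
    gps, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            cur = m.group(1)
            gps.setdefault(cur, {})
        elif cur and line.startswith(" "):
            m = re.match(r" +split-tunnel-policy (\S+)", line)
            if m:
                gps[cur]["policy"] = m.group(1)
            m = re.match(r" +split-tunnel-network-list value (\S+)", line)
            if m:
                gps[cur]["acl"] = m.group(1)
        else:
            cur = None
    return gps


def parse_nat_exemptions(cfg, objs):
    """(real source net, real destination net) for twice-NAT rules whose mapped objects equal
    the real ones, i.e. identity NAT / NAT exemption."""
    pairs = []
    for m in NAT_RE.finditer(cfg):
        _ingress, _egress, real_src, map_src, real_dst, map_dst = m.groups()
        if real_src == map_src and real_dst == map_dst and real_src in objs and real_dst in objs:
            pairs.append((objs[real_src], objs[real_dst]))
    return pairs


def check_split_tunnel(cfg, pool_name, group_policy):
    """Return a list of findings; an empty list means the split-tunnel setup is consistent."""
    pool = parse_pools(cfg)[pool_name]
    gp = parse_group_policies(cfg).get(group_policy, {})
    acls = parse_std_acls(cfg)
    exemptions = parse_nat_exemptions(cfg, parse_objects(cfg))
    findings = []

    policy = gp.get("policy", "tunnelall")  # assumption: tunnelall is the ASA default
    if policy == "tunnelall":
        findings.append(f"{group_policy}: split-tunnel-policy is tunnelall; all client traffic, Internet included, goes through the ASA")
        return findings
    if policy != "tunnelspecified":
        findings.append(f"{group_policy}: split-tunnel-policy is {policy}; this check only handles tunnelspecified")
        return findings
    acl = gp.get("acl")
    if acl not in acls:
        findings.append(f"{group_policy}: split-tunnel-network-list {acl!r} is missing or has no permit entries")
        return findings

    for net in acls[acl]:
        if net.overlaps(pool):
            continue  # the pool itself (client-to-client), not an inside resource
        exempted = any(net.subnet_of(src) and pool.subnet_of(dst) for src, dst in exemptions)
        if not exempted:
            findings.append(f"{group_policy}: {net} is tunnelled via ACL {acl} but has no NAT exemption to pool {pool}; "
                            "the VPN will connect but traffic to it will fail")
    return findings


if __name__ == "__main__":
    problems = check_split_tunnel(ASA_CONFIG, "vpnpool", "clientgroup")
    print("\n".join(problems) if problems else "OK: every split-tunnel network is NAT-exempted to the pool")
```

Feed it the output of "show running-config" (the NAT section is enough, together with the pool, ACL and group-policy lines). Deleting the nat line from the sample reproduces the failure described above as a finding for 192.168.1.0/24, and changing the policy to tunnelall reports that the client's Internet traffic would now traverse the ASA.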


On the client, “tracert 192.168.1.2” shows the reply coming directly from the host through the tunnel, whereas “tracert 10.0.30.1” shows the path going out via the client's own Internet connection. This is split tunneling in action: only destinations matched by the REMOTE ACL are routed into the tunnel.
Tips
·      > The access-list is what makes this a split tunnel: only the networks listed in REMOTE are routed through the VPN, and everything else stays on the client's own connection. The VPN itself also comes up without it, but then the default split-tunnel-policy (tunnelall) applies and all client traffic, Internet included, passes through the ASA.
·      > "same-security-traffic permit (intra-interface,inter-interface)" is not required in this VPN, because client traffic never has to leave again through the outside interface it arrived on; it is only needed when the ASA must hairpin VPN traffic (tunnel-all designs, or VPN client-to-client communication).
·      > The NAT exemption must cover every network listed in the split-tunnel ACL; a network that is tunnelled but not exempted shows exactly the "connected but cannot ping" symptom above. Appending no-proxy-arp route-lookup to the identity NAT rule is the usual recommendation, so the ASA neither proxy-ARPs for the VPN pool addresses nor bypasses the routing table when choosing the egress interface.
·      > The local username/password above is for the lab only; in production use a strong password or, better, authenticate the tunnel-group against an external AAA server (RADIUS/LDAP).
·      > Make sure not to copy the commands directly from the webpage into the firewall. First copy the commands into Notepad, read each command, and then type it manually on the firewall.


Note: I personally configured and tested this lab and it is working; the ASA version is 9.5(2).
-------------------------------------------------The END----------------------------------------------------------
