SSL VPN on ASA 5520
jude56g
Member Posts: 107
I have an ASA 5520 I plan to use for SSL VPN connections.
My plan is to have the trusted side of the FW trunk into a Cat3750s. There will be 2 vlans defined on the ASA, vlan 100 & vlan 200 on sub-interface g0/1.100 & g0/1.200.
Users will have a drop-down option when connecting to the VPN to connect to 1 of the 2 vlans. Once connected, users will be issued an IP in the appropriate vlan. My question is how do I route client traffic to the correct sub-interface?
I have got this semi-working with 1 VPN defined, users get the IP but I'm not sure how to route their traffic to the correct vlan. Also, the syntax for static routing is a little confusing. Any ideas?
//
ASA Version 8.4(3)
!
hostname LAB-ASA-5520
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.138 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.100
vlan 100
nameif inside-vlan-100
security-level 100
no ip address
!
interface GigabitEthernet0/1.200
vlan 200
nameif inside-vlan-200
security-level 100
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone GMT 0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside-vlan-100 1500
ip local pool pool-1 192.168.1.200-192.168.1.250 mask 255.255.255.0
ip local pool pool-trunk 192.168.50.50-192.168.50.60 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 x.x.x.137 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_security-cam internal
group-policy GroupPolicy_security-cam attributes
banner value Welcome to the Security Camera Network
wins-server none
dns-server value 192.168.1.1
vpn-tunnel-protocol ssl-client
default-domain value sec.cam.net
group-policy GroupPolicy_trunk-test internal
group-policy GroupPolicy_trunk-test attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value trunk-test
tunnel-group security-cam type remote-access
tunnel-group security-cam general-attributes
address-pool pool-1
default-group-policy GroupPolicy_security-cam
tunnel-group security-cam webvpn-attributes
group-alias security-cam enable
tunnel-group trunk-test type remote-access
tunnel-group trunk-test general-attributes
address-pool pool-trunk
default-group-policy GroupPolicy_trunk-test
tunnel-group trunk-test webvpn-attributes
group-alias trunk-test enable
!
class-map inspection_default
match default-inspection-traffic
class-map default
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:247a1b5a9b74a08f8d49c4523a1018c9
: end
LAB-ASA-5520#
Comments
aaron0011 Member Posts: 330
The ACL used to define tunneled networks, which is specified in your group policy, determines your secured routes for VPN clients. Create two policies, each with a separate ACL for tunneled networks matching your VLANs. You'll need corresponding pools as well.
This document uses IPsec in the example but it works the same way with SSL.
PIX/ASA: Multiple VPN Group Clients to use Different VLANs after Connecting to a Security Appliance Configuration Example - Cisco Systems

jude56g Member Posts: 107
Thanks for the link! Would this apply to my scenario where I'm not terminating the vlan on the ASA's sub-interface (that is, no IP address on the sub-int)?

aaron0011 Member Posts: 330
You will need IP addresses on the inside sub-interfaces that correspond with the VLAN ranges.
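Putting aaron0011's two answers together (a per-group-policy ACL for tunneled networks with a matching pool, and an IP address on each inside sub-interface), the following is an added example configuration for the posted 8.4(3) lab; it is not part of the thread and not taken from the Cisco document linked above. The interface, group-policy and tunnel-group names are the poster's; the VLAN subnets, the ASA's sub-interface addresses, the pool ranges and the ACL names are assumptions. It goes one step beyond the thread by adding a `vpn-filter` and `group-lock` per policy, because the split-tunnel ACL only tells the client which prefixes to send into the tunnel and does not stop a client from reaching the other VLAN.

```cisco
! Added example, not the poster's running config. Assumed addressing:
!   VLAN 100 = 192.168.1.0/24 (ASA 192.168.1.254), VLAN 200 = 192.168.2.0/24 (ASA 192.168.2.254)
!   client pools 192.168.101.0/24 (security-cam) and 192.168.102.0/24 (trunk-test)
!
! 1. Bring up the trunk parent and give each sub-interface an address in its VLAN.
!    The ASA forwards client traffic to a VLAN only if it has a route to that VLAN,
!    and with the address in place that route is the connected route; no static route
!    is needed on the ASA for the inside side.
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside-vlan-100
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif inside-vlan-200
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
! 2. One pool per tunnel group. New names are used so the pools can be created while
!    the old ones are still referenced. The pools sit outside the VLAN subnets so the
!    return path is plain routing rather than the ASA answering ARP for client
!    addresses on the VLAN.
ip local pool pool-cam 192.168.101.10-192.168.101.100 mask 255.255.255.0
ip local pool pool-trunk2 192.168.102.10-192.168.102.100 mask 255.255.255.0
!
! 3. Tunneled-network (split-tunnel) ACLs: the prefixes each client routes into the tunnel.
access-list SPLIT-CAM standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TRUNK standard permit 192.168.2.0 255.255.255.0
!
! 4. vpn-filter ACLs: what the ASA itself will forward for each group. Written from the
!    client's side (source = pool, destination = VLAN); the ASA applies the reverse too.
access-list VPNF-CAM extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPNF-TRUNK extended permit ip 192.168.102.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! 5. Attach to the existing group policies. group-lock rejects a user whose policy does
!    not match the tunnel group chosen in the AnyConnect drop-down.
group-policy GroupPolicy_security-cam attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-CAM
 vpn-filter value VPNF-CAM
 group-lock value security-cam
!
group-policy GroupPolicy_trunk-test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TRUNK
 vpn-filter value VPNF-TRUNK
 group-lock value trunk-test
!
tunnel-group security-cam general-attributes
 address-pool pool-cam
!
tunnel-group trunk-test general-attributes
 address-pool pool-trunk2
!
! 6. Return path. If hosts in each VLAN use the ASA sub-interface as their default
!    gateway, nothing more is needed. If the Cat3750 is the layer-3 gateway for the
!    VLANs instead, add on the switch:
!      ip route 192.168.101.0 255.255.255.0 192.168.1.254
!      ip route 192.168.102.0 255.255.255.0 192.168.2.254
!
! 7. NAT. The posted config has no nat statements, so on 8.4 nothing is translated and
!    nothing is required. If a dynamic PAT for inside-to-outside is added later, exempt
!    the VPN traffic with twice NAT (8.3+ syntax), one rule per VLAN/pool pair:
!      object network VLAN100-NET
!       subnet 192.168.1.0 255.255.255.0
!      object network POOL-CAM-NET
!       subnet 192.168.101.0 255.255.255.0
!      nat (inside-vlan-100,outside) source static VLAN100-NET VLAN100-NET destination static POOL-CAM-NET POOL-CAM-NET no-proxy-arp route-lookup
!
! 8. Checks after a client connects:
!      show route                       (C routes for both VLANs; a /32 per client via outside)
!      show vpn-sessiondb anyconnect    (pool address and filter applied to the session)
!      packet-tracer input inside-vlan-100 icmp 192.168.1.10 8 0 192.168.101.10
```

Two notes on the posted config that are outside the routing question. First, `http 0.0.0.0 0.0.0.0 outside` allows ASDM/HTTPS management from any source on the outside interface; restrict it to the management prefix you actually use. Second, because `sysopt connection permit-vpn` is on by default, decrypted VPN traffic bypasses the interface ACLs, which is why the per-policy `vpn-filter` above is the place to enforce which VLAN each group may reach.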