=====Cisco ASA AnyConnect with AD Authentication=====
{{tag>Cisco ASA}}
!
! Addresses handed to AnyConnect clients. The same range is declared below as
! OBJ-Company1-SSLVPN so it can be referenced by the NAT exemptions and ACLs.
ip local pool ADR-POOL-Company1 192.168.2.1-192.168.2.254
!
! Outside (Internet) interface - AnyConnect terminates here (see webvpn section).
interface GigabitEthernet0/0
 description Provider Internet
 nameif INT-Provider-OUT
 security-level 0
 ip address 50.60.70.80 255.255.255.0
! Company1 inside segment; the domain controllers (192.168.1.11/.12) live here.
interface GigabitEthernet0/1
 description Company1
 nameif INT-Company1-INS
 security-level 50
 ip address 192.168.1.1 255.255.255.0
! Provider's own inside segment; not referenced by any rule on this page.
interface GigabitEthernet0/3
 description Provider
 nameif INT-Provider-INS
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
! Lets traffic enter and leave INT-Provider-OUT on the same interface, which the
! AnyConnect <-> site-to-site hairpin (OUT,OUT NAT rules below) depends on.
same-security-traffic permit intra-interface
!
object network OBJ-Company1-Inside
 subnet 192.168.1.0 255.255.255.0
! AnyConnect client pool (matches ADR-POOL-Company1).
object network OBJ-Company1-SSLVPN
 subnet 192.168.2.0 255.255.255.0
! Remote networks behind the two site-to-site peers.
object network OBJ-Company1-RemoteVPN1
 subnet 192.168.11.0 255.255.255.0
object network OBJ-Company1-RemoteVPN2
 subnet 192.168.12.0 255.255.255.0
!
! Presumably the crypto (interesting-traffic) ACLs for the two site-to-site
! tunnels - the crypto map that binds them is not on this page. Both the inside
! subnet and the AnyConnect pool are carried over each tunnel.
access-list ACL-L2LVPN-Company1-RemoteVPN1 extended permit object OBJ-Company1-Inside object OBJ-Company1-RemoteVPN1
access-list ACL-L2LVPN-Company1-RemoteVPN1 extended permit object OBJ-Company1-SSLVPN object OBJ-Company1-RemoteVPN1
access-list ACL-L2LVPN-Company1-RemoteVPN2 extended permit object OBJ-Company1-Inside object OBJ-Company1-RemoteVPN2
access-list ACL-L2LVPN-Company1-RemoteVPN2 extended permit object OBJ-Company1-SSLVPN object OBJ-Company1-RemoteVPN2
!
! Split-tunnel lists, one per AD group / group-policy: GRP0 reaches only the
! inside subnet, GRP1 additionally RemoteVPN1, GRP2 additionally RemoteVPN2.
! These lists are pushed to the client and enforced there, not on the ASA.
! NOTE(review): ASA standard ACLs are documented with host / network-mask
! arguments rather than "object" - verify these lines parse on the target
! release before pasting.
access-list ACL-SSLVPN-Company1-GRP0 standard permit object OBJ-Company1-Inside
access-list ACL-SSLVPN-Company1-GRP1 standard permit object OBJ-Company1-Inside
access-list ACL-SSLVPN-Company1-GRP1 standard permit object OBJ-Company1-RemoteVPN1
access-list ACL-SSLVPN-Company1-GRP2 standard permit object OBJ-Company1-Inside
access-list ACL-SSLVPN-Company1-GRP2 standard permit object OBJ-Company1-RemoteVPN2
!
! Identity ("no-NAT") rules so VPN traffic keeps its real addresses. Because
! there is no route-lookup keyword, the egress interface comes from the rule
! itself (INT-Provider-OUT), which is where both the AnyConnect sessions and,
! presumably, the site-to-site tunnels terminate.
!
! Inside <-> site-to-site remote networks.
nat (INT-Company1-INS,INT-Provider-OUT) source static OBJ-Company1-Inside OBJ-Company1-Inside destination static OBJ-Company1-RemoteVPN1 OBJ-Company1-RemoteVPN1
nat (INT-Company1-INS,INT-Provider-OUT) source static OBJ-Company1-Inside OBJ-Company1-Inside destination static OBJ-Company1-RemoteVPN2 OBJ-Company1-RemoteVPN2
! Inside <-> AnyConnect clients.
nat (INT-Company1-INS,INT-Provider-OUT) source static OBJ-Company1-Inside OBJ-Company1-Inside destination static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN
! AnyConnect clients <-> RemoteVPN1, both directions. Traffic enters and leaves
! on INT-Provider-OUT, hence the (OUT,OUT) pair and the intra-interface permit.
nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN destination static OBJ-Company1-RemoteVPN1 OBJ-Company1-RemoteVPN1
!
nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-RemoteVPN1 OBJ-Company1-RemoteVPN1 destination static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN
! AnyConnect clients <-> RemoteVPN2, both directions.
nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN destination static OBJ-Company1-RemoteVPN2 OBJ-Company1-RemoteVPN2
!
nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-RemoteVPN2 OBJ-Company1-RemoteVPN2 destination static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN
!
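! Maps the user's AD group membership (memberOf) onto the ASA group-policy of
! the same suffix, via the IETF-Radius-Class attribute.
! The memberOf string must match the DN exactly as the DC returns it. Note the
! "DC=Company1" capitalisation here differs from ldap-base-dn below; verify the
! returned DN form against the directory before relying on these mappings.
ldap attribute-map LDAP-MAP-Company1
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-USERS-GRP0,CN=Groups,DC=Company1,DC=com" GRP-POL-SSLVPN-Company1-GRP0
 map-value memberOf "CN=VPN-USERS-GRP1,CN=Groups,DC=Company1,DC=com" GRP-POL-SSLVPN-Company1-GRP1
 map-value memberOf "CN=VPN-USERS-GRP2,CN=Groups,DC=Company1,DC=com" GRP-POL-SSLVPN-Company1-GRP2
!
! LDAP server group with two domain controllers, tried in the order listed.
! ldap-login-dn is a single-value setting: the original entered it twice (DN
! form, then UPN form) and only the last one survives on the device, so the
! duplicate is removed here. AD accepts either the UPN kept below or the full
! DN CN=SSLVPN-SERVICE,OU=ServiceUsers,DC=Company1,DC=com - use one.
! SERVICEPASSWORD is a placeholder for the service account's password.
!
! Without ldap-over-ssl the service-account bind and every VPN user's password
! cross the inside segment as cleartext LDAP simple binds. If the DCs serve
! LDAPS, add "ldap-over-ssl enable" and "server-port 636" to both host entries.
aaa-server AAA-SRV-LDAP-Company1 protocol ldap
aaa-server AAA-SRV-LDAP-Company1 (INT-Company1-INS) host 192.168.1.11
 ldap-base-dn DC=company1,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password SERVICEPASSWORD
 ldap-login-dn sslvpn-service@company1.com
 server-type microsoft
 ldap-attribute-map LDAP-MAP-Company1
aaa-server AAA-SRV-LDAP-Company1 (INT-Company1-INS) host 192.168.1.12
 ldap-base-dn DC=company1,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password SERVICEPASSWORD
 ldap-login-dn sslvpn-service@company1.com
 server-type microsoft
 ldap-attribute-map LDAP-MAP-Company1
!
! Identity certificate the ASA presents to AnyConnect clients on the outside
! interface. The CRL and trustpool sub-modes are entered but left at defaults.
crypto ca trustpoint TP-vpn.provider.com-2015-01-01
 keypair KP-vpn.provider.com-2015-01-01
 crl configure
crypto ca trustpool policy
! Serial 111111 is the identity certificate; 222222 is presumably the issuing
! CA's certificate, which the ASA normally stores as "certificate ca <serial>" -
! confirm the chain was imported intact. The hex bodies are placeholders.
crypto ca certificate chain TP-vpn.provider.com-2015-01-01
 certificate 111111
  12345678 12345678 12345678 12345678 12345678 12345678 12345678 12345678
 certificate 222222
  12345678 12345678 12345678 12345678 12345678 12345678 12345678 12345678
ssl trust-point TP-vpn.provider.com-2015-01-01 INT-Provider-OUT
!
! AnyConnect is enabled on the outside interface only. Client packages are
! offered in the listed order; tunnel-group-list exposes the group-alias
! chooser on the portal.
webvpn
 enable INT-Provider-OUT
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.07021-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.07021-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-3.1.07021-k9.pkg 4
 anyconnect enable
 tunnel-group-list enable
!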
! One group-policy per AD group. All three share the pool, DNS servers and
! default domain; they differ only in the split-tunnel list (see the
! ACL-SSLVPN-* lists) and, for GRP2, a longer idle timeout.
! The split-tunnel list is enforced by the client; the ASA applies no
! per-group filter of its own. Add a vpn-filter ACL to each policy if
! server-side enforcement of what a group may reach is wanted.
group-policy GRP-POL-SSLVPN-Company1-GRP0 internal
group-policy GRP-POL-SSLVPN-Company1-GRP0 attributes
 dns-server value 192.168.1.11 192.168.1.12
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SSLVPN-Company1-GRP0
 default-domain value Company1.com
 address-pools value ADR-POOL-Company1
group-policy GRP-POL-SSLVPN-Company1-GRP1 internal
group-policy GRP-POL-SSLVPN-Company1-GRP1 attributes
 dns-server value 192.168.1.11 192.168.1.12
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SSLVPN-Company1-GRP1
 default-domain value Company1.com
 address-pools value ADR-POOL-Company1
group-policy GRP-POL-SSLVPN-Company1-GRP2 internal
group-policy GRP-POL-SSLVPN-Company1-GRP2 attributes
 dns-server value 192.168.1.11 192.168.1.12
 vpn-idle-timeout 60
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SSLVPN-Company1-GRP2
 default-domain value Company1.com
 address-pools value ADR-POOL-Company1
!
! Single remote-access tunnel-group; users authenticate against AD via the
! LDAP server group and land in the group-policy selected by LDAP-MAP-Company1.
tunnel-group TUN-GRP-SSLVPN-Company1 type remote-access
tunnel-group TUN-GRP-SSLVPN-Company1 general-attributes
 authentication-server-group AAA-SRV-LDAP-Company1
 ! default-group-policy can be removed to require membership in an AD security group
 ! As configured, any AD account that authenticates but matches none of the
 ! map-value entries still gets GRP0 (inside-subnet access). To deny such
 ! users instead, either drop this line as noted above or point it at a
 ! fallback policy configured with "vpn-simultaneous-logins 0".
 default-group-policy GRP-POL-SSLVPN-Company1-GRP0
tunnel-group TUN-GRP-SSLVPN-Company1 webvpn-attributes
 group-alias Company1 enable
 group-url https://vpn.provider.com/Company1 enable