! Address pool handed to AnyConnect clients of Company1 (referenced by the
! GRP-POL-SSLVPN-Company1-* group policies via "address-pools value").
! It must stay inside OBJ-Company1-SSLVPN (192.168.2.0/24): the identity-NAT and
! L2L crypto ACLs below match on that object, not on the pool itself.
ip local pool ADR-POOL-Company1 192.168.2.1-192.168.2.254
!
! Internet-facing interface: SSL VPN is enabled here (webvpn "enable INT-Provider-OUT")
! and the SSL trust-point is bound to this nameif. Lowest security level.
interface GigabitEthernet0/0
description Provider Internet
nameif INT-Provider-OUT
security-level 0
ip address 50.60.70.80 255.255.255.0
! Company1 LAN. The LDAP domain controllers (192.168.1.11 / .12) are reached
! through this interface (see the aaa-server host entries).
interface GigabitEthernet0/1
description Company1
nameif INT-Company1-INS
security-level 50
ip address 192.168.1.1 255.255.255.0
! Provider-internal segment; nothing in this excerpt references INT-Provider-INS.
interface GigabitEthernet0/3
description Provider
nameif INT-Provider-INS
security-level 100
ip address 172.16.1.1 255.255.255.0
!
! Allows traffic to enter and leave the same interface (hairpin). Required for
! the SSL VPN pool to reach the RemoteVPN1/RemoteVPN2 sites: both the AnyConnect
! clients and the L2L peers terminate on INT-Provider-OUT, which is why the
! (INT-Provider-OUT,INT-Provider-OUT) identity-NAT rules below exist.
same-security-traffic permit intra-interface
!
! Network objects shared by the L2L crypto ACLs, the split-tunnel ACLs and the
! NAT exemptions. Keep them in sync: a change here alters all three.
! Company1 LAN behind INT-Company1-INS.
object network OBJ-Company1-Inside
subnet 192.168.1.0 255.255.255.0
! AnyConnect client range; must cover ip local pool ADR-POOL-Company1.
object network OBJ-Company1-SSLVPN
subnet 192.168.2.0 255.255.255.0
! Remote sites reached over site-to-site VPN (the crypto map / L2L tunnel-groups
! that use these objects are not part of this excerpt).
object network OBJ-Company1-RemoteVPN1
subnet 192.168.11.0 255.255.255.0
object network OBJ-Company1-RemoteVPN2
subnet 192.168.12.0 255.255.255.0
!
! Interesting-traffic (crypto) ACLs for the two site-to-site tunnels. Each one
! admits both the Company1 LAN and the AnyConnect pool, so remote-access users
! can hairpin into the remote sites. The matching crypto map entries are not in
! this excerpt; the remote peer's crypto ACL must mirror these exactly or the
! SA will not negotiate for the SSLVPN range.
access-list ACL-L2LVPN-Company1-RemoteVPN1 extended permit object OBJ-Company1-Inside object OBJ-Company1-RemoteVPN1
access-list ACL-L2LVPN-Company1-RemoteVPN1 extended permit object OBJ-Company1-SSLVPN object OBJ-Company1-RemoteVPN1
access-list ACL-L2LVPN-Company1-RemoteVPN2 extended permit object OBJ-Company1-Inside object OBJ-Company1-RemoteVPN2
access-list ACL-L2LVPN-Company1-RemoteVPN2 extended permit object OBJ-Company1-SSLVPN object OBJ-Company1-RemoteVPN2
!
! Split-tunnel network lists, one per AD group (see the group policies below).
! GRP0 sees only the LAN; GRP1/GRP2 additionally get the matching remote site.
! These lists only steer which prefixes the client routes into the tunnel; they
! are not an enforcement ACL on the ASA (see the vpn-filter note on the group policies).
access-list ACL-SSLVPN-Company1-GRP0 standard permit object OBJ-Company1-Inside
access-list ACL-SSLVPN-Company1-GRP1 standard permit object OBJ-Company1-Inside
access-list ACL-SSLVPN-Company1-GRP1 standard permit object OBJ-Company1-RemoteVPN1
access-list ACL-SSLVPN-Company1-GRP2 standard permit object OBJ-Company1-Inside
access-list ACL-SSLVPN-Company1-GRP2 standard permit object OBJ-Company1-RemoteVPN2
!
! Identity (NAT-exempt) rules so VPN traffic is not translated by any dynamic PAT
! that may be configured for Internet access elsewhere in the config.
! LAN <-> remote sites and LAN <-> AnyConnect pool.
nat (INT-Company1-INS,INT-Provider-OUT) source static OBJ-Company1-Inside OBJ-Company1-Inside destination static OBJ-Company1-RemoteVPN1 OBJ-Company1-RemoteVPN1
nat (INT-Company1-INS,INT-Provider-OUT) source static OBJ-Company1-Inside OBJ-Company1-Inside destination static OBJ-Company1-RemoteVPN2 OBJ-Company1-RemoteVPN2
nat (INT-Company1-INS,INT-Provider-OUT) source static OBJ-Company1-Inside OBJ-Company1-Inside destination static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN
! AnyConnect pool <-> remote sites, hairpinned on INT-Provider-OUT (relies on
! "same-security-traffic permit intra-interface").
! A manual "source static ... destination static ..." rule is bidirectional, so
! the mirrored RemoteVPN->SSLVPN rules are redundant and are left commented out.
nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN destination static OBJ-Company1-RemoteVPN1 OBJ-Company1-RemoteVPN1
! nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-RemoteVPN1 OBJ-Company1-RemoteVPN1 destination static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN
nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN destination static OBJ-Company1-RemoteVPN2 OBJ-Company1-RemoteVPN2
! nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-RemoteVPN2 OBJ-Company1-RemoteVPN2 destination static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN
!
! Maps the user's AD memberOf values onto the RADIUS Class attribute, which the
! ASA reads as the group-policy name. The map-value target must match an
! existing group-policy name exactly; a typo silently falls back to the
! tunnel-group default-group-policy.
! NOTE(review): if a user is in more than one of these groups the result depends
! on which memberOf value the ASA evaluates first - confirm on the running
! device before relying on the GRP1/GRP2 split for access separation.
ldap attribute-map LDAP-MAP-Company1
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN-USERS-GRP0,CN=Groups,DC=Company1,DC=com" GRP-POL-SSLVPN-Company1-GRP0
map-value memberOf "CN=VPN-USERS-GRP1,CN=Groups,DC=Company1,DC=com" GRP-POL-SSLVPN-Company1-GRP1
map-value memberOf "CN=VPN-USERS-GRP2,CN=Groups,DC=Company1,DC=com" GRP-POL-SSLVPN-Company1-GRP2
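! LDAP (Active Directory) server group used by TUN-GRP-SSLVPN-Company1 for
! user authentication and, through LDAP-MAP-Company1, group-policy assignment.
! Fix: the original carried two "ldap-login-dn" lines per host (DN form and UPN
! form); only the last one entered is effective, so the bind identity was
! ambiguous. The UPN form (the one that was effective) is kept; the DN form is
! left commented out as the alternative.
! The bind credential (SERVICEPASSWORD is a placeholder) travels in clear text
! on the default LDAP port. To protect it enable LDAPS on each host once the
! domain controllers present a certificate:
!   ldap-over-ssl enable
!   server-port 636
! The bind account only needs read access to user objects and memberOf.
aaa-server AAA-SRV-LDAP-Company1 protocol ldap
! Primary domain controller, reached via INT-Company1-INS.
aaa-server AAA-SRV-LDAP-Company1 (INT-Company1-INS) host 192.168.1.11
ldap-base-dn DC=company1,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password SERVICEPASSWORD
! ldap-login-dn CN=SSLVPN-SERVICE,OU=ServiceUsers,DC=Company1,DC=com
ldap-login-dn sslvpn-service@company1.com
server-type microsoft
ldap-attribute-map LDAP-MAP-Company1
! Secondary domain controller; same settings so fail-over is transparent.
aaa-server AAA-SRV-LDAP-Company1 (INT-Company1-INS) host 192.168.1.12
ldap-base-dn DC=company1,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password SERVICEPASSWORD
! ldap-login-dn CN=SSLVPN-SERVICE,OU=ServiceUsers,DC=Company1,DC=com
ldap-login-dn sslvpn-service@company1.com
server-type microsoft
ldap-attribute-map LDAP-MAP-Company1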
!
! Identity certificate presented to AnyConnect clients on INT-Provider-OUT.
! The trust-point name carries the issue date so a renewal can be staged under
! a new trust-point and swapped in with a single "ssl trust-point" change.
crypto ca trustpoint TP-vpn.provider.com-2015-01-01
keypair KP-vpn.provider.com-2015-01-01
! NOTE(review): "crl configure" is present but no revocation-check setting is
! visible in this excerpt - confirm what the device actually enforces.
crl configure
crypto ca trustpool policy
! Certificate bodies below are placeholders (serial 111111/222222, repeated
! 12345678); a real export contains the PEM-derived hex blob.
crypto ca certificate chain TP-vpn.provider.com-2015-01-01
certificate 111111
12345678 12345678 12345678 12345678 12345678 12345678 12345678 12345678
certificate 222222
12345678 12345678 12345678 12345678 12345678 12345678 12345678 12345678
! Bind the trust-point to the SSL VPN interface.
ssl trust-point TP-vpn.provider.com-2015-01-01 INT-Provider-OUT
!
! SSL VPN service on the Internet interface. Only AnyConnect (ssl-client) is
! used by the group policies below; clientless WebVPN is not configured here.
webvpn
enable INT-Provider-OUT
anyconnect-essentials
! Client packages pushed to users, one per platform; the trailing number is the
! order in which the ASA offers them, so the most common platform goes first.
! Client versions are pinned here - keep them current with vendor advisories.
anyconnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.07021-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-64-3.1.07021-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-3.1.07021-k9.pkg 4
anyconnect enable
! Shows the group-alias drop-down on the login page; the alias for Company1 is
! defined under the tunnel-group webvpn-attributes.
tunnel-group-list enable
!
! One group policy per AD group, selected through LDAP-MAP-Company1. They differ
! only in the split-tunnel list (and GRP2's idle timeout).
! NOTE(review): no vpn-filter is applied in any of these policies. With the ASA
! default "sysopt connection permit-vpn", decrypted VPN traffic bypasses the
! interface ACLs, so the split-tunnel list is the only thing limiting what a
! client sends - and the client decides what it routes. Confirm whether a
! vpn-filter is applied elsewhere if per-group segmentation is expected.
! GRP0: LAN only. Also the tunnel-group default for users with no group match.
group-policy GRP-POL-SSLVPN-Company1-GRP0 internal
group-policy GRP-POL-SSLVPN-Company1-GRP0 attributes
dns-server value 192.168.1.11 192.168.1.12
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-SSLVPN-Company1-GRP0
default-domain value Company1.com
address-pools value ADR-POOL-Company1
! GRP1: LAN + RemoteVPN1 site (hairpinned through the L2L tunnel).
group-policy GRP-POL-SSLVPN-Company1-GRP1 internal
group-policy GRP-POL-SSLVPN-Company1-GRP1 attributes
dns-server value 192.168.1.11 192.168.1.12
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-SSLVPN-Company1-GRP1
default-domain value Company1.com
address-pools value ADR-POOL-Company1
! GRP2: LAN + RemoteVPN2 site; longer idle timeout (60 min) than the others.
group-policy GRP-POL-SSLVPN-Company1-GRP2 internal
group-policy GRP-POL-SSLVPN-Company1-GRP2 attributes
dns-server value 192.168.1.11 192.168.1.12
vpn-idle-timeout 60
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-SSLVPN-Company1-GRP2
default-domain value Company1.com
address-pools value ADR-POOL-Company1
!
! Remote-access tunnel-group for Company1: authenticates against the LDAP group
! and falls back to GRP0 when the LDAP map yields no group policy.
tunnel-group TUN-GRP-SSLVPN-Company1 type remote-access
tunnel-group TUN-GRP-SSLVPN-Company1 general-attributes
authentication-server-group AAA-SRV-LDAP-Company1
! Applied to any authenticated user whose memberOf matches none of the
! map-value entries in LDAP-MAP-Company1.
! NOTE(review): removing default-group-policy does NOT require AD group
! membership - the ASA then falls back to DfltGrpPolicy, which still permits
! logins unless it has been restricted. The usual way to deny unmapped users is
! a dedicated "no access" group-policy with "vpn-simultaneous-logins 0" set as
! the default here. Confirm DfltGrpPolicy's state before changing this line.
default-group-policy GRP-POL-SSLVPN-Company1-GRP0
tunnel-group TUN-GRP-SSLVPN-Company1 webvpn-attributes
! Alias shown in the login drop-down (needs "tunnel-group-list enable") and the
! direct URL that selects this tunnel-group without the drop-down.
group-alias Company1 enable
group-url https://vpn.provider.com/Company1 enable