
Cisco ASA AnyConnect with AD Authentication

! Address pool handed out to AnyConnect clients. It lies inside OBJ-Company1-SSLVPN
! (192.168.2.0/24), which is what the L2L ACLs and NAT exemptions below refer to.
ip local pool ADR-POOL-Company1 192.168.2.1-192.168.2.254
!
! Interfaces. security-level 0 is the untrusted outside where the webvpn listener is
! enabled (see "webvpn" below); 100 is the most trusted side.
interface GigabitEthernet0/0
 description Provider Internet
 nameif INT-Provider-OUT
 security-level 0
 ! NOTE(review): presumably an example public address — replace with the real one
 ip address 50.60.70.80 255.255.255.0
interface GigabitEthernet0/1
 description Company1
 nameif INT-Company1-INS
 security-level 50
 ! The AD/LDAP servers 192.168.1.11 and .12 are reached through this interface
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/3
 description Provider
 nameif INT-Provider-INS
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
! Allow traffic to enter and leave the same interface. Needed for the
! (INT-Provider-OUT,INT-Provider-OUT) NAT rules below, which hairpin
! AnyConnect-client <-> remote-site traffic on the outside interface.
same-security-traffic permit intra-interface
!
! Network objects used by the ACLs and NAT rules below.
object network OBJ-Company1-Inside
 subnet 192.168.1.0 255.255.255.0
! Must contain the AnyConnect address pool ADR-POOL-Company1
object network OBJ-Company1-SSLVPN
 subnet 192.168.2.0 255.255.255.0
! Networks behind the two site-to-site (L2L) peers
object network OBJ-Company1-RemoteVPN1
 subnet 192.168.11.0 255.255.255.0
object network OBJ-Company1-RemoteVPN2
 subnet 192.168.12.0 255.255.255.0
!
! Interesting traffic for the two site-to-site tunnels: both the inside network and the
! AnyConnect pool reach each remote site. (Presumably referenced by crypto maps that are
! not shown on this page.)
access-list ACL-L2LVPN-Company1-RemoteVPN1 extended permit object OBJ-Company1-Inside object OBJ-Company1-RemoteVPN1
access-list ACL-L2LVPN-Company1-RemoteVPN1 extended permit object OBJ-Company1-SSLVPN object OBJ-Company1-RemoteVPN1
access-list ACL-L2LVPN-Company1-RemoteVPN2 extended permit object OBJ-Company1-Inside object OBJ-Company1-RemoteVPN2
access-list ACL-L2LVPN-Company1-RemoteVPN2 extended permit object OBJ-Company1-SSLVPN object OBJ-Company1-RemoteVPN2
!
! Split-tunnel network lists (standard ACLs), one per AD group, referenced by the
! group-policies below. GRP0 only reaches the inside network; GRP1 and GRP2 additionally
! reach one remote site each.
access-list ACL-SSLVPN-Company1-GRP0 standard permit object OBJ-Company1-Inside
access-list ACL-SSLVPN-Company1-GRP1 standard permit object OBJ-Company1-Inside
access-list ACL-SSLVPN-Company1-GRP1 standard permit object OBJ-Company1-RemoteVPN1
access-list ACL-SSLVPN-Company1-GRP2 standard permit object OBJ-Company1-Inside
access-list ACL-SSLVPN-Company1-GRP2 standard permit object OBJ-Company1-RemoteVPN2
!
! Identity (no-NAT) rules so VPN traffic keeps its private addresses.
! Inside -> remote sites, and inside -> AnyConnect pool:
nat (INT-Company1-INS,INT-Provider-OUT) source static OBJ-Company1-Inside OBJ-Company1-Inside destination static OBJ-Company1-RemoteVPN1 OBJ-Company1-RemoteVPN1
nat (INT-Company1-INS,INT-Provider-OUT) source static OBJ-Company1-Inside OBJ-Company1-Inside destination static OBJ-Company1-RemoteVPN2 OBJ-Company1-RemoteVPN2
nat (INT-Company1-INS,INT-Provider-OUT) source static OBJ-Company1-Inside OBJ-Company1-Inside destination static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN
! AnyConnect pool -> remote sites, hairpinned on the outside interface (requires the
! "same-security-traffic permit intra-interface" above). The mirrored rules are left
! commented out; "source static" twice NAT is bidirectional, so they are presumably
! redundant — verify with packet-tracer before relying on that.
nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN destination static OBJ-Company1-RemoteVPN1 OBJ-Company1-RemoteVPN1
! nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-RemoteVPN1 OBJ-Company1-RemoteVPN1 destination static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN
nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN destination static OBJ-Company1-RemoteVPN2 OBJ-Company1-RemoteVPN2
! nat (INT-Provider-OUT,INT-Provider-OUT) source static OBJ-Company1-RemoteVPN2 OBJ-Company1-RemoteVPN2 destination static OBJ-Company1-SSLVPN OBJ-Company1-SSLVPN
!
! Map AD group membership to a group-policy: the user's memberOf values are presented
! as IETF-Radius-Class, and each listed group DN selects the named policy. The policy
! names must match the group-policy definitions further down.
ldap attribute-map LDAP-MAP-Company1
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN-USERS-GRP0,CN=Groups,DC=Company1,DC=com" GRP-POL-SSLVPN-Company1-GRP0
  map-value memberOf "CN=VPN-USERS-GRP1,CN=Groups,DC=Company1,DC=com" GRP-POL-SSLVPN-Company1-GRP1
  map-value memberOf "CN=VPN-USERS-GRP2,CN=Groups,DC=Company1,DC=com" GRP-POL-SSLVPN-Company1-GRP2
! AD authentication via LDAP against two domain controllers (presumably tried in the
! listed order). The bind account only needs read access to user objects; its password
! is stored in this config, so use a dedicated least-privilege service account.
! NOTE(review): there is no "ldap-over-ssl enable" / "server-port 636" here, so the
! bind and every user's password travel as cleartext LDAP (389) between the ASA and the
! DCs. Confirm that is acceptable on INT-Company1-INS, or enable LDAPS; DCs that enforce
! LDAP signing will also reject these simple binds.
aaa-server AAA-SRV-LDAP-Company1 protocol ldap
aaa-server AAA-SRV-LDAP-Company1 (INT-Company1-INS) host 192.168.1.11
 ldap-base-dn DC=company1,DC=com
 ldap-scope subtree
 ! Users log in with their short AD username
 ldap-naming-attribute sAMAccountName
 ! SERVICEPASSWORD is a placeholder for the bind account's password
 ldap-login-password SERVICEPASSWORD
 ! Two forms of the bind identity are shown (DN and UPN); keep only one. The setting
 ! is single-valued, so the second line replaces the first.
 ldap-login-dn CN=SSLVPN-SERVICE,OU=ServiceUsers,DC=Company1,DC=com
 ldap-login-dn sslvpn-service@company1.com
 server-type microsoft
 ldap-attribute-map LDAP-MAP-Company1
! Second DC, same settings.
aaa-server AAA-SRV-LDAP-Company1 (INT-Company1-INS) host 192.168.1.12
 ldap-base-dn DC=company1,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password SERVICEPASSWORD
 ! Same duplicate as above — keep only one ldap-login-dn
 ldap-login-dn CN=SSLVPN-SERVICE,OU=ServiceUsers,DC=Company1,DC=com
 ldap-login-dn sslvpn-service@company1.com
 server-type microsoft
 ldap-attribute-map LDAP-MAP-Company1
!
! Identity certificate and chain for the SSL/TLS listener. The certificate bodies and
! serial numbers below are placeholders.
crypto ca trustpoint TP-vpn.provider.com-2015-01-01
 keypair KP-vpn.provider.com-2015-01-01
 crl configure
crypto ca trustpool policy
crypto ca certificate chain TP-vpn.provider.com-2015-01-01
 certificate 111111
    12345678 12345678 12345678 12345678 12345678 12345678 12345678 12345678
 certificate 222222
    12345678 12345678 12345678 12345678 12345678 12345678 12345678 12345678
! Present this trustpoint's certificate on the outside interface. Its subject/SAN should
! cover vpn.provider.com, the host used in the group-url below, or clients will get a
! certificate warning — confirm when the real certificate is installed.
ssl trust-point TP-vpn.provider.com-2015-01-01 INT-Provider-OUT
!
! AnyConnect SSL VPN listener on the outside interface.
webvpn
 enable INT-Provider-OUT
 ! AnyConnect Essentials licence mode
 anyconnect-essentials
 ! Client packages per OS, one per line; the trailing number is presumably the order
 ! in which the headend offers them to a connecting client
 anyconnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.07021-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.07021-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-3.1.07021-k9.pkg 4
 anyconnect enable
 ! Show the connection-profile (group-alias) drop-down to clients
 tunnel-group-list enable
!
! Per-AD-group policies, selected per user by LDAP-MAP-Company1. They are identical
! apart from the split-tunnel list (and GRP2's longer idle timeout).
group-policy GRP-POL-SSLVPN-Company1-GRP0 internal
group-policy GRP-POL-SSLVPN-Company1-GRP0 attributes
 dns-server value 192.168.1.11 192.168.1.12
 ! minutes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
 ! Only the networks in the referenced ACL go through the tunnel; all other client
 ! traffic stays local
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SSLVPN-Company1-GRP0
 default-domain value Company1.com
 address-pools value ADR-POOL-Company1
group-policy GRP-POL-SSLVPN-Company1-GRP1 internal
group-policy GRP-POL-SSLVPN-Company1-GRP1 attributes
 dns-server value 192.168.1.11 192.168.1.12
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 ! Inside + RemoteVPN1
 split-tunnel-network-list value ACL-SSLVPN-Company1-GRP1
 default-domain value Company1.com
 address-pools value ADR-POOL-Company1
group-policy GRP-POL-SSLVPN-Company1-GRP2 internal
group-policy GRP-POL-SSLVPN-Company1-GRP2 attributes
 dns-server value 192.168.1.11 192.168.1.12
 ! Longer idle timeout than GRP0/GRP1
 vpn-idle-timeout 60
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 ! Inside + RemoteVPN2
 split-tunnel-network-list value ACL-SSLVPN-Company1-GRP2
 default-domain value Company1.com
 address-pools value ADR-POOL-Company1
!
! Connection profile used by AnyConnect clients (selected via the group-alias or
! group-url below).
tunnel-group TUN-GRP-SSLVPN-Company1 type remote-access
tunnel-group TUN-GRP-SSLVPN-Company1 general-attributes
 ! Authenticate against AD; the attribute map then picks the user's group-policy
 authentication-server-group AAA-SRV-LDAP-Company1
 ! default-group-policy can be removed to require membership in an AD security group
 ! NOTE(review): without it the ASA falls back to DfltGrpPolicy rather than denying
 ! the login, so users in none of the mapped groups still connect unless that fallback
 ! policy itself denies access (e.g. vpn-simultaneous-logins 0) — confirm on the
 ! target ASA version.
 default-group-policy GRP-POL-SSLVPN-Company1-GRP0
tunnel-group TUN-GRP-SSLVPN-Company1 webvpn-attributes
 ! Name shown in the client drop-down, and a URL that selects this profile directly
 group-alias Company1 enable
 group-url https://vpn.provider.com/Company1 enable
 