Skip to content

azghari-med/Lab-AnyConnect-SSL-VPN-SecureAccess-Financial-Remote-Work-Solution

Repository files navigation

Lab: AnyConnect SSL VPN — SecureAccess Financial Remote Work Solution

Platform: Cisco ASA | AnyConnect SSL VPN | Split Tunneling | Local AAA | ASDM

🏦 Scenario

Company: SecureAccess Financial Services Situation: SecureAccess Financial has employees working from home. They need secure remote access to internal servers — file server, web application, and database — from their laptops at home.

The security team requires:

  • Remote employees authenticate with username and password
  • All traffic to internal resources encrypted
  • Internet traffic NOT through the VPN (split tunneling)
  • Remote employees get IPs from a dedicated VPN pool
  • ASA managed via ASDM from internal network

Your job: Deploy Cisco AnyConnect SSL VPN on ASA to give remote employees secure encrypted access to internal resources.

✅ STATUS: COMPLETED AND WORKING Remote client connected, assigned VPN IP 192.168.200.10, authenticated with local credentials, full access to DMZ servers.

---

🗺️ Topology Diagram

╔══════════════════════════════════════════════════════════════╗
║              ENGINEER PHYSICAL PC                            ║
║   VMnet1: 192.168.81.x   ← ASDM management                   ║
║   VMnet2: 192.168.91.204 ← AnyConnect client (remote user)   ║
║                                                              ║
║   Browser → https://192.168.91.11 → AnyConnect portal        ║
║   Download client → connect → get 192.168.200.10             ║
╚══════════════════════════════════════════════════════════════╝
         |                        |
     \[Cloud-VMnet1]          \[Cloud-VMnet2]
     Management              Simulated Internet
         |                        |
     Eth1 INSIDE             Eth0 OUTSIDE
     192.168.81.11           192.168.91.11
          \[         ASA-GW          ]
               Eth2 DMZ
             192.168.10.1
                   |
            \[INT-SWITCH]
           /      |      \\
    \[FILE-SRV] \[WEB-SRV] \[DB-SRV]
   192.168.10.10 .20      .30

VPN Pool: 192.168.200.0/24
  Remote employees get IP from this pool
  (verified: client received 192.168.200.10 ✅)

---

📋 IP Addressing Table

Device Interface IP Address Purpose
ASA-GW Eth0 192.168.91.11/24 Outside (WAN/VPN)
ASA-GW Eth1 192.168.81.11/24 Inside (Management)
ASA-GW Eth2 192.168.10.1/24 DMZ (Servers)
FILE-SRV Eth0/0 192.168.10.10/24 File server
WEB-SRV Eth0/0 192.168.10.20/24 Web application
DB-SRV Eth0/0 192.168.10.30/24 Database server
Engineer PC VMnet1 192.168.81.50 ASDM management
Engineer PC VMnet2 192.168.91.204 AnyConnect client
VPN Pool 192.168.200.10-100 Remote employee IPs

---

🖥️ ASDM Access

URL Username Password
https://192.168.81.11 admin Admin@123

🔐 AnyConnect Portal Access

URL Users Password
https://192.168.91.11 employee1/2/3 Emp@2024

---

⚙️ PNetLab Build Steps

Step 1 — Add devices:
  1x Cisco ASAv (minimum 2048 MB RAM)
  1x Ethernet Switch (INT-SWITCH)
  3x Cisco IOSv Router (FILE-SRV, WEB-SRV, DB-SRV)
  2x Cloud nodes (Cloud-VMnet1, Cloud-VMnet2)

Step 2 — Connect cables:
  OUTSIDE:  ASA Eth0 ──► Cloud-VMnet2 (VMnet2 adapter)
  INSIDE:   ASA Eth1 ──► Cloud-VMnet1 (VMnet1 adapter)
  DMZ:      ASA Eth2 ──► INT-SWITCH
  INT-SWITCH ──► FILE-SRV / WEB-SRV / DB-SRV

Step 3 — Configure Cloud nodes:
  Cloud-VMnet1 → select VMnet1 adapter
  Cloud-VMnet2 → select VMnet2 adapter
  CRITICAL: each cloud uses a DIFFERENT adapter

Step 4 — Verify engineer PC VMnet IPs:
  ipconfig
  VMnet1 → 192.168.81.x ✅
  VMnet2 → 192.168.91.204 ✅

Step 5 — AnyConnect package already on ASA disk0:
  anyconnect-win-4.5.04029-webdeploy-k9.pkg ✅
  anyconnect-macos-4.5.04029-webdeploy-k9.pkg ✅
  anyconnect-linux64-4.5.04029-webdeploy-k9.pkg ✅

Step 6 — Follow tasks in order

---

⚙️ Server Devices Config

! FILE-SRV
hostname FILE-SRV
interface Ethernet0/0
 ip address 192.168.10.10 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1

! WEB-SRV
hostname WEB-SRV
interface Ethernet0/0
 ip address 192.168.10.20 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1

! DB-SRV
hostname DB-SRV
interface Ethernet0/0
 ip address 192.168.10.30 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1

---

🎯 Tasks

---

Task 1 — Configure ASA Basic Settings

hostname ASA-GW

! Outside — faces simulated internet (VMnet2)
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.91.11 255.255.255.0
 no shutdown

! Inside — management via VMnet1
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.81.11 255.255.255.0
 no shutdown

! DMZ — internal servers
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 no shutdown

! Default route toward simulated internet (engineer PC)
route outside 0.0.0.0 0.0.0.0 192.168.91.204

---

Task 2 — Configure ASDM Access

http server enable
http 192.168.81.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
username admin password Admin@123 privilege 15
aaa authentication http console LOCAL
ssh 192.168.81.0 255.255.255.0 inside
ssh version 2
crypto key generate rsa modulus 2048

---

Task 3 — Create VPN Users

username employee1 password Emp@2024 privilege 0
username employee2 password Emp@2024 privilege 0
username employee3 password Emp@2024 privilege 0
username vpnadmin  password VPN@2024 privilege 15

---

Task 4 — Configure NAT

object network VPN-POOL
 subnet 192.168.200.0 255.255.255.0
object network DMZ-SERVERS
 subnet 192.168.10.0 255.255.255.0

! VPN to DMZ — no translation
nat (outside,dmz) source static VPN-POOL VPN-POOL
                  destination static DMZ-SERVERS DMZ-SERVERS

! DMZ to internet — PAT
object network DMZ-INSIDE
 subnet 192.168.10.0 255.255.255.0
 nat (dmz,outside) dynamic interface

---

Task 5 — Generate SSL Certificate (CRITICAL!)

This step was the FIRST major blocker. Without an SSL certificate on the outside interface, the AnyConnect portal returns SSL handshake failed and never loads.

! Generate RSA key
crypto key generate rsa modulus 2048 noconfirm

! Create self-signed trustpoint
crypto ca trustpoint SSL-CERT
 enrollment self
 subject-name CN=192.168.91.11
 keypair SSL-CERT
 crl configure

! Enroll the certificate
crypto ca enroll SSL-CERT noconfirm

! Apply certificate to outside interface
ssl trust-point SSL-CERT outside

! Verify
show ssl
→ outside interface: SSL-CERT ✅

---

Task 6 — Force TLS for Modern Browsers (CRITICAL!)

This was the SECOND major blocker. The old ASA defaults to SSLv3 which modern browsers (Edge, Chrome, Firefox) reject with "connection reset" / INET_E_DOWNLOAD_FAILURE.

! Allow older TLS so portal loads in browser
ssl server-version tlsv1
ssl encryption des-sha1 3des-sha1 aes128-sha1 aes256-sha1 rc4-sha1

! In the browser, if it still blocks:
!   Firefox about:config → security.tls.version.min = 1
!   OR Edge → enable older TLS in settings

---

Task 7 — Upload and Enable AnyConnect Package

! Package already on disk0 — just reference it
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.5.04029-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.5.04029-webdeploy-k9.pkg 3
 anyconnect enable

! Verify
show webvpn anyconnect image
→ all 3 packages listed and active ✅

---

Task 8 — Configure VPN Pool and Group Policy

! VPN IP pool
ip local pool VPN-POOL 192.168.200.10-192.168.200.100
 mask 255.255.255.0

! Group policy with split tunnel
group-policy SECUREACCESS-POLICY internal
group-policy SECUREACCESS-POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
 dns-server value 8.8.8.8
 vpn-idle-timeout 30
 vpn-session-timeout 480

! Split tunnel ACL — only DMZ traffic through VPN
access-list SPLIT-ACL standard permit 192.168.10.0 255.255.255.0

---

Task 9 — Configure Tunnel Group with LOCAL Authentication (CRITICAL!)

This was the THIRD major blocker. The portal loaded and the client downloaded, but login looped asking for the password again. Cause: tunnel-group had no authentication-server-group, so it never checked the local user database.

tunnel-group SECUREACCESS-VPN type remote-access
tunnel-group SECUREACCESS-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy SECUREACCESS-POLICY
 authentication-server-group LOCAL        ← THE FIX ✅
tunnel-group SECUREACCESS-VPN webvpn-attributes
 group-alias SECUREACCESS-VPN enable
 group-url https://192.168.91.11/secureaccess enable

! Also set default group so any connection authenticates
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LOCAL
 default-group-policy SECUREACCESS-POLICY
 address-pool VPN-POOL

In ASDM the same fix is: Configuration → Remote Access VPN → Network (Client) Access → AnyConnect Connection Profiles → SECUREACCESS-VPN → Edit → Basic → Authentication → Method: AAA → Server Group: LOCAL

---

Task 10 — Enable AnyConnect SSL Access in ASDM (CRITICAL!)

FOURTH blocker. AnyConnect Connection Profiles must have SSL access enabled on the outside interface, otherwise the SSL client cannot launch.

In ASDM:
Configuration → Remote Access VPN
→ Network (Client) Access → AnyConnect Connection Profiles

Access Interfaces table:
  ✅ Enable Cisco AnyConnect VPN Client access
  outside → SSL Access → Allow Access ✅
  outside → Enable DTLS ✅
  ✅ Bypass interface access lists for inbound VPN sessions

Click Apply

---

Task 11 — Allow HTTPS on Outside Interface

access-list OUTSIDE-IN extended permit tcp any any eq 443
access-group OUTSIDE-IN in interface outside

---

Task 12 — Connect and Verify (SUCCESS!)

! Step 1 — Engineer PC browser (Firefox with TLS lowered)
https://192.168.91.11
→ Accept certificate warning → Advanced → Proceed
→ Portal loaded ✅

! Step 2 — Login
Username: employee1
Password: Emp@2024
→ Authenticated ✅

! Step 3 — Download AnyConnect client → install ✅

! Step 4 — Open AnyConnect client
Server: 192.168.91.11
→ Connect Anyway (untrusted cert)
Username: employee1
Password: Emp@2024
→ CONNECTED ✅

! Step 5 — Verify IP assignment
ipconfig
→ AnyConnect adapter: 192.168.200.10 ✅

! Step 6 — Verify on ASA
show vpn-sessiondb anyconnect
→ employee1 connected, IP 192.168.200.10 ✅

---

Task 13 — ⭐ Test Access to Internal Servers

! While connected:
ping 192.168.10.10  ← FILE-SRV ✅
ping 192.168.10.20  ← WEB-SRV  ✅
ping 192.168.10.30  ← DB-SRV   ✅

---

Task 14 — ⭐ Test Split Tunneling

tracert 192.168.10.10
→ through VPN (192.168.200.x gateway) ✅

tracert 8.8.8.8
→ direct from PC, bypasses VPN ✅

---

Task 15 — ⭐ Monitor and Disconnect

! Monitor in ASDM
Monitoring → VPN → VPN Statistics → Sessions
→ employee1 session, bytes Tx/Rx ✅

! Force disconnect a user
vpn-sessiondb logoff name employee1

---

✅ Final Verification Output

ASA-GW# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username     : employee1
Index        : 1
Assigned IP  : 192.168.200.10        ← VPN IP ✅
Protocol     : AnyConnect-Parent SSL-Tunnel
Encryption   : AES                   ← encrypted ✅
Bytes Tx     : 5240  Bytes Rx: 3120  ✅
Login Time   : UTC
Duration     : 0h:05m:10s

Engineer PC CMD:
ipconfig
  AnyConnect adapter: 192.168.200.10 ✅
ping 192.168.10.10
  !!!!! ✅

---

🐛 Troubleshooting Log — THE REAL JOURNEY

Blocker 1 — Portal Not Loading (SSL Handshake Failed)

Symptom : https://192.168.91.11 → connection reset
          show asp drop → ssl-handshake-failed counter rising
Cause    : No SSL certificate on outside interface
Fix      : Generated self-signed cert SSL-CERT
           ssl trust-point SSL-CERT outside
Lesson   : AnyConnect is SSL VPN — needs a cert on the
           interface before the portal can do HTTPS

Blocker 2 — Browser Connection Reset (INET_E_DOWNLOAD_FAILURE)

Symptom : Edge and Firefox both reset the connection
          even after cert applied
Cause    : Old ASA defaults to SSLv3; modern browsers
           refuse SSLv3 outright
Fix      : ssl server-version tlsv1
           Firefox about:config → security.tls.version.min = 1
Lesson   : Old ASA images and modern browsers disagree on
           TLS — lower the floor on both sides to connect

Blocker 3 — Login Loops Asking Password

Symptom : Portal loads, client downloads, but login keeps
          re-prompting for the password
Cause    : tunnel-group had no authentication-server-group
           so it never checked the local user database
Fix      : tunnel-group SECUREACCESS-VPN general-attributes
            authentication-server-group LOCAL
           (also added to DefaultWEBVPNGroup)
Lesson   : A tunnel group without an auth server silently
           fails every login — always bind it to LOCAL

Blocker 4 — Connection Profile Empty / SSL Not Enabled

Symptom : AnyConnect Connection Profiles empty in ASDM,
          or SSL Enabled column unchecked
Cause    : AnyConnect client access not enabled on the
           outside interface
Fix      : ASDM → AnyConnect Connection Profiles
           ✅ Enable Cisco AnyConnect VPN Client access
           outside → SSL Access → Allow Access
Lesson   : The profile can exist in CLI but the client
           won't launch until SSL access is enabled per
           interface in the access table

Blocker 5 — VMnet2 Path Not Reaching ASA

Symptom : Could ping ASA on VMnet1 (inside) but not
          VMnet2 (outside)
Cause    : Cloud-VMnet2 node pointing at the wrong VMware
           adapter / cable to wrong ASA port
Fix      : Cloud-VMnet2 → select VMnet2 adapter,
           cable to ASA Eth0 (outside)
Lesson   : Each Cloud node must map to a distinct VMnet,
           and connect to the correct ASA interface

---

📚 Key Concepts Learned

AnyConnect SSL VPN vs Site-to-Site IPsec

Site-to-Site IPsec:
  Fixed site to site, always on, no user login
  crypto map, for branch offices

AnyConnect SSL VPN:
  Remote access, any location, per-user login
  HTTPS port 443 (works through any firewall)
  webvpn + tunnel-group, for remote employees ✅

Two Different Certificates

ASA SSL certificate (used here):
  Encrypts the HTTPS portal connection
  Required for the portal to load at all

User authentication certificate (NOT used here):
  Installed on the employee's PC
  For certificate-based login instead of password
  This lab uses username + password (local AAA)

Split Tunneling

Without split tunnel → ALL traffic through VPN (slow)
With split tunnel    → only 192.168.10.0/24 through VPN
                       internet goes direct from PC ✅

VPN Pool

Remote users can't use internal IPs
They get a dedicated pool: 192.168.200.0/24
ASA tracks which user has which IP for auditing
Verified: client received 192.168.200.10 ✅

Security Levels and DMZ

outside = 0   untrusted (internet / VPN clients)
dmz     = 50  semi-trusted (servers)
inside  = 100 trusted (management)
VPN clients come in at level 0, need NAT exemption
and ACL to reach DMZ servers at level 50

---

About

AnyConnect SSL VPN on Cisco ASA for remote employee access from home to HQ servers. Documents a full real troubleshooting journey: SSL certificate, browser TLS compatibility, local AAA auth loop, and DMZ access. Split tunneling, VPN pool, ASDM managed. PNetLab simulation.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors