Cisco CCNP Security 300-730 SVPN – Remote Access VPN Part 7

8. Anyconnect IPSEC SSL Deep Dive

Hello guys. Welcome to a new video. And in this new video, we are going to do a deep dive into any connect VPNs. So for any connect, there’s two types of VPNs that we can configure. Either SSL VPN and also IPsec VPN. So what we are going to be configuring is going to be a VPN or any connect SSR VPN and also any connect IPsec VPN from this Windows device into this ASA firewall. And after we connect to it, we are going to test to see if we are able to either turn it or ping this inside network. So let’s go ahead and start. I’m going to open the ASEAN for this ASA firewall right here. Here we go. So from here, the first thing that we want to do is we want to configure or on any connect SSL VPN. So we are going to go to any connect wizard. Let’s go ahead and click next. And by the way, if you did not know Cisco, AnyConnect or Cisco, the company also wants you to use the wizard because they don’t want you to make errors. So they want people to use the wizard.

Okay, I read that on their own Cisco website. They rather have you doing the wizard than just using the CLI or just putting everything together yourself, just for your information. Okay, so we are going to name a connection profile. Name the connection profile is a pre login policy. So pre login means before you log in, those are the policies that you configure on that connection profile. And we’re going to take a look at those connection profile policies later. And then over here it’s going to ask you which protocols you want to enable. I just want to enable SSL. Let’s go ahead and do that. The client image is going to ask you for image. I already have an image loaded right here which is coming from the disk zero or my Flash drive inside my ASA that I have the any connect windows 4. 2, blah blah blah. And over here it’s going to ask you if you want to use AAAA server group. We are going to use a local one. You can either add a new one if you want to, a radius one, Takash, SD, I-N-T Crebers or LDAP, whatever you want to add if you have it configured. But I don’t have anything configured. So I’m just going to use my local triple A server, which is the server for this ASA.

And I only have one username, which is ascor sophomore here, you want to create an IP before addressable or IPB six addressable. Whatever you want to do. We are going to do an IP B four, one. And we are going to name it just SSL pool. And it’s going to start at 172 dot, 16 dot one, one dot hundred, all the way to 170, 216, 110 something. That messed. Let’s just do this. 24. Let’s go ahead and click Next. And this IP address is going to be the ranges that it’s going to be using from whenever somebody connects to this connection profile. So if somebody connects with any connect application from a Windows device, or any device is going to get an IP address from this language and we’re going to see that from the Windows device. If you have a DNS server, a Wind server or domain name, you could do that. We don’t have one for that exemption. If you’re doing that translation, since we’re not doing that, we’re not going to configure that. So let’s go ahead and click next. If you want to do an InConnect client deployment lounge, you can also do that. Let’s go ahead and click and finish. And after that’s been configured, we want to verify connection profiles. It is enabled for SSL and it goes to have IPsec enable for that. You can see that the alias is SSL and the group policy that we’re using is the group policy, SSL group policy that was created whenever we did this whistler, okay? And you can see that we have enable SSL access on the outside interface, which is 21.

So we are going to connect from this Windows device to 21. So that’s good. Let’s go ahead and save this configuration. Let’s go ahead and go to group policy. Group policy is the post login policy. So after you connect to the ASA, after you connect, after that, the policies that you do after that, that’s what is a group policy. So if you want to allow access to a certain servers to send a server or to any protocol like Https, http, FTP, whatever, if you want to add a plug in, you can do that and a bunch of other stuff. So that’s what it is. And whenever you want to assign a local user, ask her, let’s assign Oscar to it. Let’s go ahead and apply it, save it. Good. Now let’s go ahead and connect from this Windows device to the ASA via it’s going to be an SSL connection. So let’s go ahead and do that. Let’s go ahead and bring up my Windows device over here. Let’s go ahead and open any connect that I have installed. So you need to have install Cisco AnyConnect and let’s go ahead and do a CMD. I’m going to do IP config, so I see my IP addresses configure, so I only have 102, one, CISC one two.

But when I connect, I’m going to get 170, 216, 100. And you guys are going to see that it’s got a 201, which is the outside interface of this ASA. We’re not going to use the default, we’re going to use SSL, the alias SSL. It says welcome to a default group policy. And I will tell you why that is happening. That is happening. If you go to group policy, you can see that the banner is being inherit and if it is being inherited, then it’s going to take this one right here, right? Whenever you inherit, you’re going to get it from the default group policy. But if you don’t want to inherit, what we can do, we can go over here, uncheck inherit, and say, welcome to SSL. Let’s say any connect SSL. Let’s go ahead and apply it and save it. Let’s go ahead and go to my Windows device. Go ahead and say disconnect. Open any connect connect to it again. SSL. There we go. Now it says, welcome to any connect SSL SSL. And also the alias. You can also change the alias, and that is for the post login. So before you log in and before you log in is the Connection profile policies, right? So if you want to change the alias and this alias is for the drop down, we can just say right here and connect SSL.

You can go ahead and just say, no, apply it. Okay, I don’t know why I got that error. Let’s go ahead and save it. Good. And if we go into my Windows device, let’s go ahead and disconnect and let’s go ahead and connect to it again. You’re going to see what the les is. Connect. So the les why did it say any connecting SSL? Why do we have three right now? Let’s go and go back into this ASDM did I configure something incorrectly? Oh, I put a comma. It shouldn’t have a comma. It should say just interconnect SSL. No. Why does it have a comma to it? Interesting. But over here is where you can change the alias for the SSL. So I think it was because I use the wizard and that’s why it is there. So that’s where you can change the alias. As you can see, this one is default. This one says SSL. Let’s go into my Windows device. We are just going to pick SSL. Cisco. Welcome to any connect SSL. So after we connect, we are going to do a show IP or not show IP. We’re going to do IP config.

And as you can see, now we have another IP address, which is 172. That’s 16, 100. So that means that we are connected into the ASA. And the way that you can see this IP addresses pool, you can either go over here to the Any Connect profile, and you can see right here that we’re using the SSL pool. You can select and it’s this one. And also if you go to Address Assignment and you go to Address Pool, it is right here. So you can edit and do whatever you want to it, but we are going to keep it the same. So as you can see, let’s go ahead and try and see we’re able to ping the inside router over here. 172. That’s 16. That one, three. There we go. We are able to ping the router and get a reply. So now we should also be able to tone it into it because I have configured tonet and it is 172 16 one three. There we go. And as you can see right here, we are inside the inside router.

So we were able to tone it and putty and do all that good stuff. You could go ahead and close that and if you want to see the session that is connect to it, you can go to Monitoring, you can go to VPN and for some reason it doesn’t work. But you can see that we have an SSL TLS DTLs and it is one active and also if you want to see more VPN and you can go into not client less any connect client. And from here you can see that session it doesn’t love for some reason for me it just gets stuck at 97%. But if you want to see it from the ASA, from the CLI command, you can go over here and open it and you can do a enable Show VPN session SNS show session what is it? Show crypto VPN let me see if I remember. It was a give me 1 second. I believe it is the so you can see it from here for us to be able to see it. Let me see if I remember. I think it is show VPN. There we go. Show VPN session database and we do connections or any Connect. There we go. So as you can see right here, we have one connection from the end connect. It was connected with the username Askr.

The IP address assigned to this connection was 172 16 100 which we saw from the Windows device. If we do a CMD IP config, there it is. We are using any connect parent SSL tunnel and detailers tunnel which uses UDP. You can see the encryption that we’re using. We are using our next gem encryption and you can see that we’re using Shaft for data integrity. This is Hashing algorithm for data integrity, Sha 384 and for data confidentiality which is encryption, we are using AES GCM two five Six. You can see the group policy that we’re using. Group policy underscore SSL you can see the Toner group that we are using and Tonal group means it is the connection profile which is called SSL and you can see the duration of this, the Inactivity and you can also see the logging time so what time this username was logged in into this SSL AnyConnect VPN. So you can see a lot of good stuff by using the Show VPN session DB AnyConnect. Okay, so also let’s go ahead and go to Configuration if you want to do more. So if you go to connection profiles and if we go into SSL, let’s go ahead and go to advanced say no, you can do a lot more stuff. As you can see over here, you can add an alias.

Let’s go ahead and delete this alias right here. Let’s go ahead and see if we are able to let’s go ahead and see if you let me edit any connect I think needs to be all together so if we do an underscore or let’s go say SSL any connect for the alias there we go, apply it, save it. So if you put a space that’s why it puts a comma and then it adds another connection profile. So if you go back and we disconnect would you see the new alias connect anyway? And there it is SSL AnyConnect and welcome to any connect SSL. So you can see that over there also. And this is for the post login or another post for the pre login policies. It’s any connect connection profile. So before you log in, those are the policies that are apply but after you log in, it is a group policies. Okay? And the connection profile is also called a toner group which we saw from over here. It is called toner group for the connection profile from the CLI for some reason it is called toner group. So if we go to the post login and if we go ahead and double click on it and we go to advance you can see the split tunneling over here.

You can add split tunneling and display tunneling lets you either encrypt all the data if you go ahead and uncheck, it says that you can either exclude the network list below and you can exclude some network. So let’s go ahead and add one. And I have a local one that it was configured a while ago, so manage. And it says Nappy Four. Let’s go ahead and edit and let’s just go ahead and say let’s go ahead and exclude 170 216. 10. Let’s go ahead and just deny deny traffic to inside router. So this is going to deny traffic to the inside. Or you can just specify to just one 7216 one three click. OK, so we are going to deny traffic to the inside router. So now if we click okay and apply it save it. Let’s go ahead and go to my workstation and I’m connected to it so once I see that 16 one three, it’s going to let me ping but what about redisconnect and connect to it again? Is it going to let me reach to this network? Let’s see that connected. Let’s try to ping again and it’s still automatic connect which is weird. Let’s go ahead and go group Policies advanced split Tunneling so it should be excluding the network list below but it still lets me do it actually let’s go ahead and turn on networks local I’m denying it but it’s still letting me do it. It’s kind of weird. Let’s just go ahead and hurry that.

Let’s go ahead and go back to it. Split Tunneling so split tunneling is what? What traffic do you want to encrypt and what traffic do you want to allow? So if let’s say we have a connection right here with the Windows device, right? So with split tunnel in, what you can do is you can either do a policy where it says toner or networks, which means if this Windows device wants to go to the inside network, it’s going to encrypt it. And also, if it wants to go outside of this inside network, let’s say to like Google. com or any other IP address that is not inside my network, what it’s going to do? It is also going to encrypt it. But if we specify and we say just turn out the network list below and we say inherit and we say that local and we apply a network list over here, what it’s going to do is it is only going to encrypt for the specify network below. Okay, so that’s how split tunneling works. Also you can just go ahead and configure any connect client from here if you want to do detail as compression, SSL compression, Fqdna, MTU always on VPN so you can do a lot of stuff client bypass protocol, keep installer on client system, datagram transport, layer security or details. If you want to enable that, you can do that as well from over here if you want to also do I version one.

I version one does not work anymore because it is a really old protocol and what we use now it is Ikev two, which is a lot more to configure, but it has better encryption because it uses NextGen encryption algorithms and it offers a lot more than Ike version one. Okay, cool. So I believe we are done with SSL. What we’re going to do is we are going to configure IPsec and we’re going to see that IPsec connection from the CLI. So let’s go ahead and do that. Let’s go ahead and go into wizards, go ahead and go to any connect. We are going to be calling this IPsec profile. We are going to enable it on the VPN access interface, going to be the outside which that’s good. We are going to disable SSL and just enable IPsec. The image is the same. This user is going to have access to it. We are going to add a new one, a new pool. This is going to be IPsec pool. This one is going to be from 170, 216, 1200, all the way to 172. That 16, that one dot 210 something mass slash 24.

OK, we are not going to do any DNS on it like that. We’re now using that finish. So that’s good. Now let’s go ahead and save it. So that’s good. You can see that for the IPsec profile only IPsec is enabled and from the SSL only SSL is enabled. So that’s good. You can see that the alias is IPsec profile. Let’s go ahead and go into the group policy. Let’s go ahead and remove ask her from the SSL and let’s go ahead and add it to the IPsec so we are able to log in with the username Askr, save it, let’s go ahead and go into my Windows device. Let’s go ahead and disconnect and then connect back to it. But we are going to connect with another alias which is going to be the IPsec profile alias because we’re now going to connect with IPsec instead of SSL. We are going to go drop down IPsec profile password Cisco. And this one says welcome to the default group policy. And that is because if we go into the asvm, we go to the group policy of the IPsec and the banner is inherit and it is inheriting from I can show right now from the default group policy which says welcome to default group policy. So let’s go ahead and just not inherit that and said welcome to IPsec. Just. Welcome to IPsec. That’s good. Okay, apply it, save it, go ahead and go back to my Windows device. We are going to open it, disconnect, and we are going to see that we are going to get the banner that we just configure connect anyway IPsec profile. That’s good. There we go. Welcome to IPsec. Good, there we go.

Connected to 21, the one. Now let’s go ahead and do IP configured over here. You’re going to see that we have a 170, 216, 1200, now 172, 16, 100. Because we’re not using the SSL, SSL is using the 100, IPsec is using the 1200. We should be able to ping 170, 216, one, three, here we go. We should also if we got a party, we should be able to turn it into it. There we go. We were able to turn it and ping that inside router. So now go ahead and close this as well. Let’s go ahead and go into the CLI and let’s go ahead and do a show VPN showvpn session DB AnyConnect as you can see this one, well, this one is using SSL tono details tonal. It’s also using SSL tone over here. And even though we’re using the group policy IPsec and we’re using the IPsec profile as well, let’s go ahead and go into the ASDM and let’s go ahead and go into the interconnect client profile. We have the IPsec client profile over here. Let’s see what’s going on. Let’s go ahead and go to the server list. Edit.

This one is saying IPsec. Let’s go ahead and see do IPsec gateway. So we only want to do or the primary is going to be IPsec. Save it, apply it. So this IPsec profile is the one that is downloaded into the Windows device whenever you connect with a new profile. So if you go into if you want to see that profile, you can go to the C drive program data Cisco, any connect profile and you can see it right here. You can even open it and you can see ask me later. You can see what it says right here you can see the primary, it is IPsec and all that good stuff and also you could see it from the CLI. So if you do a Show directory or Show disk, you can see it right here. IPsec Profile so if we copy this and we do a show, I think we live as a show more. Let’s see if I remember I think it show or more it’s not Show. If we do a more flash and we paste this right here, you can also see the the connection profile right here and the main protocol is using IPsec the hostname 21, which is this one right here. So since that is being downloaded and all that, let’s go ahead and try to reconnect to it.

Disconnect connect anyway, let’s see if now we connect with the IPsec instead of SSL connect it let’s go ahead and go ahead and do shell VPN section DB AnyConnect it’s still using SSL and DTLs but I want to use IPsec because I’m configuring IPsec. So let’s go ahead and go to the ASDM let’s go ahead and go into the connection profiles. Aka toner group. Okay, it is saying that it’s using IB two let’s go ahead and go into the group policies. Group policies. IPsec more options. And it’s also saying that it is only using IPsec with IP two, but for some reason it is not showing that it is shown. SSL. So let’s go ahead and cancel that. Let’s go ahead and save this. Let’s go ahead and go to monitoring VPN and it’s also saying that it’s using SSL TLS and DTLs. So what’s going on here guys? The connection profiles group policies I believe let’s go ahead and go to the any connect client go to any Connect profile only enable IPsec okay, edit IPsec pool group policy IPsec two no general okay, so for some reason it’s only letting me connect to SSL and not IPsec. So let’s go ahead and go ahead and go into profile preference good server list the backup is being inherited.

Let’s go and edit someone using IPsec negotiate using Connect so we don’t have an IC identity iOS gateway you can add a backup server right here if you want to. We don’t have one, so we’re not going to do that. Here’s the name of it. Let’s go ahead and just call it IPsec now let’s also go ahead and just I want to delete this SSL right here. Apply it. Go ahead and go to Group Policies and in group policies SSL is gone. Group Policy IPsec is still here. Let’s go ahead and go into okay, we don’t use IG version one, we use IG version two. You can see over here that it is enable group policy is inherit more option only using IGB Two okay, save it. Let’s go ahead and go into my Windows device disconnect let’s go ahead and go into the profile let’s go ahead and delete that one. Let’s go ahead and connect to it again. Connect anyway IPsec Profile connect anyways activating VPN let’s go ahead and open you can verify from here and you can see it’s still using DTLs. So it’s already allowed me to use SSL. So let’s go ahead and see if it is the user that is only allowed. So if we go into AAA local users thank you. Froze. Let’s give it a second. There we go. Local users. Let’s go ahead and go into Oscar VPN policy. It is using all of them. So let’s go ahead and unchecked uncheck all of this and let’s just go ahead and leave IPsec and IQB two and it’s using the group policy IPsec profile and everything is good.

Okay, apply it, save it. Let’s go ahead and go into my Windows device. Disconnect connect to it again. Connect anyway cisco so now it is now letting me connect. So it looks like it’s only letting me connect into SSL and since I disable SSL, it’s not letting me connect. Let’s go ahead and do a VPN editor and let’s create a new server list. Add score IPsec 21 Primary Protocol IPsec we’re going to use the ASA gateway for that. That’s fine. Click OK now let’s go ahead and save it. IPsec I’m just going to put it in my desktop. It is right here. Let’s go ahead and open the profiles. Remove this profile and let’s move that profile that we just created over here. Try to connect to it again. Actually, let’s go ahead and do cancel drop down. Let’s connect to the IPsec. So that’s what I was missing.

I needed to connect to the IPsec, so I needed to pick the profile that was created. I was just connecting to 21. So if we pick which profile we want to connect to, then it should let us on. And there we go. Welcome to IPsec. So that’s what I was missing. You can see the interconnect downloading blah blah solar VPN sorry for that. Now if we go into Cisco and you can see right here, the protocol now is IGU two IPsec using net t net transversal. So also if we go into the CLI, if we do a Show VPN session, you can see now that we are using IPsec over net transversal IPsec over not transversal and we’re not using SSL anymore. So what was going on? What I was doing is I was just connecting to 21 and that was just trying to connect to the SSL. But if you pick the profile on the drop down menu, then that’s going to let you connect with that connection profile that says that the primary protocol. If we go let’s go ahead and do a Show disk.

And what was the latest one created? It was this one right here. So if we do a more flash paste this right here, we can now see that one. Which one was that one? IPsec let’s go ahead and do this one then. There we go. So as you can see right here, let’s go ahead and go more. So now since we picked this connection profile that says that you’re going to connect to 21 and the primary protocol is IPsec, so now we are connecting with IPsec. Before we were just connecting to 21 with that same connection profile and not this connection profile that was specifying to just connect to IPsec. So if you don’t specify which connection profile you want to connect to, it is just going to throw you into the SSL API which we didn’t want to. Okay guys, this is it for this video.

• Category: Uncategorized