Cisco ASA AnyConnect with AD group-based access (#1 of 2)

For my study I replaced my pfSense VM with a Cisco ASA 5506 to gain more experience configuring these kinds of firewalls. This also makes it easier to try and test new things without having to ask our customers for permission and plan maintenance windows.

Before, I was using OpenVPN on pfSense to give access to a couple of friends who use my server as their homelab and for school. To limit their access while keeping access to my own servers, I created multiple OpenVPN servers, each with access to different networks in my homelab. Now that I have a Cisco ASA I wanted to use its AnyConnect VPN instead, and after a little searching I found out that you can limit access to networks based on group membership in AD. I now have multiple AD groups, each with their own network access, which has been working better than the pfSense deployment I had before. In this post I will show the configuration I did on my ASA to get this working.

First we start by setting up our certificate; this can either be a self-signed certificate or one ordered from a CA. As this deployment is for my homelab I will use a self-signed certificate for now.

  1. The following commands create a self-signed certificate for the domain sample.net. Change this to the domain you will be using.

crypto key generate rsa label sslvpnkey
crypto ca trustpoint localtrust
 enrollment self
 fqdn sample.net
 subject-name CN=sample.net
 keypair sslvpnkey
crypto ca enroll localtrust noconfirm
ssl trust-point localtrust outside

  2. Copy the latest AnyConnect package to your ASA; you can find the download link at cisco.com.

  3. Configure RADIUS authentication and point it to the server running NAP.

aaa-server STLB-RADIUS protocol radius
aaa-server STLB-RADIUS (inside) host <IP Address NAP server>
 key 12345
 radius-common-pw 12345
  4. Create an IP pool for your AnyConnect clients.

ip local pool ANYCONNECT-POOL 172.16.0.1-172.16.0.100 mask 255.255.255.0
  5. Create an object for the pool created above and an object-group for each AD group that needs access to a specific network.

object network ANYCONNECT-OBJ
 subnet 172.16.0.0 255.255.255.0

object-group network LAN-ACCESS-OBJ
 description Networks that can be accessed by VPN-LAN-ACCESS AD Group
 network-object 172.16.10.0 255.255.255.0

object-group network DMZ-ACCESS-OBJ
 description Networks that can be accessed by VPN-DMZ-ACCESS AD Group
 network-object 172.16.29.0 255.255.255.0
  6. Enable WebVPN and AnyConnect, and specify the AnyConnect images copied in step 2.

webvpn
  enable outside
  no tunnel-group-list enable
  anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
  anyconnect image disk0:/anyconnect-macos-4.7.02036-webdeploy-k9.pkg 2
  anyconnect enable
  7. Create an access-list for every AD group you are going to use.

access-list LAN-ACCESS-ACL extended permit ip object-group LAN-ACCESS-OBJ object ANYCONNECT-OBJ
access-list DMZ-ACCESS-ACL extended permit ip object-group DMZ-ACCESS-OBJ object ANYCONNECT-OBJ
  8. Create a NAT-exempt rule to prevent NAT from being performed on the AnyConnect traffic.

nat (any,outside) 1 source static any any destination static ANYCONNECT-OBJ ANYCONNECT-OBJ no-proxy-arp route-lookup
  9. As we are going to use RADIUS for authentication together with AD security groups, we only need a single tunnel-group. Which networks a user can reach is specified in the group-policies created in the next step.

tunnel-group ANYCONNECT-TUNNELGROUP type remote-access
tunnel-group ANYCONNECT-TUNNELGROUP general-attributes
 authentication-server-group STLB-RADIUS
 address-pool ANYCONNECT-POOL
  10. To complete the Cisco configuration we create two group-policies, each granting access to one of our internal networks. Remember the names of the group-policies, as we will need them later when configuring the NAP server.

group-policy LAN-ACCESS-GP internal
group-policy LAN-ACCESS-GP attributes
 dns-server value 172.16.1.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LAN-ACCESS-ACL
 default-domain value lan.net

group-policy DMZ-ACCESS-GP internal
group-policy DMZ-ACCESS-GP attributes
 dns-server value 172.16.2.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DMZ-ACCESS-ACL
 default-domain value dmz.net
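As an added consistency check (my own Python, not part of the post or anything Cisco ships), the script below cross-references the names used in the steps above: the tunnel-group's address-pool and authentication-server-group, each group-policy's split-tunnel list, and the objects the access-lists refer to. It also flags a group-policy that relies on the split-tunnel list alone, since that list only steers client routing and the ASA enforces per-session restrictions with a vpn-filter. The sample configuration is constructed from the names on this page, with a deliberately mistyped pool name so the check has something to find.

```python
import re
# Constructed sample built from the names used in the steps above. The pool name
# under the tunnel-group is deliberately mistyped with an underscore so the check fires.
SAMPLE_CONFIG = """
aaa-server STLB-RADIUS protocol radius
ip local pool ANYCONNECT-POOL 172.16.0.1-172.16.0.100 mask 255.255.255.0
object network ANYCONNECT-OBJ
object-group network LAN-ACCESS-OBJ
access-list LAN-ACCESS-ACL extended permit ip object-group LAN-ACCESS-OBJ object ANYCONNECT-OBJ
tunnel-group ANYCONNECT-TUNNELGROUP general-attributes
 authentication-server-group STLB-RADIUS
 address-pool ANYCONNECT_POOL
group-policy LAN-ACCESS-GP attributes
 split-tunnel-network-list value LAN-ACCESS-ACL
"""
# Lines that define a name, and the table each name goes into.
DEFINITIONS = [(re.compile(p), k) for p, k in [
    (r"^ip local pool (\S+)", "pool"), (r"^aaa-server (\S+) protocol", "aaa"),
    (r"^access-list (\S+) ", "acl"), (r"^object network (\S+)", "object"),
    (r"^object-group network (\S+)", "object-group")]]
# References that must resolve, with the table each one is looked up in.
REFERENCES = [(re.compile(p), k) for p, k in [
    (r"^ +address-pool (\S+)", "pool"),
    (r"^ +authentication-server-group (\S+)", "aaa"),
    (r"^ +(?:split-tunnel-network-list|vpn-filter) value (\S+)", "acl"),
    (r"^access-list .*? object-group (\S+)", "object-group"),
    (r"^access-list .*? object (\S+)", "object")]]


def check_references(config: str) -> list[str]:
    """Report dangling names and group-policies whose split-tunnel list has no vpn-filter."""
    lines = config.splitlines()
    defined = {k: {n for ln in lines for n in pat.findall(ln)} for pat, k in DEFINITIONS}
    findings, policies, current = [], {}, None
    for line in lines:
        if not line.startswith(" "):  # top-level line: start or end a policy block
            m = re.match(r"^group-policy (\S+) attributes", line)
            current = m and policies.setdefault(m.group(1), set())
        elif current is not None:
            current.add(line.split()[0])  # first token is the attribute keyword
        for pat, kind in REFERENCES:
            for name in pat.findall(line):
                if name not in defined[kind]:
                    findings.append(f"{kind} '{name}' is referenced but never defined")
    # split-tunnel-network-list only tells the client what to route into the tunnel;
    # without a vpn-filter the ASA itself does not restrict what the session can reach.
    for gp, attrs in policies.items():
        if "split-tunnel-network-list" in attrs and "vpn-filter" not in attrs:
            findings.append(f"group-policy {gp} has a split-tunnel list but no vpn-filter")
    return findings
```

Run it against a saved `show running-config` to catch a renamed pool or ACL before users start failing to connect.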

Related Articles, References, Credits or External Links

Cisco AnyConnect With Server 2016 NPAS (RADIUS) Different Groups