@plambrechtsen
Created July 13, 2023 07:26
Cisco ASAv Local Deployment

Setting up Cisco ASAv with AnyConnect

Software Required from Cisco:

  • ASAv

https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.3

There may be newer releases out, but this has been built with 9.18(3) using the VMware package.

asav9-18-3.zip
  • Cisco AnyConnect Bundle

https://software.cisco.com/download/home/286281283/type/282364313/release/4.10.07062

As above, there may be newer releases out. You need the webdeploy .pkg file; the predeploy .zip is also handy because it contains the MSI installers for the client.

anyconnect-win-4.10.07062-predeploy-k9.zip
anyconnect-win-4.10.07062-webdeploy-k9.pkg

Files included in the gist

day0-config - The custom configuration file that is put into day0.iso
genday1iso.sh - Script to regenerate day0.iso from day0-config and then update asav-esxi.mf with the new SHA1 hash of the ISO file

Credentials

Usernames and passwords included in the image. The enable password is ciscoasa.

ciscoasa/ciscoasa - Level 15 admin
testuser/anotherlongpassword - Standard remote VPN only access user

Deployment Steps

  • Unzip asav9-18-3.zip and add the 2 files from the gist to the same folder.
  • Optionally update day0-config with the IP addressing you want if the defaults aren't right.
  • Run genday0iso.sh to generate a new day0.iso (overwriting the existing one) and update asav-esxi.mf with its new SHA1 hash; the manifest is checked when the OVF is imported.
  • Deploy asav-esxi.ovf into VMware Workstation 16 or higher, or ESXi 6 or 7. I had issues with ESXi 8, so YMMV.
  • Remove all but 3 network adapters; you don't need the rest.
  • Before powering on, configure networking:
    • Network Adapter 1 = Management - 192.168.252.10/24 - Management interface used to configure the ASA
    • Network Adapter 2 = Inside - 192.168.10.1/24 - Inside network
    • Network Adapter 3 = Outside - 192.168.28.10/24 - Outside / Internet network
      • Default route on outside via 192.168.28.2

When running on VMware Workstation, assign Network Adapters 1 and 2 to Host Only and Network Adapter 3 to NAT for internet access.

  • Power on the VM and wait 2-3 minutes for it to apply the day0 config and boot. From here you can issue commands on the console or via SSH.
  • Set up a desktop on Management Network 1 (192.168.252.x/24) so you can SSH to 192.168.252.10. Check that you can ping it first.
    • Copy the webdeploy package across with scp: scp anyconnect-win-4.10.07062-webdeploy-k9.pkg ciscoasa@192.168.252.10:
    • SSH to the ASAv and run the post-deploy setup commands shown below. The username, password and enable password are all ciscoasa.
login as: ciscoasa
ciscoasa@192.168.252.10's password: ciscoasa
User ciscoasa logged in to ciscoasa
Logins over the last 1 days: 1.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: ciscoasa
ciscoasa# config term
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.10.07062-webdeploy-k9.pkg 1
ciscoasa(config-webvpn)# svc enable
ciscoasa(config-webvpn)# exit
ciscoasa(config)# exit
ciscoasa#

This step is needed because the AnyConnect webdeploy package is not part of the ASAv image: it has to be uploaded and enabled after the image has been deployed before the SSL VPN will work.

The ASAv is now set up and ready to accept an SSL VPN session.

  • Connect a client workstation with the AnyConnect client installed to Network 3 (the 192.168.28.x/24 network).
  • Assuming the AnyConnect MSI is already installed, connect from AnyConnect to 192.168.28.10. This will most likely give an error about not being allowed to connect to untrusted servers, because the sslvpn trustpoint in day0-config is self-enrolled and the client cannot validate its certificate. On the client's main screen, select the cog at the bottom left, go to VPN -> Preferences, untick the "Block connections to untrusted servers" checkbox and try again.
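The day0-config below is built for a lab: the sslvpn trustpoint is self-enrolled (which is why AnyConnect raises the untrusted-server warning), the outside ACL permits any-to-any, and the credentials are the ones listed above. As an added example that is not part of the gist, the following Python script parses an ASA-style configuration and flags exactly those lab-only settings, so a copy of this config can be checked before it is reused anywhere other than a lab. The embedded config is a constructed excerpt of the gist's day0-config, the rule names are my own, and the checks generalise beyond this config (for example, management access open to any source, which this config does not have).

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the gist's day0-config: only the lines the checks below
# look at, with sub-mode lines indented by one space as the ASA prints them.
SAMPLE_CONFIG = """\
hostname ciscoasa
enable password ciscoasa
interface GigabitEthernet0/0
 nameif inside
 security-level 100
interface GigabitEthernet0/1
 nameif outside
 security-level 0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list global_access extended permit ip object obj-AnyconnectPool any
http 192.168.252.0 255.255.255.0 management
ssh 192.168.252.0 255.255.255.0 management
crypto ca trustpoint sslvpn
 enrollment self
 fqdn sslvpn.cisco.local
username testuser password anotherlongpassword
username ciscoasa password ciscoasa privilege 15
webvpn
 enable outside
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


ACL_ANY_ANY = re.compile(r"^access-list (\S+) extended permit .*\bany any$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")
USERNAME = re.compile(r"^username (\S+) password (\S+)")
MGMT_ANY = re.compile(r"^(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")


def audit_asa_config(text: str) -> list[Finding]:
    """Single pass over an ASA day0-config / running-config; returns lab-only settings."""
    findings: list[Finding] = []
    hostname = enable_pw = None
    users: dict[str, str] = {}       # username -> password as written in the file
    bound: dict[str, str] = {}       # ACL name -> interface it is applied to inbound
    any_any: list[str] = []          # ACLs containing a "permit ... any any" line
    sec_level: dict[str, int] = {}   # nameif -> security-level
    cur_nameif = cur_trustpoint = None

    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if s.startswith("interface "):
            cur_nameif = None                      # start of a new interface block
        elif s.startswith("nameif "):
            cur_nameif = s.split()[1]
        elif s.startswith("security-level ") and cur_nameif:
            sec_level[cur_nameif] = int(s.split()[1])
        elif s.startswith("hostname "):
            hostname = s.split()[1]
        elif s.startswith("enable password "):
            enable_pw = s.split()[2]
        elif s.startswith("crypto ca trustpoint "):
            cur_trustpoint = s.split()[3]
        elif s == "enrollment self" and cur_trustpoint:
            findings.append(Finding("self-signed-cert",
                f"trustpoint {cur_trustpoint} is self-enrolled; clients cannot validate it "
                "unless the certificate is imported into their trust store"))
        elif m := USERNAME.match(s):
            users[m[1]] = m[2]
        elif m := ACCESS_GROUP.match(s):
            bound[m[1]] = m[2]
        elif m := ACL_ANY_ANY.match(s):
            any_any.append(m[1])
        elif m := MGMT_ANY.match(s):
            findings.append(Finding("mgmt-open", f"{m[1]} allowed from any source on {m[2]}"))

    if enable_pw and (enable_pw == hostname or enable_pw in users):
        findings.append(Finding("weak-enable-password",
                                "enable password equals the hostname or a username"))
    for user, pw in users.items():
        if pw == user:
            findings.append(Finding("password-equals-username", f"user {user}"))
    for acl in any_any:
        iface = bound.get(acl)
        # Only flag any-any on untrusted interfaces; an unknown level is treated as 0.
        if iface is not None and sec_level.get(iface, 0) == 0:
            findings.append(Finding("permit-any-any-inbound",
                                    f"{acl} on {iface} (security-level 0)"))
    return findings


if __name__ == "__main__":
    for f in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{f.rule}] {f.detail}")
```

Run it against a saved copy of the config; the inside_access_in any-any line is deliberately not reported because inside is security-level 100, while the same line bound to outside is.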
day0-config

ASA Version 9.18(3)
!
hostname ciscoasa
domain-name vpn.cisco.local
enable password ciscoasa
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.28.10 255.255.255.0
!
interface Management0/0
no management-only
nameif management
security-level 100
ip address 192.168.252.10 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8 outside
domain-name vpn.cisco.local
same-security-traffic permit intra-interface
no object-group-search access-control
object network obj-inside
subnet 192.168.10.0 255.255.255.0
object network obj-AnyconnectPool
subnet 192.168.100.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list global_access extended permit ip object obj-AnyconnectPool any
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static obj-inside obj-inside destination static obj-AnyconnectPool obj-AnyconnectPool
nat (outside,outside) source static obj-AnyconnectPool obj-AnyconnectPool destination static obj-AnyconnectPool obj-AnyconnectPool
!
object network obj-AnyconnectPool
nat (outside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.28.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http server idle-timeout 60
http 192.168.252.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto key generate rsa modulus 2048
crypto key generate rsa label sslvpnkey
crypto ca trustpoint sslvpn
enrollment self
fqdn sslvpn.cisco.local
subject-name CN=sslvpn.cisco.local
keypair sslvpnkey
crypto ca enroll sslvpn noconfirm
crypto ca trustpool policy
auto-import
telnet timeout 5
no ssh stack ciscossh
ssh scopy enable
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 192.168.252.0 255.255.255.0 management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point sslvpn outside
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy SSLClient internal
group-policy SSLClient attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value cisco.local
address-pools value SSLClientPool
dynamic-access-policy-record DfltAccessPolicy
username testuser password anotherlongpassword
username testuser attributes
service-type remote-access
username ciscoasa password ciscoasa privilege 15
username ciscoasa attributes
service-type admin
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
default-group-policy SSLClient
tunnel-group SSLClient webvpn-attributes
group-alias RA enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

#!/bin/bash
# Regenerate day0.iso from day0-config and refresh its SHA1 in the OVF manifest.
set -euo pipefail
genisoimage -r -o day0.iso day0-config
sha=$(sha1sum day0.iso | awk '{print $1}')
echo "day0 sha1: $sha"
# Replace the existing SHA1(day0.iso) entry so the OVF import still validates.
sed "s/SHA1(day0.iso)= .*/SHA1(day0.iso)= $sha/" asav-esxi.mf > asav-esxi.mf.new
mv asav-esxi.mf.new asav-esxi.mf