
Best Practices from Oracle Development's A‑Team

Configure on ASAv the Remote Access VPN with local authentication

Catalin Andrei
Cloud Networking Solutions Architect

Introduction

This blog is a follow-up to a previous post on CISCO ASAv in OCI. If you did not read it, I strongly encourage you to.

In the first blog we focused on creating the Cisco ASAv in OCI; now we will configure it as a remote access VPN, using the local AAA server on the ASA to authenticate users. Below, you can see the network diagram.

Prerequisites

This blog has the following prerequisites:

  • The setup from the previous blog, which this configuration builds on.
  • A domain name for the VPN. For this scenario I registered ateam-oracle.tk; the record vpn.ateam-oracle.tk points to the Outside public IP address of the ASA.
  • A valid (not self-signed) SSL certificate for the FQDN of the ASA.

Configuration

1. Download the VPN Client

Connect to Cisco's website and navigate to the AnyConnect software and download the .pkg for your operating system.

For Windows 10 I will use anyconnect-win-4.10.01075-webdeploy-k9.pkg.

2. Start the VPN Wizard in ASDM

Navigate to ASDM Wizards > VPN Wizards > AnyConnect VPN Wizard and start the configuration.

Fill in the profile name (dev) and the VPN Access Interface (Outside), and select the protocols to use (I will only use SSL).

3. Upload Device certificate

In the Wizard, under Device Certificate, click Manage and add the Device Identity certificate.

  • Convert certificate

Unfortunately, the certificate that I bought is in PEM format (certificate + private key, with the key generated without a passphrase). ASDM accepts only PKCS12, so I will need to convert the certificate. Use a Linux shell (I am using the Windows Subsystem for Linux) to do the conversion; the resulting file can then be uploaded to ASDM. Keep the export passphrase in single quotes: unquoted, the shell would expand the $WWqBIMtUl part as an (empty) variable and the bundle would be protected by a different passphrase than the one you intend to type into ASDM. The passphrase also stays in the shell history, so clear it afterwards.

openssl pkcs12 -export -out /mnt/c/1/vpn/cert.p12 -in /mnt/c/1/vpn/vpn.ateam-oracle.tk.crt -inkey /mnt/c/1/vpn/vpn_ateam-oracle_tk_key.txt -passout 'pass:3}s$WWqBIMtUl'
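As an added example (not from the original post), here is a small POSIX shell script that does the same conversion with the checks I would want before uploading: that the private key actually belongs to the certificate, that the certificate's SAN covers the VPN FQDN, and that the resulting bundle opens with the passphrase. It reads the passphrase from a file instead of the command line; the paths, the FQDN vpn.example.test and the passphrase are constructed placeholders, and it assumes openssl 1.1.1 or later is available.

```shell
#!/bin/sh
# Added example, not from the original post: build the PKCS12 bundle that ASDM
# imports from a PEM certificate plus an unencrypted PEM private key, after
# checking that the key matches the certificate and that the certificate names
# the VPN FQDN. Assumes openssl 1.1.1 or later; every path here is a placeholder.
set -eu

# Succeeds if the public key in the certificate matches the private key.
cert_key_match() {   # cert key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Succeeds if the FQDN is listed as a DNS name in the certificate's SAN.
cert_covers_fqdn() {   # cert fqdn
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Export cert + key as PKCS12. The export passphrase is read from a file rather
# than given on the command line, so the shell never interprets characters such
# as $ or } in it and it does not end up in shell history or in `ps` output.
# If the ASA rejects the bundle, add -legacy (OpenSSL 3) to use the older PBE algorithms.
make_pkcs12() {   # cert key passfile out fqdn
  cert_key_match "$1" "$2"   || { echo "key does not match certificate" >&2; return 1; }
  cert_covers_fqdn "$1" "$5" || { echo "certificate does not cover $5" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$4" -passout "file:$3"
}

# Succeeds if the bundle opens with the passphrase, which is what ASDM does on import.
verify_pkcs12() {   # p12 passfile
  openssl pkcs12 -in "$1" -nokeys -noout -passin "file:$2" 2>/dev/null
}

# Constructed sample: a throw-away self-signed certificate for vpn.example.test
# and a passphrase containing the same kind of shell metacharacters as the post's.
make_sample() {   # dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example.test" \
    -addext "subjectAltName=DNS:vpn.example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  ( umask 077; printf '%s' 'Ex}a$mple#pw' > "$1/pass.txt" )
}

d=$(mktemp -d)
make_sample "$d"
make_pkcs12 "$d/cert.pem" "$d/key.pem" "$d/pass.txt" "$d/cert.p12" vpn.example.test
verify_pkcs12 "$d/cert.p12" "$d/pass.txt" && echo "$d/cert.p12 is ready for upload to ASDM"
```

For the real certificate, replace make_sample with your own cert and key paths and a passphrase file you created yourself.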


  • Upload certificate


The uploaded certificate will show under the Identity Certificates.

Return to the VPN wizard and select from the drop-down the uploaded certificate.

4. Upload the AnyConnect software

Locate the AnyConnect client package that you downloaded from Cisco and upload it to the ASA.

After the upload, select the package from flash.

5. Create a local username and password

Under the authentication method, create a dev user with a password and add the user to the VPN.

Skip the SAML configuration and create the IP pools.

6. Configure DNS

The next section asks for the DNS server that the clients will use. For this scenario, in the hub VCN, I created a private DNS Listener endpoint that will respond to queries from the users.

The IP address of the Listener can be obtained under Networking > Virtual Cloud Networks > vcn1 > Private Resolver Details.

Return to the ASDM wizard and fill in the Listener DNS IP address.

7. Configure NAT exemption for the VPN

Select "Exempt the VPN traffic from network address translation" and, under the Local Network, click the three dots on the right; an object manager will pop up.

Add a network object group called OCI-Internal that will contain the network objects for VCNs.

Return to the VPN wizard and, under the Local Network, select OCI-Internal.

At the end of the wizard, a summary is provided.

Please repeat the same steps and create a new VPN connection for prod.

8. Activate HTTPS for the Outside Interface

Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH and add ASDM/HTTPS access for the Outside interface.

9. Edit the client profile

Navigate to "Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile" and edit the dev client profile. By default, it shows under the server config the IP address of the Outside interface and the Primary protocol as IPSEC.

Modify it to reflect your FQDN, and set the primary protocol to SSL.

For both connections (prod and dev) I will use the same Group Policy and the same client profile. Navigate to the Group Policies and assign the dev policy to both connections.

10. NAT rules

Make a NAT rule for the traffic towards the Internet.

Navigate to "Configuration > Firewall > NAT Rules" and add the rule for Internet-bound VPN traffic.

You will also see two rules added by the VPN wizard that exempt the traffic from the VPN towards OCI, and from OCI to the VPN, from NAT.

11. Edit the VCN1 routing

Configure VCN1 routing to route 10.10.10.0/24 via the IP address of the Inside interface.

Add a security rule under the security list for the private subnet, covering both VPN pools (10.10.10.0/25).

12. Download and Install AnyConnect to the client

Connect to the Outside IP address of the ASA with a browser. Fill in the username and password and log in.

Download the AnyConnect client and install it.

13. Configure the connection details

Open AnyConnect, fill in the FQDN of the ASA and click Connect.

After filling in the username and password the VPN will be initiated.

14. Check VPN status

You can check the IP address assigned from the pool.

You can check the DNS resolution over the tunnel:

I created a private DNS zone in OCI and I am doing a DNS lookup for a record that is only available within the VCN.

In a browser, I opened a website to check the public IP address.

Conclusion

In this blog, we focused on configuring the Remote Access VPN on Cisco ASA using local authentication (credentials stored on the ASA).
