This blog is a follow-up to a previous post on CISCO ASAv in OCI. If you did not read it, I strongly encourage you to.
In the first blog, we focused on creating the Cisco ASAv in OCI; now we will configure it as a remote access VPN that authenticates users against the ASA's local AAA database. Below, you can see the network diagram.
This blog has the following prerequisites:
Log in to Cisco's website, navigate to the AnyConnect software downloads, and download the .pkg for your operating system.
For Windows 10 I will use anyconnect-win-4.10.01075-webdeploy-k9.pkg.
Navigate to ASDM Wizards > VPN Wizards > AnyConnect VPN Wizard and start the configuration.
Fill in the profile name (dev) and the VPN Access Interface (Outside), and select the protocols used (I will only use SSL).
In the Wizard, under Device Certificate, click Manage and add the Device Identity certificate.
Unfortunately, the certificate that I bought is in PEM format (certificate plus private key, generated without an encryption password on the key). ASDM accepts only PKCS12, so I will need to convert the certificate. Use a Linux shell (I am using the Windows Subsystem for Linux) and run the conversion below. The resulting PKCS12 file can be uploaded to ASDM.
# quote the export password: an unquoted $WWqBIMtUl would be expanded by the shell
openssl pkcs12 -export -out /mnt/c/1/vpn/cert.p12 -in /mnt/c/1/vpn/vpn.ateam-oracle.tk.crt -inkey /mnt/c/1/vpn/vpn_ateam-oracle_tk_key.txt -passout 'pass:3}s$WWqBIMtUl'
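As an added example (not from the original post), the same conversion with the export password read from a file instead of the command line, plus the checks worth running before uploading the bundle: that the key really belongs to the certificate, that the .p12 opens again with the password, and which DNS names the certificate carries. The argument names and the pass file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: PEM -> PKCS12 conversion for ASDM
# with the export password read from a file (keeps it out of `ps` and shell
# history), plus the checks worth running before uploading the bundle.
# Assumed arguments: $1 certificate PEM, $2 unencrypted key PEM, $3 output .p12,
# $4 file whose first line is the export password.

# Returns 0 when the private key belongs to the certificate.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Prints the DNS names from the certificate's SAN, one per line, so they can be
# compared with the FQDN that goes into the AnyConnect client profile.
cert_san_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/.*DNS: *//p'
}

# Builds the .p12 and proves it opens again with the same password.
pem_to_p12() {
  cert="$1"; key="$2"; out="$3"; passfile="$4"
  cert_key_match "$cert" "$key" || { echo "key does not match cert" >&2; return 1; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
    -passout "file:$passfile" 2>/dev/null || return 1
  chmod 600 "$out"
  # -info -noout parses the bundle without dumping the key material
  openssl pkcs12 -in "$out" -info -noout -passin "file:$passfile" 2>/dev/null
}

if [ $# -eq 4 ]; then
  pem_to_p12 "$1" "$2" "$3" "$4" && cert_san_names "$1"
fi
```

On OpenSSL 3.x, add -legacy to the export command if the ASA refuses the bundle: the 3.x defaults use newer PKCS12 algorithms than some ASA releases accept.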
The uploaded certificate will show under the Identity Certificates.
Return to the VPN wizard and select from the drop-down the uploaded certificate.
Locate the AnyConnect client package that you downloaded from Cisco and upload it to the ASA.
After the upload, select the package from flash.
Under the authentication method, create a dev user with a password and add the user to the VPN.
Skip the SAML configuration and create the IP pools.
The next section mentions the DNS server that the clients will use. For this scenario, in the hub VCN, I created a private DNS Listener endpoint that will respond to queries from the users.
The IP address of the Listener can be found under Networking > Virtual Cloud Networks > vcn1 > Private Resolver Details.
Return to the ASDM wizard and fill in the Listener DNS IP address.
Select "Exempt the VPN traffic from network address translation"; under Local Network, click the three dots on the right and an object manager will pop up.
Add a network object group called OCI-Internal that will contain the network objects for VCNs.
Return to the VPN wizard and under the Local Network, select the OCI-Internal.
At the end of the wizard, a summary is provided.
Please repeat the same steps and create a new VPN connection for prod.
Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH and add HTTP access for the Outside interface.
Navigate to "Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile" and edit the dev client profile. By default, the server list shows the IP address of the Outside interface with IPsec as the primary protocol.
Change the address to your FQDN and set the primary protocol to SSL.
For both connections (prod and dev) I will use the same Group Policy and the same client profile. Navigate to the Group Policies and assign the dev policy to both connections.
Make a NAT rule for the traffic towards the Internet.
Navigate to "Configuration > Firewall > NAT Rules" and add the following rule:
You will also have two rules added by the VPN wizard that disable NAT from the VPN towards OCI and from OCI to the VPN.
Configure VCN1 routing to route 10.10.10.0/24 via the IP address of the Inside interface.
Add a security rule under the security list for the private subnet. Add the rule for both VPN pools (10.10.10.0/25).
Download and install AnyConnect on the client
Connect to the Outside IP address of the ASA with a browser. Fill in the username and password and log in.
Download the AnyConnect client and install it.
Open AnyConnect, fill in the FQDN of the ASA, and click Connect.
After filling in the username and password, the VPN connection is established.
You can check the IP address assigned from the pool.
You can check the DNS resolution over the tunnel:
I created a private DNS zone in OCI and I am doing a DNS lookup for a record that is only available within the VCN.
In a browser, I opened a website to check the public IP address.
In this blog, we focused on configuring the Remote Access VPN on CISCO ASA which uses Local authentication (credentials stored on the ASA).