Cisco CCNP Security 300-730 SVPN – Remote Access VPN Part 6

  • By
  • January 26, 2023
0 Comment

7. Implement basic AnyConnect SSL VPN using ASDM

Have a GNS topology where I have configured the router. The Windows device app has its own IP address and all that good stuff and the only thing that I need to configure is Cisco ASA. So let’s go and configure that guys. And we have to go into the router. The first thing I want to do, I just want to configured the house name just ASA. That’s what I want to give it. Let’s go ahead to IP or to the interface gigabyte which is going to be the inside network or the local side. And the IP address for this is going to be 1021 and then we’re going to give it a name if and this is going to apply a security level and we’re going to just leave it as inside. And the security level for inside it says by 100 by default. So we’re going to leave it like that. Just give a no shut down. And then after that let’s go ahead and configure the DMZ zone which is interface and the IP address for this is one on the 2168 is going to be DMZ and the DMC but the DMZ by default is set to zero.

So we’re going to look at that as well. Let’s see no showdown. Now it’s going to interface one and this one is going to be the internet or the outside public on trusted network and this one’s going to be 145. That one, the one that 124 as well. Now shut down name f internet and the Internet is also set by set to zero by default. So let’s just do not shut down. That’s fine. So now let’s go ahead and end it and let’s try to ping 1022 which is the ASDM. So we’re able to pin the ASDM. Let’s see if we’re able to pin the Tatax GUI. We’re able to pin the tatax GUI. Let’s see if we’re able to pin the router. We are able to pin the router. So that’s good. So we have connectivity to all of these devices. Now let’s go ahead and configure. We need to configure the Http server first server, let’s enable it and then let’s do Http. And I want any IP address coming from the inside network to be able to connect to the Http and it’s going to allow us to launch the ASDM from over here. So then after that I want to configure a route and this route is going to be going to the Internet. So any network that we don’t know, we are going to reach out to the router. Okay, so what I’m saying is any network that I don’t know, just send it to the router to the 14512.

So this is good, it looks like we are done. So you can go ahead and save your configuration. So after that is done I want to go ahead and verify that my Windows device is able to ping. There we go. So we’re able to pin the ASA from my Windows device which is all over here behind router one. So now what we need to do, we can just leave it like that. We are done for now from here. So now let’s go ahead and launch the ASDM. I’m going to open up this ASDM over here and from here let’s go ahead and go to ASDM launcher. Now let’s go ahead and launch it to 1010 20. That one, which is this one right here. Let’s go ahead and always trust the content from this publisher. Yes. And we are going to log in without the username and password because we did not configure that on the ASA. If you’re going to be on a if this is just for Labven, you don’t really have to so that’s why I leave it like that. So now what we need to go ahead go ahead to wizards, VPN, Any Connect wizard. So let’s go ahead and click Next. Let’s go ahead and click on the profile. It’s going to call any connect.

That’s what I’m going to call it. And then after that we are going to pick a VPN access interface and the interface that we are going to pick right here is going to be the Internet. Because we want people from the Internet from the outside network to be able to connect to this profile. Click on next. We are going to use SSL or IPsec, right? So if the Windows device going to use IPsec they’re going to be able to do that. Or if they want to use SSL, we are a web browser, they’re going to be able to do that as well. So now what we’re going to do is we are going to add a device certificate. So let’s go ahead and manage and we’re going to actually create our own. So we’re going to add a new identity certificate and we’re going to go and generate self signed certificate. We’re going to add it. Here we go. Let’s go click OK and then let’s click Next. And now we need to add the image that the Windows device is going to download and install to the device. The one that I’m going to use is going to be this one and connect Windows 4. 04. 4. So let’s go ahead I think this one right here 4. 3.

That’s the one that we are going to use. Okay. Okay, then click on next. Now we’re going to add a username and password. This is going to be on the local device. So we’re not going to be using Tagax or Radius. We are going to configure that on a different video. But for now we are going to just add a new local username and we are going to use that username to log in with the Any Connect. So now we’re here, we need to add a new pool so we can just name this new pool and this one is going to be using it for the app. This is going to connect connection. So whenever we connect, we’re going to get one of these IP addresses. So let’s go ahead. 109, 216821 and it’s going to go all the way to 192 one 6820. And we’re going to have a certain mask of 24. There we go. And if you didn’t want to type it, you can always click on the drop down menu and select it. Select that 24th. Okay, there we go. We have a new pool. Let’s go ahead and click Next. We’re not going to configure any DNS server or Wind server or domain name because we do not have any set up right now. So when you click Next it’s going to yell at you. But you can just click no and that’s going to move on.

So now we want to accept VPN traffic from the network address translation. And what this means is if the network address translation is enabled on the ASA, the VPN traffic must be accepted from this translation. Because if it’s not exempt, then we are going to get a VPN error because that breaks VPNs. Just remember that. So remember to accept that the inside interface, right? And then you want to say any IPV four connection. So let’s click on Next and then how we’re going to download the image is going to be through a web launch. So that’s good. And here at the end it just gives you a summary. We can just click on finish and there we go. Everything is good. And let’s see, we have configured the Internet with SSL and also IPsec. So this is good. And one other thing that we need to do is we need to go to remote access VPN and then from here we need to go to group policies. And you’re going to see the policy that we created, but it does not have a username assigned to us. So let’s go ahead and click Assign and we’re going to assign the local username that we just created. There we go.

Then click on Apply and then you want to save it. Okay. So then after that, all we need to do I believe is we have to go to the Windows device and we are going to install any connect and connect to the VPN. So let’s go ahead and do that VMware exit. Let’s go ahead. You’re going to use Internet Explorer. Sorry guys, we do not have Google Chrome and it’s 145 one. And that should connect to the ASA. And then once we connect to the ASA or to the firewall, it’s going to say that it’s not secure because we do not have a certificate. But that’s fine. You can just click on more information and just go on to the website. And now the group policy that we created was or the profile that we created was any connect. We are going to log in with Escrow password 123456 or whatever the password you gave to your username. There you go. And we’re not going to store that. We’re not going to save that password. As you can see, it’s going to take us to the installation.

So what’s going to happen now is that it’s going to take us, as you can see to this, any kind of secure mobility client, and it’s going to ask us to install it. So let’s go ahead and install it and click yes. And as you can see, it’s running all the gift stuff over here. And we are installing Cisco any connect. As you can see right here, the anticonnect download is analyzing this computer. So it is also analyzing the computer to make sure that it does have space and that it is in good health. Okay, so let’s go ahead and say it is telling you that it is risky because it is untrusted server certificate. We can just click on connect anyway. And as you can see, it is downloading any connect so it can install on my computer. So after that is download, download is going to install it and then it’s going to let me connect to the ASA. There you go. So it’s installed because it is running the Clipper mode and cannot install, the security must be added. That’s fine.

Let’s see. Do we have Cisco install here? Let’s see if we are able to find it somewhere Cisco and Connect. There it is. It was installed, but let me see. Okay, so they’re still doing a lot more stuff. So let’s just give it a couple of seconds. Let’s see if we’re able to escrow it to files this PC. And it looks like it didn’t install attempting the song, which is so it looks like it did not install it. But I can see it over here if you go Cisco and it Connect desktop client. Let’s go ahead and try it from http. Let’s try and do it from Edge. See what happens from Edge login to ask her 123456 login. Let’s try and do it from here now one more time, because it should work. I mean, I tested it already and it should be working. So the security warning attempt launch Java, which is make sure to click yes. There we go. So now it is going to let’s go ahead and just click over here. Yes, go ahead and run it.

There we go. So it is going to work with Edge. I don’t know why Internet Explorer did not work. So it is downloaded right now. So after we download that and you can see it is coming from 145 one, which is our ASA, the IP address of our ASA. Let’s see. It is running security scans. Let’s give it a moment. There we go. We can just run it and there we go. That looks better than before. So Ie is not working on Ie for some reason that I did not know. There we go. Running that package that we added finish and now we should be able to open it. Cisco there we go. So now there was like a DNS failure but we need to just connect to 145. That was the one. Go ahead and connect. And I do know it’s going to give me an error because it’s going to say that it’s not trusted.

So what we could do is there we go, connect anyway and then it’s going to ask me to log in. We’re going to log in with the username of Ascra and password 123456 and the group is going to be any connect. That’s the only one that we have there. Login fail. Let’s try it again. 123456 and that should connect. Let’s see. Still asking me for it. Let’s see what’s going on over here. If we come down over here. Unable to create any connect parent session. Let’s see if we take a look at the log messages. Session limit to reach login fail. Let’s go ahead and close this. 123456 still saying login fail. Let’s go ahead to block connection to untrusted servers now. That’s good. Let’s go ahead and try to connect again. It’s not letting me connect and the error that I’m getting it is because unable to create any connect parent session to in use eight most connect anyway. Let’s see if it lets me log in oscar 123456 and it’s saying login fell unable to create session cannot be established. Session limit of two reached the maximum session load. So they’re saying that we have a session open. Let’s go ahead and see what we could do from here. That’s too big. Let’s go ahead and just do a system reload and save compared. Let’s do it now. Reload without saving? Yes store right now and it is shutting down everything. So I’m just going to reload my ASA and let’s just cancel this and go to the ASA and see it is rebooting. So let’s just give it a couple of minutes. Not even a couple of minutes.

It should take like about 30 seconds. I believe it is. There we go. Let’s go ahead to windows device CMD let’s try to ping 145. I want the one to one see if we’re able to ping. So whenever this comes up or whenever I’m able to ping, I should be able to connect to the ASA. There we go. We are getting replies from the server. So now let’s go ahead and try to connect. And also we can just close this session now. Connect. Now we can also launch the ASDM which is right here. There we go. Connect. Anyway username is Askr 123456 and there we go. Checking profiles. So it looks like it is going to work now. It did not work before connect anyway. You see that any connect downloaded updates have been completed. So it was not connected before because I had a session that was hanging there and the limit, the max limit it was, I think it’s set to two.

So I had a couple of sessions there that was hanging and it was not disconnected from it. So when I tried to do it, I believe it did not let me connect to it. So now it is still trying to connect. So let’s give it a couple of seconds and it should connect to the VPN. There you go. So it’s going to connect. Is now connected. Great. There you go. Connected to 145. One. Let’s see if we are able to do a CMD. Let’s do a ping 192. Okay. So we’re not able to connect to the Tachex Google. Let’s see if we’re able to ping 1022. So we’re able to connect or to ping 1022. Let’s see if we can what I’m going to do is enable configt now and let’s run this app connection and let’s do VPN or what is it? Question mark permit to VPN. Let’s go ahead and do that and see if we’re able to ping this DMZ. Oops. It’s not a DMC. This one. We’re still not able to ping the DMZ. So what I want to do now, since I want to connect to the Takax GUI, I want to connect the Takax GUI to the inside. And probably after we connect to the inside we should be able to connect to the Takas GUI because what are we doing right now we are actually connecting to the inside network. So if we configure if config ethan 1020.

Let’s see ten net mask is 245-245-2450. And then we do a route add default gate weight. It’s going to be 10 10 21. Let’s see if we’re able to paint our default gateway now. 1010 21. So we are able to paint that default gateway now. Let’s see if we have to do. Let’s go ahead and launch this ASDM now. 1021. Always trust. Yes, log in. So now what I want to do, let’s see if from the computer were able to ping 1020. Whether I set it to I forgot already. So 10 10 20 10 20 10 so I don’t forget. Let’s see if we are able to ping that from our VMware. Let’s go and close that on a Windows device. Ten. There we go. So now we should be able to connect to this tagx GUI https 1010 2010 as you can see right here, we are able to get into the TechX GUI. The reason that we’re getting into Takasui is because we are connected to the VPN. So if we disconnect from the VPN we shouldn’t be able to connect to the tech exclui or even ping the Takasui or ping this HDM device over here. It is still loading. Try to load it again. So since it’s taking too long, let’s go ahead and see. Let’s go ahead and ping.

And what I want to do is I want to disconnect from this VPN. Let’s see if we’re able to ping. There you go. So whenever we get disconnected from the cisco interconnect, we are not able to ping the tagax GUI. But if we connect connect to the VPN, we are able to ping the tagax GUI. So let’s just give it a couple of seconds for Cisco and connect to work. And the reason why it’s taking too long is because I do not have a license yet for the firewall. And since I do not have a license, the speed is really slow, and that’s why it’s taking too long. But if you have a license and you’re doing this, you’re going to see that it is a lot faster than what I’m doing right now. So as you can see, we’re establishing a VPN connection. And then after that connection is established, we should be able to ping the attack at SchoolI, because we are going to be inside this network right here inside the local network. So there we go. We are now connected. Now we should be able to ping 1010 2010. Okay, guys, so this is it for this video, guys. I hope you guys enjoyed I hope you guys enjoyed my troubleshooting whenever I had a connection error or whenever I was trying to actually reach reach this DMC, because it wasn’t supposed to be in the DMC. It was supposed to be inside. So thank you guys for watching.

Comments
* The most recent comment are at the top

Interesting posts

The Growing Demand for IT Certifications in the Fintech Industry

The fintech industry is experiencing an unprecedented boom, driven by the relentless pace of technological innovation and the increasing integration of financial services with digital platforms. As the lines between finance and technology blur, the need for highly skilled professionals who can navigate both worlds is greater than ever. One of the most effective ways… Read More »

CompTIA Security+ vs. CEH: Entry-Level Cybersecurity Certifications Compared

In today’s digital world, cybersecurity is no longer just a technical concern; it’s a critical business priority. With cyber threats evolving rapidly, organizations of all sizes are seeking skilled professionals to protect their digital assets. For those looking to break into the cybersecurity field, earning a certification is a great way to validate your skills… Read More »

The Evolving Role of ITIL: What’s New in ITIL 4 Managing Professional Transition Exam?

If you’ve been in the IT service management (ITSM) world for a while, you’ve probably heard of ITIL – the framework that’s been guiding IT professionals in delivering high-quality services for decades. The Information Technology Infrastructure Library (ITIL) has evolved significantly over the years, and its latest iteration, ITIL 4, marks a substantial shift in… Read More »

SASE and Zero Trust: How New Security Architectures are Shaping Cisco’s CyberOps Certification

As cybersecurity threats become increasingly sophisticated and pervasive, traditional security models are proving inadequate for today’s complex digital environments. To address these challenges, modern security frameworks such as SASE (Secure Access Service Edge) and Zero Trust are revolutionizing how organizations protect their networks and data. Recognizing the shift towards these advanced security architectures, Cisco has… Read More »

CompTIA’s CASP+ (CAS-004) Gets Tougher: What’s New in Advanced Security Practitioner Certification?

The cybersecurity landscape is constantly evolving, and with it, the certifications that validate the expertise of security professionals must adapt to address new challenges and technologies. CompTIA’s CASP+ (CompTIA Advanced Security Practitioner) certification has long been a hallmark of advanced knowledge in cybersecurity, distinguishing those who are capable of designing, implementing, and managing enterprise-level security… Read More »

Azure DevOps Engineer Expert Certification: What’s Changed in the New AZ-400 Exam Blueprint?

The cloud landscape is evolving at a breakneck pace, and with it, the certifications that validate an IT professional’s skills. One such certification is the Microsoft Certified: DevOps Engineer Expert, which is validated through the AZ-400 exam. This exam has undergone significant changes to reflect the latest trends, tools, and methodologies in the DevOps world.… Read More »

img