Cisco CCNP Security 300-730 SVPN – Remote Access VPN Part 3

  • January 26, 2023

4. Implement AnyConnect SSLVPN on routers

So here is my topology. Right now I have a Windows device over here. I’m able to ping this server, which has this IP address, but I’m unable to ping this computer over here. What’s going to happen is that I’m going to bring up a VPN connection to this router, and that should then allow me to ping this computer. I have already configured everything else, so I can ping all of the IP addresses shown here. All of the configuration is going to be on this MD (Maryland) router; NY is New York. The first thing you need is the AnyConnect package on your Cisco IOS router: if you do a show flash, you need to see it there, because without it this is not going to work. Mine is called anyconnect-win-4.5 (and so on) webdeploy .pkg. You need to copy that package into the router’s flash first, otherwise none of this will work.

So let’s start with the configuration. The first thing we need to do is install that AnyConnect package. The command is crypto vpn anyconnect, followed by the location of the package, flash: and the package file name, followed by sequence 1. When I run it, I get the error “Please try after removing the old package”, because I already have it installed from before. In that case you remove the old package with the no form of the command and then run it again. So, to summarize, the command you need is crypto vpn anyconnect flash:<the AnyConnect package file> sequence 1. Let me make the window a little bigger so you can see all of my commands.

You should be able to see all my commands now. Next we need to turn on the HTTP server with ip http server, and also the HTTPS server with ip http secure-server. Done. After that we need to generate an RSA key pair. The way you do that is crypto key generate rsa, with the label SSLVPN_KEYPAIR, and a modulus of 2048.

There we go, that is done. After that, let’s verify it with do show crypto key mypubkey rsa (I forgot the rsa keyword the first time), and you can see the key pair we generated. Okay, that’s good. Next we need a trustpoint: crypto pki trustpoint SSLVPN_CERT. In here we set the enrollment to selfsigned. If you want a subject name, you can set subject-name CN= followed by the FQDN; you can call it whatever you want, and I am going to use sslvpn.ccdt.com. Then rsakeypair: I want to use the key pair I just created, SSLVPN_KEYPAIR, so we attach it to the trustpoint. There we go, that’s done.

After the trustpoint has been correctly defined, the router must generate the certificate, so we enroll the trustpoint: exit, then crypto pki enroll SSLVPN_CERT. It asks: do you want to continue generating a new self-signed certificate? We say yes. Do you want to include the serial number? We say no. Include the IP address? No. Generate the self-signed certificate? Yes. There we go, that is done. If you want to see the self-signed certificate, do show crypto pki certificates SSLVPN_CERT, and there it is, it was created. So we are good. Next we need to turn on AAA with aaa new-model and create an authentication login list, which we are going to call SSLVPN_AAA, using the local database. Since we are using local accounts, we need to create a username and password: the username is going to be vpnuser and the password is Cisco with a capital C; just remember that. After that we need to define the address pool and the split-tunnel access list that the clients will use.

So let’s do ip local pool SSLVPN_POOL with a range of addresses, and we’re saying that whenever somebody connects to this VPN, we provide them an IP address from this range. Okay? Then we need to create an access list: access-list 1 permit 192.168.10.0 0.0.0.255, which is my inside network; that is what I want to permit access to. So that is good. After that we need to configure a virtual template interface. What a virtual template does is provide an on-demand, separate virtual-access interface for each VPN session, which allows highly secure and scalable connectivity for remote access VPNs. So let’s do that. First configure a loopback, interface Loopback0, with an IP address, let’s say 10.10.10.10. After that we can configure the virtual template, interface Virtual-Template1, with ip unnumbered Loopback0, because we are going to borrow the IP address of that loopback.

After that, you can do do show ip interface brief and you can see that my virtual template has the IP address 10.10.10.10, the same as the loopback, because we did ip unnumbered Loopback0. Let’s exit. Next we need to configure the WebVPN gateway. The WebVPN gateway defines the IP address and port that AnyConnect will connect to, as well as the SSL encryption algorithms and the PKI certificate that will be presented to the clients. By default the gateway supports all possible encryption algorithms, which vary depending on the IOS version of the router. So let’s do that: webvpn gateway SSLVPN_GATEWAY. Inside it we configure the IP address we are going to use for this tunnel, the router’s outside address, the .21 address right here. The port number is 443, because we are using HTTPS, and then we do http-redirect port 80.

So if somebody connects over HTTP, it redirects them to 443. Done. Then we need ssl trustpoint SSLVPN_CERT, to attach the certificate we created. Let’s verify the name: yes, SSLVPN_CERT. Okay. Then we turn it on with inservice. Next we need to configure the WebVPN context. In the WebVPN context we are going to add quite a lot, and I’m going to tell you what each piece does. So: webvpn context SSLVPN_CONTEXT. Inside here, the first thing we need to do is add the gateway we created: gateway SSLVPN_GATEWAY. Done. After that we add the virtual template we created: virtual-template 1. Done. Then we turn it on with inservice, and then we need to create a policy group.

The policy group is going to be called SSLVPN_POLICY. Actually, before we go into it, let’s exit and add the authentication list: aaa authentication list SSLVPN_AAA, the list we created under AAA. Then we go into policy group SSLVPN_POLICY. The first command we need is functions svc-enabled. This is the piece of configuration that allows users to connect with the AnyConnect SSL VPN client, rather than only using the clientless WebVPN portal through a browser. All right, after that we need svc address-pool with the pool we configured earlier, SSLVPN_POOL, and a netmask of 255.255.255.0. Done. Then svc split include acl 1. Remember, this is what is going to provide access to the network in access list 1. If we do show ip access-list 1... actually, I forgot to remove an access list 1 left over from my previous configuration. Let’s exit and clean that up first.

So let’s remove the old access list with no access-list 1. There we go. Now, before we go back into the WebVPN context and the policy group, we need to configure access list 1 one more time: access-list 1 permit 192.168.10.0 0.0.0.255, which is the inside network. So whenever we connect, the only thing we are going to have access to through the tunnel is the inside network. Okay, that’s what I’m telling it right now. Let’s go back into webvpn context, policy group SSLVPN_POLICY, and add that access list: svc split include acl 1.

What this is saying is that whenever my computer is connected to the VPN and tries to reach 192.168.10.0/24, the inside network right here, it sends that traffic through the tunnel. If it is going to any other IP address, it sends it out the normal way, so not all the traffic goes through the tunnel. Okay, done. Then, if you want a DNS server, you can do svc dns-server primary 8.8.8.8 for Google. Then we exit the policy group and set default-group-policy SSLVPN_POLICY, the policy we just created. Done. So we are done with the configuration. Now we need to go to my Windows device, which I have right here. We browse to this MD router at its .21 address, and there we go: it says this site is not secure, which is expected with a self-signed certificate. That’s fine for the lab; let’s go ahead to the page. So now we have access to the SSL VPN service.
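Pulling the whole walkthrough together, here is the router-side configuration as one block. This is an added example, not output captured from the video: the object names are the ones used above, while the package file name, the outside address, the pool range, the loopback mask and the password are placeholders or assumptions you replace with your own values.

```cisco
! Added example: consolidated IOS AnyConnect SSL VPN configuration from the walkthrough.
! <...> values are placeholders; take the exact package name from "show flash".
crypto vpn anyconnect flash:<anyconnect-win-4.5-webdeploy.pkg> sequence 1
ip http server
ip http secure-server
!
crypto key generate rsa label SSLVPN_KEYPAIR modulus 2048
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=sslvpn.ccdt.com
 rsakeypair SSLVPN_KEYPAIR
crypto pki enroll SSLVPN_CERT
!
aaa new-model
aaa authentication login SSLVPN_AAA local
username vpnuser password <password>
!
ip local pool SSLVPN_POOL <first-pool-address> <last-pool-address>
! Split-tunnel ACL: only the inside network is carried through the tunnel.
access-list 1 permit 192.168.10.0 0.0.0.255
!
! Loopback lends its address to every per-session virtual-access interface.
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
interface Virtual-Template1
 ip unnumbered Loopback0
!
webvpn gateway SSLVPN_GATEWAY
 ip address <router-outside-ip> port 443
 http-redirect port 80
 ssl trustpoint SSLVPN_CERT
 inservice
!
webvpn context SSLVPN_CONTEXT
 gateway SSLVPN_GATEWAY
 virtual-template 1
 aaa authentication list SSLVPN_AAA
 policy group SSLVPN_POLICY
  functions svc-enabled
  svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
  svc split include acl 1
  svc dns-server primary 8.8.8.8
 default-group-policy SSLVPN_POLICY
 inservice
!
! Verification commands used in the walkthrough:
!   show crypto pki certificates SSLVPN_CERT
!   show ip local pool
!   debug webvpn aaa
```

The svc split include acl 1 line is what keeps only 192.168.10.0/24 inside the tunnel; everything else leaves the client directly. The self-signed trustpoint is also what produces the browser’s “not secure” warning later, so outside a lab you would enroll SSLVPN_CERT with a CA your clients already trust.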

Over here, let me do a show run, because I remember the password but not the username we configured. It should be near the top. Did we configure a username and password? I thought we did. There it is: vpnuser. Log in with vpnuser and the password, Cisco with a capital C, and never save your password. There we go. Now we are inside the WebVPN portal, and what we want is the tunnel connection with AnyConnect. We hit Start, and it opens another page; click Details and go to the page anyway. From here we download the AnyConnect Secure Mobility Client, and after we download and install it, we connect to this router, which should allow me access to the inside network. Let’s click here to download AnyConnect and save it to the desktop; it downloads it from the router onto my desktop.

Let’s give it about 24 seconds. After it is downloaded, we install the AnyConnect Secure Mobility Client and then create the VPN tunnel with it. While we wait, let me turn on some debug commands on the router: debug webvpn aaa, debug webvpn tunnel, debug webvpn tunnel events, and the WebVPN error debugs as well; I want all of them on. The download has finished, and here it is, AnyConnect. We can close the portal pages now, since we don’t need them anymore, and log out. Yes. And as you can see, the router already sent a debug message saying that the VPN user has logged out of the gateway. So that’s good. Back in Windows, run the installer: Next, accept the agreement, Install, Yes.

Finish. Let’s see if it is here; there it is. Let’s launch AnyConnect. Here’s the app running, and I want to connect to the router’s .21 address. It is contacting it; connect anyway. The username is vpnuser and the password is Cisco with a capital C, at least for me. There we go, and on the router you can see that authentication passed for the VPN user, logging in from the IP address of the Windows device; if you run ipconfig in CMD, you’ll see that is my address. Okay. It is still establishing the VPN connection. It should work, and when we get connected, show ip local pool should show an address assigned out of the range we specified. It’s still trying to connect; not sure why it is taking so long. Let me do an ipconfig: we still only have the one address, and nothing from the pool has been assigned yet.

