Cisco CCNP Security 300-730 SVPN – Remote Access VPN Part 8
9. AnyConnect IPsec, AnyConnect SSL VPNs, Client SSL VPN, and FlexVPN Spoke to Spoke
Hello guys, welcome to a new video, and in this video we are going to configure four types of VPN. So we are going to configure a clientless SSL VPN, which is going to be on this side over here, and then we are going to configure an AnyConnect SSL VPN on this side, and then on this side we are also going to be configuring an AnyConnect IPsec VPN. And then we are going to go ahead and configure FlexVPN on this side right here with router one, router two and this hub right here. So let's go ahead and start with the clientless SSL VPN, which is going to be on this side.
So let's go ahead and do that. I already have opened my ASDM for this ASA 2. So let's go ahead and start configuring this. So the first thing that we want to configure for the clientless SSL VPN connection is going to be a connection profile, and this is the pre-login policy. Let's go ahead and click on Add. We are going to name this Clientless Connection. You can name it whatever you want. Connection. There we go. The alias: Clientless. That's good. The default DNS, we are going to do the default. That's fine. And we want to enable the clientless VPN protocol. We are going to choose a group policy, and a group policy is the post-login policy. Over here we're going to call it Clientless Group.
The banner is going to say "Welcome to clientless SSL VPN". More options. So we want to enable the clientless SSL VPN, and that should be good. Tunneling protocols, all the rest, let me verify here. Well, on the portal we want to go ahead and create a bookmark, because we want to get into this website, so we want to bookmark that website. So we're going to uncheck Inherit. That's going to Manage. We are going to add a new one. Let's go ahead and add one, and this one is going to be called Website, and we are going to go to 172 16 two.
That's the website over here, inside, behind the ASA. Let's go ahead and click OK. Bookmark name: we're just going to call this BOOKMARKS, right? There we go. We created that bookmark list called BOOKMARKS; you can name it whatever you want. There we go. And this URL entry, we can just enable it. File entry, I know that is also going to be enabled. Click OK to assign it to the group policy, and there it is. So let's go ahead and click OK. Are you sure about this? Just go ahead and press OK. Then we are going to go into the group policies and the group policy that we created from the connection profile. We are going to assign the user Oscar, apply and save it. Now we are going to go ahead and log in to this ASA via SSL clientless VPN.
And we are going to use a browser. You can use Edge, Internet Explorer, Firefox or Chrome, whatever you have. We are going to go to https, 31, which is the IP address of this ASA, 31. Details, go to the web page. We are going to log into the clientless. "Welcome to clientless SSL VPN", as I said; remember we configured that banner, and here is the website, and there we go, we were able to get into the website, so that is good. So we are done with one VPN. So one VPN is done. Now we are going to configure AnyConnect SSL and then AnyConnect IPsec. So this is going to be from this Windows device, because we are going to configure for this side now. So let's go ahead and open this ASDM. There we go, we are here already. So what we want to do is we are just going to use a wizard. Let's go to Wizards, VPN Wizards, AnyConnect VPN, Next. Let's go ahead and call this SSL AnyConnect. Just going to copy this. VPN interface: the outside. This is the outside, 21. Uncheck IPsec, configure SSL. We are going to use the image that we already loaded. We are going to use the username Oscar.
And for this we are going to create a new one. And we are going to call this AnyConnect SSL, AnyConnect pool, starting IP address 172.16.1.100 all the way to 172.16.1.110, something like that, mask /24. You can do whatever you want, and whenever we connect to this ASA using that SSL VPN we are going to get an IP address from this range, and I'm going to show you guys. We are not going to configure any DNS. Click Next, Next and Finish. That's good. Verify that this connection profile has been enabled: SSL enabled, allowed on the outside. We are going to go into the group policy, and this group policy that we created, this one right here, SSL AnyConnect, let's go ahead and assign a user to it, apply it. We are going to go into this group policy. We are going to go to Advanced, Split Tunneling. We are going to Inherit, we are going to tunnel all networks, and we want to add this local network, and it just says to permit any IPv4 address. So any IPv4 address is going to go inside this ASA. Apply it, save it. So now, the AnyConnect SSL has been configured. Now let's go to this Windows device over here, and from this Windows device we are going to open AnyConnect; you need to have AnyConnect already configured. So we are going to connect to 21. Connect Anyway. And before we do that, let's go ahead and do CMD, ipconfig. And as you can see, we only have one IP address configured, which is a local one. And as soon as we connect, we are going to get another IP address, which is going to be 172.16.1.100, and there we go. I have been authenticated. It is establishing a VPN connection, and there we go. Now we are connected. Let's do another ipconfig, and there it is, 172.16.1.100.
Now we should be able to ping 172.16.1.3, which is the IP address of this router right here inside. We are able to do that. Now what I want to do is I want to see if I'm able to telnet into it. So let's go ahead and open PuTTY. I have configured telnet, that's why I'm doing that. 172.16.1.3. There we go, and get the password, and there we go, we are inside this router right here. So it is working and it's doing good. So now we have configured SSL, AnyConnect SSL VPN. Now we are going to configure AnyConnect IPsec with IKEv2. So we are going to go into the ASA using the ASDM again; we are right here. We are going to go into Wizards, AnyConnect wizard. We're going to call this IPsec AnyConnect. We're going to enable IPsec. Next. AnyConnect is good. Method: we are going to use the local user Oscar. We're going to use the same username. For this pool we are going to create a new one. We're going to call it Pool. This one's going to be 172.16.1.200 all the way to 172.16.1.210, something like that, mask /24. There we go.
Next, Next. We're not configuring any DNS. Next. Allow web launch, whatever you want to do. Finish. There we go. Now we have two connection profiles. So we have the SSL AnyConnect and the IPsec AnyConnect. SSL AnyConnect has SSL enabled, IPsec has IPsec enabled. Let's go ahead and go into the group policy. Let's go ahead into AnyConnect IPsec. Let's go ahead, actually, this is the connection profile for IPsec. We want to go into the group policy. Sorry for that. And in this group policy we want to actually go ahead and assign Oscar to it. There we go. So we are able to authenticate with the username Oscar, and let's go ahead and apply it, save it. Let's go ahead and do this IPsec AnyConnect. Let's go and do the split tunneling. We are going to do the same: tunnel all networks, Inherit, the local, to allow any IP address. Save it. That has been saved.
Now let's go into the Windows device. We need to actually create a profile so we can connect to IKEv2, so we have to put that inside the... the way that you get to that is by going into your C drive, ProgramData, Cisco, AnyConnect, Profile. So let's go ahead and do the VPN Profile Editor. We are going to go to Server List, we are going to add a new one. Name: let's just call it IPsec. IP address 21, which is the ASA. We want to enable IPsec, and that should be good. Let's go ahead and save it. We are going to save it to the desktop, and it's going to be called just IPsec. There we go. Now I saved it to my desktop right here, and I want to move it to the Profile folder. Continue, saved. Now let's go ahead and go into AnyConnect, and let's go ahead and open AnyConnect. Let's connect to the 21, or actually we are going to do the drop-down, and we're going to select that IPsec profile that we created. It is contacting IPsec. There we go, Connect.
Anyway, we are going to connect to the IPsec AnyConnect, same username and password. Welcome. Now the AnyConnect downloader is performing an update check. There we go, Connect Anyway again, start a VPN connection. Let's go into CMD. Now we should have an IP address of 172.16.1.200. ipconfig. There it is, 172.16.1.200. Let's go ahead and go into CMD again. Let's go ahead and ping 172.16.1.3, see if we are able to ping it. There we go, we got a reply from it, so that's good. That means that we are fully connected into this inside network. So now let's go ahead and open PuTTY. We are going to telnet into this inside router. There we go, password. And there it is. We have remoted into this inside router, so that is good. So we have configured three remote VPNs, which were clientless SSL, AnyConnect SSL and AnyConnect IPsec. Now what we are going to be doing is we are going to configure FlexVPN from this hub, router one and router two. And let's go ahead and do that, guys. And this is basically a site-to-site VPN. The other three that we configured before are remote access VPNs. So let's go ahead and go into this hub. Open it. We also need to open router one and router two. Looking good. Let's go ahead and go into the hub, and let's go ahead and have fun with the CLI. Let's go ahead and config t for now. Here is the first step that you need to do.
You want to enable aaa new-model, aaa authorization network FLEX-LIST using the local, and since I'm going to be copying and pasting, because it is a lot of configuration, it's going to be almost identical for router one and router two. So I just want to copy and paste everything or most of it, and then I'm going to edit what I need. After that is done we need to go ahead and do an ip access-list, and it's going to be a standard access list. We are going to be calling this FLEX-ACL, and inside here we want to permit any. That's good. After we do that, let's go ahead and capture this access list. Open Leafpad, paste it over here. And for permit, this is going to be for router two, for router one, because that's the first one that I'm going to do, I want to permit 11.11.11.11 255.255.255.255. Okay. So that's going to advertise my loopback for router one whenever I configure it. So that is good for the hub. After we do that, we need to go ahead and do a crypto ikev2 authorization policy. We are going to configure the default policy.
And inside this policy we need to set route set interface, and then we're going to do route set access-list, and we need to add that access list that we created, FLEX-ACL. Good. Now let's go ahead and copy this command, because we are going to use it for router one and router two. Paste it into Leafpad or whatever editor you are going to be using for this copy and paste. There we go. After that we need to go ahead and configure the keyring. So we're going to do crypto ikev2 keyring. We're going to call it KEYRING, actually IKEV2-KEYRING. There it is. Inside right here we want peer any, the address is going to be, there we go, so we can connect to any of them. Pre-shared-key. Good. We are going to exit, exit. Now we are going to configure crypto ikev2 profile. We are going to call this IKEV2-PROFILE. And inside here we want to do match identity remote address, to anyone.
Then we want to do authentication remote, it is going to be pre-share, and also the local is going to be using pre-share. Then after we do that, we want to add the keyring local, and we need to attach that keyring that we configured to the IKEv2 profile. Then we're going to do virtual-template, virtual-template 8. We are going to create that in a little bit. Then we're going to do aaa authorization group psk list, the list which we named FLEX-LIST, okay? FLEX-LIST and then default. Then we are going to configure phase two, which means we are going to configure IPsec. So crypto ipsec transform-set TSET. We're going to be using esp-aes 256, esp-sha-hmac. Exit. Now we're going to configure crypto ipsec profile, IPSEC-PROFILE. Good. Inside this profile we need to attach the transform set, which we named TSET, and we also need to set the IKEv2 profile, which we named IKEV2-PROFILE. Now let's go ahead and do interface virtual-template 8 type tunnel, which is the one that we configured, that we added to the IKEv2 profile, virtual-template 8. And inside here we need to do the tunnel source. Tunnel source. Then it is specifying right here ip unnumbered. We're going to say loopback 0, right? If we do a show ip interface brief, we can see that that's the correct one. So that is good. Then after that we want to do ip nhrp redirect, ip nhrp network-id 1, tunnel protection ipsec profile IPSEC-PROFILE.
There we go. ISAKMP is now on. So now we want to copy everything we have configured in show run | section crypto, and we want to copy all of this. Let's go ahead and go to crypto authorization. I think I copied that, but let me verify it. Yes, I copied it. So we don't need this. We need this. And this one is going to be for the hub. And for the hub it's going to have an IP address of 81. Then the rest is history. It's going to be the same. And then for the spokes you can just go ahead and say SPOKES. It's going to be any IP address. There we go, just like that. Then over here we need to change this to one remote address. All of that is going to be the same. Good. So after we do that, let's go ahead and do interface tunnel. Let me verify that this is correct. Yes, that's good. Tunnel, or interface tunnel 1. And from that tunnel what we need to do is tunnel mode gre ip, tunnel source. Let me verify which one is the source for router one. It's going to go into router one, show ip interface brief. So the source is GigabitEthernet 0/2.
Then we do a tunnel destination, which is 81, which is the hub IP address. 81, one. Good. Then we're going to do ip address, and this IP address is going to be loopback 0. We do ip nhrp shortcut, and we're going to point this to virtual-template 1. After we do that we are going to do ip nhrp network-id 1; it needs to match the same as the hub. Then we do tunnel protection ipsec profile IPSEC-PROFILE. Now we need to go ahead and configure that virtual template interface, tunnel virtual-template, oops, it needs to be right here: virtual-template 1 type tunnel. So it needs to be interface virtual-template 1. It's pointing right here, and it's pointing in the IKEv2. So that's the one that we are going to configure right here. We need to do an IP.
Actually this one needs to be ip unnumbered, ip nhrp network-id 1, ip nhrp shortcut virtual-template 1, and then tunnel protection ipsec profile; we named that IPSEC-PROFILE, and I believe that should be it. So now let's go ahead and copy and paste everything we have configured into router one. config t. First it's going to be this section, AAA and authorization and all that good stuff. Good. Let's go ahead and copy it and paste the IKEv2. Good. Let's go ahead and do the IKEv2 profile. Oops, what happened over here? Some error. Let's go ahead and paste it right here. Still not working. Oh, that's because I didn't copy everything; I forgot to see. There we go. Then we do IPsec. Good. Then we do the tunnel. Good. ISAKMP, and the tunnel interface is up. You can see that the hub has been configured. So that's good. Let's go ahead and do the virtual template, which is going to enable spoke-to-spoke communication. I have an error with unnumbered.
There we go. So everything is configured. If you go to the hub, you do a show ip interface brief, and for some reason that network went down. And why did it go down? So let me see why it went down. Let's go ahead and do a debug, debug crypto ikev2. Let's also do a show crypto ikev2 sa. We do have one. Okay, I know why this went down. So if you do a show ip route static, I have a static route, a default static route. So we need to go ahead and change that: no ip route, that one, the one two, no ip route. And then we do ip route 211 10, send it to 80 dot 1 dot 2, and then for 22 also send it over there. Then if we go into interface tunnel 1, shut it down and then do no shutdown. Let's do it on all the interfaces. It came up. Let's see if it came up over here. So show ip interface brief, and now it is up. You can see right here, or you can see right here. So it is good. Now it is working. So now that it's working, if you do a show crypto ikev2 sa, we have that SA. The remote is 11.1, which is what I want. That's good. If you do a show crypto ipsec sa, we have it right here. Current peer, port 500. So that's good. Also if you want to see more information, you can do a show ip nhrp. There's no NHRP. Okay, that's good. I believe that's actually for the spoke-to-spoke communication. So let's just leave it like that, and let's go ahead and configure router two. Config, and we just want to change this to template 2. This is going to be all the same. This one's going to be the loopback address of router two, which is 22.22.22.22, right. Also if you go to the hub, if you do a show ip route, you should see a route to 11.11.11.11 directly connected into Virtual-Access1.
So that means it is going through the VPN. But we don't have one for 22.22.22.22, because we are going to configure it now. There we go. FlexVPN, IKEv2 keyring, the same IKEv2 profile. We just need to change this to virtual-template 2. This one is to be 2. Loopback unnumbered. Loopback unnumbered. This is going to be 2, template 2, and this all template 2. Verify. There we go, unnumbered. Let's go ahead and copy everything and paste it into router two. And I saw one error, which was the last one, or another last one. This one, virtual-template 2. Good. If we go to the hub, I did not see a connection for the hub. Let's see if we got another error. I believe the source is wrong. So let's go ahead and, even right here we can see it. It is GigabitEthernet 0/1. So let's go ahead and go into the interface tunnel 2 and do a tunnel source GigabitEthernet 0/1. And that should bring it up. And there we go. So if you do a show ip interface brief, you can see that we have two: Virtual-Access1 for router one, Virtual-Access2 for router two. Let's go ahead and move this so you guys can see it.
Router one and router two. If you do a show ip route static, you're going to see now that we have a route to 22.22.22.22 via Virtual-Access2, and one for 11.11.11.11 via Virtual-Access1, which is router one. Router two. If you do show crypto ikev2 sa, you should see a couple of tunnels. Good. That means that it is working. So now what we want to do is, we have hub-to-spoke communication, but we want to have the spoke-to-spoke communication. So if you go to router one, let me do a show ip nhrp. We don't have any. Let's go ahead and do a traceroute to 22.22.22.22. And there we go. So the first time it went to the hub, but the hub is going to be like, hey, look silly, you don't have to go through me to get to router two. Since I'm the hub, I'm telling you to go straight to router two from now on. So here's a route, an easier route or a faster route to get to router two. And that's going to form a spoke-to-spoke communication whenever the hub sends that to router one. So let's go and do a traceroute.
Again, it seems like it's still going to the hub. It shouldn't have. Let's go to show ip nhrp. There has to be an issue with the virtual template. So, show ip nhrp. So we have one tunnel created for 22 one. But it looks like it's still going through the hub. If you do a traceroute, you're still sending it to the hub, and then the hub is sending it to router two. Let's see what's going on. It says that it is down, show ip interface brief. Okay, so we are having some issues with the spoke-to-spoke communication. Let's go ahead and see if we can fix that. Let's go ahead and do show run. Good. Loopback. Tunnel 2 is good. It's pointing to virtual-template 2. Where is that virtual template? Right here. Virtual-template 2, shortcut, and we added that shortcut over here to virtual-template 2. Let's go into this virtual-template type tunnel, and let's say 2, config t. What if we specify the tunnel source GigabitEthernet 0/1? Let's see if that fixes that issue. It looks like it has not. Let's do a debug crypto ikev2 to see what I get from here. Let's do the same from here. Let's do a show crypto ikev2 sa. We only have one SA. We don't have the one for router two for some reason. Let's go ahead and do a show. So if we don't have an IKEv2 SA, we won't have an IPsec SA, because the IKEv2 SA establishes first, and then after that is established, the IPsec comes up. So did I get any debugging over here? Nothing. Okay, that's interesting.
Let's see if we do. Let's go ahead and go into this one. If we go into this FlexVPN config and do a permit, I want to permit 11.11.11.11, and I believe I did this FLEX-ACL in the run anyway, but it's supposed to be like this. Let's go ahead and show run | section access-list. So router two, it is saying to permit any, FLEX-ACL. Let's go into router one, show run | section access-list. This one is also saying to permit any. Okay, let's go ahead and do this access list: config t, paste, no permit any, permit 11110. Just going to do it like this. Let's go ahead over here as well, config, and then let's go ahead and also permit it on router one, and let's permit this one. show ip interface. We still don't see that spoke-to-spoke communication. config t. Let's go ahead, interface virtual-template 2 type tunnel, ip nhrp redirect. Maybe that would do it.
I don't think so. Let's go ahead and go to router one, nhrp redirect, and show run. Let's go and do a pipe section virtual. show run, loopback, where the template 1, IPsec, tunnel 81. That's good for this one. Router one is good. Network ID, loopback. I don't think I'm missing anything, but I guess I'm missing something. Let's go ahead and go into router two, show run, and it has to be from that virtual template somehow. Okay, let's see, this one has one. Yeah, it does. You can see we have the source right here. We don't have that source for... let's go and specify the source, just because that is on router two: config, tunnel source GigabitEthernet. Is that what I was missing? Doesn't seem like it. Let's go ahead and go to router one and traceroute 22.22.22.22. Still going through the hub. I mean, we have communication, but we don't have spoke-to-spoke communication like I want it. So ip nhrp, we have one dynamic. It is showing right here an NBMA address, 22 one. show ip nhrp. It is showing this tunnel 2 right here. What is the flag? The flag is router, NHRP. So the NHRP tunnel has been created, but the virtual template for some reason is not working. But I'm going to have to leave this video right here.
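Because the FlexVPN hub and spoke commands above are spread across several minutes of spoken CLI, here is the same hub-and-spoke design written out as one clean IOS configuration. This is an added example, not the video's own running config: the names (FLEX-LIST, FLEX-ACL, IKEV2-KEYRING, IKEV2-PROFILE, TSET, IPSEC-PROFILE), the loopback and tunnel-source addresses, the hub's public address 203.0.113.1 and the pre-shared key are all placeholders chosen for this example. The second spoke is identical apart from its loopback and its FLEX-ACL entry.

```cisco
! ===== HUB (constructed example; names and addresses are placeholders) =====
aaa new-model
aaa authorization network FLEX-LIST local
!
! Prefixes the hub pushes to each spoke during the IKEv2 config exchange
ip access-list standard FLEX-ACL
 permit 11.11.11.11
 permit 22.22.22.22
!
crypto ikev2 authorization policy default
 route set interface
 route set access-list FLEX-ACL
!
! Hub accepts any spoke address; one PSK shared by all spokes (placeholder)
crypto ikev2 keyring IKEV2-KEYRING
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 aaa authorization group psk list FLEX-LIST default
 virtual-template 8
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
! One Virtual-Access interface is cloned from this template per spoke;
! nhrp redirect tells spokes to build a direct tunnel to each other
interface Virtual-Template8 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile IPSEC-PROFILE

! ===== SPOKE router one (router two: loopback 22.22.22.22, ACL entry 22.22.22.22) =====
aaa new-model
aaa authorization network FLEX-LIST local
!
ip access-list standard FLEX-ACL
 permit 11.11.11.11
!
crypto ikev2 authorization policy default
 route set interface
 route set access-list FLEX-ACL
!
! peer any: after the hub's redirect the spoke must also authenticate
! the other spoke, not only the hub
crypto ikev2 keyring IKEV2-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 aaa authorization group psk list FLEX-LIST default
 virtual-template 1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
!
! Static tunnel to the hub
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source GigabitEthernet0/2
 tunnel mode gre ip
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC-PROFILE
!
! Dynamic spoke-to-spoke tunnels are cloned from this template
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source GigabitEthernet0/2
 tunnel protection ipsec profile IPSEC-PROFILE
```

The checks used in the video apply unchanged: `show crypto ikev2 sa` should show the hub SA on each spoke and, after a spoke-to-spoke traceroute, a second SA to the other spoke; `show crypto ipsec sa` only populates once the IKEv2 SA is up; `show ip nhrp` on a spoke should list the other spoke's NBMA address once the hub's redirect has been honoured; and `show ip route static` on the hub should show each spoke loopback via its Virtual-Access interface. Note that the spoke's Virtual-Template needs its own `tunnel source`, since the cloned Virtual-Access interface inherits nothing from Tunnel1, and that the spoke keyring and profile must match any peer, because the second tunnel is initiated by or toward the other spoke rather than the hub.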