Cisco CCNP Security 300-730 SVPN – Remote Access VPN Part 9
10. 3 Remote Access VPN Types Configuration
Hello guys, welcome to a new video. In this video we are going to be configuring three remote access VPN types. The first one is going to be the clientless SSL VPN. The other one is going to be an AnyConnect SSL VPN, and then we are going to configure AnyConnect IPsec VPN. So let's go and start with those configurations. So you have to launch the ASDM, and the way that we are going to verify that it is working is I have my Windows device right here. So the way that we are going to verify that it's working is that we are going to access this website right here behind this firewall.
So we are going to connect to this firewall either via clientless or with AnyConnect, and then we are going to connect to this website, and let's see how fast I'm able to configure this. So let's go ahead and go into Configuration, and we are going to go into Remote Access VPN. The first one that we want to configure is going to be, let's see, we want to go into Network (Client) Access. Let me make this bigger so you guys can see. There we go. So we have the network one. We're not going to do that. We want to do the clientless SSL VPN first. So let's go ahead and do that. The first step that we need to do is configure the connection profile, which is a pre-login policy, and then we are going to do a group policy, which is the post-login policy.
So let's go ahead and create the connection profile. For this we are going to be calling this profile Clientless, and for the alias we're going to just do Clientless. Over here we are going to be using AAA local, so that's good. The default policy: we're not going to use the default group policy. We're going to create a new policy for this one. So we're not going to be using the default group policy. Let's go ahead and create our own policy, and this one is going to be called Group Clientless. There we go. We're going to put our banner right here: Welcome to clientless SSL VPN. Click OK. Tunneling protocol. We also want to, let's see if that gives us the option.
Welcome. More options. There we go. All we want for this group is just to have access to clientless SSL VPN. Okay, so everything is good. Click OK. Do you want to do this? Yes, apply, and yes, I want to enable it. Apply it. And do we give it an alias? I want to give it an alias of Clientless. That's good. Yes, because I want to allow the user to select the connection profile on the login page. Let's go ahead and go into group policy. We already created that group. It's over here. So now what I want to do is I want to assign a new user.
So we want to create a local user for that, and we want to call this Clientless. Clientless, password is going to be Cisco. Cisco. It doesn't need to have full access, so let's just say no ASDM, SSH, Telnet or console access. I just want access to log in to the VPN. Apply it. So now let's go ahead and go into the group policy, and in that group policy we are going to assign that user to this group policy. Click OK, apply it and save it. Good. So now this should be, well, not yet. We want to do a post-login policy. So we need to go into group policy. Let's go into the Clientless policy.
Let's go into the portal, and we want to add some bookmarks. And we already have one. So if I go into Manage and go into Edit, yes, that's the correct website. So I want to reach this website. And if you want to add one, you can just go ahead and add a bookmark over here and then do the rest. So since I have one, I'm going to use that same one. Save it. So now let's go ahead into my Windows device, which is all the way up here. And the first thing I want to do is I want to see if I have connectivity.
So let's go ahead and ping that ASA. And I'm able to ping the ASA, that means that I have connection. Let's go ahead and open Edge and let's go to https 21. There you go. It said it's not secure. Let's go ahead and go into the web page anyways. So right now I have the group policies of all the connection profiles, say Clientless or the default one. I want to have the Clientless one. And this one, the user was Clientless and the password was Cisco. And there we go. Welcome to clientless SSL VPN, continue. And we have this website. So let's see and test to see if we have access to it. It's going to give me access to this website right here. And there we go. And Not Workers Toolkit, that's what the website is called. So that works. So we have one remote access VPN done. Now the next one that I want to do, it is not a clientless one. The difference between the clientless, or why would you choose a clientless, is whenever a user does not have, if they're not an admin on their website or on their computer, if they're not an admin and they are unable to install AnyConnect, then you want to do this clientless SSL VPN, right?
Because you can reach any internal website from the browser, and therefore they don't need to install anything. And since they are unable to install an application like AnyConnect, then they can use the browser via clientless VPN. So now we are going to assume that the user is able to install Cisco AnyConnect, which I have installed already. If I go to AnyConnect, I have it installed. So now I'm going to configure a VPN connection for a user who is an admin on the computer and has AnyConnect installed. And there are two options that we're going to have. We are going to have the SSL AnyConnect option, and then we have the IPsec AnyConnect option. So we are going to configure both. The first one is going to be the SSL VPN. So let's go ahead and do that. Now we are done with clientless. So we're not going to reconfigure clientless. We are going to configure the Network (Client) Access, and for that I'm going to use the AnyConnect VPN Wizard. Let's go ahead and click Next. This connection profile is going to be SSL AnyConnect, and it's going to be on the outside. We are going to say SSL. Click Next. We are going to select the AnyConnect image. Click Next. The authentication method: we want to use another user for this one, and it's going to be called SSL. Let's just call it SSL AnyConnect. Password is going to be Cisco. Cisco. That's fine. Add it over here. Go ahead and click Next.
Now we need to select an address pool. So whenever this Windows device connects, it is going to get an IP address from this pool. We are going to say SSL pool, and it's going to be five five one, all the way to five six something four. Let's go ahead and just say six, because I already have a pool in five that I forgot to delete. So let's go ahead and say six. Six. Click on Next. We're not going to configure any DNS server or domain name or anything like that. But if you have a DNS server, you can just go ahead and put it right here. I don't have one. Let's go ahead and say no NAT exempt. We are not using network address translation on the ASA, so we don't have to exempt. If you're using, or if you were doing, network address translation, then you want to check this right here and tell it which one to do.
The NAT exempt. But since we don't have network address translation, we don't have to do that. AnyConnect, fine, good. It gives you a summary. Let's go ahead and click Finish. So now we want to verify that that is enabled, and as you can see right here, the SSL AnyConnect is enabled for the outside interface. So that's good. Let's go ahead and go into the client profile. We don't have anything. Software, good. So let's go ahead and go into the group policy, which is the post-login. So after the login, over here, we want to actually assign, we want to do our own banner, which is going to say Welcome to SSL AnyConnect. More options. We just want to enable SSL VPN Client. Okay. Service: you don't want to do that. Advanced, split tunneling: you can do split tunneling. You can do AnyConnect client over here as well, and IPsec IKEv2, but we don't want to do any of that. Let's go ahead and apply it. Save it. We did not add the user. Let's go and click Cancel.
Let's go ahead and click on Assign, and we want to assign the SSL AnyConnect user. Apply, save it. Now let's see if we are able to connect from our Windows device. So we want to open AnyConnect and we want to connect to 21. There we go. And this is via SSL connection. So the group for this one is not going to be Clientless. If we do Clientless we won't be able to log in, because Clientless is only for the web SSL VPN. So we want to do SSL AnyConnect, and the user was SSL AnyConnect, the password was Cisco. Here we go, it tells you right now: Welcome to SSL AnyConnect. Accept, and that's going to establish a connection. There we go. It has been connected to 21. So if you do now a CMD and if you do an ipconfig, you're going to see that we have now an IP address of six six, six one. And that was the address that we configured over here. So that means that we are connected to the ASA firewall. So now we should be able to go straight into this website at 172.16.1.2, and there we go. So we have successfully configured an SSL client VPN connection, the client being AnyConnect, and it was SSL.
So now another one that we want to do, and it's going to be the last one. And for that one, let's go ahead and just disconnect. And if you disconnect, and if you go into the browser and if you try to go to 172.16.1.2, you won't. It is still letting me on it, and we are disconnected. Let's go ahead and do a CMD ipconfig. Now our IP address is 18212, but it is still allowing me into this one, and that's because I believe I configured MPF before this video, and it is allowing me to go into this website because MPF is allowing that traffic to come in, and I believe I also configured an ACL. So let me go to Device, Firewall, let's go ahead into the ACL rules. Outside: it is allowing all the connections on the outside. Let's go ahead and apply this. If we are able to get to it, you're still able to get to it. That's funny that it is doing that. 122, it still allows me in here. Let's go ahead and save this. That's interesting. It probably has to do with the MPF, but that's fine. We can just verify by doing the IPv4 address. So the next one that we want to configure is, if you go to Wizards, we're going to configure AnyConnect with IPsec. So let's go ahead and click Next. Let's just go ahead and call this IPsec. It's going to be on the VPN access interface, which is going to be the outside. Go ahead and click Next. We are going to unselect SSL. We only want IPsec. We're going to use the same for this one. This one is going to be called IPsec for the user, Cisco and Cisco. Let's go ahead and add it.
Next, the pool that we want to add. We named this, let's go ahead and name it IPsec pool. It's already at eight one. I think I put a space right here by accident. Mask 24, next. We don't want to do that, say no, the same thing that I talked about earlier. If you want to do web launch, you can also go ahead and do that. Finish, and Finish. So now let's verify that IPsec is enabled for that IPsec connection profile, and it is. Let's go ahead and go into client profile. We have a client IPsec profile right now. Let's go ahead and go to AnyConnect software. It is there. Group policy: let's go ahead and do this IPsec, and it is using IKE version 2, and the connection profile that it is using is IPsec. So that is good. Let's go ahead and assign a username, and we're going to assign username IPsec. Apply it and save it. Let's see. And after we do that, we want to create a connection profile, and the way that you can create a connection profile is by having the VPN Profile Editor. You can go ahead to Server List. Let's go ahead and add a new one. This one we're just going to call IPsec AnyConnect, IP address only, the .21 one. Okay, let's go ahead and save it. We're going to save it as IPsec. IPsec AnyConnect, that's fine. We're just going to send it to the desktop. Save. So now it is right here on the desktop.
So now we want to put it into this AnyConnect application. We go to ProgramData, Cisco, AnyConnect, Profile, and we are going to just drag it over here. Continue. Now let's go ahead and go into, we're not going to use, let's go ahead and just close this, quit it, and we are going to open it again. And now we have the IPsec AnyConnect option that we put in here, that profile that we created, and that's going to connect to this ASA using IPsec and IKE version 2. And we are now going to select this, because if we select that it won't let us connect to it. So if you say it is going to let us connect to it, because that's the one that is supposed to be in here. But if we connect to the IPsec one and we say Cisco, it did let me in with that profile. And let's go ahead and go into this IPsec, and we don't want to inherit that. So what we want to do, when it comes back, it froze. Let's go ahead and put right here Welcome to IPsec. We don't want to inherit. We just want to have IPsec IKEv2.
I'll just go ahead and say no. Advanced: you can do split tunneling, browsing, proxy, AnyConnect client and all that good stuff. Let's go ahead and apply it. So let's go ahead and do a CMD ipconfig, and we have the eight one. That's good. I just want to disconnect, and we want to lock it to only, let's go ahead and just lock it and only allow IPsec to connect to it. Apply it and save it. Let's go and connect anyway. Let's just use the IPsec user and the Cisco password, and it's saying that this user is not allowed, and we're using IPsec, IPsec. Let's go ahead and go into the users, local users, IPsec. VPN: it is using the IPsec policy. I don't want to inherit. I want to have IPsec. Apply it and save it. Let's go and try it again. Cisco. It will still not allow me to connect to that IPsec. Let's go and make that connection one more time. That's going to go to Monitoring. Okay, let's go into my Windows device. IPsec, IPsec, Cisco. That is not letting me on. Go ahead to Configuration, IPsec, and it is with the IPsec policy. Let's go ahead and check this one too. Maybe it's an IKE version one. Let's go ahead and do this one as well. Save it. Cisco, connect to it again. Group policy IPsec, connect anyway, IPsec user, Cisco, and it's not letting me connect to it. Interesting enough.
What if you use the SSL AnyConnect user, Cisco? So it is letting me connect using the SSL user for some reason. So this is being inherited. Everything is being inherited. SSL VPN Client, okay. Well, it is letting me on with the SSL client or user. So let's go and see the SSL AnyConnect: full access, VPN SSL, the tunneling, it is inheriting the tunnels and all that good stuff. Well, for some reason it's not letting me in with that IPsec user that we created. It is not letting me in with the IPsec, but it is letting me in with the SSL AnyConnect. For this video we are just going to leave it like that for now, because I don't have a lot of time to troubleshoot what the issue is.
But this is it for this video, guys. I just wanted to show you guys how to configure three types of remote access VPN, so I was able to do that. We configured SSL clientless VPN, and we configure that whenever somebody doesn't have admin access to install the AnyConnect application on their computer. So we can do SSL clientless VPN. But if anybody has admin access to the computer and they are able to install the AnyConnect client, we can do SSL AnyConnect or IPsec AnyConnect. So this is it for this video, guys. I hope you guys enjoyed this video.
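For reference, here is the ASA command-line equivalent of the three connection profiles built through the ASDM wizards above. This is an added example written for this page, not the running config from the video; the interface names (outside/inside), the pool ranges (10.6.6.0/24 and 10.8.8.0/24), the inside subnet, the bookmark list name, the AnyConnect image file, the trustpoint name and the passwords are all assumed placeholders that must be replaced. The part worth noticing from a security standpoint is that each group policy pins `vpn-tunnel-protocol` to exactly one access method, and each local user is given `service-type remote-access`, so a VPN account can never be used for ASDM, SSH or console management:

```cisco
! Common: SSL/WebVPN listener on the outside interface, client image, profile drop-down
webvpn
 enable outside
 anyconnect image disk0:/ANYCONNECT-PKG-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable

! 1. Clientless SSL VPN: browser portal only, nothing installed on the endpoint
username clientless password CHANGE-ME
username clientless attributes
 service-type remote-access
 vpn-group-policy GROUP-CLIENTLESS
group-policy GROUP-CLIENTLESS internal
group-policy GROUP-CLIENTLESS attributes
 banner value Welcome to clientless SSL VPN
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value BOOKMARKS
tunnel-group CLIENTLESS type remote-access
tunnel-group CLIENTLESS general-attributes
 authentication-server-group LOCAL
 default-group-policy GROUP-CLIENTLESS
tunnel-group CLIENTLESS webvpn-attributes
 group-alias Clientless enable

! 2. AnyConnect SSL VPN: full-tunnel client over TLS/DTLS, addresses from SSL-POOL
ip local pool SSL-POOL 10.6.6.1-10.6.6.254 mask 255.255.255.0
username sslanyconnect password CHANGE-ME
username sslanyconnect attributes
 service-type remote-access
 vpn-group-policy GROUP-SSL
group-policy GROUP-SSL internal
group-policy GROUP-SSL attributes
 banner value Welcome to SSL AnyConnect
 vpn-tunnel-protocol ssl-client
tunnel-group SSL-ANYCONNECT type remote-access
tunnel-group SSL-ANYCONNECT general-attributes
 address-pool SSL-POOL
 default-group-policy GROUP-SSL
tunnel-group SSL-ANYCONNECT webvpn-attributes
 group-alias SSL-AnyConnect enable

! 3. AnyConnect IPsec/IKEv2 VPN: IKEv2 policy, ESP proposal, dynamic crypto map
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto dynamic-map DYN-RA 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-RA
crypto map OUTSIDE-MAP interface outside
crypto ikev2 remote-access trustpoint ASA-TRUSTPOINT-PLACEHOLDER
crypto ikev2 enable outside client-services port 443
ip local pool IPSEC-POOL 10.8.8.1-10.8.8.254 mask 255.255.255.0
username ipsec password CHANGE-ME
username ipsec attributes
 service-type remote-access
 vpn-group-policy GROUP-IPSEC
group-policy GROUP-IPSEC internal
group-policy GROUP-IPSEC attributes
 banner value Welcome to IPsec
 vpn-tunnel-protocol ikev2
tunnel-group IPSEC type remote-access
tunnel-group IPSEC general-attributes
 address-pool IPSEC-POOL
 default-group-policy GROUP-IPSEC
tunnel-group IPSEC webvpn-attributes
 group-alias IPsec enable

! NAT exemption: only required when the ASA translates inside traffic (the lab above does not)
object network INSIDE-NET
 subnet 172.16.1.0 255.255.255.0
object-group network VPN-POOLS
 network-object 10.6.6.0 255.255.255.0
 network-object 10.8.8.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOLS VPN-POOLS no-proxy-arp route-lookup
```

When a login is refused for one user but accepted for another, as happens at the end of the video, the quickest way to see which settings are actually in effect is `show running-config group-policy`, `show running-config tunnel-group` and `show running-config username`, comparing the `vpn-tunnel-protocol` and `vpn-group-policy` lines with what the client is attempting; `show vpn-sessiondb anyconnect` confirms the protocol of any session that did come up. For the separate observation that the inside web server stayed reachable after disconnecting, `show access-list outside` and `show running-config nat` show whether an outside ACL entry or a translation, rather than the VPN, is what exposes it.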