Setting ASA

How to configure LDAP access for an ASA 5505
Assumptions:

ASDM is already installed
You know the password to the ASA
Launch ASDM and select Configuration from the top bar. On the left hand bard, select Remote Access VPN. You then should see a heading that says AAA/Local Users. After clicking the + sign, select AAA Server Groups. You should now see an add button on the right hand side of the screen. Click add and make up a name for the server group. This can be anything. Also set the settings below.

Reactivation Mode: Depletion
Dead Time: 10 Minutes (this was the default setting)
Max Failed Attempts: 3 (this was the default setting)

Click Ok. You should now see that in the AAA Server Group box at the top of the page. Highlight the newly created group and click add button beside the servers in the selected group box. This is what it should be set to:


Interface Name: Inside
Servername or IP Address: Your active directory server IP
Timeout: 10 seconds
Enable LDAP over SSL: Unchecked (this is up to your current setup)
Server Port: 389
Server Type: Microsoft
Base DN: dc=example,dc=com (see note below on how to find this and your user name)
Naming Attribute(s): sAMAccountName
Login DN: CN=John Doe,OU=Custom Users,DC=example,dc=com
Login Password: Type the password to the user
LDAP Attribute Map: None

Everything else was just left as default. Click ok, then click apply. Highlight the server IP in the box and click the test button. You will see a box pop up. You will want to choose the Authentication button and type your active directory username and password. If everything is configured correctly, you should get a message saying "Authentication test to host ip is successful."

***Note:*** Now I had some problems when configuring this. The first problem I felt deserved its own post. It's here.

The second problem was getting the right syntax for the LDAP part of it. You can refer to my post that talks about dsquery more in depth. It could help you. It is here. The two commands that will help you the most are:

dsquery user (This lists every single user. I only have maybe 20 users so if you have alot more then this, you can use some more specific switches to narrow it down).

dsquery computer (This will show you all the computers. Same possible problem with dsquery user. The big thing here is all you need is the dc part of the results).








Eight easy steps to Cisco ASA remote access setup
By Lori Hyde
March 19, 2009, 12:28 PM PDT
Takeaway: Lori Hyde shows you a simple eight-step process to setting up remote access for users with the Cisco ASA.

There are eight basic steps in setting up remote access for users with the Cisco ASA.

Step 1. Configure an Identity Certificate
Step 2. Upload the SSL VPN Client Image to the ASA
Step 3. Enable AnyConnect VPN Access
Step 4. Create a Group Policy
Step 5. Configure Access List Bypass
Step 6. Create a Connection Profile and Tunnel Group
Step 7. Configure NAT Exemption
Step 8. Configure User Accounts
So let’s get started!

Step 1. Configure an Identity Certificate

Here I am creating a general purpose, self-signed, identity certificate named sslvpnkey and applying that certificate to the “outside” interface. You can purchase a certificate through a vendor such as Verisign, if you choose.

corpasa(config)#crypto key generate rsa label sslvpnkey
corpasa(config)#crypto ca trustpoint localtrust
corpasa(config-ca-trustpoint)#enrollment self
corpasa(config-ca-trustpoint)#fqdn sslvpn. mycompany.com
corpasa(config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com
corpasa(config-ca-trustpoint)#keypair sslvpnkey
corpasa(config-ca-trustpoint)#crypto ca enroll localtrust noconfirm
corpasa(config)# ssl trust-point localtrust outside
Step 2. Upload the SSL VPN Client Image to the ASA

You can obtain the client image at Cisco.com. As you choose which image to download to your tftp server, remember that you will need a separate image for each OS that your users have. After you select and download your client software, you can tftp it to your ASA.

corpasa(config)#copy tftp://192.168.81.50/anyconnect-win-2.0.0343-k9.pkg flash
After the file has been uploaded to the ASA, configure this file to be used for webvpn sessions. Note that if you have more than one client, configure the most commonly used client to have the highest priority. In this case, we’re using only one client and giving it a priority of 1.

corpasa(config)#webvpn
corpasa(config-webvpn)#svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
Step 3. Enable AnyConnect VPN Access

corpasa(config)#webvpn
corpasa(config-webvpn)#enable outside
corpasa(config-webvpn)#svc enable
Step 4. Create a Group Policy

Group Policies are used to specify the parameters that are applied to clients when they connect. In this case, we’ll create a group policy named SSLClient. The remote access clients will need to be assigned an IP address during login, so we’ll also set up a DHCP pool for them, but you could also use a DHCP server if you have one.

corpasa(config)#ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
corpasa(config)#group-policy SSLCLient internal
corpasa(config)#group-policy SSLCLient attributes
corpasa(config-group-policy)#dns-server value 192.168.200.5
corpasa(config-group-policy)#vpn-tunnel-protocol svc
corpasa(config-group-policy)#default-domain value mysite.com
corpasa(config-group-policy)#address-pools value SSLClientPool
Step 5. Configure Access List ByPass

By using the sysopt connect command we tell the ASA to allow the SSL/IPsec clients to bypass the interface access lists.

corpasa(config)#sysopt connection permit-vpn
Step 6. Create a Connection Profile and Tunnel Group

As remote access clients connect to the ASA, they connect to a connection profile, which is also known as a tunnel group. We’ll use this tunnel group to define the specific connection parameters we want them to use. In our case, we’re configuring these remote access clients to use the Cisco AnyConnect SSL client, but you can also configure the tunnel groups to use IPsec, L2L, etc.

First, let’s create the tunnel group SSL Client:

corpasa(config)#tunnel-group SSLClient type remote-access
Next, we’ll assign the specific attributes:

corpasa(config)#tunnel-group SSLClient general-attributes
corpasa(config-tunnel-general)#default-group-policy SSLCLient
corpasa(config-tunnel-general)#tunnel-group SSLClient webvpn-attributes
corpasa(config-tunnel-webvpn)#group-alias MY_RA enable
corpasa(config-tunnel-webvpn)#webvpn
corpasa(config-webvpn)#tunnel-group-list enable
Note that the alias MY_RA is the group that your users will see when they are prompted for login authentication.

Step 7. Configure NAT Exemption

Now we need to tell the ASA not to NAT the traffic between the remote access clients and the internal network they will be accessing. First we’ll create an access list that defines the traffic, and then we’ll apply this list to the nat statement for our interface.

corpasa(config)#access-list no_nat extended permit
ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
corpasa(config)#nat (inside) 0 access-list no_nat
Step 8. Configure User Accounts

Now we’re ready for some user accounts. Here we’ll create a user and assign this user to our remote access vpn.

corpasa(config)#username hyde password l3tm3in
corpasa(config)#username hyde attributes
corpasa(config-username)#service-type remote-access
Finishing up

Don’t forget to save your configuration to memory.

corpasa#write memory
Verify your configuration by establishing a remote access session and use the following show command to view session details.

corpasa #show vpn-sessiondb svc
This guide should help you to get your remote access users up and running in no time. If you run into any difficulties, use the debug webvpn commands to diagnose the problem.

Good luck and have fun out there!