Configure SSL VPN settings under Group Policy mode

For the Keep Installer on Client System option, uncheck the Inherit check box, and click the Yes radio button.

This action allows the SVC software to remain on the client machine. Therefore, the ASA is not required to download the SVC software to the client each time a connection is made. This option is a good choice for remote users who often access the corporate network.

Click Login Setting in order to set the Post Login Setting and Default Post Login Selection as shown.

For the Renegotiation Interval option, uncheck the Inherit box, uncheck the Unlimited check box, and enter the number of minutes until rekey.

Security is enhanced by setting limits on the length of time a key is valid.

For the Renegotiation Method option, uncheck the Inherit check box, and click the SSL radio button.

Renegotiation can use the present SSL tunnel or a new tunnel created expressly for renegotiation.

Click OK and then Apply.
Equivalent CLI Configuration:

ciscoasa(config)#access-list split-tunnel standard permit 10.77.241.128 255.255.255.192
ciscoasa(config)#group-policy clientgroup internal
ciscoasa(config)#group-policy clientgroup attributes
ciscoasa(config-group-policy)#vpn-tunnel-protocol webvpn
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)#split-tunnel-network-list value split-tunnel
ciscoasa(config-group-policy)#webvpn
ciscoasa(config-group-webvpn)#svc ask none default svc
ciscoasa(config-group-webvpn)#svc keep-installer installed
ciscoasa(config-group-webvpn)#svc rekey time 30
ciscoasa(config-group-webvpn)#svc rekey method ssl

Choose Configuration > Remote Access VPN > AAA Setup > Local Users > Add in order to create a new user account ssluser1. Click OK and then Apply.

Choose Configuration > Remote Access VPN > AAA Setup > AAA Server Groups > Edit in order to modify the default server group LOCAL: check the Enable Local User Lockout check box and set the maximum attempts value to 16.

Click OK and then Apply.
Equivalent CLI Configuration:

ciscoasa(config)#aaa local authentication attempts max-fail 16

Configure Tunnel Group.

Choose Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles > Add in order to create a new tunnel group sslgroup.

In the Basic tab, perform the configuration steps listed below:

Name the Tunnel group as sslgroup.

Under Client Address Assignment, choose the address pool vpnpool from the drop-down list.

Under Default Group Policy, choose the group policy clientgroup from the drop-down list.

Under the SSL VPN > Connection Aliases tab, specify the group alias name as sslgroup_users and click OK.

Click OK and then Apply.
Equivalent CLI Configuration:

ciscoasa(config)#tunnel-group sslgroup type remote-access
ciscoasa(config)#tunnel-group sslgroup general-attributes
ciscoasa(config-tunnel-general)#address-pool vpnpool
ciscoasa(config-tunnel-general)#default-group-policy clientgroup
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)#tunnel-group sslgroup webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-alias sslgroup_users enable

Configure NAT.

Choose Configuration > Firewall > NAT Rules > Add Dynamic NAT Rule so that traffic from the inside network is translated to the outside IP address 172.16.1.5.

Click OK.

Click OK.

Click Apply.

Equivalent CLI Configuration:

ciscoasa(config)#global (outside) 1 172.16.1.5
ciscoasa(config)#nat (inside) 1 0.0.0.0 0.0.0.0

Configure the NAT exemption for return traffic from the inside network to the VPN client.

ciscoasa(config)#access-list nonat permit ip 10.77.241.0 192.168.10.0
ciscoasa(config)#access-list nonat permit ip 192.168.10.0 10.77.241.0
ciscoasa(config)#nat (inside) 0 access-list nonat
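Hand-typed access-list entries like the split-tunnel and nonat ACLs above are easy to get wrong, and the ASA will either reject the line or silently install something other than what was intended. As an added example (not part of the Cisco document), the following Python script lints ASA access-list lines before they are pasted into the device: it checks that each mask is a real dotted quad with contiguous one-bits (ASA ACLs take netmasks, not IOS-style wildcards), that each network address is aligned to its mask, and that an extended `permit ip` entry carries both a source and a destination mask, which the ASA requires. The sample lines are constructed from this page's configuration, deliberately including a mistyped mask and mask-less nonat entries; the 255.255.255.0 masks in the corrected sample entry are an assumption, not something the page states.

```python
"""Lint Cisco ASA access-list lines before they are pasted into the device.

Added example, not part of the Cisco document. It catches mistakes that are
easy to make in hand-typed ACL entries: a mask that is not a dotted quad,
a mask whose one-bits are not contiguous (ASA ACLs use netmasks, not IOS
wildcard masks), a network address not aligned to its mask, and an extended
'permit ip' entry that omits the source or destination mask.
"""
import ipaddress
import re

# Optional "ciscoasa(config)#" prompt, so lines can be pasted from a transcript.
PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")
STANDARD = re.compile(r"^access-list\s+(\S+)\s+standard\s+(?:permit|deny)\s+(\S+)\s+(\S+)$")
EXTENDED = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(?:permit|deny)\s+ip\s+(.+)$")


def valid_netmask(mask: str) -> bool:
    """True if mask is a dotted quad with contiguous one-bits from the left."""
    try:
        m = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    inverted = (~m) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0  # inverted mask must be 2^k - 1


def check_pair(addr: str, mask: str) -> list:
    """Problems with one '<address> <mask>' pair; an empty list means it is fine."""
    problems = []
    try:
        ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        problems.append(f"'{addr}' is not a valid IPv4 address")
    if not valid_netmask(mask):
        problems.append(f"'{mask}' is not a valid netmask")
    if not problems:
        try:
            ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
        except ValueError:
            network = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False).network_address
            problems.append(f"'{addr}' has host bits set for mask {mask}; use {network}")
    return problems


def expand_endpoints(tokens: list) -> list:
    """Rewrite 'any' and 'host X' into explicit address/mask pairs."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "any":
            out += ["0.0.0.0", "0.0.0.0"]
            i += 1
        elif tokens[i] == "host" and i + 1 < len(tokens):
            out += [tokens[i + 1], "255.255.255.255"]
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def lint_acl_line(line: str) -> list:
    """Problems found in one access-list line; an empty list means it parsed cleanly."""
    body = PROMPT.sub("", line.strip())
    m = STANDARD.match(body)
    if m:
        _, addr, mask = m.groups()
        return check_pair(addr, mask)
    m = EXTENDED.match(body)
    if m:
        tokens = expand_endpoints(m.group(2).split())
        if len(tokens) != 4:
            return ["extended entry needs '<src> <mask> <dst> <mask>' "
                    f"(or any / host X); got '{m.group(2)}'"]
        src, smask, dst, dmask = tokens
        return check_pair(src, smask) + check_pair(dst, dmask)
    return ["unrecognised access-list syntax"]


def lint_config(lines) -> dict:
    """Map each offending access-list line (prompt stripped) to its problems."""
    report = {}
    for line in lines:
        body = PROMPT.sub("", line.strip())
        if not body.startswith("access-list"):
            continue  # nat/global lines etc. are outside this linter's scope
        problems = lint_acl_line(line)
        if problems:
            report[body] = problems
    return report


# Constructed sample: ACL lines in the form this walkthrough's transcript shows them,
# including a mistyped mask and nonat entries without masks. The /24 masks in the
# corrected nonat entry are an assumption.
SAMPLE = [
    "ciscoasa(config)#access-list split-tunnel standard permit 10.77.241.128 255.255.255.1922",
    "ciscoasa(config)#access-list split-tunnel standard permit 10.77.241.128 255.255.255.192",
    "ciscoasa(config)#access-list nonat permit ip 10.77.241.0 192.168.10.0",
    "ciscoasa(config)#access-list nonat permit ip 192.168.10.0 255.255.255.0 10.77.241.0 255.255.255.0",
    "ciscoasa(config)#nat (inside) 0 access-list nonat",
]

if __name__ == "__main__":
    for body, problems in lint_config(SAMPLE).items():
        print(body)
        for problem in problems:
            print("   ", problem)
```

Run it over a saved transcript before applying the change; it reports only the offending lines. The linter covers standard entries and extended `ip` entries (including `any` and `host`), which is all this walkthrough uses; entries with port or protocol qualifiers are reported as unrecognised rather than guessed at.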