Cisco Labs – Network Security (13) – Easy VPN server on ASA, SW client – physical lab


During my university studies I was doing a diploma thesis in the field of Redundant and reliable networking. The purpose of it was to create LAB examples for students, so they can test basic settings for VPN, IPS and others. These tasks are created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and schema. The complete task can be downloaded from My Onedrive

NS2 – Modul2 6.7.1 ASA task definition

Easy VPN server on ASA, SW client


  • Configure WebVPN server on ASA.
  • Initialize the tunnel.
  • Generate a test connection through HTTP.
  • Use Anyconnect client in advanced task.
  • Do not forget to clear configuration before start.

Required time

2 hours

Theoretical background

Here is a short theoretical background for solving this task.





ifconfig INT4 netmask
route add default gw dev INT4


R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model                                  ;define authentication policy
SERVER(config)#aaa authentication login telnet local          ;authenticate locally
SERVER(config)#username cisco password cisco                  ;authenticate by this username and password
SERVER(config)#enable password cisco                          ;set enable password for privileged mode
SERVER(config)#ip http server                                 ;enable HTTP server
SERVER(config)#ftp-server enable                              ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/                      ;set top directory for FTP server
SERVER(config)#line vty 0 4                                   ;enable telnet connections


1) Interface settings, Access lists

ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# ip address
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# ip address
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown

2) WebVPN configuration

ASA-GATE(config)# ip local pool VPNADDRESSPOOL                        ;set IP pool for WebVPN clients
ASA-GATE(config)# route inside 1                                      ;set default route
ASA-GATE(config)# webvpn                                              ;configure WebVPN service
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2023 telnet         ;configure port forwarding for thin Java client
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2024 ftp
ASA-GATE(config-webvpn)# enable outside                               ;select interface on which WebVPN will be available

ASA-GATE(config)# group-policy MYPOLICY internal						;configure WebVPN policy
ASA-GATE(config)# group-policy MYPOLICY attributes
ASA-GATE(config-group-policy)# webvpn
ASA-GATE(config-group-webvpn)# port-forward auto-start PORTFORWARD				;enable port forwarding automatically
ASA-GATE(config-group-webvpn)# default-domain value test.vsb

ASA-GATE(config)# username VPNUSER password cisco						;configure WebVPN profile 
ASA-GATE(config)# tunnel-group WEBVPNGROUP type remote-access
ASA-GATE(config)# tunnel-group WEBVPNGROUP general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL
ASA-GATE(config-tunnel-general)# default-group-policy MYPOLICY
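
The commands above create four objects that must reference each other correctly: the address pool, the port-forward list under webvpn, the group policy that auto-starts that list, and the tunnel group that ties the pool and policy together. The following script is an added example (not part of the original post or any Cisco tool) that audits a running-config style text for those references and for weak settings a reviewer would look for: the WebVPN portal enabled on the wrong interface, a plaintext lab password, and port-forwarding to cleartext protocols. The sample configuration inside it is constructed; the IP addresses are made up, since the post leaves them blank.

```python
"""Audit a Cisco ASA clientless WebVPN configuration (added example)."""
from typing import Dict, List, Tuple

Command = Tuple[Tuple[str, ...], str]  # (enclosing submode commands, command)

# Constructed sample modelled on the lab's commands; addresses are made up.
SAMPLE_CONFIG = """\
hostname ASA-GATE
domain-name test
interface INT1
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface INT2
 nameif inside
 ip address 10.0.0.1 255.255.255.0
ip local pool VPNADDRESSPOOL 10.0.0.100-10.0.0.110 mask 255.255.255.0
webvpn
 enable outside
 port-forward PORTFORWARD 2023 10.0.0.5 telnet
 port-forward PORTFORWARD 2024 10.0.0.5 ftp
group-policy MYPOLICY internal
group-policy MYPOLICY attributes
 webvpn
  port-forward auto-start PORTFORWARD
  default-domain value test.vsb
username VPNUSER password cisco
tunnel-group WEBVPNGROUP type remote-access
tunnel-group WEBVPNGROUP general-attributes
 address-pool VPNADDRESSPOOL
 default-group-policy MYPOLICY
"""

WEAK_PASSWORDS = {"cisco", "password", "admin"}
CLEARTEXT_PORTS = {"telnet", "23", "ftp", "21"}


def parse_config(text: str) -> List[Command]:
    """Turn indented config text into (parents, command) pairs.
    ASA prints submode commands indented one space per nesting level."""
    stack: List[Tuple[int, str]] = []
    out: List[Command] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        cmd = raw.strip()
        while stack and stack[-1][0] >= indent:   # leave deeper/equal submodes
            stack.pop()
        out.append((tuple(c for _, c in stack), cmd))
        stack.append((indent, cmd))
    return out


def audit(text: str) -> List[str]:
    cmds = parse_config(text)
    findings: List[str] = []
    pools, policies = set(), set()
    pf_lists: Dict[str, List[List[str]]] = {}
    webvpn_ifaces: List[str] = []

    # Pass 1: collect defined objects and obvious weaknesses.
    for parents, cmd in cmds:
        parts = cmd.split()
        if parents == ():
            if cmd.startswith("ip local pool "):
                pools.add(parts[3])
            elif cmd.startswith("group-policy "):
                policies.add(parts[1])
            elif cmd.startswith("username ") and "password" in parts and "encrypted" not in parts:
                pwd = parts[parts.index("password") + 1]
                if pwd.lower() in WEAK_PASSWORDS or len(pwd) < 8:
                    findings.append(f"weak password for user {parts[1]}")
        elif parents == ("webvpn",):
            if cmd.startswith("enable "):
                webvpn_ifaces.append(parts[1])
            elif cmd.startswith("port-forward ") and len(parts) >= 5:
                pf_lists.setdefault(parts[1], []).append(parts[2:])

    if not webvpn_ifaces:
        findings.append("webvpn is not enabled on any interface")
    if "inside" in webvpn_ifaces:
        findings.append("webvpn portal exposed on the inside interface")
    for name, entries in pf_lists.items():
        for _local_port, server, remote_port, *_ in entries:
            if remote_port in CLEARTEXT_PORTS:
                findings.append(f"port-forward {name}: {remote_port} to {server} is cleartext "
                                "from the ASA to the server; only the client-to-ASA leg is TLS")

    # Pass 2: dangling references between the objects.
    for parents, cmd in cmds:
        parts = cmd.split()
        if (len(parents) == 2 and parents[0].startswith("group-policy ")
                and parents[1] == "webvpn" and cmd.startswith("port-forward auto-start ")):
            if parts[2] not in pf_lists:
                findings.append(f"{parents[0]}: port-forward list {parts[2]} is not defined")
        elif len(parents) == 1 and parents[0].endswith(" general-attributes"):
            if cmd.startswith("address-pool ") and parts[1] not in pools:
                findings.append(f"{parents[0]}: address pool {parts[1]} is not defined")
            elif cmd.startswith("default-group-policy ") and parts[1] not in policies:
                findings.append(f"{parents[0]}: group policy {parts[1]} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample the script reports the lab password and the two cleartext forwards (telnet and ftp); change `default-group-policy MYPOLICY` to a name that does not exist and it also reports the dangling tunnel-group reference, which is exactly the mistake that leaves the portal login succeeding but the session without an address or port-forward list.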

Function test

F1) Turn on debugging

ASA-GATE(config)# debug crypto isakmp
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging

F2) Generate test connection

Launch a web browser and type the address into its address bar.

Enter the username and password on the logon screen.

See picture


Enter the web address in the HTTPS session and you will see its default web page; my example shows a Linux Debian web page.


Check that the number of SSL-encrypted packets is increasing by issuing this command:

ASA-GATE#sh crypto protocol statistics ssl


And finally check VPN sessions.

ASA-GATE(config)# sh vpn-sessiondb webvpn

F5) Delete tunnel and reinitialize new one

The tunnel can be deleted by clicking the logout link in your web browser.

Optional tasks

  • Configure Anyconnect client part of configuration.
