Anyconnect Ipsec



When traveling to guest Wifis, e.g., at customer sites, hotels, or public Wifis in general, I often have only IPv4 access to the Internet. Since I do not want to use IPv6 tunneling protocols such as Teredo, I decided to use the Cisco AnyConnect Secure Mobility Client to tunnel IPv6 between my test laboratory (Cisco ASA) and my computer. With a few changes on the ASA, my computer now gets a private IPv4 address and a global unicast IPv6 address out of my space at home. Since I use a VPN tunnel to access the Internet from untrusted Wifis anyway, the overall process did not change much.


In the following I show a few screenshots, but not a complete configuration guide for the AnyConnect client.

(I assume that an AnyConnect Secure Mobility Client setup is already in place and running, and that native IPv6 is configured on the outside interface of the Cisco ASA.)

Full IPv4 and IPv6 Tunnel

Given that, there are only two steps to activate IPv6 for the VPN tunnel: the creation of an IPv6 pool and the assignment of that pool in the connection profile:

If a connection is made to this connection profile (in many cases over an IPv4-only network), the AnyConnect client gets addresses from both protocols:

In the VPN monitoring section of the Cisco ASDM, both IPv4/IPv6 addresses are shown, too:

That’s it. ;) Works perfectly for me.

Split Tunnel IPv4 – Full Tunnel IPv6

I also configured another group policy which tunnels only my private IPv4 networks and the complete IPv6 space. I use this policy when I reside on trusted networks that only have IPv4 access to the Internet. However, this led to strange behaviour with Windows 7, since IPv6 was NOT preferred over IPv4 anymore and IPv6 domain lookups did not work anymore either. The result was that simple “ping ipv6-only-host” commands threw an error such as “unknown host”, PuTTY was not able to get the IPv6 address of IPv6 hosts in general, and web browsers used IPv4 by default. But IPv6 still worked if it was requested explicitly, such as “ping -6 ipv6-only-host”.

The AnyConnect route details looked quite ok:

But the system did not use IPv6 until the user triggered it explicitly:

Some troubleshooting with Wireshark revealed that in the first case (when pinging a host with a plain “ping facebook.com”) Windows ONLY requested a type A record via DNS. But when I did a “ping -6 facebook.com”, it requested a type AAAA record. More interestingly, Windows did not use the DNS server configured in the group policy of the AnyConnect profile (in my case: 8.8.8.8), but the DNS server that is configured on the hardware interface. (Note the time gap between the two DNS requests, resulting from my two different pings above):

Solution: after I added the 8.8.8.8 IPv4 address to the tunneled network list in the group policy, Windows used this DNS server and requested both records (A and AAAA) directly. The following screenshot shows the DNS requests for a simple “ping facebook.com” without the “-6” option. (There is no longer a time gap between the two requests):

Now, the Route Details pane of AnyConnect looks like this:

Short summary:

  1. If only the private IPv4 networks are tunneled, Windows initiates DNS queries from its hardware interface and sends these requests to the DNS server that is configured on that hardware interface. Furthermore, Windows only requests the type A record.
  2. If additionally the IPv4 DNS server address is tunneled (in my case 8.8.8.8), Windows initiates DNS requests from the AnyConnect interface and sends the requests to the DNS server that is configured in the Cisco ASA group policy. In this case, Windows also requests the type AAAA record, since the initiating interface is capable of IPv6.
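The two cases in the summary above can be checked rather than eyeballed in Wireshark. The following Python script is an added example, not code from the original post: it models the split-tunnel decision for the group-policy DNS server and then audits a handful of constructed, Wireshark-style DNS query summaries for queries that leave via the hardware interface (a DNS leak out of the tunnel) and for names that never receive an AAAA query. The subnets, the 172.20.5.x guest LAN, the 10.99.0.0/24 pool, and the log lines are all constructed assumptions; 8.8.8.8 is the DNS server from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed lab values (not from the original post): the group-policy DNS
# server, the ASA IPv4 address pool, and the split-tunnel network list before
# and after adding the DNS server to it.
TUNNEL_DNS = ipaddress.ip_address("8.8.8.8")
TUNNEL_SUBNET = ipaddress.ip_network("10.99.0.0/24")      # ASA IPv4 address pool
SPLIT_BEFORE = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]
SPLIT_AFTER = SPLIT_BEFORE + [ipaddress.ip_network("8.8.8.8/32")]

# Constructed Wireshark-style summaries of DNS queries seen on the client.
# 172.20.5.0/24 is the guest Wifi LAN, 172.20.5.1 its DHCP-provided DNS server.
QUERIES_BEFORE = [
    "10:00:01.100 172.20.5.23 -> 172.20.5.1 DNS Standard query A facebook.com",     # plain ping
    "10:00:09.420 172.20.5.23 -> 172.20.5.1 DNS Standard query AAAA facebook.com",  # ping -6
    "10:00:15.003 172.20.5.23 -> 172.20.5.1 DNS Standard query A ipv6-only-host.example",
]
QUERIES_AFTER = [
    "10:05:00.010 10.99.0.7 -> 8.8.8.8 DNS Standard query A facebook.com",
    "10:05:00.012 10.99.0.7 -> 8.8.8.8 DNS Standard query AAAA facebook.com",
]

QUERY_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+DNS Standard query\s+"
    r"(?P<qtype>A|AAAA)\s+(?P<name>\S+)$"
)


def is_tunneled(dst, split_networks):
    """True if the split-tunnel network list routes traffic to dst through the VPN."""
    dst = ipaddress.ip_address(dst)
    return any(dst in net for net in split_networks)


def dns_interface(tunnel_dns, split_networks):
    """Interface Windows sources DNS from, per the behaviour observed in the post:
    the AnyConnect adapter only if the group-policy DNS server is itself tunneled."""
    return "AnyConnect" if is_tunneled(tunnel_dns, split_networks) else "hardware"


def parse_query(line):
    """Parse one summary line into its fields, or return None if it does not match."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["src"] = ipaddress.ip_address(fields["src"])
    fields["dst"] = ipaddress.ip_address(fields["dst"])
    return fields


def audit_dns(lines, tunnel_dns, tunnel_subnet):
    """Per queried name: queries that went through the tunnel to the configured DNS
    server, queries that left via any other interface or server (leaked), and
    whether an AAAA record was ever requested."""
    stats = defaultdict(lambda: {"tunneled": 0, "leaked": 0, "aaaa": False})
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        rec = stats[q["name"]]
        if q["src"] in tunnel_subnet and q["dst"] == tunnel_dns:
            rec["tunneled"] += 1
        else:
            rec["leaked"] += 1
        if q["qtype"] == "AAAA":
            rec["aaaa"] = True
    return dict(stats)


if __name__ == "__main__":
    for label, split, lines in (("before", SPLIT_BEFORE, QUERIES_BEFORE),
                                ("after", SPLIT_AFTER, QUERIES_AFTER)):
        print(f"{label}: DNS sourced from the {dns_interface(TUNNEL_DNS, split)} interface")
        for name, rec in audit_dns(lines, TUNNEL_DNS, TUNNEL_SUBNET).items():
            print(f"  {name}: {rec}")
```

Run against the "before" lines, every query is reported as leaked and the IPv6-only name never gets an AAAA query; against the "after" lines, both records are requested through the tunnel. Feeding the parser real `tshark` summaries only requires adapting `QUERY_RE` to that output format.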

Featured image “East Side Access Progress: May 21, 2014” by Metropolitan Transportation Authority of the State of New York is licensed under CC BY 2.0.

Overview

When using a Cisco ASA with the AnyConnect VPN Client software, in some instances it is useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure a static IP address per user and use this IP address whenever the user connects to the VPN. The RADIUS server (in this instance Cisco ISE 2.0) can be configured to query the “msRADIUSFramedIPAddress” attribute in AD and assign that address to the client whenever they connect.

This post only describes configuring a static IP address for a Cisco AnyConnect remote access VPN. Refer to the following posts for more detailed instructions on how to configure an ASA remote access VPN and integrate it with Cisco ISE for authentication:
ASA AnyConnect SSL-VPN
ASA AnyConnect IKEv2/IPSec VPN

Software/Hardware Used:

Windows 7 SP1 (Client)
Windows 2008 R2 (Active Directory Domain Controller)
Cisco ISE 2.0 (RADIUS Server)
Cisco ASAv v9.6(1)
Cisco AnyConnect Client 4.2.01022

Cisco ASA Configuration

  • Modify the existing IP Address Pool to decrease the number of IP addresses, leaving space at the end of the range (or beginning) to be used for statically assigned IP addresses.

AD Account Modification

  • Select a test account within AD
  • Modify the properties of the test account; select the “Dial-in” tab
  • Tick the “Assign Static IP Address” box
  • Click the “Static IP Address” button
  • Tick the “Assign a static IPv4 address” box and enter an IP address from within the IP address range defined on the Cisco ASA appliance
  • Click “OK” to complete the configuration

Cisco ISE Configuration

Add AD Attribute

  • Modify the configuration of the existing Active Directory External Identity Source and select Edit
  • Click “Attributes” tab
  • Click “Add” > “Select Attributes from Directory”
  • Enter the name of the test user previously modified to add the Static IP address and select “Retrieve Attributes”
  • Ensure you tick the box “msRADIUSFramedIPAddress” and click “Ok”

IMPORTANT – If you have not previously assigned a static IP address to the user account you use to query AD for the list of attributes, “msRADIUSFramedIPAddress” will not appear in the list to select.

  • Edit the attribute “msRADIUSFramedIPAddress” and change the “Type” value from STRING to IPv4
  • Click “Save”

Create Authorization Profile

  • Create a new “Authorization Profile” called “Static-VPN-IP-Address” – Policy > Policy Elements > Results > Authorization > Authorization Profiles
  • In the Advanced Attributes Settings, add a new value for “Radius:Framed-IP-Address” and set it equal to the “msRADIUSFramedIPAddress” attribute previously added


NOTE – “LAB_AD” will equal the name of YOUR Active Directory

Modify Policy Set

  • Modify the existing policy to use the “Static-VPN-IP-Address” Authorization Profile

Test AnyConnect VPN Client

  • Log in to the VPN using the test client; once successfully authenticated, check that the client has been assigned the correct IP address
  • Within the RADIUS authentication logs double check to confirm the Framed-IP-Address value was used

Repeating the test for a user that does NOT have a static IP address assigned within AD continues to work, and an IP address is assigned from the configured IP address pool on the ASA.
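The first step of the procedure above (shrinking the dynamic pool to leave room for static addresses) only protects you if every “msRADIUSFramedIPAddress” value actually lands in the reserved space and no two users share one. The following Python script is an added example, not code from the original post or from Cisco: given the shrunk pool, the reserved range and a constructed AD export, it reports assignments that collide with the dynamic pool, fall outside the reserved range or the client network, or duplicate another user. AD stores the attribute as a signed 32-bit integer (the reason ISE has to treat it as IPv4 rather than STRING), so the helper accepts that raw integer form as well as the dotted string. The 10.99.0.0/24 ranges and the user entries are constructed assumptions.

```python
import ipaddress

# Constructed lab values (not from the original post): the shrunk dynamic pool
# on the ASA, the range reserved for static assignments, and the client network.
DYNAMIC_POOL = ("10.99.0.10", "10.99.0.199")
STATIC_RANGE = ("10.99.0.200", "10.99.0.250")
CLIENT_NETWORK = ipaddress.ip_network("10.99.0.0/24")

# Constructed AD export: sAMAccountName -> msRADIUSFramedIPAddress. None means
# the "Assign Static IP Address" box is not ticked. AD stores the attribute as a
# signed 32-bit integer; bob's entry shows that raw form.
AD_USERS = {
    "alice": "10.99.0.201",
    "bob": 174260426,          # integer form of 10.99.0.202
    "carol": None,             # no static address: gets a dynamic pool address
    "dave": "10.99.0.50",      # inside the dynamic pool: a collision waiting to happen
    "erin": "10.99.0.201",     # duplicate of alice
}


def framed_ip_from_ad(raw):
    """Convert msRADIUSFramedIPAddress to an IPv4Address, accepting either the
    dotted string or the signed 32-bit integer form AD stores."""
    if isinstance(raw, int):
        return ipaddress.ip_address(raw % 2**32)   # negative values wrap to 128.0.0.0+
    return ipaddress.ip_address(raw)


def ip_range(first, last):
    """All addresses from first to last inclusive."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(a, b + 1)]


def check_static_assignments(ad_users, dynamic_pool, static_range, client_network):
    """Return (user, ip, problem) tuples for assignments that would collide with the
    ASA's dynamic pool, fall outside the reserved range or client network, or
    duplicate another user's address."""
    dynamic = set(ip_range(*dynamic_pool))
    static = set(ip_range(*static_range))
    problems = []
    if dynamic & static:
        problems.append(("<pool>", None, "dynamic pool overlaps the static range"))
    owner = {}
    for user, raw in sorted(ad_users.items()):
        if raw is None:
            continue
        ip = framed_ip_from_ad(raw)
        if ip not in client_network:
            problems.append((user, str(ip), "outside the client network"))
        elif ip in dynamic:
            problems.append((user, str(ip), "inside the dynamic pool"))
        elif ip not in static:
            problems.append((user, str(ip), "outside the reserved static range"))
        if ip in owner:
            problems.append((user, str(ip), f"duplicate of {owner[ip]}"))
        else:
            owner[ip] = user
    return problems


if __name__ == "__main__":
    for user, ip, problem in check_static_assignments(AD_USERS, DYNAMIC_POOL,
                                                      STATIC_RANGE, CLIENT_NETWORK):
        print(f"{user}: {ip}: {problem}")
```

On the constructed data the script flags dave (address inside the dynamic pool) and erin (same address as alice) and nothing else; run it against a real export of the attribute before enabling the authorization profile, since the ASA will hand out whatever RADIUS returns in Framed-IP-Address.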