class-map type regex match-any DomainBlockList
match regex facebook
match regex myspace
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList

policy-map type inspect http Blockwebsites
parameters
  protocol-violation action drop-connection
class BlockDomainsClass
  reset log

policy-map Block_policy
class inspection_default
  inspect http Blockwebsites

service-policy Block_policy interface inside

aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.200.156
   key cisco123

tunnel-group vpnclient general-attributes
   authentication-server-group RADIUS

Configure the Windows 2008 Server.

Note: Windows Server Standard will support up to 50 clients.

Add the “Network Policy and Access Services” role. Select “Network Policy Server”.

Configure a new RADIUS Client. Enter the IP address of the ASA/Pix and Shared secret key.

Configure the settings to match the screenshot below.

Create a New Network Policy. Configure the settings to match the screenshot below.

Add the Windows User Group that will be allowed VPN access.

Configure the Authentication Method to use “Unencrypted authentication”.

Remote the existing Standard Attributes. Attributes should be empty.

Set Encryption to “No Encryption”.

Accept the warning messages regarding Low/No encryption.

Main Location Internal Network – 10.0.0.0/8

Remote Location Internal Network – 192.168.2.0/24

Client VPN IP Network – 192.168.10.0/24

ASA 55xx (Main) – VPN Clients Terminate Here

!— Allow traffic to enter and leave the same interface

same-security-traffic permit intra-interface

!— Client VPN IP Pool

ip local pool IPPool 192.168.10.1-192.168.10.254

!— Split Tunnel for Client VPN and Remote Local Network

access-list SplitTunnel extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

!— Access list for Client VPN and Remote Local Network

access-list RemoteVPN extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

Pix/ASA (Remote) – VPN Clients need access to this network

!—No NAT for Remote Local Network and Client VPN

access-list NoNAT permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

!— Access list for Remote Local Network and Client VPN

access-list Main permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg

The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0×00000011

Configuration Summary: boot TFTP image, boot default image from Flash on netboot failure

Do you wish to change this configuration? y/n [n]:

Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the “disable system configuration?” value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot

The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value

Where value is the configuration register value you noted in Step 5. 0×1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

*** Will configure the ASA to autorun the SSL vpn client

group-policy AnyConnectGroup internal
group-policy AnyConnectGroup attributes
wins-server value 10.0.0.10 10.0.0.11
dns-server value 10.0.0.10 10.0.0.11
 vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel

OR

*** Will configure the ASA to direct clients to the AnyConnect Web Interface

group-policy AnyConnectGroup internal
group-policy AnyConnectGroup attributes
wins-server value 10.0.0.10 10.0.0.11
dns-server value 10.0.0.10 10.0.0.11
 vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel

webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc

tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool IPPool
default-group-policy AnyConnectGroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable

Ver 7.x – tunnel-group CLIENTVPNGROUPNAME general-attributes
                   authentication-server-group none

username cisco password *******

!— Binds the dynamic map to the IPsec/ISAKMP process.

crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP

!— The tunnel-group commands bind the configurations
!— defined in this configuration to the tunnel that is
!— used for EasyVPN.  This tunnel name is the one specified on the remote side.

tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
 default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes

!— The pre-shared-key.

pre-shared-key *

ASA that is Acting as the VPN Client

!— Easy VPN Client Configuration.
!— Specify the IP address of the VPN server.

vpnclient server 10.20.20.1

!— This example uses network extension mode.

vpnclient mode network-extension-mode

!— Specify the group name and the pre-shared key.

vpnclient vpngroup mytunnel password ********

!— Specify the authentication username and password.

vpnclient username cisco password ********

!— In order to enable the device as hardware vpnclient, use this command.

vpnclient enable

global (inside) 1 interface

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.255

Then the Backup route configuration

global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1 track 1 route outside 0.0.0.0 0.0.0.0 123.123.123.123 (External IP) track 2

sla monitor 123
type echo protocol ipIcmpEcho 192.168.2.1  interface inside num-packets 3 frequency 5 sla monitor schedule 123 life forever start-time now sla monitor

124 type echo protocol ipIcmpEcho 123.123.123.123 (External IP) interface outside num-packets 3 frequency 5 sla monitor schedule 124 life forever start-time now track 1

rtr 123 reachability track 2 rtr 124 reachability

same−security−traffic permit intra−interface

!−−− The address pool for the VPN Clients.

ip local pool vpnpool 192.168.10.1−192.168.10.254 mask 255.255.255.0

!−−− The global address for Internet access used by VPN Clients.
!−−− Apply an address from your public range provided by your ISP.

global (outside) 1 172.18.124.166

!−−− The NAT statement to define what to encrypt (the addresses from the vpn−pool).

nat (outside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

!−−− Forces VPN Clients over the tunnel for Internet access. Configured under Client VPN group-policy.

split−tunnel−policy tunnelall

This feature is useful for VPN traffic that enters an interface but is then routed out of that same interface. For example, if you have a hub−and−spoke VPN network, where the security appliance is the hub, and the remote VPN networks are spokes, in order for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.

Use the same−security−traffic command to allow traffic to enter and exit the same interface.

securityappliance(config)#
same−security−traffic permit intra−interface

Note: Hairpinning or U−turn is applicable for VPN Client to VPN Client communication, as well.