{"id":2832,"date":"2026-01-10T23:48:00","date_gmt":"2026-01-10T23:48:00","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=2832"},"modified":"2026-01-29T17:53:14","modified_gmt":"2026-01-29T17:53:14","slug":"93-days-to-ccie-sec-v6-1-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=2832","title":{"rendered":"93 Days to CCIE SEC v6.1 Lab"},"content":{"rendered":"\n

AnyConnect Remote Access VPN on ASA1v \/ ASA11v<\/mark><\/h2>\n\n\n\n

ISE + Active Directory Authentication, ASA DHCP Pool, and ISE DACL-Based Authorization<\/h3>\n\n\n\n

Cisco Remote Access VPN<\/mark><\/strong><\/p>\n\n\n\n

A Remote Access VPN extends a private corporate network across a public infrastructure (the Internet). Unlike a Site-to-Site VPN, which connects two fixed locations, a Remote Access VPN allows\u00a0individual users<\/strong>\u00a0to establish a secure, encrypted “tunnel” from any location using a software client like\u00a0Cisco AnyConnect Secure Mobility Client.<\/p>\n\n\n\n

The VPN client (for example, Cisco AnyConnect) establishes an encrypted tunnel<\/strong> to a VPN headend (ASA, Firepower, or Secure Firewall), ensuring confidentiality, integrity, and user authentication.<\/p>\n\n\n\n

How Remote Access VPN Works (High-Level Flow)<\/mark><\/h2>\n\n\n\n
    \n
  1. User launches the VPN client (AnyConnect)<\/li>\n\n\n\n
  2. Client establishes a secure tunnel to the VPN gateway<\/li>\n\n\n\n
  3. User authenticates (credentials, certificates, or MFA)<\/li>\n\n\n\n
  4. VPN gateway assigns:\n
      \n
    • IP address<\/li>\n\n\n\n
    • DNS settings<\/li>\n\n\n\n
    • Security policies<\/li>\n<\/ul>\n<\/li>\n\n\n\n
    • User traffic is encrypted and forwarded into the enterprise network<\/li>\n<\/ol>\n\n\n\n

      From a networking perspective, the remote user becomes a logical extension of the internal network<\/strong>, subject to routing, NAT, and firewall policies.<\/p>\n\n\n\n

      VPN Tunnel Types Used in Remote Access<\/mark><\/h2>\n\n\n\n

      Cisco AnyConnect supports multiple tunnel mechanisms:<\/p>\n\n\n\n

      SSL\/TLS VPN<\/h3>\n\n\n\n
        \n
      • Uses TCP\/443<\/li>\n\n\n\n
      • Works through most firewalls<\/li>\n\n\n\n
      • Ideal for Internet-based access<\/li>\n<\/ul>\n\n\n\n

        IKEv2\/IPsec<\/h3>\n\n\n\n
          \n
        • Strong cryptography<\/li>\n\n\n\n
        • Efficient control plane<\/li>\n\n\n\n
        • Often combined with SSL for fallback<\/li>\n<\/ul>\n\n\n\n

          Modern deployments typically use: SSL + IKEv2 with DTLS for performance<\/strong><\/p>\n\n\n\n

          Control Plane vs Data Plane<\/mark> <\/h2>\n\n\n\n

          A Remote Access VPN consists of two logical planes:<\/p>\n\n\n\n

          Control Plane<\/h3>\n\n\n\n
            \n
          • User authentication<\/li>\n\n\n\n
          • Authorization decisions<\/li>\n\n\n\n
          • Tunnel establishment<\/li>\n<\/ul>\n\n\n\n

            Data Plane<\/h3>\n\n\n\n
              \n
            • Encrypted user traffic<\/li>\n\n\n\n
            • Policy enforcement (ACLs, DACLs)<\/li>\n\n\n\n
            • NAT and routing decisions<\/li>\n<\/ul>\n\n\n\n

              In advanced designs (like the one in this blog), authentication and authorisation are offloaded to Cisco ISE<\/strong>, while enforcement remains on the ASA<\/strong>.<\/p>\n\n\n\n

              Cisco AnyConnect Remote Access VPN remains a cornerstone technology in enterprise remote access designs. While modern Zero Trust solutions are evolving rapidly, ASA + AnyConnect + ISE + AD<\/strong> is still widely deployed and extremely relevant for CCIE Security\u2013level understanding<\/strong> of:<\/p>\n\n\n\n

                \n
              • Authentication vs Authorization separation<\/li>\n\n\n\n
              • AAA control-plane design<\/li>\n\n\n\n
              • Dynamic access enforcement using Downloadable ACLs (DACLs)<\/strong><\/li>\n\n\n\n
              • Real-world VPN policy enforcement<\/li>\n<\/ul>\n\n\n\n

                This blog walks through a complete deployment<\/strong> using:<\/p>\n\n\n\n

                  \n
                • ASA1v \/ ASA11v<\/strong> (enforcement)<\/li>\n\n\n\n
                • Cisco ISE<\/strong> for authentication and authorisation (policy brain)<\/li>\n\n\n\n
                • Microsoft Active Directory<\/strong> as the identity store<\/li>\n\n\n\n
                • DHCP address assignment from the ASA<\/strong><\/li>\n\n\n\n
                • ISE DACLs<\/strong> to allow access to only specific internal sites<\/strong><\/li>\n<\/ul>\n\n\n\n
                    \n
                  1. ASA Base Configuration<\/li>\n<\/ol>\n\n\n\n

                    interface GigabitEthernet0\/0
                    nameif outside
                    security-level 0
                    ip address 192.168.100.2 255.255.255.0<\/p>\n\n\n\n

                    interface GigabitEthernet0\/1
                    nameif inside
                    security-level 100
                    ip address 10.10.10.1 255.255.255.0<\/p>\n\n\n\n

                    2. Routing<\/p>\n\n\n\n

                    route outside 0.0.0.0 0.0.0.0 192.168.100.1<\/p>\n\n\n\n

                    3. AnyConnect WebVPN Configuration<\/p>\n\n\n\n

                    webvpn
                    enable outside
                    anyconnect image disk0:\/anyconnect-win-4.x.x-k9.pkg 1
                    anyconnect enable<\/p>\n\n\n\n

                    4. DHCP Pool on ASA (VPN Clients)<\/p>\n\n\n\n

                    The ASA acts as a DHCP server<\/strong> for VPN clients.<\/p>\n\n\n\n

                    ip local pool AC_POOL 10.20.20.10-10.20.20.100 mask 255.255.255.0<\/p>\n\n\n\n

                    5. Group Policy (Minimal \u2013 DACL Will Enforce Access)<\/p>\n\n\n\n

                    No split tunnel ACL<\/strong> \u2014 access will be controlled via ISE DACL<\/p>\n\n\n\n

                    group-policy GP_ANYCONNECT internal
                    group-policy GP_ANYCONNECT attributes
                    vpn-tunnel-protocol ssl-client ikev2<\/p>\n\n\n\n

                    6. Tunnel Group Configuration<\/p>\n\n\n\n

                    tunnel-group AC_VPN type remote-access<\/p>\n\n\n\n

                    tunnel-group AC_VPN general-attributes
                    address-pool AC_POOL
                    default-group-policy GP_ANYCONNECT
                    authentication-server-group ISE<\/p>\n\n\n\n

                    tunnel-group AC_VPN webvpn-attributes
                    group-alias AnyConnect enable<\/p>\n\n\n\n

                    ASA\u2013ISE Integration<\/p>\n\n\n\n

                    aaa-server ISE protocol radius
                    aaa-server ISE (inside) host 10.10.10.50
                    key radius123<\/p>\n\n\n\n

                    Join ISE to Active Directory<\/mark><\/h3>\n\n\n\n
                      \n
                    • Administration \u2192 Identity Management \u2192 External Identity Sources \u2192 AD<\/li>\n\n\n\n
                    • Join domain (e.g. lab.local<\/code>)<\/li>\n\n\n\n
                    • Verify successful join<\/li>\n<\/ul>\n\n\n\n

                      Add ASA as Network Device<\/h3>\n\n\n\n
                        \n
                      • Administration \u2192 Network Devices<\/li>\n\n\n\n
                      • Add ASA IP<\/li>\n\n\n\n
                      • Enable RADIUS Authentication Settings<\/strong><\/li>\n\n\n\n
                      • Configure shared secret<\/li>\n<\/ul>\n\n\n\n

                        ISE Downloadable ACL (DACL)<\/mark><\/h2>\n\n\n\n

                        Example Requirement<\/h3>\n\n\n\n

                        Allow VPN users to access only<\/strong>:<\/p>\n\n\n\n

                          \n
                        • Internal Web Server: 10.10.10.100<\/code><\/li>\n\n\n\n
                        • Internal DNS: 10.10.10.10<\/code><\/li>\n<\/ul>\n\n\n\n

                          DACL Configuration<\/h3>\n\n\n\n

                          Policy \u2192 Policy Elements \u2192 Results \u2192 Authorization \u2192 Downloadable ACLs<\/strong><\/p>\n\n\n\n

                          permit tcp any host 10.10.10.100 eq 443\npermit udp any host 10.10.10.10 eq 53\npermit tcp any host 10.10.10.10 eq 53\ndeny ip any any<\/code><\/pre>\n\n\n\n
                          ISE Authorization Policy<\/mark><\/h2>\n\n\n\n
                          IF\n  AD-Group = VPN_Users_Limited\nTHEN\n  PermitAccess\n  Apply DACL = VPN_LIMITED_DACL\n<\/code><\/pre>\n\n\n\n
                          💡 Authentication still succeeds, but access is restricted dynamically<\/strong>.<\/p>\n\n\n\n
                          NAT Configuration (Critical)<\/mark><\/h2>\n\n\n\n
                          NAT Exemption (Inside ↔ VPN Pool)<\/h3>\n\n\n\n
                          object network INSIDE_NET\n subnet 10.10.10.0 255.255.255.0\n\nobject network VPN_POOL\n subnet 10.20.20.0 255.255.255.0\n\nnat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL<\/code><\/pre>\n\n\n\n
                          Outside Interface ACL<\/mark><\/h2>\n\n\n\n
                          access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 443\naccess-group OUTSIDE_IN in interface outside\n\nEnd-to-End Connection Flow (Deep Dive)\n\nAnyConnect client connects to ASA\n\nASA forwards credentials to ISE\n\nISE authenticates user against AD\n\nISE returns:\n\nAccess-Accept\n\nDACL name\n\nASA:\n\nAssigns IP from DHCP pool\n\nApplies DACL dynamically\n\nTraffic is filtered per-user<\/code><\/pre>\n\n\n\n
                          Validation & Testing<\/mark><\/h2>\n\n\n\n
                          On ASA<\/h3>\n\n\n\n
                          show vpn-sessiondb anyconnect\nshow aaa-server ISE\nshow access-list\n\nLook for:<\/code><\/pre>\n\n\n\n
                            \n
                          • DACL applied to session<\/li>\n\n\n\n
                          • Correct IP assignment<\/li>\n<\/ul>\n\n\n\n
                            On ISE<\/h3>\n\n\n\n
                              \n
                            • Operations \u2192 RADIUS \u2192 Live Logs<\/li>\n\n\n\n
                            • Confirm:\n
                                \n
                              • Authentication = AD<\/li>\n\n\n\n
                              • Authorization Profile = DACL<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
                                Troubleshooting <\/mark><\/h2>\n\n\n\n
                                ASA Debugs<\/h3>\n\n\n\n
                                debug webvpn 255\ndebug radius 255\ndebug aaa authentication\n\nHappy Labinggggggggggggggggggggggg !<\/strong><\/code><\/pre>\n\n\n\n
                                <\/p>\n","protected":false},"excerpt":{"rendered":"
                                AnyConnect Remote Access VPN on ASA1v \/ ASA11v ISE + Active Directory Authentication, ASA DHCP Pool, and ISE DACL-Based Authorization Cisco Remote Access VPN A Remote Access VPN extends a private corporate network across a public infrastructure (the Internet). Unlike a Site-to-Site VPN, which connects two fixed locations, a Remote Access VPN allows\u00a0individual users\u00a0to establish […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-2832","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2832"}],"version-history":[{"count":2,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2832\/revisions"}],"predecessor-version":[{"id":2834,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2832\/revisions\/2834"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}