I have an ASA 5506 running in my lab and I wanted to establish the basic configuration for it first before I jump into the TrustSec configuration. This post isn't much of a deep dive but more informational in the even someone is building a lab similar to mine.
Jumping into it, I'm going to start with the basic interface, IP, domain name and NAT configuration:
domain-name securitydemo.net
ssh version 2
hostname ASA-5506X
interface gigabit1/1
nameif inside
ip address 10.1.10.99 255.255.255.0
no shutdown
interface gigabit 1/2
nameif outside
ip address 10.99.99.2 255.255.255.0
no shut
route outside 0 0 10.99.99.1
interface management 1/1
no shutdown
management-only
object network obj_any
subnet 0 0
nat (any,outside) dynamic interface
management-access inside
http server enable
http 0 0 inside
ssh 0 0 inside
ssh timeout 60
username admin password networknode privilege 15
enable password networknode
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
logging asdm informational
fixup protocol icmp <- This is more for my labbing and not really a necessity
asdm image disk0:image
router eigrp 1
network 10.0.0.0
passive-interface outside
Since I have the Firepower module on this ASA, I'll go ahead and give that an IP address:
session sfr console
<login with the default username/password of Admin/Admin123>
configure network ipv4 manual 10.1.100.6 255.255.255.0 10.1.100.1
configure manager add 10.1.100.10 networknode
In the Layer 3 switch, I'll go ahead and configure the EIGRP process:
router eigrp 1
network 10.0.0.0 (Yes, I'm not being very neat with my routing - it's a lab)
passive-interface default
no passive-interface vlan 100
Next I'm going to swing over to the ASDM to make it easier for anyone following along to set up some basic setting. Navigate to the inside interface on your browser and the following should come up:
Install the ASDM Launcher and run it.
Configure basic remote access VPN using the wizard. To start, go to Wizards>VPN Wizards>AnyConnect VPN Wizards and click Next:
Give the connection profile a name and set it up for the outside interface:
On the next page, choose the SSL checkbox only and no device certificate:
On the next screen, you will need to add a client image which you can download off of the Cisco support page. Click the appropriate package to upload and click next.
On the next page, click next for now:
On the next page, pick an address pool that won't mess with the existing deployment or DHCP. In this lab, I have my switch using 10.1.100.100-200 so I'm going to use 10.1.100.201-250 to assign to VPN clients:
Fill in the necessary information and click next:
Check the box for NAT exception and click next:
Click next and finish.
Navigate to Configuration>Remote Access VPN>Network (Client) Access>Group Policies and open the group policy you just created. Under the Edit Internal Group Policy window, expand Advanced and highlight Split Tunnel. Uncheck the box next to the policy and choose Tunnel Network List Below. Uncheck the box next to Network List and then click Manage.
You'll need to create an ACL with all the internal subnets permitted. After doing so, click Ok and make sure that ACL is chosen in your Network List:
Click Ok and Apply the configuration.
Open up AnyConnect and connect to the outside interface. You should be able to access it now.