Static IP Tunnel Configuration Generator for ASAs and AnyConnect VPN
This repo contains helper functions designed to generate static IP tunnel configurations for the ASA CLI.
High level design of static IP tunnels on the ASA in tandem with AnyConnect VPN:
VPN Client "a"                         VPN Client "b"
      |                                      |
      v                                      v
https://<vpn-device>/a                 https://<vpn-device>/b
      |                                      |
      v                                      v
tunnel-group a ----------- tunnel-group b ---> shared group-policy
      |                          |              -> shared DAP
      v                          v
ip pool a -> 10.0.0.1      ip pool b -> 10.0.0.2
      |                          |
      v                          v
  Connected!                 Connected!
Please take note of the DAP LUA configuration that goes along with this:
EVAL(cisco.aaa.username, "EQ", cisco.aaa.tunnelgroup)
This check is a security necessity: it ensures each static IP is only taken by the user it is intended for, because the AAA username must equal the name of the tunnel group (and therefore the URL) the user connected through.
The original intent for this program was to satisfy India's VoIP exception for users with static IPs due to COVID-19.
This code requires Python 3 and has been tested with Python 3.7.7.
git clone git@github.com:CiscoDevNet/asa-static-ip-tunnels.git
cd asa-static-ip-tunnels/
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python asa_static_ip_tunnels.py
The following constants are declared in "__main__" of asa_static_ip_tunnels.py:
START_IP = '10.0.0.1' # first IP address in IP pool, increments by 1 for each user
DEVICE = 'vpn-device' # hostname of the VPN headend
AAA_SERVER = 'AAA_Server' # name of the AAA server declared on the ASA
GROUP_POLICY = 'Default_Group_Policy' # group policy shared by all static tunnels
The program starts by pulling users from users.txt:
cecId1
cecId2
cecId3
cecId4
cecId5
User IDs can be separated by
or \n
characters.
Based off the constants and users, CLI configuration is generated in the output/ folder.
filename: output/config.txt
ip local pool cecId1 10.0.0.1 mask 255.255.255.255 ! address pool with single IP
tunnel-group cecId1 type remote-access ! unique tunnel group with same name as user ID
tunnel-group cecId1 general-attributes
address-pool cecId1
authentication-server-group AAA_Server
default-group-policy Default_Group_Policy
tunnel-group cecId1 webvpn-attributes
group-url https://vpn-device/cecId1 enable ! connection URL for user
...
A file labeled clear_config.txt is also created, which contains ASA CLI configuration to undo the static IP tunnels created.
Running asa_static_ip_tunnels.py again overwrites the files in the output/ folder.
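The generation logic described above, as an added example that is not the repository's own static_tunnels.py: it reads the constants, splits the user list, allocates one /32 pool per user starting at START_IP, and emits both the per-user configuration shown in config.txt and the matching removal commands. The removal commands ("clear configure tunnel-group" and "no ip local pool") and the user-ID character check are my assumptions, since the page does not show clear_config.txt.

```python
import ipaddress
import re

START_IP = '10.0.0.1'              # first IP in the pool, +1 per user
DEVICE = 'vpn-device'              # hostname of the VPN headend
AAA_SERVER = 'AAA_Server'          # AAA server declared on the ASA
GROUP_POLICY = 'Default_Group_Policy'

# Constructed stand-in for users.txt (comma- and newline-separated).
USERS_TXT = "cecId1\ncecId2, cecId3\n"

# Conservative allow-list (assumption): a user ID becomes a tunnel-group name,
# a pool name and a URL path segment, so reject anything unusual up front.
USER_RE = re.compile(r'^[A-Za-z0-9._-]+$')


def parse_users(text):
    """Split the input on commas/whitespace; reject bad or duplicate IDs.
    A duplicate would silently re-declare the same tunnel-group with a
    different IP, defeating the one-user-one-IP intent."""
    users = [u for u in re.split(r'[\s,]+', text) if u]
    bad = [u for u in users if not USER_RE.match(u)]
    if bad:
        raise ValueError(f"invalid user IDs: {bad}")
    dupes = sorted({u for u in users if users.count(u) > 1})
    if dupes:
        raise ValueError(f"duplicate user IDs: {dupes}")
    return users


def generate(users, start_ip=START_IP, device=DEVICE,
             aaa_server=AAA_SERVER, group_policy=GROUP_POLICY):
    """Return (config, clear_config) as lists of ASA CLI lines."""
    first = ipaddress.ip_address(start_ip)
    config, clear = [], []
    for i, user in enumerate(users):
        addr = first + i  # single-address pool, increments by 1 per user
        config += [
            f"ip local pool {user} {addr} mask 255.255.255.255",
            f"tunnel-group {user} type remote-access",
            f"tunnel-group {user} general-attributes",
            f" address-pool {user}",
            f" authentication-server-group {aaa_server}",
            f" default-group-policy {group_policy}",
            f"tunnel-group {user} webvpn-attributes",
            f" group-url https://{device}/{user} enable",
        ]
        # Assumed contents of clear_config.txt: undo in reverse dependency order.
        clear += [f"clear configure tunnel-group {user}",
                  f"no ip local pool {user}"]
    return config, clear


if __name__ == "__main__":
    cfg, clr = generate(parse_users(USERS_TXT))
    print("\n".join(cfg))
```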
Cisco Products & Services:
Tools & Frameworks: the Python ipaddress module.
├── asa_static_ip_tunnels.py (where __main__ lies and a code explanation on how to use functions)
├── users.txt (input file for user IDs)
├── static_tunnels.py (configuration generation functions)
├── output (configuration output)
| ├── config.txt (creation)
| └── clear_config.txt (deletion)
This project is licensed to you under the terms of the Cisco Sample Code License.
Due to COVID-19, many companies are mandating work for home policies. Call center agents typically need to be located physically within the call center for security and traceability purposes. One example of this is in India. In light of COVID-19 and the conflicting requirement for people to work from home, an exception was made by the government to enable agents to use VoIP over VPN if they are allocated static IPs.
Cisco Adaptive Security Appliance (ASA) normally operates by assigning users IP addresses from an address pool stored on the ASA. This process is random and is a feature, rather than a bug, of using VPN.
In order to allocate static IPs per agent, we designed a simple solution that creates a unique address pool (of one IP address) and tunnel group per agent, using the username of the agent as the identifier for both the tunnel group and the URL.
Consequently, this allowed us to apply a Dynamic Access Policy that enforces that the username of the agent logging in through VPN matches the name of the tunnel group (and URL). This provides additional security on top of AAA by ensuring the agent taking an IP address on the ASA is the one intended.
Automating the configuration generation facilitates the management of these agents that require static IPs. In future iterations, this program could be hooked up to a database for its agents (rather than a trusty .txt file) along with their IP addresses and inserted into a configuration tool such as Network Services Orchestrator (NSO) or Ansible to do the insertion and clearing of ASA configuration.
https://blogs.cisco.com/developer/architecting-work-from-home