Part 3: Configuring AnyConnect SSL VPN Remote Access Using ASDM
- Start the VPN wizard. On the ASDM main menu, click Wizards > VPN Wizards > AnyConnect VPN Wizard. ...
- Configure the SSL VPN interface connection profile. On the Connection Profile Identification screen, enter AnyConnect-SSL-VPN as the Connection Profile Name and specify the outside interface as the VPN ...
- Specify the VPN encryption protocol. ...
Full Answer
What protocol does AnyConnect use?
02-26-201408:36 AM Mahesh By default the AnyConnect client will use TCP 443. But the AnyConnect client may also use DTLS (which provides the same type of authentication and encryption as SSL but uses UDP to do it).
Does all AnyConnect VPN need certificate?
Since Anyconnect is based on SSL VPN, so the first time you try to connect , you get prompted with certificate on the ASA. If you have a dedicated certificate installed on the outside interface, then that will be shown to client else ASA randomly generates a certificate and sends it to the client.
What VPN protocol does Cisco AnyConnect use?
Anyconnect based on SSL protocol is called Anyconnect SSL VPN and if you deploy Anyconnect with IPSec protocol ,it is called IKev2. Anyconnect (using IKEv2 or SSLVPN) doesn't use a pre-shared-key to authenticate the user. A certificate will be used to authenticate the ASA and either/both user+pass and certificate is used to authenticate the user.
How to enable Cisco AnyConnect VPN through remote desktop?
To enable Cisco Anyconnect VPN through a remote desktop you must first create an Anyconnect Client Profile. The client profile is basically a XML file that gets pushed out to the client upon VPN establishment. This XML file can be created using a text editor or ASDM. I wouldn’t recommend using anything but the ASDM to create this file as you will see.
How to install AnyConnect package?
When you install the AnyConnect package, it will also move it to the flash:/webvpn/ directory if it was not copied there initially.
What operating system is AnyConnect?
AnyConnect packages are currently available for these operating system platforms: Windows, Mac OS X, Linux (32-bit), and Linux 64-bit.
What is a webvpn gateway?
The WebVPN Gateway is what defines the IP address and port ( s) which will be used by the AnyConnect headend, as well as the SSL encryption algorithm and PKI certificate which will be presented to the clients. By default, the Gateway will support all possible encryption algorithms, which vary depending on the Cisco IOS version on the router.
What is the first step when AnyConnect is configured on an IOS router headend?
The first step when AnyConnect is configured on an IOS Router headend is to confirm that the license has been correctly installed (if applicable) and enabled. Refer to the licensing information in the previous section for the licensing specifics on different versions. It depends on the version of code and platform whether the show license lists an SSL_VPN or securityk9 license. Regardless of the version and license, the EULA will need to be accepted and the license will show as Active.
How to generate a certificate for a trustpoint?
After the trustpoint has been correctly defined, the router must generate the certificate by using the crypto pki enroll command. With this process, it is possible to specify a few other parameters such as the serial number and IP address. However, this is not required. The certificate generation can be confirmed with the show crypto pki certificates command.
What is securityk9?
The securityk9 feature set is required to use the SSL VPN features, regardless of which Cisco IOS version is used.
Where is the gear icon in AnyConnect?
When the connection completes negotiation, click on the gear icon in the lower-left of AnyConnect, it will display some advanced information about the connection. On this page, it is possible to view some connection statistics and route details attained from the split tunnel ACL in the Group Policy configuration.
How to continue AnyConnect deployment?
On the AnyConnect Client Deployment screen, read the text describing the options, and then click Nextto continue.
What happens if you download AnyConnect?
If the AnyConnect client must be downloaded, a security warning will display on the remote host. The ASA will detect whether ActiveX is available on the host system. In order for ActiveX to operate properly with the Cisco ASA, it is important that the security appliance is added as a trusted network site.
How to test HTTPS access to ASA?
a. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1. After entering the https://192.168.1.1 URL, you should see a security warning about the website security certificate. Click Continue to this website. Click Yesfor any other security warnings.
What command to use to save RSA keys?
d. At the privileged EXEC mode prompt, issue the write mem(or copy run start) command to save the running configuration to the startup configuration and the RSA keys to non-volatile memory.
Can you ping from PC-C to R1?
Note: If you can ping from PC-C to R1 G0/0 and S0/0/0 , you have demonstrated that static routing is configured and functioning correctly.
Can PC-C ping R1?
The ASA is the focal point for the network zones, and it has not yet been configured. Therefore, there will be no connectivity between devices that are connected to it. However, PC-C should be able to ping the R1 interface G0/0. From PC-C, ping the R1 G0/0 IP address (209.165.200.225). If these pings are unsuccessful, troubleshoot the basic device configurations before continuing.
Is erase startup-configIOS supported on ASA?
Note: The erase startup-configIOS command is not supported on the ASA. b. Use the reloadcommand to restart the ASA. This causes the ASA to display in CLI Setup mode. If you see the System config has been modified. Save? [Y]es/[N]o: message, type n, and press Enter.
How to get AnyConnect client software?
The first step is to obtain the AnyConnect client software from the Cisco Software Download Website. You will need to download the appropriate software version according to the Operating System that your users have on their computers.
What IP address does AnyConnect use?
The remote users, after successful authentication, will receive an IP address from local ASA pool 192.168.100.1-50. The internal ASA network will use subnet range 192.168.5.0/24
What version of Cisco AnyConnect is supported?
The Cisco AnyConnect VPN is supported on the new ASA 8.x software and later version and provides remote access to users with just a secure Web Browser (https).
What happens when SSL is stopped?
When the SSL connection is stopped, the SSL client either uninstalls itself or remains on the user’s PC (depending on the configuration of the ASA).
What is the address of a remote host?
Address or name of remote host ? 192.168.5.10
Is Cisco ASA Firewall Fundamentals self published?
He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available on Amazon and on this website as well.
Does SSL VPN provide full network visibility?
That is, the Web SSL VPN does not provide full network visibility to the remote user. The user has access only to specific applications (like internal email, internal files etc). Both IPSec VPNs and SSL VPNs are supported by Cisco ASA 5500 firewalls.
What is AnyConnect VPN?
Anyconnect is the replacement for the old Cisco VPN client and supports SSL and IKEv2 IPsec. When it comes to SSL, the ASA offers two SSL VPN modes: Clientless WebVPN. AnyConnect VPN. The clientless WebVPN method does not require a VPN client to be installed on the user’s computer. You just open your web browser, ...
What is the IP address of AnyConnect?
You can see that we received IP address 192.168.10.100 (the first IP address from the VPN pool). Anyconnect creates an additional interface, just like the legacy Cisco VPN client does.
What happens when a VPN user terminates a session?
Normally when the remote VPN user terminates the session, the anyconnect installer will be uninstalled. The anyconnect keep-installer installed command leaves it installed on the user’s computer.
What happens when you have an inbound access list?
When you have an inbound access-list on the outside interface then all your decrypted traffic from the SSL WebVPN has to match the inbound access-list. You can either create some permit statements for the decrypted traffic or you can just tell the ASA to let this traffic bypass the access-list:
Why does my client tries to download AnyConnect?
The client tries to download the Anyconnect automatically, this is because of the anyconnect ask none default anyconnect command that we used. Since we are using a self-signed certificate you will get the following error message:
When remote users connect to our WebVPN, do they have to use HTTPS?
The following option is not required but useful, whenever someone accesses the ASA through HTTP then they will be redirected to HTTPS:
What is an ayconnECT_policy?
The group policy is called “ANYCONNECT_POLICY” and it’s an internal group policy which means that we configure it locally on the ASA. An external group policy could be on a RADIUS server.
Chapter Description
This chapter shows how to deploy and manage client-based Secure Sockets Layer (SSL) virtual private networks (VPN) on Cisco Adaptive Security Appliance (ASA) as the VPN gateway using AnyConnect Secure Mobility Client software.
From the Book
As you’ll see, you can initiate a client-based SSL VPN session from a broad range of devices and operating systems that support the install of AnyConnect Client (desktops, laptops, mobile devices), as shown in Figure 3-1.
Configuring Basic Cisco ASA SSL VPN Gateway Features
To initially prepare the ASA for SSL VPN termination, complete the following steps:
Introduction
Requirements
- Cisco recommends that you have knowledge of these topics: 1. Basic VPN, TLS and IKEv2 knowledge 2. Basic Authentication, Authorization, and Accounting (AAA) and RADIUS knowledge 3. Experience with Firepower Management Center
Components Used
- The information in this document is based on these software and hardware versions: 1. Cisco FTD 6.2.2 2. AnyConnect 4.5
Connection
- To connect to FTD you need to open a browser, type DNS name or IP address pointing to the outside interface, in this example https://vpn.cisco.com. Youwill then have to login using credentials stored in RADIUS server and follow instructions on the screen. Once AnyConnect installs, you then need to put the same address in AnyConnect window and click Connect.
Limitations
- Currently unsupported on FTD, but available on ASA: 1. Double AAA Authentication 2. Dynamic Access Policy 3. Host Scan 4. ISE posture 5. RADIUS CoA 6. VPN load-balancer 7. Local authentication (Enhancement: CSCvf92680 ) 8. LDAP attribute map 9. AnyConnect customization 10. AnyConnect scripts 11. AnyConnect localization 12. Per-app VPN 13. SCEP proxy 14. WSA in…
Security Considerations
- You need to remember that by default, sysopt connection permit-vpn option is disabled. This means, that you need to allow traffic coming from pool of addresses on outside interface via Access Control Policy. Although the pre-filter or access-control rule is added intending to allow VPN traffic only, if clear-text traffic happens to match the rule criteria, it is erroneously permitted…