Cisco ASA 5580 Getting Started Guide, 8.2
Scenario: Configuring Connections for a Cisco AnyConnect VPN Client

Table Of Contents

Scenario: Configuring Connections for a Cisco AnyConnect VPN Client

About SSL VPN Client Connections

Obtaining the Cisco AnyConnect VPN Client Software

Example Topology Using AnyConnect SSL VPN Clients

Implementing the Cisco SSL VPN Scenario

Information to Have Available

Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client

Specifying the SSL VPN Interface

Specifying a User Authentication Method

Specifying a Group Policy

Configuring the Cisco AnyConnect VPN Client

Verifying the Remote-Access VPN Configuration

What to Do Next


Scenario: Configuring Connections for a Cisco AnyConnect VPN Client


This chapter describes how to configure the adaptive security appliance so that remote users can establish SSL connections using a Cisco AnyConnect VPN client.

This chapter includes the following sections:

About SSL VPN Client Connections

Obtaining the Cisco AnyConnect VPN Client Software

Example Topology Using AnyConnect SSL VPN Clients

Implementing the Cisco SSL VPN Scenario

What to Do Next

About SSL VPN Client Connections

With an SSL VPN client setup, remote users do not need to install a software client before attempting to establish a connection. Instead, remote users enter the IP address or DNS name of a Cisco SSL VPN interface in their browser. The browser connects to that interface and displays the SSL VPN login screen. If the user successfully authenticates and the adaptive security appliance identifies the user as requiring the client, it pushes the client that matches the operating system of the remote computer.


Note Administrative rights are required the first time the Cisco AnyConnect VPN client is installed or downloaded.


After downloading, the client installs and configures itself and then establishes a secure SSL connection. When the connection terminates, the client software either remains or uninstalls itself, depending on how you configure the adaptive security appliance.

If a remote user has previously established an SSL VPN connection and the client software was not instructed to uninstall itself, then when the user authenticates again, the adaptive security appliance compares the installed client version with the image it is configured to serve and upgrades the client if necessary.

Obtaining the Cisco AnyConnect VPN Client Software

The AnyConnect VPN client software is obtained from the Cisco website and loaded onto the adaptive security appliance, which then serves it to remote users. This chapter provides instructions for configuring the SSL VPN using a configuration wizard; you can download the AnyConnect client software from cisco.com during the configuration process.

Users can download the AnyConnect VPN client from the adaptive security appliance, or it can be installed manually on the remote PC by the system administrator. For more information about installing the client software manually, see the Cisco AnyConnect VPN Client Administrator Guide.

The adaptive security appliance pushes the client software based on the group policy or username attributes of the user establishing the connection. You can configure the adaptive security appliance to automatically push the client each time the user establishes a connection, or you can configure it to prompt the remote user to specify whether to download the client. In the latter case, if the user does not respond, you can configure the adaptive security appliance either to push the client after a timeout period or present the SSL VPN login screen.

Example Topology Using AnyConnect SSL VPN Clients

Figure 5-1 shows an adaptive security appliance configured to accept requests for and establish SSL connections from clients running the AnyConnect SSL VPN software. The adaptive security appliance can support connections to both clients running the AnyConnect VPN software and browser-based clients.

Figure 5-1 Network Layout for SSL VPN Scenario

Implementing the Cisco SSL VPN Scenario

This section describes how to configure the adaptive security appliance to accept Cisco AnyConnect SSL VPN connections. Values for example configuration settings are taken from the SSL VPN scenario illustrated in Figure 5-1.

This section includes the following topics:

Information to Have Available

Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client

Specifying the SSL VPN Interface

Specifying a User Authentication Method

Specifying a Group Policy

Configuring the Cisco AnyConnect VPN Client

Verifying the Remote-Access VPN Configuration

Information to Have Available

Before you begin configuring the adaptive security appliance to accept AnyConnect SSL VPN connections, make sure that you have the following information available:

Name of the interface on the adaptive security appliance to which remote users will connect.

Digital certificate

The ASA 5580 generates a self-signed certificate by default. A self-signed certificate cannot be validated by the remote user's browser or AnyConnect client, so users see a certificate warning on every connection and have no reliable way to distinguish the real SSL VPN interface from an attacker impersonating it. Before putting the system into production, obtain a certificate for the SSL VPN interface from a CA that the remote users' systems already trust (a public CA or your enterprise CA) and bind it to the interface.

Range of IP addresses to be used in an IP pool. These addresses are assigned to SSL AnyConnect VPN clients as they are successfully connected.

List of users to be used in creating a local authentication database, unless you are using a AAA server for authentication.

If you are using a AAA server for authentication:

AAA Server group name

Authentication protocol to be used (RADIUS, TACACS+, SDI, NT, Kerberos, LDAP)

IP address of the AAA server

Interface of the adaptive security appliance to be used for authentication

Secret key to authenticate with the AAA server

Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client

To begin the configuration process, perform the following steps:


Step 1 In the main ASDM window, choose SSL VPN Wizard from the Wizards drop-down menu. The SSL VPN Wizard Step 1 screen appears.

Step 2 In Step 1 of the SSL VPN Wizard, perform the following steps:

a. Check the Cisco SSL VPN Client check box.

b. Click Next to continue.


Specifying the SSL VPN Interface

In Step 2 of the SSL VPN Wizard, perform the following steps:


Step 1 Specify a Connection Name to which remote users connect.

Step 2 From the SSL VPN Interface drop-down list, choose the interface to which remote users connect. When users establish a connection to this interface, the SSL VPN portal page is displayed.

Step 3 From the Certificate drop-down list, choose the certificate the adaptive security appliance sends to the remote user to authenticate the adaptive security appliance.

Step 4 Click Next to continue.


Specifying a User Authentication Method

In Step 3 of the SSL VPN Wizard, perform the following steps:


Step 1 If you are using a AAA server or server group for authentication, perform the following steps:

a. Click the Authenticate using a AAA server group radio button.

b. Specify a AAA Server Group Name.

c. You can either choose an existing AAA server group name from the drop-down list, or you can create a new server group by clicking New.

To create a new AAA Server Group, click New. The New Authentication Server Group dialog box appears.

In this dialog box, specify the following:

A server group name

The Authentication Protocol to be used (RADIUS, TACACS+, SDI, NT, Kerberos, LDAP)

IP address of the AAA server

Interface of the adaptive security appliance

Secret key to be used when communicating with the AAA server

d. Click OK.

Step 2 If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface.

To add a new user, enter a username and password, and then click Add.

Step 3 When you have finished adding new users, click Next to continue.


Specifying a Group Policy

In Step 4 of the SSL VPN Wizard, specify a group policy by performing the following steps:


Step 1 Click the Create new group policy radio button and specify a group name.

OR

Step 2 Click the Modify an existing group policy radio button and choose a group from the drop-down list.

Step 3 Click Next.

Step 4 The wizard advances to Step 5. This step does not apply to AnyConnect VPN client connections, so click Next again without making any changes.


Configuring the Cisco AnyConnect VPN Client

For remote clients to gain access to your network with a Cisco AnyConnect VPN client, you must configure a pool of IP addresses that are assigned to remote VPN clients as they successfully connect. In this scenario, the pool is configured to use the range of IP addresses 209.165.201.1-209.165.201.20.

You must also specify the location of the AnyConnect software so that the adaptive security appliance can push it to users.

In Step 6 of the SSL VPN Wizard, perform the following steps:


Step 1 To use a preconfigured address pool, choose the name of the pool from the IPv4 Address Pool drop-down list or the IPv6 Address Pool drop-down list.

Step 2 Alternatively, click New to create a new address pool.

Step 3 Specify the location of the AnyConnect VPN client software image.

To obtain the most current version of the software, click Download Latest AnyConnect VPN client from cisco.com. This downloads the client software to your PC.

Step 4 Click Next to continue.


Verifying the Remote-Access VPN Configuration

In Step 7 of the SSL VPN Wizard, review the configuration summary to ensure that the settings are correct. The summary shows the values you entered in the preceding steps: the connection name, the SSL VPN interface and certificate, the authentication method, the group policy, the address pool, and the AnyConnect client image.

If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.

If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.

If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
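The following is an added example, not text from the original guide: the CLI equivalent of the configuration the wizard builds across Steps 2 through 7 above, so that you can audit in the running configuration what the wizard actually wrote, or reproduce it on a device without ASDM. It also carries the client push behavior and the certificate caveat described earlier in this chapter. The address pool is the scenario's 209.165.201.1-209.165.201.20; the interface names (outside, inside), the connection and policy names, the RADIUS server address and key, the client image filename, and the trustpoint name ASA_PUBLIC_CERT are assumptions for illustration and must be replaced with your own values. The syntax is the ASA 8.2 release's (the `svc` keyword family, renamed `anyconnect` in later releases).

```cisco
! Added example: CLI equivalent of the wizard-generated AnyConnect configuration.
! Names, addresses, key and filename below are placeholders (assumptions).

! Step 6: pool of addresses handed to AnyConnect clients as they connect
ip local pool SSLClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.224

! Step 3: AAA server group used instead of the local user database
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.10.10.5
 key ReplaceWithTheRadiusSharedSecret

! Step 2: bind a CA-issued certificate (enrolled under trustpoint
! ASA_PUBLIC_CERT) to the outside interface rather than relying on the
! default self-signed certificate, and refuse SSLv3-only client hellos.
ssl trust-point ASA_PUBLIC_CERT outside
ssl server-version tlsv1-only

! Step 2/6: enable SSL VPN on the outside interface and register the
! client image that was uploaded to flash.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable

! Step 4: group policy. Only the AnyConnect (svc) tunnel protocol is
! permitted. The client stays installed after disconnect (so upgrades are
! checked on the next login), and the user is prompted whether to
! download the client, defaulting to the client after a 15-second timeout.
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol svc
 vpn-idle-timeout 30
 vpn-simultaneous-logins 1
 webvpn
  svc keep-installer installed
  svc ask enable default svc timeout 15

! Step 2: connection profile (the wizard's Connection Name) tying the
! pool, authentication source and group policy together.
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool SSLClientPool
 authentication-server-group RADIUS_SRV
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable

! Step 7 equivalent: verify the image is registered, watch client
! sessions as users connect, then persist to the startup configuration.
show webvpn svc
show vpn-sessiondb svc
write memory
```

Two points worth checking in the output of the `show` commands: `show webvpn svc` must list the image with its order number, otherwise no client is pushed and browser users only ever see the login page; and each entry in `show vpn-sessiondb svc` should show an address from SSLClientPool and the expected group policy, which confirms that the connection profile, not some other tunnel group, handled the login.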


What to Do Next

If you are deploying the adaptive security appliance solely to support AnyConnect VPN connections, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps.

Refine configuration and configure optional and advanced features: see the Cisco ASA 5500 Series Configuration Guide using the CLI.

Learn about daily operations: see the Cisco ASA 5500 Series Command Reference and the Cisco ASA 5500 Series System Log Messages.


You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.

Configure clientless (browser-based) SSL VPN: see Chapter 6, "Scenario: SSL VPN Clientless Connections."

Configure a site-to-site VPN: see Chapter 7, "Scenario: Site-to-Site VPN Configuration."

Configure a remote-access IPsec VPN: see Chapter 8, "Scenario: IPsec Remote-Access VPN Configuration."