Table Of Contents
Release Notes for Cisco AnyConnect VPN Client,
Version 2.0Security Appliances and Software Supported
Interoperability Considerations
AnyConnect Client and Cisco Secure Desktop
Upgrading to AnyConnect Release 2.0
Before You Install the AnyConnect Client
Ensuring Automatic Installation of AnyConnect Clients
AnyConnect Client and New Windows 2000 Installations
Adding a Security Appliance to the List of Trusted Sites (IE)
Adding a Security Certificate in Response to Browser Alert Windows
Installing the AnyConnect Client on a System Running Windows
Installing the AnyConnect Client on a System Running Linux
Installing the AnyConnect Client on a System Running MAC OSX
Using the AnyConnect CLI Commands
Loading the AnyConnect Client and Configuring the Security Appliance with ASDM
Loading the AnyConnect Client and Configuring the Security Appliance with CLI
Disabling Permanent Client Installation
Enabling AnyConnect Client Profile Downloads
Enabling Start Before Logon for the AnyConnect Client
CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop
Authenticating Using Digital Certificate Might Fail to Connect
Internet Explorer Proxy With the AnyConnect Client
Setting the Secure Connection (Lock) Icon
Cisco Security Agent Version Requirements
PC Wireless Client Configurations
Certificate Revocation List Processing
Zyxel Modem SSH Incompatibility
Dynamic Install Fails on Windows Vista When Running Low-rights Internet Explorer
AnyConnect Fails to Establish a DTLS Tunnel When Using RC4-MD5 Encryption
Linux Client Weblaunch Requires an Account with Sudo Access
msvcp60.dll Must Be Available for Installation of the AnyConnect Client
Secure VPN Via Windows Remote Desktop Is Not Supported
AnyConnect Start Before Logon GINA Might Not Appear on Login Screen after Reboot
When Using a Client-Side Proxy and Full Tunneling, the Proxy Should Be Reset
Linux-Specific AnyConnect Client Issue
Setting the AnyConnect Pre-Login Banner
AnyConnect Requires That the ASA Be Configured to Accept TLSv1 Traffic
Mac OS X and Linux Clients Might Disconnect If a Security Appliance Failover Occurs
IPv6 AnyConnect Failover is Not Supported for the Security Appliance
Framed IP Address Is Not Available in a Start Accounting Request
AnyConnect Split-tunneling Does Not Work on Windows Vista
Selecting Crypto Toolkits for AnyConnect on Windows Platforms
First User Message for Double-byte Languages Does Not Translate Correctly
Ensuring Reliable DTLS Connections Through Third-Party Firewalls
SSL VPN Clients Do Not Support Split DNS
Synchronizing a Mobile Device to a PC While a Tunnel Is Active
Open Caveats in Cisco AnyConnect VPN Client, Release 2.0
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco AnyConnect VPN Client,
Version 2.0
Part Number: OL-12482-03
Introduction
These release notes are for the Cisco AnyConnect VPN Client, Version 2.0, which connects remote users with the Cisco ASA 5500 Series Adaptive Security Appliance using the Secure Socket Layer (SSL) protocol.
The AnyConnect client provides remote end users running Microsoft Vista, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client, and supports applications and functions unavailable to a clientless, browser-based SSL VPN connection. In addition, the AnyConnect client supports IPv6 over an IPv4 network.
The AnyConnect client can be installed manually on the remote PC by the system administrator. It can also be loaded onto the security appliance and made ready for download to remote users. After downloading, it can automatically uninstall itself after the connection terminates, or it can remain on the remote PC for future SSL VPN connections.
This release supports only the SSL protocol. This release does not include IPSec support.
These release notes describe new features, limitations and restrictions, open and resolved caveats, and related documentation. They also include procedures you should follow before loading this release. The section Usage Notes describes interoperability considerations and other issues you should be aware of when installing and using the AnyConnect client. Read these release notes carefully prior to installing this software.
Contents
This document includes the following sections:
Upgrading to AnyConnect Release 2.0
Cisco Product Security Overview
Obtaining Technical Assistance
Obtaining Additional Publications and Information
System Requirements
The following table indicates the system requirements to install the Cisco AnyConnect VPN Client on each of the supported platforms.
•
Windows 2000 SP4.
•
•
Computer with a Pentium®-class processor or greater.
In addition, x64 or x86 processors are supported for Windows XP and Windows Vista.
•
•
–
–
–
•
The following Linux distributions have been tested and are known to work with the AnyConnect Client, while following the requirements listed in this document:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
gdk: required 2.0.0,
libpango: required 1.0.•
•
Mac OS X, Version 10.4 or later
Macintosh computer1
50 MB hard disk space
1 The AnyConnect VPN Client is not compatible with Parallels Desktop for Mac.
If you are using Internet Explorer, use version 5.0, Service Pack 2 or later.
Note
Security Appliances and Software Supported
The Cisco AnyConnect VPN Client supports all Cisco Adaptive Security Appliance models. It does not support PIX devices. Table 1 shows the Cisco ASA 5500 Adaptive Security Appliance software images that support the AnyConnect client.
Interoperability Considerations
This section describes how the AnyConnect VPN Client interoperates with other software. The AnyConnect client can be loaded on the security appliance and automatically deployed to remote users when they log in to the security appliance, or it can be installed as an application on PCs by a network administrator using standard software deployment mechanisms. You can use a text editor to create user profiles as XML files. These profiles drive the display in the user interface and define the names and addresses of host computers.
AnyConnect Client and Cisco Secure Desktop
Table 2 shows the interoperability of the AnyConnect Client modes with Cisco Secure Desktop modules on remote computers.
Table 2 AnyConnect Client and Cisco Secure Desktop Interoperability
Standalone
Microsoft Windows Vista
Yes
Yes
-
-
Microsoft Windows XP
Yes
Yes
Yes
-
Microsoft Windows 2000
Yes
Yes
Yes
-
Apple Macintosh OS X 10.4 (PowerPC or Intel)
-
-
-
-
Linux
-
-
-
-
WebLaunch
Microsoft Windows Vista
Yes
Yes
-
Yes
Microsoft Windows XP
Yes
Yes
Yes
Yes
Apple Macintosh OS X 10.4 (PowerPC or Intel)
-
-
-
Yes
Linux
-
-
-
Yes
1 By default, the Start Before Logon (SBL) feature of AnyConnect Client is disabled. Cisco Secure Desktop modules are not interoperable with AnyConnect Client if SBL is enabled.
2 Includes both English and non-English support of 32-bit Microsoft operating systems. Cisco Secure Desktop does not support the 64-bit versions.
Caution
AnyConnect and PIX
PIX does not support SSL VPN connections, either clientless or AnyConnect.
AnyConnect and IOS
Certain features of the Cisco AnyConnect VPN Client are supported in conjunction with IOS routers with SSL VPN support. Please see the IOS SSL VPN Feature Guide for specific details.
Upgrading to AnyConnect Release 2.0
This section contains information about upgrading from the Cisco SSL VPN client to Cisco AnyConnect VPN Client, Release 2.0.
Before You Begin
Be aware of the considerations listed in the Usage Notes, section of these Release Notes before you upgrade. These are known product behaviors, and knowing about them at the beginning of the process should expedite the upgrade. Where appropriate, the number of the caveat documenting the issue appears at the end of the item. See the "Caveats" section for a list of open and resolved caveats.
New Features in Release 2.0
The Cisco AnyConnect VPN Client is the next-generation VPN client, providing remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance. The AnyConnect client supports Windows Vista, Windows XP and Windows 2000, Mac OS X, and Linux.
The client can be loaded on the security appliance and automatically downloaded to remote users when they log in, or it can be manually installed as an application on PCs by a network administrator. The client includes the ability to create user profiles that are displayed in the user interface and define the names and addresses of host computers.
Additional features of the AnyConnect client include:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Remote User Interface
Figure 1 shows the Cisco AnyConnect VPN Client user interface. The Connection tab provides a drop-down list of profiles for connecting to remote systems.
Figure 1 Cisco AnyConnect VPN Client User Interface, Connection Tab
Figure 2 shows the Statistics tab, including current connection information.
Figure 2 Cisco AnyConnect VPN Client User Interface, Statistics Tab
Installation Notes
This section contains procedures for installing the AnyConnect client software on the ASA5500 using the Adaptive Security Device Manager (ASDM) or the CLI command interface.
Without a previously-installed client, remote users enter the IP address or DNS name in their browser of an interface configured to accept clientless SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.
Note
After entering the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it uploads the client that matches the operating system of the remote computer. After uploading, the client installs and configures itself, establishes a secure SSL connection and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.
In the case of a previously-installed client, when the user authenticates, the security appliance examines the revision of the client, and upgrades the client as necessary.
When the client negotiates an SSL VPN connection with the security appliance, it connects using Transport Layer Security (TLS). The client can also negotiate a simultaneous Datagram Transport Layer Security (DTLS) connection. DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
The AnyConnect client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator. For more information about configuring the AnyConnect client, see the Cisco 5500 Series Adaptive Security Appliance CLI Configuration Guide.
The security appliance uploads the client based on the group policy or username attributes of the user establishing the connection. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.
The installation and configuration consists of two parts: what you have to do on the security appliance, and what you have to do on the remote PC. The AnyConnect client software is built into the ASA Release 8.0(1) and later. You can decide whether to make the AnyConnect client software permanently resident on the remote PC, or whether to have it resident only for the duration of the connection.
Note
This section describes installation-specific issues and procedures for AnyConnect client Release 2.0, and contains the following sections:
•
•
•
•
•
•
•
Before You Install the AnyConnect Client
The following sections contain recommendations to ensure successful AnyConnect client installation, as well as tips about certificates, Cisco Security Agent (CSA), adding trusted sites, and responding to browser alerts:
•
•
•
•
Ensuring Automatic Installation of AnyConnect Clients
The following recommendations and caveats apply to the automatic installation of AnyConnect client software on client PCs:
•
–
–
The procedure varies by browser. See the procedures that follow this section.
–
•
Current shipping versions of CSA do not have a built-in rule that is compatible with the AnyConnect client. You can create the following rule using CSA version 5.0 or later by following these steps:
Step 1
Priority Allow, no Log, Description: "Cisco Secure Tunneling Browsers, read/write vpnweb.ocx"Applications in the following class: "Cisco Secure Tunneling Client - Controlled Web Browsers"Attempt: Read file, Write FileOn any of these files: @SYSTEM\vpnweb.ocx
Step 2
**\vpndownloader.exe@program_files\**\Cisco\Cisco AnyConnect VPN Client\vpndownloader.exeThis rule will be built into a future version of CSA.
•
AnyConnect Client and New Windows 2000 Installations
In rare circumstances, if you install the AnyConnect client on a computer that has a new or clean Windows 2000 installation, the AnyConnect client might fail to connect, and your computer might display the following message:
The required system DLL (filename) is not present on the system.This could occur if the computer does not have the file MSVCP60.dll or MSVCRT.dll located in the winnt\system32 directory. For more information about this problem, see the Microsoft Knowledge Base, article 259403, at http://support.microsoft.com/kb/259403.
Adding a Security Appliance to the List of Trusted Sites (IE)
To add a security appliance to the list of trusted sites, use Microsoft Internet Explorer and do the following steps.
Note
Step 1
The Internet Options window opens.
Step 2
Step 3
Step 4
The Trusted Sites window opens.
Step 5
Step 6
Step 7
The Trusted Sites window closes.
Step 8
For information on how to use Microsoft Active Directory to add the security appliance to the list of trusted sites for Internet Explorer, see Appendix B of Cisco AnyConnect VPN Cllient Administrator Guide.
Adding a Security Certificate in Response to Browser Alert Windows
This section explains how to install a self-signed certificate as a trusted root certificate on a client in response to the browser alert windows.
In Response to a Microsoft Internet Explorer "Security Alert" Window
The following procedure explains how to install a self-signed certificate as a trusted root certificate on a client in response to a Microsoft Internet Explorer Security Alert window. This window opens when you establish a Microsoft Internet Explorer connection to a security appliance that is not recognized as a trusted site. The upper half of the Security Alert window shows the following text:
Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.Install the certificate as a trusted root certificate as follows:
Step 1
The Certificate window opens.
Step 2
The Certificate Import Wizard Welcome opens.
Step 3
The Certificate Import Wizard - Certificate Store window opens.
Step 4
Step 5
The Certificate Import Wizard - Completing window opens.
Step 6
Step 7
The Certificate Import Wizard window indicates the import is successful.
Step 8
Step 9
Step 10
The security appliance window opens, signifying the certificate is trusted.
In Response to a Netscape, Mozilla, or Firefox "Certified by an Unknown Authority" Window
The following procedure explains how to install a self-signed certificate as a trusted root certificate on a client in response to a "Web Site Certified by an Unknown Authority" window. This window opens when you establish a Netscape, Mozilla, or Firefox connection to a security appliance that is not recognized as a trusted site. This window shows the following text:
Unable to verify the identity of <Hostname_or_IP_address> as a trusted site.Install the certificate as a trusted root certificate as follows:
Step 1
The Certificate Viewer window opens.
Step 2
Step 3
The security appliance window opens, signifying the certificate is trusted.
Installing the AnyConnect Client on a System Running Windows
To install the AnyConnect client on a PC running Windows, follow these steps. We suggest you accept the defaults unless your system administrator has instructed otherwise.
Note
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Installing the AnyConnect Client on a System Running Linux
To install the AnyConnect client on a System Running Linux, follow these steps:
Step 1
tar xvzf AnyConnect-Linux-Release-2.0.0241.tar.gzThe files necessary for installation are placed in the folder ciscovpn.
Step 2
[root@linuxhost]# cd ciscovpn[root@linuxhost]# ./vpn_install.shThe client installs in the directory /opt/cisco/vpn. This script also installs the daemon vpnagentd and sets it up as a service that is automatically started when the system boots.
After installing the client, you can start the client manually with the Linux command /opt/cisco/vpn/bin/vpnui or with the client CLI command /opt/cisco/vpn/bin/vpn.
Installing the AnyConnect Client on a System Running MAC OSX
The AnyConnect client image for MAC OSX is a DMG disk image installation package. To install the AnyConnect client on a System Running MAC OSX, follow these steps:
Step 1
Step 2
Step 3
Step 4
The installation is complete.
Using the AnyConnect CLI Commands
The Cisco AnyConnect VPN Client provides a command line interface (CLI) for users who prefer to issue commands instead of using the graphical user interface. The following sections describe how to launch the CLI command prompt.
For Windows
To launch the CLI command prompt and issue commands on a Windows system, locate the file vpncli.exe in the Windows folder C:\Program Files\Cisco\Cisco AnyConnect VPN Client. Double-click the file vpncli.exe.
For Linux
To launch the CLI command prompt and issue commands on a Linux system, locate the file vpn in the folder /opt/cisco/vpn/bin/. Execute the file vpn.
You can run the CLI in interactive mode, in which it provides its own prompt, or you can run it with the commands on the command line. Table 3 shows the CLI commands.
The following examples shows the user establishing and terminating a connection from the command line:
/opt/cisco/vpn/bin/vpn connect 1.2.3.4Establishes a connection to a security appliance with the address 1.2.3.4.
/opt/cisco/vpn/bin/vpn connect some_asa_aliasEstablishes a connection to a security appliance by reading the profile and looking up the alias some_asa_alias in order to find its address.
/opt/cisco/vpn/bin/vpn statsDisplays statistics about the vpn connection.
/opt/cisco/vpn/bin/vpn disconnectDisconnect the vpn session if it exists.
Loading the AnyConnect Client and Configuring the Security Appliance with ASDM
Loading the client on the security appliance consists of copying a client image to the security appliance and identifying the file to the security appliance as a client image. With multiple clients, you must also assign the order that the security appliance uploads the clients to the remote PC. Perform the following steps to install the client:
Step 1
Step 2
Step 3
This panel lists any AnyConnect client files that have been identified as AnyConnect client images. The order in which they appear in the table reflects the order that they download to the remote computer.
Figure 3 SSL VPN Client Settings Panel
To add an AnyConnect client image, Click Add in the SSL VPN Client Images area. The Add SSL VPN Client Image dialog appears (Figure 4).
Figure 4 Add SSL VPN Client Image Dialog
If you already have an image located in the flash memory of the security appliance, you can enter the name of the image in the Flash SVC Image field, and click OK. The SSL VPN Client Images panel now shows the AnyConnect client images you identified (Figure 5).
Figure 5 SSL VPN Client Panel with AnyConnect Client Images
Step 4
This establishes the order in which the security appliance uploads them to the remote computer. It uploads the AnyConnect client image at the top of the list of images first. Therefore, you should move the image used by the most commonly-encountered operating system to the top of the list.
Step 5
Figure 6 Enable SSL VPN Client Check Box
Step 6
To create an IP address pool, choose Network Access > Address Management > Address Pools. Click Add. The Add IP Pool dialog appears (Figure 7).
Figure 7 Add IP Pool Dialog
Enter the name of the new IP address pool. Enter the starting and ending IP addresses, and enter the subnet mask and click OK.
Step 7
Figure 8 Connection Address Pool Assignment
Highlight a connection in the table, and click Edit. The Edit SSL VPN Connection dialog appears.
Click Select in the Client Address Assignment area. The Select Address Pool dialog appears (Figure 9), containing available address pools. Select a pool and click OK.
Figure 9 Select Address Pool Dialog
Step 8
Choose Network Access > Group Policies from the navigation pane. Highlight the group policy in the Group Policy table, and click Edit.
The Edit Internal Group Policy dialog appears (Figure 10):
Figure 10 Edit Internal Group Policy, General Tab
Check the SVC check box to include SSL VPN as a tunneling protocol.
Step 9
Figure 11 SSL VPN Client Features
Configure the following features on the SSL VPN Client tab:
Keep Installer on Client System—Enable to allow permanent client installation on the remote computer. Enabling disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for subsequent connections, reducing the connection time for the remote user.
Compression—Compression increases the communications performance between the security appliance and the client by reducing the size of the packets being transferred.
Datagram TLS—Datagram Transport Layer Security (DTLS) allows the CVC establishing an SSL VPN connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
Keepalive Messages—Enter an number, from 15 to 600 seconds, in the Interval field to enable and adjust the interval of keepalive messages to ensure that an connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the interval also ensures that the client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
MTU—Adjust the Maximum Transmission Unit (MTU) in bytes, from 256 to 1410 bytes. This setting affects only the AnyConnect client connections established in SSL, with or without DTLS. By default, the MTU size adjusts automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead.
Client Profile to Download—Specify a file on flash as a client profile. A profile is a group of configuration parameters that the CVC uses to configure the connection entries that appear in the client user interface, including the names and addresses of host computers.
Optional Client Module to Download—Specify any modules that the AnyConnect client needs to download to enable more features, such as Start Before Logon (SBL). To minimize download time, the CVC only requests downloads (from the security appliance) of core modules that it needs for each feature that it supports.
Loading the AnyConnect Client and Configuring the Security Appliance with CLI
This section covers the following topics:
•
•
•
•
Loading the AnyConnect Client
Loading the client on the security appliance consists of copying a client image to the security appliance and identifying the file to the security appliance as a client image. With multiple clients, you must also assign the order that the security appliance uploads the clients to the remote PC. Perform the following steps to install the client:
Step 1
hostname# copy tftp flashAddress or name of remote host []? 209.165.200.226Source filename []? anyconnect-win-2.0.0.343-k9.pkgDestination filename []? anyconnect-win-2.0.0.343-k9.pkgAccessing tftp://209.165.200.226/anyconnect-win-2.0.0.343-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!Writing file disk0:/cdisk71...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!319662 bytes copied in 3.695 secs (86511 bytes/sec)Step 2
svc image filename order
The security appliance expands the file in cache memory for downloading to remote PCs. If you have multiple clients, assign an order to the client images with the order argument.
The security appliance uploads portions of each client in the order you specify until it matches the operating system of the remote PC. Therefore, assign the lowest number to the image used by the most commonly-encountered operating system. For example:
hostname(config-webvpn)# svc image windows.pkg 1hostname(config-webvpn)# svc image linux.pkg 2
Note
Step 3
hostname(config-webvpn)# show webvpn svc1. disk0:/windows.pkg 1CISCO STC win2k+ 1.0.01,0,2,132Thu 03/22/2007 21:51:30.432. disk0:/linux.pkg 2CISCO STC linux 1.0.01,0,0,164Thu 03/15/2007 20:09:22.432 SSL VPN Client(s) installedEnabling SSL VPN Connections
After installing the client, enable the security appliance to allow SSL VPN client connections by performing the following steps:
Step 1
enable interface
For example:
hostname(config)# webvpnhostname(config-webvpn)# enable outsideThe following is an example for an IPv6 connection that enables IPv6 on the outside interface:
hostname(config)# interface GigabitEthernet0/0hostname(config-if)# ipv6 enableStep 2
For example:
hostname(config-webvpn)# svc enableStep 3
ip local pool poolname startaddr-endaddr mask mask
The following example assumes the authentication server group is LOCAL. The example creates the local IP address pool vpn_users:
hostname(config)# ip local pool vpn_users 209.165.200.225-209.165.200.254 mask 255.255.255.224Step 4
address-pool poolname
To do this, first enter the tunnel-group name general-attributes command to enter general-attributes mode. Then specify the local IP address pool using the address-pool command.
In the following example, the user configures the existing tunnel group telecommuters to use the address pool vpn_users created in step 3:
hostname(config)# tunnel-group telecommuters general-attributeshostname(config-tunnel-general)# address-pool vpn_usersStep 5
default-group-policy name
In the following example, the user assigns the group policy sales to the tunnel group telecommuters:
hostname(config-tunnel-general)# default-group-policy salesStep 6
group-alias name enable
First exit to global configuration mode, and then enter the tunnel-group name webvpn-attributes command to enter tunnel group webvpn attributes mode.
In the following example, the user enters webvpn attributes configuration mode for the tunnel group telecommuters, and creates the group alias sales_department:
hostname(config)# tunnel-group telecommuters webvpn-attributeshostname(config-tunnel-webvpn)# group-alias sales_department enableStep 7
tunnel-group-list enable
First exit to global configuration mode, and then enter webvpn mode.
In the following example, the user enters webvpn mode, and then enables the tunnel group list:
hostname(config)# webvpnhostname(config-webvpn)# tunnel-group-list enableStep 8
vpn-tunnel-protocol svc
To do this, first exit to global configuration mode, enter the group-policy name attributes command to enter group-policy mode, or the username name attributes command to enter username mode, and then enter the webvpn command to enter webvpn mode and change the settings for the group or user.
The following example identifies SSL as the only permitted tunneling protocol for the group-policy sales:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# vpn-tunnel-protocol svcFor more information about assigning users to group policies, see Cisco Security Appliance Command Line Configuration Guide, Chapter 30, "Configuring Tunnel Groups, Group Policies, and Users."
Enabling IPv6 Connections
The AnyConnect client allows access to IPv6 resources over a public IPv4 connection (only for Windows XP SP2, Windows Vista, Mac OS X, and Linux). You must use the command line interface to configure IPv6 access. ASDM does not support IPv6.
You enable IPv6 access using the ipv6 enable command as part of enabling SSL VPN copnnections. The following is an example for an IPv6 connection that enables IPv6 on the outside interface:
hostname (config)# interface GigabitEthernet0/0hostname (config-if)# ipv6 enableTo enable IPv6 SSL VPN, do the following general actions:
1.
2.
3.
4.
To implement this procedure, do the following steps:
Step 1
interface GigabitEthernet0/0nameif outsidesecurity-level 0ip address 192.168.0.1 255.255.255.0ipv6 enable ; Needed for IPv6.!interface GigabitEthernet0/1nameif insidesecurity-level 100ip address 10.10.0.1 255.255.0.0ipv6 address 2001:DB8::1/32 ; Needed for IPv6.ipv6 enable ; Needed for IPv6.Step 2
ipv6 local pool ipv6pool 2001:DB8:1:1::5/32 100 ; Use your IPv6 prefix here
Note
Step 3
tunnel-group YourTunGrp1 general-attributes ipv6-address-pool ipv6pool
Note
Step 4
ipv6 route inside ::/0 X:X:X:X::X tunneled
Disabling Permanent Client Installation
Disabling permanent AnyConnect client installation enables the automatic uninstalling feature of the client. The client on the remote computer uninstalls at the end of every session.
To disable permanent AnyConnect client installation for a specific group or user, use the svc keep-installer command from group-policy or username webvpn modes:
svc keep-installer none
The default is that permanent installation of the client is enabled. The client on the remote computer remains installed on the remote computer at the end of every session, reducing the connection time for subsequent connections. The following example configures the existing group-policy sales to not keep the client installed on the remote computer when the session terminates:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-policy)# svc keep-installer nonePrompting Remote Users
You can enable the security appliance to prompt remote SSL VPN client users to download the client with the svc ask command from group policy webvpn or username webvpn configuration modes:
[no] svc ask {none | enable [default {webvpn | svc} timeout value]}
svc ask enable prompts the remote user to download the client or go to the portal page for a clientless connection and waits indefinitely for user response.
svc ask enable default svc immediately uploads the client.
svc ask enable default webvpn immediately goes to the portal page.
svc ask enable default svc timeout value prompts the remote user to download the client or go to the portal page and waits the duration of value before taking the default action—downloading the client.
svc ask enable default webvpn timeout value prompts the remote user to download the client or go to the portal page, and waits the duration of value before taking the default action—displaying the portal page.
Figure 12 shows the prompt displayed to remote users when either default svc timeout value or default webvpn timeout value is configured:
Figure 12 Prompt Displayed to Remote Users for SSL VPN Client Download
The following example configures the security appliance to prompt the remote user to download the client or go to the portal page and to wait 10 seconds for user response before downloading the client:
hostname(config-group-webvpn)# svc ask enable default svc timeout 10Enabling AnyConnect Client Profile Downloads
An AnyConnect client profile is a group of configuration parameters, stored in an XML file, that the client uses to configure the connection entries that appear in the client user interface. The client parameters (XML tags) include the names and addresses of host computers and settings to enable additional client features.
You can create and save XML profile files using a text editor. The client installation contains one profile template (AnyConnectProfile.tmpl) that you can edit and use as a basis to create other profile files.
The profile file is downloaded from the security appliance to the remote users's PC, so you must first import the profile(s) into the security appliance in preparation for downloading to the remote PC. You can import a profile using either ASDM or the command-line interface. See Appendix A of the Cisco AnyConnect VPN Client Administrator Guidefor a sample AnyConnect profile.
When the AnyConnect client starts, it reads the preferences.xml file inthe following directory:
C:\Documents and Settings\<your_username>\Application Data\Cisco\Cisco AnyConnect VPN Client.
The preferences.xml file contains the username and the security appliance IP address/hostname from the last successful connection. The client then establishes an initial connection to the security appliance to get the list of tunnel groups to display in the GUI. during this initial connection, if the security appliance is no longer accessible or if the hostname cannot be resolved, the user sees the message, "Connection attempt has failed" or "Connection attempt has failed due to unresolvable host entry."
You can place a copy of your profile (for example, CiscoAnyConnectProfile.xml) in the directory: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile The location for Windows Vista is slightly different: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile The host that appears in the Connect to combo box is the first one listed in the profile or the last host you successfully connected with.
For more information about editing AnyConnect client profiles, see the Cisco AnyConnect VPN Client Administrator Guide.
After you create an AnyConnect client profile, follow these steps to enable the security appliance to download them to remote AnyConnect client users:
Step 1
[no] svc profiles {value profile | none}
This command makes profiles available to group policies and username attributes of AnyConnect client users.
In the following example, the user previously created two new profile files (sales_hosts.xml and engineering_hosts.xml) from the cvcprofile.xml file and uploaded them to the flash memory.
Now the user specifies these files as AnyConnect client profiles for use by group policies, specifying the names sales_hosts and engineering_hosts:
asa1(config-webvpn)# svc profiles sal
Guest
